--- /dev/null
+From 8d59fba49362c65332395789fd82771f1028d87e Mon Sep 17 00:00:00 2001
+From: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Date: Mon, 20 Oct 2025 15:12:55 +0000
+Subject: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
+
+From: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
+
+commit 8d59fba49362c65332395789fd82771f1028d87e upstream.
+
+In the parse_adv_monitor_pattern() function, the value of
+the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).
+The size of the 'value' array in the mgmt_adv_pattern structure is 31.
+If the value of 'pattern[i].length' is set in the user space
+and exceeds 31, the 'patterns[i].value' array can be accessed
+out of bound when copied.
+
+Increasing the size of the 'value' array in
+the 'mgmt_adv_pattern' structure will break the userspace.
+Considering this, and to avoid OOB access revert the limits for 'offset'
+and 'length' back to the value of HCI_MAX_AD_LENGTH.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: db08722fc7d4 ("Bluetooth: hci_core: Fix missing instances using HCI_MAX_AD_LENGTH")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/mgmt.h | 2 +-
+ net/bluetooth/mgmt.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/net/bluetooth/mgmt.h
++++ b/include/net/bluetooth/mgmt.h
+@@ -772,7 +772,7 @@ struct mgmt_adv_pattern {
+ __u8 ad_type;
+ __u8 offset;
+ __u8 length;
+- __u8 value[31];
++ __u8 value[HCI_MAX_AD_LENGTH];
+ } __packed;
+
+ #define MGMT_OP_ADD_ADV_PATTERNS_MONITOR 0x0052
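Review bot: The size of `value` in this `__packed` wire-format struct now follows `HCI_MAX_AD_LENGTH`, so a later change to that macro would silently change a layout that, per the commit message, userspace depends on. A compile-time check next to the struct would pin it, for example `static_assert(sizeof(struct mgmt_adv_pattern) == 34);`. The 34 is three `__u8` fields plus the 31-byte array stated in the commit message; confirm it against the macro definition, which is outside this hunk. The struct's opening line is visible only in the hunk header.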
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -5436,9 +5436,9 @@ static u8 parse_adv_monitor_pattern(stru
+ for (i = 0; i < pattern_count; i++) {
+ offset = patterns[i].offset;
+ length = patterns[i].length;
+- if (offset >= HCI_MAX_EXT_AD_LENGTH ||
+- length > HCI_MAX_EXT_AD_LENGTH ||
+- (offset + length) > HCI_MAX_EXT_AD_LENGTH)
++ if (offset >= HCI_MAX_AD_LENGTH ||
++ length > HCI_MAX_AD_LENGTH ||
++ (offset + length) > HCI_MAX_AD_LENGTH)
+ return MGMT_STATUS_INVALID_PARAMS;
+
+ p = kmalloc(sizeof(*p), GFP_KERNEL);
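Review bot: Nothing at the new check says why the legacy limit is used rather than `HCI_MAX_EXT_AD_LENGTH`, and the commit named in Fixes: is exactly a cleanup that widened it. A comment above the `if` would keep that from recurring: `/* Bound by the size of mgmt_adv_pattern.value (HCI_MAX_AD_LENGTH); the MGMT wire struct cannot hold extended AD lengths. */`. The copy that consumes `length` lies outside this hunk, so it is worth confirming that it reads from `patterns[i].value` under this bound and no other.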
--- /dev/null
+From 2b81082ad37cc3f28355fb73a6a69b91ff7dbf20 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Mon, 3 Nov 2025 12:11:24 -0700
+Subject: lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 2b81082ad37cc3f28355fb73a6a69b91ff7dbf20 upstream.
+
+Commit 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with
+clang-17 and older") inadvertently disabled KASAN in curve25519-hacl64.o
+for GCC unconditionally because clang-min-version will always evaluate
+to nothing for GCC. Add a check for CONFIG_CC_IS_CLANG to avoid applying
+the workaround for GCC, which is only needed for clang-17 and older.
+
+Cc: stable@vger.kernel.org
+Fixes: 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Link: https://lore.kernel.org/r/20251103-curve25519-hacl64-fix-kasan-workaround-v2-1-ab581cbd8035@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/crypto/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/crypto/Makefile
++++ b/lib/crypto/Makefile
+@@ -26,7 +26,7 @@ libcurve25519-generic-y := curve25519
+ libcurve25519-generic-$(CONFIG_ARCH_SUPPORTS_INT128) := curve25519-hacl64.o
+ libcurve25519-generic-y += curve25519-generic.o
+ # clang versions prior to 18 may blow out the stack with KASAN
+-ifeq ($(call clang-min-version, 180000),)
++ifeq ($(CONFIG_CC_IS_CLANG)_$(call clang-min-version, 180000),y_)
+ KASAN_SANITIZE_curve25519-hacl64.o := n
+ endif
+
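Review bot: The `ifeq` on the changed line relies on string concatenation that is hard to read at a glance: it matches only when `CONFIG_CC_IS_CLANG` is `y` and `clang-min-version` expands to nothing. The existing comment above it gives only the stack-usage reason. I would extend it with something like `# "y_" means clang older than 18; GCC keeps KASAN instrumentation for this object`, since the previous form of this line inadvertently turned KASAN off for GCC builds of a crypto object.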
--- /dev/null
+From 162f24cbb0f6ec596e7e9f3e91610d79dc805229 Mon Sep 17 00:00:00 2001
+From: Yuta Hayama <hayama@lineo.co.jp>
+Date: Wed, 15 Oct 2025 12:07:05 +0900
+Subject: rtc: rx8025: fix incorrect register reference
+
+From: Yuta Hayama <hayama@lineo.co.jp>
+
+commit 162f24cbb0f6ec596e7e9f3e91610d79dc805229 upstream.
+
+This code is intended to operate on the CTRL1 register, but ctrl[1] is
+actually CTRL2. Correctly, ctrl[0] is CTRL1.
+
+Signed-off-by: Yuta Hayama <hayama@lineo.co.jp>
+Fixes: 71af91565052 ("rtc: rx8025: fix 12/24 hour mode detection on RX-8035")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/eae5f479-5d28-4a37-859d-d54794e7628c@lineo.co.jp
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-rx8025.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-rx8025.c
++++ b/drivers/rtc/rtc-rx8025.c
+@@ -315,7 +315,7 @@ static int rx8025_init_client(struct i2c
+ return hour_reg;
+ rx8025->is_24 = (hour_reg & RX8035_BIT_HOUR_1224);
+ } else {
+- rx8025->is_24 = (ctrl[1] & RX8025_BIT_CTRL1_1224);
++ rx8025->is_24 = (ctrl[0] & RX8025_BIT_CTRL1_1224);
+ }
+ out:
+ return err;
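Review bot: The bare index in `ctrl[0] & RX8025_BIT_CTRL1_1224` is the same kind of magic number that produced the bug being fixed. A short comment where `ctrl` is filled, such as `/* ctrl[0] = CTRL1, ctrl[1] = CTRL2 */`, or named index constants, would make a mismatch between the index and the bit macro visible in review. The declaration and read of `ctrl` are outside this hunk, as is the rest of rx8025_init_client().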
--- /dev/null
+From bb44826c3bdbf1fa3957008a04908f45e5666463 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Fri, 24 Oct 2025 11:59:15 +0300
+Subject: scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit bb44826c3bdbf1fa3957008a04908f45e5666463 upstream.
+
+Intel platforms with UFS, can support Suspend-to-Idle (S0ix) and
+Suspend-to-RAM (S3). For S0ix the link state should be HIBERNATE. For
+S3, state is lost, so the link state must be OFF. Driver policy,
+expressed by spm_lvl, can be 3 (link HIBERNATE, device SLEEP) for S0ix
+but must be changed to 5 (link OFF, device POWEROFF) for S3.
+
+Fix support for S0ix/S3 by switching spm_lvl as needed. During suspend
+->prepare(), if the suspend target state is not Suspend-to-Idle, ensure
+the spm_lvl is at least 5 to ensure that resume will be possible from
+deep sleep states. During suspend ->complete(), restore the spm_lvl to
+its original value that is suitable for S0ix.
+
+This fix is first needed in Intel Alder Lake based controllers.
+
+Fixes: 7dc9fb47bc9a ("scsi: ufs: ufs-pci: Add support for Intel ADL")
+Cc: stable@vger.kernel.org
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://patch.msgid.link/20251024085918.31825-2-adrian.hunter@intel.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/ufshcd-pci.c | 67 ++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 65 insertions(+), 2 deletions(-)
+
+--- a/drivers/ufs/host/ufshcd-pci.c
++++ b/drivers/ufs/host/ufshcd-pci.c
+@@ -15,6 +15,7 @@
+ #include <linux/pci.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/pm_qos.h>
++#include <linux/suspend.h>
+ #include <linux/debugfs.h>
+ #include <linux/uuid.h>
+ #include <linux/acpi.h>
+@@ -34,6 +35,7 @@ struct intel_host {
+ u32 dsm_fns;
+ u32 active_ltr;
+ u32 idle_ltr;
++ int saved_spm_lvl;
+ struct dentry *debugfs_root;
+ struct gpio_desc *reset_gpio;
+ };
+@@ -375,6 +377,7 @@ static int ufs_intel_common_init(struct
+ host = devm_kzalloc(hba->dev, sizeof(*host), GFP_KERNEL);
+ if (!host)
+ return -ENOMEM;
++ host->saved_spm_lvl = -1;
+ ufshcd_set_variant(hba, host);
+ intel_dsm_init(host, hba->dev);
+ if (INTEL_DSM_SUPPORTED(host, RESET)) {
+@@ -542,6 +545,66 @@ static int ufshcd_pci_restore(struct dev
+
+ return ufshcd_system_resume(dev);
+ }
++
++static int ufs_intel_suspend_prepare(struct device *dev)
++{
++ struct ufs_hba *hba = dev_get_drvdata(dev);
++ struct intel_host *host = ufshcd_get_variant(hba);
++ int err;
++
++ /*
++ * Only s2idle (S0ix) retains link state. Force power-off
++ * (UFS_PM_LVL_5) for any other case.
++ */
++ if (pm_suspend_target_state != PM_SUSPEND_TO_IDLE && hba->spm_lvl < UFS_PM_LVL_5) {
++ host->saved_spm_lvl = hba->spm_lvl;
++ hba->spm_lvl = UFS_PM_LVL_5;
++ }
++
++ err = ufshcd_suspend_prepare(dev);
++
++ if (err < 0 && host->saved_spm_lvl != -1) {
++ hba->spm_lvl = host->saved_spm_lvl;
++ host->saved_spm_lvl = -1;
++ }
++
++ return err;
++}
++
++static void ufs_intel_resume_complete(struct device *dev)
++{
++ struct ufs_hba *hba = dev_get_drvdata(dev);
++ struct intel_host *host = ufshcd_get_variant(hba);
++
++ ufshcd_resume_complete(dev);
++
++ if (host->saved_spm_lvl != -1) {
++ hba->spm_lvl = host->saved_spm_lvl;
++ host->saved_spm_lvl = -1;
++ }
++}
++
++static int ufshcd_pci_suspend_prepare(struct device *dev)
++{
++ struct ufs_hba *hba = dev_get_drvdata(dev);
++
++ if (!strcmp(hba->vops->name, "intel-pci"))
++ return ufs_intel_suspend_prepare(dev);
++
++ return ufshcd_suspend_prepare(dev);
++}
++
++static void ufshcd_pci_resume_complete(struct device *dev)
++{
++ struct ufs_hba *hba = dev_get_drvdata(dev);
++
++ if (!strcmp(hba->vops->name, "intel-pci")) {
++ ufs_intel_resume_complete(dev);
++ return;
++ }
++
++ ufshcd_resume_complete(dev);
++}
+ #endif
+
+ /**
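Review bot: Both new dispatchers, ufshcd_pci_suspend_prepare() and ufshcd_pci_resume_complete(), dereference `hba->vops` before comparing the name, and nothing in this hunk shows that every controller bound by this driver has variant ops set. If any PCI ID is registered without them, system suspend would hit a NULL pointer dereference in the `.prepare` callback wired up in the last hunk of this patch. Guarding the test as `if (hba->vops && !strcmp(hba->vops->name, "intel-pci"))` in both functions keeps the non-Intel path on the generic helpers. Separately, the `-1` sentinel for `saved_spm_lvl` appears in three hunks with no explanation; a comment on the struct field such as `/* -1: no level saved */` would document it.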
+@@ -633,8 +696,8 @@ static const struct dev_pm_ops ufshcd_pc
+ .thaw = ufshcd_system_resume,
+ .poweroff = ufshcd_system_suspend,
+ .restore = ufshcd_pci_restore,
+- .prepare = ufshcd_suspend_prepare,
+- .complete = ufshcd_resume_complete,
++ .prepare = ufshcd_pci_suspend_prepare,
++ .complete = ufshcd_pci_resume_complete,
+ #endif
+ };
+
net-bridge-fix-use-after-free-due-to-mst-port-state-.patch
net-bridge-fix-mst-static-key-usage.patch
tracing-fix-memory-leaks-in-create_field_var.patch
+bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch
+rtc-rx8025-fix-incorrect-register-reference.patch
+smb-client-validate-change-notify-buffer-before-copy.patch
+lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch
+scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch
--- /dev/null
+From 4012abe8a78fbb8869634130024266eaef7081fe Mon Sep 17 00:00:00 2001
+From: Joshua Rogers <linux@joshua.hu>
+Date: Fri, 7 Nov 2025 00:09:37 +0800
+Subject: smb: client: validate change notify buffer before copy
+
+From: Joshua Rogers <linux@joshua.hu>
+
+commit 4012abe8a78fbb8869634130024266eaef7081fe upstream.
+
+SMB2_change_notify called smb2_validate_iov() but ignored the return
+code, then kmemdup()ed using server provided OutputBufferOffset/Length.
+
+Check the return of smb2_validate_iov() and bail out on error.
+
+Discovered with help from the ZeroPath security tooling.
+
+Signed-off-by: Joshua Rogers <linux@joshua.hu>
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Cc: stable@vger.kernel.org
+Fixes: e3e9463414f61 ("smb3: improve SMB3 change notification support")
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2pdu.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -3837,9 +3837,12 @@ SMB2_change_notify(const unsigned int xi
+
+ smb_rsp = (struct smb2_change_notify_rsp *)rsp_iov.iov_base;
+
+- smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset),
+- le32_to_cpu(smb_rsp->OutputBufferLength), &rsp_iov,
++ rc = smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset),
++ le32_to_cpu(smb_rsp->OutputBufferLength),
++ &rsp_iov,
+ sizeof(struct file_notify_information));
++ if (rc)
++ goto cnotify_exit;
+
+ *out_data = kmemdup((char *)smb_rsp + le16_to_cpu(smb_rsp->OutputBufferOffset),
+ le32_to_cpu(smb_rsp->OutputBufferLength), GFP_KERNEL);
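Review bot: The server-provided `OutputBufferOffset` and `OutputBufferLength` are converted from the response once for smb2_validate_iov() and again for kmemdup(), so the values that were checked and the values that are used are tied together only by reading the same fields twice. Reading each field once into a local and passing the locals to both calls makes that link explicit. The two locals (a u16 offset and a u32 length) would be declared with the function's other locals, which are outside this hunk. What `cnotify_exit` does with `*out_data` on the new error path is also outside the hunk and worth confirming.

```c
	/* … unchanged: smb_rsp assignment … */
	out_off = le16_to_cpu(smb_rsp->OutputBufferOffset);
	out_len = le32_to_cpu(smb_rsp->OutputBufferLength);

	rc = smb2_validate_iov(out_off, out_len, &rsp_iov,
			       sizeof(struct file_notify_information));
	if (rc)
		goto cnotify_exit;

	*out_data = kmemdup((char *)smb_rsp + out_off, out_len, GFP_KERNEL);
```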