--- /dev/null
+From 0a120d96166301d7a95be75b52f843837dbd1219 Mon Sep 17 00:00:00 2001
+From: Siwei Zhang <oss@fourdim.xyz>
+Date: Wed, 15 Apr 2026 16:49:59 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
+
+From: Siwei Zhang <oss@fourdim.xyz>
+
+commit 0a120d96166301d7a95be75b52f843837dbd1219 upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 80808e431e1e ("Bluetooth: Add l2cap_chan_ops abstraction")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1500,6 +1500,9 @@ static struct l2cap_chan *l2cap_sock_new
+ {
+ struct sock *sk, *parent = chan->data;
+
++ if (!parent)
++ return NULL;
++
+ lock_sock(parent);
+
+ /* Check for backlog size */
--- /dev/null
+From 2ff1a41a912de8517b4482e946dd951b7d80edbf Mon Sep 17 00:00:00 2001
+From: Siwei Zhang <oss@fourdim.xyz>
+Date: Wed, 15 Apr 2026 16:51:36 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
+
+From: Siwei Zhang <oss@fourdim.xyz>
+
+commit 2ff1a41a912de8517b4482e946dd951b7d80edbf upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 89bc500e41fc ("Bluetooth: Add state tracking to struct l2cap_chan")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang <oss@fourdim.xyz>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1663,6 +1663,9 @@ static void l2cap_sock_state_change_cb(s
+ {
+ struct sock *sk = chan->data;
+
++ if (!sk)
++ return;
++
+ sk->sk_state = state;
+
+ if (err)
--- /dev/null
+From 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Tue, 21 Apr 2026 13:08:44 -0400
+Subject: Bluetooth: virtio_bt: clamp rx length before skb_put
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 upstream.
+
+virtbt_rx_work() calls skb_put(skb, len) where len comes directly
+from virtqueue_get_buf() with no validation against the buffer we
+posted to the device. The RX skb is allocated in virtbt_add_inbuf()
+and exposed to virtio as exactly 1000 bytes via sg_init_one().
+
+Checking len against skb_tailroom(skb) is not sufficient because
+alloc_skb() can leave more tailroom than the 1000 bytes actually
+handed to the device. A malicious or buggy backend can therefore
+report used.len between 1001 and skb_tailroom(skb), causing skb_put()
+to include uninitialized kernel heap bytes that were never written by
+the device.
+
+The same path also accepts len == 0, in which case skb_put(skb, 0)
+leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
+byte from skb->data, consuming uninitialized memory.
+
+Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
+sg_init_one(), and gate virtbt_rx_work() on that same constant so
+the bound checked matches the buffer actually exposed to the device.
+Reject used.len == 0 in the same gate so an empty completion can
+no longer reach virtbt_rx_handle().
+
+Use bt_dev_err_ratelimited() because the length value comes from an
+untrusted backend that can otherwise flood the kernel log.
+
+Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
+overflow in USB transport layer"), which hardened the USB 9p
+transport against unchecked device-reported length.
+
+Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
+Cc: stable@vger.kernel.org
+Cc: Soenke Huster <soenke.huster@eknoes.de>
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/virtio_bt.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/bluetooth/virtio_bt.c
++++ b/drivers/bluetooth/virtio_bt.c
+@@ -12,6 +12,7 @@
+ #include <net/bluetooth/hci_core.h>
+
+ #define VERSION "0.1"
++#define VIRTBT_RX_BUF_SIZE 1000
+
+ enum {
+ VIRTBT_VQ_TX,
+@@ -33,11 +34,11 @@ static int virtbt_add_inbuf(struct virti
+ struct sk_buff *skb;
+ int err;
+
+- skb = alloc_skb(1000, GFP_KERNEL);
++ skb = alloc_skb(VIRTBT_RX_BUF_SIZE, GFP_KERNEL);
+ if (!skb)
+ return -ENOMEM;
+
+- sg_init_one(sg, skb->data, 1000);
++ sg_init_one(sg, skb->data, VIRTBT_RX_BUF_SIZE);
+
+ err = virtqueue_add_inbuf(vq, sg, 1, skb, GFP_KERNEL);
+ if (err < 0) {
+@@ -219,8 +220,15 @@ static void virtbt_rx_work(struct work_s
+ if (!skb)
+ return;
+
+- skb_put(skb, len);
+- virtbt_rx_handle(vbt, skb);
++ if (!len || len > VIRTBT_RX_BUF_SIZE) {
++ bt_dev_err_ratelimited(vbt->hdev,
++ "rx reply len %u outside [1, %u]\n",
++ len, VIRTBT_RX_BUF_SIZE);
++ kfree_skb(skb);
++ } else {
++ skb_put(skb, len);
++ virtbt_rx_handle(vbt, skb);
++ }
+
+ if (virtbt_add_inbuf(vbt) < 0)
+ return;
--- /dev/null
+From daf23014e5d975e72ea9c02b5160d3fcf070ea47 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Tue, 21 Apr 2026 13:08:45 -0400
+Subject: Bluetooth: virtio_bt: validate rx pkt_type header length
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit daf23014e5d975e72ea9c02b5160d3fcf070ea47 upstream.
+
+virtbt_rx_handle() reads the leading pkt_type byte from the RX skb
+and forwards the remainder to hci_recv_frame() for every
+event/ACL/SCO/ISO type, without checking that the remaining payload
+is at least the fixed HCI header for that type.
+
+After the preceding patch bounds the backend-supplied used.len to
+[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches
+hci_recv_frame() with skb->len already pulled to 0. If the byte
+happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification
+fast-path in hci_dev_classify_pkt_type() dereferences
+hci_acl_hdr(skb)->handle whenever the HCI device has an active
+CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of
+uninitialized RX-buffer data. The same hazard exists for every
+packet type the driver accepts because none of the switch cases in
+virtbt_rx_handle() check skb->len against the per-type minimum HCI
+header size before handing the frame to the core.
+
+After stripping pkt_type, require skb->len to cover the fixed
+header size for the selected type (event 2, ACL 4, SCO 3, ISO 4)
+before calling hci_recv_frame(); drop ratelimited otherwise.
+Unknown pkt_type values still take the original kfree_skb() default
+path.
+
+Use bt_dev_err_ratelimited() because both the length and pkt_type
+values come from an untrusted backend that can otherwise flood the
+kernel log.
+
+Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
+Cc: stable@vger.kernel.org
+Cc: Soenke Huster <soenke.huster@eknoes.de>
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/virtio_bt.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+--- a/drivers/bluetooth/virtio_bt.c
++++ b/drivers/bluetooth/virtio_bt.c
+@@ -190,6 +190,7 @@ static int virtbt_shutdown_generic(struc
+
+ static void virtbt_rx_handle(struct virtio_bluetooth *vbt, struct sk_buff *skb)
+ {
++ size_t min_hdr;
+ __u8 pkt_type;
+
+ pkt_type = *((__u8 *) skb->data);
+@@ -197,16 +198,32 @@ static void virtbt_rx_handle(struct virt
+
+ switch (pkt_type) {
+ case HCI_EVENT_PKT:
++ min_hdr = sizeof(struct hci_event_hdr);
++ break;
+ case HCI_ACLDATA_PKT:
++ min_hdr = sizeof(struct hci_acl_hdr);
++ break;
+ case HCI_SCODATA_PKT:
++ min_hdr = sizeof(struct hci_sco_hdr);
++ break;
+ case HCI_ISODATA_PKT:
+- hci_skb_pkt_type(skb) = pkt_type;
+- hci_recv_frame(vbt->hdev, skb);
++ min_hdr = sizeof(struct hci_iso_hdr);
+ break;
+ default:
+ kfree_skb(skb);
+- break;
++ return;
+ }
++
++ if (skb->len < min_hdr) {
++ bt_dev_err_ratelimited(vbt->hdev,
++ "rx pkt_type 0x%02x payload %u < hdr %zu\n",
++ pkt_type, skb->len, min_hdr);
++ kfree_skb(skb);
++ return;
++ }
++
++ hci_skb_pkt_type(skb) = pkt_type;
++ hci_recv_frame(vbt->hdev, skb);
+ }
+
+ static void virtbt_rx_work(struct work_struct *work)
--- /dev/null
+From bc0fcb9823cd0894934cf968b525c575833d7078 Mon Sep 17 00:00:00 2001
+From: Yilin Zhu <zylzyl2333@gmail.com>
+Date: Sun, 12 Apr 2026 13:07:54 +0800
+Subject: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
+
+From: Yilin Zhu <zylzyl2333@gmail.com>
+
+commit bc0fcb9823cd0894934cf968b525c575833d7078 upstream.
+
+xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not
+already have a dst attached. ip6_route_input_lookup() returns a
+referenced dst entry even when the lookup resolves to an error route.
+
+If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching
+the dst to the skb and without releasing the reference returned by the
+lookup. Repeated packets hitting this path therefore leak dst entries.
+
+Release the dst before jumping to the drop path.
+
+Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
+Cc: stable@kernel.org
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Co-developed-by: Yuan Tan <yuantan098@gmail.com>
+Signed-off-by: Yuan Tan <yuantan098@gmail.com>
+Suggested-by: Xin Liu <bird@lzu.edu.cn>
+Tested-by: Ruide Cao <caoruide123@gmail.com>
+Signed-off-by: Yilin Zhu <zylzyl2333@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/xfrm6_protocol.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/xfrm6_protocol.c
++++ b/net/ipv6/xfrm6_protocol.c
+@@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb,
+
+ dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6,
+ skb, flags);
+- if (dst->error)
++ if (dst->error) {
++ dst_release(dst);
+ goto drop;
++ }
+ skb_dst_set(skb, dst);
+ }
+
--- /dev/null
+From b3a97f9484080c6e71db9e803e3cc1bb372a9bc7 Mon Sep 17 00:00:00 2001
+From: Sourabh Jain <sourabhjain@linux.ibm.com>
+Date: Tue, 7 Apr 2026 18:13:44 +0530
+Subject: powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sourabh Jain <sourabhjain@linux.ibm.com>
+
+commit b3a97f9484080c6e71db9e803e3cc1bb372a9bc7 upstream.
+
+KASAN instrumentation is intended to be disabled for the kexec core
+code, but the existing Makefile entry misses the object suffix. As a
+result, the flag is not applied correctly to core_$(BITS).o.
+
+So when KASAN is enabled, kexec_copy_flush and copy_segments in
+kexec/core_64.c are instrumented, which can result in accesses to
+shadow memory via normal address translation paths. Since these run
+with the MMU disabled, such accesses may trigger page faults
+(bad_page_fault) that cannot be handled in the kdump path, ultimately
+causing a hang and preventing the kdump kernel from booting. The same
+is true for kexec as well, since the same functions are used there.
+
+Update the entry to include the “.o” suffix so that KASAN
+instrumentation is properly disabled for this object file.
+
+Fixes: 2ab2d5794f14 ("powerpc/kasan: Disable address sanitization in kexec paths")
+Reported-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
+Closes: https://lore.kernel.org/all/1dee8891-8bcc-46b4-93f3-fc3a774abd5b@linux.ibm.com/
+Cc: stable@vger.kernel.org
+Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
+Acked-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
+Reviewed-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
+Tested-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
+Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20260407124349.1698552-1-sourabhjain@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kexec/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kexec/Makefile
++++ b/arch/powerpc/kexec/Makefile
+@@ -14,4 +14,4 @@ GCOV_PROFILE_core_$(BITS).o := n
+ KCOV_INSTRUMENT_core_$(BITS).o := n
+ UBSAN_SANITIZE_core_$(BITS).o := n
+ KASAN_SANITIZE_core.o := n
+-KASAN_SANITIZE_core_$(BITS) := n
++KASAN_SANITIZE_core_$(BITS).o := n
usb-serial-option-add-telit-cinterion-le910cx-compositions.patch
usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch
alsa-firewire-tascam-do-not-drop-unread-control-events.patch
+powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch
+xfrm-provide-message-size-for-xfrm_msg_mapping.patch
+ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
+bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch
+bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
+spi-zynqmp-gqspi-fix-controller-deregistration.patch
+staging-vme_user-fix-root-device-leak-on-init-failure.patch
--- /dev/null
+From 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 10 Apr 2026 10:17:55 +0200
+Subject: spi: zynqmp-gqspi: fix controller deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: dfe11a11d523 ("spi: Add support for Zynq Ultrascale+ MPSoC GQSPI controller")
+Cc: stable@vger.kernel.org # 4.2: 64640f6c972e
+Cc: stable@vger.kernel.org # 4.2
+Cc: Ranjit Waghmode <ranjit.waghmode@xilinx.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260410081757.503099-26-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-zynqmp-gqspi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-zynqmp-gqspi.c
++++ b/drivers/spi/spi-zynqmp-gqspi.c
+@@ -1202,7 +1202,7 @@ static int zynqmp_qspi_probe(struct plat
+ ctlr->dev.of_node = np;
+ ctlr->auto_runtime_pm = true;
+
+- ret = devm_spi_register_controller(&pdev->dev, ctlr);
++ ret = spi_register_controller(ctlr);
+ if (ret) {
+ dev_err(&pdev->dev, "spi_register_controller failed\n");
+ goto clk_dis_all;
+@@ -1243,6 +1243,8 @@ static int zynqmp_qspi_remove(struct pla
+
+ pm_runtime_get_sync(&pdev->dev);
+
++ spi_unregister_controller(xqspi->ctlr);
++
+ zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0);
+
+ pm_runtime_disable(&pdev->dev);
--- /dev/null
+From 32c91e8ee039777d0b95b914633fc6a42607959c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 24 Apr 2026 12:49:10 +0200
+Subject: staging: vme_user: fix root device leak on init failure
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 32c91e8ee039777d0b95b914633fc6a42607959c upstream.
+
+Make sure to deregister and free the root device in case module
+initialisation fails.
+
+Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
+Cc: stable@vger.kernel.org # 4.9
+Cc: Martyn Welch <martyn@welchs.me.uk>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260424104910.2619349-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/vme_user/vme_fake.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/vme_user/vme_fake.c
++++ b/drivers/staging/vme_user/vme_fake.c
+@@ -1242,6 +1242,8 @@ err_master:
+ err_driver:
+ kfree(fake_bridge);
+ err_struct:
++ root_device_unregister(vme_root);
++
+ return retval;
+
+ }
--- /dev/null
+From 28465227c80fe417b4013c432be1f3737cb9f9a3 Mon Sep 17 00:00:00 2001
+From: Ruijie Li <ruijieli51@gmail.com>
+Date: Wed, 29 Apr 2026 00:41:43 +0800
+Subject: xfrm: provide message size for XFRM_MSG_MAPPING
+
+From: Ruijie Li <ruijieli51@gmail.com>
+
+commit 28465227c80fe417b4013c432be1f3737cb9f9a3 upstream.
+
+The compat 64=>32 translation path handles XFRM_MSG_MAPPING, but
+xfrm_msg_min[] does not provide the native payload size for this
+message type.
+
+Add the missing XFRM_MSG_MAPPING entry so compat translation can size
+and translate mapping notifications correctly.
+
+Fixes: 5461fc0c8d9f ("xfrm/compat: Add 64=>32-bit messages translator")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Ruijie Li <ruijieli51@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2960,6 +2960,7 @@ const int xfrm_msg_min[XFRM_NR_MSGTYPES]
+ [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
++ [XFRM_MSG_MAPPING - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_mapping),
+ [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ };
projects / thirdparty / kernel / stable-queue.git / commitdiff
