--- /dev/null
+From 6df75dd28fb0ba58487289d8cb21f81a19e2b0e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2026 14:35:39 +0800
+Subject: Bluetooth: btintel: serialize btintel_hw_error() with
+ hci_req_sync_lock
+
+From: Cen Zhang <zzzccc427@gmail.com>
+
+[ Upstream commit 94d8e6fe5d0818e9300e514e095a200bd5ff93ae ]
+
+btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET
+and Intel exception-info retrieval) without holding
+hci_req_sync_lock(). This lets it race against
+hci_dev_do_close() -> btintel_shutdown_combined(), which also runs
+__hci_cmd_sync() under the same lock. When both paths manipulate
+hdev->req_status/req_rsp concurrently, the close path may free the
+response skb first, and the still-running hw_error path hits a
+slab-use-after-free in kfree_skb().
+
+Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it
+is serialized with every other synchronous HCI command issuer.
+
+Below is the data race report and the kasan report:
+
+ BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined
+
+ read of hdev->req_rsp at net/bluetooth/hci_sync.c:199
+ by task kworker/u17:1/83:
+ __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
+ __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
+ btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254
+ hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030
+
+ write/free by task ioctl/22580:
+ btintel_shutdown_combined+0xd0/0x360
+ drivers/bluetooth/btintel.c:3648
+ hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246
+ hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526
+
+ BUG: KASAN: slab-use-after-free in
+ sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202
+ Read of size 4 at addr ffff888144a738dc
+ by task kworker/u17:1/83:
+ __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
+ __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
+ btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260
+
+Fixes: 973bb97e5aee ("Bluetooth: btintel: Add generic function for handling hardware errors")
+Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Fang Wang <32840572@qq.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btintel.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
+index 7a9d2da3c8146..1cba08e9403a4 100644
+--- a/drivers/bluetooth/btintel.c
++++ b/drivers/bluetooth/btintel.c
+@@ -225,11 +225,13 @@ static void btintel_hw_error(struct hci_dev *hdev, u8 code)
+
+ bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
+
++ hci_req_sync_lock(hdev);
++
+ skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
+ if (IS_ERR(skb)) {
+ bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
+ PTR_ERR(skb));
+- return;
++ goto unlock;
+ }
+ kfree_skb(skb);
+
+@@ -237,18 +239,21 @@ static void btintel_hw_error(struct hci_dev *hdev, u8 code)
+ if (IS_ERR(skb)) {
+ bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
+ PTR_ERR(skb));
+- return;
++ goto unlock;
+ }
+
+ if (skb->len != 13) {
+ bt_dev_err(hdev, "Exception info size mismatch");
+ kfree_skb(skb);
+- return;
++ goto unlock;
+ }
+
+ bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
+
+ kfree_skb(skb);
++
++unlock:
++ hci_req_sync_unlock(hdev);
+ }
+
+ int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
+--
+2.53.0
+
--- /dev/null
+From 765ec1924ea67d625d3439e9244cd6ef4f2f8afd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2026 14:34:05 +0800
+Subject: Bluetooth: hci_sync: Remove remaining dependencies of hci_request
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit f2d89775358606c7ab6b6b6c4a02fe1e8cd270b1 ]
+
+This removes the dependencies of hci_req_init and hci_request_cancel_all
+from hci_sync.c.
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Fang Wang <32840572@qq.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_sync.h | 17 +++++++++++++++++
+ net/bluetooth/hci_request.h | 21 ---------------------
+ net/bluetooth/hci_sync.c | 14 +++++++++++---
+ 3 files changed, 28 insertions(+), 24 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_sync.h b/include/net/bluetooth/hci_sync.h
+index a8b106d884d41..a68ddf5c02286 100644
+--- a/include/net/bluetooth/hci_sync.h
++++ b/include/net/bluetooth/hci_sync.h
+@@ -5,6 +5,23 @@
+ * Copyright (C) 2021 Intel Corporation
+ */
+
++#define HCI_REQ_DONE 0
++#define HCI_REQ_PEND 1
++#define HCI_REQ_CANCELED 2
++
++#define hci_req_sync_lock(hdev) mutex_lock(&hdev->req_lock)
++#define hci_req_sync_unlock(hdev) mutex_unlock(&hdev->req_lock)
++
++struct hci_request {
++ struct hci_dev *hdev;
++ struct sk_buff_head cmd_q;
++
++ /* If something goes wrong when building the HCI request, the error
++ * value is stored in this field.
++ */
++ int err;
++};
++
+ typedef int (*hci_cmd_sync_work_func_t)(struct hci_dev *hdev, void *data);
+ typedef void (*hci_cmd_sync_work_destroy_t)(struct hci_dev *hdev, void *data,
+ int err);
+diff --git a/net/bluetooth/hci_request.h b/net/bluetooth/hci_request.h
+index 0be75cf0efed8..b730da4a8b476 100644
+--- a/net/bluetooth/hci_request.h
++++ b/net/bluetooth/hci_request.h
+@@ -22,27 +22,6 @@
+
+ #include <asm/unaligned.h>
+
+-#define HCI_REQ_DONE 0
+-#define HCI_REQ_PEND 1
+-#define HCI_REQ_CANCELED 2
+-
+-#define hci_req_sync_lock(hdev) mutex_lock(&hdev->req_lock)
+-#define hci_req_sync_unlock(hdev) mutex_unlock(&hdev->req_lock)
+-
+-#define HCI_REQ_DONE 0
+-#define HCI_REQ_PEND 1
+-#define HCI_REQ_CANCELED 2
+-
+-struct hci_request {
+- struct hci_dev *hdev;
+- struct sk_buff_head cmd_q;
+-
+- /* If something goes wrong when building the HCI request, the error
+- * value is stored in this field.
+- */
+- int err;
+-};
+-
+ void hci_req_init(struct hci_request *req, struct hci_dev *hdev);
+ void hci_req_purge(struct hci_request *req);
+ bool hci_req_status_pend(struct hci_dev *hdev);
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index c6f9d07a48194..4d23455e90bbe 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -11,7 +11,6 @@
+ #include <net/bluetooth/hci_core.h>
+ #include <net/bluetooth/mgmt.h>
+
+-#include "hci_request.h"
+ #include "hci_codec.h"
+ #include "hci_debugfs.h"
+ #include "smp.h"
+@@ -142,6 +141,13 @@ static int hci_cmd_sync_run(struct hci_request *req)
+ return 0;
+ }
+
++static void hci_request_init(struct hci_request *req, struct hci_dev *hdev)
++{
++ skb_queue_head_init(&req->cmd_q);
++ req->hdev = hdev;
++ req->err = 0;
++}
++
+ /* This function requires the caller holds hdev->req_lock. */
+ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
+ const void *param, u8 event, u32 timeout,
+@@ -153,7 +159,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
+
+ bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
+
+- hci_req_init(&req, hdev);
++ hci_request_init(&req, hdev);
+
+ hci_cmd_sync_add(&req, opcode, plen, param, event, sk);
+
+@@ -5188,7 +5194,9 @@ int hci_dev_close_sync(struct hci_dev *hdev)
+ cancel_delayed_work(&hdev->le_scan_disable);
+ cancel_delayed_work(&hdev->le_scan_restart);
+
+- hci_request_cancel_all(hdev);
++ hci_cmd_sync_cancel_sync(hdev, ENODEV);
++
++ cancel_interleave_scan(hdev);
+
+ if (hdev->adv_instance_timeout) {
+ cancel_delayed_work_sync(&hdev->adv_instance_expire);
+--
+2.53.0
+
--- /dev/null
+From 0936ca498fa28178890279c55f8b11167a6b906f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2026 17:22:13 +0800
+Subject: ice: Fix memory leak in ice_set_ringparam()
+
+From: Zilin Guan <zilin@seu.edu.cn>
+
+[ Upstream commit fe868b499d16f55bbeea89992edb98043c9de416 ]
+
+In ice_set_ringparam, tx_rings and xdp_rings are allocated before
+rx_rings. If the allocation of rx_rings fails, the code jumps to
+the done label leaking both tx_rings and xdp_rings. Furthermore, if
+the setup of an individual Rx ring fails during the loop, the code jumps
+to the free_tx label which releases tx_rings but leaks xdp_rings.
+
+Fix this by introducing a free_xdp label and updating the error paths to
+ensure both xdp_rings and tx_rings are properly freed if rx_rings
+allocation or setup fails.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: fcea6f3da546 ("ice: Add stats and ethtool support")
+Fixes: efc2214b6047 ("ice: Add support for XDP")
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Rajani Kantha <681739313@139.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_ethtool.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+index 49c524304a412..7774292a5bdbe 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+@@ -2891,7 +2891,7 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
+ rx_rings = kcalloc(vsi->num_rxq, sizeof(*rx_rings), GFP_KERNEL);
+ if (!rx_rings) {
+ err = -ENOMEM;
+- goto done;
++ goto free_xdp;
+ }
+
+ ice_for_each_rxq(vsi, i) {
+@@ -2921,7 +2921,7 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
+ }
+ kfree(rx_rings);
+ err = -ENOMEM;
+- goto free_tx;
++ goto free_xdp;
+ }
+ }
+
+@@ -2972,6 +2972,13 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
+ }
+ goto done;
+
++free_xdp:
++ if (xdp_rings) {
++ ice_for_each_xdp_txq(vsi, i)
++ ice_free_tx_ring(&xdp_rings[i]);
++ kfree(xdp_rings);
++ }
++
+ free_tx:
+ /* error cleanup if the Rx allocations failed after getting Tx */
+ if (tx_rings) {
+--
+2.53.0
+
kvm-x86-fix-shadow-paging-use-after-free-due-to-unex.patch
net-fix-icmp-host-relookup-triggering-ip_rt_bug.patch
flow_dissector-do-not-dissect-pppoe-pfc-frames.patch
+bluetooth-hci_sync-remove-remaining-dependencies-of-.patch
+bluetooth-btintel-serialize-btintel_hw_error-with-hc.patch
+ice-fix-memory-leak-in-ice_set_ringparam.patch
--- /dev/null
+From 08d75e5c47669d781cadd8083e31bd68a10b3113 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 May 2026 15:44:11 +0800
+Subject: Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+[ Upstream commit 00fdebbbc557a2fc21321ff2eaa22fd70c078608 ]
+
+l2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer
+and id_addr_timer while holding conn->lock. However, the work functions
+l2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire
+conn->lock, creating a potential AB-BA deadlock if the work is already
+executing when l2cap_conn_del() takes the lock.
+
+Move the work cancellations before acquiring conn->lock and use
+disable_delayed_work_sync() to additionally prevent the works from
+being rearmed after cancellation, consistent with the pattern used in
+hci_conn_del().
+
+Fixes: ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del")
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+[ Minor context conflict resolved. ]
+Signed-off-by: Wenshan Lan <jetlan9@163.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 128f5701efb46..307f7fe975b59 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1756,6 +1756,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
+
+ BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
+
++ disable_delayed_work_sync(&conn->info_timer);
++ disable_delayed_work_sync(&conn->id_addr_timer);
++
+ mutex_lock(&conn->lock);
+
+ kfree_skb(conn->rx_skb);
+@@ -1769,8 +1772,6 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
+ if (work_pending(&conn->pending_rx_work))
+ cancel_work_sync(&conn->pending_rx_work);
+
+- cancel_delayed_work_sync(&conn->id_addr_timer);
+-
+ l2cap_unregister_all_users(conn);
+
+ /* Force the connection to be immediately dropped */
+@@ -1789,9 +1790,6 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
+ l2cap_chan_put(chan);
+ }
+
+- if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
+- cancel_delayed_work_sync(&conn->info_timer);
+-
+ hci_chan_del(conn->hchan);
+ conn->hchan = NULL;
+
+--
+2.53.0
+
net-txgbe-fix-rtnl-assertion-warning-when-remove-mod.patch
net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch
kvm-svm-check-validity-of-vmcb-controls-when-returning-from-smm.patch
+bluetooth-l2cap-fix-deadlock-in-l2cap_conn_del.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
