From: Greg Kroah-Hartman Date: Sat, 6 Sep 2025 20:18:09 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.4.299~40 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=675c33444359fb792803a12d1c44473fb967fa67;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: batman-adv-fix-oob-read-write-in-network-coding-decode.patch cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch net-pcs-rzn1-miic-correct-modctrl-register-offset.patch ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch proc-fix-missing-pde_set_flags-for-net-proc-files.patch scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch --- diff --git a/queue-6.1/batman-adv-fix-oob-read-write-in-network-coding-decode.patch b/queue-6.1/batman-adv-fix-oob-read-write-in-network-coding-decode.patch new file mode 100644 index 0000000000..b3ca6e46e7 --- /dev/null +++ b/queue-6.1/batman-adv-fix-oob-read-write-in-network-coding-decode.patch @@ -0,0 +1,44 @@ +From d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 Mon Sep 17 00:00:00 2001 +From: Stanislav Fort +Date: Sun, 31 Aug 2025 16:56:23 +0200 +Subject: batman-adv: fix OOB read/write in network-coding decode + +From: Stanislav Fort + +commit d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 upstream. + +batadv_nc_skb_decode_packet() trusts coded_len and checks only against +skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing +payload headroom, and the source skb length is not verified, allowing an +out-of-bounds read and a small out-of-bounds write. + +Validate that coded_len fits within the payload area of both destination +and source sk_buffs before XORing. + +Fixes: 2df5278b0267 ("batman-adv: network coding - receive coded packets and decode them") +Cc: stable@vger.kernel.org +Reported-by: Stanislav Fort +Signed-off-by: Stanislav Fort +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/network-coding.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/network-coding.c ++++ b/net/batman-adv/network-coding.c +@@ -1687,7 +1687,12 @@ batadv_nc_skb_decode_packet(struct batad + + coding_len = ntohs(coded_packet_tmp.coded_len); + +- if (coding_len > skb->len) ++ /* ensure dst buffer is large enough (payload only) */ ++ if (coding_len + h_size > skb->len) ++ return NULL; ++ ++ /* ensure src buffer is large enough (payload only) */ ++ if (coding_len + h_size > nc_packet->skb->len) + return NULL; + + /* Here the magic is reversed: diff --git a/queue-6.1/cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch b/queue-6.1/cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch new file mode 100644 index 0000000000..7d15e03a3a --- /dev/null +++ b/queue-6.1/cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch @@ -0,0 +1,39 @@ +From 70bccd9855dae56942f2b18a08ba137bb54093a0 Mon Sep 17 00:00:00 2001 +From: Makar Semyonov +Date: Thu, 4 Sep 2025 15:28:41 +0300 +Subject: cifs: prevent NULL pointer dereference in UTF16 conversion + +From: Makar Semyonov + +commit 70bccd9855dae56942f2b18a08ba137bb54093a0 upstream. + +There can be a NULL pointer dereference bug here. NULL is passed to +__cifs_sfu_make_node without checks, which passes it unchecked to +cifs_strndup_to_utf16, which in turn passes it to +cifs_local_to_utf16_bytes where '*from' is dereferenced, causing a crash. + +This patch adds a check for NULL 'src' in cifs_strndup_to_utf16 and +returns NULL early to prevent dereferencing NULL pointer. + +Found by Linux Verification Center (linuxtesting.org) with SVACE + +Signed-off-by: Makar Semyonov +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifs_unicode.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/smb/client/cifs_unicode.c ++++ b/fs/smb/client/cifs_unicode.c +@@ -619,6 +619,9 @@ cifs_strndup_to_utf16(const char *src, c + int len; + __le16 *dst; + ++ if (!src) ++ return NULL; ++ + len = cifs_local_to_utf16_bytes(src, maxlen, cp); + len += 2; /* NULL */ + dst = kmalloc(len, GFP_KERNEL); diff --git a/queue-6.1/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch b/queue-6.1/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch new file mode 100644 index 0000000000..1eeb0536d8 --- /dev/null +++ b/queue-6.1/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch @@ -0,0 +1,105 @@ +From 71403f58b4bb6c13b71c05505593a355f697fd94 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 6 Aug 2025 10:47:50 -0400 +Subject: drm/amdgpu: drop hw access in non-DC audio fini + +From: Alex Deucher + +commit 71403f58b4bb6c13b71c05505593a355f697fd94 upstream. + +We already disable the audio pins in hw_fini so +there is no need to do it again in sw_fini. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4481 +Cc: oushixiong +Signed-off-by: Alex Deucher +(cherry picked from commit 5eeb16ca727f11278b2917fd4311a7d7efb0bbd6) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 ----- + drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 ----- + drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 ----- + drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 ----- + 4 files changed, 20 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c +@@ -1464,17 +1464,12 @@ static int dce_v10_0_audio_init(struct a + + static void dce_v10_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v10_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c +@@ -1506,17 +1506,12 @@ static int dce_v11_0_audio_init(struct a + + static void dce_v11_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v11_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c +@@ -1375,17 +1375,12 @@ static int dce_v6_0_audio_init(struct am + + static void dce_v6_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v6_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c +@@ -1427,17 +1427,12 @@ static int dce_v8_0_audio_init(struct am + + static void dce_v8_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v8_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + diff --git a/queue-6.1/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch b/queue-6.1/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch new file mode 100644 index 0000000000..9218decb32 --- /dev/null +++ b/queue-6.1/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch @@ -0,0 +1,55 @@ +From 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 Mon Sep 17 00:00:00 2001 +From: Vitaly Lifshits +Date: Sun, 17 Aug 2025 12:25:47 +0300 +Subject: e1000e: fix heap overflow in e1000_set_eeprom + +From: Vitaly Lifshits + +commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 upstream. + +Fix a possible heap overflow in e1000_set_eeprom function by adding +input validation for the requested length of the change in the EEPROM. +In addition, change the variable type from int to size_t for better +code practices and rearrange declarations to RCT. + +Cc: stable@vger.kernel.org +Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)") +Co-developed-by: Mikael Wessel +Signed-off-by: Mikael Wessel +Signed-off-by: Vitaly Lifshits +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/intel/e1000e/ethtool.c ++++ b/drivers/net/ethernet/intel/e1000e/ethtool.c +@@ -559,12 +559,12 @@ static int e1000_set_eeprom(struct net_d + { + struct e1000_adapter *adapter = netdev_priv(netdev); + struct e1000_hw *hw = &adapter->hw; ++ size_t total_len, max_len; + u16 *eeprom_buff; +- void *ptr; +- int max_len; ++ int ret_val = 0; + int first_word; + int last_word; +- int ret_val = 0; ++ void *ptr; + u16 i; + + if (eeprom->len == 0) +@@ -579,6 +579,10 @@ static int e1000_set_eeprom(struct net_d + + max_len = hw->nvm.word_size * 2; + ++ if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) || ++ total_len > max_len) ++ return -EFBIG; ++ + first_word = eeprom->offset >> 1; + last_word = (eeprom->offset + eeprom->len - 1) >> 1; + eeprom_buff = kmalloc(max_len, GFP_KERNEL); diff --git a/queue-6.1/net-pcs-rzn1-miic-correct-modctrl-register-offset.patch b/queue-6.1/net-pcs-rzn1-miic-correct-modctrl-register-offset.patch new file mode 100644 index 0000000000..9ac32e2234 --- /dev/null +++ b/queue-6.1/net-pcs-rzn1-miic-correct-modctrl-register-offset.patch @@ -0,0 +1,49 @@ +From a7195a3d67dace056af7ca65144a11874df79562 Mon Sep 17 00:00:00 2001 +From: Lad Prabhakar +Date: Mon, 1 Sep 2025 12:20:19 +0100 +Subject: net: pcs: rzn1-miic: Correct MODCTRL register offset + +From: Lad Prabhakar + +commit a7195a3d67dace056af7ca65144a11874df79562 upstream. + +Correct the Mode Control Register (MODCTRL) offset for RZ/N MIIC. +According to the R-IN Engine and Ethernet Peripherals Manual (Rev.1.30) +[0], Table 10.1 "Ethernet Accessory Register List", MODCTRL is at offset +0x8, not 0x20 as previously defined. + +Offset 0x20 actually maps to the Port Trigger Control Register (PTCTRL), +which controls PTP_MODE[3:0] and RGMII_CLKSEL[4]. Using this incorrect +definition prevented the driver from configuring the SW_MODE[4:0] bits +in MODCTRL, which control the internal connection of Ethernet ports. As +a result, the MIIC could not be switched into the correct mode, leading +to link setup failures and non-functional Ethernet ports on affected +systems. + +[0] https://www.renesas.com/en/document/mah/rzn1d-group-rzn1s-group-rzn1l-group-users-manual-r-engine-and-ethernet-peripherals?r=1054571 + +Fixes: 7dc54d3b8d91 ("net: pcs: add Renesas MII converter driver") +Cc: stable@kernel.org +Signed-off-by: Lad Prabhakar +Reviewed-by: Wolfram Sang +Reviewed-by: Russell King (Oracle) +Reviewed-by: Geert Uytterhoeven +Tested-by: Wolfram Sang +Link: https://patch.msgid.link/20250901112019.16278-1-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/pcs/pcs-rzn1-miic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/pcs/pcs-rzn1-miic.c ++++ b/drivers/net/pcs/pcs-rzn1-miic.c +@@ -18,7 +18,7 @@ + #define MIIC_PRCMD 0x0 + #define MIIC_ESID_CODE 0x4 + +-#define MIIC_MODCTRL 0x20 ++#define MIIC_MODCTRL 0x8 + #define MIIC_MODCTRL_SW_MODE GENMASK(4, 0) + + #define MIIC_CONVCTRL(port) (0x100 + (port) * 4) diff --git a/queue-6.1/ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch b/queue-6.1/ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch new file mode 100644 index 0000000000..5ad421e850 --- /dev/null +++ b/queue-6.1/ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch @@ -0,0 +1,58 @@ +From f46e8ef8bb7b452584f2e75337b619ac51a7cadf Mon Sep 17 00:00:00 2001 +From: Edward Adam Davis +Date: Tue, 19 Aug 2025 21:41:02 +0800 +Subject: ocfs2: prevent release journal inode after journal shutdown + +From: Edward Adam Davis + +commit f46e8ef8bb7b452584f2e75337b619ac51a7cadf upstream. + +Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already +been executed in ocfs2_dismount_volume(), so osb->journal must be NULL. +Therefore, the following calltrace will inevitably fail when it reaches +jbd2_journal_release_jbd_inode(). + +ocfs2_dismount_volume()-> + ocfs2_delete_osb()-> + ocfs2_free_slot_info()-> + __ocfs2_free_slot_info()-> + evict()-> + ocfs2_evict_inode()-> + ocfs2_clear_inode()-> + jbd2_journal_release_jbd_inode(osb->journal->j_journal, + +Adding osb->journal checks will prevent null-ptr-deref during the above +execution path. + +Link: https://lkml.kernel.org/r/tencent_357489BEAEE4AED74CBD67D246DBD2C4C606@qq.com +Fixes: da5e7c87827e ("ocfs2: cleanup journal init and shutdown") +Signed-off-by: Edward Adam Davis +Reported-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=47d8cb2f2cc1517e515a +Tested-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com +Reviewed-by: Mark Tinguely +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/ocfs2/inode.c ++++ b/fs/ocfs2/inode.c +@@ -1205,6 +1205,9 @@ static void ocfs2_clear_inode(struct ino + * the journal is flushed before journal shutdown. Thus it is safe to + * have inodes get cleaned up after journal shutdown. + */ ++ if (!osb->journal) ++ return; ++ + jbd2_journal_release_jbd_inode(osb->journal->j_journal, + &oi->ip_jinode); + } diff --git a/queue-6.1/proc-fix-missing-pde_set_flags-for-net-proc-files.patch b/queue-6.1/proc-fix-missing-pde_set_flags-for-net-proc-files.patch new file mode 100644 index 0000000000..83f76151ff --- /dev/null +++ b/queue-6.1/proc-fix-missing-pde_set_flags-for-net-proc-files.patch @@ -0,0 +1,132 @@ +From 2ce3d282bd5050fca8577defeff08ada0d55d062 Mon Sep 17 00:00:00 2001 +From: wangzijie +Date: Mon, 18 Aug 2025 20:31:02 +0800 +Subject: proc: fix missing pde_set_flags() for net proc files +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: wangzijie + +commit 2ce3d282bd5050fca8577defeff08ada0d55d062 upstream. + +To avoid potential UAF issues during module removal races, we use +pde_set_flags() to save proc_ops flags in PDE itself before +proc_register(), and then use pde_has_proc_*() helpers instead of directly +dereferencing pde->proc_ops->*. + +However, the pde_set_flags() call was missing when creating net related +proc files. This omission caused incorrect behavior which FMODE_LSEEK was +being cleared inappropriately in proc_reg_open() for net proc files. Lars +reported it in this link[1]. + +Fix this by ensuring pde_set_flags() is called when register proc entry, +and add NULL check for proc_ops in pde_set_flags(). + +[wangzijie1@honor.com: stash pde->proc_ops in a local const variable, per Christian] + Link: https://lkml.kernel.org/r/20250821105806.1453833-1-wangzijie1@honor.com +Link: https://lkml.kernel.org/r/20250818123102.959595-1-wangzijie1@honor.com +Link: https://lore.kernel.org/all/20250815195616.64497967@chagall.paradoxon.rec/ [1] +Fixes: ff7ec8dc1b64 ("proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al") +Signed-off-by: wangzijie +Reported-by: Lars Wendler +Tested-by: Stefano Brivio +Tested-by: Petr Vaněk +Tested by: Lars Wendler +Cc: Alexei Starovoitov +Cc: Alexey Dobriyan +Cc: Al Viro +Cc: "Edgecombe, Rick P" +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: Kirill A. Shutemov +Cc: wangzijie +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/generic.c | 38 +++++++++++++++++++++----------------- + 1 file changed, 21 insertions(+), 17 deletions(-) + +--- a/fs/proc/generic.c ++++ b/fs/proc/generic.c +@@ -363,6 +363,25 @@ static const struct inode_operations pro + .setattr = proc_notify_change, + }; + ++static void pde_set_flags(struct proc_dir_entry *pde) ++{ ++ const struct proc_ops *proc_ops = pde->proc_ops; ++ ++ if (!proc_ops) ++ return; ++ ++ if (proc_ops->proc_flags & PROC_ENTRY_PERMANENT) ++ pde->flags |= PROC_ENTRY_PERMANENT; ++ if (proc_ops->proc_read_iter) ++ pde->flags |= PROC_ENTRY_proc_read_iter; ++#ifdef CONFIG_COMPAT ++ if (proc_ops->proc_compat_ioctl) ++ pde->flags |= PROC_ENTRY_proc_compat_ioctl; ++#endif ++ if (proc_ops->proc_lseek) ++ pde->flags |= PROC_ENTRY_proc_lseek; ++} ++ + /* returns the registered entry, or frees dp and returns NULL on failure */ + struct proc_dir_entry *proc_register(struct proc_dir_entry *dir, + struct proc_dir_entry *dp) +@@ -370,6 +389,8 @@ struct proc_dir_entry *proc_register(str + if (proc_alloc_inum(&dp->low_ino)) + goto out_free_entry; + ++ pde_set_flags(dp); ++ + write_lock(&proc_subdir_lock); + dp->parent = dir; + if (pde_subdir_insert(dir, dp) == false) { +@@ -558,20 +579,6 @@ struct proc_dir_entry *proc_create_reg(c + return p; + } + +-static void pde_set_flags(struct proc_dir_entry *pde) +-{ +- if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT) +- pde->flags |= PROC_ENTRY_PERMANENT; +- if (pde->proc_ops->proc_read_iter) +- pde->flags |= PROC_ENTRY_proc_read_iter; +-#ifdef CONFIG_COMPAT +- if (pde->proc_ops->proc_compat_ioctl) +- pde->flags |= PROC_ENTRY_proc_compat_ioctl; +-#endif +- if (pde->proc_ops->proc_lseek) +- pde->flags |= PROC_ENTRY_proc_lseek; +-} +- + struct proc_dir_entry *proc_create_data(const char *name, umode_t mode, + struct proc_dir_entry *parent, + const struct proc_ops *proc_ops, void *data) +@@ -582,7 +589,6 @@ struct proc_dir_entry *proc_create_data( + if (!p) + return NULL; + p->proc_ops = proc_ops; +- pde_set_flags(p); + return proc_register(parent, p); + } + EXPORT_SYMBOL(proc_create_data); +@@ -633,7 +639,6 @@ struct proc_dir_entry *proc_create_seq_p + p->proc_ops = &proc_seq_ops; + p->seq_ops = ops; + p->state_size = state_size; +- pde_set_flags(p); + return proc_register(parent, p); + } + EXPORT_SYMBOL(proc_create_seq_private); +@@ -664,7 +669,6 @@ struct proc_dir_entry *proc_create_singl + return NULL; + p->proc_ops = &proc_single_ops; + p->single_show = show; +- pde_set_flags(p); + return proc_register(parent, p); + } + EXPORT_SYMBOL(proc_create_single_data); diff --git a/queue-6.1/scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch b/queue-6.1/scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch new file mode 100644 index 0000000000..88c5bfb37a --- /dev/null +++ b/queue-6.1/scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch @@ -0,0 +1,70 @@ +From 9dba9a45c348e8460da97c450cddf70b2056deb3 Mon Sep 17 00:00:00 2001 +From: John Evans +Date: Thu, 28 Aug 2025 12:40:08 +0800 +Subject: scsi: lpfc: Fix buffer free/clear order in deferred receive path + +From: John Evans + +commit 9dba9a45c348e8460da97c450cddf70b2056deb3 upstream. + +Fix a use-after-free window by correcting the buffer release sequence in +the deferred receive path. The code freed the RQ buffer first and only +then cleared the context pointer under the lock. Concurrent paths (e.g., +ABTS and the repost path) also inspect and release the same pointer under +the lock, so the old order could lead to double-free/UAF. + +Note that the repost path already uses the correct pattern: detach the +pointer under the lock, then free it after dropping the lock. The +deferred path should do the same. + +Fixes: 472e146d1cf3 ("scsi: lpfc: Correct upcalling nvmet_fc transport during io done downcall") +Cc: stable@vger.kernel.org +Signed-off-by: John Evans +Link: https://lore.kernel.org/r/20250828044008.743-1-evans1210144@gmail.com +Reviewed-by: Justin Tee +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_nvmet.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_nvmet.c ++++ b/drivers/scsi/lpfc/lpfc_nvmet.c +@@ -1243,7 +1243,7 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar + struct lpfc_nvmet_tgtport *tgtp; + struct lpfc_async_xchg_ctx *ctxp = + container_of(rsp, struct lpfc_async_xchg_ctx, hdlrctx.fcp_req); +- struct rqb_dmabuf *nvmebuf = ctxp->rqb_buffer; ++ struct rqb_dmabuf *nvmebuf; + struct lpfc_hba *phba = ctxp->phba; + unsigned long iflag; + +@@ -1251,13 +1251,18 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar + lpfc_nvmeio_data(phba, "NVMET DEFERRCV: xri x%x sz %d CPU %02x\n", + ctxp->oxid, ctxp->size, raw_smp_processor_id()); + ++ spin_lock_irqsave(&ctxp->ctxlock, iflag); ++ nvmebuf = ctxp->rqb_buffer; + if (!nvmebuf) { ++ spin_unlock_irqrestore(&ctxp->ctxlock, iflag); + lpfc_printf_log(phba, KERN_INFO, LOG_NVME_IOERR, + "6425 Defer rcv: no buffer oxid x%x: " + "flg %x ste %x\n", + ctxp->oxid, ctxp->flag, ctxp->state); + return; + } ++ ctxp->rqb_buffer = NULL; ++ spin_unlock_irqrestore(&ctxp->ctxlock, iflag); + + tgtp = phba->targetport->private; + if (tgtp) +@@ -1265,9 +1270,6 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar + + /* Free the nvmebuf since a new buffer already replaced it */ + nvmebuf->hrq->rqbp->rqb_free_buffer(phba, nvmebuf); +- spin_lock_irqsave(&ctxp->ctxlock, iflag); +- ctxp->rqb_buffer = NULL; +- spin_unlock_irqrestore(&ctxp->ctxlock, iflag); + } + + /** diff --git a/queue-6.1/series b/queue-6.1/series index 2610f07449..31bcdacaf5 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -42,3 +42,12 @@ acpi-iort-fix-memory-leak-in-iort_rmr_alloc_sids.patch pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch x86-mm-64-define-arch_page_table_sync_mask-and-arch_sync_kernel_mappings.patch mm-move-page-table-sync-declarations-to-linux-pgtable.h.patch +ocfs2-prevent-release-journal-inode-after-journal-shutdown.patch +proc-fix-missing-pde_set_flags-for-net-proc-files.patch +wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch +drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch +scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch +batman-adv-fix-oob-read-write-in-network-coding-decode.patch +cifs-prevent-null-pointer-dereference-in-utf16-conversion.patch +e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch +net-pcs-rzn1-miic-correct-modctrl-register-offset.patch diff --git a/queue-6.1/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch b/queue-6.1/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch new file mode 100644 index 0000000000..ef83553fbb --- /dev/null +++ b/queue-6.1/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch @@ -0,0 +1,70 @@ +From 0e20450829ca3c1dbc2db536391537c57a40fe0b Mon Sep 17 00:00:00 2001 +From: Qianfeng Rong +Date: Fri, 15 Aug 2025 10:30:50 +0800 +Subject: wifi: mwifiex: Initialize the chan_stats array to zero + +From: Qianfeng Rong + +commit 0e20450829ca3c1dbc2db536391537c57a40fe0b upstream. + +The adapter->chan_stats[] array is initialized in +mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out +memory. The array is filled in mwifiex_update_chan_statistics() +and then the user can query the data in mwifiex_cfg80211_dump_survey(). + +There are two potential issues here. What if the user calls +mwifiex_cfg80211_dump_survey() before the data has been filled in. +Also the mwifiex_update_chan_statistics() function doesn't necessarily +initialize the whole array. Since the array was not initialized at +the start that could result in an information leak. + +Also this array is pretty small. It's a maximum of 900 bytes so it's +more appropriate to use kcalloc() instead vmalloc(). + +Cc: stable@vger.kernel.org +Fixes: bf35443314ac ("mwifiex: channel statistics support for mwifiex") +Suggested-by: Dan Carpenter +Signed-off-by: Qianfeng Rong +Reviewed-by: Dan Carpenter +Link: https://patch.msgid.link/20250815023055.477719-1-rongqianfeng@vivo.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +++-- + drivers/net/wireless/marvell/mwifiex/main.c | 4 ++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -4316,8 +4316,9 @@ int mwifiex_init_channel_scan_gap(struct + * additional active scan request for hidden SSIDs on passive channels. + */ + adapter->num_in_chan_stats = 2 * (n_channels_bg + n_channels_a); +- adapter->chan_stats = vmalloc(array_size(sizeof(*adapter->chan_stats), +- adapter->num_in_chan_stats)); ++ adapter->chan_stats = kcalloc(adapter->num_in_chan_stats, ++ sizeof(*adapter->chan_stats), ++ GFP_KERNEL); + + if (!adapter->chan_stats) + return -ENOMEM; +--- a/drivers/net/wireless/marvell/mwifiex/main.c ++++ b/drivers/net/wireless/marvell/mwifiex/main.c +@@ -664,7 +664,7 @@ static int _mwifiex_fw_dpc(const struct + goto done; + + err_add_intf: +- vfree(adapter->chan_stats); ++ kfree(adapter->chan_stats); + err_init_chan_scan: + wiphy_unregister(adapter->wiphy); + wiphy_free(adapter->wiphy); +@@ -1486,7 +1486,7 @@ static void mwifiex_uninit_sw(struct mwi + wiphy_free(adapter->wiphy); + adapter->wiphy = NULL; + +- vfree(adapter->chan_stats); ++ kfree(adapter->chan_stats); + mwifiex_free_cmd_buffers(adapter); + } +