From: Greg Kroah-Hartman
Date: Tue, 12 May 2026 12:50:53 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=82b2072dbdf5757435302c329e72bb79699c75b2;p=thirdparty%2Fkernel%2Fstable-queue.git
6.6-stable patches
added patches:
bluetooth-hci_event-fix-oob-read-and-infinite-loop-in-hci_le_create_big_complete_evt.patch
bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch
bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch
ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
selinux-don-t-reserve-xattr-slot-when-we-won-t-fill-it.patch
selinux-prune-sys-fs-selinux-disable.patch
selinux-shrink-critical-section-in-sel_write_load.patch
spi-s3c64xx-fix-null-deref-on-driver-unbind.patch
spi-zynqmp-gqspi-fix-controller-deregistration.patch
staging-vme_user-fix-root-device-leak-on-init-failure.patch
xfrm-provide-message-size-for-xfrm_msg_mapping.patch
---
diff --git a/queue-6.6/bluetooth-hci_event-fix-oob-read-and-infinite-loop-in-hci_le_create_big_complete_evt.patch b/queue-6.6/bluetooth-hci_event-fix-oob-read-and-infinite-loop-in-hci_le_create_big_complete_evt.patch
new file mode 100644
index 0000000000..5e920e9c2a
--- /dev/null
+++ b/queue-6.6/bluetooth-hci_event-fix-oob-read-and-infinite-loop-in-hci_le_create_big_complete_evt.patch
@@ -0,0 +1,80 @@
+From 5ddb8014261137cadaf83ab5617a588d80a22586 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Fri, 10 Apr 2026 15:29:52 -0400
+Subject: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
+
+From: Luiz Augusto von Dentz
+
+commit 5ddb8014261137cadaf83ab5617a588d80a22586 upstream.
+
+hci_le_create_big_complete_evt() iterates over BT_BOUND connections for
+a BIG handle using a while loop, accessing ev->bis_handle[i++] on each
+iteration. However, there is no check that i stays within ev->num_bis
+before the array access.
+
+When a controller sends a LE_Create_BIG_Complete event with fewer
+bis_handle entries than there are BT_BOUND connections for that BIG,
+or with num_bis=0, the loop reads beyond the valid bis_handle[] flex
+array into adjacent heap memory. Since the out-of-bounds values
+typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()
+rejects them and the connection remains in BT_BOUND state. The same
+connection is then found again by hci_conn_hash_lookup_big_state(),
+creating an infinite loop with hci_dev_lock held.
+
+Fix this by terminating the BIG if in case not all BIS could be setup
+properly.
+
+Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes")
+Cc: stable@vger.kernel.org
+Signed-off-by: ZhiTao Ou
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_event.c | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6874,9 +6874,29 @@ static void hci_le_create_big_complete_e
+ continue;
+ }
+
++ if (ev->num_bis <= i) {
++ bt_dev_err(hdev,
++ "Not enough BIS handles for BIG 0x%2.2x",
++ ev->handle);
++ ev->status = HCI_ERROR_UNSPECIFIED;
++ hci_connect_cfm(conn, ev->status);
++ hci_conn_del(conn);
++ continue;
++ }
++
+ if (hci_conn_set_handle(conn,
+- __le16_to_cpu(ev->bis_handle[i++])))
++ __le16_to_cpu(ev->bis_handle[i++]))) {
++ bt_dev_err(hdev,
++ "Failed to set BIS handle for BIG 0x%2.2x",
++ ev->handle);
++ /* Force error so BIG gets terminated as not all BIS
++ * could be connected.
++ */
++ ev->status = HCI_ERROR_UNSPECIFIED;
++ hci_connect_cfm(conn, ev->status);
++ hci_conn_del(conn);
+ continue;
++ }
+
+ conn->state = BT_CONNECTED;
+ set_bit(HCI_CONN_BIG_CREATED, &conn->flags);
+@@ -6885,7 +6905,10 @@ static void hci_le_create_big_complete_e
+ hci_iso_setup_path(conn);
+ }
+
+- if (!ev->status && !i)
++ /* If there is an unexpected error or if no BISes have been connected
++ * for the BIG, terminate it.
++ */
++ if (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i))
+ /* If no BISes have been connected for the BIG,
+ * terminate. This is in case all bound connections
+ * have been closed before the BIG creation
diff --git a/queue-6.6/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch b/queue-6.6/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
new file mode 100644
index 0000000000..f2e8e8ebb2
--- /dev/null
+++ b/queue-6.6/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
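Review bot: Both new error branches overwrite `ev->status` in the controller-supplied event to carry a driver-detected failure, so the final `if (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i))` also fires when the controller itself reported HCI_ERROR_UNSPECIFIED, a case the old `!ev->status && !i` condition did not terminate; whether that extra terminate is harmless cannot be judged from the hunk. A local flag keeps the two cases apart and leaves the received event untouched: set it where `ev->status` is currently assigned, pass `HCI_ERROR_UNSPECIFIED` to hci_connect_cfm() directly, and test the flag in the final condition, as sketched below. The `ev->num_bis <= i` guard is the right bound for the flex array, assuming the event-table length check has already confirmed that `num_bis` handles fit in the skb (that check is outside this hunk). hci_le_create_big_complete_evt() begins and ends outside both hunks.
```c
	bool bis_err = false;	/* set when a bound BIS could not be given a handle */
	/* … unchanged: loop over BT_BOUND connections for this BIG … */
		if (ev->num_bis <= i) {
			bt_dev_err(hdev,
				   "Not enough BIS handles for BIG 0x%2.2x",
				   ev->handle);
			bis_err = true;
			hci_connect_cfm(conn, HCI_ERROR_UNSPECIFIED);
			hci_conn_del(conn);
			continue;
		}
	/* … unchanged: hci_conn_set_handle() failure branch, same substitution … */
	/* … unchanged: BT_CONNECTED setup and hci_iso_setup_path() … */
	if (bis_err || (!ev->status && !i))
```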
@@ -0,0 +1,33 @@
+From 0a120d96166301d7a95be75b52f843837dbd1219 Mon Sep 17 00:00:00 2001
+From: Siwei Zhang
+Date: Wed, 15 Apr 2026 16:49:59 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
+
+From: Siwei Zhang
+
+commit 0a120d96166301d7a95be75b52f843837dbd1219 upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 80808e431e1e ("Bluetooth: Add l2cap_chan_ops abstraction")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1464,6 +1464,9 @@ static struct l2cap_chan *l2cap_sock_new
+ {
+ struct sock *sk, *parent = chan->data;
+
++ if (!parent)
++ return NULL;
++
+ lock_sock(parent);
+
+ /* Check for backlog size */
diff --git a/queue-6.6/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch b/queue-6.6/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
new file mode 100644
index 0000000000..0445f02939
--- /dev/null
+++ b/queue-6.6/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
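Review bot: The new `if (!parent) return NULL;` guard reads `chan->data` with no locking visible in the hunk, so it only closes the race if the path that clears `chan->data` runs under a lock that the caller of this callback also holds; if it does not, the guard narrows the window rather than removing it. A one-line comment at the guard naming that lock, or stating that it mirrors l2cap_sock_resume_cb()/l2cap_sock_ready_cb() as the commit message does, would make the invariant checkable, e.g. `/* chan->data is cleared on socket teardown; bail out like the other chan_ops callbacks */`. The same applies to the `if (!sk) return;` guard in the l2cap_sock_state_change_cb hunk. Both functions continue past the end of their hunks.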
@@ -0,0 +1,33 @@
+From 2ff1a41a912de8517b4482e946dd951b7d80edbf Mon Sep 17 00:00:00 2001
+From: Siwei Zhang
+Date: Wed, 15 Apr 2026 16:51:36 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
+
+From: Siwei Zhang
+
+commit 2ff1a41a912de8517b4482e946dd951b7d80edbf upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 89bc500e41fc ("Bluetooth: Add state tracking to struct l2cap_chan")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1627,6 +1627,9 @@ static void l2cap_sock_state_change_cb(s
+ {
+ struct sock *sk = chan->data;
+
++ if (!sk)
++ return;
++
+ sk->sk_state = state;
+
+ if (err)
diff --git a/queue-6.6/bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch b/queue-6.6/bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch
new file mode 100644
index 0000000000..2374c59b4d
--- /dev/null
+++ b/queue-6.6/bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch
@@ -0,0 +1,91 @@
+From 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito
+Date: Tue, 21 Apr 2026 13:08:44 -0400
+Subject: Bluetooth: virtio_bt: clamp rx length before skb_put
+
+From: Michael Bommarito
+
+commit 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 upstream.
+
+virtbt_rx_work() calls skb_put(skb, len) where len comes directly
+from virtqueue_get_buf() with no validation against the buffer we
+posted to the device. The RX skb is allocated in virtbt_add_inbuf()
+and exposed to virtio as exactly 1000 bytes via sg_init_one().
+
+Checking len against skb_tailroom(skb) is not sufficient because
+alloc_skb() can leave more tailroom than the 1000 bytes actually
+handed to the device. A malicious or buggy backend can therefore
+report used.len between 1001 and skb_tailroom(skb), causing skb_put()
+to include uninitialized kernel heap bytes that were never written by
+the device.
+
+The same path also accepts len == 0, in which case skb_put(skb, 0)
+leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
+byte from skb->data, consuming uninitialized memory.
+
+Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
+sg_init_one(), and gate virtbt_rx_work() on that same constant so
+the bound checked matches the buffer actually exposed to the device.
+Reject used.len == 0 in the same gate so an empty completion can
+no longer reach virtbt_rx_handle().
+
+Use bt_dev_err_ratelimited() because the length value comes from an
+untrusted backend that can otherwise flood the kernel log.
+
+Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
+overflow in USB transport layer"), which hardened the USB 9p
+transport against unchecked device-reported length.
+
+Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
+Cc: stable@vger.kernel.org
+Cc: Soenke Huster
+Signed-off-by: Michael Bommarito
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/virtio_bt.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/bluetooth/virtio_bt.c
++++ b/drivers/bluetooth/virtio_bt.c
+@@ -12,6 +12,7 @@
+ #include
+
+ #define VERSION "0.1"
++#define VIRTBT_RX_BUF_SIZE 1000
+
+ enum {
+ VIRTBT_VQ_TX,
+@@ -33,11 +34,11 @@ static int virtbt_add_inbuf(struct virti
+ struct sk_buff *skb;
+ int err;
+
+- skb = alloc_skb(1000, GFP_KERNEL);
++ skb = alloc_skb(VIRTBT_RX_BUF_SIZE, GFP_KERNEL);
+ if (!skb)
+ return -ENOMEM;
+
+- sg_init_one(sg, skb->data, 1000);
++ sg_init_one(sg, skb->data, VIRTBT_RX_BUF_SIZE);
+
+ err = virtqueue_add_inbuf(vq, sg, 1, skb, GFP_KERNEL);
+ if (err < 0) {
+@@ -227,8 +228,15 @@ static void virtbt_rx_work(struct work_s
+ if (!skb)
+ return;
+
+- skb_put(skb, len);
+- virtbt_rx_handle(vbt, skb);
++ if (!len || len > VIRTBT_RX_BUF_SIZE) {
++ bt_dev_err_ratelimited(vbt->hdev,
++ "rx reply len %u outside [1, %u]\n",
++ len, VIRTBT_RX_BUF_SIZE);
++ kfree_skb(skb);
++ } else {
++ skb_put(skb, len);
++ virtbt_rx_handle(vbt, skb);
++ }
+
+ if (virtbt_add_inbuf(vbt) < 0)
+ return;
diff --git a/queue-6.6/bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch b/queue-6.6/bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch
new file mode 100644
index 0000000000..eb5d769036
--- /dev/null
+++ b/queue-6.6/bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch
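Review bot: The format string `"rx reply len %u outside [1, %u]\n"` carries an explicit trailing newline, but the bt_dev_err family of macros appends one itself, so each ratelimited message will be followed by an empty log line; drop the `\n`, as other bt_dev_err_ratelimited() callers do. The same applies to the `"rx pkt_type 0x%02x payload %u < hdr %zu\n"` string in the following virtio_bt patch. The bound itself is the right one: VIRTBT_RX_BUF_SIZE is exactly what sg_init_one() exposes to the device, so comparing against it rather than skb_tailroom() matches the buffer the backend can actually fill, and rejecting `len == 0` keeps an empty completion away from the pkt_type read. virtbt_rx_work() begins outside the hunk.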
@@ -0,0 +1,93 @@
+From daf23014e5d975e72ea9c02b5160d3fcf070ea47 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito
+Date: Tue, 21 Apr 2026 13:08:45 -0400
+Subject: Bluetooth: virtio_bt: validate rx pkt_type header length
+
+From: Michael Bommarito
+
+commit daf23014e5d975e72ea9c02b5160d3fcf070ea47 upstream.
+
+virtbt_rx_handle() reads the leading pkt_type byte from the RX skb
+and forwards the remainder to hci_recv_frame() for every
+event/ACL/SCO/ISO type, without checking that the remaining payload
+is at least the fixed HCI header for that type.
+
+After the preceding patch bounds the backend-supplied used.len to
+[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches
+hci_recv_frame() with skb->len already pulled to 0. If the byte
+happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification
+fast-path in hci_dev_classify_pkt_type() dereferences
+hci_acl_hdr(skb)->handle whenever the HCI device has an active
+CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of
+uninitialized RX-buffer data. The same hazard exists for every
+packet type the driver accepts because none of the switch cases in
+virtbt_rx_handle() check skb->len against the per-type minimum HCI
+header size before handing the frame to the core.
+
+After stripping pkt_type, require skb->len to cover the fixed
+header size for the selected type (event 2, ACL 4, SCO 3, ISO 4)
+before calling hci_recv_frame(); drop ratelimited otherwise.
+Unknown pkt_type values still take the original kfree_skb() default
+path.
+
+Use bt_dev_err_ratelimited() because both the length and pkt_type
+values come from an untrusted backend that can otherwise flood the
+kernel log.
+
+Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
+Cc: stable@vger.kernel.org
+Cc: Soenke Huster
+Signed-off-by: Michael Bommarito
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/virtio_bt.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+--- a/drivers/bluetooth/virtio_bt.c
++++ b/drivers/bluetooth/virtio_bt.c
+@@ -198,6 +198,7 @@ static int virtbt_shutdown_generic(struc
+
+ static void virtbt_rx_handle(struct virtio_bluetooth *vbt, struct sk_buff *skb)
+ {
++ size_t min_hdr;
+ __u8 pkt_type;
+
+ pkt_type = *((__u8 *) skb->data);
+@@ -205,16 +206,32 @@ static void virtbt_rx_handle(struct virt
+
+ switch (pkt_type) {
+ case HCI_EVENT_PKT:
++ min_hdr = sizeof(struct hci_event_hdr);
++ break;
+ case HCI_ACLDATA_PKT:
++ min_hdr = sizeof(struct hci_acl_hdr);
++ break;
+ case HCI_SCODATA_PKT:
++ min_hdr = sizeof(struct hci_sco_hdr);
++ break;
+ case HCI_ISODATA_PKT:
+- hci_skb_pkt_type(skb) = pkt_type;
+- hci_recv_frame(vbt->hdev, skb);
++ min_hdr = sizeof(struct hci_iso_hdr);
+ break;
+ default:
+ kfree_skb(skb);
+- break;
++ return;
+ }
++
++ if (skb->len < min_hdr) {
++ bt_dev_err_ratelimited(vbt->hdev,
++ "rx pkt_type 0x%02x payload %u < hdr %zu\n",
++ pkt_type, skb->len, min_hdr);
++ kfree_skb(skb);
++ return;
++ }
++
++ hci_skb_pkt_type(skb) = pkt_type;
++ hci_recv_frame(vbt->hdev, skb);
+ }
+
+ static void virtbt_rx_work(struct work_struct *work)
diff --git a/queue-6.6/ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch b/queue-6.6/ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
new file mode 100644
index 0000000000..22d7660771
--- /dev/null
+++ b/queue-6.6/ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
@@ -0,0 +1,50 @@
+From bc0fcb9823cd0894934cf968b525c575833d7078 Mon Sep 17 00:00:00 2001
+From: Yilin Zhu
+Date: Sun, 12 Apr 2026 13:07:54 +0800
+Subject: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
+
+From: Yilin Zhu
+
+commit bc0fcb9823cd0894934cf968b525c575833d7078 upstream.
+
+xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not
+already have a dst attached. ip6_route_input_lookup() returns a
+referenced dst entry even when the lookup resolves to an error route.
+
+If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching
+the dst to the skb and without releasing the reference returned by the
+lookup. Repeated packets hitting this path therefore leak dst entries.
+
+Release the dst before jumping to the drop path.
+
+Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
+Cc: stable@kernel.org
+Reported-by: Yifan Wu
+Reported-by: Juefei Pu
+Co-developed-by: Yuan Tan
+Signed-off-by: Yuan Tan
+Suggested-by: Xin Liu
+Tested-by: Ruide Cao
+Signed-off-by: Yilin Zhu
+Signed-off-by: Ren Wei
+Reviewed-by: Simon Horman
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/xfrm6_protocol.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/xfrm6_protocol.c
++++ b/net/ipv6/xfrm6_protocol.c
+@@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb,
+
+ dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6,
+ skb, flags);
+- if (dst->error)
++ if (dst->error) {
++ dst_release(dst);
+ goto drop;
++ }
+ skb_dst_set(skb, dst);
+ }
+
diff --git a/queue-6.6/selinux-don-t-reserve-xattr-slot-when-we-won-t-fill-it.patch b/queue-6.6/selinux-don-t-reserve-xattr-slot-when-we-won-t-fill-it.patch
new file mode 100644
index 0000000000..8909bf9151
--- /dev/null
+++ b/queue-6.6/selinux-don-t-reserve-xattr-slot-when-we-won-t-fill-it.patch
@@ -0,0 +1,41 @@
+From 1e5a8eed7821e7a43a31b4c1b3675a91be6bc6f6 Mon Sep 17 00:00:00 2001
+From: David Windsor
+Date: Sun, 26 Apr 2026 19:23:49 -0400
+Subject: selinux: don't reserve xattr slot when we won't fill it
+
+From: David Windsor
+
+commit 1e5a8eed7821e7a43a31b4c1b3675a91be6bc6f6 upstream.
+
+Move lsm_get_xattr_slot() below the SBLABEL_MNT check so we don't leave
+a NULL-named slot in the array when returning -EOPNOTSUPP; filesystem
+initxattrs() callbacks stop iterating at the first NULL ->name, silently
+dropping xattrs installed by later LSMs.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: David Windsor
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/selinux/hooks.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -2903,7 +2903,7 @@ static int selinux_inode_init_security(s
+ {
+ const struct task_security_struct *tsec = selinux_cred(current_cred());
+ struct superblock_security_struct *sbsec;
+- struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count);
++ struct xattr *xattr;
+ u32 newsid, clen;
+ int rc;
+ char *context;
+@@ -2930,6 +2930,7 @@ static int selinux_inode_init_security(s
+ !(sbsec->flags & SBLABEL_MNT))
+ return -EOPNOTSUPP;
+
++ xattr = lsm_get_xattr_slot(xattrs, xattr_count);
+ if (xattr) {
+ rc = security_sid_to_context_force(newsid,
+ &context, &clen);
diff --git a/queue-6.6/selinux-prune-sys-fs-selinux-disable.patch b/queue-6.6/selinux-prune-sys-fs-selinux-disable.patch
new file mode 100644
index 0000000000..1688f532e9
--- /dev/null
+++ b/queue-6.6/selinux-prune-sys-fs-selinux-disable.patch
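Review bot: `xattr` is now left uninitialized from its declaration until the new `lsm_get_xattr_slot()` call after the SBLABEL_MNT check; the code between those two points (roughly lines 2903–2930 of hooks.c, outside this hunk) must not touch `xattr`, or it reads an indeterminate pointer, and the compiler will not reliably warn about that across the intervening early returns, so it is worth confirming by eye. A short comment above the new call would preserve the reason for the ordering for the next reader, e.g. `/* claim the slot only once we know we will fill it; an empty slot ends the initxattrs() walk */`. selinux_inode_init_security() continues beyond both hunks.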
@@ -0,0 +1,71 @@
+From 19cfa0099024bb9cd40f6d950caa7f47ff8e77f6 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley
+Date: Tue, 5 May 2026 08:49:49 -0400
+Subject: selinux: prune /sys/fs/selinux/disable
+
+From: Stephen Smalley
+
+commit 19cfa0099024bb9cd40f6d950caa7f47ff8e77f6 upstream.
+
+Commit f22f9aaf6c3d ("selinux: remove the runtime disable
+functionality") removed the underlying SELinux runtime disable
+functionality but left everything else intact and started logging an
+error message to warn any residual users.
+
+Prune it to just log an error message once and to return count
+(i.e. all bytes written successfully) to avoid breaking
+userspace. This also fixes a local DoS from logspam.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Smalley
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/selinux/selinuxfs.c | 36 +++++++-----------------------------
+ 1 file changed, 7 insertions(+), 29 deletions(-)
+
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -272,35 +272,13 @@ static ssize_t sel_write_disable(struct
+ size_t count, loff_t *ppos)
+
+ {
+- char *page;
+- ssize_t length;
+- int new_value;
+-
+- if (count >= PAGE_SIZE)
+- return -ENOMEM;
+-
+- /* No partial writes. */
+- if (*ppos != 0)
+- return -EINVAL;
+-
+- page = memdup_user_nul(buf, count);
+- if (IS_ERR(page))
+- return PTR_ERR(page);
+-
+- if (sscanf(page, "%d", &new_value) != 1) {
+- length = -EINVAL;
+- goto out;
+- }
+- length = count;
+-
+- if (new_value) {
+- pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n");
+- pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n");
+- }
+-
+-out:
+- kfree(page);
+- return length;
++ /*
++ * Setting disable is no longer supported, see
++ * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable
++ */
++ pr_err_once("SELinux: %s (%d) wrote to disable. 
This is no longer supported.\n",
++ current->comm, current->pid);
++ return count;
+ }
+
+ static const struct file_operations sel_disable_ops = {
diff --git a/queue-6.6/selinux-shrink-critical-section-in-sel_write_load.patch b/queue-6.6/selinux-shrink-critical-section-in-sel_write_load.patch
new file mode 100644
index 0000000000..fe0ddad05b
--- /dev/null
+++ b/queue-6.6/selinux-shrink-critical-section-in-sel_write_load.patch
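Review bot: `pr_err_once()` fires for the first writer only, so the `current->comm`/`current->pid` arguments identify just that one process and every later write is accepted silently with no trace; if attribution matters, `pr_err_ratelimited()` keeps the log-flood protection the commit is after while still naming later callers, and if it does not, the two arguments and their `%s (%d)` placeholders can go. Separately, `current->comm` is read directly rather than through `get_task_comm()` into a local buffer; that is common for `current` but not the form newer kernel code prefers. Removing the `*ppos` and `count >= PAGE_SIZE` checks means a write of any size or offset now returns `count`, which matches the stated intent of not breaking userspace and is worth a one-line comment next to `return count;` so nobody reintroduces the checks. The function's signature starts outside the hunk.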
@@ -0,0 +1,76 @@
+From 868f31e4061eca8c3cd607d79d954d5e54f204aa Mon Sep 17 00:00:00 2001
+From: Stephen Smalley
+Date: Thu, 30 Apr 2026 14:36:52 -0400
+Subject: selinux: shrink critical section in sel_write_load()
+
+From: Stephen Smalley
+
+commit 868f31e4061eca8c3cd607d79d954d5e54f204aa upstream.
+
+Currently sel_write_load() takes the policy mutex earlier than
+necessary. Move the taking of the mutex later. This avoids
+holding it unnecessarily across the vmalloc() and copy_from_user()
+of the policy data.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Smalley
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+---
+ security/selinux/selinuxfs.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -594,34 +594,31 @@ static ssize_t sel_write_load(struct fil
+ if (!count)
+ return -EINVAL;
+
+- mutex_lock(&selinux_state.policy_mutex);
+-
+ length = avc_has_perm(current_sid(), SECINITSID_SECURITY,
+ SECCLASS_SECURITY, SECURITY__LOAD_POLICY, NULL);
+ if (length)
+- goto out;
++ return length;
+
+ data = vmalloc(count);
+- if (!data) {
+- length = -ENOMEM;
+- goto out;
+- }
++ if (!data)
++ return -ENOMEM;
+ if (copy_from_user(data, buf, count) != 0) {
+ length = -EFAULT;
+ goto out;
+ }
+
++ mutex_lock(&selinux_state.policy_mutex);
+ length = security_load_policy(data, count, &load_state);
+ if (length) {
+ pr_warn_ratelimited("SELinux: failed to load policy\n");
+- goto out;
++ goto out_unlock;
+ }
+ fsi = file_inode(file)->i_sb->s_fs_info;
+ length = sel_make_policy_nodes(fsi, load_state.policy);
+ if (length) {
+ pr_warn_ratelimited("SELinux: failed to initialize selinuxfs\n");
+ selinux_policy_cancel(&load_state);
+- goto out;
++ goto out_unlock;
+ }
+
+ selinux_policy_commit(&load_state);
+@@ -631,8 +628,9 @@ static ssize_t sel_write_load(struct fil
+ from_kuid(&init_user_ns, audit_get_loginuid(current)),
+ audit_get_sessionid(current));
+
+-out:
++out_unlock:
+ mutex_unlock(&selinux_state.policy_mutex);
++out:
+ vfree(data);
+ return length;
+ }
diff --git a/queue-6.6/series b/queue-6.6/series
index 1191dc2af0..4884d07446 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -200,3 +200,16 @@ usb-serial-option-add-telit-cinterion-le910cx-compositions.patch
 usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch
 alsa-firewire-tascam-do-not-drop-unread-control-events.patch
 powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch
+xfrm-provide-message-size-for-xfrm_msg_mapping.patch
+ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
+selinux-don-t-reserve-xattr-slot-when-we-won-t-fill-it.patch
+selinux-shrink-critical-section-in-sel_write_load.patch
+selinux-prune-sys-fs-selinux-disable.patch
+bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch
+bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch
+bluetooth-hci_event-fix-oob-read-and-infinite-loop-in-hci_le_create_big_complete_evt.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
+spi-zynqmp-gqspi-fix-controller-deregistration.patch
+spi-s3c64xx-fix-null-deref-on-driver-unbind.patch
+staging-vme_user-fix-root-device-leak-on-init-failure.patch
diff --git a/queue-6.6/spi-s3c64xx-fix-null-deref-on-driver-unbind.patch b/queue-6.6/spi-s3c64xx-fix-null-deref-on-driver-unbind.patch
new file mode 100644
index 0000000000..3ef6d20089
--- /dev/null
+++ b/queue-6.6/spi-s3c64xx-fix-null-deref-on-driver-unbind.patch
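Review bot: `vmalloc(count)` with the user-supplied `count` now runs before the mutex is taken, so concurrent writers to /sys/fs/selinux/load can each hold a policy-sized allocation while waiting on `selinux_state.policy_mutex`, where the old order serialized the allocations; only callers granted SECURITY__LOAD_POLICY reach this, but it is a change in resource behaviour worth a sentence in the commit message or a comment at the allocation, e.g. `/* the policy image is allocated and copied in outside the mutex; only the load itself is serialized */`. The label rewiring is consistent for the visible paths: the copy_from_user() failure goes to `out`, which no longer unlocks, and both post-lock failures go to `out_unlock`. sel_write_load() starts outside the hunk.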
@@ -0,0 +1,45 @@
+From 45daacbead8a009844bd5dba6cfa731332184d17 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 10 Apr 2026 11:49:25 +0200
+Subject: spi: s3c64xx: fix NULL-deref on driver unbind
+
+From: Johan Hovold
+
+commit 45daacbead8a009844bd5dba6cfa731332184d17 upstream.
+
+A change moving DMA channel allocation from probe() back to
+s3c64xx_spi_prepare_transfer() failed to remove the corresponding
+deallocation from remove().
+
+Drop the bogus DMA channel release from remove() to avoid triggering a
+NULL-pointer dereference on driver unbind.
+
+This issue was flagged by Sashiko when reviewing a controller
+deregistration fix.
+
+Fixes: f52b03c70744 ("spi: s3c64xx: requests spi-dma channel only during data transfer")
+Cc: stable@vger.kernel.org # 6.0
+Cc: Adithya K V
+Link: https://sashiko.dev/#/patchset/20260410081757.503099-1-johan%40kernel.org
+Signed-off-by: Johan Hovold
+Link: https://patch.msgid.link/20260410094925.518343-1-johan@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-s3c64xx.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/spi/spi-s3c64xx.c
++++ b/drivers/spi/spi-s3c64xx.c
+@@ -1338,11 +1338,6 @@ static void s3c64xx_spi_remove(struct pl
+
+ writel(0, sdd->regs + S3C64XX_SPI_INT_EN);
+
+- if (!is_polling(sdd)) {
+- dma_release_channel(sdd->rx_dma.ch);
+- dma_release_channel(sdd->tx_dma.ch);
+- }
+-
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
diff --git a/queue-6.6/spi-zynqmp-gqspi-fix-controller-deregistration.patch b/queue-6.6/spi-zynqmp-gqspi-fix-controller-deregistration.patch
new file mode 100644
index 0000000000..1281520988
--- /dev/null
+++ b/queue-6.6/spi-zynqmp-gqspi-fix-controller-deregistration.patch
@@ -0,0 +1,44 @@
+From 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 10 Apr 2026 10:17:55 +0200
+Subject: spi: zynqmp-gqspi: fix controller deregistration
+
+From: Johan Hovold
+
+commit 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: dfe11a11d523 ("spi: Add support for Zynq Ultrascale+ MPSoC GQSPI controller")
+Cc: stable@vger.kernel.org # 4.2: 64640f6c972e
+Cc: stable@vger.kernel.org # 4.2
+Cc: Ranjit Waghmode
+Signed-off-by: Johan Hovold
+Link: https://patch.msgid.link/20260410081757.503099-26-johan@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-zynqmp-gqspi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-zynqmp-gqspi.c
++++ b/drivers/spi/spi-zynqmp-gqspi.c
+@@ -1324,7 +1324,7 @@ static int zynqmp_qspi_probe(struct plat
+ ctlr->dev.of_node = np;
+ ctlr->auto_runtime_pm = true;
+
+- ret = devm_spi_register_controller(&pdev->dev, ctlr);
++ ret = spi_register_controller(ctlr);
+ if (ret) {
+ dev_err(&pdev->dev, "spi_register_controller failed\n");
+ goto clk_dis_all;
+@@ -1365,6 +1365,8 @@ static void zynqmp_qspi_remove(struct pl
+
+ pm_runtime_get_sync(&pdev->dev);
+
++ spi_unregister_controller(xqspi->ctlr);
++
+ zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0);
+
+ pm_runtime_disable(&pdev->dev);
diff --git a/queue-6.6/staging-vme_user-fix-root-device-leak-on-init-failure.patch b/queue-6.6/staging-vme_user-fix-root-device-leak-on-init-failure.patch
new file mode 100644
index 0000000000..11bb77f89d
--- /dev/null
+++ b/queue-6.6/staging-vme_user-fix-root-device-leak-on-init-failure.patch
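Review bot: Switching from `devm_spi_register_controller()` to `spi_register_controller()` removes the automatic unregister, so any probe failure path that runs after the successful registration (whatever follows the `goto clk_dis_all` in zynqmp_qspi_probe(), outside this hunk) now has to call `spi_unregister_controller(ctlr)` explicitly or the controller is leaked on probe error; worth confirming no such path exists, and a one-line comment at the registration such as `/* unregistered explicitly in remove(); any later probe failure must undo this too */` records the obligation. The remove() side reads correctly: unregistering before `zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0)` and the pm_runtime teardown means no transfer can still be queued when the hardware is disabled. Both functions begin and end outside their hunks.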
@@ -0,0 +1,33 @@
+From 32c91e8ee039777d0b95b914633fc6a42607959c Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 24 Apr 2026 12:49:10 +0200
+Subject: staging: vme_user: fix root device leak on init failure
+
+From: Johan Hovold
+
+commit 32c91e8ee039777d0b95b914633fc6a42607959c upstream.
+
+Make sure to deregister and free the root device in case module
+initialisation fails.
+
+Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
+Cc: stable@vger.kernel.org # 4.9
+Cc: Martyn Welch
+Signed-off-by: Johan Hovold
+Link: https://patch.msgid.link/20260424104910.2619349-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/vme_user/vme_fake.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/vme_user/vme_fake.c
++++ b/drivers/staging/vme_user/vme_fake.c
+@@ -1235,6 +1235,8 @@ err_master:
+ err_driver:
+ kfree(fake_bridge);
+ err_struct:
++ root_device_unregister(vme_root);
++
+ return retval;
+ }
+
diff --git a/queue-6.6/xfrm-provide-message-size-for-xfrm_msg_mapping.patch b/queue-6.6/xfrm-provide-message-size-for-xfrm_msg_mapping.patch
new file mode 100644
index 0000000000..8c5e00dc23
--- /dev/null
+++ b/queue-6.6/xfrm-provide-message-size-for-xfrm_msg_mapping.patch
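Review bot: The new `root_device_unregister(vme_root)` under `err_struct:` is only correct if every jump to that label happens after `root_device_register()` has succeeded; if the registration failure itself were to jump to `err_struct` (the earlier part of the init function is outside this hunk), the call would be made on an error pointer. Worth confirming that the registration failure path returns directly, and a one-line comment at the label, e.g. `/* vme_root is registered before any goto err_struct can run */`, would pin the invariant for the next person who adds an error path. The enclosing init function starts outside the hunk.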
@@ -0,0 +1,40 @@
+From 28465227c80fe417b4013c432be1f3737cb9f9a3 Mon Sep 17 00:00:00 2001
+From: Ruijie Li
+Date: Wed, 29 Apr 2026 00:41:43 +0800
+Subject: xfrm: provide message size for XFRM_MSG_MAPPING
+
+From: Ruijie Li
+
+commit 28465227c80fe417b4013c432be1f3737cb9f9a3 upstream.
+
+The compat 64=>32 translation path handles XFRM_MSG_MAPPING, but
+xfrm_msg_min[] does not provide the native payload size for this
+message type.
+
+Add the missing XFRM_MSG_MAPPING entry so compat translation can size
+and translate mapping notifications correctly.
+
+Fixes: 5461fc0c8d9f ("xfrm/compat: Add 64=>32-bit messages translator")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan
+Reported-by: Yifan Wu
+Reported-by: Juefei Pu
+Reported-by: Xin Liu
+Signed-off-by: Ruijie Li
+Signed-off-by: Ren Wei
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -3015,6 +3015,7 @@ const int xfrm_msg_min[XFRM_NR_MSGTYPES]
+ [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
++ [XFRM_MSG_MAPPING - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_mapping),
+ [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ };
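Review bot: The new `xfrm_msg_min[]` entry supplies the native size, but the 64=>32 translator also consults the compat-side size table in xfrm_compat.c, which is outside this hunk; if that table has no matching XFRM_MSG_MAPPING entry the translated length is still wrong, so the two arrays should be checked against each other rather than this one in isolation. Because the table is built with designated initializers, a message type that is left out silently reads as size 0 instead of failing the build, which is how this omission went unnoticed; a comment at the head of the table, e.g. `/* every message type the compat translator handles needs a size here; a missing entry reads as 0 */`, would help the next addition. The rest of the array lies outside the hunk.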