From: Greg Kroah-Hartman
Date: Sun, 9 Nov 2025 04:18:10 +0000 (+0900)
Subject: 6.1-stable patches
X-Git-Tag: v6.12.58~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=96bfa0729b059ed2a233f68a96eb674a12e3b6a4;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch
lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch
rtc-rx8025-fix-incorrect-register-reference.patch
scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch
smb-client-validate-change-notify-buffer-before-copy.patch
---

diff --git a/queue-6.1/bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch b/queue-6.1/bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch
new file mode 100644
index 0000000000..e8c8ff90a0
--- /dev/null
+++ b/queue-6.1/bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch
@@ -0,0 +1,60 @@
+From 8d59fba49362c65332395789fd82771f1028d87e Mon Sep 17 00:00:00 2001
+From: Ilia Gavrilov
+Date: Mon, 20 Oct 2025 15:12:55 +0000
+Subject: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
+
+From: Ilia Gavrilov
+
+commit 8d59fba49362c65332395789fd82771f1028d87e upstream.
+
+In the parse_adv_monitor_pattern() function, the value of
+the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).
+The size of the 'value' array in the mgmt_adv_pattern structure is 31.
+If the value of 'pattern[i].length' is set in the user space
+and exceeds 31, the 'patterns[i].value' array can be accessed
+out of bound when copied.
+
+Increasing the size of the 'value' array in
+the 'mgmt_adv_pattern' structure will break the userspace.
+Considering this, and to avoid OOB access revert the limits for 'offset'
+and 'length' back to the value of HCI_MAX_AD_LENGTH.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: db08722fc7d4 ("Bluetooth: hci_core: Fix missing instances using HCI_MAX_AD_LENGTH")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia Gavrilov
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/bluetooth/mgmt.h | 2 +-
+ net/bluetooth/mgmt.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/net/bluetooth/mgmt.h
++++ b/include/net/bluetooth/mgmt.h
+@@ -772,7 +772,7 @@ struct mgmt_adv_pattern {
+ __u8 ad_type;
+ __u8 offset;
+ __u8 length;
+- __u8 value[31];
++ __u8 value[HCI_MAX_AD_LENGTH];
+ } __packed;
+
+ #define MGMT_OP_ADD_ADV_PATTERNS_MONITOR 0x0052
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -5436,9 +5436,9 @@ static u8 parse_adv_monitor_pattern(stru
+ for (i = 0; i < pattern_count; i++) {
+ offset = patterns[i].offset;
+ length = patterns[i].length;
+- if (offset >= HCI_MAX_EXT_AD_LENGTH ||
+- length > HCI_MAX_EXT_AD_LENGTH ||
+- (offset + length) > HCI_MAX_EXT_AD_LENGTH)
++ if (offset >= HCI_MAX_AD_LENGTH ||
++ length > HCI_MAX_AD_LENGTH ||
++ (offset + length) > HCI_MAX_AD_LENGTH)
+ return MGMT_STATUS_INVALID_PARAMS;
+
+ p = kmalloc(sizeof(*p), GFP_KERNEL);
diff --git a/queue-6.1/lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch b/queue-6.1/lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch
new file mode 100644
index 0000000000..9d9c657724
--- /dev/null
+++ b/queue-6.1/lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch
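Review bot: The restored bound `length > HCI_MAX_AD_LENGTH` and the array it guards, `value[HCI_MAX_AD_LENGTH]`, are now kept in step only by both naming the same constant; the commit message shows how easily that drifted last time. Writing the check against the array itself, `length > sizeof(patterns[i].value) ||` and `(offset + length) > sizeof(patterns[i].value))`, ties the userspace-supplied length to the storage it indexes so a later change to either cannot reopen the overread. Because struct mgmt_adv_pattern is userspace-visible (the commit notes that growing `value` would break it), a comment on the array such as `/* mgmt wire format: must stay HCI_MAX_AD_LENGTH (31) bytes, not HCI_MAX_EXT_AD_LENGTH */` would record why it cannot follow the extended limit. The copy this check protects and the rest of parse_adv_monitor_pattern are outside the hunk.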
@@ -0,0 +1,37 @@
+From 2b81082ad37cc3f28355fb73a6a69b91ff7dbf20 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor
+Date: Mon, 3 Nov 2025 12:11:24 -0700
+Subject: lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC
+
+From: Nathan Chancellor
+
+commit 2b81082ad37cc3f28355fb73a6a69b91ff7dbf20 upstream.
+
+Commit 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with
+clang-17 and older") inadvertently disabled KASAN in curve25519-hacl64.o
+for GCC unconditionally because clang-min-version will always evaluate
+to nothing for GCC. Add a check for CONFIG_CC_IS_CLANG to avoid applying
+the workaround for GCC, which is only needed for clang-17 and older.
+
+Cc: stable@vger.kernel.org
+Fixes: 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older")
+Signed-off-by: Nathan Chancellor
+Acked-by: Ard Biesheuvel
+Link: https://lore.kernel.org/r/20251103-curve25519-hacl64-fix-kasan-workaround-v2-1-ab581cbd8035@kernel.org
+Signed-off-by: Eric Biggers
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/crypto/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/crypto/Makefile
++++ b/lib/crypto/Makefile
+@@ -26,7 +26,7 @@ libcurve25519-generic-y := curve25519
+ libcurve25519-generic-$(CONFIG_ARCH_SUPPORTS_INT128) := curve25519-hacl64.o
+ libcurve25519-generic-y += curve25519-generic.o
+ # clang versions prior to 18 may blow out the stack with KASAN
+-ifeq ($(call clang-min-version, 180000),)
++ifeq ($(CONFIG_CC_IS_CLANG)_$(call clang-min-version, 180000),y_)
+ KASAN_SANITIZE_curve25519-hacl64.o := n
+ endif
+
diff --git a/queue-6.1/rtc-rx8025-fix-incorrect-register-reference.patch b/queue-6.1/rtc-rx8025-fix-incorrect-register-reference.patch
new file mode 100644
index 0000000000..6b98b4dccd
--- /dev/null
+++ b/queue-6.1/rtc-rx8025-fix-incorrect-register-reference.patch
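Review bot: The new condition `ifeq ($(CONFIG_CC_IS_CLANG)_$(call clang-min-version, 180000),y_)` folds two tests into one string comparison, and the only comment above it still describes just the clang-18 stack problem, so a reader has to rediscover from the commit message why GCC must be excluded by hand. Extending the comment to `# clang versions prior to 18 may blow out the stack with KASAN; clang-min-version expands to nothing for GCC, so CONFIG_CC_IS_CLANG must be tested as well` keeps the reason the first version of this workaround was wrong next to the code, which matters because silently disabling KASAN on a crypto object is the kind of regression nothing else reports.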
@@ -0,0 +1,33 @@
+From 162f24cbb0f6ec596e7e9f3e91610d79dc805229 Mon Sep 17 00:00:00 2001
+From: Yuta Hayama
+Date: Wed, 15 Oct 2025 12:07:05 +0900
+Subject: rtc: rx8025: fix incorrect register reference
+
+From: Yuta Hayama
+
+commit 162f24cbb0f6ec596e7e9f3e91610d79dc805229 upstream.
+
+This code is intended to operate on the CTRL1 register, but ctrl[1] is
+actually CTRL2. Correctly, ctrl[0] is CTRL1.
+
+Signed-off-by: Yuta Hayama
+Fixes: 71af91565052 ("rtc: rx8025: fix 12/24 hour mode detection on RX-8035")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/eae5f479-5d28-4a37-859d-d54794e7628c@lineo.co.jp
+Signed-off-by: Alexandre Belloni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rtc/rtc-rx8025.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-rx8025.c
++++ b/drivers/rtc/rtc-rx8025.c
+@@ -315,7 +315,7 @@ static int rx8025_init_client(struct i2c
+ return hour_reg;
+ rx8025->is_24 = (hour_reg & RX8035_BIT_HOUR_1224);
+ } else {
+- rx8025->is_24 = (ctrl[1] & RX8025_BIT_CTRL1_1224);
++ rx8025->is_24 = (ctrl[0] & RX8025_BIT_CTRL1_1224);
+ }
+ out:
+ return err;
diff --git a/queue-6.1/scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch b/queue-6.1/scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch
new file mode 100644
index 0000000000..54a5efc090
--- /dev/null
+++ b/queue-6.1/scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch
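Review bot: The corrected line `rx8025->is_24 = (ctrl[0] & RX8025_BIT_CTRL1_1224);` still selects the register with a bare index, which is exactly how the original mix-up between CTRL1 and CTRL2 slipped through review. A comment at the read, `/* ctrl[0] is CTRL1, ctrl[1] is CTRL2 */`, or an index expressed relative to the register offset the buffer was read from, would make the mapping visible to the next person touching this branch. rx8025_init_client starts before the hunk, so where ctrl[] is filled cannot be checked here.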
@@ -0,0 +1,138 @@
+From bb44826c3bdbf1fa3957008a04908f45e5666463 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter
+Date: Fri, 24 Oct 2025 11:59:15 +0300
+Subject: scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers
+
+From: Adrian Hunter
+
+commit bb44826c3bdbf1fa3957008a04908f45e5666463 upstream.
+
+Intel platforms with UFS, can support Suspend-to-Idle (S0ix) and
+Suspend-to-RAM (S3). For S0ix the link state should be HIBERNATE. For
+S3, state is lost, so the link state must be OFF. Driver policy,
+expressed by spm_lvl, can be 3 (link HIBERNATE, device SLEEP) for S0ix
+but must be changed to 5 (link OFF, device POWEROFF) for S3.
+
+Fix support for S0ix/S3 by switching spm_lvl as needed. During suspend
+->prepare(), if the suspend target state is not Suspend-to-Idle, ensure
+the spm_lvl is at least 5 to ensure that resume will be possible from
+deep sleep states. During suspend ->complete(), restore the spm_lvl to
+its original value that is suitable for S0ix.
+
+This fix is first needed in Intel Alder Lake based controllers.
+
+Fixes: 7dc9fb47bc9a ("scsi: ufs: ufs-pci: Add support for Intel ADL")
+Cc: stable@vger.kernel.org
+Signed-off-by: Adrian Hunter
+Reviewed-by: Bart Van Assche
+Link: https://patch.msgid.link/20251024085918.31825-2-adrian.hunter@intel.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ufs/host/ufshcd-pci.c | 67 ++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 65 insertions(+), 2 deletions(-)
+
+--- a/drivers/ufs/host/ufshcd-pci.c
++++ b/drivers/ufs/host/ufshcd-pci.c
+@@ -15,6 +15,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -34,6 +35,7 @@ struct intel_host {
+ u32 dsm_fns;
+ u32 active_ltr;
+ u32 idle_ltr;
++ int saved_spm_lvl;
+ struct dentry *debugfs_root;
+ struct gpio_desc *reset_gpio;
+ };
+@@ -375,6 +377,7 @@ static int ufs_intel_common_init(struct
+ host = devm_kzalloc(hba->dev, sizeof(*host), GFP_KERNEL);
+ if (!host)
+ return -ENOMEM;
++ host->saved_spm_lvl = -1;
+ ufshcd_set_variant(hba, host);
+ intel_dsm_init(host, hba->dev);
+ if (INTEL_DSM_SUPPORTED(host, RESET)) {
+@@ -542,6 +545,66 @@ static int ufshcd_pci_restore(struct dev
+
+ return ufshcd_system_resume(dev);
+ }
++
++static int ufs_intel_suspend_prepare(struct device *dev)
++{
++ struct ufs_hba *hba = dev_get_drvdata(dev);
++ struct intel_host *host = ufshcd_get_variant(hba);
++ int err;
++
++ /*
++ * Only s2idle (S0ix) retains link state. Force power-off
++ * (UFS_PM_LVL_5) for any other case.
++ */
++ if (pm_suspend_target_state != PM_SUSPEND_TO_IDLE && hba->spm_lvl < UFS_PM_LVL_5) {
++ host->saved_spm_lvl = hba->spm_lvl;
++ hba->spm_lvl = UFS_PM_LVL_5;
++ }
++
++ err = ufshcd_suspend_prepare(dev);
++
++ if (err < 0 && host->saved_spm_lvl != -1) {
++ hba->spm_lvl = host->saved_spm_lvl;
++ host->saved_spm_lvl = -1;
++ }
++
++ return err;
++}
++
++static void ufs_intel_resume_complete(struct device *dev)
++{
++ struct ufs_hba *hba = dev_get_drvdata(dev);
++ struct intel_host *host = ufshcd_get_variant(hba);
++
++ ufshcd_resume_complete(dev);
++
++ if (host->saved_spm_lvl != -1) {
++ hba->spm_lvl = host->saved_spm_lvl;
++ host->saved_spm_lvl = -1;
++ }
++}
++
++static int ufshcd_pci_suspend_prepare(struct device *dev)
++{
++ struct ufs_hba *hba = dev_get_drvdata(dev);
++
++ if (!strcmp(hba->vops->name, "intel-pci"))
++ return ufs_intel_suspend_prepare(dev);
++
++ return ufshcd_suspend_prepare(dev);
++}
++
++static void ufshcd_pci_resume_complete(struct device *dev)
++{
++ struct ufs_hba *hba = dev_get_drvdata(dev);
++
++ if (!strcmp(hba->vops->name, "intel-pci")) {
++ ufs_intel_resume_complete(dev);
++ return;
++ }
++
++ ufshcd_resume_complete(dev);
++}
+ #endif
+
+ /**
+@@ -633,8 +696,8 @@ static const struct dev_pm_ops ufshcd_pc
+ .thaw = ufshcd_system_resume,
+ .poweroff = ufshcd_system_suspend,
+ .restore = ufshcd_pci_restore,
+- .prepare = ufshcd_suspend_prepare,
+- .complete = ufshcd_resume_complete,
++ .prepare = ufshcd_pci_suspend_prepare,
++ .complete = ufshcd_pci_resume_complete,
+ #endif
+ };
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 323b56c6c0..ee27a3569b 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
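Review bot: `ufshcd_pci_suspend_prepare` and `ufshcd_pci_resume_complete` dereference `hba->vops->name` unconditionally, and these are now the ->prepare/->complete callbacks for every device this PCI driver binds. As far as I recall the ufshcd core's own vops accessors guard against a NULL `hba->vops`, so if any entry in this driver's PCI ID table carries no variant ops (the table is outside the hunk, so I can't confirm) the first suspend of such a device would oops in the new dispatch. The guard is one token in each function: `if (hba->vops && !strcmp(hba->vops->name, "intel-pci"))`. Separately, selecting the Intel path by string-comparing the vops name is brittle against a rename; comparing `hba->vops` against the Intel ops tables, or adding a variant hook, would fail loudly instead of silently reverting to the generic path.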
@@ -323,3 +323,8 @@ net-dsa-microchip-fix-reserved-multicast-address-tab.patch
 net-bridge-fix-use-after-free-due-to-mst-port-state-.patch
 net-bridge-fix-mst-static-key-usage.patch
 tracing-fix-memory-leaks-in-create_field_var.patch
+bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch
+rtc-rx8025-fix-incorrect-register-reference.patch
+smb-client-validate-change-notify-buffer-before-copy.patch
+lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch
+scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch
diff --git a/queue-6.1/smb-client-validate-change-notify-buffer-before-copy.patch b/queue-6.1/smb-client-validate-change-notify-buffer-before-copy.patch
new file mode 100644
index 0000000000..5d54d4cacb
--- /dev/null
+++ b/queue-6.1/smb-client-validate-change-notify-buffer-before-copy.patch
@@ -0,0 +1,43 @@
+From 4012abe8a78fbb8869634130024266eaef7081fe Mon Sep 17 00:00:00 2001
+From: Joshua Rogers
+Date: Fri, 7 Nov 2025 00:09:37 +0800
+Subject: smb: client: validate change notify buffer before copy
+
+From: Joshua Rogers
+
+commit 4012abe8a78fbb8869634130024266eaef7081fe upstream.
+
+SMB2_change_notify called smb2_validate_iov() but ignored the return
+code, then kmemdup()ed using server provided OutputBufferOffset/Length.
+
+Check the return of smb2_validate_iov() and bail out on error.
+
+Discovered with help from the ZeroPath security tooling.
+
+Signed-off-by: Joshua Rogers
+Reviewed-by: Paulo Alcantara (Red Hat)
+Cc: stable@vger.kernel.org
+Fixes: e3e9463414f61 ("smb3: improve SMB3 change notification support")
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/smb2pdu.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -3837,9 +3837,12 @@ SMB2_change_notify(const unsigned int xi
+
+ smb_rsp = (struct smb2_change_notify_rsp *)rsp_iov.iov_base;
+
+- smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset),
+- le32_to_cpu(smb_rsp->OutputBufferLength), &rsp_iov,
++ rc = smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset),
++ le32_to_cpu(smb_rsp->OutputBufferLength),
++ &rsp_iov,
+ sizeof(struct file_notify_information));
++ if (rc)
++ goto cnotify_exit;
+
+ *out_data = kmemdup((char *)smb_rsp + le16_to_cpu(smb_rsp->OutputBufferOffset),
+ le32_to_cpu(smb_rsp->OutputBufferLength), GFP_KERNEL);
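Review bot: On the new `if (rc) goto cnotify_exit;` path `*out_data` is never assigned, so a caller that frees or inspects its output pointer after a failure is relying on having initialised it to NULL itself; the rest of SMB2_change_notify and the cnotify_exit label are outside the hunk, so I can't tell which contract the function actually offers. Writing `*out_data = NULL;` before the jump, or at the top of the function, makes the failure state explicit instead of implicit. A one-line comment above the call, `/* OutputBufferOffset/Length are server-controlled; validate before kmemdup() trusts them */`, would record why this return value must not be dropped again, since the previous version compiled cleanly while ignoring it.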