From: Greg Kroah-Hartman Date: Mon, 13 Apr 2026 13:47:35 +0000 (+0200) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=HEAD;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: netlink-add-nla-be16-32-types-to-minlen-array.patch xen-privcmd-unregister-xenstore-notifier-on-module-exit.patch
---
diff --git a/queue-5.15/netlink-add-nla-be16-32-types-to-minlen-array.patch b/queue-5.15/netlink-add-nla-be16-32-types-to-minlen-array.patch
new file mode 100644
index 0000000000..789af66fae
--- /dev/null
+++ b/queue-5.15/netlink-add-nla-be16-32-types-to-minlen-array.patch
@@ -0,0 +1,60 @@
+From 9a0d18853c280f6a0ee99f91619f2442a17a323a Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Wed, 21 Feb 2024 18:27:33 +0100
+Subject: netlink: add nla be16/32 types to minlen array
+
+From: Florian Westphal
+
+commit 9a0d18853c280f6a0ee99f91619f2442a17a323a upstream.
+
+BUG: KMSAN: uninit-value in nla_validate_range_unsigned lib/nlattr.c:222 [inline]
+BUG: KMSAN: uninit-value in nla_validate_int_range lib/nlattr.c:336 [inline]
+BUG: KMSAN: uninit-value in validate_nla lib/nlattr.c:575 [inline]
+BUG: KMSAN: uninit-value in __nla_validate_parse+0x2e20/0x45c0 lib/nlattr.c:631
+ nla_validate_range_unsigned lib/nlattr.c:222 [inline]
+ nla_validate_int_range lib/nlattr.c:336 [inline]
+ validate_nla lib/nlattr.c:575 [inline]
+...
+
+The message in question matches this policy:
+
+ [NFTA_TARGET_REV] = NLA_POLICY_MAX(NLA_BE32, 255),
+
+but because NLA_BE32 size in minlen array is 0, the validation
+code will read past the malformed (too small) attribute.
+
+Note: Other attributes, e.g. BITFIELD32, SINT, UINT.. are also missing:
+those likely should be added too.
+
+Reported-by: syzbot+3f497b07aa3baf2fb4d0@syzkaller.appspotmail.com
+Reported-by: xingwei lee
+Closes: https://lore.kernel.org/all/CABOYnLzFYHSnvTyS6zGa-udNX55+izqkOt2sB9WDqUcEGW6n8w@mail.gmail.com/raw
+Fixes: ecaf75ffd5f5 ("netlink: introduce bigendian integer types")
+Signed-off-by: Florian Westphal
+Link: https://lore.kernel.org/r/20240221172740.5092-1-fw@strlen.de
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/nlattr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/lib/nlattr.c
++++ b/lib/nlattr.c
+@@ -30,6 +30,8 @@ static const u8 nla_attr_len[NLA_TYPE_MA
+ [NLA_S16] = sizeof(s16),
+ [NLA_S32] = sizeof(s32),
+ [NLA_S64] = sizeof(s64),
++ [NLA_BE16] = sizeof(__be16),
++ [NLA_BE32] = sizeof(__be32),
+ };
+
+ static const u8 nla_attr_minlen[NLA_TYPE_MAX+1] = {
+@@ -43,6 +45,8 @@ static const u8 nla_attr_minlen[NLA_TYPE
+ [NLA_S16] = sizeof(s16),
+ [NLA_S32] = sizeof(s32),
+ [NLA_S64] = sizeof(s64),
++ [NLA_BE16] = sizeof(__be16),
++ [NLA_BE32] = sizeof(__be32),
+ };
+
+ /*
diff --git a/queue-5.15/series b/queue-5.15/series
index abcf0e4fee..690e8ed5c5 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -538,3 +538,5 @@ net-qualcomm-qca_uart-report-the-consumed-byte-on-rx-skb-allocation-failure.patc
 net-stmmac-fix-integer-underflow-in-chain-mode.patch
 rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch
 rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch
+netlink-add-nla-be16-32-types-to-minlen-array.patch
+xen-privcmd-unregister-xenstore-notifier-on-module-exit.patch
diff --git a/queue-5.15/xen-privcmd-unregister-xenstore-notifier-on-module-exit.patch b/queue-5.15/xen-privcmd-unregister-xenstore-notifier-on-module-exit.patch
new file mode 100644
index 0000000000..d56891f7ad
--- /dev/null
+++ b/queue-5.15/xen-privcmd-unregister-xenstore-notifier-on-module-exit.patch
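Review bot: The nested hunk at `+@@ -30,6 +30,8 @@` adds NLA_BE16/NLA_BE32 to nla_attr_len, not only to nla_attr_minlen, and nla_attr_len is the exact-length table: if 5.15's validate_nla matches upstream, a BE16/BE32 attribute whose payload is not exactly 2/4 bytes now triggers the ratelimited "invalid length" warning and is rejected under NL_VALIDATE_STRICT_ATTRS, whereas before it was accepted without comment. That is the same treatment the S16/S32/S64 entries directly above already receive, so the change is consistent, but it is a wire-format tightening beyond the out-of-bounds read the commit message describes and is worth naming for stable consumers of NLA_POLICY_MAX/MIN policies on these types. validate_nla itself is outside this patch, so confirm that check against lib/nlattr.c in the 5.15 tree rather than taking this note as established. The commit message's remark that SINT/UINT are also missing does not apply to 5.15, which as far as I recall predates those attribute types; BITFIELD32 is handled by its own fixed-size check in upstream validate_nla, again to be confirmed in the 5.15 file.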
@@ -0,0 +1,42 @@
+From cd7e1fef5a1ca1c4fcd232211962ac2395601636 Mon Sep 17 00:00:00 2001
+From: GuoHan Zhao
+Date: Wed, 25 Mar 2026 20:02:46 +0800
+Subject: xen/privcmd: unregister xenstore notifier on module exit
+
+From: GuoHan Zhao
+
+commit cd7e1fef5a1ca1c4fcd232211962ac2395601636 upstream.
+
+Commit 453b8fb68f36 ("xen/privcmd: restrict usage in
+unprivileged domU") added a xenstore notifier to defer setting the
+restriction target until Xenstore is ready.
+
+XEN_PRIVCMD can be built as a module, but privcmd_exit() leaves that
+notifier behind. Balance the notifier lifecycle by unregistering it on
+module exit.
+
+This is harmless even if xenstore was already ready at registration
+time and the notifier was never queued on the chain.
+
+Fixes: 453b8fb68f3641fe ("xen/privcmd: restrict usage in unprivileged domU")
+Signed-off-by: GuoHan Zhao
+Reviewed-by: Juergen Gross
+Signed-off-by: Juergen Gross
+Message-ID: <20260325120246.252899-1-zhaoguohan@kylinos.cn>
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/privcmd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/xen/privcmd.c
++++ b/drivers/xen/privcmd.c
+@@ -1068,6 +1068,9 @@ static int __init privcmd_init(void)
+
+ static void __exit privcmd_exit(void)
+ {
++ if (!xen_initial_domain())
++ unregister_xenstore_notifier(&xenstore_notifier);
++
+ misc_deregister(&privcmd_dev);
+ misc_deregister(&xen_privcmdbuf_dev);
+ }
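Review bot: The `if (!xen_initial_domain())` guard added in privcmd_exit() silently couples the teardown to whatever condition privcmd_init() uses when it registers `xenstore_notifier`, and privcmd_init() lies outside this hunk, so the pairing cannot be verified from the patch alone. Since the commit message itself states that unregistering a notifier that was never queued on the chain is harmless, the unconditional form `unregister_xenstore_notifier(&xenstore_notifier);` would remove that coupling and cannot leave the notifier behind if the init-side condition is ever changed in a later backport. If the guard is kept, a comment such as `/* mirrors the !xen_initial_domain() registration in privcmd_init() */` would make the dependency explicit. Placing the unregister before the two misc_deregister() calls is the right order, on the assumption (not shown here) that the xenstore chain is a blocking notifier chain so no callback can still be running once unregister_xenstore_notifier() returns.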