From: Greg Kroah-Hartman
Date: Tue, 12 May 2026 12:50:25 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v6.12.88~59
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b37139b187d72c18b672a09e0d0709db288e8fa4;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch
bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch
ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch
spi-zynqmp-gqspi-fix-controller-deregistration.patch
staging-vme_user-fix-root-device-leak-on-init-failure.patch
xfrm-provide-message-size-for-xfrm_msg_mapping.patch
---
diff --git a/queue-6.1/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch b/queue-6.1/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
new file mode 100644
index 0000000000..9be29b4273
--- /dev/null
+++ b/queue-6.1/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
@@ -0,0 +1,33 @@
+From 0a120d96166301d7a95be75b52f843837dbd1219 Mon Sep 17 00:00:00 2001
+From: Siwei Zhang
+Date: Wed, 15 Apr 2026 16:49:59 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
+
+From: Siwei Zhang
+
+commit 0a120d96166301d7a95be75b52f843837dbd1219 upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 80808e431e1e ("Bluetooth: Add l2cap_chan_ops abstraction")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1500,6 +1500,9 @@ static struct l2cap_chan *l2cap_sock_new
+ {
+ struct sock *sk, *parent = chan->data;
+
++ if (!parent)
++ return NULL;
++
+ lock_sock(parent);
+
+ /* Check for backlog size */
diff --git a/queue-6.1/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch b/queue-6.1/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
new file mode 100644
index 0000000000..8deabd649a
--- /dev/null
+++ b/queue-6.1/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
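Review bot: The new `if (!parent) return NULL;` guard in l2cap_sock_new_connection_cb() carries no comment on when chan->data can be NULL, so a reader has to go find the sibling guards in l2cap_sock_resume_cb() and l2cap_sock_ready_cb() to understand it; presumably the owning socket has already been torn down while the chan is still reachable from the core — confirm against the place that clears chan->data. Suggest a one-line comment above the guard such as `/* Parent socket already released; chan->data is cleared on socket teardown */`, adjusted to the actual lifecycle. The same applies to the `if (!sk) return;` guard in l2cap_sock_state_change_cb() in the next patch. Both functions continue beyond their hunks.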
@@ -0,0 +1,33 @@
+From 2ff1a41a912de8517b4482e946dd951b7d80edbf Mon Sep 17 00:00:00 2001
+From: Siwei Zhang
+Date: Wed, 15 Apr 2026 16:51:36 -0400
+Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
+
+From: Siwei Zhang
+
+commit 2ff1a41a912de8517b4482e946dd951b7d80edbf upstream.
+
+Add the same NULL guard already present in
+l2cap_sock_resume_cb() and l2cap_sock_ready_cb().
+
+Fixes: 89bc500e41fc ("Bluetooth: Add state tracking to struct l2cap_chan")
+Cc: stable@kernel.org
+Signed-off-by: Siwei Zhang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/l2cap_sock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1663,6 +1663,9 @@ static void l2cap_sock_state_change_cb(s
+ {
+ struct sock *sk = chan->data;
+
++ if (!sk)
++ return;
++
+ sk->sk_state = state;
+
+ if (err)
diff --git a/queue-6.1/bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch b/queue-6.1/bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch
new file mode 100644
index 0000000000..499c606616
--- /dev/null
+++ b/queue-6.1/bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch
@@ -0,0 +1,91 @@
+From 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito
+Date: Tue, 21 Apr 2026 13:08:44 -0400
+Subject: Bluetooth: virtio_bt: clamp rx length before skb_put
+
+From: Michael Bommarito
+
+commit 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 upstream.
+
+virtbt_rx_work() calls skb_put(skb, len) where len comes directly
+from virtqueue_get_buf() with no validation against the buffer we
+posted to the device. The RX skb is allocated in virtbt_add_inbuf()
+and exposed to virtio as exactly 1000 bytes via sg_init_one().
+
+Checking len against skb_tailroom(skb) is not sufficient because
+alloc_skb() can leave more tailroom than the 1000 bytes actually
+handed to the device. A malicious or buggy backend can therefore
+report used.len between 1001 and skb_tailroom(skb), causing skb_put()
+to include uninitialized kernel heap bytes that were never written by
+the device.
+
+The same path also accepts len == 0, in which case skb_put(skb, 0)
+leaves the skb empty but virtbt_rx_handle() still reads the pkt_type
+byte from skb->data, consuming uninitialized memory.
+
+Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and
+sg_init_one(), and gate virtbt_rx_work() on that same constant so
+the bound checked matches the buffer actually exposed to the device.
+Reject used.len == 0 in the same gate so an empty completion can
+no longer reach virtbt_rx_handle().
+
+Use bt_dev_err_ratelimited() because the length value comes from an
+untrusted backend that can otherwise flood the kernel log.
+
+Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer
+overflow in USB transport layer"), which hardened the USB 9p
+transport against unchecked device-reported length.
+
+Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
+Cc: stable@vger.kernel.org
+Cc: Soenke Huster
+Signed-off-by: Michael Bommarito
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/virtio_bt.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/bluetooth/virtio_bt.c
++++ b/drivers/bluetooth/virtio_bt.c
+@@ -12,6 +12,7 @@
+ #include
+
+ #define VERSION "0.1"
++#define VIRTBT_RX_BUF_SIZE 1000
+
+ enum {
+ VIRTBT_VQ_TX,
+@@ -33,11 +34,11 @@ static int virtbt_add_inbuf(struct virti
+ struct sk_buff *skb;
+ int err;
+
+- skb = alloc_skb(1000, GFP_KERNEL);
++ skb = alloc_skb(VIRTBT_RX_BUF_SIZE, GFP_KERNEL);
+ if (!skb)
+ return -ENOMEM;
+
+- sg_init_one(sg, skb->data, 1000);
++ sg_init_one(sg, skb->data, VIRTBT_RX_BUF_SIZE);
+
+ err = virtqueue_add_inbuf(vq, sg, 1, skb, GFP_KERNEL);
+ if (err < 0) {
+@@ -219,8 +220,15 @@ static void virtbt_rx_work(struct work_s
+ if (!skb)
+ return;
+
+- skb_put(skb, len);
+- virtbt_rx_handle(vbt, skb);
++ if (!len || len > VIRTBT_RX_BUF_SIZE) {
++ bt_dev_err_ratelimited(vbt->hdev,
++ "rx reply len %u outside [1, %u]\n",
++ len, VIRTBT_RX_BUF_SIZE);
++ kfree_skb(skb);
++ } else {
++ skb_put(skb, len);
++ virtbt_rx_handle(vbt, skb);
++ }
+
+ if (virtbt_add_inbuf(vbt) < 0)
+ return;
diff --git a/queue-6.1/bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch b/queue-6.1/bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch
new file mode 100644
index 0000000000..654794fd80
--- /dev/null
+++ b/queue-6.1/bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch
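Review bot: The format string in the new bt_dev_err_ratelimited() call in virtbt_rx_work(), `"rx reply len %u outside [1, %u]\n"`, ends in `\n`, but the bt_dev_err*/BT_ERR* macro family in include/net/bluetooth/bluetooth.h already appends a newline to fmt (BT_ERR_RATELIMITED() expands to bt_err_ratelimited(fmt "\n", ...)), so each rejected completion logs an extra blank line; drop the trailing `\n` here. The same applies to `"rx pkt_type 0x%02x payload %u < hdr %zu\n"` in the next patch (validate rx pkt_type header length). The gate itself looks right for an untrusted backend: an out-of-range or zero length is dropped, the skb freed, and the buffer reposted through virtbt_add_inbuf() just below, so the receive queue is not starved by a misbehaving device. virtbt_rx_work() continues beyond the hunk, and the type of `len` (matched by `%u`) is declared outside it — confirm it is an unsigned int.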
@@ -0,0 +1,93 @@
+From daf23014e5d975e72ea9c02b5160d3fcf070ea47 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito
+Date: Tue, 21 Apr 2026 13:08:45 -0400
+Subject: Bluetooth: virtio_bt: validate rx pkt_type header length
+
+From: Michael Bommarito
+
+commit daf23014e5d975e72ea9c02b5160d3fcf070ea47 upstream.
+
+virtbt_rx_handle() reads the leading pkt_type byte from the RX skb
+and forwards the remainder to hci_recv_frame() for every
+event/ACL/SCO/ISO type, without checking that the remaining payload
+is at least the fixed HCI header for that type.
+
+After the preceding patch bounds the backend-supplied used.len to
+[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches
+hci_recv_frame() with skb->len already pulled to 0. If the byte
+happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification
+fast-path in hci_dev_classify_pkt_type() dereferences
+hci_acl_hdr(skb)->handle whenever the HCI device has an active
+CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of
+uninitialized RX-buffer data. The same hazard exists for every
+packet type the driver accepts because none of the switch cases in
+virtbt_rx_handle() check skb->len against the per-type minimum HCI
+header size before handing the frame to the core.
+
+After stripping pkt_type, require skb->len to cover the fixed
+header size for the selected type (event 2, ACL 4, SCO 3, ISO 4)
+before calling hci_recv_frame(); drop ratelimited otherwise.
+Unknown pkt_type values still take the original kfree_skb() default
+path.
+
+Use bt_dev_err_ratelimited() because both the length and pkt_type
+values come from an untrusted backend that can otherwise flood the
+kernel log.
+
+Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length")
+Cc: stable@vger.kernel.org
+Cc: Soenke Huster
+Signed-off-by: Michael Bommarito
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/virtio_bt.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+--- a/drivers/bluetooth/virtio_bt.c
++++ b/drivers/bluetooth/virtio_bt.c
+@@ -190,6 +190,7 @@ static int virtbt_shutdown_generic(struc
+
+ static void virtbt_rx_handle(struct virtio_bluetooth *vbt, struct sk_buff *skb)
+ {
++ size_t min_hdr;
+ __u8 pkt_type;
+
+ pkt_type = *((__u8 *) skb->data);
+@@ -197,16 +198,32 @@ static void virtbt_rx_handle(struct virt
+
+ switch (pkt_type) {
+ case HCI_EVENT_PKT:
++ min_hdr = sizeof(struct hci_event_hdr);
++ break;
+ case HCI_ACLDATA_PKT:
++ min_hdr = sizeof(struct hci_acl_hdr);
++ break;
+ case HCI_SCODATA_PKT:
++ min_hdr = sizeof(struct hci_sco_hdr);
++ break;
+ case HCI_ISODATA_PKT:
+- hci_skb_pkt_type(skb) = pkt_type;
+- hci_recv_frame(vbt->hdev, skb);
++ min_hdr = sizeof(struct hci_iso_hdr);
+ break;
+ default:
+ kfree_skb(skb);
+- break;
++ return;
+ }
++
++ if (skb->len < min_hdr) {
++ bt_dev_err_ratelimited(vbt->hdev,
++ "rx pkt_type 0x%02x payload %u < hdr %zu\n",
++ pkt_type, skb->len, min_hdr);
++ kfree_skb(skb);
++ return;
++ }
++
++ hci_skb_pkt_type(skb) = pkt_type;
++ hci_recv_frame(vbt->hdev, skb);
+ }
+
+ static void virtbt_rx_work(struct work_struct *work)
diff --git a/queue-6.1/ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch b/queue-6.1/ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
new file mode 100644
index 0000000000..22d7660771
--- /dev/null
+++ b/queue-6.1/ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
@@ -0,0 +1,50 @@
+From bc0fcb9823cd0894934cf968b525c575833d7078 Mon Sep 17 00:00:00 2001
+From: Yilin Zhu
+Date: Sun, 12 Apr 2026 13:07:54 +0800
+Subject: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
+
+From: Yilin Zhu
+
+commit bc0fcb9823cd0894934cf968b525c575833d7078 upstream.
+
+xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not
+already have a dst attached. ip6_route_input_lookup() returns a
+referenced dst entry even when the lookup resolves to an error route.
+
+If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching
+the dst to the skb and without releasing the reference returned by the
+lookup. Repeated packets hitting this path therefore leak dst entries.
+
+Release the dst before jumping to the drop path.
+
+Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP")
+Cc: stable@kernel.org
+Reported-by: Yifan Wu
+Reported-by: Juefei Pu
+Co-developed-by: Yuan Tan
+Signed-off-by: Yuan Tan
+Suggested-by: Xin Liu
+Tested-by: Ruide Cao
+Signed-off-by: Yilin Zhu
+Signed-off-by: Ren Wei
+Reviewed-by: Simon Horman
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/xfrm6_protocol.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/xfrm6_protocol.c
++++ b/net/ipv6/xfrm6_protocol.c
+@@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb,
+
+ dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6,
+ skb, flags);
+- if (dst->error)
++ if (dst->error) {
++ dst_release(dst);
+ goto drop;
++ }
+ skb_dst_set(skb, dst);
+ }
+
diff --git a/queue-6.1/powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch b/queue-6.1/powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch
new file mode 100644
index 0000000000..491a05137d
--- /dev/null
+++ b/queue-6.1/powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch
@@ -0,0 +1,52 @@
+From b3a97f9484080c6e71db9e803e3cc1bb372a9bc7 Mon Sep 17 00:00:00 2001
+From: Sourabh Jain
+Date: Tue, 7 Apr 2026 18:13:44 +0530
+Subject: powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sourabh Jain
+
+commit b3a97f9484080c6e71db9e803e3cc1bb372a9bc7 upstream.
+
+KASAN instrumentation is intended to be disabled for the kexec core
+code, but the existing Makefile entry misses the object suffix. As a
+result, the flag is not applied correctly to core_$(BITS).o.
+
+So when KASAN is enabled, kexec_copy_flush and copy_segments in
+kexec/core_64.c are instrumented, which can result in accesses to
+shadow memory via normal address translation paths. Since these run
+with the MMU disabled, such accesses may trigger page faults
+(bad_page_fault) that cannot be handled in the kdump path, ultimately
+causing a hang and preventing the kdump kernel from booting. The same
+is true for kexec as well, since the same functions are used there.
+
+Update the entry to include the “.o” suffix so that KASAN
+instrumentation is properly disabled for this object file.
+
+Fixes: 2ab2d5794f14 ("powerpc/kasan: Disable address sanitization in kexec paths")
+Reported-by: Venkat Rao Bagalkote
+Closes: https://lore.kernel.org/all/1dee8891-8bcc-46b4-93f3-fc3a774abd5b@linux.ibm.com/
+Cc: stable@vger.kernel.org
+Reviewed-by: Ritesh Harjani (IBM)
+Tested-by: Venkat Rao Bagalkote
+Acked-by: Mahesh Salgaonkar
+Reviewed-by: Aboorva Devarajan
+Tested-by: Aboorva Devarajan
+Signed-off-by: Sourabh Jain
+Signed-off-by: Madhavan Srinivasan
+Link: https://patch.msgid.link/20260407124349.1698552-1-sourabhjain@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kexec/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kexec/Makefile
++++ b/arch/powerpc/kexec/Makefile
+@@ -14,4 +14,4 @@ GCOV_PROFILE_core_$(BITS).o := n
+ KCOV_INSTRUMENT_core_$(BITS).o := n
+ UBSAN_SANITIZE_core_$(BITS).o := n
+ KASAN_SANITIZE_core.o := n
+-KASAN_SANITIZE_core_$(BITS) := n
++KASAN_SANITIZE_core_$(BITS).o := n
diff --git a/queue-6.1/series b/queue-6.1/series
index 55de39a2b5..7f5206e191 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -314,3 +314,12 @@ usb-omap_udc-dma-don-t-enable-burst-4-mode.patch
 usb-serial-option-add-telit-cinterion-le910cx-compositions.patch
 usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch
 alsa-firewire-tascam-do-not-drop-unread-control-events.patch
+powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch
+xfrm-provide-message-size-for-xfrm_msg_mapping.patch
+ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch
+bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch
+bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch
+bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch
+spi-zynqmp-gqspi-fix-controller-deregistration.patch
+staging-vme_user-fix-root-device-leak-on-init-failure.patch
diff --git a/queue-6.1/spi-zynqmp-gqspi-fix-controller-deregistration.patch b/queue-6.1/spi-zynqmp-gqspi-fix-controller-deregistration.patch
new file mode 100644
index 0000000000..306f3841de
--- /dev/null
+++ b/queue-6.1/spi-zynqmp-gqspi-fix-controller-deregistration.patch
@@ -0,0 +1,44 @@
+From 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 10 Apr 2026 10:17:55 +0200
+Subject: spi: zynqmp-gqspi: fix controller deregistration
+
+From: Johan Hovold
+
+commit 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 upstream.
+
+Make sure to deregister the controller before disabling underlying
+resources like clocks during driver unbind.
+
+Fixes: dfe11a11d523 ("spi: Add support for Zynq Ultrascale+ MPSoC GQSPI controller")
+Cc: stable@vger.kernel.org # 4.2: 64640f6c972e
+Cc: stable@vger.kernel.org # 4.2
+Cc: Ranjit Waghmode
+Signed-off-by: Johan Hovold
+Link: https://patch.msgid.link/20260410081757.503099-26-johan@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-zynqmp-gqspi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-zynqmp-gqspi.c
++++ b/drivers/spi/spi-zynqmp-gqspi.c
+@@ -1202,7 +1202,7 @@ static int zynqmp_qspi_probe(struct plat
+ ctlr->dev.of_node = np;
+ ctlr->auto_runtime_pm = true;
+
+- ret = devm_spi_register_controller(&pdev->dev, ctlr);
++ ret = spi_register_controller(ctlr);
+ if (ret) {
+ dev_err(&pdev->dev, "spi_register_controller failed\n");
+ goto clk_dis_all;
+@@ -1243,6 +1243,8 @@ static int zynqmp_qspi_remove(struct pla
+
+ pm_runtime_get_sync(&pdev->dev);
+
++ spi_unregister_controller(xqspi->ctlr);
++
+ zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0);
+
+ pm_runtime_disable(&pdev->dev);
diff --git a/queue-6.1/staging-vme_user-fix-root-device-leak-on-init-failure.patch b/queue-6.1/staging-vme_user-fix-root-device-leak-on-init-failure.patch
new file mode 100644
index 0000000000..449588ea98
--- /dev/null
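Review bot: With `devm_spi_register_controller()` replaced by `spi_register_controller(ctlr)` in zynqmp_qspi_probe(), the controller is no longer released automatically when probe fails later on, so any error exit that sits after the registration (outside this hunk — the function continues past `goto clk_dis_all;`) would now need an explicit `spi_unregister_controller(ctlr)` before the clock unwind; worth confirming nothing can fail between the registration and the final `return 0`. On the remove side the new ordering is the safe one: the controller is unregistered before `zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0)` and the pm_runtime teardown, so no new transfer can be queued against a controller whose clocks are about to go away. zynqmp_qspi_remove() also continues beyond the hunk, and `xqspi->ctlr` is assigned outside it — confirm it holds the same controller that probe registered.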
+++ b/queue-6.1/staging-vme_user-fix-root-device-leak-on-init-failure.patch
@@ -0,0 +1,33 @@
+From 32c91e8ee039777d0b95b914633fc6a42607959c Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 24 Apr 2026 12:49:10 +0200
+Subject: staging: vme_user: fix root device leak on init failure
+
+From: Johan Hovold
+
+commit 32c91e8ee039777d0b95b914633fc6a42607959c upstream.
+
+Make sure to deregister and free the root device in case module
+initialisation fails.
+
+Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
+Cc: stable@vger.kernel.org # 4.9
+Cc: Martyn Welch
+Signed-off-by: Johan Hovold
+Link: https://patch.msgid.link/20260424104910.2619349-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/vme_user/vme_fake.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/vme_user/vme_fake.c
++++ b/drivers/staging/vme_user/vme_fake.c
+@@ -1242,6 +1242,8 @@ err_master:
+ err_driver:
+ kfree(fake_bridge);
+ err_struct:
++ root_device_unregister(vme_root);
++
+ return retval;
+
+ }
diff --git a/queue-6.1/xfrm-provide-message-size-for-xfrm_msg_mapping.patch b/queue-6.1/xfrm-provide-message-size-for-xfrm_msg_mapping.patch
new file mode 100644
index 0000000000..82990c6cf1
--- /dev/null
+++ b/queue-6.1/xfrm-provide-message-size-for-xfrm_msg_mapping.patch
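Review bot: The new `root_device_unregister(vme_root);` sits under the `err_struct:` label, which is the last label in the chain and therefore the target of every failure path in the init function, including any `goto err_struct` taken before the root device was registered; if such a path exists (the function body is outside this hunk), this would unregister a NULL or stale `vme_root`. Worth confirming that the root device is registered before the first jump to `err_struct`, or adding a dedicated label after it. A short comment on the label, e.g. `/* vme_root is registered before any goto err_struct */`, would make that ordering explicit for the next edit.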
@@ -0,0 +1,40 @@
+From 28465227c80fe417b4013c432be1f3737cb9f9a3 Mon Sep 17 00:00:00 2001
+From: Ruijie Li
+Date: Wed, 29 Apr 2026 00:41:43 +0800
+Subject: xfrm: provide message size for XFRM_MSG_MAPPING
+
+From: Ruijie Li
+
+commit 28465227c80fe417b4013c432be1f3737cb9f9a3 upstream.
+
+The compat 64=>32 translation path handles XFRM_MSG_MAPPING, but
+xfrm_msg_min[] does not provide the native payload size for this
+message type.
+
+Add the missing XFRM_MSG_MAPPING entry so compat translation can size
+and translate mapping notifications correctly.
+
+Fixes: 5461fc0c8d9f ("xfrm/compat: Add 64=>32-bit messages translator")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan
+Reported-by: Yifan Wu
+Reported-by: Juefei Pu
+Reported-by: Xin Liu
+Signed-off-by: Ruijie Li
+Signed-off-by: Ren Wei
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/xfrm/xfrm_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -2960,6 +2960,7 @@ const int xfrm_msg_min[XFRM_NR_MSGTYPES]
+ [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
+ [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32),
++ [XFRM_MSG_MAPPING - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_mapping),
+ [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default),
+ };
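Review bot: Because xfrm_msg_min[] is filled with designated initializers, a message type with no entry silently reads as size 0 rather than failing the build, which is how XFRM_MSG_MAPPING went missing in the first place; the array head is outside this hunk, but a comment there would help the next addition, e.g. `/* Every XFRM_MSG_* the compat translator handles needs an entry; a missing one is silently size 0 */`. It is also worth confirming that the 32-bit size table on the compat side (the counterpart array in net/xfrm/xfrm_compat.c) already carries its XFRM_MSG_MAPPING entry, since the translator sizes the message from both. The new line itself matches the surrounding XMSGSIZE() style.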