From: Sasha Levin
Date: Mon, 11 May 2026 14:21:28 +0000 (-0400)
Subject: Fixes for all trees
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ca6dfb8c821cc505e8a3ff83dbce92ce25877123;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for all trees
Signed-off-by: Sasha Levin
---
diff --git a/queue-6.1/bluetooth-btintel-serialize-btintel_hw_error-with-hc.patch b/queue-6.1/bluetooth-btintel-serialize-btintel_hw_error-with-hc.patch
new file mode 100644
index 0000000000..f09ec2b4a9
--- /dev/null
+++ b/queue-6.1/bluetooth-btintel-serialize-btintel_hw_error-with-hc.patch
@@ -0,0 +1,102 @@
+From 6df75dd28fb0ba58487289d8cb21f81a19e2b0e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 May 2026 14:35:39 +0800
+Subject: Bluetooth: btintel: serialize btintel_hw_error() with
+ hci_req_sync_lock
+
+From: Cen Zhang
+
+[ Upstream commit 94d8e6fe5d0818e9300e514e095a200bd5ff93ae ]
+
+btintel_hw_error() issues two __hci_cmd_sync() calls (HCI_OP_RESET
+and Intel exception-info retrieval) without holding
+hci_req_sync_lock(). This lets it race against
+hci_dev_do_close() -> btintel_shutdown_combined(), which also runs
+__hci_cmd_sync() under the same lock. When both paths manipulate
+hdev->req_status/req_rsp concurrently, the close path may free the
+response skb first, and the still-running hw_error path hits a
+slab-use-after-free in kfree_skb().
+
+Wrap the whole recovery sequence in hci_req_sync_lock/unlock so it
+is serialized with every other synchronous HCI command issuer.
+
+Below is the data race report and the kasan report:
+
+ BUG: data-race in __hci_cmd_sync_sk / btintel_shutdown_combined
+
+ read of hdev->req_rsp at net/bluetooth/hci_sync.c:199
+ by task kworker/u17:1/83:
+ __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
+ __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
+ btintel_hw_error+0x114/0x670 drivers/bluetooth/btintel.c:254
+ hci_error_reset+0x348/0xa30 net/bluetooth/hci_core.c:1030
+
+ write/free by task ioctl/22580:
+ btintel_shutdown_combined+0xd0/0x360
+ drivers/bluetooth/btintel.c:3648
+ hci_dev_close_sync+0x9ae/0x2c10 net/bluetooth/hci_sync.c:5246
+ hci_dev_do_close+0x232/0x460 net/bluetooth/hci_core.c:526
+
+ BUG: KASAN: slab-use-after-free in
+ sk_skb_reason_drop+0x43/0x380 net/core/skbuff.c:1202
+ Read of size 4 at addr ffff888144a738dc
+ by task kworker/u17:1/83:
+ __hci_cmd_sync_sk+0x12f2/0x1c30 net/bluetooth/hci_sync.c:200
+ __hci_cmd_sync+0x55/0x80 net/bluetooth/hci_sync.c:223
+ btintel_hw_error+0x186/0x670 drivers/bluetooth/btintel.c:260
+
+Fixes: 973bb97e5aee ("Bluetooth: btintel:
Add generic function for handling hardware errors")
+Signed-off-by: Cen Zhang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Fang Wang <32840572@qq.com>
+Signed-off-by: Sasha Levin
+---
+ drivers/bluetooth/btintel.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
+index 7a9d2da3c8146..1cba08e9403a4 100644
+--- a/drivers/bluetooth/btintel.c
++++ b/drivers/bluetooth/btintel.c
+@@ -225,11 +225,13 @@ static void btintel_hw_error(struct hci_dev *hdev, u8 code)
+
+ bt_dev_err(hdev, "Hardware error 0x%2.2x", code);
+
++ hci_req_sync_lock(hdev);
++
+ skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, HCI_INIT_TIMEOUT);
+ if (IS_ERR(skb)) {
+ bt_dev_err(hdev, "Reset after hardware error failed (%ld)",
+ PTR_ERR(skb));
+- return;
++ goto unlock;
+ }
+ kfree_skb(skb);
+
+@@ -237,18 +239,21 @@ static void btintel_hw_error(struct hci_dev *hdev, u8 code)
+ if (IS_ERR(skb)) {
+ bt_dev_err(hdev, "Retrieving Intel exception info failed (%ld)",
+ PTR_ERR(skb));
+- return;
++ goto unlock;
+ }
+
+ if (skb->len != 13) {
+ bt_dev_err(hdev, "Exception info size mismatch");
+ kfree_skb(skb);
+- return;
++ goto unlock;
+ }
+
+ bt_dev_err(hdev, "Exception info %s", (char *)(skb->data + 1));
+
+ kfree_skb(skb);
++
++unlock:
++ hci_req_sync_unlock(hdev);
+ }
+
+ int btintel_version_info(struct hci_dev *hdev, struct intel_version *ver)
+--
+2.53.0
+
diff --git a/queue-6.1/bluetooth-hci_sync-remove-remaining-dependencies-of-.patch b/queue-6.1/bluetooth-hci_sync-remove-remaining-dependencies-of-.patch
new file mode 100644
index 0000000000..0378dfaa81
--- /dev/null
+++ b/queue-6.1/bluetooth-hci_sync-remove-remaining-dependencies-of-.patch
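Review bot: btintel_hw_error() now acquires hdev->req_lock itself, so it must never be entered with that mutex already held (it is a plain mutex, not recursive), and nothing in the hunk records that new contract; the function's opening lines are above the hunk, and a one-line comment there would pin it: `/* Takes hci_req_sync_lock(): callers must not hold hdev->req_lock. */`. In older trees hci_req_sync_lock()/hci_req_sync_unlock() live in the private net/bluetooth/hci_request.h, which a driver under drivers/bluetooth cannot include, so this 6.1 backport appears to depend on the sibling hci_sync patch queued just before it in queue-6.1/series moving the macros into include/net/bluetooth/hci_sync.h; the two entries must stay ordered that way. The unlock: label after the final kfree_skb() covers all three error exits, which looks correct.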
@@ -0,0 +1,130 @@
+From 765ec1924ea67d625d3439e9244cd6ef4f2f8afd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 May 2026 14:34:05 +0800
+Subject: Bluetooth: hci_sync: Remove remaining dependencies of hci_request
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit f2d89775358606c7ab6b6b6c4a02fe1e8cd270b1 ]
+
+This removes the dependencies of hci_req_init and hci_request_cancel_all
+from hci_sync.c.
+
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Fang Wang <32840572@qq.com>
+Signed-off-by: Sasha Levin
+---
+ include/net/bluetooth/hci_sync.h | 17 +++++++++++++++++
+ net/bluetooth/hci_request.h | 21 ---------------------
+ net/bluetooth/hci_sync.c | 14 +++++++++++---
+ 3 files changed, 28 insertions(+), 24 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_sync.h b/include/net/bluetooth/hci_sync.h
+index a8b106d884d41..a68ddf5c02286 100644
+--- a/include/net/bluetooth/hci_sync.h
++++ b/include/net/bluetooth/hci_sync.h
+@@ -5,6 +5,23 @@
+ * Copyright (C) 2021 Intel Corporation
+ */
+
++#define HCI_REQ_DONE 0
++#define HCI_REQ_PEND 1
++#define HCI_REQ_CANCELED 2
++
++#define hci_req_sync_lock(hdev) mutex_lock(&hdev->req_lock)
++#define hci_req_sync_unlock(hdev) mutex_unlock(&hdev->req_lock)
++
++struct hci_request {
++ struct hci_dev *hdev;
++ struct sk_buff_head cmd_q;
++
++ /* If something goes wrong when building the HCI request, the error
++ * value is stored in this field.
++ */
++ int err;
++};
++
+ typedef int (*hci_cmd_sync_work_func_t)(struct hci_dev *hdev, void *data);
+ typedef void (*hci_cmd_sync_work_destroy_t)(struct hci_dev *hdev, void *data,
+ int err);
+diff --git a/net/bluetooth/hci_request.h b/net/bluetooth/hci_request.h
+index 0be75cf0efed8..b730da4a8b476 100644
+--- a/net/bluetooth/hci_request.h
++++ b/net/bluetooth/hci_request.h
+@@ -22,27 +22,6 @@
+
+ #include
+
+-#define HCI_REQ_DONE 0
+-#define HCI_REQ_PEND 1
+-#define HCI_REQ_CANCELED 2
+-
+-#define hci_req_sync_lock(hdev) mutex_lock(&hdev->req_lock)
+-#define hci_req_sync_unlock(hdev) mutex_unlock(&hdev->req_lock)
+-
+-#define HCI_REQ_DONE 0
+-#define HCI_REQ_PEND 1
+-#define HCI_REQ_CANCELED 2
+-
+-struct hci_request {
+- struct hci_dev *hdev;
+- struct sk_buff_head cmd_q;
+-
+- /* If something goes wrong when building the HCI request, the error
+- * value is stored in this field.
+- */
+- int err;
+-};
+-
+ void hci_req_init(struct hci_request *req, struct hci_dev *hdev);
+ void hci_req_purge(struct hci_request *req);
+ bool hci_req_status_pend(struct hci_dev *hdev);
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index c6f9d07a48194..4d23455e90bbe 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -11,7 +11,6 @@
+ #include
+ #include
+
+-#include "hci_request.h"
+ #include "hci_codec.h"
+ #include "hci_debugfs.h"
+ #include "smp.h"
+@@ -142,6 +141,13 @@ static int hci_cmd_sync_run(struct hci_request *req)
+ return 0;
+ }
+
++static void hci_request_init(struct hci_request *req, struct hci_dev *hdev)
++{
++ skb_queue_head_init(&req->cmd_q);
++ req->hdev = hdev;
++ req->err = 0;
++}
++
+ /* This function requires the caller holds hdev->req_lock.
*/
+ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
+ const void *param, u8 event, u32 timeout,
+@@ -153,7 +159,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
+
+ bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
+
+- hci_req_init(&req, hdev);
++ hci_request_init(&req, hdev);
+
+ hci_cmd_sync_add(&req, opcode, plen, param, event, sk);
+
+@@ -5188,7 +5194,9 @@ int hci_dev_close_sync(struct hci_dev *hdev)
+ cancel_delayed_work(&hdev->le_scan_disable);
+ cancel_delayed_work(&hdev->le_scan_restart);
+
+- hci_request_cancel_all(hdev);
++ hci_cmd_sync_cancel_sync(hdev, ENODEV);
++
++ cancel_interleave_scan(hdev);
+
+ if (hdev->adv_instance_timeout) {
+ cancel_delayed_work_sync(&hdev->adv_instance_expire);
+--
+2.53.0
+
diff --git a/queue-6.1/ice-fix-memory-leak-in-ice_set_ringparam.patch b/queue-6.1/ice-fix-memory-leak-in-ice_set_ringparam.patch
new file mode 100644
index 0000000000..9862e5393a
--- /dev/null
+++ b/queue-6.1/ice-fix-memory-leak-in-ice_set_ringparam.patch
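Review bot: The replacement of hci_request_cancel_all() by `hci_cmd_sync_cancel_sync(hdev, ENODEV);` and `cancel_interleave_scan(hdev);` in hci_dev_close_sync() assumes both names are already defined and visible in 6.1's hci_sync.c; the upstream commit targeted a newer tree, and if this branch still spells the cancel helper differently, or keeps its only cancel_interleave_scan() in hci_request.c, the backport will not link, so that is worth a build check before it is queued rather than inferred from the clean apply. Dropping `#include "hci_request.h"` in the same file turns any other leftover reference to that header's declarations into a hard error, which is a good reason to compile this patch on its own and not only together with the btintel fix that depends on it. A nit on the relocated macros in hci_sync.h: the argument is not parenthesized, and `#define hci_req_sync_lock(hdev) mutex_lock(&(hdev)->req_lock)` would be the conventional form, though the commit only moves that text. hci_dev_close_sync() begins and ends outside the visible hunk.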
@@ -0,0 +1,74 @@
+From 0936ca498fa28178890279c55f8b11167a6b906f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 May 2026 17:22:13 +0800
+Subject: ice: Fix memory leak in ice_set_ringparam()
+
+From: Zilin Guan
+
+[ Upstream commit fe868b499d16f55bbeea89992edb98043c9de416 ]
+
+In ice_set_ringparam, tx_rings and xdp_rings are allocated before
+rx_rings. If the allocation of rx_rings fails, the code jumps to
+the done label leaking both tx_rings and xdp_rings. Furthermore, if
+the setup of an individual Rx ring fails during the loop, the code jumps
+to the free_tx label which releases tx_rings but leaks xdp_rings.
+
+Fix this by introducing a free_xdp label and updating the error paths to
+ensure both xdp_rings and tx_rings are properly freed if rx_rings
+allocation or setup fails.
+
+Compile tested only. Issue found using a prototype static analysis tool
+and code review.
+
+Fixes: fcea6f3da546 ("ice: Add stats and ethtool support")
+Fixes: efc2214b6047 ("ice: Add support for XDP")
+Signed-off-by: Zilin Guan
+Reviewed-by: Paul Menzel
+Reviewed-by: Aleksandr Loktionov
+Tested-by: Rinitha S (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen
+Signed-off-by: Rajani Kantha <681739313@139.com>
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/intel/ice/ice_ethtool.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+index 49c524304a412..7774292a5bdbe 100644
+--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
+@@ -2891,7 +2891,7 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
+ rx_rings = kcalloc(vsi->num_rxq, sizeof(*rx_rings), GFP_KERNEL);
+ if (!rx_rings) {
+ err = -ENOMEM;
+- goto done;
++ goto free_xdp;
+ }
+
+ ice_for_each_rxq(vsi, i) {
+@@ -2921,7 +2921,7 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
+ }
+ kfree(rx_rings);
+ err = -ENOMEM;
+- goto free_tx;
++ goto free_xdp;
+ }
+ }
+
+@@ -2972,6 +2972,13 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
+ }
+ goto done;
+
++free_xdp:
++ if (xdp_rings) {
++ ice_for_each_xdp_txq(vsi, i)
++ ice_free_tx_ring(&xdp_rings[i]);
++ kfree(xdp_rings);
++ }
++
+ free_tx:
+ /* error cleanup if the Rx allocations failed after getting Tx */
+ if (tx_rings) {
+--
+2.53.0
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 35ea92b42a..314f0c8e50 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -296,3 +296,6 @@ ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch
 kvm-x86-fix-shadow-paging-use-after-free-due-to-unex.patch
 net-fix-icmp-host-relookup-triggering-ip_rt_bug.patch
 flow_dissector-do-not-dissect-pppoe-pfc-frames.patch
+bluetooth-hci_sync-remove-remaining-dependencies-of-.patch
+bluetooth-btintel-serialize-btintel_hw_error-with-hc.patch
+ice-fix-memory-leak-in-ice_set_ringparam.patch
diff --git a/queue-6.12/bluetooth-l2cap-fix-deadlock-in-l2cap_conn_del.patch b/queue-6.12/bluetooth-l2cap-fix-deadlock-in-l2cap_conn_del.patch
new file mode 100644
index 0000000000..102450cc51
--- /dev/null
+++ b/queue-6.12/bluetooth-l2cap-fix-deadlock-in-l2cap_conn_del.patch
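Review bot: The new free_xdp: label is correct only because it sits directly above free_tx: and falls through into it, and nothing in the code says that ordering is load-bearing; a comment on the label would protect it from a later reorder, e.g. `/* falls through to free_tx: Tx rings were allocated before the XDP rings */`. The `if (xdp_rings)` guard also presumes xdp_rings is NULL-initialised at function entry, which lies above the visible hunks and is worth confirming for this tree since the commit message says the change is compile-tested only. Both earlier error exits, the kcalloc failure in the first hunk and the per-ring setup failure in the second, now land on free_xdp, which matches the two leaks described. ice_set_ringparam() begins and ends outside the hunks.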
@@ -0,0 +1,66 @@
+From 08d75e5c47669d781cadd8083e31bd68a10b3113 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 May 2026 15:44:11 +0800
+Subject: Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()
+
+From: Hyunwoo Kim
+
+[ Upstream commit 00fdebbbc557a2fc21321ff2eaa22fd70c078608 ]
+
+l2cap_conn_del() calls cancel_delayed_work_sync() for both info_timer
+and id_addr_timer while holding conn->lock. However, the work functions
+l2cap_info_timeout() and l2cap_conn_update_id_addr() both acquire
+conn->lock, creating a potential AB-BA deadlock if the work is already
+executing when l2cap_conn_del() takes the lock.
+
+Move the work cancellations before acquiring conn->lock and use
+disable_delayed_work_sync() to additionally prevent the works from
+being rearmed after cancellation, consistent with the pattern used in
+hci_conn_del().
+
+Fixes: ab4eedb790ca ("Bluetooth: L2CAP: Fix corrupted list in hci_chan_del")
+Signed-off-by: Hyunwoo Kim
+Signed-off-by: Luiz Augusto von Dentz
+[ Minor context conflict resolved.
]
+Signed-off-by: Wenshan Lan
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 128f5701efb46..307f7fe975b59 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1756,6 +1756,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
+
+ BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
+
++ disable_delayed_work_sync(&conn->info_timer);
++ disable_delayed_work_sync(&conn->id_addr_timer);
++
+ mutex_lock(&conn->lock);
+
+ kfree_skb(conn->rx_skb);
+@@ -1769,8 +1772,6 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
+ if (work_pending(&conn->pending_rx_work))
+ cancel_work_sync(&conn->pending_rx_work);
+
+- cancel_delayed_work_sync(&conn->id_addr_timer);
+-
+ l2cap_unregister_all_users(conn);
+
+ /* Force the connection to be immediately dropped */
+@@ -1789,9 +1790,6 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
+ l2cap_chan_put(chan);
+ }
+
+- if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
+- cancel_delayed_work_sync(&conn->info_timer);
+-
+ hci_chan_del(conn->hchan);
+ conn->hchan = NULL;
+
+--
+2.53.0
+
diff --git a/queue-6.12/series b/queue-6.12/series
index ad80278e2c..1303b05a39 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -21,3 +21,4 @@ flow_dissector-do-not-dissect-pppoe-pfc-frames.patch
 net-txgbe-fix-rtnl-assertion-warning-when-remove-mod.patch
 net-af_key-zero-aligned-sockaddr-tail-in-pf_key-expo.patch
 kvm-svm-check-validity-of-vmcb-controls-when-returning-from-smm.patch
+bluetooth-l2cap-fix-deadlock-in-l2cap_conn_del.patch
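Review bot: The two disable_delayed_work_sync() calls are placed before mutex_lock(&conn->lock) for a reason the code itself does not state, and a later cleanup could easily move them back inside the critical section and reintroduce the deadlock; a comment above them would pin the ordering: `/* Must run before taking conn->lock: both work functions acquire it */`. The info_timer is now disabled unconditionally instead of only when L2CAP_INFO_FEAT_MASK_REQ_SENT was set, which is safe only if every conn reaching l2cap_conn_del() has had INIT_DELAYED_WORK() run on both timers; that initialisation lies outside the hunks and is worth confirming for this tree given the noted context conflict. Because the second and third hunks only delete code, the first hunk is where the new behaviour lives. l2cap_conn_del() begins before and ends after the visible hunks.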