From ba3d9442558cf4ff07af06d8cb929e75b732de45 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 10 Jun 2026 07:54:14 -0400 Subject: [PATCH] Fixes for all trees 
Signed-off-by: Sasha Levin --- ...integer-overflow-in-i2c_timeout-ioct.patch | 65 +++++++++++++++++++ queue-5.10/series | 1 + ...integer-overflow-in-i2c_timeout-ioct.patch | 65 +++++++++++++++++++ queue-5.15/series | 1 + ...integer-overflow-in-i2c_timeout-ioct.patch | 65 +++++++++++++++++++ ...d_unlock-to-srcu_read_unlock-in-hand.patch | 48 ++++++++++++++ queue-6.1/series | 2 + ...integer-overflow-in-i2c_timeout-ioct.patch | 65 +++++++++++++++++++ ...d_unlock-to-srcu_read_unlock-in-hand.patch | 48 ++++++++++++++ queue-6.12/series | 2 + ...integer-overflow-in-i2c_timeout-ioct.patch | 65 +++++++++++++++++++ ...he-srcu-lock-for-page-table-walks-in.patch | 61 +++++++++++++++++ queue-6.18/series | 2 + ...integer-overflow-in-i2c_timeout-ioct.patch | 65 +++++++++++++++++++ ...d_unlock-to-srcu_read_unlock-in-hand.patch | 48 ++++++++++++++ queue-6.6/series | 2 + ...integer-overflow-in-i2c_timeout-ioct.patch | 65 +++++++++++++++++++ ...he-srcu-lock-for-page-table-walks-in.patch | 57 ++++++++++++++++ queue-7.0/series | 2 + 19 files changed, 729 insertions(+) create mode 100644 queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch create mode 100644 queue-5.15/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch create mode 100644 queue-6.1/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch create mode 100644 queue-6.1/ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch create mode 100644 queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch create mode 100644 queue-6.12/ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch create mode 100644 queue-6.18/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch create mode 100644 queue-6.18/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch create mode 100644 queue-6.6/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch create mode 100644 queue-6.6/ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch create mode 100644 
queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch create mode 100644 queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch diff --git a/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch new file mode 100644 index 0000000000..a411d4a179 --- /dev/null +++ b/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch 
@@ -0,0 +1,65 @@ +From e19e48d6663d064c2ef53e206b125981164876db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2026 10:57:45 +0800 +Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl + +From: Mingyu Wang <25181214217@stu.xidian.edu.cn> + +[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ] + +While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong +timeout value` warning was observed, accompanied by SMBus controller +state machine corruption. + +The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of +10 ms. The user argument is checked against INT_MAX, but it is +subsequently multiplied by 10 before being passed to msecs_to_jiffies(). + +A malicious user can pass a large value (e.g., 429496729) that passes +the `arg > INT_MAX` check but overflows when multiplied by 10. This +results in a truncated 32-bit unsigned value that bypasses the +internal `(int)m < 0` check in `msecs_to_jiffies()`. + +The truncated value is then assigned to `client->adapter->timeout` +(a signed 32-bit int), which is reinterpreted as a negative number. +When passed to wait_for_completion_timeout(), this negative value +undergoes sign extension to a 64-bit unsigned long, triggering the +`schedule_timeout` warning and causing premature returns. This leaves +the SMBus state machine in an unrecoverable state, constituting a +local Denial of Service (DoS). + +Fix this by bounding the user argument to `INT_MAX / 10`. 
+ +Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> +[wsa: move the comment as well] +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-dev.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c +index f0bd4ae19df67f..25438ba6bdfb72 100644 +--- a/drivers/i2c/i2c-dev.c ++++ b/drivers/i2c/i2c-dev.c +@@ -477,12 +477,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + client->adapter->retries = arg; + break; + case I2C_TIMEOUT: +- if (arg > INT_MAX) ++ /* ++ * For historical reasons, user-space sets the timeout value in ++ * units of 10 ms. ++ */ ++ if (arg > INT_MAX / 10) + return -EINVAL; + +- /* For historical reasons, user-space sets the timeout +- * value in units of 10 ms. +- */ + client->adapter->timeout = msecs_to_jiffies(arg * 10); + break; + default: +-- +2.53.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 0916cf682e..b33a51540e 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -146,3 +146,4 @@ ipv4-restrict-ipopt_ssrr-and-ipopt_lsrr-options.patch ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch sctp-purge-outqueue-on-stale-cookie-echo-handling.patch +i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch diff --git a/queue-5.15/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-5.15/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch new file mode 100644 index 0000000000..e9d0c7f3c2 --- /dev/null +++ b/queue-5.15/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch 
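Review bot: The new bound `if (arg > INT_MAX / 10)` and the `msecs_to_jiffies(arg * 10)` a few lines below are kept consistent only by repeating the literal 10, so a later change to either one silently reopens the overflow this patch closes; a named constant used in both places, e.g. `#define I2C_TIMEOUT_UNIT_MS 10` with `if (arg > INT_MAX / I2C_TIMEOUT_UNIT_MS)` and `msecs_to_jiffies(arg * I2C_TIMEOUT_UNIT_MS)`, makes the check self-evidently matched to the multiplication. The bound also relies on `adapter->timeout` being a signed 32-bit `int` (as the description states) and on `msecs_to_jiffies()` presumably not growing the value past `INT_MAX` for any supported HZ, neither of which the code itself records; the relocated comment could carry `/* INT_MAX / 10 keeps arg * 10 within int, and the jiffies result within adapter->timeout. */`. The enclosing `i2cdev_ioctl()` starts and ends outside the hunk. The same patch is queued unchanged for 5.15, 6.1, 6.6, 6.12, 6.18 and 7.0 below, and this note applies to each copy.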
@@ -0,0 +1,65 @@ +From f14b9824b6fb9b3f6e2a94de10b36ea7fe1a64a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2026 10:57:45 +0800 +Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl + +From: Mingyu Wang <25181214217@stu.xidian.edu.cn> + +[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ] + +While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong +timeout value` warning was observed, accompanied by SMBus controller +state machine corruption. + +The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of +10 ms. The user argument is checked against INT_MAX, but it is +subsequently multiplied by 10 before being passed to msecs_to_jiffies(). + +A malicious user can pass a large value (e.g., 429496729) that passes +the `arg > INT_MAX` check but overflows when multiplied by 10. This +results in a truncated 32-bit unsigned value that bypasses the +internal `(int)m < 0` check in `msecs_to_jiffies()`. + +The truncated value is then assigned to `client->adapter->timeout` +(a signed 32-bit int), which is reinterpreted as a negative number. +When passed to wait_for_completion_timeout(), this negative value +undergoes sign extension to a 64-bit unsigned long, triggering the +`schedule_timeout` warning and causing premature returns. This leaves +the SMBus state machine in an unrecoverable state, constituting a +local Denial of Service (DoS). + +Fix this by bounding the user argument to `INT_MAX / 10`. 
+ +Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> +[wsa: move the comment as well] +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-dev.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c +index 9fefceb3a95d46..e18d14bf94a9be 100644 +--- a/drivers/i2c/i2c-dev.c ++++ b/drivers/i2c/i2c-dev.c +@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + client->adapter->retries = arg; + break; + case I2C_TIMEOUT: +- if (arg > INT_MAX) ++ /* ++ * For historical reasons, user-space sets the timeout value in ++ * units of 10 ms. ++ */ ++ if (arg > INT_MAX / 10) + return -EINVAL; + +- /* For historical reasons, user-space sets the timeout +- * value in units of 10 ms. +- */ + client->adapter->timeout = msecs_to_jiffies(arg * 10); + break; + default: +-- +2.53.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 7ac33f63f3..bda8e4893b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -168,3 +168,4 @@ ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch sctp-purge-outqueue-on-stale-cookie-echo-handling.patch +i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch diff --git a/queue-6.1/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-6.1/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch new file mode 100644 index 0000000000..85258e7b3e --- /dev/null +++ b/queue-6.1/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch 
@@ -0,0 +1,65 @@ +From 2af63b4f342848bc4201b9020bbea401c09cd2da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2026 10:57:45 +0800 +Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl + +From: Mingyu Wang <25181214217@stu.xidian.edu.cn> + +[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ] + +While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong +timeout value` warning was observed, accompanied by SMBus controller +state machine corruption. + +The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of +10 ms. The user argument is checked against INT_MAX, but it is +subsequently multiplied by 10 before being passed to msecs_to_jiffies(). + +A malicious user can pass a large value (e.g., 429496729) that passes +the `arg > INT_MAX` check but overflows when multiplied by 10. This +results in a truncated 32-bit unsigned value that bypasses the +internal `(int)m < 0` check in `msecs_to_jiffies()`. + +The truncated value is then assigned to `client->adapter->timeout` +(a signed 32-bit int), which is reinterpreted as a negative number. +When passed to wait_for_completion_timeout(), this negative value +undergoes sign extension to a 64-bit unsigned long, triggering the +`schedule_timeout` warning and causing premature returns. This leaves +the SMBus state machine in an unrecoverable state, constituting a +local Denial of Service (DoS). + +Fix this by bounding the user argument to `INT_MAX / 10`. 
+ +Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> +[wsa: move the comment as well] +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-dev.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c +index dd35f341b16fd3..d10d8fe29a73b9 100644 +--- a/drivers/i2c/i2c-dev.c ++++ b/drivers/i2c/i2c-dev.c +@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + client->adapter->retries = arg; + break; + case I2C_TIMEOUT: +- if (arg > INT_MAX) ++ /* ++ * For historical reasons, user-space sets the timeout value in ++ * units of 10 ms. ++ */ ++ if (arg > INT_MAX / 10) + return -EINVAL; + +- /* For historical reasons, user-space sets the timeout +- * value in units of 10 ms. +- */ + client->adapter->timeout = msecs_to_jiffies(arg * 10); + break; + default: +-- +2.53.0 + diff --git a/queue-6.1/ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch b/queue-6.1/ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch new file mode 100644 index 0000000000..5dc9d81e96 --- /dev/null +++ b/queue-6.1/ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch 
@@ -0,0 +1,48 @@ +From 6f27b2a72be10e26a186c566bbfd42a574517088 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2026 14:32:35 +0800 +Subject: ipmi: Fix rcu_read_unlock to srcu_read_unlock in + handle_read_event_rsp + +From: Rui Qi + +Fix a bug where rcu_read_unlock() was used instead of srcu_read_unlock() +in handle_read_event_rsp() when ipmi_alloc_recv_msg() fails. + +This mismatch leads to an SRCU read-side critical section imbalance: the +entry uses srcu_read_lock(&intf->users_srcu) but the error path +incorrectly calls rcu_read_unlock(), which is a no-op for SRCU and +leaves the SRCU lock held. + +The offending code was restructured in mainline by commit 3be997d5a64a +("ipmi:msghandler: Remove srcu from the ipmi user structure"), which +replaced the SRCU locking with a mutex in this function, effectively +eliminating the mismatch. However, that commit is part of a larger +SRCU removal series that is not suitable for stable backport. This +minimal fix addresses the SRCU imbalance for 6.12 and earlier stable +branches that still carry the original locking scheme. + +Fixes: e86ee2d44b44 ("ipmi: Rework locking and shutdown for hot remove") +Cc: stable@vger.kernel.org +Signed-off-by: Rui Qi +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_msghandler.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index 8bc8da7f70bb8e..62d39ea9f00836 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -4396,7 +4396,7 @@ static int handle_read_event_rsp(struct ipmi_smi *intf, + + recv_msg = ipmi_alloc_recv_msg(user); + if (IS_ERR(recv_msg)) { +- rcu_read_unlock(); ++ srcu_read_unlock(&intf->users_srcu, index); + list_for_each_entry_safe(recv_msg, recv_msg2, &msgs, + link) { + list_del(&recv_msg->link); +-- +2.53.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 705032ff5d..0e495616de 100644 
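Review bot: The added `srcu_read_unlock(&intf->users_srcu, index);` is only correct if the error path it starts — the `list_for_each_entry_safe()` cleanup and whatever exit it jumps to afterwards — bypasses the function's normal `srcu_read_unlock()`; if that path instead reaches the normal unlock, this change turns a leaked read-side critical section into a double unlock, which is hard to notice without lockdep. Neither the matching `srcu_read_lock()` (assumed to have stored its cookie in `index`) nor the exit label is visible, since `handle_read_event_rsp()` starts and ends outside the hunk, so this should be confirmed against the 6.1.y source and recorded for the next reader, e.g. `/* Drop users_srcu here: the error exit below skips the normal unlock. */` above the new line. The identical one-line patch is queued for 6.6 and 6.12 below and the same check applies to each copy.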
--- a/queue-6.1/series +++ b/queue-6.1/series @@ -222,3 +222,5 @@ ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch sctp-purge-outqueue-on-stale-cookie-echo-handling.patch +i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch +ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch diff --git a/queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch new file mode 100644 index 0000000000..2822b771f7 --- /dev/null +++ b/queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch 
@@ -0,0 +1,65 @@ +From ba552ad18875cc90f6b8a704c8b3539f7634ab30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2026 10:57:45 +0800 +Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl + +From: Mingyu Wang <25181214217@stu.xidian.edu.cn> + +[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ] + +While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong +timeout value` warning was observed, accompanied by SMBus controller +state machine corruption. + +The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of +10 ms. The user argument is checked against INT_MAX, but it is +subsequently multiplied by 10 before being passed to msecs_to_jiffies(). + +A malicious user can pass a large value (e.g., 429496729) that passes +the `arg > INT_MAX` check but overflows when multiplied by 10. This +results in a truncated 32-bit unsigned value that bypasses the +internal `(int)m < 0` check in `msecs_to_jiffies()`. + +The truncated value is then assigned to `client->adapter->timeout` +(a signed 32-bit int), which is reinterpreted as a negative number. +When passed to wait_for_completion_timeout(), this negative value +undergoes sign extension to a 64-bit unsigned long, triggering the +`schedule_timeout` warning and causing premature returns. This leaves +the SMBus state machine in an unrecoverable state, constituting a +local Denial of Service (DoS). + +Fix this by bounding the user argument to `INT_MAX / 10`. 
+ +Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> +[wsa: move the comment as well] +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-dev.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c +index e9577f920286d0..c8715df8b08b1d 100644 +--- a/drivers/i2c/i2c-dev.c ++++ b/drivers/i2c/i2c-dev.c +@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + client->adapter->retries = arg; + break; + case I2C_TIMEOUT: +- if (arg > INT_MAX) ++ /* ++ * For historical reasons, user-space sets the timeout value in ++ * units of 10 ms. ++ */ ++ if (arg > INT_MAX / 10) + return -EINVAL; + +- /* For historical reasons, user-space sets the timeout +- * value in units of 10 ms. +- */ + client->adapter->timeout = msecs_to_jiffies(arg * 10); + break; + default: +-- +2.53.0 + diff --git a/queue-6.12/ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch b/queue-6.12/ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch new file mode 100644 index 0000000000..173b26fdee --- /dev/null +++ b/queue-6.12/ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch 
@@ -0,0 +1,48 @@ +From 259e352599f2a4dfb0f04bc6d1021ffd8d019260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2026 14:32:35 +0800 +Subject: ipmi: Fix rcu_read_unlock to srcu_read_unlock in + handle_read_event_rsp + +From: Rui Qi + +Fix a bug where rcu_read_unlock() was used instead of srcu_read_unlock() +in handle_read_event_rsp() when ipmi_alloc_recv_msg() fails. + +This mismatch leads to an SRCU read-side critical section imbalance: the +entry uses srcu_read_lock(&intf->users_srcu) but the error path +incorrectly calls rcu_read_unlock(), which is a no-op for SRCU and +leaves the SRCU lock held. + +The offending code was restructured in mainline by commit 3be997d5a64a +("ipmi:msghandler: Remove srcu from the ipmi user structure"), which +replaced the SRCU locking with a mutex in this function, effectively +eliminating the mismatch. However, that commit is part of a larger +SRCU removal series that is not suitable for stable backport. This +minimal fix addresses the SRCU imbalance for 6.12 and earlier stable +branches that still carry the original locking scheme. + +Fixes: e86ee2d44b44 ("ipmi: Rework locking and shutdown for hot remove") +Cc: stable@vger.kernel.org +Signed-off-by: Rui Qi +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_msghandler.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index 188722ec0337b3..41ae4dac4eebad 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -4395,7 +4395,7 @@ static int handle_read_event_rsp(struct ipmi_smi *intf, + + recv_msg = ipmi_alloc_recv_msg(user); + if (IS_ERR(recv_msg)) { +- rcu_read_unlock(); ++ srcu_read_unlock(&intf->users_srcu, index); + list_for_each_entry_safe(recv_msg, recv_msg2, &msgs, + link) { + list_del(&recv_msg->link); +-- +2.53.0 + diff --git a/queue-6.12/series b/queue-6.12/series index cc27fc4b65..78ad79e6b0 100644 
--- a/queue-6.12/series +++ b/queue-6.12/series @@ -55,3 +55,5 @@ ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch sctp-purge-outqueue-on-stale-cookie-echo-handling.patch +i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch +ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch diff --git a/queue-6.18/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-6.18/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch new file mode 100644 index 0000000000..0bd6147745 --- /dev/null +++ b/queue-6.18/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch 
@@ -0,0 +1,65 @@ +From ce65f2949f6432822977613ca7101d6a86254f9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2026 10:57:45 +0800 +Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl + +From: Mingyu Wang <25181214217@stu.xidian.edu.cn> + +[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ] + +While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong +timeout value` warning was observed, accompanied by SMBus controller +state machine corruption. + +The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of +10 ms. The user argument is checked against INT_MAX, but it is +subsequently multiplied by 10 before being passed to msecs_to_jiffies(). + +A malicious user can pass a large value (e.g., 429496729) that passes +the `arg > INT_MAX` check but overflows when multiplied by 10. This +results in a truncated 32-bit unsigned value that bypasses the +internal `(int)m < 0` check in `msecs_to_jiffies()`. + +The truncated value is then assigned to `client->adapter->timeout` +(a signed 32-bit int), which is reinterpreted as a negative number. +When passed to wait_for_completion_timeout(), this negative value +undergoes sign extension to a 64-bit unsigned long, triggering the +`schedule_timeout` warning and causing premature returns. This leaves +the SMBus state machine in an unrecoverable state, constituting a +local Denial of Service (DoS). + +Fix this by bounding the user argument to `INT_MAX / 10`. 
+ +Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> +[wsa: move the comment as well] +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-dev.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c +index e9577f920286d0..c8715df8b08b1d 100644 +--- a/drivers/i2c/i2c-dev.c ++++ b/drivers/i2c/i2c-dev.c +@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + client->adapter->retries = arg; + break; + case I2C_TIMEOUT: +- if (arg > INT_MAX) ++ /* ++ * For historical reasons, user-space sets the timeout value in ++ * units of 10 ms. ++ */ ++ if (arg > INT_MAX / 10) + return -EINVAL; + +- /* For historical reasons, user-space sets the timeout +- * value in units of 10 ms. +- */ + client->adapter->timeout = msecs_to_jiffies(arg * 10); + break; + default: +-- +2.53.0 + diff --git a/queue-6.18/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch b/queue-6.18/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch new file mode 100644 index 0000000000..72f42f8a7d --- /dev/null +++ b/queue-6.18/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch 
@@ -0,0 +1,61 @@ +From cac4acb1b336b27232ae740be39eaa1034ecb0dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jun 2026 18:48:08 +0900 +Subject: KVM: arm64: Take the SRCU lock for page table walks in fault + injection and AT emulation + +From: Hyunwoo Kim + +[ Upstream commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 ] + +walk_s1() and kvm_walk_nested_s2() expect to be called while holding +kvm->srcu to guard against memslot changes. While this is generally +the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the +respective walkers without taking kvm->srcu. + +Fix by acquiring kvm->srcu prior to the table walk in both instances. + +Cc: stable@vger.kernel.org +Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection") +Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}") +Suggested-by: Oliver Upton +Signed-off-by: Hyunwoo Kim +Reviewed-by: Oliver Upton +Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel +Signed-off-by: Marc Zyngier +[ Hyunwoo Kim: __kvm_at_s12() still returns void in 6.18.y, so the + surrounding context differs from upstream (return; instead of + return ret;); the added scoped_guard() is unchanged. 
] +Signed-off-by: Hyunwoo Kim +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/at.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/kvm/at.c b/arch/arm64/kvm/at.c +index be26d5aa668c39..e6de6aac6ede20 100644 +--- a/arch/arm64/kvm/at.c ++++ b/arch/arm64/kvm/at.c +@@ -1528,7 +1528,8 @@ void __kvm_at_s12(struct kvm_vcpu *vcpu, u32 op, u64 vaddr) + /* Do the stage-2 translation */ + ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0)); + out.esr = 0; +- ret = kvm_walk_nested_s2(vcpu, ipa, &out); ++ scoped_guard(srcu, &vcpu->kvm->srcu) ++ ret = kvm_walk_nested_s2(vcpu, ipa, &out); + if (ret < 0) + return; + +@@ -1623,7 +1624,8 @@ int __kvm_find_s1_desc_level(struct kvm_vcpu *vcpu, u64 va, u64 ipa, int *level) + } + + /* Walk the guest's PT, looking for a match along the way */ +- ret = walk_s1(vcpu, &wi, &wr, va); ++ scoped_guard(srcu, &vcpu->kvm->srcu) ++ ret = walk_s1(vcpu, &wi, &wr, va); + switch (ret) { + case -EINTR: + /* We interrupted the walk on a match, return the level */ +-- +2.53.0 + diff --git a/queue-6.18/series b/queue-6.18/series index 03e135d424..9b60f10d07 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -62,3 +62,5 @@ ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch sctp-purge-outqueue-on-stale-cookie-echo-handling.patch +i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch +kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch diff --git a/queue-6.6/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-6.6/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch new file mode 100644 index 0000000000..d3e8ecd6cf --- /dev/null +++ b/queue-6.6/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch 
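Review bot: Each `scoped_guard(srcu, &vcpu->kvm->srcu)` covers only the walker call, so the results left in `out` and `wr` are presumably consumed by the code that follows after the SRCU read side has already been released; that is sound only if `kvm_walk_nested_s2()` and `walk_s1()` fill those structures by value rather than leaving references into memslot-backed memory, which the hunk does not show and is worth confirming. Nothing in the code says why the guard exists, so the reason given in the description deserves a one-line comment above each guard, e.g. `/* The walk reads guest page tables through memslots; hold kvm->srcu across it. */`. Both `__kvm_at_s12()` and `__kvm_find_s1_desc_level()` start and end outside the hunk, and the 6.18.y-specific `return;` on a failed walk (noted in the backport remark) means the caller of `__kvm_at_s12()` cannot tell a failed stage-2 walk from a successful one, which is pre-existing but worth keeping in mind when reading the guard's error path.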
@@ -0,0 +1,65 @@ +From a0c0fa10ee209567b685a35881676d4e0fadfa14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2026 10:57:45 +0800 +Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl + +From: Mingyu Wang <25181214217@stu.xidian.edu.cn> + +[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ] + +While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong +timeout value` warning was observed, accompanied by SMBus controller +state machine corruption. + +The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of +10 ms. The user argument is checked against INT_MAX, but it is +subsequently multiplied by 10 before being passed to msecs_to_jiffies(). + +A malicious user can pass a large value (e.g., 429496729) that passes +the `arg > INT_MAX` check but overflows when multiplied by 10. This +results in a truncated 32-bit unsigned value that bypasses the +internal `(int)m < 0` check in `msecs_to_jiffies()`. + +The truncated value is then assigned to `client->adapter->timeout` +(a signed 32-bit int), which is reinterpreted as a negative number. +When passed to wait_for_completion_timeout(), this negative value +undergoes sign extension to a 64-bit unsigned long, triggering the +`schedule_timeout` warning and causing premature returns. This leaves +the SMBus state machine in an unrecoverable state, constituting a +local Denial of Service (DoS). + +Fix this by bounding the user argument to `INT_MAX / 10`. 
+ +Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> +[wsa: move the comment as well] +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-dev.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c +index 7d337380a05d99..2ee07fc675d63a 100644 +--- a/drivers/i2c/i2c-dev.c ++++ b/drivers/i2c/i2c-dev.c +@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + client->adapter->retries = arg; + break; + case I2C_TIMEOUT: +- if (arg > INT_MAX) ++ /* ++ * For historical reasons, user-space sets the timeout value in ++ * units of 10 ms. ++ */ ++ if (arg > INT_MAX / 10) + return -EINVAL; + +- /* For historical reasons, user-space sets the timeout +- * value in units of 10 ms. +- */ + client->adapter->timeout = msecs_to_jiffies(arg * 10); + break; + default: +-- +2.53.0 + diff --git a/queue-6.6/ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch b/queue-6.6/ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch new file mode 100644 index 0000000000..a0c9eb003b --- /dev/null +++ b/queue-6.6/ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch 
@@ -0,0 +1,48 @@ +From d826d5fc282b691d72dc388d49d024f642c01495 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 May 2026 14:32:35 +0800 +Subject: ipmi: Fix rcu_read_unlock to srcu_read_unlock in + handle_read_event_rsp + +From: Rui Qi + +Fix a bug where rcu_read_unlock() was used instead of srcu_read_unlock() +in handle_read_event_rsp() when ipmi_alloc_recv_msg() fails. + +This mismatch leads to an SRCU read-side critical section imbalance: the +entry uses srcu_read_lock(&intf->users_srcu) but the error path +incorrectly calls rcu_read_unlock(), which is a no-op for SRCU and +leaves the SRCU lock held. + +The offending code was restructured in mainline by commit 3be997d5a64a +("ipmi:msghandler: Remove srcu from the ipmi user structure"), which +replaced the SRCU locking with a mutex in this function, effectively +eliminating the mismatch. However, that commit is part of a larger +SRCU removal series that is not suitable for stable backport. This +minimal fix addresses the SRCU imbalance for 6.12 and earlier stable +branches that still carry the original locking scheme. + +Fixes: e86ee2d44b44 ("ipmi: Rework locking and shutdown for hot remove") +Cc: stable@vger.kernel.org +Signed-off-by: Rui Qi +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_msghandler.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index fc5f9d757b948c..37b84bfa623e99 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -4396,7 +4396,7 @@ static int handle_read_event_rsp(struct ipmi_smi *intf, + + recv_msg = ipmi_alloc_recv_msg(user); + if (IS_ERR(recv_msg)) { +- rcu_read_unlock(); ++ srcu_read_unlock(&intf->users_srcu, index); + list_for_each_entry_safe(recv_msg, recv_msg2, &msgs, + link) { + list_del(&recv_msg->link); +-- +2.53.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 8814bbb948..6c90603676 100644 
--- a/queue-6.6/series +++ b/queue-6.6/series @@ -242,3 +242,5 @@ ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch sctp-purge-outqueue-on-stale-cookie-echo-handling.patch +i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch +ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch diff --git a/queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch new file mode 100644 index 0000000000..8f15c2e2c3 --- /dev/null +++ b/queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch 
@@ -0,0 +1,65 @@
+From d4d49d7d68259828c44eb97566b49cfcc45b2d80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 27 Apr 2026 10:57:45 +0800
+Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
+
+While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
+timeout value` warning was observed, accompanied by SMBus controller
+state machine corruption.
+
+The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
+10 ms. The user argument is checked against INT_MAX, but it is
+subsequently multiplied by 10 before being passed to msecs_to_jiffies().
+
+A malicious user can pass a large value (e.g., 429496729) that passes
+the `arg > INT_MAX` check but overflows when multiplied by 10. This
+results in a truncated 32-bit unsigned value that bypasses the
+internal `(int)m < 0` check in `msecs_to_jiffies()`.
+
+The truncated value is then assigned to `client->adapter->timeout`
+(a signed 32-bit int), which is reinterpreted as a negative number.
+When passed to wait_for_completion_timeout(), this negative value
+undergoes sign extension to a 64-bit unsigned long, triggering the
+`schedule_timeout` warning and causing premature returns. This leaves
+the SMBus state machine in an unrecoverable state, constituting a
+local Denial of Service (DoS).
+
+Fix this by bounding the user argument to `INT_MAX / 10`.
+
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+[wsa: move the comment as well]
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/i2c-dev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
+index 7bbe0263411eb7..ccaac5e29f906b 100644
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ client->adapter->retries = arg;
+ break;
+ case I2C_TIMEOUT:
+- if (arg > INT_MAX)
++ /*
++ * For historical reasons, user-space sets the timeout value in
++ * units of 10 ms.
++ */
++ if (arg > INT_MAX / 10)
+ return -EINVAL;
+
+- /* For historical reasons, user-space sets the timeout
+- * value in units of 10 ms.
+- */
+ client->adapter->timeout = msecs_to_jiffies(arg * 10);
+ break;
+ default:
+--
+2.53.0
+
diff --git a/queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch b/queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
new file mode 100644
index 0000000000..1ef9964e44
--- /dev/null
+++ b/queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
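Review bot: The new `if (arg > INT_MAX / 10)` keeps `arg * 10` within the `unsigned int` that `msecs_to_jiffies()` takes, but the value stored into `client->adapter->timeout` (a signed 32-bit `int`, per the description) is still not bounded in jiffies: on a configuration where HZ exceeds 1000, `msecs_to_jiffies(INT_MAX / 10 * 10)` exceeds INT_MAX and the stored timeout is negative again. A HZ-independent version checks the converted value rather than the input, e.g. `if (arg > INT_MAX / 10 || msecs_to_jiffies(arg * 10) > INT_MAX)` followed by `return -EINVAL;`. The description's mechanism is also slightly off: when the low 32 bits of the product have the top bit set, `msecs_to_jiffies()` does take its `(int)m < 0` branch and returns MAX_JIFFY_OFFSET, which on 64-bit does not fit in an `int` either, so a negative timeout is reached by two routes and the new bound closes both (the quoted example 429496729 * 10 = 4294967290 is in fact this second case). `i2cdev_ioctl()` begins and ends outside the hunk.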
@@ -0,0 +1,57 @@
+From 971c15264302a47c87e42cb68fba5033109d2522 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Jun 2026 21:09:33 +0900
+Subject: KVM: arm64: Take the SRCU lock for page table walks in fault
+ injection and AT emulation
+
+From: Hyunwoo Kim
+
+[ Upstream commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 ]
+
+walk_s1() and kvm_walk_nested_s2() expect to be called while holding
+kvm->srcu to guard against memslot changes. While this is generally
+the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
+respective walkers without taking kvm->srcu.
+
+Fix by acquiring kvm->srcu prior to the table walk in both instances.
+
+Cc: stable@vger.kernel.org
+Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection")
+Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
+Suggested-by: Oliver Upton
+Signed-off-by: Hyunwoo Kim
+Reviewed-by: Oliver Upton
+Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
+Signed-off-by: Marc Zyngier
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kvm/at.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kvm/at.c b/arch/arm64/kvm/at.c
+index a024d9a770dc74..1d563070526c4d 100644
+--- a/arch/arm64/kvm/at.c
++++ b/arch/arm64/kvm/at.c
+@@ -1568,7 +1568,8 @@ int __kvm_at_s12(struct kvm_vcpu *vcpu, u32 op, u64 vaddr)
+ /* Do the stage-2 translation */
+ ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0));
+ out.esr = 0;
+- ret = kvm_walk_nested_s2(vcpu, ipa, &out);
++ scoped_guard(srcu, &vcpu->kvm->srcu)
++ ret = kvm_walk_nested_s2(vcpu, ipa, &out);
+ if (ret < 0)
+ return ret;
+
+@@ -1664,7 +1665,8 @@ int __kvm_find_s1_desc_level(struct kvm_vcpu *vcpu, u64 va, u64 ipa, int *level)
+ }
+
+ /* Walk the guest's PT, looking for a match along the way */
+- ret = walk_s1(vcpu, &wi, &wr, va);
++ scoped_guard(srcu, &vcpu->kvm->srcu)
++ ret = walk_s1(vcpu, &wi, &wr, va);
+ switch (ret) {
+ case -EINTR:
+ /* We interrupted the walk on
a match, return the level */
+--
+2.53.0
+
diff --git a/queue-7.0/series b/queue-7.0/series
index 92f100faeb..2b6ce97883 100644
--- a/queue-7.0/series
+++ b/queue-7.0/series
@@ -69,3 +69,5 @@ sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
 fwctl-bnxt_en-move-common-definitions-to-include-lin.patch
 fwctl-bnxt_en-refactor-aux-bus-functions-to-be-more-.patch
 reapply-bnxt_en-bring-back-rtnl_lock-in-the-bnxt_ope.patch
+i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
--
2.47.3
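Review bot: Both `scoped_guard(srcu, &vcpu->kvm->srcu)` statements guard a single unbraced line; the macro expands to a `for` loop so this compiles, but any statement later added under it silently runs outside the SRCU read side, so I would brace both, `scoped_guard(srcu, &vcpu->kvm->srcu) {` / `ret = kvm_walk_nested_s2(vcpu, ipa, &out);` / `}` (and likewise around the `walk_s1()` call). The walk results (`out`, `wr`, `ret`) are consumed after the guard has dropped `kvm->srcu`, which is only safe if the walkers copy descriptor values out rather than leaving a pointer into a memslot; presumably they do, and a short comment would make that contract explicit, e.g. `/* kvm->srcu only covers the memslot lookups inside the walk; the results are plain values. */`. The stage-1 translation that produces `par` earlier in `__kvm_at_s12()` is above this hunk; if it reads guest memory without `kvm->srcu` it needs the same guard. Both functions begin and end outside the hunk.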