--- /dev/null
+From 9c72a5182ed92904d01057f208c390a303f00a0f Mon Sep 17 00:00:00 2001
+From: Guangshuo Li <lgs201920130244@gmail.com>
+Date: Mon, 1 Dec 2025 11:40:58 +0800
+Subject: e1000: fix OOB in e1000_tbi_should_accept()
+
+From: Guangshuo Li <lgs201920130244@gmail.com>
+
+commit 9c72a5182ed92904d01057f208c390a303f00a0f upstream.
+
+In e1000_tbi_should_accept() we read the last byte of the frame via
+'data[length - 1]' to evaluate the TBI workaround. If the descriptor-
+reported length is zero or larger than the actual RX buffer size, this
+read goes out of bounds and can hit unrelated slab objects. The issue
+is observed from the NAPI receive path (e1000_clean_rx_irq):
+
+==================================================================
+BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790
+Read of size 1 at addr ffff888014114e54 by task sshd/363
+
+CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <IRQ>
+ dump_stack_lvl+0x5a/0x74
+ print_address_description+0x7b/0x440
+ print_report+0x101/0x200
+ kasan_report+0xc1/0xf0
+ e1000_tbi_should_accept+0x610/0x790
+ e1000_clean_rx_irq+0xa8c/0x1110
+ e1000_clean+0xde2/0x3c10
+ __napi_poll+0x98/0x380
+ net_rx_action+0x491/0xa20
+ __do_softirq+0x2c9/0x61d
+ do_softirq+0xd1/0x120
+ </IRQ>
+ <TASK>
+ __local_bh_enable_ip+0xfe/0x130
+ ip_finish_output2+0x7d5/0xb00
+ __ip_queue_xmit+0xe24/0x1ab0
+ __tcp_transmit_skb+0x1bcb/0x3340
+ tcp_write_xmit+0x175d/0x6bd0
+ __tcp_push_pending_frames+0x7b/0x280
+ tcp_sendmsg_locked+0x2e4f/0x32d0
+ tcp_sendmsg+0x24/0x40
+ sock_write_iter+0x322/0x430
+ vfs_write+0x56c/0xa60
+ ksys_write+0xd1/0x190
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+RIP: 0033:0x7f511b476b10
+Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24
+RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10
+RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003
+RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00
+R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003
+ </TASK>
+Allocated by task 1:
+ __kasan_krealloc+0x131/0x1c0
+ krealloc+0x90/0xc0
+ add_sysfs_param+0xcb/0x8a0
+ kernel_add_sysfs_param+0x81/0xd4
+ param_sysfs_builtin+0x138/0x1a6
+ param_sysfs_init+0x57/0x5b
+ do_one_initcall+0x104/0x250
+ do_initcall_level+0x102/0x132
+ do_initcalls+0x46/0x74
+ kernel_init_freeable+0x28f/0x393
+ kernel_init+0x14/0x1a0
+ ret_from_fork+0x22/0x30
+The buggy address belongs to the object at ffff888014114000
+ which belongs to the cache kmalloc-2k of size 2048
+The buggy address is located 1620 bytes to the right of
+ 2048-byte region [ffff888014114000, ffff888014114800]
+The buggy address belongs to the physical page:
+page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110
+head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0
+flags: 0x100000000010200(slab|head|node=0|zone=1)
+raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000
+raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+==================================================================
+
+This happens because the TBI check unconditionally dereferences the last
+byte without validating the reported length first:
+
+ u8 last_byte = *(data + length - 1);
+
+Fix by rejecting the frame early if the length is zero, or if it exceeds
+adapter->rx_buffer_len. This preserves the TBI workaround semantics for
+valid frames and prevents touching memory beyond the RX buffer.
+
+Fixes: 2037110c96d5 ("e1000: move tbi workaround code into helper function")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000/e1000_main.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
+@@ -4089,7 +4089,15 @@ static bool e1000_tbi_should_accept(stru
+ u32 length, const u8 *data)
+ {
+ struct e1000_hw *hw = &adapter->hw;
+- u8 last_byte = *(data + length - 1);
++ u8 last_byte;
++
++ /* Guard against OOB on data[length - 1] */
++ if (unlikely(!length))
++ return false;
++ /* Upper bound: length must not exceed rx_buffer_len */
++ if (unlikely(length > adapter->rx_buffer_len))
++ return false;
++ last_byte = *(data + length - 1);
+
+ if (TBI_ACCEPT(hw, status, errors, length, last_byte)) {
+ unsigned long irq_flags;
--- /dev/null
+From 15ef641a0c6728d25a400df73922e80ab2cf029c Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+Date: Thu, 11 Dec 2025 15:37:56 +0800
+Subject: fjes: Add missing iounmap in fjes_hw_init()
+
+From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+
+commit 15ef641a0c6728d25a400df73922e80ab2cf029c upstream.
+
+In error paths, add fjes_hw_iounmap() to release the
+resource acquired by fjes_hw_iomap(). Add a goto label
+to do so.
+
+Fixes: 8cdc3f6c5d22 ("fjes: Hardware initialization routine")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
+Signed-off-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251211073756.101824-1-lihaoxiang@isrc.iscas.ac.cn
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/fjes/fjes_hw.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/fjes/fjes_hw.c
++++ b/drivers/net/fjes/fjes_hw.c
+@@ -333,7 +333,7 @@ int fjes_hw_init(struct fjes_hw *hw)
+
+ ret = fjes_hw_reset(hw);
+ if (ret)
+- return ret;
++ goto err_iounmap;
+
+ fjes_hw_set_irqmask(hw, REG_ICTL_MASK_ALL, true);
+
+@@ -346,8 +346,10 @@ int fjes_hw_init(struct fjes_hw *hw)
+ hw->max_epid = fjes_hw_get_max_epid(hw);
+ hw->my_epid = fjes_hw_get_my_epid(hw);
+
+- if ((hw->max_epid == 0) || (hw->my_epid >= hw->max_epid))
+- return -ENXIO;
++ if ((hw->max_epid == 0) || (hw->my_epid >= hw->max_epid)) {
++ ret = -ENXIO;
++ goto err_iounmap;
++ }
+
+ ret = fjes_hw_setup(hw);
+
+@@ -355,6 +357,10 @@ int fjes_hw_init(struct fjes_hw *hw)
+ hw->hw_info.trace_size = FJES_DEBUG_BUFFER_SIZE;
+
+ return ret;
++
++err_iounmap:
++ fjes_hw_iounmap(hw);
++ return ret;
+ }
+
+ void fjes_hw_exit(struct fjes_hw *hw)
--- /dev/null
+From c6e8e595a0798ad67da0f7bebaf69c31ef70dfff Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Fri, 28 Nov 2025 16:18:32 +0000
+Subject: idr: fix idr_alloc() returning an ID out of range
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit c6e8e595a0798ad67da0f7bebaf69c31ef70dfff upstream.
+
+If you use an IDR with a non-zero base, and specify a range that lies
+entirely below the base, 'max - base' becomes very large and
+idr_get_free() can return an ID that lies outside of the requested range.
+
+Link: https://lkml.kernel.org/r/20251128161853.3200058-1-willy@infradead.org
+Fixes: 6ce711f27500 ("idr: Make 1-based IDRs more efficient")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reported-by: Jan Sokolowski <jan.sokolowski@intel.com>
+Reported-by: Koen Koning <koen.koning@intel.com>
+Reported-by: Peter Senna Tschudin <peter.senna@linux.intel.com>
+Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6449
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/idr.c | 2 ++
+ tools/testing/radix-tree/idr-test.c | 21 +++++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+--- a/lib/idr.c
++++ b/lib/idr.c
+@@ -40,6 +40,8 @@ int idr_alloc_u32(struct idr *idr, void
+
+ if (WARN_ON_ONCE(!(idr->idr_rt.xa_flags & ROOT_IS_IDR)))
+ idr->idr_rt.xa_flags |= IDR_RT_MARKER;
++ if (max < base)
++ return -ENOSPC;
+
+ id = (id < base) ? 0 : id - base;
+ radix_tree_iter_init(&iter, id);
+--- a/tools/testing/radix-tree/idr-test.c
++++ b/tools/testing/radix-tree/idr-test.c
+@@ -57,6 +57,26 @@ void idr_alloc_test(void)
+ idr_destroy(&idr);
+ }
+
++void idr_alloc2_test(void)
++{
++ int id;
++ struct idr idr = IDR_INIT_BASE(idr, 1);
++
++ id = idr_alloc(&idr, idr_alloc2_test, 0, 1, GFP_KERNEL);
++ assert(id == -ENOSPC);
++
++ id = idr_alloc(&idr, idr_alloc2_test, 1, 2, GFP_KERNEL);
++ assert(id == 1);
++
++ id = idr_alloc(&idr, idr_alloc2_test, 0, 1, GFP_KERNEL);
++ assert(id == -ENOSPC);
++
++ id = idr_alloc(&idr, idr_alloc2_test, 0, 2, GFP_KERNEL);
++ assert(id == -ENOSPC);
++
++ idr_destroy(&idr);
++}
++
+ void idr_replace_test(void)
+ {
+ DEFINE_IDR(idr);
+@@ -409,6 +429,7 @@ void idr_checks(void)
+
+ idr_replace_test();
+ idr_alloc_test();
++ idr_alloc2_test();
+ idr_null_test();
+ idr_nowait_test();
+ idr_get_next_test(0);
--- /dev/null
+From 57f3cb6c84159d12ba343574df2115fb18dd83ca Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Fri, 28 Nov 2025 20:53:21 -0400
+Subject: RDMA/cm: Fix leaking the multicast GID table reference
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 57f3cb6c84159d12ba343574df2115fb18dd83ca upstream.
+
+If the CM ID is destroyed while the CM event for multicast creating is
+still queued the cancel_work_sync() will prevent the work from running
+which also prevents destroying the ah_attr. This leaks a refcount and
+triggers a WARN:
+
+ GID entry ref leak for dev syz1 index 2 ref=573
+ WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]
+ WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886
+
+Destroy the ah_attr after canceling the work, it is safe to call this
+twice.
+
+Link: https://patch.msgid.link/r/0-v1-4285d070a6b2+20a-rdma_mc_gid_leak_syz_jgg@nvidia.com
+Cc: stable@vger.kernel.org
+Fixes: fe454dc31e84 ("RDMA/ucma: Fix use-after-free bug in ucma_create_uevent")
+Reported-by: syzbot+b0da83a6c0e2e2bddbd4@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68232e7b.050a0220.f2294.09f6.GAE@google.com
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/cma.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -1836,6 +1836,7 @@ static void destroy_mc(struct rdma_id_pr
+ ib_sa_free_multicast(mc->sa_mc);
+
+ if (rdma_protocol_roce(id_priv->id.device, id_priv->id.port_num)) {
++ struct rdma_cm_event *event = &mc->iboe_join.event;
+ struct rdma_dev_addr *dev_addr =
+ &id_priv->id.route.addr.dev_addr;
+ struct net_device *ndev = NULL;
+@@ -1858,6 +1859,8 @@ static void destroy_mc(struct rdma_id_pr
+ dev_put(ndev);
+
+ cancel_work_sync(&mc->iboe_join.work);
++ if (event->event == RDMA_CM_EVENT_MULTICAST_JOIN)
++ rdma_destroy_ah_attr(&event->param.ud.ah_attr);
+ }
+ kfree(mc);
+ }
--- /dev/null
+From a7b8e876e0ef0232b8076972c57ce9a7286b47ca Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Fri, 28 Nov 2025 13:37:28 -0400
+Subject: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit a7b8e876e0ef0232b8076972c57ce9a7286b47ca upstream.
+
+The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a
+LS_NLA_TYPE_DGID attribute, it is invalid if it does not.
+
+Use the nl parsing logic properly and call nla_parse_deprecated() to fill
+the nlattrs array and then directly index that array to get the data for
+the DGID. Just fail if it is NULL.
+
+Remove the for loop searching for the nla, and squash the validation and
+parsing into one function.
+
+Fixes an uninitialized read from the stack triggered by userspace if it
+does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE
+query.
+
+ BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]
+ BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
+ hex_byte_pack include/linux/hex.h:13 [inline]
+ ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
+ ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509
+ ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633
+ pointer+0xc09/0x1bd0 lib/vsprintf.c:2542
+ vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930
+ vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279
+ vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426
+ vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465
+ vprintk+0x36/0x50 kernel/printk/printk_safe.c:82
+ _printk+0x17e/0x1b0 kernel/printk/printk.c:2475
+ ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]
+ ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141
+ rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
+ rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
+ rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259
+ netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
+ netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
+ netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:714 [inline]
+ __sock_sendmsg+0x333/0x3d0 net/socket.c:729
+ ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617
+ ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671
+ __sys_sendmsg+0x1aa/0x300 net/socket.c:2703
+ __compat_sys_sendmsg net/compat.c:346 [inline]
+ __do_compat_sys_sendmsg net/compat.c:353 [inline]
+ __se_compat_sys_sendmsg net/compat.c:350 [inline]
+ __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350
+ ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371
+ do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
+ __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306
+ do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
+ do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3
+
+Link: https://patch.msgid.link/r/0-v1-3fbaef094271+2cf-rdma_op_ip_rslv_syz_jgg@nvidia.com
+Cc: stable@vger.kernel.org
+Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
+Reported-by: syzbot+938fcd548c303fe33c1a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/68dc3dac.a00a0220.102ee.004f.GAE@google.com
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/addr.c | 33 ++++++++++-----------------------
+ 1 file changed, 10 insertions(+), 23 deletions(-)
+
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -81,37 +81,25 @@ static const struct nla_policy ib_nl_add
+ .min = sizeof(struct rdma_nla_ls_gid)},
+ };
+
+-static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh)
++static void ib_nl_process_ip_rsep(const struct nlmsghdr *nlh)
+ {
+ struct nlattr *tb[LS_NLA_TYPE_MAX] = {};
++ union ib_gid gid;
++ struct addr_req *req;
++ int found = 0;
+ int ret;
+
+ if (nlh->nlmsg_flags & RDMA_NL_LS_F_ERR)
+- return false;
++ return;
+
+ ret = nla_parse_deprecated(tb, LS_NLA_TYPE_MAX - 1, nlmsg_data(nlh),
+ nlmsg_len(nlh), ib_nl_addr_policy, NULL);
+ if (ret)
+- return false;
+-
+- return true;
+-}
+-
+-static void ib_nl_process_good_ip_rsep(const struct nlmsghdr *nlh)
+-{
+- const struct nlattr *head, *curr;
+- union ib_gid gid;
+- struct addr_req *req;
+- int len, rem;
+- int found = 0;
+-
+- head = (const struct nlattr *)nlmsg_data(nlh);
+- len = nlmsg_len(nlh);
++ return;
+
+- nla_for_each_attr(curr, head, len, rem) {
+- if (curr->nla_type == LS_NLA_TYPE_DGID)
+- memcpy(&gid, nla_data(curr), nla_len(curr));
+- }
++ if (!tb[LS_NLA_TYPE_DGID])
++ return;
++ memcpy(&gid, nla_data(tb[LS_NLA_TYPE_DGID]), sizeof(gid));
+
+ spin_lock_bh(&lock);
+ list_for_each_entry(req, &req_list, list) {
+@@ -138,8 +126,7 @@ int ib_nl_handle_ip_res_resp(struct sk_b
+ !(NETLINK_CB(skb).sk))
+ return -EPERM;
+
+- if (ib_nl_is_good_ip_resp(nlh))
+- ib_nl_process_good_ip_rsep(nlh);
++ ib_nl_process_ip_rsep(nlh);
+
+ return 0;
+ }
media-tda1997x-remove-redundant-cancel_delayed_work-in-probe.patch
media-i2c-adv7604-remove-redundant-cancel_delayed_work-in-probe.patch
media-i2c-adv7842-remove-redundant-cancel_delayed_work-in-probe.patch
+idr-fix-idr_alloc-returning-an-id-out-of-range.patch
+rdma-core-check-for-the-presence-of-ls_nla_type_dgid-correctly.patch
+rdma-cm-fix-leaking-the-multicast-gid-table-reference.patch
+e1000-fix-oob-in-e1000_tbi_should_accept.patch
+fjes-add-missing-iounmap-in-fjes_hw_init.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
