--- /dev/null
+From b9c310d72783cc2f30d103eed83920a5a29c671a Mon Sep 17 00:00:00 2001
+From: Ali Norouzi <ali.norouzi@keysight.com>
+Date: Thu, 19 Mar 2026 16:47:44 +0100
+Subject: can: gw: fix OOB heap access in cgw_csum_crc8_rel()
+
+From: Ali Norouzi <ali.norouzi@keysight.com>
+
+commit b9c310d72783cc2f30d103eed83920a5a29c671a upstream.
+
+cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():
+
+ int from = calc_idx(crc8->from_idx, cf->len);
+ int to = calc_idx(crc8->to_idx, cf->len);
+ int res = calc_idx(crc8->result_idx, cf->len);
+
+ if (from < 0 || to < 0 || res < 0)
+ return;
+
+However, the loop and the result write then use the raw s8 fields directly
+instead of the computed variables:
+
+ for (i = crc8->from_idx; ...) /* BUG: raw negative index */
+ cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */
+
+With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,
+calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with
+i = -64, reading cf->data[-64], and the write goes to cf->data[-64].
+This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the
+start of the canfd_frame on the heap.
+
+The companion function cgw_csum_xor_rel() uses `from`/`to`/`res`
+correctly throughout; fix cgw_csum_crc8_rel() to match.
+
+Confirmed with KASAN on linux-7.0-rc2:
+ BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0
+ Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62
+
+To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.
+
+Fixes: 456a8a646b25 ("can: gw: add support for CAN FD frames")
+Cc: stable@vger.kernel.org
+Reported-by: Ali Norouzi <ali.norouzi@keysight.com>
+Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Ali Norouzi <ali.norouzi@keysight.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-1-c45d52c6d2d8@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/gw.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/can/gw.c
++++ b/net/can/gw.c
+@@ -374,10 +374,10 @@ static void cgw_csum_crc8_rel(struct can
+ return;
+
+ if (from <= to) {
+- for (i = crc8->from_idx; i <= crc8->to_idx; i++)
++ for (i = from; i <= to; i++)
+ crc = crc8->crctab[crc ^ cf->data[i]];
+ } else {
+- for (i = crc8->from_idx; i >= crc8->to_idx; i--)
++ for (i = from; i >= to; i--)
+ crc = crc8->crctab[crc ^ cf->data[i]];
+ }
+
+@@ -396,7 +396,7 @@ static void cgw_csum_crc8_rel(struct can
+ break;
+ }
+
+- cf->data[crc8->result_idx] = crc ^ crc8->final_xor_val;
++ cf->data[res] = crc ^ crc8->final_xor_val;
+ }
+
+ static void cgw_csum_crc8_pos(struct canfd_frame *cf,
--- /dev/null
+From 6a28fb8cb28b9eb39a392e531d938a889eacafc5 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Fri, 20 Mar 2026 15:08:14 +0530
+Subject: cpufreq: conservative: Reset requested_freq on limits change
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 6a28fb8cb28b9eb39a392e531d938a889eacafc5 upstream.
+
+A recently reported issue highlighted that the cached requested_freq
+is not guaranteed to stay in sync with policy->cur. If the platform
+changes the actual CPU frequency after the governor sets one (e.g.
+due to platform-specific frequency scaling) and a re-sync occurs
+later, policy->cur may diverge from requested_freq.
+
+This can lead to incorrect behavior in the conservative governor.
+For example, the governor may assume the CPU is already running at
+the maximum frequency and skip further increases even though there
+is still headroom.
+
+Avoid this by resetting the cached requested_freq to policy->cur on
+detecting a change in policy limits.
+
+Reported-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Tested-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://lore.kernel.org/all/20260210115458.3493646-1-zhenglifeng1@huawei.com/
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
+Cc: All applicable <stable@vger.kernel.org>
+Link: https://patch.msgid.link/d846a141a98ac0482f20560fcd7525c0f0ec2f30.1773999467.git.viresh.kumar@linaro.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq_conservative.c | 12 ++++++++++++
+ drivers/cpufreq/cpufreq_governor.c | 3 +++
+ drivers/cpufreq/cpufreq_governor.h | 1 +
+ 3 files changed, 16 insertions(+)
+
+--- a/drivers/cpufreq/cpufreq_conservative.c
++++ b/drivers/cpufreq/cpufreq_conservative.c
+@@ -314,6 +314,17 @@ static void cs_start(struct cpufreq_poli
+ dbs_info->requested_freq = policy->cur;
+ }
+
++static void cs_limits(struct cpufreq_policy *policy)
++{
++ struct cs_policy_dbs_info *dbs_info = to_dbs_info(policy->governor_data);
++
++ /*
++ * The limits have changed, so may have the current frequency. Reset
++ * requested_freq to avoid any unintended outcomes due to the mismatch.
++ */
++ dbs_info->requested_freq = policy->cur;
++}
++
+ static struct dbs_governor cs_governor = {
+ .gov = CPUFREQ_DBS_GOVERNOR_INITIALIZER("conservative"),
+ .kobj_type = { .default_groups = cs_groups },
+@@ -323,6 +334,7 @@ static struct dbs_governor cs_governor =
+ .init = cs_init,
+ .exit = cs_exit,
+ .start = cs_start,
++ .limits = cs_limits,
+ };
+
+ #define CPU_FREQ_GOV_CONSERVATIVE (cs_governor.gov)
+--- a/drivers/cpufreq/cpufreq_governor.c
++++ b/drivers/cpufreq/cpufreq_governor.c
+@@ -561,6 +561,7 @@ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_s
+
+ void cpufreq_dbs_governor_limits(struct cpufreq_policy *policy)
+ {
++ struct dbs_governor *gov = dbs_governor_of(policy);
+ struct policy_dbs_info *policy_dbs;
+
+ /* Protect gov->gdbs_data against cpufreq_dbs_governor_exit() */
+@@ -572,6 +573,8 @@ void cpufreq_dbs_governor_limits(struct
+ mutex_lock(&policy_dbs->update_mutex);
+ cpufreq_policy_apply_limits(policy);
+ gov_update_sample_delay(policy_dbs, 0);
++ if (gov->limits)
++ gov->limits(policy);
+ mutex_unlock(&policy_dbs->update_mutex);
+
+ out:
+--- a/drivers/cpufreq/cpufreq_governor.h
++++ b/drivers/cpufreq/cpufreq_governor.h
+@@ -138,6 +138,7 @@ struct dbs_governor {
+ int (*init)(struct dbs_data *dbs_data);
+ void (*exit)(struct dbs_data *dbs_data);
+ void (*start)(struct cpufreq_policy *policy);
++ void (*limits)(struct cpufreq_policy *policy);
+ };
+
+ static inline struct dbs_governor *dbs_governor_of(struct cpufreq_policy *policy)
--- /dev/null
+From 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 Mon Sep 17 00:00:00 2001
+From: Hyunwoo Kim <imv4bel@gmail.com>
+Date: Tue, 17 Mar 2026 08:52:01 +0900
+Subject: ksmbd: do not expire session on binding failure
+
+From: Hyunwoo Kim <imv4bel@gmail.com>
+
+commit 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 upstream.
+
+When a multichannel session binding request fails (e.g. wrong password),
+the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED.
+However, during binding, sess points to the target session looked up via
+ksmbd_session_lookup_slowpath() -- which belongs to another connection's
+user. This allows a remote attacker to invalidate any active session by
+simply sending a binding request with a wrong password (DoS).
+
+Fix this by skipping session expiration when the failed request was
+a binding attempt, since the session does not belong to the current
+connection. The reference taken by ksmbd_session_lookup_slowpath() is
+still correctly released via ksmbd_user_session_put().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1928,8 +1928,14 @@ out_err:
+ if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION)
+ try_delay = true;
+
+- sess->last_active = jiffies;
+- sess->state = SMB2_SESSION_EXPIRED;
++ /*
++ * For binding requests, session belongs to another
++ * connection. Do not expire it.
++ */
++ if (!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
++ sess->last_active = jiffies;
++ sess->state = SMB2_SESSION_EXPIRED;
++ }
+ ksmbd_user_session_put(sess);
+ work->sess = NULL;
+ if (try_delay) {
--- /dev/null
+From 0e55f63dd08f09651d39e1b709a91705a8a0ddcb Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 13 Mar 2026 14:45:58 +0900
+Subject: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 0e55f63dd08f09651d39e1b709a91705a8a0ddcb upstream.
+
+After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"),
+response buffer management was changed to use dynamic iov array.
+In the new design, smb2_calc_max_out_buf_len() expects the second
+argument (hdr2_len) to be the offset of ->Buffer field in the
+response structure, not a hardcoded magic number.
+Fix the remaining call sites to use the correct offsetof() value.
+
+Cc: stable@vger.kernel.org
+Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound")
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -4124,8 +4124,9 @@ int smb2_query_dir(struct ksmbd_work *wo
+ d_info.wptr = (char *)rsp->Buffer;
+ d_info.rptr = (char *)rsp->Buffer;
+ d_info.out_buf_len =
+- smb2_calc_max_out_buf_len(work, 8,
+- le32_to_cpu(req->OutputBufferLength));
++ smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_directory_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
+ if (d_info.out_buf_len < 0) {
+ rc = -EINVAL;
+ goto err_out;
+@@ -4392,8 +4393,9 @@ static int smb2_get_ea(struct ksmbd_work
+ }
+
+ buf_free_len =
+- smb2_calc_max_out_buf_len(work, 8,
+- le32_to_cpu(req->OutputBufferLength));
++ smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
+ if (buf_free_len < 0)
+ return -EINVAL;
+
+@@ -4690,8 +4692,9 @@ static void get_file_stream_info(struct
+ file_info = (struct smb2_file_stream_info *)rsp->Buffer;
+
+ buf_free_len =
+- smb2_calc_max_out_buf_len(work, 8,
+- le32_to_cpu(req->OutputBufferLength));
++ smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_query_info_rsp, Buffer),
++ le32_to_cpu(req->OutputBufferLength));
+ if (buf_free_len < 0)
+ goto out;
+
+@@ -7740,8 +7743,9 @@ int smb2_ioctl(struct ksmbd_work *work)
+ buffer = (char *)req + le32_to_cpu(req->InputOffset);
+
+ cnt_code = le32_to_cpu(req->CtlCode);
+- ret = smb2_calc_max_out_buf_len(work, 48,
+- le32_to_cpu(req->MaxOutputResponse));
++ ret = smb2_calc_max_out_buf_len(work,
++ offsetof(struct smb2_ioctl_rsp, Buffer),
++ le32_to_cpu(req->MaxOutputResponse));
+ if (ret < 0) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ goto out;
--- /dev/null
+From c5c0a268b38adffbb2e70e6957017537ff54c157 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Thu, 26 Mar 2026 14:38:44 +0100
+Subject: s390/barrier: Make array_index_mask_nospec() __always_inline
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit c5c0a268b38adffbb2e70e6957017537ff54c157 upstream.
+
+Mark array_index_mask_nospec() as __always_inline to guarantee the
+mitigation is emitted inline regardless of compiler inlining decisions.
+
+Fixes: e2dd833389cc ("s390: add optimized array_index_mask_nospec")
+Cc: stable@kernel.org
+Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/barrier.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/include/asm/barrier.h
++++ b/arch/s390/include/asm/barrier.h
+@@ -60,8 +60,8 @@ do { \
+ * @size: number of elements in array
+ */
+ #define array_index_mask_nospec array_index_mask_nospec
+-static inline unsigned long array_index_mask_nospec(unsigned long index,
+- unsigned long size)
++static __always_inline unsigned long array_index_mask_nospec(unsigned long index,
++ unsigned long size)
+ {
+ unsigned long mask;
+
--- /dev/null
+From 48b8814e25d073dd84daf990a879a820bad2bcbd Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 24 Mar 2026 17:34:05 +0100
+Subject: s390/syscalls: Add spectre boundary for syscall dispatch table
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 48b8814e25d073dd84daf990a879a820bad2bcbd upstream.
+
+The s390 syscall number is directly controlled by userspace, but does
+not have an array_index_nospec() boundary to prevent access past the
+syscall function pointer tables.
+
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Fixes: 56e62a737028 ("s390: convert to generic entry")
+Cc: stable@kernel.org
+Assisted-by: gkh_clanker_2000
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Link: https://lore.kernel.org/r/2026032404-sterling-swoosh-43e6@gregkh
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/kernel/syscall.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/s390/kernel/syscall.c
++++ b/arch/s390/kernel/syscall.c
+@@ -13,6 +13,7 @@
+ */
+
+ #include <linux/errno.h>
++#include <linux/nospec.h>
+ #include <linux/sched.h>
+ #include <linux/mm.h>
+ #include <linux/fs.h>
+@@ -141,6 +142,7 @@ static void do_syscall(struct pt_regs *r
+ if (likely(nr >= NR_syscalls))
+ goto out;
+ do {
++ nr = array_index_nospec(nr, NR_syscalls);
+ regs->gprs[2] = current->thread.sys_call_table[nr](regs);
+ } while (test_and_clear_pt_regs_flag(regs, PIF_EXECVE_PGSTE_RESTART));
+ out:
asoc-adau1372-fix-unchecked-clk_prepare_enable-retur.patch
asoc-adau1372-fix-clock-leak-on-pll-lock-failure.patch
spi-spi-fsl-lpspi-fix-teardown-order-issue-uaf.patch
+s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch
+s390-barrier-make-array_index_mask_nospec-__always_inline.patch
+ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch
+ksmbd-do-not-expire-session-on-binding-failure.patch
+can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch
+cpufreq-conservative-reset-requested_freq-on-limits-change.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
