]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 2 Jul 2026 13:59:50 +0000 (15:59 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 2 Jul 2026 13:59:50 +0000 (15:59 +0200)
added patches:
fbdev-fix-fb_new_modelist-to-prevent-null-ptr-deref-in-fb_videomode_to_var.patch
fbdev-modedb-fix-misaligned-fields-in-the-1920x1080-60-mode.patch
fpga-region-fix-use-after-free-in-child_regions_with_firmware.patch
hdlc_ppp-sync-per-proto-timers-before-freeing-hdlc-state.patch
irqchip-imgpdc-fix-resource-leak-add-missing-chained-handler-cleanup-on-remove.patch
kvm-svm-fix-page-overflow-in-sev_dbg_crypt-for-encrypt-path.patch
nfsd-check-get_user-return-when-reading-princhashlen.patch
nfsd-fix-posix_acl-leak-on-setacl-decode-failure.patch
nfsd-fix-secinfo_no_name-decode-error-cleanup.patch
ocfs2-reject-oversized-group-bitmap-descriptors.patch
pnfs-fix-use-after-free-in-pnfs_update_layout.patch
tipc-fix-slab-use-after-free-read-in-tipc_aead_decrypt_done.patch

13 files changed:
queue-5.10/fbdev-fix-fb_new_modelist-to-prevent-null-ptr-deref-in-fb_videomode_to_var.patch [new file with mode: 0644]
queue-5.10/fbdev-modedb-fix-misaligned-fields-in-the-1920x1080-60-mode.patch [new file with mode: 0644]
queue-5.10/fpga-region-fix-use-after-free-in-child_regions_with_firmware.patch [new file with mode: 0644]
queue-5.10/hdlc_ppp-sync-per-proto-timers-before-freeing-hdlc-state.patch [new file with mode: 0644]
queue-5.10/irqchip-imgpdc-fix-resource-leak-add-missing-chained-handler-cleanup-on-remove.patch [new file with mode: 0644]
queue-5.10/kvm-svm-fix-page-overflow-in-sev_dbg_crypt-for-encrypt-path.patch [new file with mode: 0644]
queue-5.10/nfsd-check-get_user-return-when-reading-princhashlen.patch [new file with mode: 0644]
queue-5.10/nfsd-fix-posix_acl-leak-on-setacl-decode-failure.patch [new file with mode: 0644]
queue-5.10/nfsd-fix-secinfo_no_name-decode-error-cleanup.patch [new file with mode: 0644]
queue-5.10/ocfs2-reject-oversized-group-bitmap-descriptors.patch [new file with mode: 0644]
queue-5.10/pnfs-fix-use-after-free-in-pnfs_update_layout.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/tipc-fix-slab-use-after-free-read-in-tipc_aead_decrypt_done.patch [new file with mode: 0644]

diff --git a/queue-5.10/fbdev-fix-fb_new_modelist-to-prevent-null-ptr-deref-in-fb_videomode_to_var.patch b/queue-5.10/fbdev-fix-fb_new_modelist-to-prevent-null-ptr-deref-in-fb_videomode_to_var.patch
new file mode 100644 (file)
index 0000000..a84cd68
--- /dev/null
@@ -0,0 +1,59 @@
+From 7f08fc10fa3d3366dc3af723970bd03d7d6d10e3 Mon Sep 17 00:00:00 2001
+From: Ian Bridges <icb@fastmail.org>
+Date: Wed, 24 Jun 2026 23:13:12 -0500
+Subject: fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var
+
+From: Ian Bridges <icb@fastmail.org>
+
+commit 7f08fc10fa3d3366dc3af723970bd03d7d6d10e3 upstream.
+
+info->var, a framebuffer's current mode, is expected to have a matching
+entry in info->modelist. var_to_display() relies on this and treats a
+failed fb_match_mode() as "This should not happen". fb_set_var() keeps it
+true by adding the mode to the list on every change, and
+do_register_framebuffer() does the same at registration.
+
+store_modes() replaces the modelist from userspace. fb_new_modelist()
+validates the new modes but does not check that info->var still has a
+match. It relies on fbcon_new_modelist() to re-point consoles, but that
+only handles consoles mapped to the framebuffer. With fbcon unbound there
+are none, so info->var is left describing a mode that is no longer in the
+list.
+
+A later console takeover runs var_to_display(), where fb_match_mode()
+returns NULL and leaves fb_display[i].mode NULL. fbcon_switch() passes it
+to display_to_var(), and fb_videomode_to_var() dereferences the NULL mode.
+
+Keep the current mode in the list in fb_new_modelist(), the same way
+fb_set_var() does.
+
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-8
+Signed-off-by: Ian Bridges <icb@fastmail.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/fbmem.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -1989,6 +1989,18 @@ int fb_new_modelist(struct fb_info *info
+       if (list_empty(&info->modelist))
+               return 1;
++      /*
++       * The new modelist may not contain the current mode (info->var), and
++       * fbcon_new_modelist() below only re-points consoles mapped to this
++       * framebuffer. Add the current mode here so info->var keeps a match
++       * even when fbcon is unbound.
++       */
++      if (!fb_match_mode(&info->var, &info->modelist)) {
++              fb_var_to_videomode(&mode, &info->var);
++              if (fb_add_videomode(&mode, &info->modelist))
++                      return 1;
++      }
++
+       fbcon_new_modelist(info);
+       return 0;
diff --git a/queue-5.10/fbdev-modedb-fix-misaligned-fields-in-the-1920x1080-60-mode.patch b/queue-5.10/fbdev-modedb-fix-misaligned-fields-in-the-1920x1080-60-mode.patch
new file mode 100644 (file)
index 0000000..5001d9a
--- /dev/null
@@ -0,0 +1,46 @@
+From d894c48a57d78206e4df9c90d4acfaf39394806a Mon Sep 17 00:00:00 2001
+From: Steffen Persvold <spersvold@gmail.com>
+Date: Fri, 12 Jun 2026 18:40:41 +0200
+Subject: fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode
+
+From: Steffen Persvold <spersvold@gmail.com>
+
+commit d894c48a57d78206e4df9c90d4acfaf39394806a upstream.
+
+The 1920x1080@60 modedb entry has one too many initializers before
+its sync field: a stray "0" occupies the sync slot, which shifts the
+remaining values by one field. The entry therefore decodes as
+sync = 0, vmode = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT (0x3,
+i.e. FB_VMODE_INTERLACED | FB_VMODE_DOUBLE), and flag =
+FB_VMODE_NONINTERLACED, instead of the intended sync = positive H/V,
+vmode = non-interlaced.
+
+fb_find_mode() then returns a 1920x1080 mode flagged as interlaced +
+doublescan with active-low syncs. Drivers that honour var->vmode and
+var->sync when programming display timing enable doublescan and the
+wrong sync polarity, corrupting the output.
+
+Drop the stray initializer so sync and vmode hold their intended
+values (positive H/V sync, non-interlaced), matching the adjacent
+1920x1200 entry.
+
+Fixes: c8902258b2b8 ("fbdev: modedb: Add 1920x1080 at 60 Hz video mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Steffen Persvold <spersvold@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/modedb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/core/modedb.c
++++ b/drivers/video/fbdev/core/modedb.c
+@@ -258,7 +258,7 @@ static const struct fb_videomode modedb[
+               FB_VMODE_DOUBLE },
+       /* 1920x1080 @ 60 Hz, 67.3 kHz hsync */
+-      { NULL, 60, 1920, 1080, 6734, 148, 88, 36, 4, 44, 5, 0,
++      { NULL, 60, 1920, 1080, 6734, 148, 88, 36, 4, 44, 5,
+               FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
+               FB_VMODE_NONINTERLACED },
diff --git a/queue-5.10/fpga-region-fix-use-after-free-in-child_regions_with_firmware.patch b/queue-5.10/fpga-region-fix-use-after-free-in-child_regions_with_firmware.patch
new file mode 100644 (file)
index 0000000..92e2d44
--- /dev/null
@@ -0,0 +1,39 @@
+From 54f3c5643ec523a04b6ec0e7c19eb10f5ebebdd3 Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Wed, 8 Apr 2026 15:45:34 +0000
+Subject: fpga: region: fix use-after-free in child_regions_with_firmware()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit 54f3c5643ec523a04b6ec0e7c19eb10f5ebebdd3 upstream.
+
+Move of_node_put(child_region) after the error print to avoid accessing
+freed memory when pr_err() references child_region.
+
+Fixes: 0fa20cdfcc1f ("fpga: fpga-region: device tree control for FPGA")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+[ Yilun: Fix the Fixes tag ]
+Reviewed-by: Xu Yilun <yilun.xu@intel.com>
+Link: https://lore.kernel.org/r/20260408154534.404327-1-vulab@iscas.ac.cn
+Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/fpga/of-fpga-region.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/fpga/of-fpga-region.c
++++ b/drivers/fpga/of-fpga-region.c
+@@ -166,11 +166,10 @@ static int child_regions_with_firmware(s
+                                                    fpga_region_of_match);
+       }
+-      of_node_put(child_region);
+-
+       if (ret)
+               pr_err("firmware-name not allowed in child FPGA region: %pOF",
+                      child_region);
++      of_node_put(child_region);
+       return ret;
+ }
diff --git a/queue-5.10/hdlc_ppp-sync-per-proto-timers-before-freeing-hdlc-state.patch b/queue-5.10/hdlc_ppp-sync-per-proto-timers-before-freeing-hdlc-state.patch
new file mode 100644 (file)
index 0000000..d5e3146
--- /dev/null
@@ -0,0 +1,109 @@
+From c78a4e41ab5ead6193ad8a2dd92e8906bae659fa Mon Sep 17 00:00:00 2001
+From: Fan Wu <fanwu01@zju.edu.cn>
+Date: Wed, 17 Jun 2026 02:05:18 +0000
+Subject: hdlc_ppp: sync per-proto timers before freeing hdlc state
+
+From: Fan Wu <fanwu01@zju.edu.cn>
+
+commit c78a4e41ab5ead6193ad8a2dd92e8906bae659fa upstream.
+
+Each PPP control protocol (LCP/IPCP/IPV6CP) embedded in struct ppp
+registers a timer via timer_setup(). That struct ppp is the
+hdlc->state allocation, which detach_hdlc_protocol() frees with kfree()
+in both teardown paths: unregister_hdlc_device() and the re-attach inside
+attach_hdlc_protocol().
+
+The ppp proto never registered a .detach callback, so
+detach_hdlc_protocol() performs no timer synchronization before the
+kfree(). The only cancel, timer_delete(&proto->timer) in ppp_cp_event(),
+is partial (it does not wait for a running callback) and only runs on the
+->CLOSED transition; ppp_stop()/ppp_close() do not sync either. A
+ppp_timer callback already executing (blocked on ppp->lock) survives the
+kfree and then dereferences proto->state / ppp->lock in freed memory,
+leading to a use-after-free.
+
+Fix this by adding a .detach helper that calls timer_shutdown_sync() on
+every per-proto timer. detach_hdlc_protocol() invokes proto->detach(dev)
+before kfree(hdlc->state), so timer_shutdown_sync()
+now runs on both free paths.
+timer_shutdown_sync() is used instead of timer_delete_sync() because the
+keepalive path re-arms the timer through add_timer()/mod_timer() and
+shutdown blocks any re-activation during teardown.
+
+Initialize the per-protocol timers in ppp_ioctl() when the protocol is
+attached, and remove the now-redundant timer_setup() from ppp_start(), so
+that the timers are initialized exactly once at attach time and
+ppp_timer_release() never operates on uninitialized timer_list
+structures. attach_hdlc_protocol() uses kmalloc() (not kzalloc), so
+struct ppp's protos[i].timer is uninitialized garbage until the first
+timer_setup(); without this init-at-attach, attaching the PPP protocol
+without ever bringing the device up would leave timer_shutdown_sync()
+operating on uninitialized memory in .detach. Moving the init out of
+ppp_start() (which only runs on NETDEV_UP) into the attach path makes the
+initialization unconditional and avoids initializing the same timer_list
+twice.
+
+This bug was found by static analysis.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
+Link: https://patch.msgid.link/20260617020518.116319-1-fanwu01@zju.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wan/hdlc_ppp.c |   15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wan/hdlc_ppp.c
++++ b/drivers/net/wan/hdlc_ppp.c
+@@ -624,7 +624,6 @@ static void ppp_start(struct net_device
+       for (i = 0; i < IDX_COUNT; i++) {
+               struct proto *proto = &ppp->protos[i];
+               proto->dev = dev;
+-              timer_setup(&proto->timer, ppp_timer, 0);
+               proto->state = CLOSED;
+       }
+       ppp->protos[IDX_LCP].pid = PID_LCP;
+@@ -644,6 +643,15 @@ static void ppp_close(struct net_device
+       ppp_tx_flush();
+ }
++static void ppp_timer_release(struct net_device *dev)
++{
++      struct ppp *ppp = get_ppp(dev);
++      int i;
++
++      for (i = 0; i < IDX_COUNT; i++)
++              timer_shutdown_sync(&ppp->protos[i].timer);
++}
++
+ static struct hdlc_proto proto = {
+       .start          = ppp_start,
+       .stop           = ppp_stop,
+@@ -652,6 +660,7 @@ static struct hdlc_proto proto = {
+       .ioctl          = ppp_ioctl,
+       .netif_rx       = ppp_rx,
+       .module         = THIS_MODULE,
++      .detach         = ppp_timer_release,
+ };
+ static const struct header_ops ppp_header_ops = {
+@@ -662,7 +671,7 @@ static int ppp_ioctl(struct net_device *
+ {
+       hdlc_device *hdlc = dev_to_hdlc(dev);
+       struct ppp *ppp;
+-      int result;
++      int i, result;
+       switch (ifr->ifr_settings.type) {
+       case IF_GET_PROTO:
+@@ -689,6 +698,8 @@ static int ppp_ioctl(struct net_device *
+                       return result;
+               ppp = get_ppp(dev);
++              for (i = 0; i < IDX_COUNT; i++)
++                      timer_setup(&ppp->protos[i].timer, ppp_timer, 0);
+               spin_lock_init(&ppp->lock);
+               ppp->req_timeout = 2;
+               ppp->cr_retries = 10;
diff --git a/queue-5.10/irqchip-imgpdc-fix-resource-leak-add-missing-chained-handler-cleanup-on-remove.patch b/queue-5.10/irqchip-imgpdc-fix-resource-leak-add-missing-chained-handler-cleanup-on-remove.patch
new file mode 100644 (file)
index 0000000..6d53167
--- /dev/null
@@ -0,0 +1,64 @@
+From 37738fdf2ab1e504d1c63ce5bc0aeb6452d8f057 Mon Sep 17 00:00:00 2001
+From: Qingshuang Fu <fuqingshuang@kylinos.cn>
+Date: Thu, 18 Jun 2026 10:13:52 +0800
+Subject: irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove
+
+From: Qingshuang Fu <fuqingshuang@kylinos.cn>
+
+commit 37738fdf2ab1e504d1c63ce5bc0aeb6452d8f057 upstream.
+
+The driver allocates domain generic chips using
+irq_alloc_domain_generic_chips() during probe and sets up chained
+handlers using irq_set_chained_handler_and_data(). However, on driver
+removal, the generic chips are not freed and the chained handlers are
+not removed.
+
+The generic chips remain on the global gc_list and may later be accessed by
+generic interrupt chip suspend, resume, or shutdown callbacks after the
+driver has been removed, potentially resulting in a use-after-free and
+kernel crash.
+
+The chained handlers that were installed in probe for peripheral and
+syswake interrupts are also left dangling, which can lead to spurious
+interrupts accessing freed memory.
+
+Fix these issues by:
+
+  - Setting IRQ_DOMAIN_FLAG_DESTROY_GC flag in domain->flags, so the
+    core code automatically removes generic chips when irq_domain_remove()
+    is called
+
+  - Clearing all chained handlers with NULL in pdc_intc_remove()
+
+Fixes: b6ef9161e43a ("irq-imgpdc: add ImgTec PDC irqchip driver")
+Signed-off-by: Qingshuang Fu <fuqingshuang@kylinos.cn>
+Signed-off-by: Thomas Gleixner <tglx@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260618021352.661773-1-fffsqian@163.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-imgpdc.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/irqchip/irq-imgpdc.c
++++ b/drivers/irqchip/irq-imgpdc.c
+@@ -385,6 +385,7 @@ static int pdc_intc_probe(struct platfor
+               dev_err(&pdev->dev, "cannot add IRQ domain\n");
+               return -ENOMEM;
+       }
++      priv->domain->flags |= IRQ_DOMAIN_FLAG_DESTROY_GC;
+       /*
+        * Set up 2 generic irq chips with 2 chip types.
+@@ -472,6 +473,11 @@ static int pdc_intc_remove(struct platfo
+ {
+       struct pdc_intc_priv *priv = platform_get_drvdata(pdev);
++      for (unsigned int i = 0; i < priv->nr_perips; ++i)
++              irq_set_chained_handler_and_data(priv->perip_irqs[i], NULL, NULL);
++
++      irq_set_chained_handler_and_data(priv->syswake_irq, NULL, NULL);
++
+       irq_domain_remove(priv->domain);
+       return 0;
+ }
diff --git a/queue-5.10/kvm-svm-fix-page-overflow-in-sev_dbg_crypt-for-encrypt-path.patch b/queue-5.10/kvm-svm-fix-page-overflow-in-sev_dbg_crypt-for-encrypt-path.patch
new file mode 100644 (file)
index 0000000..60158b5
--- /dev/null
@@ -0,0 +1,93 @@
+From 78ee2d50185a037b3d2452a97f3dad69c3f7f389 Mon Sep 17 00:00:00 2001
+From: Ashutosh Desai <ashutoshdesai993@gmail.com>
+Date: Fri, 1 May 2026 13:35:32 -0700
+Subject: KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path
+
+From: Ashutosh Desai <ashutoshdesai993@gmail.com>
+
+commit 78ee2d50185a037b3d2452a97f3dad69c3f7f389 upstream.
+
+In sev_dbg_crypt(), the per-iteration transfer length is bounded by
+the source page offset (PAGE_SIZE - s_off) but not by the destination
+page offset (PAGE_SIZE - d_off).  When d_off > s_off, the encrypt
+path (__sev_dbg_encrypt_user) performs a read-modify-write using a
+single-page intermediate buffer (dst_tpage):
+
+  1. __sev_dbg_decrypt() expands the size to round_up(len + (d_off & 15), 16)
+     before issuing the PSP command.  If len + (d_off & 15) > PAGE_SIZE,
+     the PSP writes beyond the end of the 4096-byte dst_tpage allocation.
+
+  2. The subsequent memcpy()/copy_from_user() into
+     page_address(dst_tpage) + (d_off & 15) of 'len' bytes overflows
+     by up to 15 bytes under the same condition.
+
+Trigger example: s_off = 0, d_off = 1, debug.len = PAGE_SIZE -
+the PSP is instructed to write round_up(4097, 16) = 4112 bytes to
+a 4096-byte buffer.
+
+Fix by also bounding len by (PAGE_SIZE - d_off), the same check that
+sev_send_update_data() already performs for its single-page guest
+region.
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in sev_dbg_crypt+0x993/0xd10 [kvm_amd]
+ Write of size 4095 at addr ff110062293bb009 by task sev_dbg_test/228214
+
+ CPU: 96 UID: 0 PID: 228214 Comm: sev_dbg_test Tainted: G     U  W           7.0.0-smp--5ce9b0c48211-dbg #156 PREEMPTLAZY
+ Tainted: [U]=USER, [W]=WARN
+ Hardware name: Google Astoria/astoria, BIOS 0.20250817.1-0 08/25/2025
+ Call Trace:
+  <TASK>
+  dump_stack_lvl+0x54/0x70
+  print_report+0xbc/0x260
+  kasan_report+0xa2/0xd0
+  kasan_check_range+0x25f/0x2c0
+  __asan_memcpy+0x40/0x70
+  sev_dbg_crypt+0x993/0xd10 [kvm_amd]
+  sev_mem_enc_ioctl+0x33c/0x450 [kvm_amd]
+  kvm_vm_ioctl+0x65d/0x6d0 [kvm]
+  __se_sys_ioctl+0xb2/0x100
+  do_syscall_64+0xe8/0x870
+  entry_SYSCALL_64_after_hwframe+0x4b/0x53
+  </TASK>
+
+ The buggy address belongs to the physical page:
+ page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7fe72b6a0 pfn:0x62293bb
+ memcg:ff11000112827d82
+ flags: 0x1400000000000000(node=1|zone=1)
+ raw: 1400000000000000 0000000000000000 dead000000000122 0000000000000000
+ raw: 00000007fe72b6a0 0000000000000000 00000001ffffffff ff11000112827d82
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+  ff110062293bbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  ff110062293bbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ >ff110062293bc000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+                    ^
+  ff110062293bc080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+  ff110062293bc100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ==================================================================
+ Disabling lock debugging due to kernel taint
+
+Fixes: 24f41fb23a39 ("KVM: SVM: Add support for SEV DEBUG_DECRYPT command")
+Fixes: 7d1594f5d94b ("KVM: SVM: Add support for SEV DEBUG_ENCRYPT command")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
+[sean: add sample KASAN splat, Fixes, and stable@]
+Link: https://patch.msgid.link/20260501203537.2120074-2-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/sev.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -836,6 +836,7 @@ static int sev_dbg_crypt(struct kvm *kvm
+               s_off = vaddr & ~PAGE_MASK;
+               d_off = dst_vaddr & ~PAGE_MASK;
+               len = min_t(size_t, (PAGE_SIZE - s_off), size);
++              len = min_t(size_t, len, PAGE_SIZE - d_off);
+               if (dec)
+                       ret = __sev_dbg_decrypt_user(kvm,
diff --git a/queue-5.10/nfsd-check-get_user-return-when-reading-princhashlen.patch b/queue-5.10/nfsd-check-get_user-return-when-reading-princhashlen.patch
new file mode 100644 (file)
index 0000000..0a55453
--- /dev/null
@@ -0,0 +1,47 @@
+From e186fa1c057f5eccb22afb1e83e34c0627085868 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dominik=20Wo=C5=BAniak?= <stalion@gmail.com>
+Date: Thu, 21 May 2026 17:46:56 +0200
+Subject: nfsd: check get_user() return when reading princhashlen
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dominik Woźniak <stalion@gmail.com>
+
+commit e186fa1c057f5eccb22afb1e83e34c0627085868 upstream.
+
+In __cld_pipe_inprogress_downcall(), the get_user() that reads
+princhashlen from the userspace cld_msg_v2 buffer does not check its
+return value. A failing copy leaves princhashlen with uninitialised
+stack contents, which are then used to drive memdup_user() and stored
+as princhash.len on the resulting reclaim record. The other get_user()
+calls in this function all check the return; only this one is missed,
+which is most likely a copy-paste oversight from when v2 upcalls were
+introduced.
+
+Mirror the existing pattern used a few lines above for namelen.
+namecopy is declared with __free(kfree) so the early return cleans up
+the already-allocated buffer automatically.
+
+Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dominik Woźniak <stalion@gmail.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4recover.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4recover.c
++++ b/fs/nfsd/nfs4recover.c
+@@ -815,7 +815,8 @@ __cld_pipe_inprogress_downcall(const str
+                       if (IS_ERR(name.data))
+                               return PTR_ERR(name.data);
+                       name.len = namelen;
+-                      get_user(princhashlen, &ci->cc_princhash.cp_len);
++                      if (get_user(princhashlen, &ci->cc_princhash.cp_len))
++                              return -EFAULT;
+                       if (princhashlen > 0) {
+                               princhash.data = memdup_user(
+                                               &ci->cc_princhash.cp_data,
diff --git a/queue-5.10/nfsd-fix-posix_acl-leak-on-setacl-decode-failure.patch b/queue-5.10/nfsd-fix-posix_acl-leak-on-setacl-decode-failure.patch
new file mode 100644 (file)
index 0000000..4ec8722
--- /dev/null
@@ -0,0 +1,131 @@
+From 0853ac544c590880d797b04daa33fcb72b6be0e1 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@kernel.org>
+Date: Thu, 21 May 2026 13:51:43 -0400
+Subject: nfsd: fix posix_acl leak on SETACL decode failure
+
+From: Jeff Layton <jlayton@kernel.org>
+
+commit 0853ac544c590880d797b04daa33fcb72b6be0e1 upstream.
+
+nfsaclsvc_decode_setaclargs() and nfs3svc_decode_setaclargs() each
+call nfs_stream_decode_acl() twice, first for NFS_ACL and then for
+NFS_DFACL.  Each successful call transfers ownership of a freshly
+allocated posix_acl into argp->acl_access or argp->acl_default.  If
+the first call succeeds but the second fails, the decoder returns
+false and argp->acl_access is left dangling.
+
+ACLPROC2_SETACL.pc_release was wired to nfssvc_release_attrstat and
+ACLPROC3_SETACL.pc_release was wired to nfs3svc_release_fhandle.
+Both only call fh_put() and have no knowledge of the ACL fields on
+argp.  The posix_acl_release() pairs sat at the out: labels inside
+nfsacld_proc_setacl() and nfsd3_proc_setacl(), but svc_process()
+skips pc_func when pc_decode returns false, so that cleanup is
+unreachable on decode failure:
+
+    svc_process_common()
+      pc_decode()                  /* decode_setaclargs: false */
+      /* pc_func skipped */
+      pc_release()                 /* fh_put only -- ACLs leaked */
+
+The orphaned posix_acl is leaked for the lifetime of the server.
+
+Fix by adding nfsaclsvc_release_setacl() and nfs3svc_release_setacl(),
+which release both argp->acl_access and argp->acl_default in addition
+to fh_put(), and wiring them as pc_release for their respective SETACL
+procedures.  pc_release runs on every path svc_process() takes after
+decode, including decode failure, so the posix_acl_release() pairs are
+removed from the proc functions' out: labels to keep ownership in one
+place.  This matches the existing release_getacl() pattern used by
+the sibling GETACL procedures.
+
+Fixes: a257cdd0e217 ("[PATCH] NFSD: Add server support for NFSv3 ACLs.")
+Cc: stable@vger.kernel.org
+Assisted-by: kres:claude-opus-4-7
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs2acl.c |   17 ++++++++++++-----
+ fs/nfsd/nfs3acl.c |   17 ++++++++++++-----
+ 2 files changed, 24 insertions(+), 10 deletions(-)
+
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -129,10 +129,7 @@ static __be32 nfsacld_proc_setacl(struct
+       resp->status = fh_getattr(fh, &resp->stat);
+ out:
+-      /* argp->acl_{access,default} may have been allocated in
+-         nfssvc_decode_setaclargs. */
+-      posix_acl_release(argp->acl_access);
+-      posix_acl_release(argp->acl_default);
++      /* argp->acl_{access,default} are released in nfsaclsvc_release_setacl. */
+       return rpc_success;
+ out_drop_lock:
+@@ -310,6 +307,16 @@ static void nfsaclsvc_release_access(str
+ struct nfsd3_voidargs { int dummy; };
++static void nfsaclsvc_release_setacl(struct svc_rqst *rqstp)
++{
++      struct nfsd3_setaclargs *argp = rqstp->rq_argp;
++      struct nfsd_attrstat *resp = rqstp->rq_resp;
++
++      fh_put(&resp->fh);
++      posix_acl_release(argp->acl_access);
++      posix_acl_release(argp->acl_default);
++}
++
+ #define ST 1          /* status*/
+ #define AT 21         /* attributes */
+ #define pAT (1+AT)    /* post attributes - conditional */
+@@ -343,7 +350,7 @@ static const struct svc_procedure nfsd_a
+               .pc_func = nfsacld_proc_setacl,
+               .pc_decode = nfsaclsvc_decode_setaclargs,
+               .pc_encode = nfssvc_encode_attrstatres,
+-              .pc_release = nfssvc_release_attrstat,
++              .pc_release = nfsaclsvc_release_setacl,
+               .pc_argsize = sizeof(struct nfsd3_setaclargs),
+               .pc_argzero = sizeof(struct nfsd3_setaclargs),
+               .pc_ressize = sizeof(struct nfsd_attrstat),
+--- a/fs/nfsd/nfs3acl.c
++++ b/fs/nfsd/nfs3acl.c
+@@ -116,10 +116,7 @@ out_drop_lock:
+ out_errno:
+       resp->status = nfserrno(error);
+ out:
+-      /* argp->acl_{access,default} may have been allocated in
+-         nfs3svc_decode_setaclargs. */
+-      posix_acl_release(argp->acl_access);
+-      posix_acl_release(argp->acl_default);
++      /* argp->acl_{access,default} are released in nfs3svc_release_setacl. */
+       return rpc_success;
+ }
+@@ -223,6 +220,16 @@ static void nfs3svc_release_getacl(struc
+ struct nfsd3_voidargs { int dummy; };
++static void nfs3svc_release_setacl(struct svc_rqst *rqstp)
++{
++      struct nfsd3_setaclargs *argp = rqstp->rq_argp;
++      struct nfsd3_attrstat *resp = rqstp->rq_resp;
++
++      fh_put(&resp->fh);
++      posix_acl_release(argp->acl_access);
++      posix_acl_release(argp->acl_default);
++}
++
+ #define ST 1          /* status*/
+ #define AT 21         /* attributes */
+ #define pAT (1+AT)    /* post attributes - conditional */
+@@ -256,7 +263,7 @@ static const struct svc_procedure nfsd_a
+               .pc_func = nfsd3_proc_setacl,
+               .pc_decode = nfs3svc_decode_setaclargs,
+               .pc_encode = nfs3svc_encode_setaclres,
+-              .pc_release = nfs3svc_release_fhandle,
++              .pc_release = nfs3svc_release_setacl,
+               .pc_argsize = sizeof(struct nfsd3_setaclargs),
+               .pc_argzero = sizeof(struct nfsd3_setaclargs),
+               .pc_ressize = sizeof(struct nfsd3_attrstat),
diff --git a/queue-5.10/nfsd-fix-secinfo_no_name-decode-error-cleanup.patch b/queue-5.10/nfsd-fix-secinfo_no_name-decode-error-cleanup.patch
new file mode 100644 (file)
index 0000000..db0d2f8
--- /dev/null
@@ -0,0 +1,48 @@
+From 9e18e83b8846a5c3fe13fc8a464b4865d33996c6 Mon Sep 17 00:00:00 2001
+From: Guannan Wang <wgnbuaa@gmail.com>
+Date: Thu, 21 May 2026 16:03:32 +0800
+Subject: NFSD: Fix SECINFO_NO_NAME decode error cleanup
+
+From: Guannan Wang <wgnbuaa@gmail.com>
+
+commit 9e18e83b8846a5c3fe13fc8a464b4865d33996c6 upstream.
+
+nfsd4_decode_secinfo_no_name() currently initializes sin_exp after
+decoding sin_style. If the XDR stream is truncated, the decoder returns
+nfserr_bad_xdr before sin_exp is initialized.
+
+Since commit 3fdc54646234 ("NFSD: Reduce amount of struct
+nfsd4_compoundargs that needs clearing"), the inline iops array is not
+cleared between RPC calls. A failed SECINFO_NO_NAME decode can therefore
+leave sin_exp holding stale union contents from a previous operation.
+
+The error response path still invokes nfsd4_secinfo_no_name_release(),
+which calls exp_put() on a non-NULL sin_exp.
+
+Initialize sin_exp before the first failable decode step, matching
+nfsd4_decode_secinfo().
+
+Fixes: 3fdc54646234 ("NFSD: Reduce amount of struct nfsd4_compoundargs that needs clearing")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guannan Wang <wgnbuaa@gmail.com>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4xdr.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -1821,10 +1821,11 @@ static __be32 nfsd4_decode_secinfo_no_na
+                                          union nfsd4_op_u *u)
+ {
+       struct nfsd4_secinfo_no_name *sin = &u->secinfo_no_name;
++
++      sin->sin_exp = NULL;
+       if (xdr_stream_decode_u32(argp->xdr, &sin->sin_style) < 0)
+               return nfserr_bad_xdr;
+-      sin->sin_exp = NULL;
+       return nfs_ok;
+ }
diff --git a/queue-5.10/ocfs2-reject-oversized-group-bitmap-descriptors.patch b/queue-5.10/ocfs2-reject-oversized-group-bitmap-descriptors.patch
new file mode 100644 (file)
index 0000000..4585307
--- /dev/null
@@ -0,0 +1,128 @@
+From 9bd541e09dffff27e5bec0f9f45b0228173a5375 Mon Sep 17 00:00:00 2001
+From: Zhang Cen <rollkingzzc@gmail.com>
+Date: Sun, 24 May 2026 19:12:48 +0800
+Subject: ocfs2: reject oversized group bitmap descriptors
+
+From: Zhang Cen <rollkingzzc@gmail.com>
+
+commit 9bd541e09dffff27e5bec0f9f45b0228173a5375 upstream.
+
+ocfs2_validate_gd_parent() only bounds bg_bits against the parent
+allocator's chain geometry.  A malicious descriptor can still claim a
+bg_size/bg_bits pair that exceeds the bitmap bytes that physically fit in
+the group descriptor block, so later bitmap scans and bit updates can run
+past bg_bitmap.
+
+Add a physical-cap check based on ocfs2_group_bitmap_size() for the parent
+allocator type and reject descriptors whose bg_size or bg_bits exceed that
+capacity.  Keep the existing chain geometry check so both the on-disk
+bitmap layout and the allocator metadata must agree before the descriptor
+is used.
+
+Validation reproduced this kernel report:
+KASAN use-after-free in _find_next_bit+0x7f/0xc0
+Read of size 8
+Call trace:
+  dump_stack_lvl+0x66/0xa0 (?:?)
+  print_report+0xd0/0x630 (?:?)
+  _find_next_bit+0x7f/0xc0 (?:?)
+  srso_alias_return_thunk+0x5/0xfbef5 (?:?)
+  __virt_addr_valid+0x188/0x2f0 (?:?)
+  kasan_report+0xe4/0x120 (?:?)
+  ocfs2_find_max_contig_free_bits+0x35/0x70 (fs/ocfs2/suballoc.c:1375)
+  ocfs2_block_group_set_bits+0x472/0x4b0 (fs/ocfs2/suballoc.c:1457)
+  ocfs2_cluster_group_search+0x16b/0x440 (fs/ocfs2/suballoc.c:86)
+  ocfs2_bg_discontig_fix_result+0x1ef/0x230 (fs/ocfs2/suballoc.c:1786)
+  ocfs2_search_chain+0x8f8/0x10a0 (fs/ocfs2/suballoc.c:1886)
+  get_page_from_freelist+0x70e/0x2370 (?:?)
+  lock_release+0xc6/0x290 (?:?)
+  do_raw_spin_unlock+0x9a/0x100 (?:?)
+  kasan_unpoison+0x27/0x60 (?:?)
+  __bfs+0x147/0x240 (?:?)
+  get_page_from_freelist+0x83d/0x2370 (?:?)
+  ocfs2_claim_suballoc_bits+0x38c/0xe70 (fs/ocfs2/suballoc.c:96)
+  sched_domains_numa_masks_clear+0x70/0xd0 (?:?)
+  check_irq_usage+0xe8/0xb70 (?:?)
+  __ocfs2_claim_clusters+0x18d/0x4c0 (fs/ocfs2/suballoc.c:2497)
+  check_path+0x24/0x50 (?:?)
+  rcu_is_watching+0x20/0x50 (?:?)
+  check_prev_add+0xfd/0xd00 (?:?)
+  ocfs2_add_clusters_in_btree+0x17d/0x810 (fs/ocfs2/suballoc.c:?)
+  __folio_batch_add_and_move+0x1f5/0x3d0 (?:?)
+  ocfs2_add_inode_data+0xd9/0x120 (fs/ocfs2/suballoc.c:?)
+  filemap_add_folio+0x105/0x1f0 (?:?)
+  ocfs2_write_begin_nolock+0x29f7/0x2f80 (fs/ocfs2/suballoc.c:3043)
+  ocfs2_read_inode_block+0xb5/0x110 (fs/ocfs2/suballoc.c:?)
+  down_write+0xf5/0x180 (?:?)
+  ocfs2_write_begin+0x180/0x240 (fs/ocfs2/suballoc.c:?)
+  __mark_inode_dirty+0x758/0x9a0 (?:?)
+  inode_to_bdi+0x41/0x90 (?:?)
+  balance_dirty_pages_ratelimited_flags+0xf8/0x1d0 (?:?)
+  generic_perform_write+0x252/0x440 (?:?)
+  mnt_put_write_access_file+0x16/0x70 (?:?)
+  file_update_time_flags+0xe4/0x200 (?:?)
+  ocfs2_file_write_iter+0x80a/0x1320 (fs/ocfs2/suballoc.c:?)
+  lock_acquire+0x184/0x2f0 (?:?)
+  ksys_write+0xd2/0x170 (?:?)
+  apparmor_file_permission+0xf5/0x310 (?:?)
+  read_zero+0x8d/0x140 (?:?)
+  lock_is_held_type+0x8f/0x100 (?:?)
+
+Link: https://lore.kernel.org/20260524111248.1429884-1-rollkingzzc@gmail.com
+Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
+Assisted-by: Codex:gpt-5.5
+Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Heming Zhao <heming.zhao@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/suballoc.c |   22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/fs/ocfs2/suballoc.c
++++ b/fs/ocfs2/suballoc.c
+@@ -203,8 +203,16 @@ static int ocfs2_validate_gd_parent(stru
+                                   int resize)
+ {
+       unsigned int max_bits;
++      unsigned int max_bitmap_bits;
++      unsigned int max_bitmap_size;
++      int suballocator;
+       struct ocfs2_group_desc *gd = (struct ocfs2_group_desc *)bh->b_data;
++      suballocator = le64_to_cpu(di->i_blkno) != OCFS2_SB(sb)->bitmap_blkno;
++      max_bitmap_size = ocfs2_group_bitmap_size(sb, suballocator,
++                                                OCFS2_SB(sb)->s_feature_incompat);
++      max_bitmap_bits = max_bitmap_size * 8;
++
+       if (di->i_blkno != gd->bg_parent_dinode) {
+               do_error("Group descriptor #%llu has bad parent pointer (%llu, expected %llu)\n",
+                        (unsigned long long)bh->b_blocknr,
+@@ -212,6 +220,20 @@ static int ocfs2_validate_gd_parent(stru
+                        (unsigned long long)le64_to_cpu(di->i_blkno));
+       }
++      if (le16_to_cpu(gd->bg_size) > max_bitmap_size) {
++              do_error("Group descriptor #%llu has bitmap size %u but physical max of %u\n",
++                       (unsigned long long)bh->b_blocknr,
++                       le16_to_cpu(gd->bg_size),
++                       max_bitmap_size);
++      }
++
++      if (le16_to_cpu(gd->bg_bits) > max_bitmap_bits) {
++              do_error("Group descriptor #%llu has bit count %u but physical max of %u\n",
++                       (unsigned long long)bh->b_blocknr,
++                       le16_to_cpu(gd->bg_bits),
++                       max_bitmap_bits);
++      }
++
+       max_bits = le16_to_cpu(di->id2.i_chain.cl_cpg) * le16_to_cpu(di->id2.i_chain.cl_bpc);
+       if (le16_to_cpu(gd->bg_bits) > max_bits) {
+               do_error("Group descriptor #%llu has bit count of %u\n",
diff --git a/queue-5.10/pnfs-fix-use-after-free-in-pnfs_update_layout.patch b/queue-5.10/pnfs-fix-use-after-free-in-pnfs_update_layout.patch
new file mode 100644 (file)
index 0000000..c3612f2
--- /dev/null
@@ -0,0 +1,41 @@
+From 13e198a90ca4050f4bee8a3f23680389a6563ccc Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Mon, 18 May 2026 13:10:36 +0000
+Subject: pNFS: Fix use-after-free in pnfs_update_layout()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit 13e198a90ca4050f4bee8a3f23680389a6563ccc upstream.
+
+When hitting the NFS_LAYOUT_RETURN branch in pnfs_update_layout(),
+the code calls pnfs_prepare_to_retry_layoutget(lo). If it succeeds,
+pnfs_put_layout_hdr(lo) is called before trace_pnfs_update_layout(),
+which still references 'lo'. This results in a use-after-free when the
+tracepoint accesses lo's fields.
+
+Fix this by moving the tracepoint call before pnfs_put_layout_hdr(lo).
+
+Fixes: 2c8d5fc37fe2 ("pNFS: Stricter ordering of layoutget and layoutreturn")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/pnfs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -2074,11 +2074,11 @@ lookup_again:
+               dprintk("%s wait for layoutreturn\n", __func__);
+               lseg = ERR_PTR(pnfs_prepare_to_retry_layoutget(lo));
+               if (!IS_ERR(lseg)) {
+-                      pnfs_put_layout_hdr(lo);
+                       dprintk("%s retrying\n", __func__);
+                       trace_pnfs_update_layout(ino, pos, count, iomode, lo,
+                                                lseg,
+                                                PNFS_UPDATE_LAYOUT_RETRY);
++                      pnfs_put_layout_hdr(lo);
+                       goto lookup_again;
+               }
+               trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg,
index 87582d6517769453a5513446d9b1aa31baeb735d..efddcaaefde474a28237f78a58904640b3fdfe53 100644 (file)
@@ -68,3 +68,15 @@ f2fs-validate-acl-entry-sizes-in-f2fs_acl_from_disk.patch
 bpf-use-kvfree-for-replaced-sysctl-write-buffer.patch
 mips-dec-prevent-initial-console-buffer-from-landing-in-xkphys.patch
 exfat-fix-potential-use-after-free-in-exfat_find_dir_entry.patch
+hdlc_ppp-sync-per-proto-timers-before-freeing-hdlc-state.patch
+tipc-fix-slab-use-after-free-read-in-tipc_aead_decrypt_done.patch
+pnfs-fix-use-after-free-in-pnfs_update_layout.patch
+irqchip-imgpdc-fix-resource-leak-add-missing-chained-handler-cleanup-on-remove.patch
+fpga-region-fix-use-after-free-in-child_regions_with_firmware.patch
+ocfs2-reject-oversized-group-bitmap-descriptors.patch
+kvm-svm-fix-page-overflow-in-sev_dbg_crypt-for-encrypt-path.patch
+fbdev-fix-fb_new_modelist-to-prevent-null-ptr-deref-in-fb_videomode_to_var.patch
+fbdev-modedb-fix-misaligned-fields-in-the-1920x1080-60-mode.patch
+nfsd-fix-secinfo_no_name-decode-error-cleanup.patch
+nfsd-fix-posix_acl-leak-on-setacl-decode-failure.patch
+nfsd-check-get_user-return-when-reading-princhashlen.patch
diff --git a/queue-5.10/tipc-fix-slab-use-after-free-read-in-tipc_aead_decrypt_done.patch b/queue-5.10/tipc-fix-slab-use-after-free-read-in-tipc_aead_decrypt_done.patch
new file mode 100644 (file)
index 0000000..2069a5c
--- /dev/null
@@ -0,0 +1,124 @@
+From bda3348872a2ef0d19f2df6aa8cb5025adce2f20 Mon Sep 17 00:00:00 2001
+From: Doruk Tan Ozturk <doruk@0sec.ai>
+Date: Wed, 17 Jun 2026 09:58:18 +0200
+Subject: tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done
+
+From: Doruk Tan Ozturk <doruk@0sec.ai>
+
+commit bda3348872a2ef0d19f2df6aa8cb5025adce2f20 upstream.
+
+tipc_aead_decrypt() goes straight from tipc_bearer_hold(b) to
+crypto_aead_decrypt(req) without taking a reference on the netns, unlike
+the encrypt path. When crypto_aead_decrypt() is offloaded asynchronously
+(e.g. the SIMD aead wrapper queuing to cryptd), the cryptd worker runs
+tipc_aead_decrypt_done() later. If the bearer's netns is torn down in the
+meantime, cleanup_net() -> tipc_exit_net() -> tipc_crypto_stop() frees the
+per-netns tipc_crypto, and the completion then reads it:
+tipc_aead_decrypt_done() dereferences aead->crypto->stats and
+aead->crypto->net, and tipc_crypto_rcv_complete() dereferences
+aead->crypto->aead[] and the node table -- reading freed memory.
+
+Decoded KASAN splat (v7.1-rc7, CONFIG_KASAN_INLINE + TIPC + TIPC_CRYPTO):
+
+  BUG: KASAN: slab-use-after-free in tipc_aead_decrypt_done (net/tipc/crypto.c:999)
+  Read of size 8 at addr ffff8881056258a8 by task kworker/u16:2/51
+  Workqueue: events_unbound
+  Call Trace:
+   tipc_aead_decrypt_done (net/tipc/crypto.c:999)
+   process_one_work (kernel/workqueue.c:3314)
+   worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
+   kthread (kernel/kthread.c:436)
+   ret_from_fork (arch/x86/kernel/process.c:158)
+   ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
+
+  Allocated by task 169:
+   __kasan_kmalloc (mm/kasan/common.c:398 mm/kasan/common.c:415)
+   tipc_crypto_start (net/tipc/crypto.c:1502)
+   tipc_init_net (net/tipc/core.c:72)
+   ops_init (net/core/net_namespace.c:137)
+   setup_net (net/core/net_namespace.c:446)
+   copy_net_ns (net/core/net_namespace.c:579)
+   create_new_namespaces (kernel/nsproxy.c:132)
+   __x64_sys_unshare (kernel/fork.c:3316)
+   do_syscall_64 (arch/x86/entry/syscall_64.c:63)
+   entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
+
+  Freed by task 8:
+   kfree (mm/slub.c:6566)
+   tipc_exit_net (net/tipc/core.c:119)
+   cleanup_net (net/core/net_namespace.c:704)
+   process_one_work (kernel/workqueue.c:3314)
+   kthread (kernel/kthread.c:436)
+
+This is the same class of bug that commit e279024617134 ("net/tipc: fix
+slab-use-after-free Read in tipc_aead_encrypt_done") fixed for the encrypt
+side. The encrypt path takes maybe_get_net(aead->crypto->net) before
+crypto_aead_encrypt() and drops it with put_net() on the synchronous
+return paths and in tipc_aead_encrypt_done(); the -EINPROGRESS/-EBUSY
+return keeps the reference for the async callback to release. The decrypt
+path was left without the equivalent guard.
+
+Mirror the encrypt-side fix on the decrypt path: take a net reference
+before crypto_aead_decrypt() (failing with -ENODEV and the matching
+bearer put if it cannot be acquired), keep it across the
+-EINPROGRESS/-EBUSY async return, and drop it with put_net() on the
+synchronous success/error return and at the end of
+tipc_aead_decrypt_done().
+
+Reproduced under KASAN on v7.1-rc7: a UDP bearer with a cluster key is
+flooded with crafted encrypted frames from an unknown peer (driving the
+cluster-key decrypt path) while the bearer's netns is repeatedly torn
+down. The completion must run asynchronously to outlive
+tipc_crypto_stop(); on x86 the stock aesni gcm(aes) now decrypts
+synchronously, so the async path was exercised via cryptd offload. The
+unguarded aead->crypto dereference in tipc_aead_decrypt_done() is the
+unpatched upstream path; tipc_aead_decrypt() still lacks
+maybe_get_net(aead->crypto->net), so the completion can outlive the free
+on any config where crypto_aead_decrypt() goes async.
+
+Found by 0sec automated security-research tooling (https://0sec.ai).
+
+Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
+Cc: stable@vger.kernel.org
+Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
+Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20260617075818.37431-1-doruk@0sec.ai
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/tipc/crypto.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -954,12 +954,20 @@ static int tipc_aead_decrypt(struct net
+               goto exit;
+       }
++      /* Get net to avoid freed tipc_crypto when delete namespace */
++      if (!maybe_get_net(net)) {
++              tipc_bearer_put(b);
++              rc = -ENODEV;
++              goto exit;
++      }
++
+       /* Now, do decrypt */
+       rc = crypto_aead_decrypt(req);
+       if (rc == -EINPROGRESS || rc == -EBUSY)
+               return rc;
+       tipc_bearer_put(b);
++      put_net(net);
+ exit:
+       kfree(ctx);
+@@ -997,6 +1005,7 @@ static void tipc_aead_decrypt_done(struc
+       }
+       tipc_bearer_put(b);
++      put_net(net);
+ }
+ static inline int tipc_ehdr_size(struct tipc_ehdr *ehdr)