From: Greg Kroah-Hartman
Date: Mon, 12 Jan 2026 10:48:08 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33f93185cef790be2089f4026539bdc734f1c521;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
atm-fix-dma_free_coherent-size.patch
drm-pl111-fix-error-handling-in-pl111_amba_probe.patch
lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch
libceph-make-calc_target-set-t-paused-not-just-clear-it.patch
libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch
libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch
libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch
libceph-return-the-handler-error-from-mon_handle_auth_done.patch
mei-me-add-nova-lake-point-s-did.patch
net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch
wifi-avoid-kernel-infoleak-from-struct-iw_point.patch
---
diff --git a/queue-5.15/atm-fix-dma_free_coherent-size.patch b/queue-5.15/atm-fix-dma_free_coherent-size.patch
new file mode 100644
index 0000000000..946a1e7933
--- /dev/null
+++ b/queue-5.15/atm-fix-dma_free_coherent-size.patch
@@ -0,0 +1,34 @@
+From 4d984b0574ff708e66152763fbfdef24ea40933f Mon Sep 17 00:00:00 2001
+From: Thomas Fourier
+Date: Wed, 7 Jan 2026 10:01:36 +0100
+Subject: atm: Fix dma_free_coherent() size
+
+From: Thomas Fourier
+
+commit 4d984b0574ff708e66152763fbfdef24ea40933f upstream.
+
+The size of the buffer is not the same when alloc'd with
+dma_alloc_coherent() in he_init_tpdrq() and freed.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc:
+Signed-off-by: Thomas Fourier
+Link: https://patch.msgid.link/20260107090141.80900-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/atm/he.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/atm/he.c
++++ b/drivers/atm/he.c
+@@ -1590,7 +1590,8 @@ he_stop(struct he_dev *he_dev)
+ he_dev->tbrq_base, he_dev->tbrq_phys);
+
+ if (he_dev->tpdrq_base)
+- dma_free_coherent(&he_dev->pci_dev->dev, CONFIG_TBRQ_SIZE * sizeof(struct he_tbrq),
++ dma_free_coherent(&he_dev->pci_dev->dev,
++ CONFIG_TPDRQ_SIZE * sizeof(struct he_tpdrq),
+ he_dev->tpdrq_base, he_dev->tpdrq_phys);
+
+ dma_pool_destroy(he_dev->tpd_pool);
diff --git a/queue-5.15/drm-pl111-fix-error-handling-in-pl111_amba_probe.patch b/queue-5.15/drm-pl111-fix-error-handling-in-pl111_amba_probe.patch
new file mode 100644
index 0000000000..ee0c97da32
--- /dev/null
+++ b/queue-5.15/drm-pl111-fix-error-handling-in-pl111_amba_probe.patch
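Review bot: The byte count of the tpdrq ring is now spelled out independently at this free site and, per the description, at the dma_alloc_coherent() call in he_init_tpdrq(), which is exactly how the original TBRQ/TPDRQ mix-up went unnoticed. Hoisting the size into one named constant used by both sites, e.g. `#define HE_TPDRQ_BYTES (CONFIG_TPDRQ_SIZE * sizeof(struct he_tpdrq))` (name illustrative), would turn a future alloc/free mismatch into a visible edit rather than a silent one; the tbrq ring freed just above could get the same treatment. he_stop() and the matching allocation lie outside the hunk, so the allocation expression itself cannot be checked here.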
@@ -0,0 +1,37 @@
+From 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin
+Date: Thu, 11 Dec 2025 16:33:44 +0400
+Subject: drm/pl111: Fix error handling in pl111_amba_probe
+
+From: Miaoqian Lin
+
+commit 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 upstream.
+
+Jump to the existing dev_put label when devm_request_irq() fails
+so drm_dev_put() and of_reserved_mem_device_release() run
+instead of returning early and leaking resources.
+
+Found via static analysis and code review.
+
+Fixes: bed41005e617 ("drm/pl111: Initial drm/kms driver for pl111")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin
+Reviewed-by: Javier Martinez Canillas
+Signed-off-by: Linus Walleij
+Link: https://patch.msgid.link/20251211123345.2392065-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/pl111/pl111_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/pl111/pl111_drv.c
++++ b/drivers/gpu/drm/pl111/pl111_drv.c
+@@ -297,7 +297,7 @@ static int pl111_amba_probe(struct amba_
+ variant->name, priv);
+ if (ret != 0) {
+ dev_err(dev, "%s failed irq %d\n", __func__, ret);
+- return ret;
++ goto dev_put;
+ }
+
+ ret = pl111_modeset_init(drm);
diff --git a/queue-5.15/lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch b/queue-5.15/lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch
new file mode 100644
index 0000000000..d76fb66710
--- /dev/null
+++ b/queue-5.15/lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch
@@ -0,0 +1,46 @@
+From 74d74bb78aeccc9edc10db216d6be121cf7ec176 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Tue, 6 Jan 2026 21:20:23 -0800
+Subject: lib/crypto: aes: Fix missing MMU protection for AES S-box
+
+From: Eric Biggers
+
+commit 74d74bb78aeccc9edc10db216d6be121cf7ec176 upstream.
+
+__cacheline_aligned puts the data in the ".data..cacheline_aligned"
+section, which isn't marked read-only i.e. it doesn't receive MMU
+protection. Replace it with ____cacheline_aligned which does the right
+thing and just aligns the data while keeping it in ".rodata".
+
+Fixes: b5e0b032b6c3 ("crypto: aes - add generic time invariant AES cipher")
+Cc: stable@vger.kernel.org
+Reported-by: Qingfang Deng
+Closes: https://lore.kernel.org/r/20260105074712.498-1-dqfext@gmail.com/
+Acked-by: Ard Biesheuvel
+Link: https://lore.kernel.org/r/20260107052023.174620-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers
+Signed-off-by: Greg Kroah-Hartman
+---
+ lib/crypto/aes.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/crypto/aes.c
++++ b/lib/crypto/aes.c
+@@ -12,7 +12,7 @@
+ * Emit the sbox as volatile const to prevent the compiler from doing
+ * constant folding on sbox references involving fixed indexes.
+ */
+-static volatile const u8 __cacheline_aligned aes_sbox[] = {
++static volatile const u8 ____cacheline_aligned aes_sbox[] = {
+ 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
+ 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+ 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
+@@ -47,7 +47,7 @@ static volatile const u8 __cacheline_ali
+ 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
+ };
+
+-static volatile const u8 __cacheline_aligned aes_inv_sbox[] = {
++static volatile const u8 ____cacheline_aligned aes_inv_sbox[] = {
+ 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
+ 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
+ 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
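Review bot: Nothing at either declaration records why the four-underscore `____cacheline_aligned` is required, so a later cleanup could easily "normalise" it back to the more familiar `__cacheline_aligned` and silently move the S-boxes into a writable section again. Extending the existing comment above aes_sbox with `* ____cacheline_aligned (not __cacheline_aligned) only aligns the table and` / `* keeps it in .rodata, so it stays read-only under MMU protection.` would pin the choice; aes_inv_sbox has no comment at all and could carry the same one-liner. The reason currently lives only in the commit message, which is not what the next editor of lib/crypto/aes.c will be reading.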
diff --git a/queue-5.15/libceph-make-calc_target-set-t-paused-not-just-clear-it.patch b/queue-5.15/libceph-make-calc_target-set-t-paused-not-just-clear-it.patch
new file mode 100644
index 0000000000..655deddf2a
--- /dev/null
+++ b/queue-5.15/libceph-make-calc_target-set-t-paused-not-just-clear-it.patch
@@ -0,0 +1,74 @@
+From c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Mon, 5 Jan 2026 19:23:19 +0100
+Subject: libceph: make calc_target() set t->paused, not just clear it
+
+From: Ilya Dryomov
+
+commit c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 upstream.
+
+Currently calc_target() clears t->paused if the request shouldn't be
+paused anymore, but doesn't ever set t->paused even though it's able to
+determine when the request should be paused. Setting t->paused is left
+to __submit_request() which is fine for regular requests but doesn't
+work for linger requests -- since __submit_request() doesn't operate
+on linger requests, there is nowhere for lreq->t.paused to be set.
+One consequence of this is that watches don't get reestablished on
+paused -> unpaused transitions in cases where requests have been paused
+long enough for the (paused) unwatch request to time out and for the
+subsequent (re)watch request to enter the paused state. On top of the
+watch not getting reestablished, rbd_reregister_watch() gets stuck with
+rbd_dev->watch_mutex held:
+
+ rbd_register_watch
+ __rbd_register_watch
+ ceph_osdc_watch
+ linger_reg_commit_wait
+
+It's waiting for lreq->reg_commit_wait to be completed, but for that to
+happen the respective request needs to end up on need_resend_linger list
+and be kicked when requests are unpaused. There is no chance for that
+if the request in question is never marked paused in the first place.
+
+The fact that rbd_dev->watch_mutex remains taken out forever then
+prevents the image from getting unmapped -- "rbd unmap" would inevitably
+hang in D state on an attempt to grab the mutex.
+
+Cc: stable@vger.kernel.org
+Reported-by: Raphael Zimmer
+Signed-off-by: Ilya Dryomov
+Reviewed-by: Viacheslav Dubeyko
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/osd_client.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/net/ceph/osd_client.c
++++ b/net/ceph/osd_client.c
+@@ -1529,6 +1529,7 @@ static enum calc_target_result calc_targ
+ struct ceph_pg_pool_info *pi;
+ struct ceph_pg pgid, last_pgid;
+ struct ceph_osds up, acting;
++ bool should_be_paused;
+ bool is_read = t->flags & CEPH_OSD_FLAG_READ;
+ bool is_write = t->flags & CEPH_OSD_FLAG_WRITE;
+ bool force_resend = false;
+@@ -1597,10 +1598,16 @@ static enum calc_target_result calc_targ
+ &last_pgid))
+ force_resend = true;
+
+- if (t->paused && !target_should_be_paused(osdc, t, pi)) {
+- t->paused = false;
++ should_be_paused = target_should_be_paused(osdc, t, pi);
++ if (t->paused && !should_be_paused) {
+ unpaused = true;
+ }
++ if (t->paused != should_be_paused) {
++ dout("%s t %p paused %d -> %d\n", __func__, t, t->paused,
++ should_be_paused);
++ t->paused = should_be_paused;
++ }
++
+ legacy_change = ceph_pg_compare(&t->pgid, &pgid) ||
+ ceph_osds_changed(&t->acting, &acting,
+ t->used_replica || any_change);
diff --git a/queue-5.15/libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch b/queue-5.15/libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch
new file mode 100644
index 0000000000..8d73caf9f8
--- /dev/null
+++ b/queue-5.15/libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch
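Review bot: `unpaused = true` in the first new `if` is derived from the old value of t->paused, and the second new `if` overwrites t->paused a few lines later, yet nothing marks that the two must stay in this order. A short comment on the first branch, `/* capture the paused -> unpaused edge before t->paused is updated below */`, would keep a well-meaning reorder from silently dropping the resend of linger requests that this fix exists for. As a style nit, that branch is now a single statement and kernel style would drop its braces: `if (t->paused && !should_be_paused)` / `unpaused = true;`. calc_target() starts and ends outside the hunk, so how unpaused is consumed is not visible here.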
@@ -0,0 +1,69 @@
+From e3fe30e57649c551757a02e1cad073c47e1e075e Mon Sep 17 00:00:00 2001
+From: Tuo Li
+Date: Sun, 21 Dec 2025 02:11:49 +0800
+Subject: libceph: make free_choose_arg_map() resilient to partial allocation
+
+From: Tuo Li
+
+commit e3fe30e57649c551757a02e1cad073c47e1e075e upstream.
+
+free_choose_arg_map() may dereference a NULL pointer if its caller fails
+after a partial allocation.
+
+For example, in decode_choose_args(), if allocation of arg_map->args
+fails, execution jumps to the fail label and free_choose_arg_map() is
+called. Since arg_map->size is updated to a non-zero value before memory
+allocation, free_choose_arg_map() will iterate over arg_map->args and
+dereference a NULL pointer.
+
+To prevent this potential NULL pointer dereference and make
+free_choose_arg_map() more resilient, add checks for pointers before
+iterating.
+
+Cc: stable@vger.kernel.org
+Co-authored-by: Ilya Dryomov
+Signed-off-by: Tuo Li
+Reviewed-by: Viacheslav Dubeyko
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/osdmap.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -225,22 +225,26 @@ static struct crush_choose_arg_map *allo
+
+ static void free_choose_arg_map(struct crush_choose_arg_map *arg_map)
+ {
+- if (arg_map) {
+- int i, j;
++ int i, j;
+
+- WARN_ON(!RB_EMPTY_NODE(&arg_map->node));
++ if (!arg_map)
++ return;
+
++ WARN_ON(!RB_EMPTY_NODE(&arg_map->node));
++
++ if (arg_map->args) {
+ for (i = 0; i < arg_map->size; i++) {
+ struct crush_choose_arg *arg = &arg_map->args[i];
+-
+- for (j = 0; j < arg->weight_set_size; j++)
+- kfree(arg->weight_set[j].weights);
+- kfree(arg->weight_set);
++ if (arg->weight_set) {
++ for (j = 0; j < arg->weight_set_size; j++)
++ kfree(arg->weight_set[j].weights);
++ kfree(arg->weight_set);
++ }
+ kfree(arg->ids);
+ }
+ kfree(arg_map->args);
+- kfree(arg_map);
+ }
++ kfree(arg_map);
+ }
+
+
+ DEFINE_RB_FUNCS(choose_arg_map, struct crush_choose_arg_map, choose_args_index,
diff --git a/queue-5.15/libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch b/queue-5.15/libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch
new file mode 100644
index 0000000000..3aa8fbf122
--- /dev/null
+++ b/queue-5.15/libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch
@@ -0,0 +1,35 @@
+From 818156caffbf55cb4d368f9c3cac64e458fb49c9 Mon Sep 17 00:00:00 2001
+From: ziming zhang
+Date: Thu, 11 Dec 2025 16:52:58 +0800
+Subject: libceph: prevent potential out-of-bounds reads in handle_auth_done()
+
+From: ziming zhang
+
+commit 818156caffbf55cb4d368f9c3cac64e458fb49c9 upstream.
+
+Perform an explicit bounds check on payload_len to avoid a possible
+out-of-bounds access in the callout.
+
+[ idryomov: changelog ]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: ziming zhang
+Reviewed-by: Ilya Dryomov
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/messenger_v2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ceph/messenger_v2.c
++++ b/net/ceph/messenger_v2.c
+@@ -2068,7 +2068,9 @@ static int process_auth_done(struct ceph
+
+ ceph_decode_64_safe(&p, end, global_id, bad);
+ ceph_decode_32_safe(&p, end, con->v2.con_mode, bad);
++
+ ceph_decode_32_safe(&p, end, payload_len, bad);
++ ceph_decode_need(&p, end, payload_len, bad);
+
+ dout("%s con %p global_id %llu con_mode %d payload_len %d\n",
+ __func__, con, global_id, con->v2.con_mode, payload_len);
diff --git a/queue-5.15/libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch b/queue-5.15/libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch
new file mode 100644
index 0000000000..e28378755f
--- /dev/null
+++ b/queue-5.15/libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch
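Review bot: The blank line that separated the `struct crush_choose_arg *arg = &arg_map->args[i];` declaration from the statements in the loop body was dropped (the removed empty line right after it), and checkpatch warns about a missing blank line after declarations; keeping it costs nothing. More importantly, nothing in free_choose_arg_map() records the invariant the fix depends on — the description says arg_map->size is set before args is allocated, and the new `if (arg->weight_set)` check presumably relies on the same ordering for weight_set_size — so a NULL array next to a non-zero size is an expected state on decode error paths. A comment above `if (arg_map->args) {`, `/* sizes are set before the arrays are allocated (see decode_choose_args()), so a NULL array with a non-zero size is expected on error paths */`, would stop someone from "simplifying" the NULL checks away later.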
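Review bot: The added `ceph_decode_need(&p, end, payload_len, bad);` bounds the callout's read to what remains in the buffer, but payload_len is printed with `%d` in the dout() just below, which suggests it is a signed int filled from a 32-bit wire field. If so, confirm that ceph_decode_need() treats a negative value as "not enough room" rather than as a small length (an unsigned comparison would, a signed one would not); declaring payload_len as u32 at its definition would settle the question at the decode site. The enclosing process_auth_done() starts outside the hunk and the `bad:` label is not visible here.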
@@ -0,0 +1,38 @@
+From e00c3f71b5cf75681dbd74ee3f982a99cb690c2b Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Mon, 15 Dec 2025 11:53:31 +0100
+Subject: libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
+
+From: Ilya Dryomov
+
+commit e00c3f71b5cf75681dbd74ee3f982a99cb690c2b upstream.
+
+If the osdmap is (maliciously) corrupted such that the incremental
+osdmap epoch is different from what is expected, there is no need to
+BUG. Instead, just declare the incremental osdmap to be invalid.
+
+Cc: stable@vger.kernel.org
+Reported-by: ziming zhang
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/osdmap.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1959,11 +1959,13 @@ struct ceph_osdmap *osdmap_apply_increme
+ sizeof(u64) + sizeof(u32), e_inval);
+ ceph_decode_copy(p, &fsid, sizeof(fsid));
+ epoch = ceph_decode_32(p);
+- BUG_ON(epoch != map->epoch+1);
+ ceph_decode_copy(p, &modified, sizeof(modified));
+ new_pool_max = ceph_decode_64(p);
+ new_flags = ceph_decode_32(p);
+
++ if (epoch != map->epoch + 1)
++ goto e_inval;
++
+ /* full map? */
+ ceph_decode_32_safe(p, end, len, e_inval);
+ if (len > 0) {
diff --git a/queue-5.15/libceph-return-the-handler-error-from-mon_handle_auth_done.patch b/queue-5.15/libceph-return-the-handler-error-from-mon_handle_auth_done.patch
new file mode 100644
index 0000000000..be7afe3c07
--- /dev/null
+++ b/queue-5.15/libceph-return-the-handler-error-from-mon_handle_auth_done.patch
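Review bot: The new epoch check is placed after `modified`, `new_pool_max` and `new_flags` have already been decoded rather than directly after `epoch = ceph_decode_32(p);` where the BUG_ON used to sit, so three more fields are pulled out of a map that is about to be rejected and the check is separated from the value it validates. Moving `if (epoch != map->epoch + 1)` / `goto e_inval;` up to follow the epoch decode keeps validation adjacent to the decode; the ceph_decode_need() visible at the top of the hunk appears to have sized those reads already, so this is about readability rather than safety. The `e_inval` label and the start of osdmap_apply_incremental() lie outside the hunk.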
@@ -0,0 +1,38 @@
+From e84b48d31b5008932c0a0902982809fbaa1d3b70 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov
+Date: Mon, 29 Dec 2025 15:14:48 +0100
+Subject: libceph: return the handler error from mon_handle_auth_done()
+
+From: Ilya Dryomov
+
+commit e84b48d31b5008932c0a0902982809fbaa1d3b70 upstream.
+
+Currently any error from ceph_auth_handle_reply_done() is propagated
+via finish_auth() but isn't returned from mon_handle_auth_done(). This
+results in higher layers learning that (despite the monitor considering
+us to be successfully authenticated) something went wrong in the
+authentication phase and reacting accordingly, but msgr2 still trying
+to proceed with establishing the session in the background. In the
+case of secure mode this can trigger a WARN in setup_crypto() and later
+lead to a NULL pointer dereference inside of prepare_auth_signature().
+
+Cc: stable@vger.kernel.org
+Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
+Signed-off-by: Ilya Dryomov
+Reviewed-by: Viacheslav Dubeyko
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/mon_client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/mon_client.c
++++ b/net/ceph/mon_client.c
+@@ -1418,7 +1418,7 @@ static int mon_handle_auth_done(struct c
+ if (!ret)
+ finish_hunting(monc);
+ mutex_unlock(&monc->mutex);
+- return 0;
++ return ret;
+ }
+
+ static int mon_handle_auth_bad_method(struct ceph_connection *con,
diff --git a/queue-5.15/mei-me-add-nova-lake-point-s-did.patch b/queue-5.15/mei-me-add-nova-lake-point-s-did.patch
new file mode 100644
index 0000000000..154da07348
--- /dev/null
+++ b/queue-5.15/mei-me-add-nova-lake-point-s-did.patch
@@ -0,0 +1,44 @@
+From 420f423defcf6d0af2263d38da870ca4a20c0990 Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin
+Date: Mon, 15 Dec 2025 12:59:15 +0200
+Subject: mei: me: add nova lake point S DID
+
+From: Alexander Usyskin
+
+commit 420f423defcf6d0af2263d38da870ca4a20c0990 upstream.
+
+Add Nova Lake S device id.
+
+Cc: stable
+Co-developed-by: Tomas Winkler
+Signed-off-by: Tomas Winkler
+Signed-off-by: Alexander Usyskin
+Link: https://patch.msgid.link/20251215105915.1672659-1-alexander.usyskin@intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/misc/mei/hw-me-regs.h | 2 ++
+ drivers/misc/mei/pci-me.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -122,6 +122,8 @@
+
+ #define MEI_DEV_ID_WCL_P 0x4D70 /* Wildcat Lake P */
+
++#define MEI_DEV_ID_NVL_S 0x6E68 /* Nova Lake Point S */
++
+ /*
+ * MEI HW Section
+ */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -128,6 +128,8 @@ static const struct pci_device_id mei_me
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_WCL_P, MEI_ME_PCH15_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_NVL_S, MEI_ME_PCH15_CFG)},
++
+ /* required last entry */
+ {0, }
+ };
diff --git a/queue-5.15/net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch b/queue-5.15/net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch
new file mode 100644
index 0000000000..3419bb5d75
--- /dev/null
+++ b/queue-5.15/net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch
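Review bot: The new header comment reads `/* Nova Lake Point S */` while the neighbouring entry is `/* Wildcat Lake P */` and the description says "Nova Lake S", so one part is given two names within a single change. Unless "Point" is deliberate (the PCH rather than the SoC name, which the text does not say), the comment should follow the existing entries' form, e.g. `#define MEI_DEV_ID_NVL_S 0x6E68 /* Nova Lake S */`. The pci-me.c table entry itself mirrors the WCL_P line exactly and needs nothing further.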
@@ -0,0 +1,33 @@
+From a4e305ed60f7c41bbf9aabc16dd75267194e0de3 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier
+Date: Tue, 6 Jan 2026 10:47:21 +0100
+Subject: net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
+
+From: Thomas Fourier
+
+commit a4e305ed60f7c41bbf9aabc16dd75267194e0de3 upstream.
+
+pdev can be null and free_ring: can be called in 1297 with a null
+pdev.
+
+Fixes: 55c82617c3e8 ("3c59x: convert to generic DMA API")
+Cc:
+Signed-off-by: Thomas Fourier
+Link: https://patch.msgid.link/20260106094731.25819-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/3com/3c59x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/3com/3c59x.c
++++ b/drivers/net/ethernet/3com/3c59x.c
+@@ -1471,7 +1471,7 @@ static int vortex_probe1(struct device *
+ return 0;
+
+ free_ring:
+- dma_free_coherent(&pdev->dev,
++ dma_free_coherent(gendev,
+ sizeof(struct boom_rx_desc) * RX_RING_SIZE +
+ sizeof(struct boom_tx_desc) * TX_RING_SIZE,
+ vp->rx_ring, vp->rx_ring_dma);
diff --git a/queue-5.15/series b/queue-5.15/series
index da209e3027..7f6ede4040 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
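Review bot: The free now goes through `gendev`, so the change is only correct if the ring was allocated against that same device; the dma_alloc_coherent() call is outside the hunk (vortex_probe1() starts and ends outside it), and freeing coherent memory through a different device than it was allocated with is its own bug, so that pairing should be confirmed rather than assumed. A one-line comment at the label, `free_ring: /* gendev, not &pdev->dev: pdev can be NULL on this path */`, would record why the more specific pointer is deliberately avoided here. Any other `pdev->dev` use on the error path between the allocation and this label would need the same treatment and is not visible in the hunk.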
@@ -501,3 +501,14 @@ firmware-arm_scmi-fix-unused-notifier-block-in-unregister.patch
 revert-iommu-amd-skip-enabling-command-event-buffers-for-kdump.patch
 net-ethtool-fix-the-error-condition-in-ethtool_get_phy_stats_ethtool.patch
 usb-gadget-lpc32xx_udc-fix-clock-imbalance-in-error-path.patch
+atm-fix-dma_free_coherent-size.patch
+net-3com-3c59x-fix-possible-null-dereference-in-vortex_probe1.patch
+mei-me-add-nova-lake-point-s-did.patch
+lib-crypto-aes-fix-missing-mmu-protection-for-aes-s-box.patch
+drm-pl111-fix-error-handling-in-pl111_amba_probe.patch
+wifi-avoid-kernel-infoleak-from-struct-iw_point.patch
+libceph-prevent-potential-out-of-bounds-reads-in-handle_auth_done.patch
+libceph-replace-overzealous-bug_on-in-osdmap_apply_incremental.patch
+libceph-make-free_choose_arg_map-resilient-to-partial-allocation.patch
+libceph-return-the-handler-error-from-mon_handle_auth_done.patch
+libceph-make-calc_target-set-t-paused-not-just-clear-it.patch
diff --git a/queue-5.15/wifi-avoid-kernel-infoleak-from-struct-iw_point.patch b/queue-5.15/wifi-avoid-kernel-infoleak-from-struct-iw_point.patch
new file mode 100644
index 0000000000..3896aab15a
--- /dev/null
+++ b/queue-5.15/wifi-avoid-kernel-infoleak-from-struct-iw_point.patch
@@ -0,0 +1,59 @@
+From 21cbf883d073abbfe09e3924466aa5e0449e7261 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Thu, 8 Jan 2026 10:19:27 +0000
+Subject: wifi: avoid kernel-infoleak from struct iw_point
+
+From: Eric Dumazet
+
+commit 21cbf883d073abbfe09e3924466aa5e0449e7261 upstream.
+
+struct iw_point has a 32bit hole on 64bit arches.
+
+struct iw_point {
+ void __user *pointer; /* Pointer to the data (in user space) */
+ __u16 length; /* number of fields or size in bytes */
+ __u16 flags; /* Optional params */
+};
+
+Make sure to zero the structure to avoid disclosing 32bits of kernel data
+to user space.
+
+Fixes: 87de87d5e47f ("wext: Dispatch and handle compat ioctls entirely in net/wireless/wext.c")
+Reported-by: syzbot+bfc7323743ca6dbcc3d3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/695f83f3.050a0220.1c677c.0392.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260108101927.857582-1-edumazet@google.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/wext-core.c | 4 ++++
+ net/wireless/wext-priv.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/net/wireless/wext-core.c
++++ b/net/wireless/wext-core.c
+@@ -1084,6 +1084,10 @@ static int compat_standard_call(struct n
+ return ioctl_standard_call(dev, iwr, cmd, info, handler);
+
+ iwp_compat = (struct compat_iw_point *) &iwr->u.data;
++
++ /* struct iw_point has a 32bit hole on 64bit arches. */
++ memset(&iwp, 0, sizeof(iwp));
++
+ iwp.pointer = compat_ptr(iwp_compat->pointer);
+ iwp.length = iwp_compat->length;
+ iwp.flags = iwp_compat->flags;
+--- a/net/wireless/wext-priv.c
++++ b/net/wireless/wext-priv.c
+@@ -228,6 +228,10 @@ int compat_private_call(struct net_devic
+ struct iw_point iwp;
+
+ iwp_compat = (struct compat_iw_point *) &iwr->u.data;
++
++ /* struct iw_point has a 32bit hole on 64bit arches. */
++ memset(&iwp, 0, sizeof(iwp));
++
+ iwp.pointer = compat_ptr(iwp_compat->pointer);
+ iwp.length = iwp_compat->length;
+ iwp.flags = iwp_compat->flags;
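Review bot: The same conversion of a compat_iw_point into a zeroed iw_point now exists verbatim in both compat_standard_call() (wext-core.c) and compat_private_call() (wext-priv.c), comment included, and a future third caller is likely to copy the three assignments without the memset. A small shared helper in a wext-private header that does the memset and the three assignments would keep the zeroing in one place; for a stable backport the duplicated form is the safer minimal change, so this is a mainline follow-up rather than an objection to the fix. A designated initialiser would not be a substitute: C does not guarantee that brace initialisation zeroes padding bytes, which is exactly why the explicit memset is the right tool for an infoleak fix. Both functions start outside the hunk.
```c
/* Convert a compat_iw_point to an iw_point. struct iw_point has a 32bit
 * hole on 64bit arches, so zero it first to avoid leaking kernel data. */
static inline void iw_point_from_compat(struct iw_point *iwp,
					const struct compat_iw_point *c)
{
	memset(iwp, 0, sizeof(*iwp));
	iwp->pointer = compat_ptr(c->pointer);
	iwp->length = c->length;
	iwp->flags = c->flags;
}
```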