From: Greg Kroah-Hartman Date: Sun, 12 Apr 2026 05:20:20 +0000 (+0200) Subject: 6.18-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=391e3ff2c01d1229c1112e2ebb4d22b024e2567e;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: input-uinput-fix-circular-locking-dependency-with-ff-core.patch input-uinput-take-event-lock-when-submitting-ff-request-event.patch mptcp-fix-slab-use-after-free-in-__inet_lookup_established.patch net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch revert-alsa-hda-realtek-add-quirk-for-gigabyte-technology-to-fix-headphone.patch revert-mptcp-add-needs_id-for-netlink-appending-addr.patch seg6-separate-dst_cache-for-input-and-output-paths-in-seg6-lwtunnel.patch series usb-typec-ucsi-skip-connector-validation-before-init.patch wifi-rt2x00usb-fix-devres-lifetime.patch xfrm_user-fix-info-leak-in-build_report.patch --- diff --git a/queue-6.18/input-uinput-fix-circular-locking-dependency-with-ff-core.patch b/queue-6.18/input-uinput-fix-circular-locking-dependency-with-ff-core.patch new file mode 100644 index 0000000000..2f50db79e0 --- /dev/null +++ b/queue-6.18/input-uinput-fix-circular-locking-dependency-with-ff-core.patch @@ -0,0 +1,158 @@ +From 4cda78d6f8bf2b700529f2fbccb994c3e826d7c2 Mon Sep 17 00:00:00 2001 +From: Mikhail Gavrilov +Date: Tue, 7 Apr 2026 12:50:31 +0500 +Subject: Input: uinput - fix circular locking dependency with ff-core + +From: Mikhail Gavrilov + +commit 4cda78d6f8bf2b700529f2fbccb994c3e826d7c2 upstream. + +A lockdep circular locking dependency warning can be triggered +reproducibly when using a force-feedback gamepad with uinput (for +example, playing ELDEN RING under Wine with a Flydigi Vader 5 +controller): + + ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex + +The cycle is caused by four lock acquisition paths: + +1. ff upload: input_ff_upload() holds ff->mutex and calls + uinput_dev_upload_effect() -> uinput_request_submit() -> + uinput_request_send(), which acquires udev->mutex. + +2. device create: uinput_ioctl_handler() holds udev->mutex and calls + uinput_create_device() -> input_register_device(), which acquires + input_mutex. + +3. device register: input_register_device() holds input_mutex and + calls kbd_connect() -> input_register_handle(), which acquires + dev->mutex. + +4. evdev release: evdev_release() calls input_flush_device() under + dev->mutex, which calls input_ff_flush() acquiring ff->mutex. + +Fix this by introducing a new state_lock spinlock to protect +udev->state and udev->dev access in uinput_request_send() instead of +acquiring udev->mutex. The function only needs to atomically check +device state and queue an input event into the ring buffer via +uinput_dev_event() -- both operations are safe under a spinlock +(ktime_get_ts64() and wake_up_interruptible() do not sleep). This +breaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in +the lock ordering and cannot form cycles with mutexes. + +To keep state transitions visible to uinput_request_send(), protect +writes to udev->state in uinput_create_device() and +uinput_destroy_device() with the same state_lock spinlock. + +Additionally, move init_completion(&request->done) from +uinput_request_send() to uinput_request_submit() before +uinput_request_reserve_slot(). Once the slot is allocated, +uinput_flush_requests() may call complete() on it at any time from +the destroy path, so the completion must be initialised before the +request becomes visible. + +Lock ordering after the fix: + + ff->mutex -> state_lock (spinlock, leaf) + udev->mutex -> state_lock (spinlock, leaf) + udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge) + +Fixes: ff462551235d ("Input: uinput - switch to the new FF interface") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/CABXGCsMoxag+kEwHhb7KqhuyxfmGGd0P=tHZyb1uKE0pLr8Hkg@mail.gmail.com/ +Signed-off-by: Mikhail Gavrilov +Link: https://patch.msgid.link/20260407075031.38351-1-mikhail.v.gavrilov@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/misc/uinput.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -57,6 +57,7 @@ struct uinput_device { + struct input_dev *dev; + struct mutex mutex; + enum uinput_state state; ++ spinlock_t state_lock; + wait_queue_head_t waitq; + unsigned char ready; + unsigned char head; +@@ -146,19 +147,15 @@ static void uinput_request_release_slot( + static int uinput_request_send(struct uinput_device *udev, + struct uinput_request *request) + { +- int retval; ++ int retval = 0; + +- retval = mutex_lock_interruptible(&udev->mutex); +- if (retval) +- return retval; ++ spin_lock(&udev->state_lock); + + if (udev->state != UIST_CREATED) { + retval = -ENODEV; + goto out; + } + +- init_completion(&request->done); +- + /* + * Tell our userspace application about this new request + * by queueing an input event. +@@ -166,7 +163,7 @@ static int uinput_request_send(struct ui + uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id); + + out: +- mutex_unlock(&udev->mutex); ++ spin_unlock(&udev->state_lock); + return retval; + } + +@@ -175,6 +172,13 @@ static int uinput_request_submit(struct + { + int retval; + ++ /* ++ * Initialize completion before allocating the request slot. ++ * Once the slot is allocated, uinput_flush_requests() may ++ * complete it at any time, so it must be initialized first. ++ */ ++ init_completion(&request->done); ++ + retval = uinput_request_reserve_slot(udev, request); + if (retval) + return retval; +@@ -289,7 +293,14 @@ static void uinput_destroy_device(struct + struct input_dev *dev = udev->dev; + enum uinput_state old_state = udev->state; + ++ /* ++ * Update state under state_lock so that concurrent ++ * uinput_request_send() sees the state change before we ++ * flush pending requests and tear down the device. ++ */ ++ spin_lock(&udev->state_lock); + udev->state = UIST_NEW_DEVICE; ++ spin_unlock(&udev->state_lock); + + if (dev) { + name = dev->name; +@@ -366,7 +377,9 @@ static int uinput_create_device(struct u + if (error) + goto fail2; + ++ spin_lock(&udev->state_lock); + udev->state = UIST_CREATED; ++ spin_unlock(&udev->state_lock); + + return 0; + +@@ -384,6 +397,7 @@ static int uinput_open(struct inode *ino + return -ENOMEM; + + mutex_init(&newdev->mutex); ++ spin_lock_init(&newdev->state_lock); + spin_lock_init(&newdev->requests_lock); + init_waitqueue_head(&newdev->requests_waitq); + init_waitqueue_head(&newdev->waitq); diff --git a/queue-6.18/input-uinput-take-event-lock-when-submitting-ff-request-event.patch b/queue-6.18/input-uinput-take-event-lock-when-submitting-ff-request-event.patch new file mode 100644 index 0000000000..fa29756ada --- /dev/null +++ b/queue-6.18/input-uinput-take-event-lock-when-submitting-ff-request-event.patch @@ -0,0 +1,62 @@ +From ff14dafde15c11403fac61367a34fea08926e9ee Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Tue, 7 Apr 2026 22:16:27 -0700 +Subject: Input: uinput - take event lock when submitting FF request "event" + +From: Dmitry Torokhov + +commit ff14dafde15c11403fac61367a34fea08926e9ee upstream. + +To avoid racing with FF playback events and corrupting device's event +queue take event_lock spinlock when calling uinput_dev_event() when +submitting a FF upload or erase "event". + +Tested-by: Mikhail Gavrilov +Link: https://patch.msgid.link/adXkf6MWzlB8LA_s@google.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/misc/uinput.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -25,8 +25,10 @@ + #include + #include + #include ++#include + #include + #include ++#include + #include + #include "../input-compat.h" + +@@ -76,6 +78,8 @@ static int uinput_dev_event(struct input + struct uinput_device *udev = input_get_drvdata(dev); + struct timespec64 ts; + ++ lockdep_assert_held(&dev->event_lock); ++ + ktime_get_ts64(&ts); + + udev->buff[udev->head] = (struct input_event) { +@@ -147,6 +151,7 @@ static void uinput_request_release_slot( + static int uinput_request_send(struct uinput_device *udev, + struct uinput_request *request) + { ++ unsigned long flags; + int retval = 0; + + spin_lock(&udev->state_lock); +@@ -160,7 +165,9 @@ static int uinput_request_send(struct ui + * Tell our userspace application about this new request + * by queueing an input event. + */ ++ spin_lock_irqsave(&udev->dev->event_lock, flags); + uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id); ++ spin_unlock_irqrestore(&udev->dev->event_lock, flags); + + out: + spin_unlock(&udev->state_lock); diff --git a/queue-6.18/mptcp-fix-slab-use-after-free-in-__inet_lookup_established.patch b/queue-6.18/mptcp-fix-slab-use-after-free-in-__inet_lookup_established.patch new file mode 100644 index 0000000000..08206fd625 --- /dev/null +++ b/queue-6.18/mptcp-fix-slab-use-after-free-in-__inet_lookup_established.patch @@ -0,0 +1,101 @@ +From 9b55b253907e7431210483519c5ad711a37dafa1 Mon Sep 17 00:00:00 2001 +From: Jiayuan Chen +Date: Mon, 6 Apr 2026 11:15:10 +0800 +Subject: mptcp: fix slab-use-after-free in __inet_lookup_established + +From: Jiayuan Chen + +commit 9b55b253907e7431210483519c5ad711a37dafa1 upstream. + +The ehash table lookups are lockless and rely on +SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability +during RCU read-side critical sections. Both tcp_prot and +tcpv6_prot have their slab caches created with this flag +via proto_register(). + +However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into +tcpv6_prot_override during inet_init() (fs_initcall, level 5), +before inet6_init() (module_init/device_initcall, level 6) has +called proto_register(&tcpv6_prot). At that point, +tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab +remains NULL permanently. + +This causes MPTCP v6 subflow child sockets to be allocated via +kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab +cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so +when these sockets are freed without SOCK_RCU_FREE (which is +cleared for child sockets by design), the memory can be +immediately reused. Concurrent ehash lookups under +rcu_read_lock can then access freed memory, triggering a +slab-use-after-free in __inet_lookup_established. + +Fix this by splitting the IPv6-specific initialization out of +mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called +from mptcp_proto_v6_init() before protocol registration. This +ensures tcpv6_prot_override.slab correctly inherits the +SLAB_TYPESAFE_BY_RCU slab cache. + +Fixes: b19bc2945b40 ("mptcp: implement delegated actions") +Cc: stable@vger.kernel.org +Signed-off-by: Jiayuan Chen +Reviewed-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260406031512.189159-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 2 ++ + net/mptcp/protocol.h | 1 + + net/mptcp/subflow.c | 15 +++++++++------ + 3 files changed, 12 insertions(+), 6 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -4271,6 +4271,8 @@ int __init mptcp_proto_v6_init(void) + { + int err; + ++ mptcp_subflow_v6_init(); ++ + mptcp_v6_prot = mptcp_prot; + strscpy(mptcp_v6_prot.name, "MPTCPv6", sizeof(mptcp_v6_prot.name)); + mptcp_v6_prot.slab = NULL; +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -830,6 +830,7 @@ static inline void mptcp_subflow_tcp_fal + void __init mptcp_proto_init(void); + #if IS_ENABLED(CONFIG_MPTCP_IPV6) + int __init mptcp_proto_v6_init(void); ++void __init mptcp_subflow_v6_init(void); + #endif + + struct sock *mptcp_sk_clone_init(const struct sock *sk, +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -2145,7 +2145,15 @@ void __init mptcp_subflow_init(void) + tcp_prot_override.psock_update_sk_prot = NULL; + #endif + ++ mptcp_diag_subflow_init(&subflow_ulp_ops); ++ ++ if (tcp_register_ulp(&subflow_ulp_ops) != 0) ++ panic("MPTCP: failed to register subflows to ULP\n"); ++} ++ + #if IS_ENABLED(CONFIG_MPTCP_IPV6) ++void __init mptcp_subflow_v6_init(void) ++{ + /* In struct mptcp_subflow_request_sock, we assume the TCP request sock + * structures for v4 and v6 have the same size. It should not changed in + * the future but better to make sure to be warned if it is no longer +@@ -2184,10 +2192,5 @@ void __init mptcp_subflow_init(void) + /* Disable sockmap processing for subflows */ + tcpv6_prot_override.psock_update_sk_prot = NULL; + #endif +-#endif +- +- mptcp_diag_subflow_init(&subflow_ulp_ops); +- +- if (tcp_register_ulp(&subflow_ulp_ops) != 0) +- panic("MPTCP: failed to register subflows to ULP\n"); + } ++#endif diff --git a/queue-6.18/net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch b/queue-6.18/net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch new file mode 100644 index 0000000000..dc6b809083 --- /dev/null +++ b/queue-6.18/net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch @@ -0,0 +1,114 @@ +From ea245d78dec594372e27d8c79616baf49e98a4a1 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 30 Mar 2026 11:14:13 +0200 +Subject: net: rfkill: prevent unlimited numbers of rfkill events from being created + +From: Greg Kroah-Hartman + +commit ea245d78dec594372e27d8c79616baf49e98a4a1 upstream. + +Userspace can create an unlimited number of rfkill events if the system +is so configured, while not consuming them from the rfkill file +descriptor, causing a potential out of memory situation. Prevent this +from bounding the number of pending rfkill events at a "large" number +(i.e. 1000) to prevent abuses like this. + +Cc: Johannes Berg +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026033013-disfigure-scroll-e25e@gregkh +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/rfkill/core.c | 35 ++++++++++++++++++++++++----------- + 1 file changed, 24 insertions(+), 11 deletions(-) + +--- a/net/rfkill/core.c ++++ b/net/rfkill/core.c +@@ -73,11 +73,14 @@ struct rfkill_int_event { + struct rfkill_event_ext ev; + }; + ++/* Max rfkill events that can be "in-flight" for one data source */ ++#define MAX_RFKILL_EVENT 1000 + struct rfkill_data { + struct list_head list; + struct list_head events; + struct mutex mtx; + wait_queue_head_t read_wait; ++ u32 event_count; + bool input_handler; + u8 max_size; + }; +@@ -255,10 +258,12 @@ static void rfkill_global_led_trigger_un + } + #endif /* CONFIG_RFKILL_LEDS */ + +-static void rfkill_fill_event(struct rfkill_event_ext *ev, +- struct rfkill *rfkill, +- enum rfkill_operation op) ++static int rfkill_fill_event(struct rfkill_int_event *int_ev, ++ struct rfkill *rfkill, ++ struct rfkill_data *data, ++ enum rfkill_operation op) + { ++ struct rfkill_event_ext *ev = &int_ev->ev; + unsigned long flags; + + ev->idx = rfkill->idx; +@@ -271,6 +276,15 @@ static void rfkill_fill_event(struct rfk + RFKILL_BLOCK_SW_PREV)); + ev->hard_block_reasons = rfkill->hard_block_reasons; + spin_unlock_irqrestore(&rfkill->lock, flags); ++ ++ scoped_guard(mutex, &data->mtx) { ++ if (data->event_count++ > MAX_RFKILL_EVENT) { ++ data->event_count--; ++ return -ENOSPC; ++ } ++ list_add_tail(&int_ev->list, &data->events); ++ } ++ return 0; + } + + static void rfkill_send_events(struct rfkill *rfkill, enum rfkill_operation op) +@@ -282,10 +296,10 @@ static void rfkill_send_events(struct rf + ev = kzalloc(sizeof(*ev), GFP_KERNEL); + if (!ev) + continue; +- rfkill_fill_event(&ev->ev, rfkill, op); +- mutex_lock(&data->mtx); +- list_add_tail(&ev->list, &data->events); +- mutex_unlock(&data->mtx); ++ if (rfkill_fill_event(ev, rfkill, data, op)) { ++ kfree(ev); ++ continue; ++ } + wake_up_interruptible(&data->read_wait); + } + } +@@ -1186,10 +1200,8 @@ static int rfkill_fop_open(struct inode + if (!ev) + goto free; + rfkill_sync(rfkill); +- rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD); +- mutex_lock(&data->mtx); +- list_add_tail(&ev->list, &data->events); +- mutex_unlock(&data->mtx); ++ if (rfkill_fill_event(ev, rfkill, data, RFKILL_OP_ADD)) ++ kfree(ev); + } + list_add(&data->list, &rfkill_fds); + mutex_unlock(&rfkill_global_mutex); +@@ -1259,6 +1271,7 @@ static ssize_t rfkill_fop_read(struct fi + ret = -EFAULT; + + list_del(&ev->list); ++ data->event_count--; + kfree(ev); + out: + mutex_unlock(&data->mtx); diff --git a/queue-6.18/revert-alsa-hda-realtek-add-quirk-for-gigabyte-technology-to-fix-headphone.patch b/queue-6.18/revert-alsa-hda-realtek-add-quirk-for-gigabyte-technology-to-fix-headphone.patch new file mode 100644 index 0000000000..c037cf1917 --- /dev/null +++ b/queue-6.18/revert-alsa-hda-realtek-add-quirk-for-gigabyte-technology-to-fix-headphone.patch @@ -0,0 +1,59 @@ +From 8508e9118649f13f7b857e9e10147b241db615d7 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 7 Apr 2026 14:33:17 +0200 +Subject: Revert "ALSA: hda/realtek: Add quirk for Gigabyte Technology to fix headphone" + +From: Takashi Iwai + +commit 8508e9118649f13f7b857e9e10147b241db615d7 upstream. + +This reverts commit 56fbbe096a89ff4b52af78a21a4afd9d94bdcc80. + +It caused regressions on other Gigabyte models, and looking at the +bugzilla entry again, the suggested change appears rather dubious, as +incorrectly setting the front mic pin as the headphone. + +Fixes: 56fbbe096a89 ("ALSA: hda/realtek: Add quirk for Gigabyte Technology to fix headphone") +Cc: +Reported-by: Marcin Krycki +Reported-by: Theodoros Orfanidis +Closes: https://lore.kernel.org/CAEfRphPU_ABuVFzaHhspxgp2WAqi7kKNGo4yOOt0zeVFPSj8+Q@mail.gmail.com +Link: https://patch.msgid.link/20260407123333.171130-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/hda/codecs/realtek/alc662.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/sound/hda/codecs/realtek/alc662.c ++++ b/sound/hda/codecs/realtek/alc662.c +@@ -313,7 +313,6 @@ enum { + ALC897_FIXUP_HEADSET_MIC_PIN2, + ALC897_FIXUP_UNIS_H3C_X500S, + ALC897_FIXUP_HEADSET_MIC_PIN3, +- ALC897_FIXUP_H610M_HP_PIN, + }; + + static const struct hda_fixup alc662_fixups[] = { +@@ -767,13 +766,6 @@ static const struct hda_fixup alc662_fix + { } + }, + }, +- [ALC897_FIXUP_H610M_HP_PIN] = { +- .type = HDA_FIXUP_PINS, +- .v.pins = (const struct hda_pintbl[]) { +- { 0x19, 0x0321403f }, /* HP out */ +- { } +- }, +- }, + }; + + static const struct hda_quirk alc662_fixup_tbl[] = { +@@ -823,7 +815,6 @@ static const struct hda_quirk alc662_fix + SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT), + SND_PCI_QUIRK(0x105b, 0x0cd6, "Foxconn", ALC662_FIXUP_ASUS_MODE2), + SND_PCI_QUIRK(0x144d, 0xc051, "Samsung R720", ALC662_FIXUP_IDEAPAD), +- SND_PCI_QUIRK(0x1458, 0xa194, "H610M H V2 DDR4", ALC897_FIXUP_H610M_HP_PIN), + SND_PCI_QUIRK(0x14cd, 0x5003, "USI", ALC662_FIXUP_USI_HEADSET_MODE), + SND_PCI_QUIRK(0x17aa, 0x1036, "Lenovo P520", ALC662_FIXUP_LENOVO_MULTI_CODECS), + SND_PCI_QUIRK(0x17aa, 0x1057, "Lenovo P360", ALC897_FIXUP_HEADSET_MIC_PIN), diff --git a/queue-6.18/revert-mptcp-add-needs_id-for-netlink-appending-addr.patch b/queue-6.18/revert-mptcp-add-needs_id-for-netlink-appending-addr.patch new file mode 100644 index 0000000000..eaf07015ac --- /dev/null +++ b/queue-6.18/revert-mptcp-add-needs_id-for-netlink-appending-addr.patch @@ -0,0 +1,104 @@ +From 8e2760eaab778494fc1fa257031e0e1799647f46 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 7 Apr 2026 10:41:41 +0200 +Subject: Revert "mptcp: add needs_id for netlink appending addr" + +From: Matthieu Baerts (NGI0) + +commit 8e2760eaab778494fc1fa257031e0e1799647f46 upstream. + +This commit was originally adding the ability to add MPTCP endpoints +with ID 0 by accident. The in-kernel PM, handling MPTCP endpoints at the +net namespace level, is not supposed to handle endpoints with such ID, +because this ID 0 is reserved to the initial subflow, as mentioned in +the MPTCPv1 protocol [1], a per-connection setting. + +Note that 'ip mptcp endpoint add id 0' stops early with an error, but +other tools might still request the in-kernel PM to create MPTCP +endpoints with this restricted ID 0. + +In other words, it was wrong to call the mptcp_pm_has_addr_attr_id +helper to check whether the address ID attribute is set: if it was set +to 0, a new MPTCP endpoint would be created with ID 0, which is not +expected, and might cause various issues later. + +Fixes: 584f38942626 ("mptcp: add needs_id for netlink appending addr") +Cc: stable@vger.kernel.org +Link: https://datatracker.ietf.org/doc/html/rfc8684#section-3.2-9 [1] +Reviewed-by: Geliang Tang +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260407-net-mptcp-revert-pm-needs-id-v2-1-7a25cbc324f8@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_kernel.c | 24 +++++------------------- + 1 file changed, 5 insertions(+), 19 deletions(-) + +--- a/net/mptcp/pm_kernel.c ++++ b/net/mptcp/pm_kernel.c +@@ -710,7 +710,7 @@ static void __mptcp_pm_release_addr_entr + + static int mptcp_pm_nl_append_new_local_addr(struct pm_nl_pernet *pernet, + struct mptcp_pm_addr_entry *entry, +- bool needs_id, bool replace) ++ bool replace) + { + struct mptcp_pm_addr_entry *cur, *del_entry = NULL; + int ret = -EINVAL; +@@ -769,7 +769,7 @@ static int mptcp_pm_nl_append_new_local_ + } + } + +- if (!entry->addr.id && needs_id) { ++ if (!entry->addr.id) { + find_next: + entry->addr.id = find_next_zero_bit(pernet->id_bitmap, + MPTCP_PM_MAX_ADDR_ID + 1, +@@ -780,7 +780,7 @@ find_next: + } + } + +- if (!entry->addr.id && needs_id) ++ if (!entry->addr.id) + goto out; + + __set_bit(entry->addr.id, pernet->id_bitmap); +@@ -909,7 +909,7 @@ int mptcp_pm_nl_get_local_id(struct mptc + return -ENOMEM; + + entry->addr.port = 0; +- ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true, false); ++ ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, false); + if (ret < 0) + kfree(entry); + +@@ -963,18 +963,6 @@ next: + return 0; + } + +-static bool mptcp_pm_has_addr_attr_id(const struct nlattr *attr, +- struct genl_info *info) +-{ +- struct nlattr *tb[MPTCP_PM_ADDR_ATTR_MAX + 1]; +- +- if (!nla_parse_nested_deprecated(tb, MPTCP_PM_ADDR_ATTR_MAX, attr, +- mptcp_pm_address_nl_policy, info->extack) && +- tb[MPTCP_PM_ADDR_ATTR_ID]) +- return true; +- return false; +-} +- + /* Add an MPTCP endpoint */ + int mptcp_pm_nl_add_addr_doit(struct sk_buff *skb, struct genl_info *info) + { +@@ -1023,9 +1011,7 @@ int mptcp_pm_nl_add_addr_doit(struct sk_ + goto out_free; + } + } +- ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, +- !mptcp_pm_has_addr_attr_id(attr, info), +- true); ++ ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true); + if (ret < 0) { + GENL_SET_ERR_MSG_FMT(info, "too many addresses or duplicate one: %d", ret); + goto out_free; diff --git a/queue-6.18/seg6-separate-dst_cache-for-input-and-output-paths-in-seg6-lwtunnel.patch b/queue-6.18/seg6-separate-dst_cache-for-input-and-output-paths-in-seg6-lwtunnel.patch new file mode 100644 index 0000000000..0bfcba0df7 --- /dev/null +++ b/queue-6.18/seg6-separate-dst_cache-for-input-and-output-paths-in-seg6-lwtunnel.patch @@ -0,0 +1,120 @@ +From c3812651b522fe8437ebb7063b75ddb95b571643 Mon Sep 17 00:00:00 2001 +From: Andrea Mayer +Date: Sat, 4 Apr 2026 02:44:04 +0200 +Subject: seg6: separate dst_cache for input and output paths in seg6 lwtunnel + +From: Andrea Mayer + +commit c3812651b522fe8437ebb7063b75ddb95b571643 upstream. + +The seg6 lwtunnel uses a single dst_cache per encap route, shared +between seg6_input_core() and seg6_output_core(). These two paths +can perform the post-encap SID lookup in different routing contexts +(e.g., ip rules matching on the ingress interface, or VRF table +separation). Whichever path runs first populates the cache, and the +other reuses it blindly, bypassing its own lookup. + +Fix this by splitting the cache into cache_input and cache_output, +so each path maintains its own cached dst independently. + +Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") +Cc: stable@vger.kernel.org +Signed-off-by: Andrea Mayer +Reviewed-by: Nicolas Dichtel +Reviewed-by: Justin Iurman +Link: https://patch.msgid.link/20260404004405.4057-2-andrea.mayer@uniroma2.it +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/seg6_iptunnel.c | 34 +++++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +--- a/net/ipv6/seg6_iptunnel.c ++++ b/net/ipv6/seg6_iptunnel.c +@@ -48,7 +48,8 @@ static size_t seg6_lwt_headroom(struct s + } + + struct seg6_lwt { +- struct dst_cache cache; ++ struct dst_cache cache_input; ++ struct dst_cache cache_output; + struct seg6_iptunnel_encap tuninfo[]; + }; + +@@ -488,7 +489,7 @@ static int seg6_input_core(struct net *n + slwt = seg6_lwt_lwtunnel(lwtst); + + local_bh_disable(); +- dst = dst_cache_get(&slwt->cache); ++ dst = dst_cache_get(&slwt->cache_input); + local_bh_enable(); + + err = seg6_do_srh(skb, dst); +@@ -504,7 +505,7 @@ static int seg6_input_core(struct net *n + /* cache only if we don't create a dst reference loop */ + if (!dst->error && lwtst != dst->lwtstate) { + local_bh_disable(); +- dst_cache_set_ip6(&slwt->cache, dst, ++ dst_cache_set_ip6(&slwt->cache_input, dst, + &ipv6_hdr(skb)->saddr); + local_bh_enable(); + } +@@ -564,7 +565,7 @@ static int seg6_output_core(struct net * + slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate); + + local_bh_disable(); +- dst = dst_cache_get(&slwt->cache); ++ dst = dst_cache_get(&slwt->cache_output); + local_bh_enable(); + + err = seg6_do_srh(skb, dst); +@@ -591,7 +592,7 @@ static int seg6_output_core(struct net * + /* cache only if we don't create a dst reference loop */ + if (orig_dst->lwtstate != dst->lwtstate) { + local_bh_disable(); +- dst_cache_set_ip6(&slwt->cache, dst, &fl6.saddr); ++ dst_cache_set_ip6(&slwt->cache_output, dst, &fl6.saddr); + local_bh_enable(); + } + +@@ -701,11 +702,13 @@ static int seg6_build_state(struct net * + + slwt = seg6_lwt_lwtunnel(newts); + +- err = dst_cache_init(&slwt->cache, GFP_ATOMIC); +- if (err) { +- kfree(newts); +- return err; +- } ++ err = dst_cache_init(&slwt->cache_input, GFP_ATOMIC); ++ if (err) ++ goto err_free_newts; ++ ++ err = dst_cache_init(&slwt->cache_output, GFP_ATOMIC); ++ if (err) ++ goto err_destroy_input; + + memcpy(&slwt->tuninfo, tuninfo, tuninfo_len); + +@@ -720,11 +723,20 @@ static int seg6_build_state(struct net * + *ts = newts; + + return 0; ++ ++err_destroy_input: ++ dst_cache_destroy(&slwt->cache_input); ++err_free_newts: ++ kfree(newts); ++ return err; + } + + static void seg6_destroy_state(struct lwtunnel_state *lwt) + { +- dst_cache_destroy(&seg6_lwt_lwtunnel(lwt)->cache); ++ struct seg6_lwt *slwt = seg6_lwt_lwtunnel(lwt); ++ ++ dst_cache_destroy(&slwt->cache_input); ++ dst_cache_destroy(&slwt->cache_output); + } + + static int seg6_fill_encap_info(struct sk_buff *skb, diff --git a/queue-6.18/series b/queue-6.18/series new file mode 100644 index 0000000000..872b67d577 --- /dev/null +++ b/queue-6.18/series @@ -0,0 +1,10 @@ +usb-typec-ucsi-skip-connector-validation-before-init.patch +wifi-rt2x00usb-fix-devres-lifetime.patch +xfrm_user-fix-info-leak-in-build_report.patch +net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch +revert-alsa-hda-realtek-add-quirk-for-gigabyte-technology-to-fix-headphone.patch +revert-mptcp-add-needs_id-for-netlink-appending-addr.patch +mptcp-fix-slab-use-after-free-in-__inet_lookup_established.patch +seg6-separate-dst_cache-for-input-and-output-paths-in-seg6-lwtunnel.patch +input-uinput-fix-circular-locking-dependency-with-ff-core.patch +input-uinput-take-event-lock-when-submitting-ff-request-event.patch diff --git a/queue-6.18/usb-typec-ucsi-skip-connector-validation-before-init.patch b/queue-6.18/usb-typec-ucsi-skip-connector-validation-before-init.patch new file mode 100644 index 0000000000..10729798f6 --- /dev/null +++ b/queue-6.18/usb-typec-ucsi-skip-connector-validation-before-init.patch @@ -0,0 +1,41 @@ +From 5a1140404cbf7ba40137dfb1fb96893aa9a67d68 Mon Sep 17 00:00:00 2001 +From: Nathan Rebello +Date: Tue, 7 Apr 2026 02:39:58 -0400 +Subject: usb: typec: ucsi: skip connector validation before init + +From: Nathan Rebello + +commit 5a1140404cbf7ba40137dfb1fb96893aa9a67d68 upstream. + +Notifications can arrive before ucsi_init() has populated +ucsi->cap.num_connectors via GET_CAPABILITY. At that point +num_connectors is still 0, causing all valid connector numbers to be +incorrectly rejected as bogus. + +Skip the bounds check when num_connectors is 0 (not yet initialized). +Pre-init notifications are already handled safely by the early-event +guard in ucsi_connector_change(). + +Reported-by: Takashi Iwai +Fixes: d2d8c17ac01a ("usb: typec: ucsi: validate connector number in ucsi_notify_common()") +Cc: stable@vger.kernel.org +Signed-off-by: Nathan Rebello +Tested-by: Takashi Iwai +Link: https://patch.msgid.link/20260407063958.863-1-nathan.c.rebello@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -43,7 +43,8 @@ void ucsi_notify_common(struct ucsi *ucs + return; + + if (UCSI_CCI_CONNECTOR(cci)) { +- if (UCSI_CCI_CONNECTOR(cci) <= ucsi->cap.num_connectors) ++ if (!ucsi->cap.num_connectors || ++ UCSI_CCI_CONNECTOR(cci) <= ucsi->cap.num_connectors) + ucsi_connector_change(ucsi, UCSI_CCI_CONNECTOR(cci)); + else + dev_err(ucsi->dev, "bogus connector number in CCI: %lu\n", diff --git a/queue-6.18/wifi-rt2x00usb-fix-devres-lifetime.patch b/queue-6.18/wifi-rt2x00usb-fix-devres-lifetime.patch new file mode 100644 index 0000000000..9eb0cdc329 --- /dev/null +++ b/queue-6.18/wifi-rt2x00usb-fix-devres-lifetime.patch @@ -0,0 +1,41 @@ +From 25369b22223d1c56e42a0cd4ac9137349d5a898e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 27 Mar 2026 12:32:19 +0100 +Subject: wifi: rt2x00usb: fix devres lifetime + +From: Johan Hovold + +commit 25369b22223d1c56e42a0cd4ac9137349d5a898e upstream. + +USB drivers bind to USB interfaces and any device managed resources +should have their lifetime tied to the interface rather than parent USB +device. This avoids issues like memory leaks when drivers are unbound +without their devices being physically disconnected (e.g. on probe +deferral or configuration changes). + +Fix the USB anchor lifetime so that it is released on driver unbind. + +Fixes: 8b4c0009313f ("rt2x00usb: Use usb anchor to manage URB") +Cc: stable@vger.kernel.org # 4.7 +Cc: Vishal Thanki +Signed-off-by: Johan Hovold +Acked-by: Stanislaw Gruszka +Reviewed-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/20260327113219.1313748-1-johan@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ralink/rt2x00/rt2x00usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c +@@ -828,7 +828,7 @@ int rt2x00usb_probe(struct usb_interface + if (retval) + goto exit_free_device; + +- rt2x00dev->anchor = devm_kmalloc(&usb_dev->dev, ++ rt2x00dev->anchor = devm_kmalloc(&usb_intf->dev, + sizeof(struct usb_anchor), + GFP_KERNEL); + if (!rt2x00dev->anchor) { diff --git a/queue-6.18/xfrm_user-fix-info-leak-in-build_report.patch b/queue-6.18/xfrm_user-fix-info-leak-in-build_report.patch new file mode 100644 index 0000000000..d781dd6cd9 --- /dev/null +++ b/queue-6.18/xfrm_user-fix-info-leak-in-build_report.patch @@ -0,0 +1,40 @@ +From d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 6 Apr 2026 17:34:22 +0200 +Subject: xfrm_user: fix info leak in build_report() + +From: Greg Kroah-Hartman + +commit d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 upstream. + +struct xfrm_user_report is a __u8 proto field followed by a struct +xfrm_selector which means there is three "empty" bytes of padding, but +the padding is never zeroed before copying to userspace. Fix that up by +zeroing the structure before setting individual member variables. + +Cc: stable +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Simon Horman +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_user.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -4108,6 +4108,7 @@ static int build_report(struct sk_buff * + return -EMSGSIZE; + + ur = nlmsg_data(nlh); ++ memset(ur, 0, sizeof(*ur)); + ur->proto = proto; + memcpy(&ur->sel, sel, sizeof(ur->sel)); +