From: Greg Kroah-Hartman Date: Fri, 20 Mar 2026 09:01:23 +0000 (+0100) Subject: 6.12-stable patches X-Git-Tag: v6.1.167~93 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a83c96c7e45e111720bda106d9aa74b00f8e34d9;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: bluetooth-l2cap-fix-type-confusion-in-l2cap_ecred_reconf_rsp.patch bluetooth-l2cap-validate-l2cap_info_rsp-payload-length-before-access.patch hid-bpf-prevent-buffer-overflow-in-hid_hw_request.patch loongarch-give-more-information-if-kmem-access-failed.patch mac80211-fix-crash-in-ieee80211_chan_bw_change-for-ap_vlan-stations.patch net-macb-fix-use-after-free-access-to-ptp-clock.patch nfc-nxp-nci-allow-gpios-to-sleep.patch nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch nvdimm-bus-fix-potential-use-after-free-in-asynchronous-initialization.patch parisc-flush-correct-cache-in-cacheflush-syscall.patch selftests-hid-fix-compilation-when-bpf_wq-and-hid_device-are-not-exported.patch sunrpc-fix-cache_request-leak-in-cache_release.patch --- diff --git a/queue-6.12/bluetooth-l2cap-fix-type-confusion-in-l2cap_ecred_reconf_rsp.patch b/queue-6.12/bluetooth-l2cap-fix-type-confusion-in-l2cap_ecred_reconf_rsp.patch new file mode 100644 index 0000000000..41e2351d79 --- /dev/null +++ b/queue-6.12/bluetooth-l2cap-fix-type-confusion-in-l2cap_ecred_reconf_rsp.patch @@ -0,0 +1,59 @@ +From 15145675690cab2de1056e7ed68e59cbd0452529 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lukas=20Johannes=20M=C3=B6ller?= + +Date: Tue, 10 Mar 2026 21:59:46 +0000 +Subject: Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lukas Johannes Möller + +commit 15145675690cab2de1056e7ed68e59cbd0452529 upstream. + +l2cap_ecred_reconf_rsp() casts the incoming data to struct +l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with +result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes +with result at offset 0). + +This causes two problems: + + - The sizeof(*rsp) length check requires 8 bytes instead of the + correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected + with -EPROTO. + + - rsp->result reads from offset 6 instead of offset 0, returning + wrong data when the packet is large enough to pass the check. + +Fix by using the correct type. Also pass the already byte-swapped +result variable to BT_DBG instead of the raw __le16 field. + +Fixes: 15f02b910562 ("Bluetooth: L2CAP: Add initial code for Enhanced Credit Based Mode") +Cc: stable@vger.kernel.org +Signed-off-by: Lukas Johannes Möller +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -5373,7 +5373,7 @@ static inline int l2cap_ecred_reconf_rsp + u8 *data) + { + struct l2cap_chan *chan, *tmp; +- struct l2cap_ecred_conn_rsp *rsp = (void *) data; ++ struct l2cap_ecred_reconf_rsp *rsp = (void *)data; + u16 result; + + if (cmd_len < sizeof(*rsp)) +@@ -5381,7 +5381,7 @@ static inline int l2cap_ecred_reconf_rsp + + result = __le16_to_cpu(rsp->result); + +- BT_DBG("result 0x%4.4x", rsp->result); ++ BT_DBG("result 0x%4.4x", result); + + if (!result) + return 0; diff --git a/queue-6.12/bluetooth-l2cap-validate-l2cap_info_rsp-payload-length-before-access.patch b/queue-6.12/bluetooth-l2cap-validate-l2cap_info_rsp-payload-length-before-access.patch new file mode 100644 index 0000000000..349afd0c11 --- /dev/null +++ b/queue-6.12/bluetooth-l2cap-validate-l2cap_info_rsp-payload-length-before-access.patch @@ -0,0 +1,63 @@ +From dd815e6e3918dc75a49aaabac36e4f024d675101 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lukas=20Johannes=20M=C3=B6ller?= + +Date: Tue, 10 Mar 2026 21:59:47 +0000 +Subject: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lukas Johannes Möller + +commit dd815e6e3918dc75a49aaabac36e4f024d675101 upstream. + +l2cap_information_rsp() checks that cmd_len covers the fixed +l2cap_info_rsp header (type + result, 4 bytes) but then reads +rsp->data without verifying that the payload is present: + + - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads + 4 bytes past the header (needs cmd_len >= 8). + + - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header + (needs cmd_len >= 5). + +A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an +out-of-bounds read of adjacent skb data. + +Guard each data access with the required payload length check. If the +payload is too short, skip the read and let the state machine complete +with safe defaults (feat_mask and remote_fixed_chan remain zero from +kzalloc), so the info timer cleanup and l2cap_conn_start() still run +and the connection is not stalled. + +Fixes: 4e8402a3f884 ("[Bluetooth] Retrieve L2CAP features mask on connection setup") +Cc: stable@vger.kernel.org +Signed-off-by: Lukas Johannes Möller +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4587,7 +4587,8 @@ static inline int l2cap_information_rsp( + + switch (type) { + case L2CAP_IT_FEAT_MASK: +- conn->feat_mask = get_unaligned_le32(rsp->data); ++ if (cmd_len >= sizeof(*rsp) + sizeof(u32)) ++ conn->feat_mask = get_unaligned_le32(rsp->data); + + if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) { + struct l2cap_info_req req; +@@ -4606,7 +4607,8 @@ static inline int l2cap_information_rsp( + break; + + case L2CAP_IT_FIXED_CHAN: +- conn->remote_fixed_chan = rsp->data[0]; ++ if (cmd_len >= sizeof(*rsp) + sizeof(rsp->data[0])) ++ conn->remote_fixed_chan = rsp->data[0]; + conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE; + conn->info_ident = 0; + diff --git a/queue-6.12/hid-bpf-prevent-buffer-overflow-in-hid_hw_request.patch b/queue-6.12/hid-bpf-prevent-buffer-overflow-in-hid_hw_request.patch new file mode 100644 index 0000000000..4f724f2dd4 --- /dev/null +++ b/queue-6.12/hid-bpf-prevent-buffer-overflow-in-hid_hw_request.patch @@ -0,0 +1,35 @@ +From 2b658c1c442ec1cd9eec5ead98d68662c40fe645 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Fri, 13 Mar 2026 08:40:25 +0100 +Subject: HID: bpf: prevent buffer overflow in hid_hw_request + +From: Benjamin Tissoires + +commit 2b658c1c442ec1cd9eec5ead98d68662c40fe645 upstream. + +right now the returned value is considered to be always valid. However, +when playing with HID-BPF, the return value can be arbitrary big, +because it's the return value of dispatch_hid_bpf_raw_requests(), which +calls the struct_ops and we have no guarantees that the value makes +sense. + +Fixes: 8bd0488b5ea5 ("HID: bpf: add HID-BPF hooks for hid_hw_raw_requests") +Cc: stable@vger.kernel.org +Acked-by: Jiri Kosina +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/bpf/hid_bpf_dispatch.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/hid/bpf/hid_bpf_dispatch.c ++++ b/drivers/hid/bpf/hid_bpf_dispatch.c +@@ -450,6 +450,8 @@ hid_bpf_hw_request(struct hid_bpf_ctx *c + (u64)(long)ctx, + true); /* prevent infinite recursions */ + ++ if (ret > size) ++ ret = size; + if (ret > 0) + memcpy(buf, dma_data, ret); + diff --git a/queue-6.12/loongarch-give-more-information-if-kmem-access-failed.patch b/queue-6.12/loongarch-give-more-information-if-kmem-access-failed.patch new file mode 100644 index 0000000000..0b32a22923 --- /dev/null +++ b/queue-6.12/loongarch-give-more-information-if-kmem-access-failed.patch @@ -0,0 +1,64 @@ +From a47f0754bdd01f971c9715acdbdd3a07515c8f83 Mon Sep 17 00:00:00 2001 +From: Tiezhu Yang +Date: Mon, 16 Mar 2026 10:36:01 +0800 +Subject: LoongArch: Give more information if kmem access failed + +From: Tiezhu Yang + +commit a47f0754bdd01f971c9715acdbdd3a07515c8f83 upstream. + +If memory access such as copy_{from, to}_kernel_nofault() failed, its +users do not know what happened, so it is very useful to print the +exception code for such cases. Furthermore, it is better to print the +caller function to know where is the entry. + +Here are the low level call chains: + + copy_from_kernel_nofault() + copy_from_kernel_nofault_loop() + __get_kernel_nofault() + + copy_to_kernel_nofault() + copy_to_kernel_nofault_loop() + __put_kernel_nofault() + +Cc: stable@vger.kernel.org +Signed-off-by: Tiezhu Yang +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/include/asm/uaccess.h | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/arch/loongarch/include/asm/uaccess.h ++++ b/arch/loongarch/include/asm/uaccess.h +@@ -196,8 +196,13 @@ do { \ + \ + __get_kernel_common(*((type *)(dst)), sizeof(type), \ + (__force type *)(src)); \ +- if (unlikely(__gu_err)) \ ++ if (unlikely(__gu_err)) { \ ++ pr_info("%s: memory access failed, ecode 0x%x\n", \ ++ __func__, read_csr_excode()); \ ++ pr_info("%s: the caller is %pS\n", \ ++ __func__, __builtin_return_address(0)); \ + goto err_label; \ ++ } \ + } while (0) + + #define __put_kernel_nofault(dst, src, type, err_label) \ +@@ -207,8 +212,13 @@ do { \ + \ + __pu_val = *(__force type *)(src); \ + __put_kernel_common(((type *)(dst)), sizeof(type)); \ +- if (unlikely(__pu_err)) \ ++ if (unlikely(__pu_err)) { \ ++ pr_info("%s: memory access failed, ecode 0x%x\n", \ ++ __func__, read_csr_excode()); \ ++ pr_info("%s: the caller is %pS\n", \ ++ __func__, __builtin_return_address(0)); \ + goto err_label; \ ++ } \ + } while (0) + + extern unsigned long __copy_user(void *to, const void *from, __kernel_size_t n); diff --git a/queue-6.12/mac80211-fix-crash-in-ieee80211_chan_bw_change-for-ap_vlan-stations.patch b/queue-6.12/mac80211-fix-crash-in-ieee80211_chan_bw_change-for-ap_vlan-stations.patch new file mode 100644 index 0000000000..de236b8142 --- /dev/null +++ b/queue-6.12/mac80211-fix-crash-in-ieee80211_chan_bw_change-for-ap_vlan-stations.patch @@ -0,0 +1,51 @@ +From 672e5229e1ecfc2a3509b53adcb914d8b024a853 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Thu, 5 Mar 2026 17:08:12 +0000 +Subject: mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations + +From: Felix Fietkau + +commit 672e5229e1ecfc2a3509b53adcb914d8b024a853 upstream. + +ieee80211_chan_bw_change() iterates all stations and accesses +link->reserved.oper via sta->sdata->link[link_id]. For stations on +AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to +the VLAN sdata, whose link never participates in chanctx reservations. +This leaves link->reserved.oper zero-initialized with chan == NULL, +causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw() +when accessing chandef->chan->band during CSA. + +Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata() +before accessing link data. + +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Link: https://patch.msgid.link/20260305170812.2904208-1-nbd@nbd.name +[also change sta->sdata in ARRAY_SIZE even if it doesn't matter] +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/chan.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/mac80211/chan.c ++++ b/net/mac80211/chan.c +@@ -423,14 +423,16 @@ static void ieee80211_chan_bw_change(str + rcu_read_lock(); + list_for_each_entry_rcu(sta, &local->sta_list, + list) { +- struct ieee80211_sub_if_data *sdata = sta->sdata; ++ struct ieee80211_sub_if_data *sdata; + enum ieee80211_sta_rx_bandwidth new_sta_bw; + unsigned int link_id; + + if (!ieee80211_sdata_running(sta->sdata)) + continue; + +- for (link_id = 0; link_id < ARRAY_SIZE(sta->sdata->link); link_id++) { ++ sdata = get_bss_sdata(sta->sdata); ++ ++ for (link_id = 0; link_id < ARRAY_SIZE(sdata->link); link_id++) { + struct ieee80211_link_data *link = + rcu_dereference(sdata->link[link_id]); + struct ieee80211_bss_conf *link_conf; diff --git a/queue-6.12/net-macb-fix-use-after-free-access-to-ptp-clock.patch b/queue-6.12/net-macb-fix-use-after-free-access-to-ptp-clock.patch new file mode 100644 index 0000000000..56f449cdc1 --- /dev/null +++ b/queue-6.12/net-macb-fix-use-after-free-access-to-ptp-clock.patch @@ -0,0 +1,128 @@ +From 8da13e6d63c1a97f7302d342c89c4a56a55c7015 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Mon, 16 Mar 2026 13:38:24 +0300 +Subject: net: macb: fix use-after-free access to PTP clock + +From: Fedor Pchelkin + +commit 8da13e6d63c1a97f7302d342c89c4a56a55c7015 upstream. + +PTP clock is registered on every opening of the interface and destroyed on +every closing. However it may be accessed via get_ts_info ethtool call +which is possible while the interface is just present in the kernel. + +BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426 +Read of size 4 at addr ffff8880194345cc by task syz.0.6/948 + +CPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:316 [inline] + print_report+0x17f/0x496 mm/kasan/report.c:420 + kasan_report+0xd9/0x180 mm/kasan/report.c:524 + ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426 + gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349 + macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371 + __ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558 + ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline] + __dev_ethtool net/ethtool/ioctl.c:3017 [inline] + dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095 + dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510 + sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215 + sock_ioctl+0x577/0x6d0 net/socket.c:1320 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:46 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + + +Allocated by task 457: + kmalloc include/linux/slab.h:563 [inline] + kzalloc include/linux/slab.h:699 [inline] + ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235 + gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375 + macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920 + __dev_open+0x2ce/0x500 net/core/dev.c:1501 + __dev_change_flags+0x56a/0x740 net/core/dev.c:8651 + dev_change_flags+0x92/0x170 net/core/dev.c:8722 + do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833 + __rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608 + rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655 + rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150 + netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511 + netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] + netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344 + netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872 + sock_sendmsg_nosec net/socket.c:718 [inline] + __sock_sendmsg+0x14b/0x180 net/socket.c:730 + __sys_sendto+0x320/0x3b0 net/socket.c:2152 + __do_sys_sendto net/socket.c:2164 [inline] + __se_sys_sendto net/socket.c:2160 [inline] + __x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160 + do_syscall_x64 arch/x86/entry/common.c:46 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +Freed by task 938: + kasan_slab_free include/linux/kasan.h:177 [inline] + slab_free_hook mm/slub.c:1729 [inline] + slab_free_freelist_hook mm/slub.c:1755 [inline] + slab_free mm/slub.c:3687 [inline] + __kmem_cache_free+0xbc/0x320 mm/slub.c:3700 + device_release+0xa0/0x240 drivers/base/core.c:2507 + kobject_cleanup lib/kobject.c:681 [inline] + kobject_release lib/kobject.c:712 [inline] + kref_put include/linux/kref.h:65 [inline] + kobject_put+0x1cd/0x350 lib/kobject.c:729 + put_device+0x1b/0x30 drivers/base/core.c:3805 + ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391 + gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404 + macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966 + __dev_close_many+0x1b9/0x310 net/core/dev.c:1585 + __dev_close net/core/dev.c:1597 [inline] + __dev_change_flags+0x2bb/0x740 net/core/dev.c:8649 + dev_change_flags+0x92/0x170 net/core/dev.c:8722 + dev_ifsioc+0x151/0xe00 net/core/dev_ioctl.c:326 + dev_ioctl+0x33e/0x1070 net/core/dev_ioctl.c:572 + sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215 + sock_ioctl+0x577/0x6d0 net/socket.c:1320 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:870 [inline] + __se_sys_ioctl fs/ioctl.c:856 [inline] + __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:46 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +Set the PTP clock pointer to NULL after unregistering. + +Fixes: c2594d804d5c ("macb: Common code to enable ptp support for MACB/GEM") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Link: https://patch.msgid.link/20260316103826.74506-1-pchelkin@ispras.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cadence/macb_ptp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/cadence/macb_ptp.c ++++ b/drivers/net/ethernet/cadence/macb_ptp.c +@@ -355,8 +355,10 @@ void gem_ptp_remove(struct net_device *n + { + struct macb *bp = netdev_priv(ndev); + +- if (bp->ptp_clock) ++ if (bp->ptp_clock) { + ptp_clock_unregister(bp->ptp_clock); ++ bp->ptp_clock = NULL; ++ } + + gem_ptp_clear_timer(bp); + diff --git a/queue-6.12/nfc-nxp-nci-allow-gpios-to-sleep.patch b/queue-6.12/nfc-nxp-nci-allow-gpios-to-sleep.patch new file mode 100644 index 0000000000..a129ecc39a --- /dev/null +++ b/queue-6.12/nfc-nxp-nci-allow-gpios-to-sleep.patch @@ -0,0 +1,41 @@ +From 55dc632ab2ac2889b15995a9eef56c753d48ebc7 Mon Sep 17 00:00:00 2001 +From: Ian Ray +Date: Tue, 17 Mar 2026 10:53:36 +0200 +Subject: NFC: nxp-nci: allow GPIOs to sleep + +From: Ian Ray + +commit 55dc632ab2ac2889b15995a9eef56c753d48ebc7 upstream. + +Allow the firmware and enable GPIOs to sleep. + +This fixes a `WARN_ON' and allows the driver to operate GPIOs which are +connected to I2C GPIO expanders. + +-- >8 -- +kernel: WARNING: CPU: 3 PID: 2636 at drivers/gpio/gpiolib.c:3880 gpiod_set_value+0x88/0x98 +-- >8 -- + +Fixes: 43201767b44c ("NFC: nxp-nci: Convert to use GPIO descriptor") +Cc: stable@vger.kernel.org +Signed-off-by: Ian Ray +Link: https://patch.msgid.link/20260317085337.146545-1-ian.ray@gehealthcare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/nxp-nci/i2c.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/nfc/nxp-nci/i2c.c ++++ b/drivers/nfc/nxp-nci/i2c.c +@@ -47,8 +47,8 @@ static int nxp_nci_i2c_set_mode(void *ph + { + struct nxp_nci_i2c_phy *phy = (struct nxp_nci_i2c_phy *) phy_id; + +- gpiod_set_value(phy->gpiod_fw, (mode == NXP_NCI_MODE_FW) ? 1 : 0); +- gpiod_set_value(phy->gpiod_en, (mode != NXP_NCI_MODE_COLD) ? 1 : 0); ++ gpiod_set_value_cansleep(phy->gpiod_fw, (mode == NXP_NCI_MODE_FW) ? 1 : 0); ++ gpiod_set_value_cansleep(phy->gpiod_en, (mode != NXP_NCI_MODE_COLD) ? 1 : 0); + usleep_range(10000, 15000); + + if (mode == NXP_NCI_MODE_COLD) diff --git a/queue-6.12/nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch b/queue-6.12/nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch new file mode 100644 index 0000000000..ae679179be --- /dev/null +++ b/queue-6.12/nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch @@ -0,0 +1,92 @@ +From 5133b61aaf437e5f25b1b396b14242a6bb0508e2 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Tue, 24 Feb 2026 11:33:35 -0500 +Subject: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache + +From: Jeff Layton + +commit 5133b61aaf437e5f25b1b396b14242a6bb0508e2 upstream. + +The NFSv4.0 replay cache uses a fixed 112-byte inline buffer +(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. +This size was calculated based on OPEN responses and does not account +for LOCK denied responses, which include the conflicting lock owner as +a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT). + +When a LOCK operation is denied due to a conflict with an existing lock +that has a large owner, nfsd4_encode_operation() copies the full encoded +response into the undersized replay buffer via read_bytes_from_xdr_buf() +with no bounds check. This results in a slab-out-of-bounds write of up +to 944 bytes past the end of the buffer, corrupting adjacent heap memory. + +This can be triggered remotely by an unauthenticated attacker with two +cooperating NFSv4.0 clients: one sets a lock with a large owner string, +then the other requests a conflicting lock to provoke the denial. + +We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full +opaque, but that would increase the size of every stateowner, when most +lockowners are not that large. + +Instead, fix this by checking the encoded response length against +NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the +response is too large, set rp_buflen to 0 to skip caching the replay +payload. The status is still cached, and the client already received the +correct response on the original request. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@kernel.org +Reported-by: Nicholas Carlini +Tested-by: Nicholas Carlini +Signed-off-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4xdr.c | 9 +++++++-- + fs/nfsd/state.h | 17 ++++++++++++----- + 2 files changed, 19 insertions(+), 7 deletions(-) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -5809,9 +5809,14 @@ nfsd4_encode_operation(struct nfsd4_comp + int len = xdr->buf->len - (op_status_offset + XDR_UNIT); + + so->so_replay.rp_status = op->status; +- so->so_replay.rp_buflen = len; +- read_bytes_from_xdr_buf(xdr->buf, op_status_offset + XDR_UNIT, ++ if (len <= NFSD4_REPLAY_ISIZE) { ++ so->so_replay.rp_buflen = len; ++ read_bytes_from_xdr_buf(xdr->buf, ++ op_status_offset + XDR_UNIT, + so->so_replay.rp_buf, len); ++ } else { ++ so->so_replay.rp_buflen = 0; ++ } + } + status: + op->status = nfsd4_map_status(op->status, +--- a/fs/nfsd/state.h ++++ b/fs/nfsd/state.h +@@ -473,11 +473,18 @@ struct nfs4_client_reclaim { + struct xdr_netobj cr_princhash; + }; + +-/* A reasonable value for REPLAY_ISIZE was estimated as follows: +- * The OPEN response, typically the largest, requires +- * 4(status) + 8(stateid) + 20(changeinfo) + 4(rflags) + 8(verifier) + +- * 4(deleg. type) + 8(deleg. stateid) + 4(deleg. recall flag) + +- * 20(deleg. space limit) + ~32(deleg. ace) = 112 bytes ++/* ++ * REPLAY_ISIZE is sized for an OPEN response with delegation: ++ * 4(status) + 8(stateid) + 20(changeinfo) + 4(rflags) + ++ * 8(verifier) + 4(deleg. type) + 8(deleg. stateid) + ++ * 4(deleg. recall flag) + 20(deleg. space limit) + ++ * ~32(deleg. ace) = 112 bytes ++ * ++ * Some responses can exceed this. A LOCK denial includes the conflicting ++ * lock owner, which can be up to 1024 bytes (NFS4_OPAQUE_LIMIT). Responses ++ * larger than REPLAY_ISIZE are not cached in rp_ibuf; only rp_status is ++ * saved. Enlarging this constant increases the size of every ++ * nfs4_stateowner. + */ + + #define NFSD4_REPLAY_ISIZE 112 diff --git a/queue-6.12/nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch b/queue-6.12/nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch new file mode 100644 index 0000000000..32c2204178 --- /dev/null +++ b/queue-6.12/nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch @@ -0,0 +1,80 @@ +From e7fcf179b82d3a3730fd8615da01b087cc654d0b Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Thu, 19 Feb 2026 16:50:17 -0500 +Subject: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd + +From: Chuck Lever + +commit e7fcf179b82d3a3730fd8615da01b087cc654d0b upstream. + +The /proc/fs/nfs/exports proc entry is created at module init +and persists for the module's lifetime. exports_proc_open() +captures the caller's current network namespace and stores +its svc_export_cache in seq->private, but takes no reference +on the namespace. If the namespace is subsequently torn down +(e.g. container destruction after the opener does setns() to a +different namespace), nfsd_net_exit() calls nfsd_export_shutdown() +which frees the cache. Subsequent reads on the still-open fd +dereference the freed cache_detail, walking a freed hash table. + +Hold a reference on the struct net for the lifetime of the open +file descriptor. This prevents nfsd_net_exit() from running -- +and thus prevents nfsd_export_shutdown() from freeing the cache +-- while any exports fd is open. cache_detail already stores +its net pointer (cd->net, set by cache_create_net()), so +exports_release() can retrieve it without additional per-file +storage. + +Reported-by: Misbah Anjum N +Closes: https://lore.kernel.org/linux-nfs/dcd371d3a95815a84ba7de52cef447b8@linux.ibm.com/ +Fixes: 96d851c4d28d ("nfsd: use proper net while reading "exports" file") +Cc: stable@vger.kernel.org +Reviewed-by: Jeff Layton +Reviewed-by: NeilBrown +Tested-by: Olga Kornievskaia +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfsctl.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -152,9 +152,19 @@ static int exports_net_open(struct net * + + seq = file->private_data; + seq->private = nn->svc_export_cache; ++ get_net(net); + return 0; + } + ++static int exports_release(struct inode *inode, struct file *file) ++{ ++ struct seq_file *seq = file->private_data; ++ struct cache_detail *cd = seq->private; ++ ++ put_net(cd->net); ++ return seq_release(inode, file); ++} ++ + static int exports_nfsd_open(struct inode *inode, struct file *file) + { + return exports_net_open(inode->i_sb->s_fs_info, file); +@@ -164,7 +174,7 @@ static const struct file_operations expo + .open = exports_nfsd_open, + .read = seq_read, + .llseek = seq_lseek, +- .release = seq_release, ++ .release = exports_release, + }; + + static int export_features_show(struct seq_file *m, void *v) +@@ -1456,7 +1466,7 @@ static const struct proc_ops exports_pro + .proc_open = exports_proc_open, + .proc_read = seq_read, + .proc_lseek = seq_lseek, +- .proc_release = seq_release, ++ .proc_release = exports_release, + }; + + static int create_proc_exports_entry(void) diff --git a/queue-6.12/nvdimm-bus-fix-potential-use-after-free-in-asynchronous-initialization.patch b/queue-6.12/nvdimm-bus-fix-potential-use-after-free-in-asynchronous-initialization.patch new file mode 100644 index 0000000000..93d2fb2f4e --- /dev/null +++ b/queue-6.12/nvdimm-bus-fix-potential-use-after-free-in-asynchronous-initialization.patch @@ -0,0 +1,55 @@ +From a8aec14230322ed8f1e8042b6d656c1631d41163 Mon Sep 17 00:00:00 2001 +From: Ira Weiny +Date: Fri, 6 Mar 2026 12:33:05 -0600 +Subject: nvdimm/bus: Fix potential use after free in asynchronous initialization + +From: Ira Weiny + +commit a8aec14230322ed8f1e8042b6d656c1631d41163 upstream. + +Dingisoul with KASAN reports a use after free if device_add() fails in +nd_async_device_register(). + +Commit b6eae0f61db2 ("libnvdimm: Hold reference on parent while +scheduling async init") correctly added a reference on the parent device +to be held until asynchronous initialization was complete. However, if +device_add() results in an allocation failure the ref count of the +device drops to 0 prior to the parent pointer being accessed. Thus +resulting in use after free. + +The bug bot AI correctly identified the fix. Save a reference to the +parent pointer to be used to drop the parent reference regardless of the +outcome of device_add(). + +Reported-by: Dingisoul +Closes: http://lore.kernel.org/8855544b-be9e-4153-aa55-0bc328b13733@gmail.com +Fixes: b6eae0f61db2 ("libnvdimm: Hold reference on parent while scheduling async init") +Cc: stable@vger.kernel.org +Reviewed-by: Dave Jiang +Link: https://patch.msgid.link/20260306-fix-uaf-async-init-v1-1-a28fd7526723@intel.com +Signed-off-by: Ira Weiny +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvdimm/bus.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/nvdimm/bus.c ++++ b/drivers/nvdimm/bus.c +@@ -489,14 +489,15 @@ EXPORT_SYMBOL_GPL(nd_synchronize); + static void nd_async_device_register(void *d, async_cookie_t cookie) + { + struct device *dev = d; ++ struct device *parent = dev->parent; + + if (device_add(dev) != 0) { + dev_err(dev, "%s: failed\n", __func__); + put_device(dev); + } + put_device(dev); +- if (dev->parent) +- put_device(dev->parent); ++ if (parent) ++ put_device(parent); + } + + static void nd_async_device_unregister(void *d, async_cookie_t cookie) diff --git a/queue-6.12/parisc-flush-correct-cache-in-cacheflush-syscall.patch b/queue-6.12/parisc-flush-correct-cache-in-cacheflush-syscall.patch new file mode 100644 index 0000000000..5db07988ca --- /dev/null +++ b/queue-6.12/parisc-flush-correct-cache-in-cacheflush-syscall.patch @@ -0,0 +1,51 @@ +From 2c98a8fbd6aa647414c6248dacf254ebe91c79ad Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Mon, 9 Mar 2026 15:16:37 +0100 +Subject: parisc: Flush correct cache in cacheflush() syscall + +From: Helge Deller + +commit 2c98a8fbd6aa647414c6248dacf254ebe91c79ad upstream. + +The assembly flush instructions were swapped for I- and D-cache flags: + +SYSCALL_DEFINE3(cacheflush, ...) +{ + if (cache & DCACHE) { + "fic ...\n" + } + if (cache & ICACHE && error == 0) { + "fdc ...\n" + } + +Fix it by using fdc for DCACHE, and fic for ICACHE flushing. + +Reported-by: Felix Lechner +Fixes: c6d96328fecd ("parisc: Add cacheflush() syscall") +Cc: # v6.5+ +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/parisc/kernel/cache.c ++++ b/arch/parisc/kernel/cache.c +@@ -953,7 +953,7 @@ SYSCALL_DEFINE3(cacheflush, unsigned lon + #else + "1: cmpb,<<,n %0,%2,1b\n" + #endif +- " fic,m %3(%4,%0)\n" ++ " fdc,m %3(%4,%0)\n" + "2: sync\n" + ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 2b, "%1") + : "+r" (start), "+r" (error) +@@ -968,7 +968,7 @@ SYSCALL_DEFINE3(cacheflush, unsigned lon + #else + "1: cmpb,<<,n %0,%2,1b\n" + #endif +- " fdc,m %3(%4,%0)\n" ++ " fic,m %3(%4,%0)\n" + "2: sync\n" + ASM_EXCEPTIONTABLE_ENTRY_EFAULT(1b, 2b, "%1") + : "+r" (start), "+r" (error) diff --git a/queue-6.12/selftests-hid-fix-compilation-when-bpf_wq-and-hid_device-are-not-exported.patch b/queue-6.12/selftests-hid-fix-compilation-when-bpf_wq-and-hid_device-are-not-exported.patch new file mode 100644 index 0000000000..cb676f1e9c --- /dev/null +++ b/queue-6.12/selftests-hid-fix-compilation-when-bpf_wq-and-hid_device-are-not-exported.patch @@ -0,0 +1,69 @@ +From 5d4c6c132ea9a967d48890dd03e6a786c060e968 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Fri, 13 Mar 2026 08:40:24 +0100 +Subject: selftests/hid: fix compilation when bpf_wq and hid_device are not exported +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benjamin Tissoires + +commit 5d4c6c132ea9a967d48890dd03e6a786c060e968 upstream. + +This can happen in situations when CONFIG_HID_SUPPORT is set to no, or +some complex situations where struct bpf_wq is not exported. + +So do the usual dance of hiding them before including vmlinux.h, and +then redefining them and make use of CO-RE to have the correct offsets. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202603111558.KLCIxsZB-lkp@intel.com/ +Fixes: fe8d561db3e8 ("selftests/hid: add wq test for hid_bpf_input_report()") +Cc: stable@vger.kernel.org +Acked-by: Jiri Kosina +Reviewed-by: Thomas Weißschuh +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/hid/progs/hid_bpf_helpers.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/tools/testing/selftests/hid/progs/hid_bpf_helpers.h ++++ b/tools/testing/selftests/hid/progs/hid_bpf_helpers.h +@@ -6,8 +6,10 @@ + #define __HID_BPF_HELPERS_H + + /* "undefine" structs and enums in vmlinux.h, because we "override" them below */ ++#define bpf_wq bpf_wq___not_used + #define hid_bpf_ctx hid_bpf_ctx___not_used + #define hid_bpf_ops hid_bpf_ops___not_used ++#define hid_device hid_device___not_used + #define hid_report_type hid_report_type___not_used + #define hid_class_request hid_class_request___not_used + #define hid_bpf_attach_flags hid_bpf_attach_flags___not_used +@@ -24,8 +26,10 @@ + + #include "vmlinux.h" + ++#undef bpf_wq + #undef hid_bpf_ctx + #undef hid_bpf_ops ++#undef hid_device + #undef hid_report_type + #undef hid_class_request + #undef hid_bpf_attach_flags +@@ -52,6 +56,14 @@ enum hid_report_type { + HID_REPORT_TYPES, + }; + ++struct hid_device { ++ unsigned int id; ++} __attribute__((preserve_access_index)); ++ ++struct bpf_wq { ++ __u64 __opaque[2]; ++}; ++ + struct hid_bpf_ctx { + struct hid_device *hid; + __u32 allocated_size; diff --git a/queue-6.12/series b/queue-6.12/series index f46c129173..99fa1e3320 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -304,3 +304,16 @@ drm-i915-psr-repeat-selective-update-area-alignment.patch drm-amd-display-add-pixel_clock-to-amd_pp_display_configuration.patch drm-amd-pm-use-pm_display_cfg-in-legacy-dpm-v2.patch drm-amdgpu-add-basic-validation-for-ras-header.patch +nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch +nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch +selftests-hid-fix-compilation-when-bpf_wq-and-hid_device-are-not-exported.patch +hid-bpf-prevent-buffer-overflow-in-hid_hw_request.patch +sunrpc-fix-cache_request-leak-in-cache_release.patch +nvdimm-bus-fix-potential-use-after-free-in-asynchronous-initialization.patch +loongarch-give-more-information-if-kmem-access-failed.patch +nfc-nxp-nci-allow-gpios-to-sleep.patch +net-macb-fix-use-after-free-access-to-ptp-clock.patch +parisc-flush-correct-cache-in-cacheflush-syscall.patch +mac80211-fix-crash-in-ieee80211_chan_bw_change-for-ap_vlan-stations.patch +bluetooth-l2cap-fix-type-confusion-in-l2cap_ecred_reconf_rsp.patch +bluetooth-l2cap-validate-l2cap_info_rsp-payload-length-before-access.patch diff --git a/queue-6.12/sunrpc-fix-cache_request-leak-in-cache_release.patch b/queue-6.12/sunrpc-fix-cache_request-leak-in-cache_release.patch new file mode 100644 index 0000000000..4b543479be --- /dev/null +++ b/queue-6.12/sunrpc-fix-cache_request-leak-in-cache_release.patch @@ -0,0 +1,86 @@ +From 17ad31b3a43b72aec3a3d83605891e1397d0d065 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Mon, 23 Feb 2026 12:09:58 -0500 +Subject: sunrpc: fix cache_request leak in cache_release + +From: Jeff Layton + +commit 17ad31b3a43b72aec3a3d83605891e1397d0d065 upstream. + +When a reader's file descriptor is closed while in the middle of reading +a cache_request (rp->offset != 0), cache_release() decrements the +request's readers count but never checks whether it should free the +request. + +In cache_read(), when readers drops to 0 and CACHE_PENDING is clear, the +cache_request is removed from the queue and freed along with its buffer +and cache_head reference. cache_release() lacks this cleanup. + +The only other path that frees requests with readers == 0 is +cache_dequeue(), but it runs only when CACHE_PENDING transitions from +set to clear. If that transition already happened while readers was +still non-zero, cache_dequeue() will have skipped the request, and no +subsequent call will clean it up. + +Add the same cleanup logic from cache_read() to cache_release(): after +decrementing readers, check if it reached 0 with CACHE_PENDING clear, +and if so, dequeue and free the cache_request. + +Reported-by: NeilBrown +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@kernel.org +Signed-off-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/cache.c | 26 +++++++++++++++++++++----- + 1 file changed, 21 insertions(+), 5 deletions(-) + +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -1049,14 +1049,25 @@ static int cache_release(struct inode *i + struct cache_reader *rp = filp->private_data; + + if (rp) { ++ struct cache_request *rq = NULL; ++ + spin_lock(&queue_lock); + if (rp->offset) { + struct cache_queue *cq; +- for (cq= &rp->q; &cq->list != &cd->queue; +- cq = list_entry(cq->list.next, struct cache_queue, list)) ++ for (cq = &rp->q; &cq->list != &cd->queue; ++ cq = list_entry(cq->list.next, ++ struct cache_queue, list)) + if (!cq->reader) { +- container_of(cq, struct cache_request, q) +- ->readers--; ++ struct cache_request *cr = ++ container_of(cq, ++ struct cache_request, q); ++ cr->readers--; ++ if (cr->readers == 0 && ++ !test_bit(CACHE_PENDING, ++ &cr->item->flags)) { ++ list_del(&cr->q.list); ++ rq = cr; ++ } + break; + } + rp->offset = 0; +@@ -1064,9 +1075,14 @@ static int cache_release(struct inode *i + list_del(&rp->q.list); + spin_unlock(&queue_lock); + ++ if (rq) { ++ cache_put(rq->item, cd); ++ kfree(rq->buf); ++ kfree(rq); ++ } ++ + filp->private_data = NULL; + kfree(rp); +- + } + if (filp->f_mode & FMODE_WRITE) { + atomic_dec(&cd->writers);