From: Greg Kroah-Hartman
Date: Mon, 9 Mar 2026 10:39:40 +0000 (+0100)
Subject: 6.12-stable patches
X-Git-Tag: v6.19.7~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aedca350141a99cba3c67ea924b9638c5f5a2353;p=thirdparty%2Fkernel%2Fstable-queue.git

6.12-stable patches

added patches:
alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch
drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch
drbd-fix-null-pointer-dereference-on-local-read-error.patch
ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch
net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch
nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch
platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch
platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch
rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch
scsi-core-fix-refcount-leak-for-tagset_refcnt.patch
scsi-target-fix-recursive-locking-in-__configfs_open_file.patch
selftests-mptcp-join-check-removing-signal-subflow-endp.patch
selftests-mptcp-more-stable-simult_flows-tests.patch
smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch
smb-client-fix-broken-multichannel-with-krb5-signing.patch
smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch
squashfs-check-metadata-block-offset-is-within-range.patch
tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch
wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch
wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch
wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch
wifi-radiotap-reject-radiotap-with-unknown-bits.patch
---
diff --git a/queue-6.12/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch b/queue-6.12/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch
new file mode 100644
index 0000000000..5e2e168e1b
--- /dev/null
+++ b/queue-6.12/alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch @@ -0,0 +1,43 @@ +From 54f9d645a5453d0bfece0c465d34aaf072ea99fa Mon Sep 17 00:00:00 2001 +From: Jun Seo +Date: Thu, 26 Feb 2026 10:08:20 +0900 +Subject: ALSA: usb-audio: Use correct version for UAC3 header validation + +From: Jun Seo + +commit 54f9d645a5453d0bfece0c465d34aaf072ea99fa upstream. + +The entry of the validators table for UAC3 AC header descriptor is +defined with the wrong protocol version UAC_VERSION_2, while it should +have been UAC_VERSION_3. This results in the validator never matching +for actual UAC3 devices (protocol == UAC_VERSION_3), causing their +header descriptors to bypass validation entirely. A malicious USB +device presenting a truncated UAC3 header could exploit this to cause +out-of-bounds reads when the driver later accesses unvalidated +descriptor fields. + +The bug was introduced in the same commit as the recently fixed UAC3 +feature unit sub-type typo, and appears to be from the same copy-paste +error when the UAC3 section was created from the UAC2 section. + +Fixes: 57f8770620e9 ("ALSA: usb-audio: More validations of descriptor units") +Cc: +Signed-off-by: Jun Seo +Link: https://patch.msgid.link/20260226010820.36529-1-jun.seo.93@proton.me +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/validate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/usb/validate.c ++++ b/sound/usb/validate.c +@@ -281,7 +281,7 @@ static const struct usb_desc_validator a + /* UAC_VERSION_2, UAC2_SAMPLE_RATE_CONVERTER: not implemented yet */ + + /* UAC3 */ +- FIXED(UAC_VERSION_2, UAC_HEADER, struct uac3_ac_header_descriptor), ++ FIXED(UAC_VERSION_3, UAC_HEADER, struct uac3_ac_header_descriptor), + FIXED(UAC_VERSION_3, UAC_INPUT_TERMINAL, + struct uac3_input_terminal_descriptor), + FIXED(UAC_VERSION_3, UAC_OUTPUT_TERMINAL, 
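Review bot: the sound/usb/validate.c hunk of the ALSA usb-audio patch is missing any note on regression risk: the one-line change is consistent with the neighbouring UAC3 entries (UAC_INPUT_TERMINAL and UAC_OUTPUT_TERMINAL already use UAC_VERSION_3), but the commit message itself states that the UAC3 header validator has never matched until now, so this backport switches on a check that shipping UAC3 devices have never been subjected to. A sentence on what was tested against real UAC3 hardware, or on how a device whose header is now rejected will show up to the user, would help stable reviewers weigh the change.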
diff --git a/queue-6.12/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch b/queue-6.12/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch new file mode 100644 index 0000000000..07bb3aebec --- /dev/null +++ b/queue-6.12/drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch 
@@ -0,0 +1,161 @@ +From ab140365fb62c0bdab22b2f516aff563b2559e3b Mon Sep 17 00:00:00 2001 +From: Lars Ellenberg +Date: Thu, 19 Feb 2026 15:20:12 +0100 +Subject: drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lars Ellenberg + +commit ab140365fb62c0bdab22b2f516aff563b2559e3b upstream. + +Even though we check that we "should" be able to do lc_get_cumulative() +while holding the device->al_lock spinlock, it may still fail, +if some other code path decided to do lc_try_lock() with bad timing. + +If that happened, we logged "LOGIC BUG for enr=...", +but still did not return an error. + +The rest of the code now assumed that this request has references +for the relevant activity log extents. + +The implcations are that during an active resync, mutual exclusivity of +resync versus application IO is not guaranteed. And a potential crash +at this point may not realizs that these extents could have been target +of in-flight IO and would need to be resynced just in case. + +Also, once the request completes, it will give up activity log references it +does not even hold, which will trigger a BUG_ON(refcnt == 0) in lc_put(). + +Fix: + +Do not crash the kernel for a condition that is harmless during normal +operation: also catch "e->refcnt == 0", not only "e == NULL" +when being noisy about "al_complete_io() called on inactive extent %u\n". + +And do not try to be smart and "guess" whether something will work, then +be surprised when it does not. +Deal with the fact that it may or may not work. If it does not, remember a +possible "partially in activity log" state (only possible for requests that +cross extent boundaries), and return an error code from +drbd_al_begin_io_nonblock(). + +A latter call for the same request will then resume from where we left off. 
+ +Cc: stable@vger.kernel.org +Signed-off-by: Lars Ellenberg +Signed-off-by: Christoph Böhmwalder +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/drbd/drbd_actlog.c | 53 ++++++++++++++++--------------------- + drivers/block/drbd/drbd_interval.h | 5 ++- + 2 files changed, 27 insertions(+), 31 deletions(-) + +--- a/drivers/block/drbd/drbd_actlog.c ++++ b/drivers/block/drbd/drbd_actlog.c +@@ -483,38 +483,20 @@ void drbd_al_begin_io(struct drbd_device + + int drbd_al_begin_io_nonblock(struct drbd_device *device, struct drbd_interval *i) + { +- struct lru_cache *al = device->act_log; + /* for bios crossing activity log extent boundaries, + * we may need to activate two extents in one go */ + unsigned first = i->sector >> (AL_EXTENT_SHIFT-9); + unsigned last = i->size == 0 ? first : (i->sector + (i->size >> 9) - 1) >> (AL_EXTENT_SHIFT-9); +- unsigned nr_al_extents; +- unsigned available_update_slots; + unsigned enr; + +- D_ASSERT(device, first <= last); +- +- nr_al_extents = 1 + last - first; /* worst case: all touched extends are cold. */ +- available_update_slots = min(al->nr_elements - al->used, +- al->max_pending_changes - al->pending_changes); +- +- /* We want all necessary updates for a given request within the same transaction +- * We could first check how many updates are *actually* needed, +- * and use that instead of the worst-case nr_al_extents */ +- if (available_update_slots < nr_al_extents) { +- /* Too many activity log extents are currently "hot". +- * +- * If we have accumulated pending changes already, +- * we made progress. +- * +- * If we cannot get even a single pending change through, +- * stop the fast path until we made some progress, +- * or requests to "cold" extents could be starved. 
*/ +- if (!al->pending_changes) +- __set_bit(__LC_STARVING, &device->act_log->flags); +- return -ENOBUFS; ++ if (i->partially_in_al_next_enr) { ++ D_ASSERT(device, first < i->partially_in_al_next_enr); ++ D_ASSERT(device, last >= i->partially_in_al_next_enr); ++ first = i->partially_in_al_next_enr; + } + ++ D_ASSERT(device, first <= last); ++ + /* Is resync active in this area? */ + for (enr = first; enr <= last; enr++) { + struct lc_element *tmp; +@@ -529,14 +511,21 @@ int drbd_al_begin_io_nonblock(struct drb + } + } + +- /* Checkout the refcounts. +- * Given that we checked for available elements and update slots above, +- * this has to be successful. */ ++ /* Try to checkout the refcounts. */ + for (enr = first; enr <= last; enr++) { + struct lc_element *al_ext; + al_ext = lc_get_cumulative(device->act_log, enr); +- if (!al_ext) +- drbd_info(device, "LOGIC BUG for enr=%u\n", enr); ++ ++ if (!al_ext) { ++ /* Did not work. We may have exhausted the possible ++ * changes per transaction. Or raced with someone ++ * "locking" it against changes. ++ * Remember where to continue from. ++ */ ++ if (enr > first) ++ i->partially_in_al_next_enr = enr; ++ return -ENOBUFS; ++ } + } + return 0; + } +@@ -556,7 +545,11 @@ void drbd_al_complete_io(struct drbd_dev + + for (enr = first; enr <= last; enr++) { + extent = lc_find(device->act_log, enr); +- if (!extent) { ++ /* Yes, this masks a bug elsewhere. However, during normal ++ * operation this is harmless, so no need to crash the kernel ++ * by the BUG_ON(refcount == 0) in lc_put(). 
++ */ ++ if (!extent || extent->refcnt == 0) { + drbd_err(device, "al_complete_io() called on inactive extent %u\n", enr); + continue; + } +--- a/drivers/block/drbd/drbd_interval.h ++++ b/drivers/block/drbd/drbd_interval.h +@@ -8,12 +8,15 @@ + struct drbd_interval { + struct rb_node rb; + sector_t sector; /* start sector of the interval */ +- unsigned int size; /* size in bytes */ + sector_t end; /* highest interval end in subtree */ ++ unsigned int size; /* size in bytes */ + unsigned int local:1 /* local or remote request? */; + unsigned int waiting:1; /* someone is waiting for completion */ + unsigned int completed:1; /* this has been completed already; + * ignore for conflict detection */ ++ ++ /* to resume a partially successful drbd_al_begin_io_nonblock(); */ ++ unsigned int partially_in_al_next_enr; + }; + + static inline void drbd_clear_interval(struct drbd_interval *i) diff --git a/queue-6.12/drbd-fix-null-pointer-dereference-on-local-read-error.patch b/queue-6.12/drbd-fix-null-pointer-dereference-on-local-read-error.patch new file mode 100644 index 0000000000..ff7ca31a25 --- /dev/null +++ b/queue-6.12/drbd-fix-null-pointer-dereference-on-local-read-error.patch 
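Review bot: in the drbd_al_begin_io_nonblock() patch, the new partially_in_al_next_enr field of struct drbd_interval is written only in the failure branch of the second drbd_actlog.c hunk (`i->partially_in_al_next_enr = enr;`) and is never cleared in any hunk shown: once a later call reaches `return 0;` the stale value stays in the interval, and drbd_clear_interval(), visible as the trailing context of the drbd_interval.h hunk, is not touched. If a drbd_interval can be reused for another request, the `D_ASSERT(device, first < i->partially_in_al_next_enr)` on the resume path will fire for the wrong request; either reset the field on the success path or have the caller zero it when the request is set up, and say which in the commit message. A smaller point on the first hunk: the removed block set __LC_STARVING when `!al->pending_changes`, while the replacement branch simply returns -ENOBUFS; if the starvation guard is now expected to come from lc_get_cumulative() itself, stating that in the message would save the next reader from rediscovering it.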
@@ -0,0 +1,47 @@ +From 0d195d3b205ca90db30d70d09d7bb6909aac178f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?= + +Date: Fri, 20 Feb 2026 12:39:37 +0100 +Subject: drbd: fix null-pointer dereference on local read error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christoph Böhmwalder + +commit 0d195d3b205ca90db30d70d09d7bb6909aac178f upstream. + +In drbd_request_endio(), READ_COMPLETED_WITH_ERROR is passed to +__req_mod() with a NULL peer_device: + + __req_mod(req, what, NULL, &m); + +The READ_COMPLETED_WITH_ERROR handler then unconditionally passes this +NULL peer_device to drbd_set_out_of_sync(), which dereferences it, +causing a null-pointer dereference. + +Fix this by obtaining the peer_device via first_peer_device(device), +matching how drbd_req_destroy() handles the same situation. + +Cc: stable@vger.kernel.org +Reported-by: Tuo Li +Link: https://lore.kernel.org/linux-block/20260104165355.151864-1-islituo@gmail.com +Signed-off-by: Christoph Böhmwalder +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/drbd/drbd_req.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/block/drbd/drbd_req.c ++++ b/drivers/block/drbd/drbd_req.c +@@ -621,7 +621,8 @@ int __req_mod(struct drbd_request *req, + break; + + case READ_COMPLETED_WITH_ERROR: +- drbd_set_out_of_sync(peer_device, req->i.sector, req->i.size); ++ drbd_set_out_of_sync(first_peer_device(device), ++ req->i.sector, req->i.size); + drbd_report_io_error(device, req); + __drbd_chk_io_error(device, DRBD_READ_ERROR); + fallthrough; diff --git a/queue-6.12/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch b/queue-6.12/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch new file mode 100644 index 0000000000..106056565a --- /dev/null +++ b/queue-6.12/ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch 
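Review bot: in the drbd_req.c hunk of the null-pointer patch, `first_peer_device(device)` is handed straight to drbd_set_out_of_sync() with no NULL check, so the fix assumes every device has at least one peer device when a local read error completes. The commit message says this mirrors drbd_req_destroy(), which makes the assumption plausible, but a sentence stating that first_peer_device() cannot return NULL on this path (or a guard before the call) would close the loop on exactly the class of bug the patch fixes.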
@@ -0,0 +1,49 @@ +From 117942ca43e2e3c3d121faae530989931b7f67e1 Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Mon, 16 Feb 2026 11:02:48 -0400 +Subject: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() + +From: Jason Gunthorpe + +commit 117942ca43e2e3c3d121faae530989931b7f67e1 upstream. + +Fix a user triggerable leak on the system call failure path. + +Cc: stable@vger.kernel.org +Fixes: ec34a922d243 ("[PATCH] IB/mthca: Add SRQ implementation") +Signed-off-by: Jason Gunthorpe +Link: https://patch.msgid.link/2-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mthca/mthca_provider.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/mthca/mthca_provider.c ++++ b/drivers/infiniband/hw/mthca/mthca_provider.c +@@ -428,6 +428,8 @@ static int mthca_create_srq(struct ib_sr + + if (context && ib_copy_to_udata(udata, &srq->srqn, sizeof(__u32))) { + mthca_free_srq(to_mdev(ibsrq->device), srq); ++ mthca_unmap_user_db(to_mdev(ibsrq->device), &context->uar, ++ context->db_tab, ucmd.db_index); + return -EFAULT; + } + +@@ -436,6 +438,7 @@ static int mthca_create_srq(struct ib_sr + + static int mthca_destroy_srq(struct ib_srq *srq, struct ib_udata *udata) + { ++ mthca_free_srq(to_mdev(srq->device), to_msrq(srq)); + if (udata) { + struct mthca_ucontext *context = + rdma_udata_to_drv_context( +@@ -446,8 +449,6 @@ static int mthca_destroy_srq(struct ib_s + mthca_unmap_user_db(to_mdev(srq->device), &context->uar, + context->db_tab, to_msrq(srq)->db_index); + } +- +- mthca_free_srq(to_mdev(srq->device), to_msrq(srq)); + return 0; + } + diff --git a/queue-6.12/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch b/queue-6.12/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch new file mode 100644 index 0000000000..68a99b8a63 --- /dev/null +++ b/queue-6.12/net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch 
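Review bot: the second and third mthca_provider.c hunks of the IB/mthca patch reorder mthca_destroy_srq() so that mthca_free_srq() runs before mthca_unmap_user_db(), matching the order now used on the mthca_create_srq() error path, but the commit message mentions only the leak on the create failure path; one line explaining why the destroy order had to change as well would make the backport self-explanatory. In the first hunk, `ucmd.db_index` and `context` come from outside the visible context, so the stable reviewer should confirm that the 6.12 copy of mthca_create_srq() has populated ucmd on every path that reaches the ib_copy_to_udata() check.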
@@ -0,0 +1,115 @@ +From e35626f610f3d2b7953ccddf6a77453da22b3a9e Mon Sep 17 00:00:00 2001 +From: Davide Caratti +Date: Tue, 24 Feb 2026 21:28:32 +0100 +Subject: net/sched: ets: fix divide by zero in the offload path + +From: Davide Caratti + +commit e35626f610f3d2b7953ccddf6a77453da22b3a9e upstream. + +Offloading ETS requires computing each class' WRR weight: this is done by +averaging over the sums of quanta as 'q_sum' and 'q_psum'. Using unsigned +int, the same integer size as the individual DRR quanta, can overflow and +even cause division by zero, like it happened in the following splat: + + Oops: divide error: 0000 [#1] SMP PTI + CPU: 13 UID: 0 PID: 487 Comm: tc Tainted: G E 6.19.0-virtme #45 PREEMPT(full) + Tainted: [E]=UNSIGNED_MODULE + Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 + RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] + Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 + RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 + RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 + RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe + R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe + R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 + FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 + Call Trace: + + ets_qdisc_change+0x870/0xf40 [sch_ets] + qdisc_create+0x12b/0x540 + tc_modify_qdisc+0x6d7/0xbd0 + rtnetlink_rcv_msg+0x168/0x6b0 + netlink_rcv_skb+0x5c/0x110 + netlink_unicast+0x1d6/0x2b0 + netlink_sendmsg+0x22e/0x470 + ____sys_sendmsg+0x38a/0x3c0 + ___sys_sendmsg+0x99/0xe0 + __sys_sendmsg+0x8a/0xf0 + do_syscall_64+0x111/0xf80 + 
entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x7f440b81c77e + Code: 4d 89 d8 e8 d4 bc 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa + RSP: 002b:00007fff951e4c10 EFLAGS: 00000202 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 0000000000481820 RCX: 00007f440b81c77e + RDX: 0000000000000000 RSI: 00007fff951e4cd0 RDI: 0000000000000003 + RBP: 00007fff951e4c20 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff951f4fa8 + R13: 00000000699ddede R14: 00007f440bb01000 R15: 0000000000486980 + + Modules linked in: sch_ets(E) netdevsim(E) + ---[ end trace 0000000000000000 ]--- + RIP: 0010:ets_offload_change+0x11f/0x290 [sch_ets] + Code: e4 45 31 ff eb 03 41 89 c7 41 89 cb 89 ce 83 f9 0f 0f 87 b7 00 00 00 45 8b 08 31 c0 45 01 cc 45 85 c9 74 09 41 6b c4 64 31 d2 <41> f7 f2 89 c2 44 29 fa 45 89 df 41 83 fb 0f 0f 87 c7 00 00 00 44 + RSP: 0018:ffffd0a180d77588 EFLAGS: 00010246 + RAX: 00000000ffffff38 RBX: ffff8d3d482ca000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffd0a180d77660 + RBP: ffffd0a180d77690 R08: ffff8d3d482ca2d8 R09: 00000000fffffffe + R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffffe + R13: ffff8d3d472f2000 R14: 0000000000000003 R15: 0000000000000000 + FS: 00007f440b6c2740(0000) GS:ffff8d3dc9803000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000003cdd2000 CR3: 0000000007b58002 CR4: 0000000000172ef0 + Kernel panic - not syncing: Fatal exception + Kernel Offset: 0x30000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) + ---[ end Kernel panic - not syncing: Fatal exception ]--- + +Fix this using 64-bit integers for 'q_sum' and 'q_psum'. 
+ +Cc: stable@vger.kernel.org +Fixes: d35eb52bd2ac ("net: sch_ets: Make the ETS qdisc offloadable") +Signed-off-by: Davide Caratti +Reviewed-by: Jamal Hadi Salim +Reviewed-by: Petr Machata +Link: https://patch.msgid.link/28504887df314588c7255e9911769c36f751edee.1771964872.git.dcaratti@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_ets.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/sched/sch_ets.c ++++ b/net/sched/sch_ets.c +@@ -115,12 +115,12 @@ static void ets_offload_change(struct Qd + struct ets_sched *q = qdisc_priv(sch); + struct tc_ets_qopt_offload qopt; + unsigned int w_psum_prev = 0; +- unsigned int q_psum = 0; +- unsigned int q_sum = 0; + unsigned int quantum; + unsigned int w_psum; + unsigned int weight; + unsigned int i; ++ u64 q_psum = 0; ++ u64 q_sum = 0; + + if (!tc_can_offload(dev) || !dev->netdev_ops->ndo_setup_tc) + return; +@@ -138,8 +138,12 @@ static void ets_offload_change(struct Qd + + for (i = 0; i < q->nbands; i++) { + quantum = q->classes[i].quantum; +- q_psum += quantum; +- w_psum = quantum ? q_psum * 100 / q_sum : 0; ++ if (quantum) { ++ q_psum += quantum; ++ w_psum = div64_u64(q_psum * 100, q_sum); ++ } else { ++ w_psum = 0; ++ } + weight = w_psum - w_psum_prev; + w_psum_prev = w_psum; + diff --git a/queue-6.12/nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch b/queue-6.12/nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch new file mode 100644 index 0000000000..27ddd3ae9b --- /dev/null +++ b/queue-6.12/nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch 
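Review bot: in the second sch_ets.c hunk of the ETS patch, `w_psum = div64_u64(q_psum * 100, q_sum);` stores a u64 quotient into the `unsigned int w_psum` declared in the first hunk; the value is bounded by 100 because q_psum never exceeds q_sum, so the implicit narrowing is safe, but a one-line comment saying so would stop a future reader from "fixing" it. The new `if (quantum)` guard also relies on q_sum being non-zero whenever any quantum is non-zero, which holds only if q_sum is accumulated over the same classes in the loop above the hunk (not shown); a sentence in the message would make that invariant explicit, since the splat shows the old wrapped 32-bit sum reaching exactly zero.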
@@ -0,0 +1,73 @@ +From 1cb968a2013ffa8112d52ebe605009ea1c6a582c Mon Sep 17 00:00:00 2001 +From: Kuniyuki Iwashima +Date: Sat, 24 Jan 2026 04:18:40 +0000 +Subject: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit(). + +From: Kuniyuki Iwashima + +commit 1cb968a2013ffa8112d52ebe605009ea1c6a582c upstream. + +syzbot reported memory leak of struct cred. [0] + +nfsd_nl_threads_set_doit() passes get_current_cred() to +nfsd_svc(), but put_cred() is not called after that. + +The cred is finally passed down to _svc_xprt_create(), +which calls get_cred() with the cred for struct svc_xprt. + +The ownership of the refcount by get_current_cred() is not +transferred to anywhere and is just leaked. + +nfsd_svc() is also called from write_threads(), but it does +not bump file->f_cred there. + +nfsd_nl_threads_set_doit() is called from sendmsg() and +current->cred does not go away. + +Let's use current_cred() in nfsd_nl_threads_set_doit(). + +[0]: +BUG: memory leak +unreferenced object 0xffff888108b89480 (size 184): + comm "syz-executor", pid 5994, jiffies 4294943386 + hex dump (first 32 bytes): + 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+ backtrace (crc 369454a7): + kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] + slab_post_alloc_hook mm/slub.c:4958 [inline] + slab_alloc_node mm/slub.c:5263 [inline] + kmem_cache_alloc_noprof+0x412/0x580 mm/slub.c:5270 + prepare_creds+0x22/0x600 kernel/cred.c:185 + copy_creds+0x44/0x290 kernel/cred.c:286 + copy_process+0x7a7/0x2870 kernel/fork.c:2086 + kernel_clone+0xac/0x6e0 kernel/fork.c:2651 + __do_sys_clone+0x7f/0xb0 kernel/fork.c:2792 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: 924f4fb003ba ("NFSD: convert write_threads to netlink command") +Cc: stable@vger.kernel.org +Reported-by: syzbot+dd3b43aa0204089217ee@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69744674.a00a0220.33ccc7.0000.GAE@google.com/ +Tested-by: syzbot+dd3b43aa0204089217ee@syzkaller.appspotmail.com +Signed-off-by: Kuniyuki Iwashima +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfsctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1724,7 +1724,7 @@ int nfsd_nl_threads_set_doit(struct sk_b + scope = nla_data(attr); + } + +- ret = nfsd_svc(nrpools, nthreads, net, get_current_cred(), scope); ++ ret = nfsd_svc(nrpools, nthreads, net, current_cred(), scope); + if (ret > 0) + ret = 0; + out_unlock: diff --git a/queue-6.12/platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch b/queue-6.12/platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch new file mode 100644 index 0000000000..c79bf638b3 --- /dev/null +++ b/queue-6.12/platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch 
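Review bot: the nfsctl.c hunk of the nfsd patch swaps get_current_cred() for current_cred(), which is correct only because the callee takes its own reference (the commit message says _svc_xprt_create() calls get_cred() for the svc_xprt); that fact is the whole justification for the change, so a short comment at the call site would protect against a later refactor of nfsd_svc() that keeps the pointer without get_cred() and reintroduces the problem as a use-after-free instead of a leak.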
@@ -0,0 +1,42 @@ +From 26a7601471f62b95d56a81c3a8ccb551b5a6630f Mon Sep 17 00:00:00 2001 +From: Kurt Borja +Date: Sat, 7 Feb 2026 12:16:34 -0500 +Subject: platform/x86: dell-wmi: Add audio/mic mute key codes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kurt Borja + +commit 26a7601471f62b95d56a81c3a8ccb551b5a6630f upstream. + +Add audio/mic mute key codes found in Alienware m18 r1 AMD. + +Cc: stable@vger.kernel.org +Tested-by: Olexa Bilaniuk +Suggested-by: Olexa Bilaniuk +Signed-off-by: Kurt Borja +Acked-by: Pali Rohár +Link: https://patch.msgid.link/20260207-mute-keys-v2-1-c55e5471c9c1@gmail.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/dell/dell-wmi-base.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/platform/x86/dell/dell-wmi-base.c ++++ b/drivers/platform/x86/dell/dell-wmi-base.c +@@ -80,6 +80,12 @@ static const struct dmi_system_id dell_w + static const struct key_entry dell_wmi_keymap_type_0000[] = { + { KE_IGNORE, 0x003a, { KEY_CAPSLOCK } }, + ++ /* Audio mute toggle */ ++ { KE_KEY, 0x0109, { KEY_MUTE } }, ++ ++ /* Mic mute toggle */ ++ { KE_KEY, 0x0150, { KEY_MICMUTE } }, ++ + /* Meta key lock */ + { KE_IGNORE, 0xe000, { KEY_RIGHTMETA } }, + diff --git a/queue-6.12/platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch b/queue-6.12/platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch new file mode 100644 index 0000000000..6defa6a5fb --- /dev/null +++ b/queue-6.12/platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch 
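Review bot: nothing blocking in the dell-wmi-base.c hunk of the dell-wmi patch: the two new entries keep the keymap's ascending scancode order (0x003a, 0x0109, 0x0150, 0xe000) and use KE_KEY rather than the KE_IGNORE of their neighbours, which is what a key that should actually emit an input event needs. The commit message could say whether these scancodes were seen only on the Alienware m18 r1 AMD it names or are expected across the dell-wmi family, since the table is shared.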
@@ -0,0 +1,37 @@ +From d1a196e0a6dcddd03748468a0e9e3100790fc85c Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Tue, 3 Mar 2026 12:30:51 +0100 +Subject: platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thorsten Blum + +commit d1a196e0a6dcddd03748468a0e9e3100790fc85c upstream. + +set_new_password() hex dumps the entire buffer, which contains plaintext +password data, including current and new passwords. Remove the hex dump +to avoid leaking credentials. + +Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") +Cc: stable@vger.kernel.org +Signed-off-by: Thorsten Blum +Link: https://patch.msgid.link/20260303113050.58127-2-thorsten.blum@linux.dev +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c ++++ b/drivers/platform/x86/dell/dell-wmi-sysman/passwordattr-interface.c +@@ -93,7 +93,6 @@ int set_new_password(const char *passwor + if (ret < 0) + goto out; + +- print_hex_dump_bytes("set new password data: ", DUMP_PREFIX_NONE, buffer, buffer_size); + ret = call_password_interface(wmi_priv.password_attr_wdev, buffer, buffer_size); + /* on success copy the new password to current password */ + if (!ret) diff --git a/queue-6.12/rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch b/queue-6.12/rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch new file mode 100644 index 0000000000..9454156d4a --- /dev/null +++ b/queue-6.12/rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch 
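Review bot: dropping the print_hex_dump_bytes() call in the passwordattr-interface.c hunk of the dell-wmi-sysman patch is the right minimal fix, but the surrounding context shows the same buffer still holds the current and new plaintext passwords while call_password_interface() runs and is then copied into the stored current password on success; a follow-up that clears `buffer` with memzero_explicit() on every path through `out` would shorten how long the credentials stay in kernel memory, and is worth naming as future work in the message even if it is out of scope for a stable fix.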
@@ -0,0 +1,39 @@ +From 74586c6da9ea222a61c98394f2fc0a604748438c Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Mon, 16 Feb 2026 11:02:49 -0400 +Subject: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() + +From: Jason Gunthorpe + +commit 74586c6da9ea222a61c98394f2fc0a604748438c upstream. + +struct irdma_create_ah_resp { // 8 bytes, no padding + __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx) + __u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK +}; + +rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assigned before ib_respond_udata(). + +The reserved members of the structure were not zeroed. + +Cc: stable@vger.kernel.org +Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") +Signed-off-by: Jason Gunthorpe +Link: https://patch.msgid.link/3-v1-83e918d69e73+a9-rdma_udata_rc_jgg@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/irdma/verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -4589,7 +4589,7 @@ static int irdma_create_user_ah(struct i + #define IRDMA_CREATE_AH_MIN_RESP_LEN offsetofend(struct irdma_create_ah_resp, rsvd) + struct irdma_ah *ah = container_of(ibah, struct irdma_ah, ibah); + struct irdma_device *iwdev = to_iwdev(ibah->pd->device); +- struct irdma_create_ah_resp uresp; ++ struct irdma_create_ah_resp uresp = {}; + struct irdma_ah *parent_ah; + int err; + diff --git a/queue-6.12/scsi-core-fix-refcount-leak-for-tagset_refcnt.patch b/queue-6.12/scsi-core-fix-refcount-leak-for-tagset_refcnt.patch new file mode 100644 index 0000000000..5cceaeba16 --- /dev/null +++ b/queue-6.12/scsi-core-fix-refcount-leak-for-tagset_refcnt.patch 
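Review bot: the verbs.c hunk of the irdma patch relies on `= {}` to zero `rsvd`, which is sufficient here because the commit message establishes that the struct is 8 bytes with no padding (two 4-byte members), and the IRDMA_CREATE_AH_MIN_RESP_LEN definition visible in the context uses offsetofend(..., rsvd), so the reserved bytes are always part of what is copied to userspace. If the struct ever gains padding, an empty initializer does not guarantee the padding bytes are cleared and a memset() would be needed; a short comment beside the declaration would record that.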
@@ -0,0 +1,48 @@ +From 1ac22c8eae81366101597d48360718dff9b9d980 Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Mon, 23 Feb 2026 15:27:28 -0800 +Subject: scsi: core: Fix refcount leak for tagset_refcnt + +From: Junxiao Bi + +commit 1ac22c8eae81366101597d48360718dff9b9d980 upstream. + +This leak will cause a hang when tearing down the SCSI host. For example, +iscsid hangs with the following call trace: + +[130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured + +PID: 2528 TASK: ffff9d0408974e00 CPU: 3 COMMAND: "iscsid" + #0 [ffffb5b9c134b9e0] __schedule at ffffffff860657d4 + #1 [ffffb5b9c134ba28] schedule at ffffffff86065c6f + #2 [ffffb5b9c134ba40] schedule_timeout at ffffffff86069fb0 + #3 [ffffb5b9c134bab0] __wait_for_common at ffffffff8606674f + #4 [ffffb5b9c134bb10] scsi_remove_host at ffffffff85bfe84b + #5 [ffffb5b9c134bb30] iscsi_sw_tcp_session_destroy at ffffffffc03031c4 [iscsi_tcp] + #6 [ffffb5b9c134bb48] iscsi_if_recv_msg at ffffffffc0292692 [scsi_transport_iscsi] + #7 [ffffb5b9c134bb98] iscsi_if_rx at ffffffffc02929c2 [scsi_transport_iscsi] + #8 [ffffb5b9c134bbf0] netlink_unicast at ffffffff85e551d6 + #9 [ffffb5b9c134bc38] netlink_sendmsg at ffffffff85e554ef + +Fixes: 8fe4ce5836e9 ("scsi: core: Fix a use-after-free") +Cc: stable@vger.kernel.org +Signed-off-by: Junxiao Bi +Reviewed-by: Mike Christie +Reviewed-by: Bart Van Assche +Link: https://patch.msgid.link/20260223232728.93350-1-junxiao.bi@oracle.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_scan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/scsi_scan.c ++++ b/drivers/scsi/scsi_scan.c +@@ -354,6 +354,7 @@ static struct scsi_device *scsi_alloc_sd + * since we use this queue depth most of times. + */ + if (scsi_realloc_sdev_budget_map(sdev, depth)) { ++ kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags); + put_device(&starget->dev); + kfree(sdev); + goto out; 
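Review bot: the scsi_scan.c hunk of the scsi core patch adds the missing kref_put() on the scsi_realloc_sdev_budget_map() failure path only; the matching kref_get() on tagset_refcnt sits outside the visible context, so the reviewer should confirm that every other `goto out` between that kref_get() and the point where the sdev takes ownership of the reference already drops it, otherwise the hang shown in the call trace (scsi_remove_host() blocked in __wait_for_common) can still be reached from another error path. The ordering here, kref_put() before put_device() and kfree(), is the reverse of acquisition and looks right.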
diff --git a/queue-6.12/scsi-target-fix-recursive-locking-in-__configfs_open_file.patch b/queue-6.12/scsi-target-fix-recursive-locking-in-__configfs_open_file.patch new file mode 100644 index 0000000000..91c1d9b45f --- /dev/null +++ b/queue-6.12/scsi-target-fix-recursive-locking-in-__configfs_open_file.patch 
@@ -0,0 +1,92 @@ +From 14d4ac19d1895397532eec407433c5d74d9da53b Mon Sep 17 00:00:00 2001 +From: Prithvi Tambewagh +Date: Mon, 16 Feb 2026 11:50:02 +0530 +Subject: scsi: target: Fix recursive locking in __configfs_open_file() + +From: Prithvi Tambewagh + +commit 14d4ac19d1895397532eec407433c5d74d9da53b upstream. + +In flush_write_buffer, &p->frag_sem is acquired and then the loaded store +function is called, which, here, is target_core_item_dbroot_store(). This +function called filp_open(), following which these functions were called +(in reverse order), according to the call trace: + + down_read + __configfs_open_file + do_dentry_open + vfs_open + do_open + path_openat + do_filp_open + file_open_name + filp_open + target_core_item_dbroot_store + flush_write_buffer + configfs_write_iter + +target_core_item_dbroot_store() tries to validate the new file path by +trying to open the file path provided to it; however, in this case, the bug +report shows: + +db_root: not a directory: /sys/kernel/config/target/dbroot + +indicating that the same configfs file was tried to be opened, on which it +is currently working on. Thus, it is trying to acquire frag_sem semaphore +of the same file of which it already holds the semaphore obtained in +flush_write_buffer(), leading to acquiring the semaphore in a nested manner +and a possibility of recursive locking. + +Fix this by modifying target_core_item_dbroot_store() to use kern_path() +instead of filp_open() to avoid opening the file using filesystem-specific +function __configfs_open_file(), and further modifying it to make this fix +compatible. 
+ +Reported-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=f6e8174215573a84b797 +Tested-by: syzbot+f6e8174215573a84b797@syzkaller.appspotmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Prithvi Tambewagh +Reviewed-by: Dmitry Bogdanov +Link: https://patch.msgid.link/20260216062002.61937-1-activprithvi@gmail.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_configfs.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +--- a/drivers/target/target_core_configfs.c ++++ b/drivers/target/target_core_configfs.c +@@ -108,8 +108,8 @@ static ssize_t target_core_item_dbroot_s + const char *page, size_t count) + { + ssize_t read_bytes; +- struct file *fp; + ssize_t r = -EINVAL; ++ struct path path = {}; + + mutex_lock(&target_devices_lock); + if (target_devices) { +@@ -131,17 +131,14 @@ static ssize_t target_core_item_dbroot_s + db_root_stage[read_bytes - 1] = '\0'; + + /* validate new db root before accepting it */ +- fp = filp_open(db_root_stage, O_RDONLY, 0); +- if (IS_ERR(fp)) { ++ r = kern_path(db_root_stage, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path); ++ if (r) { + pr_err("db_root: cannot open: %s\n", db_root_stage); ++ if (r == -ENOTDIR) ++ pr_err("db_root: not a directory: %s\n", db_root_stage); + goto unlock; + } +- if (!S_ISDIR(file_inode(fp)->i_mode)) { +- filp_close(fp, NULL); +- pr_err("db_root: not a directory: %s\n", db_root_stage); +- goto unlock; +- } +- filp_close(fp, NULL); ++ path_put(&path); + + strncpy(db_root, db_root_stage, read_bytes); + pr_debug("Target_Core_ConfigFS: db_root set to %s\n", db_root); diff --git a/queue-6.12/selftests-mptcp-join-check-removing-signal-subflow-endp.patch b/queue-6.12/selftests-mptcp-join-check-removing-signal-subflow-endp.patch new file mode 100644 index 0000000000..c94ab4d24e --- /dev/null +++ b/queue-6.12/selftests-mptcp-join-check-removing-signal-subflow-endp.patch 
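Review bot: in the second hunk of the scsi: target patch (the `kern_path()` replacement in `target_core_item_dbroot_store()`), the `-ENOTDIR` case now logs two errors, `db_root: cannot open:` followed by `db_root: not a directory:`, where the old code logged exactly one; suggest `if (r == -ENOTDIR) pr_err("db_root: not a directory: ...") else pr_err("db_root: cannot open: ...")`. Also, `r` now carries the `kern_path()` error (for example `-ENOENT`) to `unlock` instead of the `-EINVAL` the old `IS_ERR(fp)` path left in place, which is a user-visible return-value change worth a line in the message.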
@@ -0,0 +1,57 @@ +From 1777f349ff41b62dfe27454b69c27b0bc99ffca5 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 3 Mar 2026 11:56:06 +0100 +Subject: selftests: mptcp: join: check removing signal+subflow endp + +From: Matthieu Baerts (NGI0) + +commit 1777f349ff41b62dfe27454b69c27b0bc99ffca5 upstream. + +This validates the previous commit: endpoints with both the signal and +subflow flags should always be marked as used even if it was not +possible to create new subflows due to the MPTCP PM limits. + +For this test, an extra endpoint is created with both the signal and the +subflow flags, and limits are set not to create extra subflows. In this +case, an ADD_ADDR is sent, but no subflows are created. Still, the local +endpoint is marked as used, and no warning is fired when removing the +endpoint, after having sent a RM_ADDR. + +The 'Fixes' tag here below is the same as the one from the previous +commit: this patch here is not fixing anything wrong in the selftests, +but it validates the previous fix for an issue introduced by this commit +ID. 
+ +Fixes: 85df533a787b ("mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-5-4b5462b6f016@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -2384,6 +2384,19 @@ remove_tests() + chk_rst_nr 0 0 + fi + ++ # signal+subflow with limits, remove ++ if reset "remove signal+subflow with limits"; then ++ pm_nl_set_limits $ns1 0 0 ++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,subflow ++ pm_nl_set_limits $ns2 0 0 ++ addr_nr_ns1=-1 speed=slow \ ++ run_tests $ns1 $ns2 10.0.1.1 ++ chk_join_nr 0 0 0 ++ chk_add_nr 1 1 ++ chk_rm_nr 1 0 invert ++ chk_rst_nr 0 0 ++ fi ++ + # addresses remove + if reset "remove addresses"; then + pm_nl_set_limits $ns1 3 3 diff --git a/queue-6.12/selftests-mptcp-more-stable-simult_flows-tests.patch b/queue-6.12/selftests-mptcp-more-stable-simult_flows-tests.patch new file mode 100644 index 0000000000..8e781c3438 --- /dev/null +++ b/queue-6.12/selftests-mptcp-more-stable-simult_flows-tests.patch 
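Review bot: the new `remove signal+subflow with limits` block asserts only counters (`chk_join_nr 0 0 0`, `chk_add_nr 1 1`, `chk_rm_nr 1 0 invert`, `chk_rst_nr 0 0`), while the message says the point is that no warning fires when the endpoint is removed; suggest the message say how a warning would be caught by this test, or add an explicit check. Also, the message says this selftest validates "the previous commit" fixing 85df533a787b, and no such mptcp PM fix appears among the patches added in this queue update; confirm that fix is already in the 6.12 queue, otherwise the new case will fail on 6.12.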
@@ -0,0 +1,60 @@ +From 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 3 Mar 2026 11:56:02 +0100 +Subject: selftests: mptcp: more stable simult_flows tests + +From: Paolo Abeni + +commit 8c09412e584d9bcc0e71d758ec1008d1c8d1a326 upstream. + +By default, the netem qdisc can keep up to 1000 packets under its belly +to deal with the configured rate and delay. The simult flows test-case +simulates very low speed links, to avoid problems due to slow CPUs and +the TCP stack tend to transmit at a slightly higher rate than the +(virtual) link constraints. + +All the above causes a relatively large amount of packets being enqueued +in the netem qdiscs - the longer the transfer, the longer the queue - +producing increasingly high TCP RTT samples and consequently increasingly +larger receive buffer size due to DRS. + +When the receive buffer size becomes considerably larger than the needed +size, the tests results can flake, i.e. because minimal inaccuracy in the +pacing rate can lead to a single subflow usage towards the end of the +connection for a considerable amount of data. + +Address the issue explicitly setting netem limits suitable for the +configured link speeds and unflake all the affected tests. 
+ +Fixes: 1a418cb8e888 ("mptcp: simult flow self-tests") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260303-net-mptcp-misc-fixes-7-0-rc2-v1-1-4b5462b6f016@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/simult_flows.sh | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/net/mptcp/simult_flows.sh ++++ b/tools/testing/selftests/net/mptcp/simult_flows.sh +@@ -226,10 +226,13 @@ run_test() + for dev in ns2eth1 ns2eth2; do + tc -n $ns2 qdisc del dev $dev root >/dev/null 2>&1 + done +- tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1 +- tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2 +- tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1 +- tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2 ++ ++ # keep the queued pkts number low, or the RTT estimator will see ++ # increasing latency over time. ++ tc -n $ns1 qdisc add dev ns1eth1 root netem rate ${rate1}mbit $delay1 limit 50 ++ tc -n $ns1 qdisc add dev ns1eth2 root netem rate ${rate2}mbit $delay2 limit 50 ++ tc -n $ns2 qdisc add dev ns2eth1 root netem rate ${rate1}mbit $delay1 limit 50 ++ tc -n $ns2 qdisc add dev ns2eth2 root netem rate ${rate2}mbit $delay2 limit 50 + + # time is measured in ms, account for transfer size, aggregated link speed + # and header overhead (10%) diff --git a/queue-6.12/series b/queue-6.12/series index 2683bb322a..c28bf3f3cd 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
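Review bot: the four `netem ... limit 50` lines use one constant for both the `${rate1}` and `${rate2}` links, while the message says the limits were chosen "suitable for the configured link speeds"; suggest the in-script comment (`# keep the queued pkts number low ...`) state how 50 was picked, or derive the limit from the rate, so a later change to the rates in `run_test()` does not silently reintroduce the queue growth and RTT inflation the message describes.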
@@ -145,3 +145,25 @@ can-usb-f81604-handle-short-interrupt-urb-messages-properly.patch can-usb-f81604-handle-bulk-write-errors-properly.patch hid-add-hid_claimed_input-guards-in-raw_event-callbacks-missing-them.patch x86-efi-defer-freeing-of-boot-services-memory.patch +platform-x86-dell-wmi-sysman-don-t-hex-dump-plaintext-password-data.patch +platform-x86-dell-wmi-add-audio-mic-mute-key-codes.patch +alsa-usb-audio-use-correct-version-for-uac3-header-validation.patch +wifi-radiotap-reject-radiotap-with-unknown-bits.patch +wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch +wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch +wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch +ib-mthca-add-missed-mthca_unmap_user_db-for-mthca_create_srq.patch +rdma-irdma-fix-kernel-stack-leak-in-irdma_create_user_ah.patch +net-sched-ets-fix-divide-by-zero-in-the-offload-path.patch +nfsd-fix-cred-ref-leak-in-nfsd_nl_threads_set_doit.patch +tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch +scsi-target-fix-recursive-locking-in-__configfs_open_file.patch +squashfs-check-metadata-block-offset-is-within-range.patch +drbd-fix-logic-bug-in-drbd_al_begin_io_nonblock.patch +drbd-fix-null-pointer-dereference-on-local-read-error.patch +smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch +smb-client-fix-broken-multichannel-with-krb5-signing.patch +smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch +scsi-core-fix-refcount-leak-for-tagset_refcnt.patch +selftests-mptcp-more-stable-simult_flows-tests.patch +selftests-mptcp-join-check-removing-signal-subflow-endp.patch diff --git a/queue-6.12/smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch b/queue-6.12/smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch new file mode 100644 index 0000000000..acc20cab6f --- /dev/null +++ b/queue-6.12/smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch 
@@ -0,0 +1,33 @@ +From 2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Thu, 26 Feb 2026 22:28:45 +0100 +Subject: smb: client: Don't log plaintext credentials in cifs_set_cifscreds + +From: Thorsten Blum + +commit 2f37dc436d4e61ff7ae0b0353cf91b8c10396e4d upstream. + +When debug logging is enabled, cifs_set_cifscreds() logs the key +payload and exposes the plaintext username and password. Remove the +debug log to avoid exposing credentials. + +Fixes: 8a8798a5ff90 ("cifs: fetch credentials out of keyring for non-krb5 auth multiuser mounts") +Cc: stable@vger.kernel.org +Acked-by: Paulo Alcantara (Red Hat) +Signed-off-by: Thorsten Blum +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/connect.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/smb/client/connect.c ++++ b/fs/smb/client/connect.c +@@ -2197,7 +2197,6 @@ cifs_set_cifscreds(struct smb3_fs_contex + /* find first : in payload */ + payload = upayload->data; + delim = strnchr(payload, upayload->datalen, ':'); +- cifs_dbg(FYI, "payload=%s\n", payload); + if (!delim) { + cifs_dbg(FYI, "Unable to find ':' in payload (datalen=%d)\n", + upayload->datalen); diff --git a/queue-6.12/smb-client-fix-broken-multichannel-with-krb5-signing.patch b/queue-6.12/smb-client-fix-broken-multichannel-with-krb5-signing.patch new file mode 100644 index 0000000000..6b8af3211c --- /dev/null +++ b/queue-6.12/smb-client-fix-broken-multichannel-with-krb5-signing.patch 
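Review bot: the removed `cifs_dbg(FYI, "payload=%s\n", payload)` was also not length-safe: the line right above it searches with `strnchr(payload, upayload->datalen, ':')`, i.e. the payload is length-delimited, while `%s` reads until a NUL; one sentence in the message would record that the removal is a correctness fix as well as a credential-exposure one. Please also confirm that no later `cifs_dbg` in `cifs_set_cifscreds()` prints the username or password split out at `delim`, since the visible hunk only removes the whole-payload dump.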
@@ -0,0 +1,76 @@ +From d9d1e319b39ea685ede59319002d567c159d23c3 Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Wed, 25 Feb 2026 21:34:55 -0300 +Subject: smb: client: fix broken multichannel with krb5+signing + +From: Paulo Alcantara + +commit d9d1e319b39ea685ede59319002d567c159d23c3 upstream. + +When mounting a share with 'multichannel,max_channels=n,sec=krb5i', +the client was duplicating signing key for all secondary channels, +thus making the server fail all commands sent from secondary channels +due to bad signatures. + +Every channel has its own signing key, so when establishing a new +channel with krb5 auth, make sure to use the new session key as the +derived key to generate channel's signing key in SMB2_auth_kerberos(). + +Repro: + +$ mount.cifs //srv/share /mnt -o multichannel,max_channels=4,sec=krb5i +$ sleep 5 +$ umount /mnt +$ dmesg + ... + CIFS: VFS: sign fail cmd 0x5 message id 0x2 + CIFS: VFS: \\srv SMB signature verification returned error = -13 + CIFS: VFS: sign fail cmd 0x5 message id 0x2 + CIFS: VFS: \\srv SMB signature verification returned error = -13 + CIFS: VFS: sign fail cmd 0x4 message id 0x2 + CIFS: VFS: \\srv SMB signature verification returned error = -13 + +Reported-by: Xiaoli Feng +Reviewed-by: Enzo Matsumiya +Signed-off-by: Paulo Alcantara (Red Hat) +Cc: David Howells +Cc: linux-cifs@vger.kernel.org +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -1666,19 +1666,17 @@ SMB2_auth_kerberos(struct SMB2_sess_data + is_binding = (ses->ses_status == SES_GOOD); + spin_unlock(&ses->ses_lock); + +- /* keep session key if binding */ +- if (!is_binding) { +- kfree_sensitive(ses->auth_key.response); +- ses->auth_key.response = kmemdup(msg->data, msg->sesskey_len, +- GFP_KERNEL); +- if (!ses->auth_key.response) { +- 
cifs_dbg(VFS, "Kerberos can't allocate (%u bytes) memory\n", +- msg->sesskey_len); +- rc = -ENOMEM; +- goto out_put_spnego_key; +- } +- ses->auth_key.len = msg->sesskey_len; ++ kfree_sensitive(ses->auth_key.response); ++ ses->auth_key.response = kmemdup(msg->data, ++ msg->sesskey_len, ++ GFP_KERNEL); ++ if (!ses->auth_key.response) { ++ cifs_dbg(VFS, "%s: can't allocate (%u bytes) memory\n", ++ __func__, msg->sesskey_len); ++ rc = -ENOMEM; ++ goto out_put_spnego_key; + } ++ ses->auth_key.len = msg->sesskey_len; + + sess_data->iov[1].iov_base = msg->data + msg->sesskey_len; + sess_data->iov[1].iov_len = msg->secblob_len; diff --git a/queue-6.12/smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch b/queue-6.12/smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch new file mode 100644 index 0000000000..e8ff22eccf --- /dev/null +++ b/queue-6.12/smb-client-fix-cifs_pick_channel-when-channels-are-equally-loaded.patch 
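Review bot: after dropping the `if (!is_binding)` guard in `SMB2_auth_kerberos()`, `is_binding` is still assigned under `ses->ses_lock` in the hunk's context but is no longer read anywhere in this region; check whether it is used later in the function, otherwise remove it with the guard to avoid an unused-variable warning. The deleted comment `keep session key if binding` also documented an intent: the session key is now freed with `kfree_sensitive()` and replaced while other channels of the session are live, so the message should state that nothing besides the new channel's signing-key derivation reads `ses->auth_key` at that point.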
@@ -0,0 +1,71 @@ +From 663c28469d3274d6456f206a6671c91493d85ff1 Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Sat, 21 Feb 2026 01:59:44 -0300 +Subject: smb: client: fix cifs_pick_channel when channels are equally loaded + +From: Henrique Carvalho + +commit 663c28469d3274d6456f206a6671c91493d85ff1 upstream. + +cifs_pick_channel uses (start % chan_count) when channels are equally +loaded, but that can return a channel that failed the eligibility +checks. + +Drop the fallback and return the scan-selected channel instead. If none +is eligible, keep the existing behavior of using the primary channel. + +Signed-off-by: Henrique Carvalho +Acked-by: Paulo Alcantara (Red Hat) +Acked-by: Meetakshi Setiya +Reviewed-by: Shyam Prasad N +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/transport.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +--- a/fs/smb/client/transport.c ++++ b/fs/smb/client/transport.c +@@ -1026,16 +1026,21 @@ cifs_cancelled_callback(struct mid_q_ent + } + + /* +- * Return a channel (master if none) of @ses that can be used to send +- * regular requests. ++ * cifs_pick_channel - pick an eligible channel for network operations + * +- * If we are currently binding a new channel (negprot/sess.setup), +- * return the new incomplete channel. ++ * @ses: session reference ++ * ++ * Select an eligible channel (not terminating and not marked as needing ++ * reconnect), preferring the least loaded one. If no eligible channel is ++ * found, fall back to the primary channel (index 0). ++ * ++ * Return: TCP_Server_Info pointer for the chosen channel, or NULL if @ses is ++ * NULL. 
+ */ + struct TCP_Server_Info *cifs_pick_channel(struct cifs_ses *ses) + { + uint index = 0; +- unsigned int min_in_flight = UINT_MAX, max_in_flight = 0; ++ unsigned int min_in_flight = UINT_MAX; + struct TCP_Server_Info *server = NULL; + int i, start, cur; + +@@ -1065,14 +1070,8 @@ struct TCP_Server_Info *cifs_pick_channe + min_in_flight = server->in_flight; + index = cur; + } +- if (server->in_flight > max_in_flight) +- max_in_flight = server->in_flight; + } + +- /* if all channels are equally loaded, fall back to round-robin */ +- if (min_in_flight == max_in_flight) +- index = (uint)start % ses->chan_count; +- + server = ses->chans[index].server; + spin_unlock(&ses->chan_lock); + diff --git a/queue-6.12/squashfs-check-metadata-block-offset-is-within-range.patch b/queue-6.12/squashfs-check-metadata-block-offset-is-within-range.patch new file mode 100644 index 0000000000..a2baa70eca --- /dev/null +++ b/queue-6.12/squashfs-check-metadata-block-offset-is-within-range.patch 
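Review bot: removing the `min_in_flight == max_in_flight` round-robin fallback means that when all eligible channels are equally loaded the strict `<` comparison keeps the first eligible channel the scan visits, so spreading now depends entirely on where the scan begins (`start`, still declared in the hunk); suggest the message say that `start` still rotates between calls, otherwise this patch also changes load distribution, not only eligibility. The new kernel-doc block for `cifs_pick_channel()` is a welcome addition.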
@@ -0,0 +1,46 @@ +From fdb24a820a5832ec4532273282cbd4f22c291a0d Mon Sep 17 00:00:00 2001 +From: Phillip Lougher +Date: Tue, 17 Feb 2026 05:09:55 +0000 +Subject: Squashfs: check metadata block offset is within range + +From: Phillip Lougher + +commit fdb24a820a5832ec4532273282cbd4f22c291a0d upstream. + +Syzkaller reports a "general protection fault in squashfs_copy_data" + +This is ultimately caused by a corrupted index look-up table, which +produces a negative metadata block offset. + +This is subsequently passed to squashfs_copy_data (via +squashfs_read_metadata) where the negative offset causes an out of bounds +access. + +The fix is to check that the offset is within range in +squashfs_read_metadata. This will trap this and other cases. + +Link: https://lkml.kernel.org/r/20260217050955.138351-1-phillip@squashfs.org.uk +Fixes: f400e12656ab ("Squashfs: cache operations") +Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/ +Signed-off-by: Phillip Lougher +Cc: Christian Brauner +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/squashfs/cache.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/squashfs/cache.c ++++ b/fs/squashfs/cache.c +@@ -340,6 +340,9 @@ int squashfs_read_metadata(struct super_ + if (unlikely(length < 0)) + return -EIO; + ++ if (unlikely(*offset < 0 || *offset >= SQUASHFS_METADATA_SIZE)) ++ return -EIO; ++ + while (length) { + entry = squashfs_cache_get(sb, msblk->block_cache, *block, 0); + if (entry->error) { diff --git a/queue-6.12/tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch b/queue-6.12/tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch new file mode 100644 index 0000000000..8f78452a70 --- /dev/null +++ b/queue-6.12/tracing-fix-warn_on-in-tracing_buffers_mmap_close.patch 
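Review bot: the added `*offset < 0 || *offset >= SQUASHFS_METADATA_SIZE` check runs once before the `while (length)` loop in `squashfs_read_metadata()`, so it covers the caller-supplied offset only; the message should confirm that the per-iteration offset update inside the loop (not in the hunk) always yields an in-range value, for example by resetting it to 0 once a cache entry is exhausted, so no second check is needed there. Returning `-EIO` here, matching the `length < 0` check just above, keeps the error handling consistent.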
@@ -0,0 +1,111 @@ +From e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e Mon Sep 17 00:00:00 2001 +From: Qing Wang +Date: Fri, 27 Feb 2026 10:58:42 +0800 +Subject: tracing: Fix WARN_ON in tracing_buffers_mmap_close + +From: Qing Wang + +commit e39bb9e02b68942f8e9359d2a3efe7d37ae6be0e upstream. + +When a process forks, the child process copies the parent's VMAs but the +user_mapped reference count is not incremented. As a result, when both the +parent and child processes exit, tracing_buffers_mmap_close() is called +twice. On the second call, user_mapped is already 0, causing the function to +return -ENODEV and triggering a WARN_ON. + +Normally, this isn't an issue as the memory is mapped with VM_DONTCOPY set. +But this is only a hint, and the application can call +madvise(MADVISE_DOFORK) which resets the VM_DONTCOPY flag. When the +application does that, it can trigger this issue on fork. + +Fix it by incrementing the user_mapped reference count without re-mapping +the pages in the VMA's open callback. 
+ +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Cc: Vincent Donnefort +Cc: Lorenzo Stoakes +Link: https://patch.msgid.link/20260227025842.1085206-1-wangqing7171@gmail.com +Fixes: cf9f0f7c4c5bb ("tracing: Allow user-space mapping of the ring-buffer") +Reported-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=3b5dd2030fe08afdf65d +Tested-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com +Signed-off-by: Qing Wang +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ring_buffer.h | 1 + + kernel/trace/ring_buffer.c | 21 +++++++++++++++++++++ + kernel/trace/trace.c | 13 +++++++++++++ + 3 files changed, 35 insertions(+) + +--- a/include/linux/ring_buffer.h ++++ b/include/linux/ring_buffer.h +@@ -244,6 +244,7 @@ int trace_rb_cpu_prepare(unsigned int cp + + int ring_buffer_map(struct trace_buffer *buffer, int cpu, + struct vm_area_struct *vma); ++void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu); + int ring_buffer_unmap(struct trace_buffer *buffer, int cpu); + int ring_buffer_map_get_reader(struct trace_buffer *buffer, int cpu); + #endif /* _LINUX_RING_BUFFER_H */ +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -7154,6 +7154,27 @@ unlock: + return err; + } + ++/* ++ * This is called when a VMA is duplicated (e.g., on fork()) to increment ++ * the user_mapped counter without remapping pages. 
++ */ ++void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu) ++{ ++ struct ring_buffer_per_cpu *cpu_buffer; ++ ++ if (WARN_ON(!cpumask_test_cpu(cpu, buffer->cpumask))) ++ return; ++ ++ cpu_buffer = buffer->buffers[cpu]; ++ ++ guard(mutex)(&cpu_buffer->mapping_lock); ++ ++ if (cpu_buffer->user_mapped) ++ __rb_inc_dec_mapped(cpu_buffer, true); ++ else ++ WARN(1, "Unexpected buffer stat, it should be mapped"); ++} ++ + int ring_buffer_unmap(struct trace_buffer *buffer, int cpu) + { + struct ring_buffer_per_cpu *cpu_buffer; +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -8274,6 +8274,18 @@ static inline int get_snapshot_map(struc + static inline void put_snapshot_map(struct trace_array *tr) { } + #endif + ++/* ++ * This is called when a VMA is duplicated (e.g., on fork()) to increment ++ * the user_mapped counter without remapping pages. ++ */ ++static void tracing_buffers_mmap_open(struct vm_area_struct *vma) ++{ ++ struct ftrace_buffer_info *info = vma->vm_file->private_data; ++ struct trace_iterator *iter = &info->iter; ++ ++ ring_buffer_map_dup(iter->array_buffer->buffer, iter->cpu_file); ++} ++ + static void tracing_buffers_mmap_close(struct vm_area_struct *vma) + { + struct ftrace_buffer_info *info = vma->vm_file->private_data; +@@ -8293,6 +8305,7 @@ static int tracing_buffers_may_split(str + } + + static const struct vm_operations_struct tracing_buffers_vmops = { ++ .open = tracing_buffers_mmap_open, + .close = tracing_buffers_mmap_close, + .may_split = tracing_buffers_may_split, + }; diff --git a/queue-6.12/wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch b/queue-6.12/wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch new file mode 100644 index 0000000000..132487a951 --- /dev/null +++ b/queue-6.12/wifi-cfg80211-cancel-rfkill_block-work-in-wiphy_unregister.patch 
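Review bot: in the `ring_buffer.c` hunk, the `WARN(1, "Unexpected buffer stat, it should be mapped")` text should read `state`, and unlike `ring_buffer_map()` and `ring_buffer_unmap()` the new `ring_buffer_map_dup()` returns nothing, so a VMA duplicated while `user_mapped` is 0 is warned about but the duplicated mapping still proceeds and its later `close` will hit the same `-ENODEV` path the message describes; a sentence on why this state cannot be reached (the original VMA holds its reference until its own `close`) would help.

Review bot: in the `trace.c` hunk, the comment above `tracing_buffers_mmap_open()` repeats the `ring_buffer.c` comment verbatim; either reference `ring_buffer_map_dup()` from one of them or keep the explanation in a single place so the two do not drift apart.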
@@ -0,0 +1,57 @@ +From 767d23ade706d5fa51c36168e92a9c5533c351a1 Mon Sep 17 00:00:00 2001 +From: Daniil Dulov +Date: Wed, 11 Feb 2026 11:20:24 +0300 +Subject: wifi: cfg80211: cancel rfkill_block work in wiphy_unregister() + +From: Daniil Dulov + +commit 767d23ade706d5fa51c36168e92a9c5533c351a1 upstream. + +There is a use-after-free error in cfg80211_shutdown_all_interfaces found +by syzkaller: + +BUG: KASAN: use-after-free in cfg80211_shutdown_all_interfaces+0x213/0x220 +Read of size 8 at addr ffff888112a78d98 by task kworker/0:5/5326 +CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:5 Not tainted 6.19.0-rc2 #2 PREEMPT(voluntary) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 +Workqueue: events cfg80211_rfkill_block_work +Call Trace: + + dump_stack_lvl+0x116/0x1f0 + print_report+0xcd/0x630 + kasan_report+0xe0/0x110 + cfg80211_shutdown_all_interfaces+0x213/0x220 + cfg80211_rfkill_block_work+0x1e/0x30 + process_one_work+0x9cf/0x1b70 + worker_thread+0x6c8/0xf10 + kthread+0x3c5/0x780 + ret_from_fork+0x56d/0x700 + ret_from_fork_asm+0x1a/0x30 + + +The problem arises due to the rfkill_block work is not cancelled when wiphy +is being unregistered. In order to fix the issue cancel the corresponding +work in wiphy_unregister(). + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 
+ +Fixes: 1f87f7d3a3b4 ("cfg80211: add rfkill support") +Cc: stable@vger.kernel.org +Signed-off-by: Daniil Dulov +Link: https://patch.msgid.link/20260211082024.1967588-1-d.dulov@aladdin.ru +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -1174,6 +1174,7 @@ void wiphy_unregister(struct wiphy *wiph + /* this has nothing to do now but make sure it's gone */ + cancel_work_sync(&rdev->wiphy_work); + ++ cancel_work_sync(&rdev->rfkill_block); + cancel_work_sync(&rdev->conn_work); + flush_work(&rdev->event_work); + cancel_delayed_work_sync(&rdev->dfs_update_channels_wk); diff --git a/queue-6.12/wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch b/queue-6.12/wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch new file mode 100644 index 0000000000..e612be45da --- /dev/null +++ b/queue-6.12/wifi-mac80211-bounds-check-link_id-in-ieee80211_ml_reconfiguration.patch 
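Review bot: `cancel_work_sync(&rdev->rfkill_block)` in `wiphy_unregister()` only closes the race if nothing can requeue the work after this line; since the work is queued from the rfkill block callback, the message should state that the rfkill device is unregistered before this point in `wiphy_unregister()`, otherwise a block event arriving after the cancel reproduces the use-after-free in `cfg80211_shutdown_all_interfaces()` shown in the KASAN report.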
@@ -0,0 +1,38 @@ +From 162d331d833dc73a3e905a24c44dd33732af1fc5 Mon Sep 17 00:00:00 2001 +From: Ariel Silver +Date: Fri, 20 Feb 2026 10:11:29 +0000 +Subject: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration + +From: Ariel Silver + +commit 162d331d833dc73a3e905a24c44dd33732af1fc5 upstream. + +link_id is taken from the ML Reconfiguration element (control & 0x000f), +so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS +(15) elements, so index 15 is out-of-bounds. Skip subelements with +link_id >= IEEE80211_MLD_MAX_NUM_LINKS to avoid a stack out-of-bounds +write. + +Fixes: 8eb8dd2ffbbb ("wifi: mac80211: Support link removal using Reconfiguration ML element") +Reported-by: Ariel Silver +Signed-off-by: Ariel Silver +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260220101129.1202657-1-Ariel.Silver@cybereason.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -6256,6 +6256,9 @@ static void ieee80211_ml_reconfiguration + control = le16_to_cpu(prof->control); + link_id = control & IEEE80211_MLE_STA_RECONF_CONTROL_LINK_ID; + ++ if (link_id >= IEEE80211_MLD_MAX_NUM_LINKS) ++ continue; ++ + removed_links |= BIT(link_id); + + /* the MAC address should not be included, but handle it */ diff --git a/queue-6.12/wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch b/queue-6.12/wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch new file mode 100644 index 0000000000..13bcc403e9 --- /dev/null +++ b/queue-6.12/wifi-mac80211-fix-null-pointer-dereference-in-mesh_rx_csa_frame.patch 
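Review bot: the new `if (link_id >= IEEE80211_MLD_MAX_NUM_LINKS) continue;` silently drops the offending subelement and keeps processing the rest of the ML Reconfiguration element; since a link ID of 15 against a 15-entry `link_removal_timeout[]` indicates a malformed element, the message should say why skipping the subelement is preferred over rejecting the whole element, so the choice reads as deliberate. Also, `Reported-by:` and `Signed-off-by:` name the same person, which makes the `Reported-by:` tag redundant.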
@@ -0,0 +1,63 @@ +From 017c1792525064a723971f0216e6ef86a8c7af11 Mon Sep 17 00:00:00 2001 +From: Vahagn Vardanian +Date: Mon, 23 Feb 2026 00:00:00 +0000 +Subject: wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame() + +From: Vahagn Vardanian + +commit 017c1792525064a723971f0216e6ef86a8c7af11 upstream. + +In mesh_rx_csa_frame(), elems->mesh_chansw_params_ie is dereferenced +at lines 1638 and 1642 without a prior NULL check: + + ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl; + ... + pre_value = le16_to_cpu(elems->mesh_chansw_params_ie->mesh_pre_value); + +The mesh_matches_local() check above only validates the Mesh ID, +Mesh Configuration, and Supported Rates IEs. It does not verify the +presence of the Mesh Channel Switch Parameters IE (element ID 118). +When a received CSA action frame omits that IE, ieee802_11_parse_elems() +leaves elems->mesh_chansw_params_ie as NULL, and the unconditional +dereference causes a kernel NULL pointer dereference. + +A remote mesh peer with an established peer link (PLINK_ESTAB) can +trigger this by sending a crafted SPECTRUM_MGMT/CHL_SWITCH action frame +that includes a matching Mesh ID and Mesh Configuration IE but omits the +Mesh Channel Switch Parameters IE. No authentication beyond the default +open mesh peering is required. + +Crash confirmed on kernel 6.17.0-5-generic via mac80211_hwsim: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + Oops: Oops: 0000 [#1] SMP NOPTI + RIP: 0010:ieee80211_mesh_rx_queued_mgmt+0x143/0x2a0 [mac80211] + CR2: 0000000000000000 + +Fix by adding a NULL check for mesh_chansw_params_ie after +mesh_matches_local() returns, consistent with how other optional IEs +are guarded throughout the mesh code. + +The bug has been present since v3.13 (released 2014-01-19). 
+ +Fixes: 8f2535b92d68 ("mac80211: process the CSA frame for mesh accordingly") +Cc: stable@vger.kernel.org +Signed-off-by: Vahagn Vardanian +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mesh.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -1631,6 +1631,9 @@ static void mesh_rx_csa_frame(struct iee + if (!mesh_matches_local(sdata, elems)) + goto free; + ++ if (!elems->mesh_chansw_params_ie) ++ goto free; ++ + ifmsh->chsw_ttl = elems->mesh_chansw_params_ie->mesh_ttl; + if (!--ifmsh->chsw_ttl) + fwd_csa = false; diff --git a/queue-6.12/wifi-radiotap-reject-radiotap-with-unknown-bits.patch b/queue-6.12/wifi-radiotap-reject-radiotap-with-unknown-bits.patch new file mode 100644 index 0000000000..8416e5f659 --- /dev/null +++ b/queue-6.12/wifi-radiotap-reject-radiotap-with-unknown-bits.patch 
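Review bot: the added `if (!elems->mesh_chansw_params_ie) goto free;` is the right guard and is consistent with the other optional-IE checks the message cites, but it drops the frame without any trace; a debug line through the mesh code's existing debug macro would let operators notice CSA frames that omit the Mesh Channel Switch Parameters IE. Also, the message cites source line numbers 1638 and 1642, which drift between trees (this is a 6.12 backport of a 6.17 report); naming the two dereferences by expression is more durable.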
@@ -0,0 +1,51 @@ +From c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 17 Feb 2026 13:05:26 +0100 +Subject: wifi: radiotap: reject radiotap with unknown bits + +From: Johannes Berg + +commit c854758abe0b8d86f9c43dc060ff56a0ee5b31e0 upstream. + +The radiotap parser is currently only used with the radiotap +namespace (not with vendor namespaces), but if the undefined +field 18 is used, the alignment/size is unknown as well. In +this case, iterator->_next_ns_data isn't initialized (it's +only set for skipping vendor namespaces), and syzbot points +out that we later compare against this uninitialized value. + +Fix this by moving the rejection of unknown radiotap fields +down to after the in-namespace lookup, so it will really use +iterator->_next_ns_data only for vendor namespaces, even in +case undefined fields are present. + +Cc: stable@vger.kernel.org +Fixes: 33e5a2f776e3 ("wireless: update radiotap parser") +Reported-by: syzbot+b09c1af8764c0097bb19@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/r/69944a91.a70a0220.2c38d7.00fc.GAE@google.com +Link: https://patch.msgid.link/20260217120526.162647-2-johannes@sipsolutions.net +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/radiotap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/wireless/radiotap.c ++++ b/net/wireless/radiotap.c +@@ -239,14 +239,14 @@ int ieee80211_radiotap_iterator_next( + default: + if (!iterator->current_namespace || + iterator->_arg_index >= iterator->current_namespace->n_bits) { +- if (iterator->current_namespace == &radiotap_ns) +- return -ENOENT; + align = 0; + } else { + align = iterator->current_namespace->align_size[iterator->_arg_index].align; + size = iterator->current_namespace->align_size[iterator->_arg_index].size; + } + if (!align) { ++ if (iterator->current_namespace == &radiotap_ns) ++ return -ENOENT; + /* skip all subsequent data */ + iterator->_arg = 
iterator->_next_ns_data; + /* give up on this namespace */
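Review bot: moving `if (iterator->current_namespace == &radiotap_ns) return -ENOENT;` from the `_arg_index >= n_bits` branch into `if (!align)` only changes behaviour for a bit that lies inside `n_bits` but whose `align_size[]` entry has `align == 0`; the message calls field 18 "undefined" without saying that this is exactly such an entry, which is what let execution fall through to the uninitialised `iterator->_next_ns_data`. Stating that explicitly would make the fix self-explanatory, and a comment at the new return noting that the namespace lookup must run first would stop a future cleanup from hoisting it back.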