From: Greg Kroah-Hartman Date: Sun, 12 Apr 2026 05:20:02 +0000 (+0200) Subject: 6.6-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d6f4800f9f75f18e33462c7e070867bd68c8b8b1;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: input-uinput-fix-circular-locking-dependency-with-ff-core.patch input-uinput-take-event-lock-when-submitting-ff-request-event.patch lib-crypto-chacha-zeroize-permuted_state-before-it-leaves-scope.patch mptcp-fix-slab-use-after-free-in-__inet_lookup_established.patch net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch series wifi-rt2x00usb-fix-devres-lifetime.patch xfrm_user-fix-info-leak-in-build_report.patch --- diff --git a/queue-6.6/input-uinput-fix-circular-locking-dependency-with-ff-core.patch b/queue-6.6/input-uinput-fix-circular-locking-dependency-with-ff-core.patch new file mode 100644 index 0000000000..2f50db79e0 --- /dev/null +++ b/queue-6.6/input-uinput-fix-circular-locking-dependency-with-ff-core.patch @@ -0,0 +1,158 @@ +From 4cda78d6f8bf2b700529f2fbccb994c3e826d7c2 Mon Sep 17 00:00:00 2001 +From: Mikhail Gavrilov +Date: Tue, 7 Apr 2026 12:50:31 +0500 +Subject: Input: uinput - fix circular locking dependency with ff-core + +From: Mikhail Gavrilov + +commit 4cda78d6f8bf2b700529f2fbccb994c3e826d7c2 upstream. + +A lockdep circular locking dependency warning can be triggered +reproducibly when using a force-feedback gamepad with uinput (for +example, playing ELDEN RING under Wine with a Flydigi Vader 5 +controller): + + ff->mutex -> udev->mutex -> input_mutex -> dev->mutex -> ff->mutex + +The cycle is caused by four lock acquisition paths: + +1. ff upload: input_ff_upload() holds ff->mutex and calls + uinput_dev_upload_effect() -> uinput_request_submit() -> + uinput_request_send(), which acquires udev->mutex. + +2. device create: uinput_ioctl_handler() holds udev->mutex and calls + uinput_create_device() -> input_register_device(), which acquires + input_mutex. + +3. device register: input_register_device() holds input_mutex and + calls kbd_connect() -> input_register_handle(), which acquires + dev->mutex. + +4. evdev release: evdev_release() calls input_flush_device() under + dev->mutex, which calls input_ff_flush() acquiring ff->mutex. + +Fix this by introducing a new state_lock spinlock to protect +udev->state and udev->dev access in uinput_request_send() instead of +acquiring udev->mutex. The function only needs to atomically check +device state and queue an input event into the ring buffer via +uinput_dev_event() -- both operations are safe under a spinlock +(ktime_get_ts64() and wake_up_interruptible() do not sleep). This +breaks the ff->mutex -> udev->mutex link since a spinlock is a leaf in +the lock ordering and cannot form cycles with mutexes. + +To keep state transitions visible to uinput_request_send(), protect +writes to udev->state in uinput_create_device() and +uinput_destroy_device() with the same state_lock spinlock. + +Additionally, move init_completion(&request->done) from +uinput_request_send() to uinput_request_submit() before +uinput_request_reserve_slot(). Once the slot is allocated, +uinput_flush_requests() may call complete() on it at any time from +the destroy path, so the completion must be initialised before the +request becomes visible. + +Lock ordering after the fix: + + ff->mutex -> state_lock (spinlock, leaf) + udev->mutex -> state_lock (spinlock, leaf) + udev->mutex -> input_mutex -> dev->mutex -> ff->mutex (no back-edge) + +Fixes: ff462551235d ("Input: uinput - switch to the new FF interface") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/all/CABXGCsMoxag+kEwHhb7KqhuyxfmGGd0P=tHZyb1uKE0pLr8Hkg@mail.gmail.com/ +Signed-off-by: Mikhail Gavrilov +Link: https://patch.msgid.link/20260407075031.38351-1-mikhail.v.gavrilov@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/misc/uinput.c | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -57,6 +57,7 @@ struct uinput_device { + struct input_dev *dev; + struct mutex mutex; + enum uinput_state state; ++ spinlock_t state_lock; + wait_queue_head_t waitq; + unsigned char ready; + unsigned char head; +@@ -146,19 +147,15 @@ static void uinput_request_release_slot( + static int uinput_request_send(struct uinput_device *udev, + struct uinput_request *request) + { +- int retval; ++ int retval = 0; + +- retval = mutex_lock_interruptible(&udev->mutex); +- if (retval) +- return retval; ++ spin_lock(&udev->state_lock); + + if (udev->state != UIST_CREATED) { + retval = -ENODEV; + goto out; + } + +- init_completion(&request->done); +- + /* + * Tell our userspace application about this new request + * by queueing an input event. +@@ -166,7 +163,7 @@ static int uinput_request_send(struct ui + uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id); + + out: +- mutex_unlock(&udev->mutex); ++ spin_unlock(&udev->state_lock); + return retval; + } + +@@ -175,6 +172,13 @@ static int uinput_request_submit(struct + { + int retval; + ++ /* ++ * Initialize completion before allocating the request slot. ++ * Once the slot is allocated, uinput_flush_requests() may ++ * complete it at any time, so it must be initialized first. ++ */ ++ init_completion(&request->done); ++ + retval = uinput_request_reserve_slot(udev, request); + if (retval) + return retval; +@@ -289,7 +293,14 @@ static void uinput_destroy_device(struct + struct input_dev *dev = udev->dev; + enum uinput_state old_state = udev->state; + ++ /* ++ * Update state under state_lock so that concurrent ++ * uinput_request_send() sees the state change before we ++ * flush pending requests and tear down the device. ++ */ ++ spin_lock(&udev->state_lock); + udev->state = UIST_NEW_DEVICE; ++ spin_unlock(&udev->state_lock); + + if (dev) { + name = dev->name; +@@ -366,7 +377,9 @@ static int uinput_create_device(struct u + if (error) + goto fail2; + ++ spin_lock(&udev->state_lock); + udev->state = UIST_CREATED; ++ spin_unlock(&udev->state_lock); + + return 0; + +@@ -384,6 +397,7 @@ static int uinput_open(struct inode *ino + return -ENOMEM; + + mutex_init(&newdev->mutex); ++ spin_lock_init(&newdev->state_lock); + spin_lock_init(&newdev->requests_lock); + init_waitqueue_head(&newdev->requests_waitq); + init_waitqueue_head(&newdev->waitq); diff --git a/queue-6.6/input-uinput-take-event-lock-when-submitting-ff-request-event.patch b/queue-6.6/input-uinput-take-event-lock-when-submitting-ff-request-event.patch new file mode 100644 index 0000000000..fa29756ada --- /dev/null +++ b/queue-6.6/input-uinput-take-event-lock-when-submitting-ff-request-event.patch @@ -0,0 +1,62 @@ +From ff14dafde15c11403fac61367a34fea08926e9ee Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Tue, 7 Apr 2026 22:16:27 -0700 +Subject: Input: uinput - take event lock when submitting FF request "event" + +From: Dmitry Torokhov + +commit ff14dafde15c11403fac61367a34fea08926e9ee upstream. + +To avoid racing with FF playback events and corrupting device's event +queue take event_lock spinlock when calling uinput_dev_event() when +submitting a FF upload or erase "event". + +Tested-by: Mikhail Gavrilov +Link: https://patch.msgid.link/adXkf6MWzlB8LA_s@google.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/misc/uinput.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/misc/uinput.c ++++ b/drivers/input/misc/uinput.c +@@ -25,8 +25,10 @@ + #include + #include + #include ++#include + #include + #include ++#include + #include + #include "../input-compat.h" + +@@ -76,6 +78,8 @@ static int uinput_dev_event(struct input + struct uinput_device *udev = input_get_drvdata(dev); + struct timespec64 ts; + ++ lockdep_assert_held(&dev->event_lock); ++ + ktime_get_ts64(&ts); + + udev->buff[udev->head] = (struct input_event) { +@@ -147,6 +151,7 @@ static void uinput_request_release_slot( + static int uinput_request_send(struct uinput_device *udev, + struct uinput_request *request) + { ++ unsigned long flags; + int retval = 0; + + spin_lock(&udev->state_lock); +@@ -160,7 +165,9 @@ static int uinput_request_send(struct ui + * Tell our userspace application about this new request + * by queueing an input event. + */ ++ spin_lock_irqsave(&udev->dev->event_lock, flags); + uinput_dev_event(udev->dev, EV_UINPUT, request->code, request->id); ++ spin_unlock_irqrestore(&udev->dev->event_lock, flags); + + out: + spin_unlock(&udev->state_lock); diff --git a/queue-6.6/lib-crypto-chacha-zeroize-permuted_state-before-it-leaves-scope.patch b/queue-6.6/lib-crypto-chacha-zeroize-permuted_state-before-it-leaves-scope.patch new file mode 100644 index 0000000000..7f0a54f5a6 --- /dev/null +++ b/queue-6.6/lib-crypto-chacha-zeroize-permuted_state-before-it-leaves-scope.patch @@ -0,0 +1,49 @@ +From e5046823f8fa3677341b541a25af2fcb99a5b1e0 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Wed, 25 Mar 2026 20:29:20 -0700 +Subject: lib/crypto: chacha: Zeroize permuted_state before it leaves scope + +From: Eric Biggers + +commit e5046823f8fa3677341b541a25af2fcb99a5b1e0 upstream. + +Since the ChaCha permutation is invertible, the local variable +'permuted_state' is sufficient to compute the original 'state', and thus +the key, even after the permutation has been done. + +While the kernel is quite inconsistent about zeroizing secrets on the +stack (and some prominent userspace crypto libraries don't bother at all +since it's not guaranteed to work anyway), the kernel does try to do it +as a best practice, especially in cases involving the RNG. + +Thus, explicitly zeroize 'permuted_state' before it goes out of scope. + +Fixes: c08d0e647305 ("crypto: chacha20 - Add a generic ChaCha20 stream cipher implementation") +Cc: stable@vger.kernel.org +Acked-by: Ard Biesheuvel +Link: https://lore.kernel.org/r/20260326032920.39408-1-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + lib/crypto/chacha.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/lib/crypto/chacha.c ++++ b/lib/crypto/chacha.c +@@ -86,6 +86,8 @@ void chacha_block_generic(u32 *state, u8 + put_unaligned_le32(x[i] + state[i], &stream[i * sizeof(u32)]); + + state[12]++; ++ ++ memzero_explicit(x, sizeof(x)); + } + EXPORT_SYMBOL(chacha_block_generic); + +@@ -110,5 +112,7 @@ void hchacha_block_generic(const u32 *st + + memcpy(&stream[0], &x[0], 16); + memcpy(&stream[4], &x[12], 16); ++ ++ memzero_explicit(x, sizeof(x)); + } + EXPORT_SYMBOL(hchacha_block_generic); diff --git a/queue-6.6/mptcp-fix-slab-use-after-free-in-__inet_lookup_established.patch b/queue-6.6/mptcp-fix-slab-use-after-free-in-__inet_lookup_established.patch new file mode 100644 index 0000000000..3baa20ade2 --- /dev/null +++ b/queue-6.6/mptcp-fix-slab-use-after-free-in-__inet_lookup_established.patch @@ -0,0 +1,101 @@ +From 9b55b253907e7431210483519c5ad711a37dafa1 Mon Sep 17 00:00:00 2001 +From: Jiayuan Chen +Date: Mon, 6 Apr 2026 11:15:10 +0800 +Subject: mptcp: fix slab-use-after-free in __inet_lookup_established + +From: Jiayuan Chen + +commit 9b55b253907e7431210483519c5ad711a37dafa1 upstream. + +The ehash table lookups are lockless and rely on +SLAB_TYPESAFE_BY_RCU to guarantee socket memory stability +during RCU read-side critical sections. Both tcp_prot and +tcpv6_prot have their slab caches created with this flag +via proto_register(). + +However, MPTCP's mptcp_subflow_init() copies tcpv6_prot into +tcpv6_prot_override during inet_init() (fs_initcall, level 5), +before inet6_init() (module_init/device_initcall, level 6) has +called proto_register(&tcpv6_prot). At that point, +tcpv6_prot.slab is still NULL, so tcpv6_prot_override.slab +remains NULL permanently. + +This causes MPTCP v6 subflow child sockets to be allocated via +kmalloc (falling into kmalloc-4k) instead of the TCPv6 slab +cache. The kmalloc-4k cache lacks SLAB_TYPESAFE_BY_RCU, so +when these sockets are freed without SOCK_RCU_FREE (which is +cleared for child sockets by design), the memory can be +immediately reused. Concurrent ehash lookups under +rcu_read_lock can then access freed memory, triggering a +slab-use-after-free in __inet_lookup_established. + +Fix this by splitting the IPv6-specific initialization out of +mptcp_subflow_init() into a new mptcp_subflow_v6_init(), called +from mptcp_proto_v6_init() before protocol registration. This +ensures tcpv6_prot_override.slab correctly inherits the +SLAB_TYPESAFE_BY_RCU slab cache. + +Fixes: b19bc2945b40 ("mptcp: implement delegated actions") +Cc: stable@vger.kernel.org +Signed-off-by: Jiayuan Chen +Reviewed-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260406031512.189159-1-jiayuan.chen@linux.dev +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 2 ++ + net/mptcp/protocol.h | 1 + + net/mptcp/subflow.c | 15 +++++++++------ + 3 files changed, 12 insertions(+), 6 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -4301,6 +4301,8 @@ int __init mptcp_proto_v6_init(void) + { + int err; + ++ mptcp_subflow_v6_init(); ++ + mptcp_v6_prot = mptcp_prot; + strcpy(mptcp_v6_prot.name, "MPTCPv6"); + mptcp_v6_prot.slab = NULL; +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -746,6 +746,7 @@ static inline void mptcp_subflow_tcp_fal + void __init mptcp_proto_init(void); + #if IS_ENABLED(CONFIG_MPTCP_IPV6) + int __init mptcp_proto_v6_init(void); ++void __init mptcp_subflow_v6_init(void); + #endif + + struct sock *mptcp_sk_clone_init(const struct sock *sk, +--- a/net/mptcp/subflow.c ++++ b/net/mptcp/subflow.c +@@ -2092,7 +2092,15 @@ void __init mptcp_subflow_init(void) + tcp_prot_override.psock_update_sk_prot = NULL; + #endif + ++ mptcp_diag_subflow_init(&subflow_ulp_ops); ++ ++ if (tcp_register_ulp(&subflow_ulp_ops) != 0) ++ panic("MPTCP: failed to register subflows to ULP\n"); ++} ++ + #if IS_ENABLED(CONFIG_MPTCP_IPV6) ++void __init mptcp_subflow_v6_init(void) ++{ + /* In struct mptcp_subflow_request_sock, we assume the TCP request sock + * structures for v4 and v6 have the same size. It should not changed in + * the future but better to make sure to be warned if it is no longer +@@ -2132,10 +2140,5 @@ void __init mptcp_subflow_init(void) + /* Disable sockmap processing for subflows */ + tcpv6_prot_override.psock_update_sk_prot = NULL; + #endif +-#endif +- +- mptcp_diag_subflow_init(&subflow_ulp_ops); +- +- if (tcp_register_ulp(&subflow_ulp_ops) != 0) +- panic("MPTCP: failed to register subflows to ULP\n"); + } ++#endif diff --git a/queue-6.6/net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch b/queue-6.6/net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch new file mode 100644 index 0000000000..9e93888b24 --- /dev/null +++ b/queue-6.6/net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch @@ -0,0 +1,114 @@ +From ea245d78dec594372e27d8c79616baf49e98a4a1 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 30 Mar 2026 11:14:13 +0200 +Subject: net: rfkill: prevent unlimited numbers of rfkill events from being created + +From: Greg Kroah-Hartman + +commit ea245d78dec594372e27d8c79616baf49e98a4a1 upstream. + +Userspace can create an unlimited number of rfkill events if the system +is so configured, while not consuming them from the rfkill file +descriptor, causing a potential out of memory situation. Prevent this +from bounding the number of pending rfkill events at a "large" number +(i.e. 1000) to prevent abuses like this. + +Cc: Johannes Berg +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/2026033013-disfigure-scroll-e25e@gregkh +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/rfkill/core.c | 35 ++++++++++++++++++++++++----------- + 1 file changed, 24 insertions(+), 11 deletions(-) + +--- a/net/rfkill/core.c ++++ b/net/rfkill/core.c +@@ -73,11 +73,14 @@ struct rfkill_int_event { + struct rfkill_event_ext ev; + }; + ++/* Max rfkill events that can be "in-flight" for one data source */ ++#define MAX_RFKILL_EVENT 1000 + struct rfkill_data { + struct list_head list; + struct list_head events; + struct mutex mtx; + wait_queue_head_t read_wait; ++ u32 event_count; + bool input_handler; + u8 max_size; + }; +@@ -255,10 +258,12 @@ static void rfkill_global_led_trigger_un + } + #endif /* CONFIG_RFKILL_LEDS */ + +-static void rfkill_fill_event(struct rfkill_event_ext *ev, +- struct rfkill *rfkill, +- enum rfkill_operation op) ++static int rfkill_fill_event(struct rfkill_int_event *int_ev, ++ struct rfkill *rfkill, ++ struct rfkill_data *data, ++ enum rfkill_operation op) + { ++ struct rfkill_event_ext *ev = &int_ev->ev; + unsigned long flags; + + ev->idx = rfkill->idx; +@@ -271,6 +276,15 @@ static void rfkill_fill_event(struct rfk + RFKILL_BLOCK_SW_PREV)); + ev->hard_block_reasons = rfkill->hard_block_reasons; + spin_unlock_irqrestore(&rfkill->lock, flags); ++ ++ scoped_guard(mutex, &data->mtx) { ++ if (data->event_count++ > MAX_RFKILL_EVENT) { ++ data->event_count--; ++ return -ENOSPC; ++ } ++ list_add_tail(&int_ev->list, &data->events); ++ } ++ return 0; + } + + static void rfkill_send_events(struct rfkill *rfkill, enum rfkill_operation op) +@@ -282,10 +296,10 @@ static void rfkill_send_events(struct rf + ev = kzalloc(sizeof(*ev), GFP_KERNEL); + if (!ev) + continue; +- rfkill_fill_event(&ev->ev, rfkill, op); +- mutex_lock(&data->mtx); +- list_add_tail(&ev->list, &data->events); +- mutex_unlock(&data->mtx); ++ if (rfkill_fill_event(ev, rfkill, data, op)) { ++ kfree(ev); ++ continue; ++ } + wake_up_interruptible(&data->read_wait); + } + } +@@ -1190,10 +1204,8 @@ static int rfkill_fop_open(struct inode + if (!ev) + goto free; + rfkill_sync(rfkill); +- rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD); +- mutex_lock(&data->mtx); +- list_add_tail(&ev->list, &data->events); +- mutex_unlock(&data->mtx); ++ if (rfkill_fill_event(ev, rfkill, data, RFKILL_OP_ADD)) ++ kfree(ev); + } + list_add(&data->list, &rfkill_fds); + mutex_unlock(&rfkill_global_mutex); +@@ -1263,6 +1275,7 @@ static ssize_t rfkill_fop_read(struct fi + ret = -EFAULT; + + list_del(&ev->list); ++ data->event_count--; + kfree(ev); + out: + mutex_unlock(&data->mtx); diff --git a/queue-6.6/series b/queue-6.6/series new file mode 100644 index 0000000000..51f6798f42 --- /dev/null +++ b/queue-6.6/series @@ -0,0 +1,7 @@ +lib-crypto-chacha-zeroize-permuted_state-before-it-leaves-scope.patch +wifi-rt2x00usb-fix-devres-lifetime.patch +xfrm_user-fix-info-leak-in-build_report.patch +net-rfkill-prevent-unlimited-numbers-of-rfkill-events-from-being-created.patch +mptcp-fix-slab-use-after-free-in-__inet_lookup_established.patch +input-uinput-fix-circular-locking-dependency-with-ff-core.patch +input-uinput-take-event-lock-when-submitting-ff-request-event.patch diff --git a/queue-6.6/wifi-rt2x00usb-fix-devres-lifetime.patch b/queue-6.6/wifi-rt2x00usb-fix-devres-lifetime.patch new file mode 100644 index 0000000000..9757234e96 --- /dev/null +++ b/queue-6.6/wifi-rt2x00usb-fix-devres-lifetime.patch @@ -0,0 +1,41 @@ +From 25369b22223d1c56e42a0cd4ac9137349d5a898e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 27 Mar 2026 12:32:19 +0100 +Subject: wifi: rt2x00usb: fix devres lifetime + +From: Johan Hovold + +commit 25369b22223d1c56e42a0cd4ac9137349d5a898e upstream. + +USB drivers bind to USB interfaces and any device managed resources +should have their lifetime tied to the interface rather than parent USB +device. This avoids issues like memory leaks when drivers are unbound +without their devices being physically disconnected (e.g. on probe +deferral or configuration changes). + +Fix the USB anchor lifetime so that it is released on driver unbind. + +Fixes: 8b4c0009313f ("rt2x00usb: Use usb anchor to manage URB") +Cc: stable@vger.kernel.org # 4.7 +Cc: Vishal Thanki +Signed-off-by: Johan Hovold +Acked-by: Stanislaw Gruszka +Reviewed-by: Greg Kroah-Hartman +Link: https://patch.msgid.link/20260327113219.1313748-1-johan@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ralink/rt2x00/rt2x00usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00usb.c +@@ -830,7 +830,7 @@ int rt2x00usb_probe(struct usb_interface + if (retval) + goto exit_free_device; + +- rt2x00dev->anchor = devm_kmalloc(&usb_dev->dev, ++ rt2x00dev->anchor = devm_kmalloc(&usb_intf->dev, + sizeof(struct usb_anchor), + GFP_KERNEL); + if (!rt2x00dev->anchor) { diff --git a/queue-6.6/xfrm_user-fix-info-leak-in-build_report.patch b/queue-6.6/xfrm_user-fix-info-leak-in-build_report.patch new file mode 100644 index 0000000000..2de8747787 --- /dev/null +++ b/queue-6.6/xfrm_user-fix-info-leak-in-build_report.patch @@ -0,0 +1,40 @@ +From d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 6 Apr 2026 17:34:22 +0200 +Subject: xfrm_user: fix info leak in build_report() + +From: Greg Kroah-Hartman + +commit d10119968d0e1f2b669604baf2a8b5fdb72fa6b4 upstream. + +struct xfrm_user_report is a __u8 proto field followed by a struct +xfrm_selector which means there is three "empty" bytes of padding, but +the padding is never zeroed before copying to userspace. Fix that up by +zeroing the structure before setting individual member variables. + +Cc: stable +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: Simon Horman +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_user.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -3740,6 +3740,7 @@ static int build_report(struct sk_buff * + return -EMSGSIZE; + + ur = nlmsg_data(nlh); ++ memset(ur, 0, sizeof(*ur)); + ur->proto = proto; + memcpy(&ur->sel, sel, sizeof(ur->sel)); +