From 04fb41198952f471e2b72c80c6fcb8262bdd456c Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 28 May 2026 13:36:58 +0200
Subject: [PATCH] 5.10-stable patches

added patches:
ipv4-raw-reject-ip_hdrincl-packets-with-ihl-5.patch
ixgbevf-fix-use-after-free-in-vepa-multicast-source-pruning.patch
ring-buffer-fix-reporting-of-missed-events-in-iterator.patch
vsock-vmci-fix-uaf-when-peer-resets-connection-during-handshake.patch
wifi-ath11k-clear-shared-srng-pointer-state-on-restart.patch
wifi-cfg80211-advance-loop-vars-in-cfg80211_merge_profile.patch
---
 ...reject-ip_hdrincl-packets-with-ihl-5.patch | 86 +++++++++++++++++++
 ...ree-in-vepa-multicast-source-pruning.patch | 62 +++++++++++++
 ...porting-of-missed-events-in-iterator.patch | 72 ++++++++++++++++
 queue-5.10/series | 6 ++
 ...r-resets-connection-during-handshake.patch | 64 ++++++++++++++
 ...shared-srng-pointer-state-on-restart.patch | 60 +++++++++++++
 ...-loop-vars-in-cfg80211_merge_profile.patch | 52 +++++++++++
 7 files changed, 402 insertions(+)
 create mode 100644 queue-5.10/ipv4-raw-reject-ip_hdrincl-packets-with-ihl-5.patch
 create mode 100644 queue-5.10/ixgbevf-fix-use-after-free-in-vepa-multicast-source-pruning.patch
 create mode 100644 queue-5.10/ring-buffer-fix-reporting-of-missed-events-in-iterator.patch
 create mode 100644 queue-5.10/vsock-vmci-fix-uaf-when-peer-resets-connection-during-handshake.patch
 create mode 100644 queue-5.10/wifi-ath11k-clear-shared-srng-pointer-state-on-restart.patch
 create mode 100644 queue-5.10/wifi-cfg80211-advance-loop-vars-in-cfg80211_merge_profile.patch

diff --git a/queue-5.10/ipv4-raw-reject-ip_hdrincl-packets-with-ihl-5.patch b/queue-5.10/ipv4-raw-reject-ip_hdrincl-packets-with-ihl-5.patch
new file mode 100644
index 0000000000..38d0cf99f7
--- /dev/null
+++ b/queue-5.10/ipv4-raw-reject-ip_hdrincl-packets-with-ihl-5.patch
@@ -0,0 +1,86 @@
+From 915fab69823a14c170dbaa3b41978768e0fe62fc Mon Sep 17 00:00:00 2001
+From: Michael Bommarito
+Date: Tue, 12 May 2026 16:51:14 -0400
+Subject: ipv4: raw: reject IP_HDRINCL packets with ihl < 5
+
+From: Michael Bommarito
+
+commit 915fab69823a14c170dbaa3b41978768e0fe62fc upstream.
+
+raw_send_hdrinc() validates that the caller-supplied IPv4 header
+fits within the message length:
+
+ iphlen = iph->ihl * 4;
+ err = -EINVAL;
+ if (iphlen > length)
+ goto error_free;
+
+ if (iphlen >= sizeof(*iph)) {
+ /* fix up saddr, tot_len, id, csum, transport_header */
+ }
+
+It does not, however, reject ihl < 5. For such a packet the
+"if (iphlen >= sizeof(*iph))" branch is skipped, leaving the
+crafted iphdr untouched, but the packet is still handed to
+__ip_local_out() and onward. Downstream consumers that read
+iph->ihl assume a sane value: net/ipv4/ah4.c:ah_output() in
+particular subtracts sizeof(struct iphdr) from top_iph->ihl * 4
+and passes the (signed-int-negative, then cast to size_t)
+result to memcpy(), producing an OOB access of length close to
+SIZE_MAX and a host kernel panic.
+
+An IPv4 header with ihl < 5 is malformed by definition (RFC 791:
+"Internet Header Length is the length of the internet header in
+32 bit words ... Note that the minimum value for a correct header
+is 5."). The kernel should not be willing to inject such a
+packet into its own output path.
+
+Reject "iphlen < sizeof(*iph)" alongside the existing
+"iphlen > length" check. This matches the principle that locally
+constructed packets that re-enter the IP stack must pass the same
+basic sanity tests that a foreign packet would be subjected to.
+
+Once this lands, the "if (iphlen >= sizeof(*iph))" wrapper around
+the fixup branch becomes redundant; left in place to keep the
+patch minimal and backport-friendly. A follow-up can unwrap it.
+
+Note that commit 86f4c90a1c5c ("ipv4, ipv6: ensure raw socket
+message is big enough to hold an IP header") ensures the message
+buffer is large enough to hold an iphdr, but does not constrain
+the self-reported iph->ihl.
+
+Reachability: the malformed packet source is any caller with
+CAP_NET_RAW, including an unprivileged process in a user+net
+namespace on a kernel with CONFIG_USER_NS=y. The reproduced AH
+crash also requires a matching xfrm AH policy on the outgoing
+route; a container granted CAP_NET_ADMIN can install that state
+and policy in its netns. Loopback bypasses xfrm_output, so the
+trigger uses a real netdev.
+
+Reproduced on UML + KASAN: kernel-mode fault at addr 0x0 with
+memcpy_orig at the crash site. Same shape reproduces inside a
+rootless Docker container with --cap-add NET_ADMIN on a stock
+distro kernel.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Suggested-by: Herbert Xu
+Signed-off-by: Michael Bommarito
+Link: https://patch.msgid.link/77ec2b5e8111961c2c39883c92e8aa2709039c17.1778614451.git.michael.bommarito@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/raw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -407,7 +407,7 @@ static int raw_send_hdrinc(struct sock *
+ * in, reject the frame as invalid
+ */
+ err = -EINVAL;
+- if (iphlen > length)
++ if (iphlen > length || iphlen < sizeof(*iph))
+ goto error_free;
+
+ if (iphlen >= sizeof(*iph)) {
diff --git a/queue-5.10/ixgbevf-fix-use-after-free-in-vepa-multicast-source-pruning.patch b/queue-5.10/ixgbevf-fix-use-after-free-in-vepa-multicast-source-pruning.patch
new file mode 100644
index 0000000000..97d8e598de
--- /dev/null
+++ b/queue-5.10/ixgbevf-fix-use-after-free-in-vepa-multicast-source-pruning.patch
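Review bot: The new condition `if (iphlen > length || iphlen < sizeof(*iph))` adds a lower bound that nothing at the call site explains; the comment block ending at the ` */` context line (its start is outside the hunk) only describes the "does not fit" case, and a reader of the 5.10 tree will not have the upstream changelog in front of them. Add a line to that comment such as `* or claims an ihl below the RFC 791 minimum of 5 words (20 bytes),` so the reason for the second comparison is documented where it is enforced. The `if (iphlen >= sizeof(*iph))` on the last context line is now always true; the changelog keeps it deliberately for backport friendliness, so leave the code but a one-line comment noting it is redundant after this check would stop someone "fixing" the check instead of the wrapper. raw_send_hdrinc() starts and ends outside the hunk.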
@@ -0,0 +1,62 @@
+From 5d49b568c188dc77199d8d2b959c91da8cc27cf1 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito
+Date: Fri, 15 May 2026 11:24:14 -0700
+Subject: ixgbevf: fix use-after-free in VEPA multicast source pruning
+
+From: Michael Bommarito
+
+commit 5d49b568c188dc77199d8d2b959c91da8cc27cf1 upstream.
+
+ixgbevf_clean_rx_irq() prunes frames whose source MAC matches the VF's
+own address (VEPA multicast workaround) by freeing the skb and
+continuing to the next descriptor:
+
+ dev_kfree_skb_irq(skb);
+ continue;
+
+The skb pointer is declared outside the while loop and persists across
+iterations. Because the continue skips the "skb = NULL" reset at the
+bottom of the loop, the next iteration enters the "else if (skb)" path
+and calls ixgbevf_add_rx_frag() on the freed skb, dereferencing
+skb_shinfo(skb)->nr_frags - a use-after-free in NAPI softirq context.
+
+The sibling driver iavf already handles this correctly by nulling the
+pointer before continuing. Apply the same pattern here.
+
+I do not have ixgbevf hardware; the bug was found by static analysis
+(scan_drop_continue_loops.py + semgrep drop_continue_in_loop, multi-tool
+corroboration with the highest score in the scan). The UAF was confirmed
+under KASAN by loading a test module that reproduces the exact code
+pattern (alloc skb, kfree_skb, then read skb_shinfo(skb)->nr_frags):
+
+ BUG: KASAN: slab-use-after-free in ixgbevf_uaf_test_init+0x100/0x1000
+ Read of size 8 at addr 000000006163ae78 by task insmod/30
+ freed 208-byte region [000000006163adc0, 000000006163ae90)
+
+QEMU emulates igb (82576) but not ixgbe (82599), and the igbvf VF
+driver does not include the VEPA source pruning path, so a full
+end-to-end reproduction with emulated hardware was not possible.
+
+Fixes: bad17234ba70 ("ixgbevf: Change receive model to use double buffered page based receives")
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael Bommarito
+Reviewed-by: Simon Horman
+Tested-by: Rafal Romanowski
+Signed-off-by: Tony Nguyen
+Link: https://patch.msgid.link/20260515182419.1597859-8-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+@@ -1228,6 +1228,7 @@ static int ixgbevf_clean_rx_irq(struct i
+ ether_addr_equal(rx_ring->netdev->dev_addr,
+ eth_hdr(skb)->h_source)) {
+ dev_kfree_skb_irq(skb);
++ skb = NULL;
+ continue;
+ }
+
diff --git a/queue-5.10/ring-buffer-fix-reporting-of-missed-events-in-iterator.patch b/queue-5.10/ring-buffer-fix-reporting-of-missed-events-in-iterator.patch
new file mode 100644
index 0000000000..f06738d976
--- /dev/null
+++ b/queue-5.10/ring-buffer-fix-reporting-of-missed-events-in-iterator.patch
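Review bot: The added `skb = NULL;` is the entire fix, yet at the call site it reads as an unexplained store right before `continue;`; the invariant it restores (skb is declared outside the loop and the next iteration branches on it) lives only in the changelog. Add a comment above it such as `/* skb outlives the loop body: clear it so the next descriptor is not appended to the freed buffer */` so the next edit to this loop keeps it. The changelog notes that `continue` skips the bookkeeping at the bottom of the loop; if that bookkeeping includes per-ring drop or byte counters, it is worth confirming whether a pruned frame should be counted (cannot tell from the hunk). ixgbevf_clean_rx_irq() starts and ends outside the hunk.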
@@ -0,0 +1,72 @@
+From a254b6d13b0edd6272926674d2afc46d46e496b7 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt
+Date: Wed, 20 May 2026 22:08:01 -0400
+Subject: ring-buffer: Fix reporting of missed events in iterator
+
+From: Steven Rostedt
+
+commit a254b6d13b0edd6272926674d2afc46d46e496b7 upstream.
+
+When tracing is active while reading the trace file, if the iterator
+reading the buffer detects that the writer has passed the iterator head,
+it will reset and set a "missed events" flag. This flag is passed to the
+output processing to show the user that events were missed:
+
+ CPU:4 [LOST EVENTS]
+
+The problem is that the flag is reset after it is checked in
+ring_buffer_iter_dropped(). But the "trace" file iterates over all the CPU
+ring buffers and it will check if they are dropped when figuring out which
+buffer to print next. This prematurely clears the missed_events flag if
+the CPU buffer with the missed events is not the one that is printed next.
+
+On the iteration where the CPU buffer with the missed events is printed,
+the check if it had missed events would return false and the output does
+not show that events were missed.
+
+Do not reset the missed_events flag when checking if there were missed
+events, but instead clear it when moving the iterator head to the next
+event.
+
+Cc: stable@vger.kernel.org
+Cc: Mathieu Desnoyers
+Link: https://patch.msgid.link/20260520220801.4fd09d13@fedora
+Fixes: c9b7a4a72ff64 ("ring-buffer/tracing: Have iterator acknowledge dropped events")
+Acked-by: Masami Hiramatsu (Google)
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/ring_buffer.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -4167,6 +4167,7 @@ static void rb_iter_reset(struct ring_bu
+ iter->head_page = cpu_buffer->reader_page;
+ iter->head = cpu_buffer->reader_page->read;
+ iter->next_event = iter->head;
++ iter->missed_events = 0;
+
+ iter->cache_reader_page = iter->head_page;
+ iter->cache_read = cpu_buffer->read;
+@@ -4776,10 +4777,7 @@ ring_buffer_peek(struct trace_buffer *bu
+ */
+ bool ring_buffer_iter_dropped(struct ring_buffer_iter *iter)
+ {
+- bool ret = iter->missed_events != 0;
+-
+- iter->missed_events = 0;
+- return ret;
++ return iter->missed_events != 0;
+ }
+ EXPORT_SYMBOL_GPL(ring_buffer_iter_dropped);
+
+@@ -4996,7 +4994,7 @@ void ring_buffer_iter_advance(struct rin
+ unsigned long flags;
+
+ raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags);
+-
++ iter->missed_events = 0;
+ rb_advance_iter(iter);
+
+ raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags);
diff --git a/queue-5.10/series b/queue-5.10/series
index f2a35ec014..880518873a 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
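Review bot: ring_buffer_iter_dropped() now returns `iter->missed_events != 0` without clearing the flag, but the kernel-doc block that ends at the ` */` context line directly above it (its start is outside the hunk) is not updated; if it still describes the call as acknowledging or resetting the dropped state, it is now wrong. Reword it to say the flag is sticky and is only cleared by ring_buffer_iter_advance() (under reader_lock) or by rb_iter_reset(), so callers may query it from several places before advancing. In the ring_buffer_iter_advance() hunk the clear is placed before rb_advance_iter(); that ordering matters if rb_advance_iter() can itself record a new miss, and a one-line comment `/* clear before advancing so a miss detected by the advance is not lost */` would pin it. The new `iter->missed_events = 0;` in rb_iter_reset() presumes any caller that resets because of a detected overrun re-sets the flag afterwards, which cannot be seen from this hunk.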
@@ -541,3 +541,9 @@ phonet-pep-disable-bh-around-forwarded-sk_receive_skb.patch
 net-bcmgenet-keep-rbuf-eee-pm-disabled.patch
 netfilter-ip6t_hbh-reject-oversized-option-lists.patch
 netfilter-ipset-stop-hash-range-iteration-at-end.patch
+ring-buffer-fix-reporting-of-missed-events-in-iterator.patch
+vsock-vmci-fix-uaf-when-peer-resets-connection-during-handshake.patch
+wifi-ath11k-clear-shared-srng-pointer-state-on-restart.patch
+ipv4-raw-reject-ip_hdrincl-packets-with-ihl-5.patch
+ixgbevf-fix-use-after-free-in-vepa-multicast-source-pruning.patch
+wifi-cfg80211-advance-loop-vars-in-cfg80211_merge_profile.patch
diff --git a/queue-5.10/vsock-vmci-fix-uaf-when-peer-resets-connection-during-handshake.patch b/queue-5.10/vsock-vmci-fix-uaf-when-peer-resets-connection-during-handshake.patch
new file mode 100644
index 0000000000..69f2f11b67
--- /dev/null
+++ b/queue-5.10/vsock-vmci-fix-uaf-when-peer-resets-connection-during-handshake.patch
@@ -0,0 +1,64 @@
+From 99e22ddf4edb63dc8382bc028af928056d3450cf Mon Sep 17 00:00:00 2001
+From: Minh Nguyen
+Date: Tue, 19 May 2026 17:23:10 +0700
+Subject: vsock/vmci: fix UAF when peer resets connection during handshake
+
+From: Minh Nguyen
+
+commit 99e22ddf4edb63dc8382bc028af928056d3450cf upstream.
+
+vmci_transport_recv_connecting_server() returned err = 0 for a peer
+RST in its default switch arm:
+
+ err = pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST ? 0 : -EINVAL;
+
+That made vmci_transport_recv_listen() skip vsock_remove_pending(),
+leaving the pending socket on the listener's pending_links with
+sk_state = TCP_CLOSE while destroy: still dropped the explicit
+reference taken before schedule_delayed_work().
+
+One second later vsock_pending_work() observed is_pending=true and
+performed full cleanup: vsock_remove_pending() then the two trailing
+sock_put(sk) calls -- the first reached refcount 0 and __sk_freed
+the socket, and the second wrote into the freed object:
+
+ BUG: KASAN: slab-use-after-free in refcount_warn_saturate
+ Write of size 4 at addr ffff88800b1cac80 by task kworker
+ Workqueue: events vsock_pending_work
+
+Treat peer RST like any other unexpected packet type (err = -EINVAL).
+All destroy: arms now return err < 0, so vmci_transport_recv_listen()
+removes pending from pending_links synchronously and
+vsock_pending_work() takes the is_pending=false / !rejected branch,
+dropping only its own work reference. This also closes the
+multi-packet race Sashiko reported on v2: pending is removed from
+the list before any subsequent packet can find it.
+
+The pre-existing sk_acceptq_removed() gap on the err < 0 path of
+vmci_transport_recv_listen() that Sashiko also noted is not
+introduced or changed by this patch.
+
+Tested on lts-6.12.79 with KASAN: 52/100 unpatched -> 0/100 patched.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Cc: stable@vger.kernel.org
+Signed-off-by: Minh Nguyen
+Acked-by: Bryan Tan
+Link: https://patch.msgid.link/20260519102310.237181-1-minhnguyen.080505@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/vmci_transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -1158,7 +1158,7 @@ vmci_transport_recv_connecting_server(st
+ /* Close and cleanup the connection. */
+ vmci_transport_send_reset(pending, pkt);
+ skerr = EPROTO;
+- err = pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST ? 0 : -EINVAL;
++ err = -EINVAL;
+ goto destroy;
+ }
+
diff --git a/queue-5.10/wifi-ath11k-clear-shared-srng-pointer-state-on-restart.patch b/queue-5.10/wifi-ath11k-clear-shared-srng-pointer-state-on-restart.patch
new file mode 100644
index 0000000000..baa20b619c
--- /dev/null
+++ b/queue-5.10/wifi-ath11k-clear-shared-srng-pointer-state-on-restart.patch
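Review bot: The new `err = -EINVAL;` intentionally drops the RST special case, but the comment on the first context line, `/* Close and cleanup the connection. */`, gives no hint that a peer RST is now routed through the error path on purpose so that vmci_transport_recv_listen() unlinks the pending socket synchronously; a future reader is likely to restore the old conditional as a "fix". Replace that comment with `/* Close and cleanup the connection. A peer RST takes this error path too: err < 0 makes the listener drop the pending socket now rather than leaving it to vsock_pending_work(). */`. The `skerr = EPROTO;` context line also covers the RST case, so a clean reset from the peer surfaces as EPROTO rather than ECONNRESET; that is pre-existing, but worth confirming it is the intended user-visible error. vmci_transport_recv_connecting_server() starts and ends outside the hunk.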
@@ -0,0 +1,60 @@
+From f51e4b3b5574ad8cb5b16b11f8a1452147ece87a Mon Sep 17 00:00:00 2001
+From: Kyle Farnung
+Date: Wed, 13 May 2026 21:52:12 -0700
+Subject: wifi: ath11k: clear shared SRNG pointer state on restart
+
+From: Kyle Farnung
+
+commit f51e4b3b5574ad8cb5b16b11f8a1452147ece87a upstream.
+
+LMAC rings reuse the shared rdp/wrp pointer buffers without going
+through the normal SRNG hw-init path that zeros non-LMAC ring
+pointers. After restart, ath11k_hal_srng_clear() can therefore hand
+stale hp/tp state from the previous firmware instance back to the new
+one.
+
+Clear the shared pointer buffers while keeping the allocations in
+place so restart still avoids reallocating SRNG DMA memory, but starts
+with fresh ring-pointer state.
+
+Fixes: 32be3ca4cf78b ("wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again")
+Cc: stable@vger.kernel.org
+Closes: https://lore.kernel.org/all/CAOPSVF04q6uvVdq8GTRLHBrVMdpt9=o9wVcFMc6f-yhmSBcZqQ@mail.gmail.com/
+Signed-off-by: Kyle Farnung
+Reviewed-by: Rameshkumar Sundaram
+Reviewed-by: Baochen Qiang
+Link: https://patch.msgid.link/20260513-kfarnung-ath11k-srng-clear-pointer-state-v1-1-bc700dd8b333@gmail.com
+Signed-off-by: Jeff Johnson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath11k/hal.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -1319,14 +1319,22 @@ EXPORT_SYMBOL(ath11k_hal_srng_deinit);
+
+ void ath11k_hal_srng_clear(struct ath11k_base *ab)
+ {
+- /* No need to memset rdp and wrp memory since each individual
+- * segment would get cleared in ath11k_hal_srng_src_hw_init()
+- * and ath11k_hal_srng_dst_hw_init().
++ /*
++ * Preserve the shared pointer buffers, but clear the previous
++ * firmware instance's hp/tp state before handing them back to FW.
++ * LMAC rings reuse this shared memory without going through the
++ * normal SRNG hw-init path that zeros non-LMAC ring pointers.
+ */
+ memset(ab->hal.srng_list, 0,
+ sizeof(ab->hal.srng_list));
+ memset(ab->hal.shadow_reg_addr, 0,
+ sizeof(ab->hal.shadow_reg_addr));
++ if (ab->hal.rdp.vaddr)
++ memset(ab->hal.rdp.vaddr, 0,
++ sizeof(*ab->hal.rdp.vaddr) * HAL_SRNG_RING_ID_MAX);
++ if (ab->hal.wrp.vaddr)
++ memset(ab->hal.wrp.vaddr, 0,
++ sizeof(*ab->hal.wrp.vaddr) * HAL_SRNG_NUM_LMAC_RINGS);
+ ab->hal.avail_blk_resource = 0;
+ ab->hal.current_blk_index = 0;
+ ab->hal.num_shadow_reg_configured = 0;
diff --git a/queue-5.10/wifi-cfg80211-advance-loop-vars-in-cfg80211_merge_profile.patch b/queue-5.10/wifi-cfg80211-advance-loop-vars-in-cfg80211_merge_profile.patch
new file mode 100644
index 0000000000..7c9e115e34
--- /dev/null
+++ b/queue-5.10/wifi-cfg80211-advance-loop-vars-in-cfg80211_merge_profile.patch
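Review bot: The two new memset() calls recompute the buffer lengths by hand, `sizeof(*ab->hal.rdp.vaddr) * HAL_SRNG_RING_ID_MAX` and `sizeof(*ab->hal.wrp.vaddr) * HAL_SRNG_NUM_LMAC_RINGS`, so they must stay in lock step with whatever size the allocator passed to dma_alloc_coherent(), which is outside this hunk; if the allocation path uses the same two expressions, storing the byte count next to `vaddr` (or one small helper used by both) would remove the duplication and the risk of a later over-length memset on DMA-coherent memory. The asymmetry (rdp sized by ring IDs, wrp by LMAC rings) is not obvious and deserves a short comment at the call site. The `if (ab->hal.rdp.vaddr)` / `if (ab->hal.wrp.vaddr)` guards imply this can run before allocation; a comment saying when vaddr is legitimately NULL here would help. ath11k_hal_srng_clear() ends outside the hunk.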
@@ -0,0 +1,52 @@
+From 7666dbb1bacc4ba522b96740cba7283d243d16e1 Mon Sep 17 00:00:00 2001
+From: John Walker
+Date: Thu, 7 May 2026 17:07:20 -0600
+Subject: wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
+
+From: John Walker
+
+commit 7666dbb1bacc4ba522b96740cba7283d243d16e1 upstream.
+
+cfg80211_merge_profile() reassembles a Multi-BSSID non-transmitted BSS
+profile that has been split across multiple consecutive MBSSID elements.
+Its while-loop calls
+
+ cfg80211_get_profile_continuation(ie, ielen, mbssid_elem, sub_elem)
+
+but never advances mbssid_elem or sub_elem inside the body. Each
+iteration therefore searches for a continuation that follows the same
+fixed pair; the helper returns the same next_mbssid; and the same
+next_sub bytes are memcpy()'d into merged_ie at a growing offset until
+the buffer fills.
+
+Advance both mbssid_elem and sub_elem to the just-consumed continuation
+so the next call to cfg80211_get_profile_continuation() searches for a
+further continuation beyond it (or returns NULL when none exists).
+
+A specially-crafted malicious beacon can take advantage of this bug
+to cause the kernel to spend an excessive amount of time in
+cfg80211_merge_profile (up to as much as 2ms per beacon received),
+which could theoretically be abused in some way.
+
+Cc: stable@vger.kernel.org
+Fixes: fe806e4992c9 ("cfg80211: support profile split between elements")
+Signed-off-by: John Walker
+Link: https://patch.msgid.link/20260507230720.64783-1-johnwalker0@gmail.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/scan.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -2176,6 +2176,9 @@ size_t cfg80211_merge_profile(const u8 *
+ memcpy(merged_ie + copied_len, next_sub->data,
+ next_sub->datalen);
+ copied_len += next_sub->datalen;
++
++ mbssid_elem = next_mbssid;
++ sub_elem = next_sub;
+ }
+
+ return copied_len;
--
2.47.3
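Review bot: The two added assignments `mbssid_elem = next_mbssid;` and `sub_elem = next_sub;` are the only thing that makes the while loop progress, yet nothing at the site says so; a later refactor that hoists or drops them would silently bring back the repeated memcpy the changelog describes. Add a comment above them such as `/* Resume the search after the continuation just consumed; without this the same pair is found and copied on every iteration */`. The loop head and the length check that bounds the `memcpy(merged_ie + copied_len, ...)` on the first context line are outside the hunk, so I cannot confirm that the copy is bounded by the caller's merged_ie size rather than only by the loop now terminating; that check is what keeps a crafted beacon from overrunning merged_ie and should be verified alongside this fix. cfg80211_merge_profile() starts outside the hunk.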