From 7780f283d14c8c6bf40fe9262219ad821a5dae80 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 12 May 2026 14:51:06 +0200 Subject: [PATCH] 6.12-stable patches added patches: bluetooth-btmtk-validate-wmt-event-skb-length-before-struct-access.patch bluetooth-hci_event-fix-oob-read-and-infinite-loop-in-hci_le_create_big_complete_evt.patch bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch loongarch-kvm-fix-missing-emulate_fail-in-kvm_emu_mmio_read.patch selinux-don-t-reserve-xattr-slot-when-we-won-t-fill-it.patch selinux-prune-sys-fs-selinux-disable.patch selinux-shrink-critical-section-in-sel_write_load.patch spi-s3c64xx-fix-null-deref-on-driver-unbind.patch spi-sun4i-fix-controller-deregistration.patch spi-sun6i-fix-controller-deregistration.patch spi-syncuacer-fix-controller-deregistration.patch spi-ti-qspi-fix-controller-deregistration.patch spi-zynqmp-gqspi-fix-controller-deregistration.patch staging-vme_user-fix-root-device-leak-on-init-failure.patch xfrm-ah-account-for-esn-high-bits-in-async-callbacks.patch xfrm-defensively-unhash-xfrm_state-lists-in-__xfrm_state_delete.patch xfrm-provide-message-size-for-xfrm_msg_mapping.patch --- ...vent-skb-length-before-struct-access.patch | 58 ++++++++ ...op-in-hci_le_create_big_complete_evt.patch | 80 +++++++++++ ...eref-in-l2cap_sock_new_connection_cb.patch | 33 +++++ ...-deref-in-l2cap_sock_state_change_cb.patch | 33 +++++ ...io_bt-clamp-rx-length-before-skb_put.patch | 91 +++++++++++++ ...t-validate-rx-pkt_type-header-length.patch | 93 +++++++++++++ ...ease-dst-on-error-in-xfrm6_rcv_encap.patch | 50 +++++++ ...ng-emulate_fail-in-kvm_emu_mmio_read.patch | 37 +++++ ...rve-xattr-slot-when-we-won-t-fill-it.patch | 41 ++++++ ...selinux-prune-sys-fs-selinux-disable.patch | 71 ++++++++++ ...k-critical-section-in-sel_write_load.patch | 76 +++++++++++ queue-6.12/series | 21 +++ ...64xx-fix-null-deref-on-driver-unbind.patch | 45 ++++++ ...-sun4i-fix-controller-deregistration.patch | 50 +++++++ ...-sun6i-fix-controller-deregistration.patch | 53 ++++++++ ...cuacer-fix-controller-deregistration.patch | 50 +++++++ ...i-qspi-fix-controller-deregistration.patch | 65 +++++++++ ...-gqspi-fix-controller-deregistration.patch | 44 ++++++ ...fix-root-device-leak-on-init-failure.patch | 33 +++++ ...for-esn-high-bits-in-async-callbacks.patch | 128 ++++++++++++++++++ ...m_state-lists-in-__xfrm_state_delete.patch | 119 ++++++++++++++++ ...de-message-size-for-xfrm_msg_mapping.patch | 40 ++++++ 22 files changed, 1311 insertions(+) create mode 100644 queue-6.12/bluetooth-btmtk-validate-wmt-event-skb-length-before-struct-access.patch create mode 100644 queue-6.12/bluetooth-hci_event-fix-oob-read-and-infinite-loop-in-hci_le_create_big_complete_evt.patch create mode 100644 queue-6.12/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch create mode 100644 queue-6.12/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch create mode 100644 queue-6.12/bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch create mode 100644 queue-6.12/bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch create mode 100644 queue-6.12/ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch create mode 100644 queue-6.12/loongarch-kvm-fix-missing-emulate_fail-in-kvm_emu_mmio_read.patch create mode 100644 queue-6.12/selinux-don-t-reserve-xattr-slot-when-we-won-t-fill-it.patch create mode 100644 queue-6.12/selinux-prune-sys-fs-selinux-disable.patch create mode 100644 queue-6.12/selinux-shrink-critical-section-in-sel_write_load.patch create mode 100644 queue-6.12/spi-s3c64xx-fix-null-deref-on-driver-unbind.patch create mode 100644 queue-6.12/spi-sun4i-fix-controller-deregistration.patch create mode 100644 queue-6.12/spi-sun6i-fix-controller-deregistration.patch create mode 100644 queue-6.12/spi-syncuacer-fix-controller-deregistration.patch create mode 100644 queue-6.12/spi-ti-qspi-fix-controller-deregistration.patch create mode 100644 queue-6.12/spi-zynqmp-gqspi-fix-controller-deregistration.patch create mode 100644 queue-6.12/staging-vme_user-fix-root-device-leak-on-init-failure.patch create mode 100644 queue-6.12/xfrm-ah-account-for-esn-high-bits-in-async-callbacks.patch create mode 100644 queue-6.12/xfrm-defensively-unhash-xfrm_state-lists-in-__xfrm_state_delete.patch create mode 100644 queue-6.12/xfrm-provide-message-size-for-xfrm_msg_mapping.patch diff --git a/queue-6.12/bluetooth-btmtk-validate-wmt-event-skb-length-before-struct-access.patch b/queue-6.12/bluetooth-btmtk-validate-wmt-event-skb-length-before-struct-access.patch new file mode 100644 index 0000000000..5192a93cd5 --- /dev/null +++ b/queue-6.12/bluetooth-btmtk-validate-wmt-event-skb-length-before-struct-access.patch @@ -0,0 +1,58 @@ +From 634a4408c0615c523cf7531790f4f14a422b9206 Mon Sep 17 00:00:00 2001 +From: Tristan Madani +Date: Tue, 21 Apr 2026 11:14:54 +0000 +Subject: Bluetooth: btmtk: validate WMT event SKB length before struct access + +From: Tristan Madani + +commit 634a4408c0615c523cf7531790f4f14a422b9206 upstream. + +btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to +struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc +(9 bytes) without first checking that the SKB contains enough data. +A short firmware response causes out-of-bounds reads from SKB tailroom. + +Use skb_pull_data() to validate and advance past the base WMT event +header. For the FUNC_CTRL case, pull the additional status field bytes +before accessing them. + +Fixes: d019930b0049 ("Bluetooth: btmtk: move btusb_mtk_hci_wmt_sync to btmtk.c") +Cc: stable@vger.kernel.org +Signed-off-by: Tristan Madani +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btmtk.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/bluetooth/btmtk.c ++++ b/drivers/bluetooth/btmtk.c +@@ -654,8 +654,13 @@ static int btmtk_usb_hci_wmt_sync(struct + if (data->evt_skb == NULL) + goto err_free_wc; + +- /* Parse and handle the return WMT event */ +- wmt_evt = (struct btmtk_hci_wmt_evt *)data->evt_skb->data; ++ wmt_evt = skb_pull_data(data->evt_skb, sizeof(*wmt_evt)); ++ if (!wmt_evt) { ++ bt_dev_err(hdev, "WMT event too short (%u bytes)", ++ data->evt_skb->len); ++ err = -EINVAL; ++ goto err_free_skb; ++ } + if (wmt_evt->whdr.op != hdr->op) { + bt_dev_err(hdev, "Wrong op received %d expected %d", + wmt_evt->whdr.op, hdr->op); +@@ -671,6 +676,12 @@ static int btmtk_usb_hci_wmt_sync(struct + status = BTMTK_WMT_PATCH_DONE; + break; + case BTMTK_WMT_FUNC_CTRL: ++ if (!skb_pull_data(data->evt_skb, ++ sizeof(wmt_evt_funcc->status))) { ++ err = -EINVAL; ++ goto err_free_skb; ++ } ++ + wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt; + if (be16_to_cpu(wmt_evt_funcc->status) == 0x404) + status = BTMTK_WMT_ON_DONE; diff --git a/queue-6.12/bluetooth-hci_event-fix-oob-read-and-infinite-loop-in-hci_le_create_big_complete_evt.patch b/queue-6.12/bluetooth-hci_event-fix-oob-read-and-infinite-loop-in-hci_le_create_big_complete_evt.patch new file mode 100644 index 0000000000..4cee064cf1 --- /dev/null +++ b/queue-6.12/bluetooth-hci_event-fix-oob-read-and-infinite-loop-in-hci_le_create_big_complete_evt.patch @@ -0,0 +1,80 @@ +From 5ddb8014261137cadaf83ab5617a588d80a22586 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Fri, 10 Apr 2026 15:29:52 -0400 +Subject: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt + +From: Luiz Augusto von Dentz + +commit 5ddb8014261137cadaf83ab5617a588d80a22586 upstream. + +hci_le_create_big_complete_evt() iterates over BT_BOUND connections for +a BIG handle using a while loop, accessing ev->bis_handle[i++] on each +iteration. However, there is no check that i stays within ev->num_bis +before the array access. + +When a controller sends a LE_Create_BIG_Complete event with fewer +bis_handle entries than there are BT_BOUND connections for that BIG, +or with num_bis=0, the loop reads beyond the valid bis_handle[] flex +array into adjacent heap memory. Since the out-of-bounds values +typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() +rejects them and the connection remains in BT_BOUND state. The same +connection is then found again by hci_conn_hash_lookup_big_state(), +creating an infinite loop with hci_dev_lock held. + +Fix this by terminating the BIG if in case not all BIS could be setup +properly. + +Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes") +Cc: stable@vger.kernel.org +Signed-off-by: ZhiTao Ou +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_event.c | 27 +++++++++++++++++++++++++-- + 1 file changed, 25 insertions(+), 2 deletions(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -6935,9 +6935,29 @@ static void hci_le_create_big_complete_e + continue; + } + ++ if (ev->num_bis <= i) { ++ bt_dev_err(hdev, ++ "Not enough BIS handles for BIG 0x%2.2x", ++ ev->handle); ++ ev->status = HCI_ERROR_UNSPECIFIED; ++ hci_connect_cfm(conn, ev->status); ++ hci_conn_del(conn); ++ continue; ++ } ++ + if (hci_conn_set_handle(conn, +- __le16_to_cpu(ev->bis_handle[i++]))) ++ __le16_to_cpu(ev->bis_handle[i++]))) { ++ bt_dev_err(hdev, ++ "Failed to set BIS handle for BIG 0x%2.2x", ++ ev->handle); ++ /* Force error so BIG gets terminated as not all BIS ++ * could be connected. ++ */ ++ ev->status = HCI_ERROR_UNSPECIFIED; ++ hci_connect_cfm(conn, ev->status); ++ hci_conn_del(conn); + continue; ++ } + + conn->state = BT_CONNECTED; + set_bit(HCI_CONN_BIG_CREATED, &conn->flags); +@@ -6946,7 +6966,10 @@ static void hci_le_create_big_complete_e + hci_iso_setup_path(conn); + } + +- if (!ev->status && !i) ++ /* If there is an unexpected error or if no BISes have been connected ++ * for the BIG, terminate it. ++ */ ++ if (ev->status == HCI_ERROR_UNSPECIFIED || (!ev->status && !i)) + /* If no BISes have been connected for the BIG, + * terminate. This is in case all bound connections + * have been closed before the BIG creation diff --git a/queue-6.12/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch b/queue-6.12/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch new file mode 100644 index 0000000000..f245af8ec5 --- /dev/null +++ b/queue-6.12/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch @@ -0,0 +1,33 @@ +From 0a120d96166301d7a95be75b52f843837dbd1219 Mon Sep 17 00:00:00 2001 +From: Siwei Zhang +Date: Wed, 15 Apr 2026 16:49:59 -0400 +Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() + +From: Siwei Zhang + +commit 0a120d96166301d7a95be75b52f843837dbd1219 upstream. + +Add the same NULL guard already present in +l2cap_sock_resume_cb() and l2cap_sock_ready_cb(). + +Fixes: 80808e431e1e ("Bluetooth: Add l2cap_chan_ops abstraction") +Cc: stable@kernel.org +Signed-off-by: Siwei Zhang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1467,6 +1467,9 @@ static struct l2cap_chan *l2cap_sock_new + { + struct sock *sk, *parent = chan->data; + ++ if (!parent) ++ return NULL; ++ + lock_sock(parent); + + /* Check for backlog size */ diff --git a/queue-6.12/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch b/queue-6.12/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch new file mode 100644 index 0000000000..444edf991a --- /dev/null +++ b/queue-6.12/bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch @@ -0,0 +1,33 @@ +From 2ff1a41a912de8517b4482e946dd951b7d80edbf Mon Sep 17 00:00:00 2001 +From: Siwei Zhang +Date: Wed, 15 Apr 2026 16:51:36 -0400 +Subject: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() + +From: Siwei Zhang + +commit 2ff1a41a912de8517b4482e946dd951b7d80edbf upstream. + +Add the same NULL guard already present in +l2cap_sock_resume_cb() and l2cap_sock_ready_cb(). + +Fixes: 89bc500e41fc ("Bluetooth: Add state tracking to struct l2cap_chan") +Cc: stable@kernel.org +Signed-off-by: Siwei Zhang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1630,6 +1630,9 @@ static void l2cap_sock_state_change_cb(s + { + struct sock *sk = chan->data; + ++ if (!sk) ++ return; ++ + sk->sk_state = state; + + if (err) diff --git a/queue-6.12/bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch b/queue-6.12/bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch new file mode 100644 index 0000000000..2374c59b4d --- /dev/null +++ b/queue-6.12/bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch @@ -0,0 +1,91 @@ +From 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Tue, 21 Apr 2026 13:08:44 -0400 +Subject: Bluetooth: virtio_bt: clamp rx length before skb_put + +From: Michael Bommarito + +commit 21bd244b6de5d2fe1063c23acc93fbdd2b20d112 upstream. + +virtbt_rx_work() calls skb_put(skb, len) where len comes directly +from virtqueue_get_buf() with no validation against the buffer we +posted to the device. The RX skb is allocated in virtbt_add_inbuf() +and exposed to virtio as exactly 1000 bytes via sg_init_one(). + +Checking len against skb_tailroom(skb) is not sufficient because +alloc_skb() can leave more tailroom than the 1000 bytes actually +handed to the device. A malicious or buggy backend can therefore +report used.len between 1001 and skb_tailroom(skb), causing skb_put() +to include uninitialized kernel heap bytes that were never written by +the device. + +The same path also accepts len == 0, in which case skb_put(skb, 0) +leaves the skb empty but virtbt_rx_handle() still reads the pkt_type +byte from skb->data, consuming uninitialized memory. + +Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and +sg_init_one(), and gate virtbt_rx_work() on that same constant so +the bound checked matches the buffer actually exposed to the device. +Reject used.len == 0 in the same gate so an empty completion can +no longer reach virtbt_rx_handle(). + +Use bt_dev_err_ratelimited() because the length value comes from an +untrusted backend that can otherwise flood the kernel log. + +Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer +overflow in USB transport layer"), which hardened the USB 9p +transport against unchecked device-reported length. + +Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length") +Cc: stable@vger.kernel.org +Cc: Soenke Huster +Signed-off-by: Michael Bommarito +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/virtio_bt.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/bluetooth/virtio_bt.c ++++ b/drivers/bluetooth/virtio_bt.c +@@ -12,6 +12,7 @@ + #include + + #define VERSION "0.1" ++#define VIRTBT_RX_BUF_SIZE 1000 + + enum { + VIRTBT_VQ_TX, +@@ -33,11 +34,11 @@ static int virtbt_add_inbuf(struct virti + struct sk_buff *skb; + int err; + +- skb = alloc_skb(1000, GFP_KERNEL); ++ skb = alloc_skb(VIRTBT_RX_BUF_SIZE, GFP_KERNEL); + if (!skb) + return -ENOMEM; + +- sg_init_one(sg, skb->data, 1000); ++ sg_init_one(sg, skb->data, VIRTBT_RX_BUF_SIZE); + + err = virtqueue_add_inbuf(vq, sg, 1, skb, GFP_KERNEL); + if (err < 0) { +@@ -227,8 +228,15 @@ static void virtbt_rx_work(struct work_s + if (!skb) + return; + +- skb_put(skb, len); +- virtbt_rx_handle(vbt, skb); ++ if (!len || len > VIRTBT_RX_BUF_SIZE) { ++ bt_dev_err_ratelimited(vbt->hdev, ++ "rx reply len %u outside [1, %u]\n", ++ len, VIRTBT_RX_BUF_SIZE); ++ kfree_skb(skb); ++ } else { ++ skb_put(skb, len); ++ virtbt_rx_handle(vbt, skb); ++ } + + if (virtbt_add_inbuf(vbt) < 0) + return; diff --git a/queue-6.12/bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch b/queue-6.12/bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch new file mode 100644 index 0000000000..eb5d769036 --- /dev/null +++ b/queue-6.12/bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch @@ -0,0 +1,93 @@ +From daf23014e5d975e72ea9c02b5160d3fcf070ea47 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Tue, 21 Apr 2026 13:08:45 -0400 +Subject: Bluetooth: virtio_bt: validate rx pkt_type header length + +From: Michael Bommarito + +commit daf23014e5d975e72ea9c02b5160d3fcf070ea47 upstream. + +virtbt_rx_handle() reads the leading pkt_type byte from the RX skb +and forwards the remainder to hci_recv_frame() for every +event/ACL/SCO/ISO type, without checking that the remaining payload +is at least the fixed HCI header for that type. + +After the preceding patch bounds the backend-supplied used.len to +[1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches +hci_recv_frame() with skb->len already pulled to 0. If the byte +happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification +fast-path in hci_dev_classify_pkt_type() dereferences +hci_acl_hdr(skb)->handle whenever the HCI device has an active +CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of +uninitialized RX-buffer data. The same hazard exists for every +packet type the driver accepts because none of the switch cases in +virtbt_rx_handle() check skb->len against the per-type minimum HCI +header size before handing the frame to the core. + +After stripping pkt_type, require skb->len to cover the fixed +header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) +before calling hci_recv_frame(); drop ratelimited otherwise. +Unknown pkt_type values still take the original kfree_skb() default +path. + +Use bt_dev_err_ratelimited() because both the length and pkt_type +values come from an untrusted backend that can otherwise flood the +kernel log. + +Fixes: 160fbcf3bfb9 ("Bluetooth: virtio_bt: Use skb_put to set length") +Cc: stable@vger.kernel.org +Cc: Soenke Huster +Signed-off-by: Michael Bommarito +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/virtio_bt.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +--- a/drivers/bluetooth/virtio_bt.c ++++ b/drivers/bluetooth/virtio_bt.c +@@ -198,6 +198,7 @@ static int virtbt_shutdown_generic(struc + + static void virtbt_rx_handle(struct virtio_bluetooth *vbt, struct sk_buff *skb) + { ++ size_t min_hdr; + __u8 pkt_type; + + pkt_type = *((__u8 *) skb->data); +@@ -205,16 +206,32 @@ static void virtbt_rx_handle(struct virt + + switch (pkt_type) { + case HCI_EVENT_PKT: ++ min_hdr = sizeof(struct hci_event_hdr); ++ break; + case HCI_ACLDATA_PKT: ++ min_hdr = sizeof(struct hci_acl_hdr); ++ break; + case HCI_SCODATA_PKT: ++ min_hdr = sizeof(struct hci_sco_hdr); ++ break; + case HCI_ISODATA_PKT: +- hci_skb_pkt_type(skb) = pkt_type; +- hci_recv_frame(vbt->hdev, skb); ++ min_hdr = sizeof(struct hci_iso_hdr); + break; + default: + kfree_skb(skb); +- break; ++ return; + } ++ ++ if (skb->len < min_hdr) { ++ bt_dev_err_ratelimited(vbt->hdev, ++ "rx pkt_type 0x%02x payload %u < hdr %zu\n", ++ pkt_type, skb->len, min_hdr); ++ kfree_skb(skb); ++ return; ++ } ++ ++ hci_skb_pkt_type(skb) = pkt_type; ++ hci_recv_frame(vbt->hdev, skb); + } + + static void virtbt_rx_work(struct work_struct *work) diff --git a/queue-6.12/ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch b/queue-6.12/ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch new file mode 100644 index 0000000000..22d7660771 --- /dev/null +++ b/queue-6.12/ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch @@ -0,0 +1,50 @@ +From bc0fcb9823cd0894934cf968b525c575833d7078 Mon Sep 17 00:00:00 2001 +From: Yilin Zhu +Date: Sun, 12 Apr 2026 13:07:54 +0800 +Subject: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() + +From: Yilin Zhu + +commit bc0fcb9823cd0894934cf968b525c575833d7078 upstream. + +xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not +already have a dst attached. ip6_route_input_lookup() returns a +referenced dst entry even when the lookup resolves to an error route. + +If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching +the dst to the skb and without releasing the reference returned by the +lookup. Repeated packets hitting this path therefore leak dst entries. + +Release the dst before jumping to the drop path. + +Fixes: 0146dca70b87 ("xfrm: add support for UDPv6 encapsulation of ESP") +Cc: stable@kernel.org +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ruide Cao +Signed-off-by: Yilin Zhu +Signed-off-by: Ren Wei +Reviewed-by: Simon Horman +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/xfrm6_protocol.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ipv6/xfrm6_protocol.c ++++ b/net/ipv6/xfrm6_protocol.c +@@ -88,8 +88,10 @@ int xfrm6_rcv_encap(struct sk_buff *skb, + + dst = ip6_route_input_lookup(dev_net(skb->dev), skb->dev, &fl6, + skb, flags); +- if (dst->error) ++ if (dst->error) { ++ dst_release(dst); + goto drop; ++ } + skb_dst_set(skb, dst); + } + diff --git a/queue-6.12/loongarch-kvm-fix-missing-emulate_fail-in-kvm_emu_mmio_read.patch b/queue-6.12/loongarch-kvm-fix-missing-emulate_fail-in-kvm_emu_mmio_read.patch new file mode 100644 index 0000000000..639bfb212e --- /dev/null +++ b/queue-6.12/loongarch-kvm-fix-missing-emulate_fail-in-kvm_emu_mmio_read.patch @@ -0,0 +1,37 @@ +From f26faae96c411a70641e4d21b759475caa6122d5 Mon Sep 17 00:00:00 2001 +From: Tao Cui +Date: Mon, 4 May 2026 09:00:38 +0800 +Subject: LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read() + +From: Tao Cui + +commit f26faae96c411a70641e4d21b759475caa6122d5 upstream. + +In the ldptr (0x24...0x27) opcode decoding path, the default case only +breaks out but without setting "ret" value to EMULATE_FAIL. This leaves +run->mmio.len uninitialized (stale from a previous MMIO operation) while +"ret" value remains EMULATE_DO_MMIO, causing the code to proceed with an +incorrect MMIO length. + +Add "ret = EMULATE_FAIL" to match the other default branches in the same +function (e.g. the 0x28...0x2e and 0x38 cases). + +Cc: stable@vger.kernel.org +Reviewed-by: Bibo Mao +Signed-off-by: Tao Cui +Signed-off-by: Huacai Chen +Signed-off-by: Greg Kroah-Hartman +--- + arch/loongarch/kvm/exit.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/loongarch/kvm/exit.c ++++ b/arch/loongarch/kvm/exit.c +@@ -371,6 +371,7 @@ int kvm_emu_mmio_read(struct kvm_vcpu *v + run->mmio.len = 8; + break; + default: ++ ret = EMULATE_FAIL; + break; + } + break; diff --git a/queue-6.12/selinux-don-t-reserve-xattr-slot-when-we-won-t-fill-it.patch b/queue-6.12/selinux-don-t-reserve-xattr-slot-when-we-won-t-fill-it.patch new file mode 100644 index 0000000000..87df095303 --- /dev/null +++ b/queue-6.12/selinux-don-t-reserve-xattr-slot-when-we-won-t-fill-it.patch @@ -0,0 +1,41 @@ +From 1e5a8eed7821e7a43a31b4c1b3675a91be6bc6f6 Mon Sep 17 00:00:00 2001 +From: David Windsor +Date: Sun, 26 Apr 2026 19:23:49 -0400 +Subject: selinux: don't reserve xattr slot when we won't fill it + +From: David Windsor + +commit 1e5a8eed7821e7a43a31b4c1b3675a91be6bc6f6 upstream. + +Move lsm_get_xattr_slot() below the SBLABEL_MNT check so we don't leave +a NULL-named slot in the array when returning -EOPNOTSUPP; filesystem +initxattrs() callbacks stop iterating at the first NULL ->name, silently +dropping xattrs installed by later LSMs. + +Cc: stable@vger.kernel.org +Signed-off-by: David Windsor +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/hooks.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -2916,7 +2916,7 @@ static int selinux_inode_init_security(s + { + const struct task_security_struct *tsec = selinux_cred(current_cred()); + struct superblock_security_struct *sbsec; +- struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); ++ struct xattr *xattr; + u32 newsid, clen; + u16 newsclass; + int rc; +@@ -2942,6 +2942,7 @@ static int selinux_inode_init_security(s + !(sbsec->flags & SBLABEL_MNT)) + return -EOPNOTSUPP; + ++ xattr = lsm_get_xattr_slot(xattrs, xattr_count); + if (xattr) { + rc = security_sid_to_context_force(newsid, + &context, &clen); diff --git a/queue-6.12/selinux-prune-sys-fs-selinux-disable.patch b/queue-6.12/selinux-prune-sys-fs-selinux-disable.patch new file mode 100644 index 0000000000..1688f532e9 --- /dev/null +++ b/queue-6.12/selinux-prune-sys-fs-selinux-disable.patch @@ -0,0 +1,71 @@ +From 19cfa0099024bb9cd40f6d950caa7f47ff8e77f6 Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Tue, 5 May 2026 08:49:49 -0400 +Subject: selinux: prune /sys/fs/selinux/disable + +From: Stephen Smalley + +commit 19cfa0099024bb9cd40f6d950caa7f47ff8e77f6 upstream. + +Commit f22f9aaf6c3d ("selinux: remove the runtime disable +functionality") removed the underlying SELinux runtime disable +functionality but left everything else intact and started logging an +error message to warn any residual users. + +Prune it to just log an error message once and to return count +(i.e. all bytes written successfully) to avoid breaking +userspace. This also fixes a local DoS from logspam. + +Cc: stable@vger.kernel.org +Signed-off-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/selinuxfs.c | 36 +++++++----------------------------- + 1 file changed, 7 insertions(+), 29 deletions(-) + +--- a/security/selinux/selinuxfs.c ++++ b/security/selinux/selinuxfs.c +@@ -272,35 +272,13 @@ static ssize_t sel_write_disable(struct + size_t count, loff_t *ppos) + + { +- char *page; +- ssize_t length; +- int new_value; +- +- if (count >= PAGE_SIZE) +- return -ENOMEM; +- +- /* No partial writes. */ +- if (*ppos != 0) +- return -EINVAL; +- +- page = memdup_user_nul(buf, count); +- if (IS_ERR(page)) +- return PTR_ERR(page); +- +- if (sscanf(page, "%d", &new_value) != 1) { +- length = -EINVAL; +- goto out; +- } +- length = count; +- +- if (new_value) { +- pr_err("SELinux: https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable\n"); +- pr_err("SELinux: Runtime disable is not supported, use selinux=0 on the kernel cmdline.\n"); +- } +- +-out: +- kfree(page); +- return length; ++ /* ++ * Setting disable is no longer supported, see ++ * https://github.com/SELinuxProject/selinux-kernel/wiki/DEPRECATE-runtime-disable ++ */ ++ pr_err_once("SELinux: %s (%d) wrote to disable. This is no longer supported.\n", ++ current->comm, current->pid); ++ return count; + } + + static const struct file_operations sel_disable_ops = { diff --git a/queue-6.12/selinux-shrink-critical-section-in-sel_write_load.patch b/queue-6.12/selinux-shrink-critical-section-in-sel_write_load.patch new file mode 100644 index 0000000000..06e3dccef2 --- /dev/null +++ b/queue-6.12/selinux-shrink-critical-section-in-sel_write_load.patch @@ -0,0 +1,76 @@ +From 868f31e4061eca8c3cd607d79d954d5e54f204aa Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Thu, 30 Apr 2026 14:36:52 -0400 +Subject: selinux: shrink critical section in sel_write_load() + +From: Stephen Smalley + +commit 868f31e4061eca8c3cd607d79d954d5e54f204aa upstream. + +Currently sel_write_load() takes the policy mutex earlier than +necessary. Move the taking of the mutex later. This avoids +holding it unnecessarily across the vmalloc() and copy_from_user() +of the policy data. + +Cc: stable@vger.kernel.org +Signed-off-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/selinuxfs.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +--- a/security/selinux/selinuxfs.c ++++ b/security/selinux/selinuxfs.c +@@ -583,34 +583,31 @@ static ssize_t sel_write_load(struct fil + if (!count) + return -EINVAL; + +- mutex_lock(&selinux_state.policy_mutex); +- + length = avc_has_perm(current_sid(), SECINITSID_SECURITY, + SECCLASS_SECURITY, SECURITY__LOAD_POLICY, NULL); + if (length) +- goto out; ++ return length; + + data = vmalloc(count); +- if (!data) { +- length = -ENOMEM; +- goto out; +- } ++ if (!data) ++ return -ENOMEM; + if (copy_from_user(data, buf, count) != 0) { + length = -EFAULT; + goto out; + } + ++ mutex_lock(&selinux_state.policy_mutex); + length = security_load_policy(data, count, &load_state); + if (length) { + pr_warn_ratelimited("SELinux: failed to load policy\n"); +- goto out; ++ goto out_unlock; + } + fsi = file_inode(file)->i_sb->s_fs_info; + length = sel_make_policy_nodes(fsi, load_state.policy); + if (length) { + pr_warn_ratelimited("SELinux: failed to initialize selinuxfs\n"); + selinux_policy_cancel(&load_state); +- goto out; ++ goto out_unlock; + } + + selinux_policy_commit(&load_state); +@@ -620,8 +617,9 @@ static ssize_t sel_write_load(struct fil + from_kuid(&init_user_ns, audit_get_loginuid(current)), + audit_get_sessionid(current)); + +-out: ++out_unlock: + mutex_unlock(&selinux_state.policy_mutex); ++out: + vfree(data); + return length; + } diff --git a/queue-6.12/series b/queue-6.12/series index 62cda6d777..a674297286 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -50,3 +50,24 @@ usb-ulpi-fix-memory-leak-on-ulpi_register-error-paths.patch alsa-pcm-oss-fix-data-race-at-accessing-runtime.oss.trigger.patch alsa-firewire-tascam-do-not-drop-unread-control-events.patch powerpc-kdump-fix-kasan-sanitization-flag-for-core_-bits-.o.patch +xfrm-provide-message-size-for-xfrm_msg_mapping.patch +xfrm-defensively-unhash-xfrm_state-lists-in-__xfrm_state_delete.patch +ipv6-xfrm6-release-dst-on-error-in-xfrm6_rcv_encap.patch +xfrm-ah-account-for-esn-high-bits-in-async-callbacks.patch +selinux-don-t-reserve-xattr-slot-when-we-won-t-fill-it.patch +selinux-shrink-critical-section-in-sel_write_load.patch +selinux-prune-sys-fs-selinux-disable.patch +loongarch-kvm-fix-missing-emulate_fail-in-kvm_emu_mmio_read.patch +bluetooth-virtio_bt-clamp-rx-length-before-skb_put.patch +bluetooth-virtio_bt-validate-rx-pkt_type-header-length.patch +bluetooth-btmtk-validate-wmt-event-skb-length-before-struct-access.patch +bluetooth-hci_event-fix-oob-read-and-infinite-loop-in-hci_le_create_big_complete_evt.patch +bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_new_connection_cb.patch +bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch +spi-syncuacer-fix-controller-deregistration.patch +spi-sun4i-fix-controller-deregistration.patch +spi-ti-qspi-fix-controller-deregistration.patch +spi-sun6i-fix-controller-deregistration.patch +spi-zynqmp-gqspi-fix-controller-deregistration.patch +spi-s3c64xx-fix-null-deref-on-driver-unbind.patch +staging-vme_user-fix-root-device-leak-on-init-failure.patch diff --git a/queue-6.12/spi-s3c64xx-fix-null-deref-on-driver-unbind.patch b/queue-6.12/spi-s3c64xx-fix-null-deref-on-driver-unbind.patch new file mode 100644 index 0000000000..7380c8926e --- /dev/null +++ b/queue-6.12/spi-s3c64xx-fix-null-deref-on-driver-unbind.patch @@ -0,0 +1,45 @@ +From 45daacbead8a009844bd5dba6cfa731332184d17 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Apr 2026 11:49:25 +0200 +Subject: spi: s3c64xx: fix NULL-deref on driver unbind + +From: Johan Hovold + +commit 45daacbead8a009844bd5dba6cfa731332184d17 upstream. + +A change moving DMA channel allocation from probe() back to +s3c64xx_spi_prepare_transfer() failed to remove the corresponding +deallocation from remove(). + +Drop the bogus DMA channel release from remove() to avoid triggering a +NULL-pointer dereference on driver unbind. + +This issue was flagged by Sashiko when reviewing a controller +deregistration fix. + +Fixes: f52b03c70744 ("spi: s3c64xx: requests spi-dma channel only during data transfer") +Cc: stable@vger.kernel.org # 6.0 +Cc: Adithya K V +Link: https://sashiko.dev/#/patchset/20260410081757.503099-1-johan%40kernel.org +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260410094925.518343-1-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-s3c64xx.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/spi/spi-s3c64xx.c ++++ b/drivers/spi/spi-s3c64xx.c +@@ -1404,11 +1404,6 @@ static void s3c64xx_spi_remove(struct pl + + writel(0, sdd->regs + S3C64XX_SPI_INT_EN); + +- if (!is_polling(sdd)) { +- dma_release_channel(sdd->rx_dma.ch); +- dma_release_channel(sdd->tx_dma.ch); +- } +- + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); + pm_runtime_set_suspended(&pdev->dev); diff --git a/queue-6.12/spi-sun4i-fix-controller-deregistration.patch b/queue-6.12/spi-sun4i-fix-controller-deregistration.patch new file mode 100644 index 0000000000..7d0d6c2a90 --- /dev/null +++ b/queue-6.12/spi-sun4i-fix-controller-deregistration.patch @@ -0,0 +1,50 @@ +From 42108a2f03e0fdeabe9d02d085bdb058baa1189f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Apr 2026 10:17:48 +0200 +Subject: spi: sun4i: fix controller deregistration + +From: Johan Hovold + +commit 42108a2f03e0fdeabe9d02d085bdb058baa1189f upstream. + +Make sure to deregister the controller before disabling underlying +resources like clocks during driver unbind. + +Fixes: b5f6517948cc ("spi: sunxi: Add Allwinner A10 SPI controller driver") +Cc: stable@vger.kernel.org # 3.15 +Cc: Maxime Ripard +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260410081757.503099-19-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-sun4i.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-sun4i.c ++++ b/drivers/spi/spi-sun4i.c +@@ -504,7 +504,7 @@ static int sun4i_spi_probe(struct platfo + pm_runtime_enable(&pdev->dev); + pm_runtime_idle(&pdev->dev); + +- ret = devm_spi_register_controller(&pdev->dev, host); ++ ret = spi_register_controller(host); + if (ret) { + dev_err(&pdev->dev, "cannot register SPI host\n"); + goto err_pm_disable; +@@ -522,7 +522,15 @@ err_free_host: + + static void sun4i_spi_remove(struct platform_device *pdev) + { ++ struct spi_controller *host = platform_get_drvdata(pdev); ++ ++ spi_controller_get(host); ++ ++ spi_unregister_controller(host); ++ + pm_runtime_force_suspend(&pdev->dev); ++ ++ spi_controller_put(host); + } + + static const struct of_device_id sun4i_spi_match[] = { diff --git a/queue-6.12/spi-sun6i-fix-controller-deregistration.patch b/queue-6.12/spi-sun6i-fix-controller-deregistration.patch new file mode 100644 index 0000000000..a8a8046bef --- /dev/null +++ b/queue-6.12/spi-sun6i-fix-controller-deregistration.patch @@ -0,0 +1,53 @@ +From d874a1c33aee0d88fb4ba2f8aeadaa9f1965209a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Apr 2026 10:17:49 +0200 +Subject: spi: sun6i: fix controller deregistration + +From: Johan Hovold + +commit d874a1c33aee0d88fb4ba2f8aeadaa9f1965209a upstream. + +Make sure to deregister the controller before disabling underlying +resources like clocks during driver unbind. + +Fixes: 3558fe900e8a ("spi: sunxi: Add Allwinner A31 SPI controller driver") +Cc: stable@vger.kernel.org # 3.15 +Cc: Maxime Ripard +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260410081757.503099-20-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-sun6i.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-sun6i.c ++++ b/drivers/spi/spi-sun6i.c +@@ -743,7 +743,7 @@ static int sun6i_spi_probe(struct platfo + pm_runtime_set_active(&pdev->dev); + pm_runtime_enable(&pdev->dev); + +- ret = devm_spi_register_controller(&pdev->dev, host); ++ ret = spi_register_controller(host); + if (ret) { + dev_err(&pdev->dev, "cannot register SPI host\n"); + goto err_pm_disable; +@@ -769,12 +769,18 @@ static void sun6i_spi_remove(struct plat + { + struct spi_controller *host = platform_get_drvdata(pdev); + ++ spi_controller_get(host); ++ ++ spi_unregister_controller(host); ++ + pm_runtime_force_suspend(&pdev->dev); + + if (host->dma_tx) + dma_release_channel(host->dma_tx); + if (host->dma_rx) + dma_release_channel(host->dma_rx); ++ ++ spi_controller_put(host); + } + + static const struct sun6i_spi_cfg sun6i_a31_spi_cfg = { diff --git a/queue-6.12/spi-syncuacer-fix-controller-deregistration.patch b/queue-6.12/spi-syncuacer-fix-controller-deregistration.patch new file mode 100644 index 0000000000..063358bb01 --- /dev/null +++ b/queue-6.12/spi-syncuacer-fix-controller-deregistration.patch @@ -0,0 +1,50 @@ +From 75d849c3452e9611de031db45b3149ba9a99035f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Apr 2026 10:17:50 +0200 +Subject: spi: syncuacer: fix controller deregistration + +From: Johan Hovold + +commit 75d849c3452e9611de031db45b3149ba9a99035f upstream. + +Make sure to deregister the controller before disabling underlying +resources like clocks during driver unbind. + +Fixes: b0823ee35cf9 ("spi: Add spi driver for Socionext SynQuacer platform") +Cc: stable@vger.kernel.org # 5.3 +Cc: Masahisa Kojima +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260410081757.503099-21-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-synquacer.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-synquacer.c ++++ b/drivers/spi/spi-synquacer.c +@@ -719,7 +719,7 @@ static int synquacer_spi_probe(struct pl + pm_runtime_set_active(sspi->dev); + pm_runtime_enable(sspi->dev); + +- ret = devm_spi_register_controller(sspi->dev, host); ++ ret = spi_register_controller(host); + if (ret) + goto disable_pm; + +@@ -740,9 +740,15 @@ static void synquacer_spi_remove(struct + struct spi_controller *host = platform_get_drvdata(pdev); + struct synquacer_spi *sspi = spi_controller_get_devdata(host); + ++ spi_controller_get(host); ++ ++ spi_unregister_controller(host); ++ + pm_runtime_disable(sspi->dev); + + clk_disable_unprepare(sspi->clk); ++ ++ spi_controller_put(host); + } + + static int __maybe_unused synquacer_spi_suspend(struct device *dev) diff --git a/queue-6.12/spi-ti-qspi-fix-controller-deregistration.patch b/queue-6.12/spi-ti-qspi-fix-controller-deregistration.patch new file mode 100644 index 0000000000..718c2f0984 --- /dev/null +++ b/queue-6.12/spi-ti-qspi-fix-controller-deregistration.patch @@ -0,0 +1,65 @@ +From 0c18a1bacbb1d8b8aa34d3d004a2cb8226c8b1ea Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Apr 2026 10:17:53 +0200 +Subject: spi: ti-qspi: fix controller deregistration + +From: Johan Hovold + +commit 0c18a1bacbb1d8b8aa34d3d004a2cb8226c8b1ea upstream. + +Make sure to deregister the controller before disabling underlying +resources like clocks during driver unbind. + +Note that the controller is suspended before disabling and releasing +resources since commit 3ac066e2227c ("spi: spi-ti-qspi: Suspend the +queue before removing the device") which avoids issues like unclocked +accesses but prevents SPI device drivers from doing I/O during +deregistration. + +Fixes: 3b3a80019ff1 ("spi: ti-qspi: one only one interrupt handler") +Cc: stable@vger.kernel.org # 3.13 +Cc: Sebastian Andrzej Siewior +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260410081757.503099-24-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-ti-qspi.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +--- a/drivers/spi/spi-ti-qspi.c ++++ b/drivers/spi/spi-ti-qspi.c +@@ -895,7 +895,7 @@ no_dma: + qspi->mmap_enabled = false; + qspi->current_cs = -1; + +- ret = devm_spi_register_controller(&pdev->dev, host); ++ ret = spi_register_controller(host); + if (!ret) + return 0; + +@@ -910,19 +910,17 @@ free_host: + static void ti_qspi_remove(struct platform_device *pdev) + { + struct ti_qspi *qspi = platform_get_drvdata(pdev); +- int rc; + +- rc = spi_controller_suspend(qspi->host); +- if (rc) { +- dev_alert(&pdev->dev, "spi_controller_suspend() failed (%pe)\n", +- ERR_PTR(rc)); +- return; +- } ++ spi_controller_get(qspi->host); ++ ++ spi_unregister_controller(qspi->host); + + pm_runtime_put_sync(&pdev->dev); + pm_runtime_disable(&pdev->dev); + + ti_qspi_dma_cleanup(qspi); ++ ++ spi_controller_put(qspi->host); + } + + static const struct dev_pm_ops ti_qspi_pm_ops = { diff --git a/queue-6.12/spi-zynqmp-gqspi-fix-controller-deregistration.patch b/queue-6.12/spi-zynqmp-gqspi-fix-controller-deregistration.patch new file mode 100644 index 0000000000..169b2bb89c --- /dev/null +++ b/queue-6.12/spi-zynqmp-gqspi-fix-controller-deregistration.patch @@ -0,0 +1,44 @@ +From 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Apr 2026 10:17:55 +0200 +Subject: spi: zynqmp-gqspi: fix controller deregistration + +From: Johan Hovold + +commit 6895fc4faafc9082e15e4e624b23dd5f0c98feb5 upstream. + +Make sure to deregister the controller before disabling underlying +resources like clocks during driver unbind. + +Fixes: dfe11a11d523 ("spi: Add support for Zynq Ultrascale+ MPSoC GQSPI controller") +Cc: stable@vger.kernel.org # 4.2: 64640f6c972e +Cc: stable@vger.kernel.org # 4.2 +Cc: Ranjit Waghmode +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260410081757.503099-26-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-zynqmp-gqspi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-zynqmp-gqspi.c ++++ b/drivers/spi/spi-zynqmp-gqspi.c +@@ -1334,7 +1334,7 @@ static int zynqmp_qspi_probe(struct plat + ctlr->dev.of_node = np; + ctlr->auto_runtime_pm = true; + +- ret = devm_spi_register_controller(&pdev->dev, ctlr); ++ ret = spi_register_controller(ctlr); + if (ret) { + dev_err(&pdev->dev, "spi_register_controller failed\n"); + goto clk_dis_all; +@@ -1373,6 +1373,8 @@ static void zynqmp_qspi_remove(struct pl + + pm_runtime_get_sync(&pdev->dev); + ++ spi_unregister_controller(xqspi->ctlr); ++ + zynqmp_gqspi_write(xqspi, GQSPI_EN_OFST, 0x0); + + pm_runtime_disable(&pdev->dev); diff --git a/queue-6.12/staging-vme_user-fix-root-device-leak-on-init-failure.patch b/queue-6.12/staging-vme_user-fix-root-device-leak-on-init-failure.patch new file mode 100644 index 0000000000..af5ffc70c3 --- /dev/null +++ b/queue-6.12/staging-vme_user-fix-root-device-leak-on-init-failure.patch @@ -0,0 +1,33 @@ +From 32c91e8ee039777d0b95b914633fc6a42607959c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 24 Apr 2026 12:49:10 +0200 +Subject: staging: vme_user: fix root device leak on init failure + +From: Johan Hovold + +commit 32c91e8ee039777d0b95b914633fc6a42607959c upstream. + +Make sure to deregister and free the root device in case module +initialisation fails. + +Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver") +Cc: stable@vger.kernel.org # 4.9 +Cc: Martyn Welch +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260424104910.2619349-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/vme_user/vme_fake.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/staging/vme_user/vme_fake.c ++++ b/drivers/staging/vme_user/vme_fake.c +@@ -1230,6 +1230,8 @@ err_master: + err_driver: + kfree(fake_bridge); + err_struct: ++ root_device_unregister(vme_root); ++ + return retval; + } + diff --git a/queue-6.12/xfrm-ah-account-for-esn-high-bits-in-async-callbacks.patch b/queue-6.12/xfrm-ah-account-for-esn-high-bits-in-async-callbacks.patch new file mode 100644 index 0000000000..42724a701e --- /dev/null +++ b/queue-6.12/xfrm-ah-account-for-esn-high-bits-in-async-callbacks.patch @@ -0,0 +1,128 @@ +From ec54093e6a8f87e800bb6aa15eb7fc1e33faa524 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Sun, 19 Apr 2026 18:35:42 -0400 +Subject: xfrm: ah: account for ESN high bits in async callbacks + +From: Michael Bommarito + +commit ec54093e6a8f87e800bb6aa15eb7fc1e33faa524 upstream. + +AH allocates its temporary auth/ICV layout differently when ESN is enabled: +the async ahash setup appends a 4-byte seqhi slot before the ICV or +auth_data area, but the async completion callbacks still reconstruct the +temporary layout as if seqhi were absent. + +With an async AH implementation selected, that makes AH copy or compare +the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH +with ESN and forced async hmac(sha1), ping fails with 100% packet loss, +and the callback logs show the pre-fix drift: + + ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24 + ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36 + +Reconstruct the callback-side layout the same way the setup path built it +by skipping the ESN seqhi slot before locating the saved auth_data or ICV. +Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV +computation, so the async callbacks must account for the seqhi slot. + +Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows +the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 +expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o +build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the +change has not been tested against a real async hardware AH engine. + +Fixes: d4d573d0334d ("{IPv4,xfrm} Add ESN support for AH egress part") +Fixes: d8b2a8600b0e ("{IPv4,xfrm} Add ESN support for AH ingress part") +Fixes: 26dd70c3fad3 ("{IPv6,xfrm} Add ESN support for AH egress part") +Fixes: 8d6da6f32557 ("{IPv6,xfrm} Add ESN support for AH ingress part") +Cc: stable@vger.kernel.org +Assisted-by: Codex:gpt-5-4 +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Michael Bommarito +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ah4.c | 14 ++++++++++++-- + net/ipv6/ah6.c | 14 ++++++++++++-- + 2 files changed, 24 insertions(+), 4 deletions(-) + +--- a/net/ipv4/ah4.c ++++ b/net/ipv4/ah4.c +@@ -124,9 +124,14 @@ static void ah_output_done(void *data, i + struct iphdr *top_iph = ip_hdr(skb); + struct ip_auth_hdr *ah = ip_auth_hdr(skb); + int ihl = ip_hdrlen(skb); ++ int seqhi_len = 0; ++ __be32 *seqhi; + ++ if (x->props.flags & XFRM_STATE_ESN) ++ seqhi_len = sizeof(*seqhi); + iph = AH_SKB_CB(skb)->tmp; +- icv = ah_tmp_icv(iph, ihl); ++ seqhi = (__be32 *)((char *)iph + ihl); ++ icv = ah_tmp_icv(seqhi, seqhi_len); + memcpy(ah->auth_data, icv, ahp->icv_trunc_len); + + top_iph->tos = iph->tos; +@@ -270,12 +275,17 @@ static void ah_input_done(void *data, in + struct ip_auth_hdr *ah = ip_auth_hdr(skb); + int ihl = ip_hdrlen(skb); + int ah_hlen = (ah->hdrlen + 2) << 2; ++ int seqhi_len = 0; ++ __be32 *seqhi; + + if (err) + goto out; + ++ if (x->props.flags & XFRM_STATE_ESN) ++ seqhi_len = sizeof(*seqhi); + work_iph = AH_SKB_CB(skb)->tmp; +- auth_data = ah_tmp_auth(work_iph, ihl); ++ seqhi = (__be32 *)((char *)work_iph + ihl); ++ auth_data = ah_tmp_auth(seqhi, seqhi_len); + icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len); + + err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0; +--- a/net/ipv6/ah6.c ++++ b/net/ipv6/ah6.c +@@ -317,14 +317,19 @@ static void ah6_output_done(void *data, + struct ipv6hdr *top_iph = ipv6_hdr(skb); + struct ip_auth_hdr *ah = ip_auth_hdr(skb); + struct tmp_ext *iph_ext; ++ int seqhi_len = 0; ++ __be32 *seqhi; + + extlen = skb_network_header_len(skb) - sizeof(struct ipv6hdr); + if (extlen) + extlen += sizeof(*iph_ext); + ++ if (x->props.flags & XFRM_STATE_ESN) ++ seqhi_len = sizeof(*seqhi); + iph_base = AH_SKB_CB(skb)->tmp; + iph_ext = ah_tmp_ext(iph_base); +- icv = ah_tmp_icv(iph_ext, extlen); ++ seqhi = (__be32 *)((char *)iph_ext + extlen); ++ icv = ah_tmp_icv(seqhi, seqhi_len); + + memcpy(ah->auth_data, icv, ahp->icv_trunc_len); + memcpy(top_iph, iph_base, IPV6HDR_BASELEN); +@@ -471,13 +476,18 @@ static void ah6_input_done(void *data, i + struct ip_auth_hdr *ah = ip_auth_hdr(skb); + int hdr_len = skb_network_header_len(skb); + int ah_hlen = ipv6_authlen(ah); ++ int seqhi_len = 0; ++ __be32 *seqhi; + + if (err) + goto out; + ++ if (x->props.flags & XFRM_STATE_ESN) ++ seqhi_len = sizeof(*seqhi); + work_iph = AH_SKB_CB(skb)->tmp; + auth_data = ah_tmp_auth(work_iph, hdr_len); +- icv = ah_tmp_icv(auth_data, ahp->icv_trunc_len); ++ seqhi = (__be32 *)(auth_data + ahp->icv_trunc_len); ++ icv = ah_tmp_icv(seqhi, seqhi_len); + + err = crypto_memneq(icv, auth_data, ahp->icv_trunc_len) ? -EBADMSG : 0; + if (err) diff --git a/queue-6.12/xfrm-defensively-unhash-xfrm_state-lists-in-__xfrm_state_delete.patch b/queue-6.12/xfrm-defensively-unhash-xfrm_state-lists-in-__xfrm_state_delete.patch new file mode 100644 index 0000000000..55abebcdea --- /dev/null +++ b/queue-6.12/xfrm-defensively-unhash-xfrm_state-lists-in-__xfrm_state_delete.patch @@ -0,0 +1,119 @@ +From 14acf9652e5690de3c7486c6db5fb8dafd0a32a3 Mon Sep 17 00:00:00 2001 +From: Michal Kosiorek +Date: Wed, 29 Apr 2026 10:54:51 +0200 +Subject: xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete + +From: Michal Kosiorek + +commit 14acf9652e5690de3c7486c6db5fb8dafd0a32a3 upstream. + +KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s +hlist_del_rcu calls under syzkaller load on linux-6.12.y stable +(reproduced on 6.12.47, also reachable via the same code path on +torvalds/master and on the ipsec tree). Nine unique signatures cluster +in the xfrm_state lifecycle, the load-bearing one being: + + BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline] + BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline] + BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c + Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435 + + Workqueue: netns cleanup_net + Call Trace: + __hlist_del / hlist_del_rcu + __xfrm_state_delete + xfrm_state_delete + xfrm_state_flush + xfrm_state_fini + ops_exit_list + cleanup_net + +The other observed signatures hit the same slab object from +__xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB +write variant of __xfrm_state_delete, all on the byseq/byspi +hash chains. + +__xfrm_state_delete() guards its byseq and byspi unhashes with +value-based predicates: + + if (x->km.seq) + hlist_del_rcu(&x->byseq); + if (x->id.spi) + hlist_del_rcu(&x->byspi); + +while everywhere else in the file (e.g. state_cache, state_cache_input) +the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets +x->id.spi = newspi inside xfrm_state_lock and then immediately inserts +into byspi, but a path that observes x->id.spi != 0 outside of +xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently +with whether x is actually on the list. The same holds for x->km.seq +versus byseq, and the bydst/bysrc unhashes have no predicate at all, +so a second __xfrm_state_delete() on the same object writes through +LIST_POISON pprev. + +The defensive change here: + + - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst, + bysrc, byseq and byspi so a second deletion is a no-op rather + than a write through LIST_POISON pprev. The byseq/byspi nodes + are already initialised in xfrm_state_alloc(). + - Test hlist_unhashed() rather than the value predicate for + byseq/byspi, so the unhash decision tracks list state rather than + mutable scalar fields. + +Empirical verification: applied this patch on top of v6.12.47, rebuilt, +and re-ran the same syzkaller harness for 1h16m on a previously-crashy +configuration that produced ~100 hits each of slab-use-after-free +Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in +__xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at +~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo +confirms the xfrm_state slab is actively allocated and freed during +the run (~143 KiB resident), so the fuzzer is still exercising those +code paths -- they just no longer crash. + +Reproduction: + + - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV + - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db + - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal + - 9 unique signatures collected in ~9h, all within xfrm_state + lifecycle + +Fixes: fe9f1d8779cb ("xfrm: add state hashtable keyed by seq") +Fixes: 7b4dc3600e48 ("[XFRM]: Do not add a state whose SPI is zero to the SPI hash.") +Reported-by: Michal Kosiorek +Tested-by: Michal Kosiorek +Cc: stable@vger.kernel.org +Signed-off-by: Michal Kosiorek +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_state.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -755,17 +755,17 @@ int __xfrm_state_delete(struct xfrm_stat + + spin_lock(&net->xfrm.xfrm_state_lock); + list_del(&x->km.all); +- hlist_del_rcu(&x->bydst); +- hlist_del_rcu(&x->bysrc); +- if (x->km.seq) +- hlist_del_rcu(&x->byseq); ++ hlist_del_init_rcu(&x->bydst); ++ hlist_del_init_rcu(&x->bysrc); ++ if (!hlist_unhashed(&x->byseq)) ++ hlist_del_init_rcu(&x->byseq); + if (!hlist_unhashed(&x->state_cache)) + hlist_del_rcu(&x->state_cache); + if (!hlist_unhashed(&x->state_cache_input)) + hlist_del_rcu(&x->state_cache_input); + +- if (x->id.spi) +- hlist_del_rcu(&x->byspi); ++ if (!hlist_unhashed(&x->byspi)) ++ hlist_del_init_rcu(&x->byspi); + net->xfrm.state_num--; + xfrm_nat_keepalive_state_updated(x); + spin_unlock(&net->xfrm.xfrm_state_lock); diff --git a/queue-6.12/xfrm-provide-message-size-for-xfrm_msg_mapping.patch b/queue-6.12/xfrm-provide-message-size-for-xfrm_msg_mapping.patch new file mode 100644 index 0000000000..11674761e0 --- /dev/null +++ b/queue-6.12/xfrm-provide-message-size-for-xfrm_msg_mapping.patch @@ -0,0 +1,40 @@ +From 28465227c80fe417b4013c432be1f3737cb9f9a3 Mon Sep 17 00:00:00 2001 +From: Ruijie Li +Date: Wed, 29 Apr 2026 00:41:43 +0800 +Subject: xfrm: provide message size for XFRM_MSG_MAPPING + +From: Ruijie Li + +commit 28465227c80fe417b4013c432be1f3737cb9f9a3 upstream. + +The compat 64=>32 translation path handles XFRM_MSG_MAPPING, but +xfrm_msg_min[] does not provide the native payload size for this +message type. + +Add the missing XFRM_MSG_MAPPING entry so compat translation can size +and translate mapping notifications correctly. + +Fixes: 5461fc0c8d9f ("xfrm/compat: Add 64=>32-bit messages translator") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Ruijie Li +Signed-off-by: Ren Wei +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_user.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -3235,6 +3235,7 @@ const int xfrm_msg_min[XFRM_NR_MSGTYPES] + [XFRM_MSG_GETSADINFO - XFRM_MSG_BASE] = sizeof(u32), + [XFRM_MSG_NEWSPDINFO - XFRM_MSG_BASE] = sizeof(u32), + [XFRM_MSG_GETSPDINFO - XFRM_MSG_BASE] = sizeof(u32), ++ [XFRM_MSG_MAPPING - XFRM_MSG_BASE] = XMSGSIZE(xfrm_user_mapping), + [XFRM_MSG_SETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default), + [XFRM_MSG_GETDEFAULT - XFRM_MSG_BASE] = XMSGSIZE(xfrm_userpolicy_default), + }; -- 2.47.3