From 9cee9bf64eb88fe47d23e31a29e56d13c321633b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 2 Jul 2026 14:58:07 +0200 Subject: [PATCH] 5.15-stable patches added patches: keys-fix-overflow-in-keyctl_pkey_params_get_2.patch keys-pin-request_key_auth-payload-in-instantiate-paths.patch wifi-ath11k-fix-warning-when-unbinding.patch wifi-mt76-mt76x2u-add-support-for-elecom-wdc-867su3s.patch wifi-rtlwifi-rtl8821ae-fix-c2h-bit-location-in-rx-descriptor.patch --- ...overflow-in-keyctl_pkey_params_get_2.patch | 65 ++++++ ...ey_auth-payload-in-instantiate-paths.patch | 215 ++++++++++++++++++ queue-5.15/series | 5 + ...fi-ath11k-fix-warning-when-unbinding.patch | 49 ++++ ...u-add-support-for-elecom-wdc-867su3s.patch | 34 +++ ...ix-c2h-bit-location-in-rx-descriptor.patch | 39 ++++ 6 files changed, 407 insertions(+) create mode 100644 queue-5.15/keys-fix-overflow-in-keyctl_pkey_params_get_2.patch create mode 100644 queue-5.15/keys-pin-request_key_auth-payload-in-instantiate-paths.patch create mode 100644 queue-5.15/wifi-ath11k-fix-warning-when-unbinding.patch create mode 100644 queue-5.15/wifi-mt76-mt76x2u-add-support-for-elecom-wdc-867su3s.patch create mode 100644 queue-5.15/wifi-rtlwifi-rtl8821ae-fix-c2h-bit-location-in-rx-descriptor.patch diff --git a/queue-5.15/keys-fix-overflow-in-keyctl_pkey_params_get_2.patch b/queue-5.15/keys-fix-overflow-in-keyctl_pkey_params_get_2.patch new file mode 100644 index 0000000000..5236b820bb --- /dev/null +++ b/queue-5.15/keys-fix-overflow-in-keyctl_pkey_params_get_2.patch @@ -0,0 +1,65 @@ +From cb481e59ea6cae3b7796ac1d7a22b6b24c3f3c0b Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Mon, 1 Jun 2026 23:11:54 +0300 +Subject: KEYS: fix overflow in keyctl_pkey_params_get_2() + +From: Jarkko Sakkinen + +commit cb481e59ea6cae3b7796ac1d7a22b6b24c3f3c0b upstream. + +The length for the internal output buffer is calculated incorrectly, which +can result overflow when a too small buffer is provided. + +Fix the bug by allocating internal output with the size of the maximum +length of the cryptographic primitive instead of caller provided size. + +Link: https://lore.kernel.org/keyrings/20260531024914.3712130-1-jarkko@kernel.org/ +Cc: stable@vger.kernel.org # v4.20+ +Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]") +Reported-by: Alessandro Groppo +Tested-by: Alessandro Groppo +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/keyctl_pkey.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/security/keys/keyctl_pkey.c ++++ b/security/keys/keyctl_pkey.c +@@ -138,28 +138,35 @@ static int keyctl_pkey_params_get_2(cons + if (uparams.in_len > info.max_dec_size || + uparams.out_len > info.max_enc_size) + return -EINVAL; ++ ++ params->out_len = info.max_enc_size; + break; + case KEYCTL_PKEY_DECRYPT: + if (uparams.in_len > info.max_enc_size || + uparams.out_len > info.max_dec_size) + return -EINVAL; ++ ++ params->out_len = info.max_dec_size; + break; + case KEYCTL_PKEY_SIGN: + if (uparams.in_len > info.max_data_size || + uparams.out_len > info.max_sig_size) + return -EINVAL; ++ ++ params->out_len = info.max_sig_size; + break; + case KEYCTL_PKEY_VERIFY: + if (uparams.in_len > info.max_data_size || + uparams.in2_len > info.max_sig_size) + return -EINVAL; ++ ++ params->out_len = info.max_sig_size; + break; + default: + BUG(); + } + + params->in_len = uparams.in_len; +- params->out_len = uparams.out_len; /* Note: same as in2_len */ + return 0; + } + diff --git a/queue-5.15/keys-pin-request_key_auth-payload-in-instantiate-paths.patch b/queue-5.15/keys-pin-request_key_auth-payload-in-instantiate-paths.patch new file mode 100644 index 0000000000..a23244bef5 --- /dev/null +++ b/queue-5.15/keys-pin-request_key_auth-payload-in-instantiate-paths.patch @@ -0,0 +1,215 @@ +From fd15b457a86939c38aa12116adabd8ff686c5e51 Mon Sep 17 00:00:00 2001 +From: Shaomin Chen +Date: Wed, 10 Jun 2026 13:10:05 +0300 +Subject: keys: Pin request_key_auth payload in instantiate paths + +From: Shaomin Chen + +commit fd15b457a86939c38aa12116adabd8ff686c5e51 upstream. + +A: request_key() B: KEYCTL_INSTANTIATE_IOV +================ ========================= + +create auth key +store rka in auth key +wait for helper + get auth key + load rka from auth key + copy user payload + sleep on #PF + +helper completed +detach and free rka +destroy auth key + wake up + use rka->target_key + **USE-AFTER-FREE** + +Give request_key_auth payloads a refcount. Take a payload reference while +authkey->sem stabilizes the payload and revocation state. Hold that +reference across the instantiate and reject paths. Drop the auth key +owning reference from revoke and destroy. + +[jarkko: Replaced the first two paragraphs of text with an actual + concurrency scenario.] +Cc: stable@vger.kernel.org # v5.10+ +Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys") +Reported-by: Shaomin Chen +Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com +Signed-off-by: Shaomin Chen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + include/keys/request_key_auth-type.h | 2 ++ + security/keys/internal.h | 2 ++ + security/keys/keyctl.c | 24 ++++++++++++++++++------ + security/keys/request_key_auth.c | 33 +++++++++++++++++++++++++++++++-- + 4 files changed, 53 insertions(+), 8 deletions(-) + +--- a/include/keys/request_key_auth-type.h ++++ b/include/keys/request_key_auth-type.h +@@ -9,12 +9,14 @@ + #define _KEYS_REQUEST_KEY_AUTH_TYPE_H + + #include ++#include + + /* + * Authorisation record for request_key(). + */ + struct request_key_auth { + struct rcu_head rcu; ++ refcount_t usage; + struct key *target_key; + struct key *dest_keyring; + const struct cred *cred; +--- a/security/keys/internal.h ++++ b/security/keys/internal.h +@@ -217,6 +217,8 @@ extern struct key *request_key_auth_new( + const void *callout_info, + size_t callout_len, + struct key *dest_keyring); ++struct request_key_auth *request_key_auth_get(struct key *authkey); ++void request_key_auth_put(struct request_key_auth *rka); + + extern struct key *key_get_instantiation_authkey(key_serial_t target_id); + +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -1196,9 +1196,13 @@ static long keyctl_instantiate_key_commo + if (!instkey) + goto error; + +- rka = instkey->payload.data[0]; +- if (rka->target_key->serial != id) ++ rka = request_key_auth_get(instkey); ++ if (!rka) { ++ ret = -EKEYREVOKED; + goto error; ++ } ++ if (rka->target_key->serial != id) ++ goto error_put_rka; + + /* pull the payload in if one was supplied */ + payload = NULL; +@@ -1207,7 +1211,7 @@ static long keyctl_instantiate_key_commo + ret = -ENOMEM; + payload = kvmalloc(plen, GFP_KERNEL); + if (!payload) +- goto error; ++ goto error_put_rka; + + ret = -EFAULT; + if (!copy_from_iter_full(payload, plen, from)) +@@ -1233,6 +1237,8 @@ static long keyctl_instantiate_key_commo + + error2: + kvfree_sensitive(payload, plen); ++error_put_rka: ++ request_key_auth_put(rka); + error: + return ret; + } +@@ -1358,15 +1364,19 @@ long keyctl_reject_key(key_serial_t id, + if (!instkey) + goto error; + +- rka = instkey->payload.data[0]; +- if (rka->target_key->serial != id) ++ rka = request_key_auth_get(instkey); ++ if (!rka) { ++ ret = -EKEYREVOKED; + goto error; ++ } ++ if (rka->target_key->serial != id) ++ goto error_put_rka; + + /* find the destination keyring if present (which must also be + * writable) */ + ret = get_instantiation_keyring(ringid, rka, &dest_keyring); + if (ret < 0) +- goto error; ++ goto error_put_rka; + + /* instantiate the key and link it into a keyring */ + ret = key_reject_and_link(rka->target_key, timeout, error, +@@ -1379,6 +1389,8 @@ long keyctl_reject_key(key_serial_t id, + if (ret == 0) + keyctl_change_reqkey_auth(NULL); + ++error_put_rka: ++ request_key_auth_put(rka); + error: + return ret; + } +--- a/security/keys/request_key_auth.c ++++ b/security/keys/request_key_auth.c +@@ -23,6 +23,7 @@ static void request_key_auth_describe(co + static void request_key_auth_revoke(struct key *); + static void request_key_auth_destroy(struct key *); + static long request_key_auth_read(const struct key *, char *, size_t); ++static void request_key_auth_rcu_disposal(struct rcu_head *); + + /* + * The request-key authorisation key type definition. +@@ -116,6 +117,31 @@ static void free_request_key_auth(struct + } + + /* ++ * Take a reference to the request-key authorisation payload so callers can ++ * drop authkey->sem before doing operations that may sleep. ++ */ ++struct request_key_auth *request_key_auth_get(struct key *authkey) ++{ ++ struct request_key_auth *rka; ++ ++ down_read(&authkey->sem); ++ rka = dereference_key_locked(authkey); ++ if (rka && !test_bit(KEY_FLAG_REVOKED, &authkey->flags)) ++ refcount_inc(&rka->usage); ++ else ++ rka = NULL; ++ up_read(&authkey->sem); ++ ++ return rka; ++} ++ ++void request_key_auth_put(struct request_key_auth *rka) ++{ ++ if (rka && refcount_dec_and_test(&rka->usage)) ++ call_rcu(&rka->rcu, request_key_auth_rcu_disposal); ++} ++ ++/* + * Dispose of the request_key_auth record under RCU conditions + */ + static void request_key_auth_rcu_disposal(struct rcu_head *rcu) +@@ -136,8 +162,10 @@ static void request_key_auth_revoke(stru + struct request_key_auth *rka = dereference_key_locked(key); + + kenter("{%d}", key->serial); ++ if (!rka) ++ return; + rcu_assign_keypointer(key, NULL); +- call_rcu(&rka->rcu, request_key_auth_rcu_disposal); ++ request_key_auth_put(rka); + } + + /* +@@ -150,7 +178,7 @@ static void request_key_auth_destroy(str + kenter("{%d}", key->serial); + if (rka) { + rcu_assign_keypointer(key, NULL); +- call_rcu(&rka->rcu, request_key_auth_rcu_disposal); ++ request_key_auth_put(rka); + } + } + +@@ -174,6 +202,7 @@ struct key *request_key_auth_new(struct + rka = kzalloc(sizeof(*rka), GFP_KERNEL); + if (!rka) + goto error; ++ refcount_set(&rka->usage, 1); + rka->callout_info = kmemdup(callout_info, callout_len, GFP_KERNEL); + if (!rka->callout_info) + goto error_free_rka; diff --git a/queue-5.15/series b/queue-5.15/series index 6309f81f9b..be01019076 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -55,3 +55,8 @@ ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch ext4-add-bounds-check-for-inline-data-length-in-ext4.patch crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch mac802154-llsec-add-skb_cow_data-before-in-place-crypto.patch +keys-fix-overflow-in-keyctl_pkey_params_get_2.patch +keys-pin-request_key_auth-payload-in-instantiate-paths.patch +wifi-mt76-mt76x2u-add-support-for-elecom-wdc-867su3s.patch +wifi-ath11k-fix-warning-when-unbinding.patch +wifi-rtlwifi-rtl8821ae-fix-c2h-bit-location-in-rx-descriptor.patch diff --git a/queue-5.15/wifi-ath11k-fix-warning-when-unbinding.patch b/queue-5.15/wifi-ath11k-fix-warning-when-unbinding.patch new file mode 100644 index 0000000000..ad8b46c61a --- /dev/null +++ b/queue-5.15/wifi-ath11k-fix-warning-when-unbinding.patch @@ -0,0 +1,49 @@ +From 8b7a26b6681922a38cd5a7829ace61f8e54df9b7 Mon Sep 17 00:00:00 2001 +From: Jose Ignacio Tornos Martinez +Date: Mon, 20 Apr 2026 13:01:29 +0200 +Subject: wifi: ath11k: fix warning when unbinding + +From: Jose Ignacio Tornos Martinez + +commit 8b7a26b6681922a38cd5a7829ace61f8e54df9b7 upstream. + +If there is an error during some initialization related to firmware, +the buffers dp->tx_ring[i].tx_status are released. +However this is released again when the device is unbinded (ath11k_pci), +and we get: +WARNING: CPU: 0 PID: 6231 at mm/slub.c:4368 free_large_kmalloc+0x57/0x90 +Call Trace: +free_large_kmalloc +ath11k_dp_free +ath11k_core_deinit +ath11k_pci_remove +... + +The issue is always reproducible from a VM because the MSI addressing +initialization is failing. + +In order to fix the issue, just set the buffers to NULL after releasing in +order to avoid the double free. + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Cc: stable@vger.kernel.org +Signed-off-by: Jose Ignacio Tornos Martinez +Reviewed-by: Baochen Qiang +Reviewed-by: Rameshkumar Sundaram +Link: https://patch.msgid.link/20260420110130.509670-1-jtornosm@redhat.com +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/dp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/ath/ath11k/dp.c ++++ b/drivers/net/wireless/ath/ath11k/dp.c +@@ -1003,6 +1003,7 @@ void ath11k_dp_free(struct ath11k_base * + idr_destroy(&dp->tx_ring[i].txbuf_idr); + spin_unlock_bh(&dp->tx_ring[i].tx_idr_lock); + kfree(dp->tx_ring[i].tx_status); ++ dp->tx_ring[i].tx_status = NULL; + } + + /* Deinit any SOC level resource */ diff --git a/queue-5.15/wifi-mt76-mt76x2u-add-support-for-elecom-wdc-867su3s.patch b/queue-5.15/wifi-mt76-mt76x2u-add-support-for-elecom-wdc-867su3s.patch new file mode 100644 index 0000000000..9b20946419 --- /dev/null +++ b/queue-5.15/wifi-mt76-mt76x2u-add-support-for-elecom-wdc-867su3s.patch @@ -0,0 +1,34 @@ +From f4ce0664e9f0387873b181777891741c33e19465 Mon Sep 17 00:00:00 2001 +From: Zenm Chen +Date: Tue, 7 Apr 2026 23:44:30 +0800 +Subject: wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S + +From: Zenm Chen + +commit f4ce0664e9f0387873b181777891741c33e19465 upstream. + +Add the ID 056e:400a to the table to support an additional MT7612U +adapter: ELECOM WDC-867SU3S. + +Compile tested only. + +Cc: stable@vger.kernel.org # 5.10.x +Signed-off-by: Zenm Chen +Acked-by: Lorenzo Bianconi +Link: https://patch.msgid.link/20260407154430.9184-1-zenmchen@gmail.com +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c +@@ -16,6 +16,7 @@ static const struct usb_device_id mt76x2 + { USB_DEVICE(0x0e8d, 0x7612) }, /* Aukey USBAC1200 - Alfa AWUS036ACM */ + { USB_DEVICE(0x057c, 0x8503) }, /* Avm FRITZ!WLAN AC860 */ + { USB_DEVICE(0x7392, 0xb711) }, /* Edimax EW 7722 UAC */ ++ { USB_DEVICE(0x056e, 0x400a) }, /* ELECOM WDC-867SU3S */ + { USB_DEVICE(0x0e8d, 0x7632) }, /* HC-M7662BU1 */ + { USB_DEVICE(0x0471, 0x2126) }, /* LiteOn WN4516R module, nonstandard USB connector */ + { USB_DEVICE(0x0471, 0x7600) }, /* LiteOn WN4519R module, nonstandard USB connector */ diff --git a/queue-5.15/wifi-rtlwifi-rtl8821ae-fix-c2h-bit-location-in-rx-descriptor.patch b/queue-5.15/wifi-rtlwifi-rtl8821ae-fix-c2h-bit-location-in-rx-descriptor.patch new file mode 100644 index 0000000000..1f59c9a2d0 --- /dev/null +++ b/queue-5.15/wifi-rtlwifi-rtl8821ae-fix-c2h-bit-location-in-rx-descriptor.patch @@ -0,0 +1,39 @@ +From 83d38df6929118c3f996b9e3351c2d5014073d87 Mon Sep 17 00:00:00 2001 +From: Bitterblue Smith +Date: Sat, 25 Apr 2026 22:32:58 +0300 +Subject: wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor + +From: Bitterblue Smith + +commit 83d38df6929118c3f996b9e3351c2d5014073d87 upstream. + +Bit 28 of double word 2 in the RX descriptor indicates if the packet is +a normal 802.11 frame, or a message from the wifi firmware to the +driver (Card 2 Host). + +Commit f5678bfe1cdc ("rtlwifi: rtl8821ae: Replace local bit manipulation +macros") mistakenly made the driver look for this bit in double word 1, +causing packet loss and Bluetooth coexistence problems. + +Fixes: f5678bfe1cdc ("rtlwifi: rtl8821ae: Replace local bit manipulation macros") +Cc: +Signed-off-by: Bitterblue Smith +Acked-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/04da7398-cedb-425a-a810-5772ab10139d@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtlwifi/rtl8821ae/trx.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/trx.h ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/trx.h +@@ -291,7 +291,7 @@ static inline int get_rx_desc_paggr(__le + + static inline int get_rx_status_desc_rpt_sel(__le32 *__pdesc) + { +- return le32_get_bits(*(__pdesc + 1), BIT(28)); ++ return le32_get_bits(*(__pdesc + 2), BIT(28)); + } + + static inline int get_rx_desc_rxmcs(__le32 *__pdesc) -- 2.47.3