Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Sat, 9 Nov 2024 02:46:12 +0000 (21:46 -0500)
committerSasha Levin <sashal@kernel.org>
Sat, 9 Nov 2024 02:46:12 +0000 (21:46 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.19/arm-dts-rockchip-drop-grf-reference-from-rk3036-hdmi.patch [new file with mode: 0644]
queue-4.19/arm-dts-rockchip-fix-rk3036-acodec-node.patch [new file with mode: 0644]
queue-4.19/arm-dts-rockchip-fix-the-realtek-audio-codec-on-rk30.patch [new file with mode: 0644]
queue-4.19/arm64-dts-rockchip-fix-rt5651-compatible-value-on-rk.patch [new file with mode: 0644]
queue-4.19/can-c_can-fix-rx-tx-_errors-statistics.patch [new file with mode: 0644]
queue-4.19/hid-core-zero-initialize-the-report-buffer.patch [new file with mode: 0644]
queue-4.19/net-hns3-fix-kernel-crash-when-uninstalling-driver.patch [new file with mode: 0644]
queue-4.19/sctp-properly-validate-chunk-size-in-sctp_sf_ootb.patch [new file with mode: 0644]
queue-4.19/security-keys-fix-slab-out-of-bounds-in-key_task_per.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/arm-dts-rockchip-drop-grf-reference-from-rk3036-hdmi.patch b/queue-4.19/arm-dts-rockchip-drop-grf-reference-from-rk3036-hdmi.patch
new file mode 100644 (file)
index 0000000..ecb1212
--- /dev/null
@@ -0,0 +1,39 @@
+From f7406415556568d708f9a24230f4687267b1719e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 22:39:38 +0200
+Subject: ARM: dts: rockchip: drop grf reference from rk3036 hdmi
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit 1580ccb6ed9dc76b8ff3e2d8912e8215c8b0fa6d ]
+
+Neither the binding nor the driver implementation specify/use the grf
+reference provided in the rk3036. And neither does the newer rk3128
+user of the hdmi controller. So drop the rockchip,grf property.
+
+Fixes: b7217cf19c63 ("ARM: dts: rockchip: add hdmi device node for rk3036")
+Cc: Caesar Wang <wxt@rock-chips.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20241008203940.2573684-13-heiko@sntech.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3036.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/rk3036.dtsi b/arch/arm/boot/dts/rk3036.dtsi
+index f7b5853aeb79f..9e30c726b7082 100644
+--- a/arch/arm/boot/dts/rk3036.dtsi
++++ b/arch/arm/boot/dts/rk3036.dtsi
+@@ -332,7 +332,6 @@
+               interrupts = <GIC_SPI 45 IRQ_TYPE_LEVEL_HIGH>;
+               clocks = <&cru  PCLK_HDMI>;
+               clock-names = "pclk";
+-              rockchip,grf = <&grf>;
+               pinctrl-names = "default";
+               pinctrl-0 = <&hdmi_ctl>;
+               status = "disabled";
+-- 
+2.43.0
+
diff --git a/queue-4.19/arm-dts-rockchip-fix-rk3036-acodec-node.patch b/queue-4.19/arm-dts-rockchip-fix-rk3036-acodec-node.patch
new file mode 100644 (file)
index 0000000..c03ef7b
--- /dev/null
@@ -0,0 +1,49 @@
+From d41e2a5123bc6ad5fe02dd6db94c164c352a3947 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 22:39:37 +0200
+Subject: ARM: dts: rockchip: fix rk3036 acodec node
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit c7206853cd7d31c52575fb1dc7616b4398f3bc8f ]
+
+The acodec node is not conformant to the binding.
+
+Set the correct nodename, use the correct compatible, add the needed
+#sound-dai-cells and sort the rockchip,grf below clocks properties
+as expected.
+
+Fixes: faea098e1808 ("ARM: dts: rockchip: add core rk3036 dtsi")
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20241008203940.2573684-12-heiko@sntech.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3036.dtsi | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/rk3036.dtsi b/arch/arm/boot/dts/rk3036.dtsi
+index c5144f06c3e70..f7b5853aeb79f 100644
+--- a/arch/arm/boot/dts/rk3036.dtsi
++++ b/arch/arm/boot/dts/rk3036.dtsi
+@@ -316,12 +316,13 @@
+               };
+       };
+-      acodec: acodec-ana@20030000 {
+-              compatible = "rk3036-codec";
++      acodec: audio-codec@20030000 {
++              compatible = "rockchip,rk3036-codec";
+               reg = <0x20030000 0x4000>;
+-              rockchip,grf = <&grf>;
+               clock-names = "acodec_pclk";
+               clocks = <&cru PCLK_ACODEC>;
++              rockchip,grf = <&grf>;
++              #sound-dai-cells = <0>;
+               status = "disabled";
+       };
+-- 
+2.43.0
+
diff --git a/queue-4.19/arm-dts-rockchip-fix-the-realtek-audio-codec-on-rk30.patch b/queue-4.19/arm-dts-rockchip-fix-the-realtek-audio-codec-on-rk30.patch
new file mode 100644 (file)
index 0000000..306877f
--- /dev/null
@@ -0,0 +1,41 @@
+From d434893981966b0128a5f72a84eb3a535893f7a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 22:39:40 +0200
+Subject: ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit 77a9a7f2d3b94d29d13d71b851114d593a2147cf ]
+
+Both the node name as well as the compatible were not named
+according to the binding expectations, fix that.
+
+Fixes: 47bf3a5c9e2a ("ARM: dts: rockchip: add the sound setup for rk3036-kylin board")
+Cc: Caesar Wang <wxt@rock-chips.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20241008203940.2573684-15-heiko@sntech.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/rk3036-kylin.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/boot/dts/rk3036-kylin.dts b/arch/arm/boot/dts/rk3036-kylin.dts
+index cd109aebb7831..c7fda457e5a81 100644
+--- a/arch/arm/boot/dts/rk3036-kylin.dts
++++ b/arch/arm/boot/dts/rk3036-kylin.dts
+@@ -300,8 +300,8 @@
+ &i2c2 {
+       status = "okay";
+-      rt5616: rt5616@1b {
+-              compatible = "rt5616";
++      rt5616: audio-codec@1b {
++              compatible = "realtek,rt5616";
+               reg = <0x1b>;
+               clocks = <&cru SCLK_I2S_OUT>;
+               clock-names = "mclk";
+-- 
+2.43.0
+
diff --git a/queue-4.19/arm64-dts-rockchip-fix-rt5651-compatible-value-on-rk.patch b/queue-4.19/arm64-dts-rockchip-fix-rt5651-compatible-value-on-rk.patch
new file mode 100644 (file)
index 0000000..8423a14
--- /dev/null
@@ -0,0 +1,39 @@
+From 3b7721882d70fd71b584592db30eb37836dd15f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2024 15:48:41 +0200
+Subject: arm64: dts: rockchip: Fix rt5651 compatible value on
+ rk3399-sapphire-excavator
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 577b5761679da90e691acc939ebbe7879fff5f31 ]
+
+There are no DT bindings and driver support for a "rockchip,rt5651"
+codec.  Replace "rockchip,rt5651" by "realtek,rt5651", which matches the
+"simple-audio-card,name" property in the "rt5651-sound" node.
+
+Fixes: 0a3c78e251b3a266 ("arm64: dts: rockchip: Add support for rk3399 excavator main board")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/abc6c89811b3911785601d6d590483eacb145102.1727358193.git.geert+renesas@glider.be
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts b/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts
+index b14d83919f14c..dacb1331ae9cd 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-sapphire-excavator.dts
+@@ -123,7 +123,7 @@
+       status = "okay";
+       rt5651: rt5651@1a {
+-              compatible = "rockchip,rt5651";
++              compatible = "realtek,rt5651";
+               reg = <0x1a>;
+               clocks = <&cru SCLK_I2S_8CH_OUT>;
+               clock-names = "mclk";
+-- 
+2.43.0
+
diff --git a/queue-4.19/can-c_can-fix-rx-tx-_errors-statistics.patch b/queue-4.19/can-c_can-fix-rx-tx-_errors-statistics.patch
new file mode 100644 (file)
index 0000000..975049f
--- /dev/null
@@ -0,0 +1,71 @@
+From 7ad76cf670c0ac6fc5160c65daefcc735d1fdb64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 15:53:13 +0200
+Subject: can: c_can: fix {rx,tx}_errors statistics
+
+From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+
+[ Upstream commit 4d6d26537940f3b3e17138987ed9e4a334780bf7 ]
+
+The c_can_handle_bus_err() function was incorrectly incrementing only the
+receive error counter, even in cases of bit or acknowledgment errors that
+occur during transmission. The patch fixes the issue by incrementing the
+appropriate counter based on the type of error.
+
+Fixes: 881ff67ad450 ("can: c_can: Added support for Bosch C_CAN controller")
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Link: https://patch.msgid.link/20241014135319.2009782-1-dario.binacchi@amarulasolutions.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/c_can/c_can.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/c_can/c_can.c b/drivers/net/can/c_can/c_can.c
+index 2278c5fff5c69..8e72c379740c7 100644
+--- a/drivers/net/can/c_can/c_can.c
++++ b/drivers/net/can/c_can/c_can.c
+@@ -991,7 +991,6 @@ static int c_can_handle_bus_err(struct net_device *dev,
+       /* common for all type of bus errors */
+       priv->can.can_stats.bus_error++;
+-      stats->rx_errors++;
+       /* propagate the error condition to the CAN stack */
+       skb = alloc_can_err_skb(dev, &cf);
+@@ -1008,26 +1007,32 @@ static int c_can_handle_bus_err(struct net_device *dev,
+       case LEC_STUFF_ERROR:
+               netdev_dbg(dev, "stuff error\n");
+               cf->data[2] |= CAN_ERR_PROT_STUFF;
++              stats->rx_errors++;
+               break;
+       case LEC_FORM_ERROR:
+               netdev_dbg(dev, "form error\n");
+               cf->data[2] |= CAN_ERR_PROT_FORM;
++              stats->rx_errors++;
+               break;
+       case LEC_ACK_ERROR:
+               netdev_dbg(dev, "ack error\n");
+               cf->data[3] = CAN_ERR_PROT_LOC_ACK;
++              stats->tx_errors++;
+               break;
+       case LEC_BIT1_ERROR:
+               netdev_dbg(dev, "bit1 error\n");
+               cf->data[2] |= CAN_ERR_PROT_BIT1;
++              stats->tx_errors++;
+               break;
+       case LEC_BIT0_ERROR:
+               netdev_dbg(dev, "bit0 error\n");
+               cf->data[2] |= CAN_ERR_PROT_BIT0;
++              stats->tx_errors++;
+               break;
+       case LEC_CRC_ERROR:
+               netdev_dbg(dev, "CRC error\n");
+               cf->data[3] = CAN_ERR_PROT_LOC_CRC_SEQ;
++              stats->rx_errors++;
+               break;
+       default:
+               break;
+-- 
+2.43.0
+
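Review bot: After moving the counter into the switch, the `default:` branch at the end of the hunk increments neither `stats->rx_errors` nor `stats->tx_errors`, whereas before the change every bus error bumped `rx_errors`; a bus error whose LEC value is not one of the six listed cases is now visible only in `priv->can.can_stats.bus_error`. If that is intended (LEC values that carry no error class), a one-line comment on the branch would make it explicit: `/* unknown/unused LEC: counted in bus_error only */`. c_can_handle_bus_err() starts before the first hunk and continues past the second, so the remaining uses of `stats` are not visible here.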
diff --git a/queue-4.19/hid-core-zero-initialize-the-report-buffer.patch b/queue-4.19/hid-core-zero-initialize-the-report-buffer.patch
new file mode 100644 (file)
index 0000000..c72a0d7
--- /dev/null
@@ -0,0 +1,41 @@
+From 0b385f38ed644237087e45d052a209dc2b15d3be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 15:44:35 +0100
+Subject: HID: core: zero-initialize the report buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiri Kosina <jkosina@suse.com>
+
+[ Upstream commit 177f25d1292c7e16e1199b39c85480f7f8815552 ]
+
+Since the report buffer is used by all kinds of drivers in various ways, let's
+zero-initialize it during allocation to make sure that it can't be ever used
+to leak kernel memory via specially-crafted report.
+
+Fixes: 27ce405039bf ("HID: fix data access in implement()")
+Reported-by: BenoĆ®t Sevens <bsevens@google.com>
+Acked-by: Benjamin Tissoires <bentiss@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
+index 0757097d25507..3387e64d84412 100644
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1482,7 +1482,7 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags)
+       u32 len = hid_report_len(report) + 7;
+-      return kmalloc(len, flags);
++      return kzalloc(len, flags);
+ }
+ EXPORT_SYMBOL_GPL(hid_alloc_report_buf);
+-- 
+2.43.0
+
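Review bot: The switch from kmalloc() to kzalloc() on the return line carries no comment, so a later "optimization" back to a non-zeroing allocation would look harmless in review; suggest `/* Zeroed on purpose: a report buffer may reach the device or user space before every byte is written (see upstream 177f25d1292c). */` directly above the return. The `+ 7` slack on the preceding `len` line is likewise unexplained in the hunk; if its origin is known, naming it in the same comment would help. Only the body of hid_alloc_report_buf() is in the hunk; its signature appears in the hunk header.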
diff --git a/queue-4.19/net-hns3-fix-kernel-crash-when-uninstalling-driver.patch b/queue-4.19/net-hns3-fix-kernel-crash-when-uninstalling-driver.patch
new file mode 100644 (file)
index 0000000..89d29bf
--- /dev/null
@@ -0,0 +1,89 @@
+From f04755318c9a22e7e3a6201c378675c7588c58c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2024 17:15:07 +0800
+Subject: net: hns3: fix kernel crash when uninstalling driver
+
+From: Peiyang Wang <wangpeiyang1@huawei.com>
+
+[ Upstream commit df3dff8ab6d79edc942464999d06fbaedf8cdd18 ]
+
+When the driver is uninstalled and the VF is disabled concurrently, a
+kernel crash occurs. The reason is that the two actions call function
+pci_disable_sriov(). The num_VFs is checked to determine whether to
+release the corresponding resources. During the second calling, num_VFs
+is not 0 and the resource release function is called. However, the
+corresponding resource has been released during the first invoking.
+Therefore, the problem occurs:
+
+[15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
+...
+[15278.131557][T50670] Call trace:
+[15278.134686][T50670]  klist_put+0x28/0x12c
+[15278.138682][T50670]  klist_del+0x14/0x20
+[15278.142592][T50670]  device_del+0xbc/0x3c0
+[15278.146676][T50670]  pci_remove_bus_device+0x84/0x120
+[15278.151714][T50670]  pci_stop_and_remove_bus_device+0x6c/0x80
+[15278.157447][T50670]  pci_iov_remove_virtfn+0xb4/0x12c
+[15278.162485][T50670]  sriov_disable+0x50/0x11c
+[15278.166829][T50670]  pci_disable_sriov+0x24/0x30
+[15278.171433][T50670]  hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3]
+[15278.178039][T50670]  hclge_exit+0x28/0xd0 [hclge]
+[15278.182730][T50670]  __se_sys_delete_module.isra.0+0x164/0x230
+[15278.188550][T50670]  __arm64_sys_delete_module+0x1c/0x30
+[15278.193848][T50670]  invoke_syscall+0x50/0x11c
+[15278.198278][T50670]  el0_svc_common.constprop.0+0x158/0x164
+[15278.203837][T50670]  do_el0_svc+0x34/0xcc
+[15278.207834][T50670]  el0_svc+0x20/0x30
+
+For details, see the following figure.
+
+     rmmod hclge              disable VFs
+----------------------------------------------------
+hclge_exit()            sriov_numvfs_store()
+  ...                     device_lock()
+  pci_disable_sriov()     hns3_pci_sriov_configure()
+                            pci_disable_sriov()
+                              sriov_disable()
+    sriov_disable()             if !num_VFs :
+      if !num_VFs :               return;
+        return;                 sriov_del_vfs()
+      sriov_del_vfs()             ...
+        ...                       klist_put()
+        klist_put()               ...
+        ...                     num_VFs = 0;
+      num_VFs = 0;        device_unlock();
+
+In this patch, when driver is removing, we get the device_lock()
+to protect num_VFs, just like sriov_numvfs_store().
+
+Fixes: 0dd8a25f355b ("net: hns3: disable sriov before unload hclge layer")
+Signed-off-by: Peiyang Wang <wangpeiyang1@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241101091507.3644584-1-shaojijie@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hnae3.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.c b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
+index b250d0fe9ac50..1265010f063fe 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
+@@ -25,8 +25,11 @@ void hnae3_unregister_ae_algo_prepare(struct hnae3_ae_algo *ae_algo)
+               pci_id = pci_match_id(ae_algo->pdev_id_table, ae_dev->pdev);
+               if (!pci_id)
+                       continue;
+-              if (IS_ENABLED(CONFIG_PCI_IOV))
++              if (IS_ENABLED(CONFIG_PCI_IOV)) {
++                      device_lock(&ae_dev->pdev->dev);
+                       pci_disable_sriov(ae_dev->pdev);
++                      device_unlock(&ae_dev->pdev->dev);
++              }
+       }
+ }
+ EXPORT_SYMBOL(hnae3_unregister_ae_algo_prepare);
+-- 
+2.43.0
+
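Review bot: device_lock(&ae_dev->pdev->dev) is now taken inside a loop whose head is outside the hunk (hnae3_unregister_ae_algo_prepare() begins before it); if that loop runs under a mutex guarding the ae_dev list, the new nesting is list-lock then device-lock, which is the reverse of the sriov_numvfs_store() path described in the commit message (device lock, then the driver's sriov_configure callback), so it should be confirmed that the callback never takes that list lock. A short comment at the lock site stating the ordering and the race it closes would help future readers: `/* Serialize with sriov_numvfs_store(): num_VFs is checked and cleared under the device lock. */`.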
diff --git a/queue-4.19/sctp-properly-validate-chunk-size-in-sctp_sf_ootb.patch b/queue-4.19/sctp-properly-validate-chunk-size-in-sctp_sf_ootb.patch
new file mode 100644 (file)
index 0000000..334bcb2
--- /dev/null
@@ -0,0 +1,49 @@
+From dd28630790d48a386cbbeff9f91d86a5697e2b00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Oct 2024 13:46:21 -0400
+Subject: sctp: properly validate chunk size in sctp_sf_ootb()
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 0ead60804b64f5bd6999eec88e503c6a1a242d41 ]
+
+A size validation fix similar to that in Commit 50619dbf8db7 ("sctp: add
+size validation when walking chunks") is also required in sctp_sf_ootb()
+to address a crash reported by syzbot:
+
+  BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
+  sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
+  sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
+  sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
+  sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
+  sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243
+  sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
+  ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
+  ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233
+
+Reported-by: syzbot+f0cbb34d39392f2746ca@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/a29ebb6d8b9f8affd0f9abb296faafafe10c17d8.1730223981.git.lucien.xin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/sm_statefuns.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
+index 8298f27e8de0d..0b44ad00dbb69 100644
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -3652,7 +3652,7 @@ enum sctp_disposition sctp_sf_ootb(struct net *net,
+               }
+               ch = (struct sctp_chunkhdr *)ch_end;
+-      } while (ch_end < skb_tail_pointer(skb));
++      } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
+       if (ootb_shut_ack)
+               return sctp_sf_shut_8_4_5(net, ep, asoc, type, arg, commands);
+-- 
+2.43.0
+
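Review bot: The new loop bound stops the walk when the next chunk header ends exactly at the tail (`ch_end + sizeof(*ch) == skb_tail_pointer(skb)`), so a final header-only chunk whose length equals sizeof(*ch) is never inspected. The loop body that sets `ootb_shut_ack` lies outside the hunk, so confirm whether a trailing payload-less chunk must still be seen; if it must, the bound would be `} while (ch_end + sizeof(*ch) <= skb_tail_pointer(skb));`, provided the loop body still bounds each chunk's `ch_end` against the tail before reading past the header. sctp_sf_ootb() starts before the hunk and continues after it.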
diff --git a/queue-4.19/security-keys-fix-slab-out-of-bounds-in-key_task_per.patch b/queue-4.19/security-keys-fix-slab-out-of-bounds-in-key_task_per.patch
new file mode 100644 (file)
index 0000000..7de95b4
--- /dev/null
@@ -0,0 +1,110 @@
+From 7517e362d7ee189ebb425444f69711b0cc9f02f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 12:46:39 +0000
+Subject: security/keys: fix slab-out-of-bounds in key_task_permission
+
+From: Chen Ridong <chenridong@huawei.com>
+
+[ Upstream commit 4a74da044ec9ec8679e6beccc4306b936b62873f ]
+
+KASAN reports an out of bounds read:
+BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36
+BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]
+BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410
+security/keys/permission.c:54
+Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362
+
+CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15
+Call Trace:
+ __dump_stack lib/dump_stack.c:82 [inline]
+ dump_stack+0x107/0x167 lib/dump_stack.c:123
+ print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400
+ __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
+ kasan_report+0x3a/0x50 mm/kasan/report.c:585
+ __kuid_val include/linux/uidgid.h:36 [inline]
+ uid_eq include/linux/uidgid.h:63 [inline]
+ key_task_permission+0x394/0x410 security/keys/permission.c:54
+ search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793
+
+This issue was also reported by syzbot.
+
+It can be reproduced by following these steps(more details [1]):
+1. Obtain more than 32 inputs that have similar hashes, which ends with the
+   pattern '0xxxxxxxe6'.
+2. Reboot and add the keys obtained in step 1.
+
+The reproducer demonstrates how this issue happened:
+1. In the search_nested_keyrings function, when it iterates through the
+   slots in a node(below tag ascend_to_node), if the slot pointer is meta
+   and node->back_pointer != NULL(it means a root), it will proceed to
+   descend_to_node. However, there is an exception. If node is the root,
+   and one of the slots points to a shortcut, it will be treated as a
+   keyring.
+2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function.
+   However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as
+   ASSOC_ARRAY_PTR_SUBTYPE_MASK.
+3. When 32 keys with the similar hashes are added to the tree, the ROOT
+   has keys with hashes that are not similar (e.g. slot 0) and it splits
+   NODE A without using a shortcut. When NODE A is filled with keys that
+   all hashes are xxe6, the keys are similar, NODE A will split with a
+   shortcut. Finally, it forms the tree as shown below, where slot 6 points
+   to a shortcut.
+
+                      NODE A
+              +------>+---+
+      ROOT    |       | 0 | xxe6
+      +---+   |       +---+
+ xxxx | 0 | shortcut  :   : xxe6
+      +---+   |       +---+
+ xxe6 :   :   |       |   | xxe6
+      +---+   |       +---+
+      | 6 |---+       :   : xxe6
+      +---+           +---+
+ xxe6 :   :           | f | xxe6
+      +---+           +---+
+ xxe6 | f |
+      +---+
+
+4. As mentioned above, If a slot(slot 6) of the root points to a shortcut,
+   it may be mistakenly transferred to a key*, leading to a read
+   out-of-bounds read.
+
+To fix this issue, one should jump to descend_to_node if the ptr is a
+shortcut, regardless of whether the node is root or not.
+
+[1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/
+
+[jarkko: tweaked the commit message a bit to have an appropriate closes
+ tag.]
+Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
+Reported-by: syzbot+5b415c07907a2990d1a3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000cbb7860611f61147@google.com/T/
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/keys/keyring.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/security/keys/keyring.c b/security/keys/keyring.c
+index e8f2366021ea3..0f414a114729a 100644
+--- a/security/keys/keyring.c
++++ b/security/keys/keyring.c
+@@ -739,8 +739,11 @@ static bool search_nested_keyrings(struct key *keyring,
+       for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) {
+               ptr = READ_ONCE(node->slots[slot]);
+-              if (assoc_array_ptr_is_meta(ptr) && node->back_pointer)
+-                      goto descend_to_node;
++              if (assoc_array_ptr_is_meta(ptr)) {
++                      if (node->back_pointer ||
++                          assoc_array_ptr_is_shortcut(ptr))
++                              goto descend_to_node;
++              }
+               if (!keyring_ptr_is_keyring(ptr))
+                       continue;
+-- 
+2.43.0
+
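Review bot: The new nested `if` after `ptr = READ_ONCE(node->slots[slot]);` encodes a non-obvious invariant that only the commit message states — KEYRING_PTR_SUBTYPE and ASSOC_ARRAY_PTR_SUBTYPE_MASK share the value 0x2, so a shortcut pointer would pass keyring_ptr_is_keyring() — but leaves no comment at the site; suggest `/* A shortcut is a meta pointer whose subtype bit collides with KEYRING_PTR_SUBTYPE; descend instead of letting keyring_ptr_is_keyring() misread it. */`. As a matter of style the two ifs can be one condition, `if (assoc_array_ptr_is_meta(ptr) && (node->back_pointer || assoc_array_ptr_is_shortcut(ptr))) goto descend_to_node;`. search_nested_keyrings() starts before the hunk and continues after it.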
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..424ba58140411200f291b060b56f4b908f82d527 100644 (file)
@@ -0,0 +1,9 @@
+arm64-dts-rockchip-fix-rt5651-compatible-value-on-rk.patch
+arm-dts-rockchip-fix-rk3036-acodec-node.patch
+arm-dts-rockchip-drop-grf-reference-from-rk3036-hdmi.patch
+arm-dts-rockchip-fix-the-realtek-audio-codec-on-rk30.patch
+hid-core-zero-initialize-the-report-buffer.patch
+security-keys-fix-slab-out-of-bounds-in-key_task_per.patch
+sctp-properly-validate-chunk-size-in-sctp_sf_ootb.patch
+can-c_can-fix-rx-tx-_errors-statistics.patch
+net-hns3-fix-kernel-crash-when-uninstalling-driver.patch