+++ /dev/null
-From e19e48d6663d064c2ef53e206b125981164876db Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index f0bd4ae19df67f..25438ba6bdfb72 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -477,12 +477,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
time-fix-off-by-one-in-settimeofday-usec-validation.patch
alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch
+++ /dev/null
-From f14b9824b6fb9b3f6e2a94de10b36ea7fe1a64a4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index 9fefceb3a95d46..e18d14bf94a9be 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
+++ /dev/null
-From b9869d1ed6d30a63dc017f9a20f9b54491a7754e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel <idosch@nvidia.com>
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-<TASK>
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-</TASK>
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin <leo@depthfirst.com>
-Reviewed-by: David Ahern <dahern@nvidia.com>
-Signed-off-by: Ido Schimmel <idosch@nvidia.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index 77a9f17c816b5d..18a3516abb586e 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1392,9 +1392,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
- struct mld2_query *mlh2 = NULL;
-- const struct in6_addr *group;
- unsigned long max_delay;
- struct inet6_dev *idev;
-+ struct in6_addr group;
- struct ifmcaddr6 *ma;
- struct mld_msg *mld;
- int group_type;
-@@ -1426,8 +1426,8 @@ static void __mld_query_work(struct sk_buff *skb)
- goto kfree_skb;
-
- mld = (struct mld_msg *)icmp6_hdr(skb);
-- group = &mld->mld_mca;
-- group_type = ipv6_addr_type(group);
-+ group = mld->mld_mca;
-+ group_type = ipv6_addr_type(&group);
-
- if (group_type != IPV6_ADDR_ANY &&
- !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1477,7 +1477,7 @@ static void __mld_query_work(struct sk_buff *skb)
- }
- } else {
- for_each_mc_mclock(idev, ma) {
-- if (!ipv6_addr_equal(group, &ma->mca_addr))
-+ if (!ipv6_addr_equal(&group, &ma->mca_addr))
- continue;
- if (ma->mca_flags & MAF_TIMER_RUNNING) {
- /* gsquery <- gsquery && mark */
---
-2.53.0
-
bluetooth-bnep-reject-short-frames-before-parsing.patch
bluetooth-fix-memory-leak-in-error-path-of-hci_alloc.patch
ipv4-restrict-ipopt_ssrr-and-ipopt_lsrr-options.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
time-fix-off-by-one-in-settimeofday-usec-validation.patch
ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch
+++ /dev/null
-From 2af63b4f342848bc4201b9020bbea401c09cd2da Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index dd35f341b16fd3..d10d8fe29a73b9 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
+++ /dev/null
-From 069404dfdfb6001db5fc68846b408ca92c65ec83 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel <idosch@nvidia.com>
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-<TASK>
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-</TASK>
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin <leo@depthfirst.com>
-Reviewed-by: David Ahern <dahern@nvidia.com>
-Signed-off-by: Ido Schimmel <idosch@nvidia.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index e7f569875e7186..f6af19b873a41d 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1392,9 +1392,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
- struct mld2_query *mlh2 = NULL;
-- const struct in6_addr *group;
- unsigned long max_delay;
- struct inet6_dev *idev;
-+ struct in6_addr group;
- struct ifmcaddr6 *ma;
- struct mld_msg *mld;
- int group_type;
-@@ -1426,8 +1426,8 @@ static void __mld_query_work(struct sk_buff *skb)
- goto kfree_skb;
-
- mld = (struct mld_msg *)icmp6_hdr(skb);
-- group = &mld->mld_mca;
-- group_type = ipv6_addr_type(group);
-+ group = mld->mld_mca;
-+ group_type = ipv6_addr_type(&group);
-
- if (group_type != IPV6_ADDR_ANY &&
- !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1477,7 +1477,7 @@ static void __mld_query_work(struct sk_buff *skb)
- }
- } else {
- for_each_mc_mclock(idev, ma) {
-- if (!ipv6_addr_equal(group, &ma->mca_addr))
-+ if (!ipv6_addr_equal(&group, &ma->mca_addr))
- continue;
- if (ma->mca_flags & MAF_TIMER_RUNNING) {
- /* gsquery <- gsquery && mark */
---
-2.53.0
-
octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
vxlan-vnifilter-send-notification-on-vni-add.patch
vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
time-fix-off-by-one-in-settimeofday-usec-validation.patch
+++ /dev/null
-From ba552ad18875cc90f6b8a704c8b3539f7634ab30 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index e9577f920286d0..c8715df8b08b1d 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
+++ /dev/null
-From f9ac9192b424b7eab8e2819013c2d9a82cb473d5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel <idosch@nvidia.com>
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-<TASK>
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-</TASK>
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin <leo@depthfirst.com>
-Reviewed-by: David Ahern <dahern@nvidia.com>
-Signed-off-by: Ido Schimmel <idosch@nvidia.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index e2a11a2f3b255d..b769e856a068d2 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1393,9 +1393,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
- struct mld2_query *mlh2 = NULL;
-- const struct in6_addr *group;
- unsigned long max_delay;
- struct inet6_dev *idev;
-+ struct in6_addr group;
- struct ifmcaddr6 *ma;
- struct mld_msg *mld;
- int group_type;
-@@ -1427,8 +1427,8 @@ static void __mld_query_work(struct sk_buff *skb)
- goto kfree_skb;
-
- mld = (struct mld_msg *)icmp6_hdr(skb);
-- group = &mld->mld_mca;
-- group_type = ipv6_addr_type(group);
-+ group = mld->mld_mca;
-+ group_type = ipv6_addr_type(&group);
-
- if (group_type != IPV6_ADDR_ANY &&
- !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1478,7 +1478,7 @@ static void __mld_query_work(struct sk_buff *skb)
- }
- } else {
- for_each_mc_mclock(idev, ma) {
-- if (!ipv6_addr_equal(group, &ma->mca_addr))
-+ if (!ipv6_addr_equal(&group, &ma->mca_addr))
- continue;
- if (ma->mca_flags & MAF_TIMER_RUNNING) {
- /* gsquery <- gsquery && mark */
---
-2.53.0
-
octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
vxlan-vnifilter-send-notification-on-vni-add.patch
vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
time-fix-off-by-one-in-settimeofday-usec-validation.patch
+++ /dev/null
-From ce65f2949f6432822977613ca7101d6a86254f9a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index e9577f920286d0..c8715df8b08b1d 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
+++ /dev/null
-From 5a688c86061ed594756a1c02aa894a2400dbad73 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel <idosch@nvidia.com>
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-<TASK>
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-</TASK>
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin <leo@depthfirst.com>
-Reviewed-by: David Ahern <dahern@nvidia.com>
-Signed-off-by: Ido Schimmel <idosch@nvidia.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index 016b572e7d6f02..f4b3cb48387096 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1424,9 +1424,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
- struct mld2_query *mlh2 = NULL;
-- const struct in6_addr *group;
- unsigned long max_delay;
- struct inet6_dev *idev;
-+ struct in6_addr group;
- struct ifmcaddr6 *ma;
- struct mld_msg *mld;
- int group_type;
-@@ -1458,8 +1458,8 @@ static void __mld_query_work(struct sk_buff *skb)
- goto kfree_skb;
-
- mld = (struct mld_msg *)icmp6_hdr(skb);
-- group = &mld->mld_mca;
-- group_type = ipv6_addr_type(group);
-+ group = mld->mld_mca;
-+ group_type = ipv6_addr_type(&group);
-
- if (group_type != IPV6_ADDR_ANY &&
- !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1509,7 +1509,7 @@ static void __mld_query_work(struct sk_buff *skb)
- }
- } else {
- for_each_mc_mclock(idev, ma) {
-- if (!ipv6_addr_equal(group, &ma->mca_addr))
-+ if (!ipv6_addr_equal(&group, &ma->mca_addr))
- continue;
- if (ma->mca_flags & MAF_TIMER_RUNNING) {
- /* gsquery <- gsquery && mark */
---
-2.53.0
-
+++ /dev/null
-From cac4acb1b336b27232ae740be39eaa1034ecb0dd Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 9 Jun 2026 18:48:08 +0900
-Subject: KVM: arm64: Take the SRCU lock for page table walks in fault
- injection and AT emulation
-
-From: Hyunwoo Kim <imv4bel@gmail.com>
-
-[ Upstream commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 ]
-
-walk_s1() and kvm_walk_nested_s2() expect to be called while holding
-kvm->srcu to guard against memslot changes. While this is generally
-the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
-respective walkers without taking kvm->srcu.
-
-Fix by acquiring kvm->srcu prior to the table walk in both instances.
-
-Cc: stable@vger.kernel.org
-Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection")
-Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
-Suggested-by: Oliver Upton <oupton@kernel.org>
-Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
-Reviewed-by: Oliver Upton <oupton@kernel.org>
-Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
-Signed-off-by: Marc Zyngier <maz@kernel.org>
-[ Hyunwoo Kim: __kvm_at_s12() still returns void in 6.18.y, so the
- surrounding context differs from upstream (return; instead of
- return ret;); the added scoped_guard() is unchanged. ]
-Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm64/kvm/at.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/arch/arm64/kvm/at.c b/arch/arm64/kvm/at.c
-index be26d5aa668c39..e6de6aac6ede20 100644
---- a/arch/arm64/kvm/at.c
-+++ b/arch/arm64/kvm/at.c
-@@ -1528,7 +1528,8 @@ void __kvm_at_s12(struct kvm_vcpu *vcpu, u32 op, u64 vaddr)
- /* Do the stage-2 translation */
- ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0));
- out.esr = 0;
-- ret = kvm_walk_nested_s2(vcpu, ipa, &out);
-+ scoped_guard(srcu, &vcpu->kvm->srcu)
-+ ret = kvm_walk_nested_s2(vcpu, ipa, &out);
- if (ret < 0)
- return;
-
-@@ -1623,7 +1624,8 @@ int __kvm_find_s1_desc_level(struct kvm_vcpu *vcpu, u64 va, u64 ipa, int *level)
- }
-
- /* Walk the guest's PT, looking for a match along the way */
-- ret = walk_s1(vcpu, &wi, &wr, va);
-+ scoped_guard(srcu, &vcpu->kvm->srcu)
-+ ret = walk_s1(vcpu, &wi, &wr, va);
- switch (ret) {
- case -EINTR:
- /* We interrupted the walk on a match, return the level */
---
-2.53.0
-
octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
vxlan-vnifilter-send-notification-on-vni-add.patch
vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
-kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
drivers-hv-vmbus-protocol-version-6.0.patch
drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch
drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch
+++ /dev/null
-From a0c0fa10ee209567b685a35881676d4e0fadfa14 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index 7d337380a05d99..2ee07fc675d63a 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
+++ /dev/null
-From 1bb28a2c0b24a60a2a573a9a1664c70a7b819c84 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel <idosch@nvidia.com>
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-<TASK>
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-</TASK>
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin <leo@depthfirst.com>
-Reviewed-by: David Ahern <dahern@nvidia.com>
-Signed-off-by: Ido Schimmel <idosch@nvidia.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index 160b452f75e7d2..c52865e20a4114 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1392,9 +1392,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
- struct mld2_query *mlh2 = NULL;
-- const struct in6_addr *group;
- unsigned long max_delay;
- struct inet6_dev *idev;
-+ struct in6_addr group;
- struct ifmcaddr6 *ma;
- struct mld_msg *mld;
- int group_type;
-@@ -1426,8 +1426,8 @@ static void __mld_query_work(struct sk_buff *skb)
- goto kfree_skb;
-
- mld = (struct mld_msg *)icmp6_hdr(skb);
-- group = &mld->mld_mca;
-- group_type = ipv6_addr_type(group);
-+ group = mld->mld_mca;
-+ group_type = ipv6_addr_type(&group);
-
- if (group_type != IPV6_ADDR_ANY &&
- !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1477,7 +1477,7 @@ static void __mld_query_work(struct sk_buff *skb)
- }
- } else {
- for_each_mc_mclock(idev, ma) {
-- if (!ipv6_addr_equal(group, &ma->mca_addr))
-+ if (!ipv6_addr_equal(&group, &ma->mca_addr))
- continue;
- if (ma->mca_flags & MAF_TIMER_RUNNING) {
- /* gsquery <- gsquery && mark */
---
-2.53.0
-
octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
vxlan-vnifilter-send-notification-on-vni-add.patch
vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
time-fix-off-by-one-in-settimeofday-usec-validation.patch
+++ /dev/null
-From a7e58d3d636a0a157ef84216335f4832960d0d10 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 1 Jun 2026 14:52:09 -0400
-Subject: Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer
-
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-
-[ Upstream commit f50331f2a1441ec49988832c3a95f2edacc47322 ]
-
-In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is
-dropped:
- bis = iso_pi(sk)->conn->hcon;
- /* Release the socket before lookups since that requires hci_dev_lock
- * which shall not be acquired while holding sock_lock for proper
- * ordering.
- */
- release_sock(sk);
- hci_dev_lock(bis->hdev);
-
-During the unlocked window, could a concurrent close() destroy the connection
-and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory
-after it is freed, fix this by using the hdev reference which was safely
-acquired via iso_conn_get_hdev().
-
-Fixes: d3413703d5f8 ("Bluetooth: ISO: Add support to bind to trigger PAST")
-Reported-by: Sashiko <sashiko-bot@kernel.org>
-Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/bluetooth/iso.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
-index 2363b6135c6f1b..05a3f1e554fe67 100644
---- a/net/bluetooth/iso.c
-+++ b/net/bluetooth/iso.c
-@@ -1090,7 +1090,7 @@ static int iso_sock_rebind_bc(struct sock *sk, struct sockaddr_iso *sa,
- * ordering.
- */
- release_sock(sk);
-- hci_dev_lock(bis->hdev);
-+ hci_dev_lock(hdev);
- lock_sock(sk);
-
- if (!iso_pi(sk)->conn || iso_pi(sk)->conn->hcon != bis) {
---
-2.53.0
-
+++ /dev/null
-From d4d49d7d68259828c44eb97566b49cfcc45b2d80 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index 7bbe0263411eb7..ccaac5e29f906b 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
+++ /dev/null
-From c9d11fe24aba67d9adbd03e528b6adc93bb27b39 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel <idosch@nvidia.com>
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-<TASK>
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-</TASK>
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin <leo@depthfirst.com>
-Reviewed-by: David Ahern <dahern@nvidia.com>
-Signed-off-by: Ido Schimmel <idosch@nvidia.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index 3330adcf26db24..d9b855d5191bf6 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1424,9 +1424,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
- struct mld2_query *mlh2 = NULL;
-- const struct in6_addr *group;
- unsigned long max_delay;
- struct inet6_dev *idev;
-+ struct in6_addr group;
- struct ifmcaddr6 *ma;
- struct mld_msg *mld;
- int group_type;
-@@ -1458,8 +1458,8 @@ static void __mld_query_work(struct sk_buff *skb)
- goto kfree_skb;
-
- mld = (struct mld_msg *)icmp6_hdr(skb);
-- group = &mld->mld_mca;
-- group_type = ipv6_addr_type(group);
-+ group = mld->mld_mca;
-+ group_type = ipv6_addr_type(&group);
-
- if (group_type != IPV6_ADDR_ANY &&
- !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1509,7 +1509,7 @@ static void __mld_query_work(struct sk_buff *skb)
- }
- } else {
- for_each_mc_mclock(idev, ma) {
-- if (!ipv6_addr_equal(group, &ma->mca_addr))
-+ if (!ipv6_addr_equal(&group, &ma->mca_addr))
- continue;
- if (ma->mca_flags & MAF_TIMER_RUNNING) {
- /* gsquery <- gsquery && mark */
---
-2.53.0
-
+++ /dev/null
-From 971c15264302a47c87e42cb68fba5033109d2522 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 21:09:33 +0900
-Subject: KVM: arm64: Take the SRCU lock for page table walks in fault
- injection and AT emulation
-
-From: Hyunwoo Kim <imv4bel@gmail.com>
-
-[ Upstream commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 ]
-
-walk_s1() and kvm_walk_nested_s2() expect to be called while holding
-kvm->srcu to guard against memslot changes. While this is generally
-the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
-respective walkers without taking kvm->srcu.
-
-Fix by acquiring kvm->srcu prior to the table walk in both instances.
-
-Cc: stable@vger.kernel.org
-Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection")
-Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
-Suggested-by: Oliver Upton <oupton@kernel.org>
-Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
-Reviewed-by: Oliver Upton <oupton@kernel.org>
-Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
-Signed-off-by: Marc Zyngier <maz@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm64/kvm/at.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/arch/arm64/kvm/at.c b/arch/arm64/kvm/at.c
-index a024d9a770dc74..1d563070526c4d 100644
---- a/arch/arm64/kvm/at.c
-+++ b/arch/arm64/kvm/at.c
-@@ -1568,7 +1568,8 @@ int __kvm_at_s12(struct kvm_vcpu *vcpu, u32 op, u64 vaddr)
- /* Do the stage-2 translation */
- ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0));
- out.esr = 0;
-- ret = kvm_walk_nested_s2(vcpu, ipa, &out);
-+ scoped_guard(srcu, &vcpu->kvm->srcu)
-+ ret = kvm_walk_nested_s2(vcpu, ipa, &out);
- if (ret < 0)
- return ret;
-
-@@ -1664,7 +1665,8 @@ int __kvm_find_s1_desc_level(struct kvm_vcpu *vcpu, u64 va, u64 ipa, int *level)
- }
-
- /* Walk the guest's PT, looking for a match along the way */
-- ret = walk_s1(vcpu, &wi, &wr, va);
-+ scoped_guard(srcu, &vcpu->kvm->srcu)
-+ ret = walk_s1(vcpu, &wi, &wr, va);
- switch (ret) {
- case -EINTR:
- /* We interrupted the walk on a match, return the level */
---
-2.53.0
-
bluetooth-bnep-reject-short-frames-before-parsing.patch
bluetooth-fix-memory-leak-in-error-path-of-hci_alloc.patch
bluetooth-iso-fix-not-releasing-hdev-reference-on-is.patch
-bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-p.patch
bluetooth-iso-fix-data-race-on-iso_pi-fields-in-hci_.patch
bluetooth-sco-fix-data-race-on-sco_pi-fields-in-sco_.patch
bluetooth-mgmt-fix-backward-compatibility-with-users.patch
octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
vxlan-vnifilter-send-notification-on-vni-add.patch
vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
bonding-annotate-data-races-arcound-churn-variables.patch
fwctl-bnxt_en-move-common-definitions-to-include-lin.patch
fwctl-bnxt_en-refactor-aux-bus-functions-to-be-more-.patch
reapply-bnxt_en-bring-back-rtnl_lock-in-the-bnxt_ope.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
-kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch
drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch
selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
