--- /dev/null
+From 617eb7c0961a8dfcfc811844a6396e406b2923ea Mon Sep 17 00:00:00 2001
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+Date: Mon, 27 Apr 2026 10:57:45 +0800
+Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+commit 617eb7c0961a8dfcfc811844a6396e406b2923ea upstream.
+
+While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
+timeout value` warning was observed, accompanied by SMBus controller
+state machine corruption.
+
+The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
+10 ms. The user argument is checked against INT_MAX, but it is
+subsequently multiplied by 10 before being passed to msecs_to_jiffies().
+
+A malicious user can pass a large value (e.g., 429496729) that passes
+the `arg > INT_MAX` check but overflows when multiplied by 10. This
+results in a truncated 32-bit unsigned value that bypasses the
+internal `(int)m < 0` check in `msecs_to_jiffies()`.
+
+The truncated value is then assigned to `client->adapter->timeout`
+(a signed 32-bit int), which is reinterpreted as a negative number.
+When passed to wait_for_completion_timeout(), this negative value
+undergoes sign extension to a 64-bit unsigned long, triggering the
+`schedule_timeout` warning and causing premature returns. This leaves
+the SMBus state machine in an unrecoverable state, constituting a
+local Denial of Service (DoS).
+
+Fix this by bounding the user argument to `INT_MAX / 10`.
+
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+[wsa: move the comment as well]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/i2c-dev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *fi
+ client->adapter->retries = arg;
+ break;
+ case I2C_TIMEOUT:
+- if (arg > INT_MAX)
++ /*
++ * For historical reasons, user-space sets the timeout value in
++ * units of 10 ms.
++ */
++ if (arg > INT_MAX / 10)
+ return -EINVAL;
+
+- /* For historical reasons, user-space sets the timeout
+- * value in units of 10 ms.
+- */
+ client->adapter->timeout = msecs_to_jiffies(arg * 10);
+ break;
+ default:
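Review bot: The comment moved above the `arg > INT_MAX / 10` check in the I2C_TIMEOUT case explains the 10 ms unit but not why the bound is divided by 10, which is the security-relevant part. I would add a line to it such as `* Reject values whose product with 10 would not fit in an int.` so the link between the check and the `arg * 10` below it is explicit. The factor 10 now appears in both the bound and the multiplication, and a single named constant would keep the two from drifting apart. Whether every msecs_to_jiffies() result for the accepted range fits the int timeout field depends on HZ, which is not visible here, so that is worth confirming. i2cdev_ioctl's body begins and ends outside the hunk.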
--- /dev/null
+From 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel <idosch@nvidia.com>
+Date: Wed, 3 Jun 2026 13:18:11 +0300
+Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 upstream.
+
+When processing an MLD query, a pointer to the multicast group address
+is retrieved when initially parsing the packet. This pointer is later
+dereferenced without being reloaded despite the fact that the skb header
+might have been reallocated following the pskb_may_pull() calls, leading
+to a use-after-free [1].
+
+Fix by copying the multicast group address when the packet is initially
+parsed.
+
+[1]
+BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
+Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
+
+Workqueue: mld mld_query_work
+Call Trace:
+<TASK>
+dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
+print_address_description.constprop.0 (mm/kasan/report.c:378)
+print_report (mm/kasan/report.c:482)
+kasan_report (mm/kasan/report.c:595)
+__mld_query_work (net/ipv6/mcast.c:1512)
+mld_query_work (net/ipv6/mcast.c:1563)
+process_one_work (kernel/workqueue.c:3314)
+worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
+kthread (kernel/kthread.c:436)
+ret_from_fork (arch/x86/kernel/process.c:158)
+ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
+</TASK>
+
+[...]
+
+Freed by task 118:
+kasan_save_stack (mm/kasan/common.c:57)
+kasan_save_track (mm/kasan/common.c:78)
+kasan_save_free_info (mm/kasan/generic.c:584)
+__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
+kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
+pskb_expand_head (net/core/skbuff.c:2335)
+__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
+__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
+mld_query_work (net/ipv6/mcast.c:1563)
+process_one_work (kernel/workqueue.c:3314)
+worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
+kthread (kernel/kthread.c:436)
+ret_from_fork (arch/x86/kernel/process.c:158)
+ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
+
+Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
+Reported-by: Leo Lin <leo@depthfirst.com>
+Reviewed-by: David Ahern <dahern@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/mcast.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -1393,9 +1393,9 @@ out:
+ static void __mld_query_work(struct sk_buff *skb)
+ {
+ struct mld2_query *mlh2 = NULL;
+- const struct in6_addr *group;
+ unsigned long max_delay;
+ struct inet6_dev *idev;
++ struct in6_addr group;
+ struct ifmcaddr6 *ma;
+ struct mld_msg *mld;
+ int group_type;
+@@ -1427,8 +1427,8 @@ static void __mld_query_work(struct sk_b
+ goto kfree_skb;
+
+ mld = (struct mld_msg *)icmp6_hdr(skb);
+- group = &mld->mld_mca;
+- group_type = ipv6_addr_type(group);
++ group = mld->mld_mca;
++ group_type = ipv6_addr_type(&group);
+
+ if (group_type != IPV6_ADDR_ANY &&
+ !(group_type&IPV6_ADDR_MULTICAST))
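Review bot: The by-value copy at `group = mld->mld_mca;` has no comment saying why a copy is taken, so a later cleanup could turn it back into a pointer into the skb header. I would add `/* Copy the address: later pskb_may_pull() calls may reallocate the skb header. */` above it. `mld` itself still points into the header after this hunk, and if it is read anywhere after one of those pskb_may_pull() calls it would have the same lifetime problem, which cannot be checked from the lines shown. The declaration change in the hunk at -1393 and the `&group` use in the hunk at -1478 are consistent with the copy. __mld_query_work continues outside these hunks.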
+@@ -1478,7 +1478,7 @@ static void __mld_query_work(struct sk_b
+ }
+ } else {
+ for_each_mc_mclock(idev, ma) {
+- if (!ipv6_addr_equal(group, &ma->mca_addr))
++ if (!ipv6_addr_equal(&group, &ma->mca_addr))
+ continue;
+ if (ma->mca_flags & MAF_TIMER_RUNNING) {
+ /* gsquery <- gsquery && mark */
--- /dev/null
+From a3fdd924d88c30b9f488636ce0e4696012cf5511 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nicol=C3=B2=20Coccia?= <n.coccia96@gmail.com>
+Date: Sun, 10 May 2026 12:34:13 -0400
+Subject: net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nicolò Coccia <n.coccia96@gmail.com>
+
+commit a3fdd924d88c30b9f488636ce0e4696012cf5511 upstream.
+
+A logic flaw in __smc_setsockopt() allows a local unprivileged user to
+cause a Denial of Service (DoS) by holding the socket lock indefinitely.
+
+The function __smc_setsockopt() calls copy_from_sockptr() while holding
+lock_sock(sk). By passing a userfaultfd-monitored memory page (or
+FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
+as the optval, an attacker can halt execution during the copy operation,
+keeping the lock held.
+
+Combined with asynchronous tear-down operations like shutdown(), this
+exhausts the kernel wq (kworkers) and triggers the hung task watchdog.
+
+[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
+[ 240.123489] Call Trace:
+[ 240.123501] smc_shutdown+...
+[ 240.123512] lock_sock_nested+...
+
+This patch moves the user-space copy outside the lock_sock() critical
+section to prevent the issue.
+
+Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")
+Signed-off-by: Nicolò Coccia <n.coccia96@gmail.com>
+Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
+Tested-by: Dust Li <dust.li@linux.alibaba.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/af_smc.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -3060,18 +3060,17 @@ static int __smc_setsockopt(struct socke
+
+ smc = smc_sk(sk);
+
++ /* pre-fetch user data outside the lock */
++ if (optname == SMC_LIMIT_HS) {
++ if (optlen < sizeof(int))
++ return -EINVAL;
++ if (copy_from_sockptr(&val, optval, sizeof(int)))
++ return -EFAULT;
++ }
++
+ lock_sock(sk);
+ switch (optname) {
+ case SMC_LIMIT_HS:
+- if (optlen < sizeof(int)) {
+- rc = -EINVAL;
+- break;
+- }
+- if (copy_from_sockptr(&val, optval, sizeof(int))) {
+- rc = -EFAULT;
+- break;
+- }
+-
+ smc->limit_smc_hs = !!val;
+ rc = 0;
+ break;
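Review bot: The pre-fetch block tests `optname == SMC_LIMIT_HS` outside the lock and the switch tests it again inside, so the rule that user memory is never read under lock_sock() now depends on two places staying in sync. A future case that calls copy_from_sockptr() inside the switch would reintroduce the blocked-while-locked condition the description reports. I would extend the comment to state the invariant, e.g. `/* Pre-fetch user data outside the lock: copy_from_sockptr() may block on a page fault, so optval must not be read after lock_sock(). */`. The early `return -EINVAL` and `return -EFAULT` paths are correct only because they run before lock_sock(), which is worth keeping in mind if the block is ever moved. __smc_setsockopt starts and ends outside the hunk.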
arm-fix-branch-predictor-hardening.patch
net-phy-micrel-fix-lan8814-qsgmii-soft-reset.patch
wifi-remove-zero-length-arrays.patch
+i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch
+ipv6-mcast-fix-use-after-free-when-processing-mld-queries.patch
+net-smc-fix-sleep-inside-lock-in-__smc_setsockopt-causing-local-dos.patch