+++ /dev/null
-From a0005d47f58bc6f93e86a11077474ff6486760e2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 16 Mar 2026 20:49:56 +0530
-Subject: kernel/fork: validate exit_signal in kernel_clone()
-
-From: Deepanshu Kartikey <kartikey406@gmail.com>
-
-[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ]
-
-When a child process exits, it sends exit_signal to its parent via
-do_notify_parent(). The clone() syscall constructs exit_signal as:
-
-(lower_32_bits(clone_flags) & CSIGNAL)
-
-CSIGNAL is 0xff, so values in the range 65-255 are possible. However,
-valid_signal() only accepts signals up to _NSIG (64 on x86_64). A
-non-zero non-valid exit_signal acts the same as exit_signal == 0: the
-parent process is not signaled when the child terminates.
-
-The syzkaller reproducer triggers this by calling clone() with flags=0x80,
-resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and
-is not a valid signal.
-
-The v1 of this patch added the check only in the clone() syscall handler,
-which is incomplete. kernel_clone() has other callers such as
-sys_ia32_clone() which would remain unprotected. Move the check to
-kernel_clone() to cover all callers.
-
-Since the valid_signal() check is now in kernel_clone() and covers all
-callers including clone3(), the same check in copy_clone_args_from_user()
-becomes redundant and is removed. The higher 32bits check for clone3() is
-kept as it is clone3() specific.
-
-Note that this is a user-visible change: previously, passing an invalid
-exit_signal to clone() was silently accepted. The man page for clone()
-does not document any defined behavior for invalid exit_signal values, so
-rejecting them with -EINVAL is the correct behavior. It is unlikely that
-any sane application relies on passing an invalid exit_signal.
-
-[oleg@redhat.com: the comment above kernel_clone() should be updated]
- Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com
-Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com
-Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features")
-Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
-Signed-off-by: Oleg Nesterov <oleg@redhat.com>
-Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
-Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1]
-Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2]
-Acked-by: Oleg Nesterov <oleg@redhat.com>
-Acked-by: Michal Hocko <mhocko@suse.com>
-Cc: Ben Segall <bsegall@google.com>
-Cc: Christian Brauner <brauner@kernel.org>
-Cc: David Hildenbrand <david@kernel.org>
-Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Juri Lelli <juri.lelli@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Cc: Liam Howlett <liam@infradead.org>
-Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
-Cc: Mel Gorman <mgorman@suse.de>
-Cc: Mike Rapoport <rppt@kernel.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Steven Rostedt <rostedt@goodmis.org>
-Cc: Suren Baghdasaryan <surenb@google.com>
-Cc: Valentin Schneider <vschneid@redhat.com>
-Cc: Vincent Guittot <vincent.guittot@linaro.org>
-Cc: Vlastimil Babka <vbabka@kernel.org>
-Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/fork.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/kernel/fork.c b/kernel/fork.c
-index 531de2d1b3bfeb..d35416380c6344 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -2535,8 +2535,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node)
- *
- * It copies the process, and if successful kick-starts
- * it and waits for it to finish using the VM if required.
-- *
-- * args->exit_signal is expected to be checked for sanity by the caller.
- */
- pid_t kernel_clone(struct kernel_clone_args *args)
- {
-@@ -2561,6 +2559,9 @@ pid_t kernel_clone(struct kernel_clone_args *args)
- (args->pidfd == args->parent_tid))
- return -EINVAL;
-
-+ if (!valid_signal(args->exit_signal))
-+ return -EINVAL;
-+
- /*
- * Determine whether and which event to report to ptracer. When
- * called from kernel_thread or CLONE_UNTRACED is explicitly
-@@ -2737,11 +2738,9 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
- return -EINVAL;
-
- /*
-- * Verify that higher 32bits of exit_signal are unset and that
-- * it is a valid signal
-+ * Verify that higher 32bits of exit_signal are unset
- */
-- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
-- !valid_signal(args.exit_signal)))
-+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL)))
- return -EINVAL;
-
- if ((args.flags & CLONE_INTO_CGROUP) &&
---
-2.53.0
-
nfc-llcp-fix-use-after-free-race-in-nfc_llcp_recv_cc.patch
xfrm-check-for-underflow-in-xfrm_state_mtu.patch
nfc-nxp-nci-i2c-use-rising-edge-irq-on-acpi-systems.patch
-kernel-fork-validate-exit_signal-in-kernel_clone.patch
netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch
netfilter-xt_cpu-prefer-raw_smp_processor_id.patch
netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch
+++ /dev/null
-From a672b7dc40692524e3cd2127ccf43f1bb8109361 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 16 Mar 2026 20:49:56 +0530
-Subject: kernel/fork: validate exit_signal in kernel_clone()
-
-From: Deepanshu Kartikey <kartikey406@gmail.com>
-
-[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ]
-
-When a child process exits, it sends exit_signal to its parent via
-do_notify_parent(). The clone() syscall constructs exit_signal as:
-
-(lower_32_bits(clone_flags) & CSIGNAL)
-
-CSIGNAL is 0xff, so values in the range 65-255 are possible. However,
-valid_signal() only accepts signals up to _NSIG (64 on x86_64). A
-non-zero non-valid exit_signal acts the same as exit_signal == 0: the
-parent process is not signaled when the child terminates.
-
-The syzkaller reproducer triggers this by calling clone() with flags=0x80,
-resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and
-is not a valid signal.
-
-The v1 of this patch added the check only in the clone() syscall handler,
-which is incomplete. kernel_clone() has other callers such as
-sys_ia32_clone() which would remain unprotected. Move the check to
-kernel_clone() to cover all callers.
-
-Since the valid_signal() check is now in kernel_clone() and covers all
-callers including clone3(), the same check in copy_clone_args_from_user()
-becomes redundant and is removed. The higher 32bits check for clone3() is
-kept as it is clone3() specific.
-
-Note that this is a user-visible change: previously, passing an invalid
-exit_signal to clone() was silently accepted. The man page for clone()
-does not document any defined behavior for invalid exit_signal values, so
-rejecting them with -EINVAL is the correct behavior. It is unlikely that
-any sane application relies on passing an invalid exit_signal.
-
-[oleg@redhat.com: the comment above kernel_clone() should be updated]
- Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com
-Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com
-Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features")
-Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
-Signed-off-by: Oleg Nesterov <oleg@redhat.com>
-Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
-Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1]
-Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2]
-Acked-by: Oleg Nesterov <oleg@redhat.com>
-Acked-by: Michal Hocko <mhocko@suse.com>
-Cc: Ben Segall <bsegall@google.com>
-Cc: Christian Brauner <brauner@kernel.org>
-Cc: David Hildenbrand <david@kernel.org>
-Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Juri Lelli <juri.lelli@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Cc: Liam Howlett <liam@infradead.org>
-Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
-Cc: Mel Gorman <mgorman@suse.de>
-Cc: Mike Rapoport <rppt@kernel.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Steven Rostedt <rostedt@goodmis.org>
-Cc: Suren Baghdasaryan <surenb@google.com>
-Cc: Valentin Schneider <vschneid@redhat.com>
-Cc: Vincent Guittot <vincent.guittot@linaro.org>
-Cc: Vlastimil Babka <vbabka@kernel.org>
-Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/fork.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/kernel/fork.c b/kernel/fork.c
-index eb772b1e819f2f..faf9d68fae3029 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -2632,8 +2632,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node)
- *
- * It copies the process, and if successful kick-starts
- * it and waits for it to finish using the VM if required.
-- *
-- * args->exit_signal is expected to be checked for sanity by the caller.
- */
- pid_t kernel_clone(struct kernel_clone_args *args)
- {
-@@ -2658,6 +2656,9 @@ pid_t kernel_clone(struct kernel_clone_args *args)
- (args->pidfd == args->parent_tid))
- return -EINVAL;
-
-+ if (!valid_signal(args->exit_signal))
-+ return -EINVAL;
-+
- /*
- * Determine whether and which event to report to ptracer. When
- * called from kernel_thread or CLONE_UNTRACED is explicitly
-@@ -2834,11 +2835,9 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
- return -EINVAL;
-
- /*
-- * Verify that higher 32bits of exit_signal are unset and that
-- * it is a valid signal
-+ * Verify that higher 32bits of exit_signal are unset
- */
-- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
-- !valid_signal(args.exit_signal)))
-+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL)))
- return -EINVAL;
-
- if ((args.flags & CLONE_INTO_CGROUP) &&
---
-2.53.0
-
nfc-llcp-fix-use-after-free-race-in-nfc_llcp_recv_cc.patch
xfrm-check-for-underflow-in-xfrm_state_mtu.patch
nfc-nxp-nci-i2c-use-rising-edge-irq-on-acpi-systems.patch
-kernel-fork-validate-exit_signal-in-kernel_clone.patch
netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch
netfilter-xt_cpu-prefer-raw_smp_processor_id.patch
netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch
+++ /dev/null
-From b8ed18def3adb8737a3547e5363196f58fd7c05e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 16 Mar 2026 20:49:56 +0530
-Subject: kernel/fork: validate exit_signal in kernel_clone()
-
-From: Deepanshu Kartikey <kartikey406@gmail.com>
-
-[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ]
-
-When a child process exits, it sends exit_signal to its parent via
-do_notify_parent(). The clone() syscall constructs exit_signal as:
-
-(lower_32_bits(clone_flags) & CSIGNAL)
-
-CSIGNAL is 0xff, so values in the range 65-255 are possible. However,
-valid_signal() only accepts signals up to _NSIG (64 on x86_64). A
-non-zero non-valid exit_signal acts the same as exit_signal == 0: the
-parent process is not signaled when the child terminates.
-
-The syzkaller reproducer triggers this by calling clone() with flags=0x80,
-resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and
-is not a valid signal.
-
-The v1 of this patch added the check only in the clone() syscall handler,
-which is incomplete. kernel_clone() has other callers such as
-sys_ia32_clone() which would remain unprotected. Move the check to
-kernel_clone() to cover all callers.
-
-Since the valid_signal() check is now in kernel_clone() and covers all
-callers including clone3(), the same check in copy_clone_args_from_user()
-becomes redundant and is removed. The higher 32bits check for clone3() is
-kept as it is clone3() specific.
-
-Note that this is a user-visible change: previously, passing an invalid
-exit_signal to clone() was silently accepted. The man page for clone()
-does not document any defined behavior for invalid exit_signal values, so
-rejecting them with -EINVAL is the correct behavior. It is unlikely that
-any sane application relies on passing an invalid exit_signal.
-
-[oleg@redhat.com: the comment above kernel_clone() should be updated]
- Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com
-Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com
-Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features")
-Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
-Signed-off-by: Oleg Nesterov <oleg@redhat.com>
-Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
-Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1]
-Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2]
-Acked-by: Oleg Nesterov <oleg@redhat.com>
-Acked-by: Michal Hocko <mhocko@suse.com>
-Cc: Ben Segall <bsegall@google.com>
-Cc: Christian Brauner <brauner@kernel.org>
-Cc: David Hildenbrand <david@kernel.org>
-Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Juri Lelli <juri.lelli@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Cc: Liam Howlett <liam@infradead.org>
-Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
-Cc: Mel Gorman <mgorman@suse.de>
-Cc: Mike Rapoport <rppt@kernel.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Steven Rostedt <rostedt@goodmis.org>
-Cc: Suren Baghdasaryan <surenb@google.com>
-Cc: Valentin Schneider <vschneid@redhat.com>
-Cc: Vincent Guittot <vincent.guittot@linaro.org>
-Cc: Vlastimil Babka <vbabka@kernel.org>
-Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/fork.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/kernel/fork.c b/kernel/fork.c
-index db2a9016f636f4..9931ee7e1dfa4a 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -2717,8 +2717,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node)
- *
- * It copies the process, and if successful kick-starts
- * it and waits for it to finish using the VM if required.
-- *
-- * args->exit_signal is expected to be checked for sanity by the caller.
- */
- pid_t kernel_clone(struct kernel_clone_args *args)
- {
-@@ -2743,6 +2741,9 @@ pid_t kernel_clone(struct kernel_clone_args *args)
- (args->pidfd == args->parent_tid))
- return -EINVAL;
-
-+ if (!valid_signal(args->exit_signal))
-+ return -EINVAL;
-+
- /*
- * Determine whether and which event to report to ptracer. When
- * called from kernel_thread or CLONE_UNTRACED is explicitly
-@@ -2943,11 +2944,9 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
- return -EINVAL;
-
- /*
-- * Verify that higher 32bits of exit_signal are unset and that
-- * it is a valid signal
-+ * Verify that higher 32bits of exit_signal are unset
- */
-- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
-- !valid_signal(args.exit_signal)))
-+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL)))
- return -EINVAL;
-
- if ((args.flags & CLONE_INTO_CGROUP) &&
---
-2.53.0
-
nfc-nxp-nci-i2c-use-rising-edge-irq-on-acpi-systems.patch
tools-bootconfig-cleanup-bootconfig-footer-size-calc.patch
tools-bootconfig-fix-buf-leaks-in-apply_xbc.patch
-kernel-fork-validate-exit_signal-in-kernel_clone.patch
netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch
netfilter-xt_cpu-prefer-raw_smp_processor_id.patch
netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch
+++ /dev/null
-From a82d548757479b3ca17d9a83621823a9b630a9c5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 16 Mar 2026 20:49:56 +0530
-Subject: kernel/fork: validate exit_signal in kernel_clone()
-
-From: Deepanshu Kartikey <kartikey406@gmail.com>
-
-[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ]
-
-When a child process exits, it sends exit_signal to its parent via
-do_notify_parent(). The clone() syscall constructs exit_signal as:
-
-(lower_32_bits(clone_flags) & CSIGNAL)
-
-CSIGNAL is 0xff, so values in the range 65-255 are possible. However,
-valid_signal() only accepts signals up to _NSIG (64 on x86_64). A
-non-zero non-valid exit_signal acts the same as exit_signal == 0: the
-parent process is not signaled when the child terminates.
-
-The syzkaller reproducer triggers this by calling clone() with flags=0x80,
-resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and
-is not a valid signal.
-
-The v1 of this patch added the check only in the clone() syscall handler,
-which is incomplete. kernel_clone() has other callers such as
-sys_ia32_clone() which would remain unprotected. Move the check to
-kernel_clone() to cover all callers.
-
-Since the valid_signal() check is now in kernel_clone() and covers all
-callers including clone3(), the same check in copy_clone_args_from_user()
-becomes redundant and is removed. The higher 32bits check for clone3() is
-kept as it is clone3() specific.
-
-Note that this is a user-visible change: previously, passing an invalid
-exit_signal to clone() was silently accepted. The man page for clone()
-does not document any defined behavior for invalid exit_signal values, so
-rejecting them with -EINVAL is the correct behavior. It is unlikely that
-any sane application relies on passing an invalid exit_signal.
-
-[oleg@redhat.com: the comment above kernel_clone() should be updated]
- Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com
-Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com
-Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features")
-Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
-Signed-off-by: Oleg Nesterov <oleg@redhat.com>
-Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
-Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1]
-Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2]
-Acked-by: Oleg Nesterov <oleg@redhat.com>
-Acked-by: Michal Hocko <mhocko@suse.com>
-Cc: Ben Segall <bsegall@google.com>
-Cc: Christian Brauner <brauner@kernel.org>
-Cc: David Hildenbrand <david@kernel.org>
-Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Juri Lelli <juri.lelli@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Cc: Liam Howlett <liam@infradead.org>
-Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
-Cc: Mel Gorman <mgorman@suse.de>
-Cc: Mike Rapoport <rppt@kernel.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Steven Rostedt <rostedt@goodmis.org>
-Cc: Suren Baghdasaryan <surenb@google.com>
-Cc: Valentin Schneider <vschneid@redhat.com>
-Cc: Vincent Guittot <vincent.guittot@linaro.org>
-Cc: Vlastimil Babka <vbabka@kernel.org>
-Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/fork.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/kernel/fork.c b/kernel/fork.c
-index c4955cffcb6f4e..1f306743832b3e 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -2773,8 +2773,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node)
- *
- * It copies the process, and if successful kick-starts
- * it and waits for it to finish using the VM if required.
-- *
-- * args->exit_signal is expected to be checked for sanity by the caller.
- */
- pid_t kernel_clone(struct kernel_clone_args *args)
- {
-@@ -2799,6 +2797,9 @@ pid_t kernel_clone(struct kernel_clone_args *args)
- (args->pidfd == args->parent_tid))
- return -EINVAL;
-
-+ if (!valid_signal(args->exit_signal))
-+ return -EINVAL;
-+
- /*
- * Determine whether and which event to report to ptracer. When
- * called from kernel_thread or CLONE_UNTRACED is explicitly
-@@ -2999,11 +3000,9 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
- return -EINVAL;
-
- /*
-- * Verify that higher 32bits of exit_signal are unset and that
-- * it is a valid signal
-+ * Verify that higher 32bits of exit_signal are unset
- */
-- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
-- !valid_signal(args.exit_signal)))
-+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL)))
- return -EINVAL;
-
- if ((args.flags & CLONE_INTO_CGROUP) &&
---
-2.53.0
-
xfrm-check-for-underflow-in-xfrm_state_mtu.patch
nfc-nxp-nci-i2c-use-rising-edge-irq-on-acpi-systems.patch
kunit-fix-use-after-free-in-debugfs-when-using-kunit.patch
-kernel-fork-validate-exit_signal-in-kernel_clone.patch
netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch
netfilter-xt_cpu-prefer-raw_smp_processor_id.patch
netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch
+++ /dev/null
-From 2eae90a457baa0048a96ed38ad93090ee38c8b2f Mon Sep 17 00:00:00 2001
-From: Hongling Zeng <zenghongling@kylinos.cn>
-Date: Mon, 18 May 2026 10:29:39 +0800
-Subject: gpib: cb7210: Fix region leak when request_irq fails
-
-From: Hongling Zeng <zenghongling@kylinos.cn>
-
-commit 2eae90a457baa0048a96ed38ad93090ee38c8b2f upstream.
-
-When request_irq() fails, the region allocated by request_region()
-is not released. Fix this by adding an error handling path with
-proper goto labels to release the region.
-
-Fixes: e9dc69956d4d ("staging: gpib: Add Computer Boards GPIB driver")
-Closes: https://lore.kernel.org/oe-kbuild-all/202605160620.ReBOadPX-lkp@intel.com/
-Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
-Cc: stable <stable@kernel.org>
-Link: https://patch.msgid.link/20260518022939.16881-1-zenghongling@kylinos.cn
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/staging/gpib/cb7210/cb7210.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
---- a/drivers/staging/gpib/cb7210/cb7210.c
-+++ b/drivers/staging/gpib/cb7210/cb7210.c
-@@ -1048,7 +1048,8 @@ static int cb_isa_attach(struct gpib_boa
- if (!request_region(config->ibbase, cb7210_iosize, DRV_NAME)) {
- dev_err(board->gpib_dev, "ioports starting at 0x%x are already in use\n",
- config->ibbase);
-- return -EBUSY;
-+ retval = -EBUSY;
-+ goto err_release_region;
- }
- nec_priv->iobase = config->ibbase;
- cb_priv->fifo_iobase = nec7210_iobase(cb_priv);
-@@ -1061,11 +1062,16 @@ static int cb_isa_attach(struct gpib_boa
- // install interrupt handler
- if (request_irq(config->ibirq, cb7210_interrupt, isr_flags, DRV_NAME, board)) {
- dev_err(board->gpib_dev, "failed to obtain IRQ %d\n", config->ibirq);
-- return -EBUSY;
-+ retval = -EBUSY;
-+ goto err_release_region;
- }
- cb_priv->irq = config->ibirq;
-
- return cb7210_init(cb_priv, board);
-+
-+err_release_region:
-+ release_region(nec7210_iobase(cb_priv), cb7210_iosize);
-+ return retval;
- }
-
- static void cb_isa_detach(struct gpib_board *board)
+++ /dev/null
-From fcca61d3635730759712bd3d6b18c31021219c96 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 16 Mar 2026 20:49:56 +0530
-Subject: kernel/fork: validate exit_signal in kernel_clone()
-
-From: Deepanshu Kartikey <kartikey406@gmail.com>
-
-[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ]
-
-When a child process exits, it sends exit_signal to its parent via
-do_notify_parent(). The clone() syscall constructs exit_signal as:
-
-(lower_32_bits(clone_flags) & CSIGNAL)
-
-CSIGNAL is 0xff, so values in the range 65-255 are possible. However,
-valid_signal() only accepts signals up to _NSIG (64 on x86_64). A
-non-zero non-valid exit_signal acts the same as exit_signal == 0: the
-parent process is not signaled when the child terminates.
-
-The syzkaller reproducer triggers this by calling clone() with flags=0x80,
-resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and
-is not a valid signal.
-
-The v1 of this patch added the check only in the clone() syscall handler,
-which is incomplete. kernel_clone() has other callers such as
-sys_ia32_clone() which would remain unprotected. Move the check to
-kernel_clone() to cover all callers.
-
-Since the valid_signal() check is now in kernel_clone() and covers all
-callers including clone3(), the same check in copy_clone_args_from_user()
-becomes redundant and is removed. The higher 32bits check for clone3() is
-kept as it is clone3() specific.
-
-Note that this is a user-visible change: previously, passing an invalid
-exit_signal to clone() was silently accepted. The man page for clone()
-does not document any defined behavior for invalid exit_signal values, so
-rejecting them with -EINVAL is the correct behavior. It is unlikely that
-any sane application relies on passing an invalid exit_signal.
-
-[oleg@redhat.com: the comment above kernel_clone() should be updated]
- Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com
-Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com
-Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features")
-Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
-Signed-off-by: Oleg Nesterov <oleg@redhat.com>
-Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
-Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1]
-Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2]
-Acked-by: Oleg Nesterov <oleg@redhat.com>
-Acked-by: Michal Hocko <mhocko@suse.com>
-Cc: Ben Segall <bsegall@google.com>
-Cc: Christian Brauner <brauner@kernel.org>
-Cc: David Hildenbrand <david@kernel.org>
-Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Juri Lelli <juri.lelli@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Cc: Liam Howlett <liam@infradead.org>
-Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
-Cc: Mel Gorman <mgorman@suse.de>
-Cc: Mike Rapoport <rppt@kernel.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Steven Rostedt <rostedt@goodmis.org>
-Cc: Suren Baghdasaryan <surenb@google.com>
-Cc: Valentin Schneider <vschneid@redhat.com>
-Cc: Vincent Guittot <vincent.guittot@linaro.org>
-Cc: Vlastimil Babka <vbabka@kernel.org>
-Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/fork.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/kernel/fork.c b/kernel/fork.c
-index 1215d3f52c6d21..521e9d2be6f097 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -2562,8 +2562,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node)
- *
- * It copies the process, and if successful kick-starts
- * it and waits for it to finish using the VM if required.
-- *
-- * args->exit_signal is expected to be checked for sanity by the caller.
- */
- pid_t kernel_clone(struct kernel_clone_args *args)
- {
-@@ -2588,6 +2586,9 @@ pid_t kernel_clone(struct kernel_clone_args *args)
- (args->pidfd == args->parent_tid))
- return -EINVAL;
-
-+ if (!valid_signal(args->exit_signal))
-+ return -EINVAL;
-+
- /*
- * Determine whether and which event to report to ptracer. When
- * called from kernel_thread or CLONE_UNTRACED is explicitly
-@@ -2786,11 +2787,9 @@ static noinline int copy_clone_args_from_user(struct kernel_clone_args *kargs,
- return -EINVAL;
-
- /*
-- * Verify that higher 32bits of exit_signal are unset and that
-- * it is a valid signal
-+ * Verify that higher 32bits of exit_signal are unset
- */
-- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
-- !valid_signal(args.exit_signal)))
-+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL)))
- return -EINVAL;
-
- if ((args.flags & CLONE_INTO_CGROUP) &&
---
-2.53.0
-
+++ /dev/null
-From 83726330748981372bde86ed5411d7b306612991 Mon Sep 17 00:00:00 2001
-From: Mark Brown <broonie@kernel.org>
-Date: Fri, 29 May 2026 00:01:44 +0100
-Subject: KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor
-
-From: Mark Brown <broonie@kernel.org>
-
-commit 83726330748981372bde86ed5411d7b306612991 upstream.
-
-ZCR_EL2 can be updated by a VHE guest hypervisor either using ZCR_EL2
-(which traps) or ZCR_EL1 (which does not trap). KVM handles both in
-different way:
-
-- on ZCR_EL2 trap, ZCR_EL2.LEN is immediately capped at the VM's own
- VL limit. This has the potential to break existing SW that relies
- on the full LEN field to be stateful.
-
-- on ZCR_EL1 access, we do absolutely nothing.
-
-On restoring the SVE context for an L2 guest, we directly restore the
-guest hypervisor's view of ZCR_EL2 into the physical ZCR_EL2. If the
-guest's view of the register was updated using the ZCR_EL2 accessor,
-the value has already been sanitised (with the caveat mentioned above).
-
-But if the guest used ZCR_EL1, the raw value is written into the HW,
-and the L2 guest can now access VLs that it shouldn't.
-
-Fix all the above by moving the VL capping to the restore points,
-ensuring that:
-
-- the HW is always programmed with a capped value, irrespective of
- the accessor being used,
-
-- the ZCR_EL2.LEN field is always completely stateful, irrespective
- of the accessor being used.
-
-Additionally, move ZCR_EL2 to be a sanitised register, ensuring that
-only the LEN field is actually stateful. This requires some creative
-construction of the RES0 mask, as the sysreg generation script does
-not yet generate RAZ/WI fields.
-
-Fixes: b3d29a823099 ("KVM: arm64: nv: Handle ZCR_EL2 traps")
-Signed-off-by: Mark Brown <broonie@kernel.org>
-Cc: stable@vger.kernel.org
-Link: https://patch.msgid.link/20260529-kvm-arm64-fix-zcr-len-nv-v2-1-86cad51992bd@kernel.org
-[maz: rewrote commit message, tidy up access_zcr_el2()]
-Signed-off-by: Marc Zyngier <maz@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm64/include/asm/kvm_host.h | 2 +-
- arch/arm64/kvm/hyp/include/hyp/switch.h | 16 ++++++++++------
- arch/arm64/kvm/nested.c | 5 +++++
- arch/arm64/kvm/sys_regs.c | 11 +++--------
- 4 files changed, 19 insertions(+), 15 deletions(-)
-
---- a/arch/arm64/include/asm/kvm_host.h
-+++ b/arch/arm64/include/asm/kvm_host.h
-@@ -496,7 +496,6 @@ enum vcpu_sysreg {
- ACTLR_EL2, /* Auxiliary Control Register (EL2) */
- CPTR_EL2, /* Architectural Feature Trap Register (EL2) */
- HACR_EL2, /* Hypervisor Auxiliary Control Register */
-- ZCR_EL2, /* SVE Control Register (EL2) */
- TTBR0_EL2, /* Translation Table Base Register 0 (EL2) */
- TTBR1_EL2, /* Translation Table Base Register 1 (EL2) */
- TCR_EL2, /* Translation Control Register (EL2) */
-@@ -527,6 +526,7 @@ enum vcpu_sysreg {
- SCTLR2_EL2, /* System Control Register 2 (EL2) */
- MDCR_EL2, /* Monitor Debug Configuration Register (EL2) */
- CNTHCTL_EL2, /* Counter-timer Hypervisor Control register */
-+ ZCR_EL2, /* SVE Control Register (EL2) */
-
- /* Any VNCR-capable reg goes after this point */
- MARKER(__VNCR_START__),
---- a/arch/arm64/kvm/hyp/include/hyp/switch.h
-+++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
-@@ -433,11 +433,13 @@ static inline bool kvm_hyp_handle_mops(s
-
- static inline void __hyp_sve_restore_guest(struct kvm_vcpu *vcpu)
- {
-+ u64 zcr_el2 = vcpu_sve_max_vq(vcpu) - 1;
-+
- /*
- * The vCPU's saved SVE state layout always matches the max VL of the
- * vCPU. Start off with the max VL so we can load the SVE state.
- */
-- sve_cond_update_zcr_vq(vcpu_sve_max_vq(vcpu) - 1, SYS_ZCR_EL2);
-+ sve_cond_update_zcr_vq(zcr_el2, SYS_ZCR_EL2);
- __sve_restore_state(vcpu_sve_pffr(vcpu),
- &vcpu->arch.ctxt.fp_regs.fpsr,
- true);
-@@ -447,8 +449,10 @@ static inline void __hyp_sve_restore_gue
- * nested guest, as the guest hypervisor could select a smaller VL. Slap
- * that into hardware before wrapping up.
- */
-- if (is_nested_ctxt(vcpu))
-- sve_cond_update_zcr_vq(__vcpu_sys_reg(vcpu, ZCR_EL2), SYS_ZCR_EL2);
-+ if (is_nested_ctxt(vcpu)) {
-+ zcr_el2 = min(zcr_el2, __vcpu_sys_reg(vcpu, ZCR_EL2));
-+ sve_cond_update_zcr_vq(zcr_el2, SYS_ZCR_EL2);
-+ }
-
- write_sysreg_el1(__vcpu_sys_reg(vcpu, vcpu_sve_zcr_elx(vcpu)), SYS_ZCR);
- }
-@@ -472,11 +476,11 @@ static inline void fpsimd_lazy_switch_to
- return;
-
- if (vcpu_has_sve(vcpu)) {
-+ zcr_el2 = vcpu_sve_max_vq(vcpu) - 1;
-+
- /* A guest hypervisor may restrict the effective max VL. */
- if (is_nested_ctxt(vcpu))
-- zcr_el2 = __vcpu_sys_reg(vcpu, ZCR_EL2);
-- else
-- zcr_el2 = vcpu_sve_max_vq(vcpu) - 1;
-+ zcr_el2 = min(zcr_el2, __vcpu_sys_reg(vcpu, ZCR_EL2));
-
- write_sysreg_el2(zcr_el2, SYS_ZCR);
-
---- a/arch/arm64/kvm/nested.c
-+++ b/arch/arm64/kvm/nested.c
-@@ -1772,6 +1772,11 @@ int kvm_init_nv_sysregs(struct kvm_vcpu
- /* VNCR_EL2 */
- set_sysreg_masks(kvm, VNCR_EL2, VNCR_EL2_RES0, VNCR_EL2_RES1);
-
-+ /* ZCR_EL2 - bits 8:4 are RAZ/WI so treat them as RES0 */
-+ resx.res0 = ZCR_ELx_RES0 | GENMASK_ULL(8, 4);
-+ resx.res1 = ZCR_ELx_RES1;
-+ set_sysreg_masks(kvm, ZCR_EL2, resx);
-+
- out:
- for (enum vcpu_sysreg sr = __SANITISED_REG_START__; sr < NR_SYS_REGS; sr++)
- __vcpu_rmw_sys_reg(vcpu, sr, |=, 0);
---- a/arch/arm64/kvm/sys_regs.c
-+++ b/arch/arm64/kvm/sys_regs.c
-@@ -2749,21 +2749,16 @@ static bool access_zcr_el2(struct kvm_vc
- struct sys_reg_params *p,
- const struct sys_reg_desc *r)
- {
-- unsigned int vq;
--
- if (guest_hyp_sve_traps_enabled(vcpu)) {
- kvm_inject_nested_sve_trap(vcpu);
- return false;
- }
-
-- if (!p->is_write) {
-+ if (!p->is_write)
- p->regval = __vcpu_sys_reg(vcpu, ZCR_EL2);
-- return true;
-- }
-+ else
-+ __vcpu_assign_sys_reg(vcpu, ZCR_EL2, p->regval);
-
-- vq = SYS_FIELD_GET(ZCR_ELx, LEN, p->regval) + 1;
-- vq = min(vq, vcpu_sve_max_vq(vcpu));
-- __vcpu_assign_sys_reg(vcpu, ZCR_EL2, vq - 1);
- return true;
- }
-
hid-remove-duplicate-hid_warn_ratelimited-definition.patch
kunit-fix-use-after-free-in-debugfs-when-using-kunit.patch
accel-rocket-fix-uaf-via-dangling-gem-handle-in-crea.patch
-kernel-fork-validate-exit_signal-in-kernel_clone.patch
netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch
netfilter-xt_cpu-prefer-raw_smp_processor_id.patch
netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch
rust_binder-avoid-holding-lock-when-dropping-delivered_death.patch
rust_binder-avoid-calling-pending_oneway_finished-on-tf_update_txn.patch
usb-cdc-acm-fix-bit-overlap-and-move-quirk-definitions-to-header.patch
-kvm-arm64-correctly-cap-zcr_el2-provided-by-a-guest-hypervisor.patch
kvm-arm64-pmu-preserve-aarch32-counter-low-bits.patch
kvm-svm-flush-the-current-tlb-when-transitioning-from-xavic-x2avic.patch
kvm-sev-require-in-ghcb-scratch-area-if-ghcb-v2-is-in-use.patch
misc-rp1-send-iack-on-irq-activate-to-fix-kdump-kexec.patch
input-atmel_mxt_ts-fix-boundary-check-in-mxt_prepare_cfg_mem.patch
input-synaptics-add-len2058-to-smbus-passlist-for-thinkpad-e490.patch
-gpib-cb7210-fix-region-leak-when-request_irq-fails.patch
comedi-comedi_test-fix-check-for-valid-scan_begin_src-in-waveform_ai_cmdtest.patch
comedi-comedi_test-fix-limiting-of-convert_arg-in-waveform_ai_cmdtest.patch
counter-fix-refcount-leak-in-counter_alloc-error-path.patch
+++ /dev/null
-From 36851a9ce229b214ca137515fd27a44d87e2f55a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 16 Mar 2026 20:49:56 +0530
-Subject: kernel/fork: validate exit_signal in kernel_clone()
-
-From: Deepanshu Kartikey <kartikey406@gmail.com>
-
-[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ]
-
-When a child process exits, it sends exit_signal to its parent via
-do_notify_parent(). The clone() syscall constructs exit_signal as:
-
-(lower_32_bits(clone_flags) & CSIGNAL)
-
-CSIGNAL is 0xff, so values in the range 65-255 are possible. However,
-valid_signal() only accepts signals up to _NSIG (64 on x86_64). A
-non-zero non-valid exit_signal acts the same as exit_signal == 0: the
-parent process is not signaled when the child terminates.
-
-The syzkaller reproducer triggers this by calling clone() with flags=0x80,
-resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and
-is not a valid signal.
-
-The v1 of this patch added the check only in the clone() syscall handler,
-which is incomplete. kernel_clone() has other callers such as
-sys_ia32_clone() which would remain unprotected. Move the check to
-kernel_clone() to cover all callers.
-
-Since the valid_signal() check is now in kernel_clone() and covers all
-callers including clone3(), the same check in copy_clone_args_from_user()
-becomes redundant and is removed. The higher 32bits check for clone3() is
-kept as it is clone3() specific.
-
-Note that this is a user-visible change: previously, passing an invalid
-exit_signal to clone() was silently accepted. The man page for clone()
-does not document any defined behavior for invalid exit_signal values, so
-rejecting them with -EINVAL is the correct behavior. It is unlikely that
-any sane application relies on passing an invalid exit_signal.
-
-[oleg@redhat.com: the comment above kernel_clone() should be updated]
- Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com
-Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com
-Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features")
-Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
-Signed-off-by: Oleg Nesterov <oleg@redhat.com>
-Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
-Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1]
-Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2]
-Acked-by: Oleg Nesterov <oleg@redhat.com>
-Acked-by: Michal Hocko <mhocko@suse.com>
-Cc: Ben Segall <bsegall@google.com>
-Cc: Christian Brauner <brauner@kernel.org>
-Cc: David Hildenbrand <david@kernel.org>
-Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Juri Lelli <juri.lelli@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Cc: Liam Howlett <liam@infradead.org>
-Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
-Cc: Mel Gorman <mgorman@suse.de>
-Cc: Mike Rapoport <rppt@kernel.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Steven Rostedt <rostedt@goodmis.org>
-Cc: Suren Baghdasaryan <surenb@google.com>
-Cc: Valentin Schneider <vschneid@redhat.com>
-Cc: Vincent Guittot <vincent.guittot@linaro.org>
-Cc: Vlastimil Babka <vbabka@kernel.org>
-Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/fork.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/kernel/fork.c b/kernel/fork.c
-index e280f02b6446ab..d68d40735a082a 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -2870,8 +2870,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node)
- *
- * It copies the process, and if successful kick-starts
- * it and waits for it to finish using the VM if required.
-- *
-- * args->exit_signal is expected to be checked for sanity by the caller.
- */
- pid_t kernel_clone(struct kernel_clone_args *args)
- {
-@@ -2896,6 +2894,9 @@ pid_t kernel_clone(struct kernel_clone_args *args)
- (args->pidfd == args->parent_tid))
- return -EINVAL;
-
-+ if (!valid_signal(args->exit_signal))
-+ return -EINVAL;
-+
- /*
- * Determine whether and which event to report to ptracer. When
- * called from kernel_thread or CLONE_UNTRACED is explicitly
-@@ -3098,11 +3099,9 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
- return -EINVAL;
-
- /*
-- * Verify that higher 32bits of exit_signal are unset and that
-- * it is a valid signal
-+ * Verify that higher 32bits of exit_signal are unset
- */
-- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
-- !valid_signal(args.exit_signal)))
-+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL)))
- return -EINVAL;
-
- if ((args.flags & CLONE_INTO_CGROUP) &&
---
-2.53.0
-
nfc-llcp-fix-use-after-free-race-in-nfc_llcp_recv_cc.patch
xfrm-check-for-underflow-in-xfrm_state_mtu.patch
nfc-nxp-nci-i2c-use-rising-edge-irq-on-acpi-systems.patch
-kernel-fork-validate-exit_signal-in-kernel_clone.patch
netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch
netfilter-xt_cpu-prefer-raw_smp_processor_id.patch
netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch
+++ /dev/null
-From e3d5ae76091ea58f31ca35eee643a7f009d535da Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 20 May 2026 09:27:17 +0200
-Subject: esp: fix page frag reference leak on skb_to_sgvec failure
-
-From: e521588 <alessandro.schino@sbb.ch>
-
-[ Upstream commit 2982e599fff6faa21c8df147d96fc7af6c1a2f24 ]
-
-In esp_output_tail(), when esp->inplace is false, the old skb page frags
-are replaced with a new page from the xfrm page_frag cache. The source
-scatterlist (sg) is built from the old frags before the replacement, and
-esp_ssg_unref() is responsible for releasing the old page references
-after the crypto operation completes.
-
-However, if the second skb_to_sgvec() call (which builds the destination
-scatterlist from the new page) fails, the code jumps to error_free which
-only calls kfree(tmp). The old page frag references captured in the
-source scatterlist are never released:
-
- 1. sg[] is built from old frags via skb_to_sgvec() (no extra get_page)
- 2. nr_frags is set to 1 and frag[0] is replaced with the new page
- 3. Second skb_to_sgvec() fails -> goto error_free
- 4. kfree(tmp) frees the sg[] memory but old frags are not unref'd
- 5. kfree_skb() only releases frag[0] (the new page), not the old ones
-
-Fix this by adding a bool parameter to esp_ssg_unref() that, when true,
-unconditionally unrefs the source scatterlist frags without checking
-req->src and req->dst, since those fields are not yet initialized by
-aead_request_set_crypt() at the point of the error. Existing callers
-pass false to preserve the original behavior.
-
-The same issue exists in both esp4 and esp6 as the code is identical.
-
-Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
-Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
-
-Signed-off-by: Alessandro Schino <7991aleschino@gmail.com>
-Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv4/esp4.c | 12 +++++++-----
- net/ipv6/esp6.c | 12 +++++++-----
- 2 files changed, 14 insertions(+), 10 deletions(-)
-
-diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
-index 6a5febbdbee493..8314d7bddcb715 100644
---- a/net/ipv4/esp4.c
-+++ b/net/ipv4/esp4.c
-@@ -96,7 +96,7 @@ static inline struct scatterlist *esp_req_sg(struct crypto_aead *aead,
- __alignof__(struct scatterlist));
- }
-
--static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb)
-+static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb, bool already_unref)
- {
- struct crypto_aead *aead = x->data;
- int extralen = 0;
-@@ -113,7 +113,7 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb)
- /* Unref skb_frag_pages in the src scatterlist if necessary.
- * Skip the first sg which comes from skb->data.
- */
-- if (req->src != req->dst)
-+ if (already_unref || req->src != req->dst)
- for (sg = sg_next(req->src); sg; sg = sg_next(sg))
- skb_page_unref(page_to_netmem(sg_page(sg)),
- skb->pp_recycle);
-@@ -220,7 +220,7 @@ static void esp_output_done(void *data, int err)
- }
-
- tmp = ESP_SKB_CB(skb)->tmp;
-- esp_ssg_unref(x, tmp, skb);
-+ esp_ssg_unref(x, tmp, skb, false);
- kfree(tmp);
-
- if (xo && (xo->flags & XFRM_DEV_RESUME)) {
-@@ -569,8 +569,10 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
- err = skb_to_sgvec(skb, dsg,
- (unsigned char *)esph - skb->data,
- assoclen + ivlen + esp->clen + alen);
-- if (unlikely(err < 0))
-+ if (unlikely(err < 0)) {
-+ esp_ssg_unref(x, tmp, skb, true);
- goto error_free;
-+ }
- }
-
- if ((x->props.flags & XFRM_STATE_ESN))
-@@ -602,7 +604,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
- }
-
- if (sg != dsg)
-- esp_ssg_unref(x, tmp, skb);
-+ esp_ssg_unref(x, tmp, skb, false);
-
- if (!err && x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)
- err = esp_output_tail_tcp(x, skb);
-diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
-index 9c06c5a1419dc4..9d0c4957ac6276 100644
---- a/net/ipv6/esp6.c
-+++ b/net/ipv6/esp6.c
-@@ -113,7 +113,7 @@ static inline struct scatterlist *esp_req_sg(struct crypto_aead *aead,
- __alignof__(struct scatterlist));
- }
-
--static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb)
-+static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb, bool already_unref)
- {
- struct crypto_aead *aead = x->data;
- int extralen = 0;
-@@ -130,7 +130,7 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb)
- /* Unref skb_frag_pages in the src scatterlist if necessary.
- * Skip the first sg which comes from skb->data.
- */
-- if (req->src != req->dst)
-+ if (already_unref || req->src != req->dst)
- for (sg = sg_next(req->src); sg; sg = sg_next(sg))
- skb_page_unref(page_to_netmem(sg_page(sg)),
- skb->pp_recycle);
-@@ -254,7 +254,7 @@ static void esp_output_done(void *data, int err)
- }
-
- tmp = ESP_SKB_CB(skb)->tmp;
-- esp_ssg_unref(x, tmp, skb);
-+ esp_ssg_unref(x, tmp, skb, false);
- kfree(tmp);
-
- esp_output_encap_csum(skb);
-@@ -600,8 +600,10 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
- err = skb_to_sgvec(skb, dsg,
- (unsigned char *)esph - skb->data,
- assoclen + ivlen + esp->clen + alen);
-- if (unlikely(err < 0))
-+ if (unlikely(err < 0)) {
-+ esp_ssg_unref(x, tmp, skb, true);
- goto error_free;
-+ }
- }
-
- if ((x->props.flags & XFRM_STATE_ESN))
-@@ -634,7 +636,7 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
- }
-
- if (sg != dsg)
-- esp_ssg_unref(x, tmp, skb);
-+ esp_ssg_unref(x, tmp, skb, false);
-
- if (!err && x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP)
- err = esp_output_tail_tcp(x, skb);
---
-2.53.0
-
+++ /dev/null
-From 2eae90a457baa0048a96ed38ad93090ee38c8b2f Mon Sep 17 00:00:00 2001
-From: Hongling Zeng <zenghongling@kylinos.cn>
-Date: Mon, 18 May 2026 10:29:39 +0800
-Subject: gpib: cb7210: Fix region leak when request_irq fails
-
-From: Hongling Zeng <zenghongling@kylinos.cn>
-
-commit 2eae90a457baa0048a96ed38ad93090ee38c8b2f upstream.
-
-When request_irq() fails, the region allocated by request_region()
-is not released. Fix this by adding an error handling path with
-proper goto labels to release the region.
-
-Fixes: e9dc69956d4d ("staging: gpib: Add Computer Boards GPIB driver")
-Closes: https://lore.kernel.org/oe-kbuild-all/202605160620.ReBOadPX-lkp@intel.com/
-Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
-Cc: stable <stable@kernel.org>
-Link: https://patch.msgid.link/20260518022939.16881-1-zenghongling@kylinos.cn
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpib/cb7210/cb7210.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
---- a/drivers/gpib/cb7210/cb7210.c
-+++ b/drivers/gpib/cb7210/cb7210.c
-@@ -1049,7 +1049,8 @@ static int cb_isa_attach(struct gpib_boa
- if (!request_region(config->ibbase, cb7210_iosize, DRV_NAME)) {
- dev_err(board->gpib_dev, "ioports starting at 0x%x are already in use\n",
- config->ibbase);
-- return -EBUSY;
-+ retval = -EBUSY;
-+ goto err_release_region;
- }
- nec_priv->iobase = config->ibbase;
- cb_priv->fifo_iobase = nec7210_iobase(cb_priv);
-@@ -1062,11 +1063,16 @@ static int cb_isa_attach(struct gpib_boa
- // install interrupt handler
- if (request_irq(config->ibirq, cb7210_interrupt, isr_flags, DRV_NAME, board)) {
- dev_err(board->gpib_dev, "failed to obtain IRQ %d\n", config->ibirq);
-- return -EBUSY;
-+ retval = -EBUSY;
-+ goto err_release_region;
- }
- cb_priv->irq = config->ibirq;
-
- return cb7210_init(cb_priv, board);
-+
-+err_release_region:
-+ release_region(nec7210_iobase(cb_priv), cb7210_iosize);
-+ return retval;
- }
-
- static void cb_isa_detach(struct gpib_board *board)
+++ /dev/null
-From 8e2042f9ba5741e337370a16551934b0f431b7b6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 16 Mar 2026 20:49:56 +0530
-Subject: kernel/fork: validate exit_signal in kernel_clone()
-
-From: Deepanshu Kartikey <kartikey406@gmail.com>
-
-[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ]
-
-When a child process exits, it sends exit_signal to its parent via
-do_notify_parent(). The clone() syscall constructs exit_signal as:
-
-(lower_32_bits(clone_flags) & CSIGNAL)
-
-CSIGNAL is 0xff, so values in the range 65-255 are possible. However,
-valid_signal() only accepts signals up to _NSIG (64 on x86_64). A
-non-zero non-valid exit_signal acts the same as exit_signal == 0: the
-parent process is not signaled when the child terminates.
-
-The syzkaller reproducer triggers this by calling clone() with flags=0x80,
-resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and
-is not a valid signal.
-
-The v1 of this patch added the check only in the clone() syscall handler,
-which is incomplete. kernel_clone() has other callers such as
-sys_ia32_clone() which would remain unprotected. Move the check to
-kernel_clone() to cover all callers.
-
-Since the valid_signal() check is now in kernel_clone() and covers all
-callers including clone3(), the same check in copy_clone_args_from_user()
-becomes redundant and is removed. The higher 32bits check for clone3() is
-kept as it is clone3() specific.
-
-Note that this is a user-visible change: previously, passing an invalid
-exit_signal to clone() was silently accepted. The man page for clone()
-does not document any defined behavior for invalid exit_signal values, so
-rejecting them with -EINVAL is the correct behavior. It is unlikely that
-any sane application relies on passing an invalid exit_signal.
-
-[oleg@redhat.com: the comment above kernel_clone() should be updated]
- Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com
-Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com
-Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features")
-Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
-Signed-off-by: Oleg Nesterov <oleg@redhat.com>
-Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de
-Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com
-Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1]
-Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2]
-Acked-by: Oleg Nesterov <oleg@redhat.com>
-Acked-by: Michal Hocko <mhocko@suse.com>
-Cc: Ben Segall <bsegall@google.com>
-Cc: Christian Brauner <brauner@kernel.org>
-Cc: David Hildenbrand <david@kernel.org>
-Cc: Dietmar Eggemann <dietmar.eggemann@arm.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Juri Lelli <juri.lelli@redhat.com>
-Cc: Kees Cook <kees@kernel.org>
-Cc: Liam Howlett <liam@infradead.org>
-Cc: Lorenzo Stoakes (Oracle) <ljs@kernel.org>
-Cc: Mel Gorman <mgorman@suse.de>
-Cc: Mike Rapoport <rppt@kernel.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Steven Rostedt <rostedt@goodmis.org>
-Cc: Suren Baghdasaryan <surenb@google.com>
-Cc: Valentin Schneider <vschneid@redhat.com>
-Cc: Vincent Guittot <vincent.guittot@linaro.org>
-Cc: Vlastimil Babka <vbabka@kernel.org>
-Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/fork.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/kernel/fork.c b/kernel/fork.c
-index 73622ad0665a07..bcde8e2843fb97 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -2606,8 +2606,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node)
- *
- * It copies the process, and if successful kick-starts
- * it and waits for it to finish using the VM if required.
-- *
-- * args->exit_signal is expected to be checked for sanity by the caller.
- */
- pid_t kernel_clone(struct kernel_clone_args *args)
- {
-@@ -2632,6 +2630,9 @@ pid_t kernel_clone(struct kernel_clone_args *args)
- (args->pidfd == args->parent_tid))
- return -EINVAL;
-
-+ if (!valid_signal(args->exit_signal))
-+ return -EINVAL;
-+
- /*
- * Determine whether and which event to report to ptracer. When
- * called from kernel_thread or CLONE_UNTRACED is explicitly
-@@ -2830,11 +2831,9 @@ static noinline int copy_clone_args_from_user(struct kernel_clone_args *kargs,
- return -EINVAL;
-
- /*
-- * Verify that higher 32bits of exit_signal are unset and that
-- * it is a valid signal
-+ * Verify that higher 32bits of exit_signal are unset
- */
-- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) ||
-- !valid_signal(args.exit_signal)))
-+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL)))
- return -EINVAL;
-
- if ((args.flags & CLONE_INTO_CGROUP) &&
---
-2.53.0
-
hid-remove-duplicate-hid_warn_ratelimited-definition.patch
kunit-fix-use-after-free-in-debugfs-when-using-kunit.patch
accel-rocket-fix-uaf-via-dangling-gem-handle-in-crea.patch
-kernel-fork-validate-exit_signal-in-kernel_clone.patch
-esp-fix-page-frag-reference-leak-on-skb_to_sgvec-fai.patch
netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch
netfilter-xt_cpu-prefer-raw_smp_processor_id.patch
netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch
misc-rp1-send-iack-on-irq-activate-to-fix-kdump-kexec.patch
input-atmel_mxt_ts-fix-boundary-check-in-mxt_prepare_cfg_mem.patch
input-synaptics-add-len2058-to-smbus-passlist-for-thinkpad-e490.patch
-gpib-cb7210-fix-region-leak-when-request_irq-fails.patch
dt-bindings-usb-fix-eic7700-usb-reset-s-issue.patch
comedi-comedi_test-fix-check-for-valid-scan_begin_src-in-waveform_ai_cmdtest.patch
comedi-comedi_test-fix-limiting-of-convert_arg-in-waveform_ai_cmdtest.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
