From: Greg Kroah-Hartman Date: Sun, 14 Jun 2026 17:34:07 +0000 (+0200) Subject: 7.0-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=07b175a3f2c1ebd9204f7bd386a388b65457065c;p=thirdparty%2Fkernel%2Fstable-queue.git 7.0-stable patches added patches: bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-pointer.patch i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch ipv6-mcast-fix-use-after-free-when-processing-mld-queries.patch kvm-arm64-take-the-srcu-lock-for-page-table-walks-in-fault-injection-and-at-emulation.patch net-smc-fix-sleep-inside-lock-in-__smc_setsockopt-causing-local-dos.patch --- diff --git a/queue-7.0/bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-pointer.patch b/queue-7.0/bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-pointer.patch new file mode 100644 index 0000000000..02ecc973d9 --- /dev/null +++ b/queue-7.0/bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-pointer.patch 
@@ -0,0 +1,43 @@ +From f50331f2a1441ec49988832c3a95f2edacc47322 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Mon, 1 Jun 2026 14:52:09 -0400 +Subject: Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer + +From: Luiz Augusto von Dentz + +commit f50331f2a1441ec49988832c3a95f2edacc47322 upstream. + +In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is +dropped: + bis = iso_pi(sk)->conn->hcon; + /* Release the socket before lookups since that requires hci_dev_lock + * which shall not be acquired while holding sock_lock for proper + * ordering. + */ + release_sock(sk); + hci_dev_lock(bis->hdev); + +During the unlocked window, could a concurrent close() destroy the connection +and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory +after it is freed, fix this by using the hdev reference which was safely +acquired via iso_conn_get_hdev(). + +Fixes: d3413703d5f8 ("Bluetooth: ISO: Add support to bind to trigger PAST") +Reported-by: Sashiko +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/iso.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/iso.c ++++ b/net/bluetooth/iso.c +@@ -1090,7 +1090,7 @@ static int iso_sock_rebind_bc(struct soc + * ordering. + */ + release_sock(sk); +- hci_dev_lock(bis->hdev); ++ hci_dev_lock(hdev); + lock_sock(sk); + + if (!iso_pi(sk)->conn || iso_pi(sk)->conn->hcon != bis) { diff --git a/queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch b/queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch new file mode 100644 index 0000000000..7c447c17fe --- /dev/null +++ b/queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch 
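Review bot: In the iso_sock_rebind_bc() hunk, switching `hci_dev_lock(bis->hdev)` to `hci_dev_lock(hdev)` removes the only dereference of the cached `bis` pointer inside the window between `release_sock(sk)` and `lock_sock(sk)`, which is the use-after-free the message describes; the trailing context line `if (!iso_pi(sk)->conn || iso_pi(sk)->conn->hcon != bis)` still compares the stale `bis` value, but as a pointer comparison that only detects the connection change and does not touch freed memory, so it is acceptable as long as no later code dereferences `bis` before that check. Two things the hunk does not show and a reviewer should confirm from the full function: that `hdev` really is the reference taken via iso_conn_get_hdev() before the lock drop (the commit message asserts it, the diff context does not), and that the corresponding put happens on every exit path. Minor wording point on the description: "During the unlocked window, could a concurrent close() destroy the connection ... , fix this by ..." reads as a question running into the fix; restating it as "a concurrent close() can destroy the connection and free the bis structure, so hci_dev_lock(bis->hdev) touches freed memory. Fix this by ..." would make the causal chain clear.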
@@ -0,0 +1,60 @@ +From 617eb7c0961a8dfcfc811844a6396e406b2923ea Mon Sep 17 00:00:00 2001 +From: Mingyu Wang <25181214217@stu.xidian.edu.cn> +Date: Mon, 27 Apr 2026 10:57:45 +0800 +Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl + +From: Mingyu Wang <25181214217@stu.xidian.edu.cn> + +commit 617eb7c0961a8dfcfc811844a6396e406b2923ea upstream. + +While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong +timeout value` warning was observed, accompanied by SMBus controller +state machine corruption. + +The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of +10 ms. The user argument is checked against INT_MAX, but it is +subsequently multiplied by 10 before being passed to msecs_to_jiffies(). + +A malicious user can pass a large value (e.g., 429496729) that passes +the `arg > INT_MAX` check but overflows when multiplied by 10. This +results in a truncated 32-bit unsigned value that bypasses the +internal `(int)m < 0` check in `msecs_to_jiffies()`. + +The truncated value is then assigned to `client->adapter->timeout` +(a signed 32-bit int), which is reinterpreted as a negative number. +When passed to wait_for_completion_timeout(), this negative value +undergoes sign extension to a 64-bit unsigned long, triggering the +`schedule_timeout` warning and causing premature returns. This leaves +the SMBus state machine in an unrecoverable state, constituting a +local Denial of Service (DoS). + +Fix this by bounding the user argument to `INT_MAX / 10`. 
+ +Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> +[wsa: move the comment as well] +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/i2c-dev.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/i2c/i2c-dev.c ++++ b/drivers/i2c/i2c-dev.c +@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *fi + client->adapter->retries = arg; + break; + case I2C_TIMEOUT: +- if (arg > INT_MAX) ++ /* ++ * For historical reasons, user-space sets the timeout value in ++ * units of 10 ms. ++ */ ++ if (arg > INT_MAX / 10) + return -EINVAL; + +- /* For historical reasons, user-space sets the timeout +- * value in units of 10 ms. +- */ + client->adapter->timeout = msecs_to_jiffies(arg * 10); + break; + default: diff --git a/queue-7.0/ipv6-mcast-fix-use-after-free-when-processing-mld-queries.patch b/queue-7.0/ipv6-mcast-fix-use-after-free-when-processing-mld-queries.patch new file mode 100644 index 0000000000..ddfa549306 --- /dev/null +++ b/queue-7.0/ipv6-mcast-fix-use-after-free-when-processing-mld-queries.patch 
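Review bot: The new bound `if (arg > INT_MAX / 10)` in the I2C_TIMEOUT case guarantees `arg * 10` is at most INT_MAX, so the multiplication can no longer wrap and the `(int)m < 0` guard inside msecs_to_jiffies() that the description relies on is reached with a non-negative value; with INT_MAX / 10 == 214748364 the largest accepted timeout is 2147483640 ms, and at HZ=1000 (where msecs_to_jiffies() is an identity) that still fits the signed `client->adapter->timeout`, so no second truncation is introduced on the store. Moving the "historical reasons, units of 10 ms" comment above the check is the right place for it, since the `/ 10` in the bound is only understandable with that context; consider stating in the comment that the division is the overflow guard, otherwise a later reader may "simplify" it back to `INT_MAX`. One style nit: the existing `I2C_RETRIES` case visible in the leading context assigns `arg` with no upper bound at all, which is outside this fix but worth a follow-up look by the same reasoning.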
@@ -0,0 +1,102 @@ +From 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 Mon Sep 17 00:00:00 2001 +From: Ido Schimmel +Date: Wed, 3 Jun 2026 13:18:11 +0300 +Subject: ipv6: mcast: Fix use-after-free when processing MLD queries + +From: Ido Schimmel + +commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 upstream. + +When processing an MLD query, a pointer to the multicast group address +is retrieved when initially parsing the packet. This pointer is later +dereferenced without being reloaded despite the fact that the skb header +might have been reallocated following the pskb_may_pull() calls, leading +to a use-after-free [1]. + +Fix by copying the multicast group address when the packet is initially +parsed. + +[1] +BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512) +Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118 + +Workqueue: mld mld_query_work +Call Trace: + +dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120) +print_address_description.constprop.0 (mm/kasan/report.c:378) +print_report (mm/kasan/report.c:482) +kasan_report (mm/kasan/report.c:595) +__mld_query_work (net/ipv6/mcast.c:1512) +mld_query_work (net/ipv6/mcast.c:1563) +process_one_work (kernel/workqueue.c:3314) +worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478) +kthread (kernel/kthread.c:436) +ret_from_fork (arch/x86/kernel/process.c:158) +ret_from_fork_asm (arch/x86/entry/entry_64.S:245) + + +[...] 
+ +Freed by task 118: +kasan_save_stack (mm/kasan/common.c:57) +kasan_save_track (mm/kasan/common.c:78) +kasan_save_free_info (mm/kasan/generic.c:584) +__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285) +kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566) +pskb_expand_head (net/core/skbuff.c:2335) +__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4)) +__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1)) +mld_query_work (net/ipv6/mcast.c:1563) +process_one_work (kernel/workqueue.c:3314) +worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478) +kthread (kernel/kthread.c:436) +ret_from_fork (arch/x86/kernel/process.c:158) +ret_from_fork_asm (arch/x86/entry/entry_64.S:245) + +Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast") +Reported-by: Leo Lin +Reviewed-by: David Ahern +Signed-off-by: Ido Schimmel +Reviewed-by: Eric Dumazet +Reviewed-by: Jiayuan Chen +Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/mcast.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -1424,9 +1424,9 @@ out: + static void __mld_query_work(struct sk_buff *skb) + { + struct mld2_query *mlh2 = NULL; +- const struct in6_addr *group; + unsigned long max_delay; + struct inet6_dev *idev; ++ struct in6_addr group; + struct ifmcaddr6 *ma; + struct mld_msg *mld; + int group_type; +@@ -1458,8 +1458,8 @@ static void __mld_query_work(struct sk_b + goto kfree_skb; + + mld = (struct mld_msg *)icmp6_hdr(skb); +- group = &mld->mld_mca; +- group_type = ipv6_addr_type(group); ++ group = mld->mld_mca; ++ group_type = ipv6_addr_type(&group); + + if (group_type != IPV6_ADDR_ANY && + !(group_type&IPV6_ADDR_MULTICAST)) +@@ -1509,7 +1509,7 @@ static void __mld_query_work(struct sk_b + } + } else { + for_each_mc_mclock(idev, ma) { +- if 
(!ipv6_addr_equal(group, &ma->mca_addr)) ++ if (!ipv6_addr_equal(&group, &ma->mca_addr)) + continue; + if (ma->mca_flags & MAF_TIMER_RUNNING) { + /* gsquery <- gsquery && mark */ diff --git a/queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in-fault-injection-and-at-emulation.patch b/queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in-fault-injection-and-at-emulation.patch new file mode 100644 index 0000000000..f4d94eb1bf --- /dev/null +++ b/queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in-fault-injection-and-at-emulation.patch 
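Review bot: Copying `mld->mld_mca` into a stack `struct in6_addr group` at the point where `mld` is first read from icmp6_hdr(skb) means the address no longer lives in the skb head that `__pskb_pull_tail()` / `pskb_expand_head()` can free, which is exactly what the KASAN report shows (free at net/ipv6/mcast.c:1495, read at :1512); all three hunks are consistent in switching callers to `&group`. The second declaration hunk keeps the netdev reverse-christmas-tree ordering (`struct in6_addr group;` placed between `struct inet6_dev *idev;` and `struct ifmcaddr6 *ma;`), so no checkpatch complaint there. One thing to verify outside the visible lines: `struct mld2_query *mlh2 = NULL;` remains a pointer into the skb, so it must only be assigned after the final pskb_may_pull() in this function, otherwise the same class of bug survives for the MLDv2 source list; a one-line comment next to the `group` copy explaining why it is a copy rather than a pointer would stop someone re-introducing the pointer to save 16 bytes of stack.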
@@ -0,0 +1,51 @@ +From f2ca45b50d4216c9cc7ffabf50d9ad1932209251 Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Wed, 3 Jun 2026 21:09:33 +0900 +Subject: KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation + +From: Hyunwoo Kim + +commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 upstream. + +walk_s1() and kvm_walk_nested_s2() expect to be called while holding +kvm->srcu to guard against memslot changes. While this is generally +the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the +respective walkers without taking kvm->srcu. + +Fix by acquiring kvm->srcu prior to the table walk in both instances. + +Cc: stable@vger.kernel.org +Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection") +Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}") +Suggested-by: Oliver Upton +Signed-off-by: Hyunwoo Kim +Reviewed-by: Oliver Upton +Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/at.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kvm/at.c ++++ b/arch/arm64/kvm/at.c +@@ -1568,7 +1568,8 @@ int __kvm_at_s12(struct kvm_vcpu *vcpu, + /* Do the stage-2 translation */ + ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0)); + out.esr = 0; +- ret = kvm_walk_nested_s2(vcpu, ipa, &out); ++ scoped_guard(srcu, &vcpu->kvm->srcu) ++ ret = kvm_walk_nested_s2(vcpu, ipa, &out); + if (ret < 0) + return ret; + +@@ -1664,7 +1665,8 @@ int __kvm_find_s1_desc_level(struct kvm_ + } + + /* Walk the guest's PT, looking for a match along the way */ +- ret = walk_s1(vcpu, &wi, &wr, va); ++ scoped_guard(srcu, &vcpu->kvm->srcu) ++ ret = walk_s1(vcpu, &wi, &wr, va); + switch (ret) { + case -EINTR: + /* We interrupted the walk on a match, return the level */ 
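Review bot: In both hunks `scoped_guard(srcu, &vcpu->kvm->srcu)` covers only the single walker call (`kvm_walk_nested_s2()` in __kvm_at_s12(), `walk_s1()` in __kvm_find_s1_desc_level()), and the results in `out` and `wr` are inspected after the read-side critical section has ended; that is correct only because the walkers fill caller-owned structs rather than returning pointers into memslot-backed memory, and it would be worth a one-line comment saying so, since widening the guard later "to be safe" would change sleeping/blocking behaviour for the rest of the function. The brace-less single statement under `scoped_guard()` is accepted kernel style but some maintainers ask for braces when the guarded body is a call with side effects; either is fine, just be consistent between the two sites. The `ipa = (par & GENMASK_ULL(47, 12)) | ...` computation in the first hunk comes from a stage-1 result obtained earlier in the function that the hunk does not show; the description says only these two call sites lacked `kvm->srcu`, so that earlier walk is presumably already covered, but the commit message would be stronger if it said where.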
diff --git a/queue-7.0/net-smc-fix-sleep-inside-lock-in-__smc_setsockopt-causing-local-dos.patch b/queue-7.0/net-smc-fix-sleep-inside-lock-in-__smc_setsockopt-causing-local-dos.patch new file mode 100644 index 0000000000..411b131214 --- /dev/null +++ b/queue-7.0/net-smc-fix-sleep-inside-lock-in-__smc_setsockopt-causing-local-dos.patch 
@@ -0,0 +1,71 @@ +From a3fdd924d88c30b9f488636ce0e4696012cf5511 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nicol=C3=B2=20Coccia?= +Date: Sun, 10 May 2026 12:34:13 -0400 +Subject: net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nicolò Coccia + +commit a3fdd924d88c30b9f488636ce0e4696012cf5511 upstream. + +A logic flaw in __smc_setsockopt() allows a local unprivileged user to +cause a Denial of Service (DoS) by holding the socket lock indefinitely. + +The function __smc_setsockopt() calls copy_from_sockptr() while holding +lock_sock(sk). By passing a userfaultfd-monitored memory page (or +FUSE-backed memory on systems where unprivileged userfaultfd is disabled) +as the optval, an attacker can halt execution during the copy operation, +keeping the lock held. + +Combined with asynchronous tear-down operations like shutdown(), this +exhausts the kernel wq (kworkers) and triggers the hung task watchdog. + +[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds. +[ 240.123489] Call Trace: +[ 240.123501] smc_shutdown+... +[ 240.123512] lock_sock_nested+... + +This patch moves the user-space copy outside the lock_sock() critical +section to prevent the issue. 
+ +Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options") +Signed-off-by: Nicolò Coccia +Reviewed-by: Dust Li +Tested-by: Dust Li +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/af_smc.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -3061,18 +3061,17 @@ static int __smc_setsockopt(struct socke + + smc = smc_sk(sk); + ++ /* pre-fetch user data outside the lock */ ++ if (optname == SMC_LIMIT_HS) { ++ if (optlen < sizeof(int)) ++ return -EINVAL; ++ if (copy_from_sockptr(&val, optval, sizeof(int))) ++ return -EFAULT; ++ } ++ + lock_sock(sk); + switch (optname) { + case SMC_LIMIT_HS: +- if (optlen < sizeof(int)) { +- rc = -EINVAL; +- break; +- } +- if (copy_from_sockptr(&val, optval, sizeof(int))) { +- rc = -EFAULT; +- break; +- } +- + smc->limit_smc_hs = !!val; + rc = 0; + break; diff --git a/queue-7.0/series b/queue-7.0/series index e1fbbdd171..d3411a3fef 100644 --- a/queue-7.0/series +++ b/queue-7.0/series @@ -1 +1,6 @@ bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch +kvm-arm64-take-the-srcu-lock-for-page-table-walks-in-fault-injection-and-at-emulation.patch +i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch +bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-pointer.patch +ipv6-mcast-fix-use-after-free-when-processing-mld-queries.patch +net-smc-fix-sleep-inside-lock-in-__smc_setsockopt-causing-local-dos.patch
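Review bot: Hoisting the `optlen` check and `copy_from_sockptr()` above `lock_sock(sk)` in __smc_setsockopt() removes the page-fault-under-socket-lock path the description blames for the kworker hang, and the two early `return -EINVAL` / `return -EFAULT` statements are safe there because nothing has been locked yet; the pre-fetch block keys on `optname == SMC_LIMIT_HS` so `val` is still only read in the `SMC_LIMIT_HS` case, and the `rc = 0` / `break` in that case is unchanged. Two review points: first, the pre-fetch duplicates the dispatch that the `switch (optname)` below already does, so if another option later needs user data the same pattern must be repeated outside the lock; a short comment that every `copy_from_sockptr()` in this function must stay above `lock_sock()` would make that rule explicit for the next contributor. Second, because the copy now happens before the socket lock, a concurrent setsockopt() on the same socket can interleave between the copy and `smc->limit_smc_hs = !!val`; that is harmless here since the value is a single int written under the lock, but worth noting in the message so nobody assumes the copy-then-lock ordering gives atomicity with respect to other fields. The series file hunk simply appends the five new entries after the existing bpf entry and needs no change.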