From: Greg Kroah-Hartman Date: Mon, 15 Jun 2026 14:41:54 +0000 (+0200) Subject: 7.0-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=25d430251d51aeadda2ab773cda57f7a3fd1f454;p=thirdparty%2Fkernel%2Fstable-queue.git 7.0-stable patches added patches: alsa-timer-fix-uaf-at-snd_timer_user_params.patch alsa-timer-forcibly-close-timer-instances-at-closing.patch arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch arm-9475-1-entry-use-byte-load-for-kasan-vmap-stack-shadow.patch arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch arm64-mm-call-pagetable-dtor-when-freeing-hot-removed-page-tables.patch asoc-fsl_sai-fix-32-slots-tdm-broken-by-integer-shift-ub-in-xmr-write.patch bnxt_en-fix-null-pointer-dereference.patch drivers-hv-vmbus-improve-the-logic-of-reserving-fb_mmio-on-gen2-vms.patch drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch drm-virtio-fix-dma_fence-refcount-leak-on-error-in-virtio_gpu_dma_fence_wait.patch fhandle-fix-uaf-due-to-unlocked-mnt_ns-read-in-may_decode_fh.patch hv-utils-handle-and-propagate-errors-in-kvp_register.patch ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch inet-frags-fix-use-after-free-caused-by-the-fqdir_pre_exit-flush.patch io_uring-kbuf-don-t-truncate-end-buffer-for-bundles.patch io_uring-net-inherit-ioring_cqe_f_buf_more-across-bundle-recv-retries.patch io_uring-wait-fix-min_timeout-behavior.patch ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-double-smb2_cancel.patch mm-damon-ops-common-call-folio_test_lru-after-folio_get.patch mm-huge_memory-update-file-pmd-counter-before-folio_put.patch mm-huge_memory-update-file-pud-counter-before-folio_put.patch mptcp-add-addr-always-drop-other-suboptions.patch mptcp-allow-subflow-rcv-wnd-to-shrink.patch mptcp-check-desc-count-in-read_sock.patch mptcp-close-toctou-race-while-computing-rcv_wnd.patch mptcp-fix-missing-wakeups-in-edge-scenarios.patch mptcp-fix-retransmission-loop-when-csum-is-enabled.patch mptcp-pm-fix-extra_subflows-underflow-on-userspace-pm-subflow-creation.patch mptcp-sockopt-check-timestamping-ret-value.patch mptcp-sockopt-set-sockopt-on-all-subflows.patch ovl-keep-err-zero-after-successful-ovl_cache_get.patch pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch rdma-core-validate-cpu_id-against-nr_cpu_ids-in-dmah-alloc.patch rdma-core-validate-the-passed-in-fops-for-ib_get_ucaps.patch rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch s390-remove-generic_lockbreak-kconfig-option.patch selftests-mptcp-add-test-for-extra_subflows-underflow-on-userspace-pm.patch spi-qcom-geni-fix-cs_change-handling-on-the-last-transfer.patch staging-rtl8723bs-fix-buffer-over-read-in-rtw_update_protection.patch staging-rtl8723bs-rtw_mlme-add-bounds-checks-before-ie_length-subtraction.patch timers-migration-fix-livelock-in-tmigr_handle_remote_up.patch udp-clear-skb-dev-before-running-a-sockmap-verdict.patch usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch wifi-iwlwifi-pcie-simplify-the-resume-flow-if-fast-resume-is-not-used.patch wifi-nl80211-reject-oversized-ema-rnr-lists.patch xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch xfrm-iptfs-fix-abba-deadlock-in-iptfs_destroy_state.patch xfrm-iptfs-preserve-shared-frag-marker-in-iptfs_consume_frags.patch xfs-fix-error-returns-in-cow-fork-repair.patch xfs-fix-rtgroup-cleanup-in-cow-fork-repair.patch zram-fix-use-after-free-in-zram_bvec_write_partial.patch --- diff --git a/queue-7.0/alsa-timer-fix-uaf-at-snd_timer_user_params.patch b/queue-7.0/alsa-timer-fix-uaf-at-snd_timer_user_params.patch new file mode 100644 index 0000000000..874784686c --- /dev/null +++ b/queue-7.0/alsa-timer-fix-uaf-at-snd_timer_user_params.patch @@ -0,0 +1,46 @@ +From 053a401b592be424fea9d57c789f66cd5d8cec11 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 6 Jun 2026 18:11:41 +0200 +Subject: ALSA: timer: Fix UAF at snd_timer_user_params() + +From: Takashi Iwai + +commit 053a401b592be424fea9d57c789f66cd5d8cec11 upstream. + +At releasing a timer object, e.g. when a userspace timer +(CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it +tries to detach the timer instances and release the resources. +However, it's still possible that other in-flight tasks are holding +the timer instance where the to-be-deleted timer object is associated, +and this may lead to racy accesses. + +Fortunately, most of ioctls dealing with the timer instance list +already have the protection with register_mutex, and this also avoids +such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the +concurrent ioctl may lead to use-after-free. + +This patch just adds the guard with register_mutex to protect +snd_timer_user_params() for covering the code path as a quick +workaround. It's no hot-path but rather a rarely issued ioctl, so the +performance penalty doesn't matter. + +Reported-by: Kyle Zeng +Tested-by: Kyle Zeng +Cc: +Link: https://patch.msgid.link/20260606161145.1933447-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1791,6 +1791,7 @@ static int snd_timer_user_params(struct + struct snd_timer *t; + int err; + ++ guard(mutex)(®ister_mutex); + tu = file->private_data; + if (!tu->timeri) + return -EBADFD; diff --git a/queue-7.0/alsa-timer-forcibly-close-timer-instances-at-closing.patch b/queue-7.0/alsa-timer-forcibly-close-timer-instances-at-closing.patch new file mode 100644 index 0000000000..c55cc3edef --- /dev/null +++ b/queue-7.0/alsa-timer-forcibly-close-timer-instances-at-closing.patch @@ -0,0 +1,77 @@ +From da3039e91d1f835874ed6e9a33ea19ee80c2cb92 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 6 Jun 2026 18:11:40 +0200 +Subject: ALSA: timer: Forcibly close timer instances at closing + +From: Takashi Iwai + +commit da3039e91d1f835874ed6e9a33ea19ee80c2cb92 upstream. + +When snd_timer object is freed via snd_timer_free() and still pending +snd_timer_instance objects are assigned to the timer object, it tries +to unlink all instances and just set NULL to each ti->timer, then +releases the resources immediately. The problem is, however, when +there are slave timer instances that are associated with a master +instance linked to this timer: namely, those slave instances still +point to the freed timer object although the master instance is +unlinked, which may lead to user-after-free. The bug can be easily +triggered particularly when a new userspace-driven timers +(CONFIG_SND_UTIMER) is involved, since it can create and delete the +timer object via a simple file open/close, while the other +applications may keep accessing to that timer. + +This patch is an attempt to paper over the problem above: now instead +of just unlinking, call snd_timer_close[_locked]() forcibly for each +pending timer instance, so that all assigned slave timer instances are +properly detached, too. Since snd_timer_close() might be called later +by the driver that created that instance, the check of +SNDRV_TIMER_IFLG_DEAD is added at the beginning, too. + +Reported-by: Kyle Zeng +Tested-by: Kyle Zeng +Fixes: 37745918e0e7 ("ALSA: timer: Introduce virtual userspace-driven timers") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260606161145.1933447-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/timer.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -422,6 +422,8 @@ static void snd_timer_close_locked(struc + + if (timer) { + guard(spinlock_irq)(&timer->lock); ++ if (timeri->flags & SNDRV_TIMER_IFLG_DEAD) ++ return; /* already closed */ + timeri->flags |= SNDRV_TIMER_IFLG_DEAD; + } + +@@ -964,18 +966,18 @@ EXPORT_SYMBOL(snd_timer_new); + + static int snd_timer_free(struct snd_timer *timer) + { ++ struct snd_timer_instance *ti, *n; ++ + if (!timer) + return 0; + + guard(mutex)(®ister_mutex); + if (! list_empty(&timer->open_list_head)) { +- struct list_head *p, *n; +- struct snd_timer_instance *ti; +- pr_warn("ALSA: timer %p is busy?\n", timer); +- list_for_each_safe(p, n, &timer->open_list_head) { +- list_del_init(p); +- ti = list_entry(p, struct snd_timer_instance, open_list); +- ti->timer = NULL; ++ list_for_each_entry_safe(ti, n, &timer->open_list_head, open_list) { ++ struct device *card_dev_to_put = NULL; ++ ++ snd_timer_close_locked(ti, &card_dev_to_put); ++ put_device(card_dev_to_put); + } + } + list_del(&timer->device_list); diff --git a/queue-7.0/arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch b/queue-7.0/arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch new file mode 100644 index 0000000000..f4372116a0 --- /dev/null +++ b/queue-7.0/arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch @@ -0,0 +1,57 @@ +From d59ed803715a71fb9582e139d648ece8d66dc743 Mon Sep 17 00:00:00 2001 +From: Karl Mehltretter +Date: Sun, 24 May 2026 06:52:36 +0100 +Subject: ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O + +From: Karl Mehltretter + +commit d59ed803715a71fb9582e139d648ece8d66dc743 upstream. + +For CPUs before ARMv6, __raw_readw() and __raw_writew() are implemented +as C volatile halfword accesses so the compiler can generate an access +sequence that is safe for those machines. With KASAN enabled, those C +accesses are instrumented as normal memory accesses. + +That is not valid for MMIO. On ARM926/VersatilePB with KASAN enabled, +PL011 probing traps in __asan_store2() while registering the UART, because +the instrumented writew() tries to check KASAN shadow for an MMIO address. + +Keep the existing volatile halfword access, but move the ARMv5 definitions +into __no_kasan_or_inline functions so raw MMIO halfword accesses are not +instrumented by KASAN. The ARMv6-and-newer inline assembly path is +unchanged. + +Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM") +Cc: stable@vger.kernel.org # v5.11+ +Signed-off-by: Karl Mehltretter +Reviewed-by: Linus Walleij +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/include/asm/io.h | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/arch/arm/include/asm/io.h ++++ b/arch/arm/include/asm/io.h +@@ -56,8 +56,19 @@ void __raw_readsl(const volatile void __ + * the bus. Rather than special-case the machine, just let the compiler + * generate the access for CPUs prior to ARMv6. + */ +-#define __raw_readw(a) (__chk_io_ptr(a), *(volatile unsigned short __force *)(a)) +-#define __raw_writew(v,a) ((void)(__chk_io_ptr(a), *(volatile unsigned short __force *)(a) = (v))) ++#define __raw_writew __raw_writew ++static __no_kasan_or_inline void __raw_writew(u16 val, volatile void __iomem *addr) ++{ ++ __chk_io_ptr(addr); ++ *(volatile unsigned short __force *)addr = val; ++} ++ ++#define __raw_readw __raw_readw ++static __no_kasan_or_inline u16 __raw_readw(const volatile void __iomem *addr) ++{ ++ __chk_io_ptr(addr); ++ return *(const volatile unsigned short __force *)addr; ++} + #else + /* + * When running under a hypervisor, we want to avoid I/O accesses with diff --git a/queue-7.0/arm-9475-1-entry-use-byte-load-for-kasan-vmap-stack-shadow.patch b/queue-7.0/arm-9475-1-entry-use-byte-load-for-kasan-vmap-stack-shadow.patch new file mode 100644 index 0000000000..8e4104c041 --- /dev/null +++ b/queue-7.0/arm-9475-1-entry-use-byte-load-for-kasan-vmap-stack-shadow.patch @@ -0,0 +1,43 @@ +From 77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6 Mon Sep 17 00:00:00 2001 +From: Karl Mehltretter +Date: Sun, 24 May 2026 06:52:35 +0100 +Subject: ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow + +From: Karl Mehltretter + +commit 77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6 upstream. + +Commit 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from +VMAP shadow") added a dummy read from the KASAN VMAP stack shadow in +__switch_to(). The read uses ldr, but the KASAN shadow address is +byte-granular and is not guaranteed to be word aligned. + +ARMv5 faults unaligned word loads. With CONFIG_KASAN_VMALLOC and +CONFIG_VMAP_STACK enabled, ARM926/VersatilePB crashes in __switch_to() +with an alignment exception before reaching init. + +Use ldrb for the dummy shadow access. The code only needs to fault in the +shadow mapping if the stack shadow is missing, so a byte load is sufficient +and matches the granularity of KASAN shadow memory. + +Fixes: 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from VMAP shadow") +Cc: stable@vger.kernel.org # v6.13+ +Signed-off-by: Karl Mehltretter +Reviewed-by: Linus Walleij +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/kernel/entry-armv.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/kernel/entry-armv.S ++++ b/arch/arm/kernel/entry-armv.S +@@ -567,7 +567,7 @@ ENTRY(__switch_to) + @ are using KASAN + mov_l r2, KASAN_SHADOW_OFFSET + add r2, r2, ip, lsr #KASAN_SHADOW_SCALE_SHIFT +- ldr r2, [r2] ++ ldrb r2, [r2] + #endif + #endif + diff --git a/queue-7.0/arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch b/queue-7.0/arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch new file mode 100644 index 0000000000..a961dedb52 --- /dev/null +++ b/queue-7.0/arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch @@ -0,0 +1,39 @@ +From 63838c323924fe4a78b2323bd45aa1030f72ca60 Mon Sep 17 00:00:00 2001 +From: Yuho Choi +Date: Sun, 24 May 2026 22:47:09 -0400 +Subject: ARM: socfpga: Fix OF node refcount leak in SMP setup + +From: Yuho Choi + +commit 63838c323924fe4a78b2323bd45aa1030f72ca60 upstream. + +socfpga_smp_prepare_cpus() looks up the Cortex-A9 SCU node with +of_find_compatible_node(), which returns a node reference that must be +released with of_node_put(). + +The function maps the SCU registers and then returns without dropping +that reference, leaking the node on both the success path and the +of_iomap() failure path. + +Drop the reference once the mapping attempt is complete. The returned +MMIO mapping does not depend on keeping the device node reference held. + +Fixes: 122694a0c712 ("ARM: socfpga: use of_iomap to map the SCU") +Cc: stable@vger.kernel.org +Signed-off-by: Yuho Choi +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-socfpga/platsmp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-socfpga/platsmp.c ++++ b/arch/arm/mach-socfpga/platsmp.c +@@ -78,6 +78,7 @@ static void __init socfpga_smp_prepare_c + } + + socfpga_scu_base_addr = of_iomap(np, 0); ++ of_node_put(np); + if (!socfpga_scu_base_addr) + return; + scu_enable(socfpga_scu_base_addr); diff --git a/queue-7.0/arm64-mm-call-pagetable-dtor-when-freeing-hot-removed-page-tables.patch b/queue-7.0/arm64-mm-call-pagetable-dtor-when-freeing-hot-removed-page-tables.patch new file mode 100644 index 0000000000..547483f605 --- /dev/null +++ b/queue-7.0/arm64-mm-call-pagetable-dtor-when-freeing-hot-removed-page-tables.patch @@ -0,0 +1,65 @@ +From c594b83457ccdee76d458416fb3bc9348a37592f Mon Sep 17 00:00:00 2001 +From: Alistair Popple +Date: Thu, 21 May 2026 13:27:30 +1000 +Subject: arm64: mm: call pagetable dtor when freeing hot-removed page tables + +From: Alistair Popple + +commit c594b83457ccdee76d458416fb3bc9348a37592f upstream. + +Since 5e8eb9aeeda3 ("arm64: mm: always call PTE/PMD ctor in +__create_pgd_mapping()") page-table allocation on ARM64 always calls +pagetable_{pte,pmd,pud,p4d}_ctor(). This sets the page_type to +PGTY_table, increments NR_PAGETABLE and possible allocates a PTL. However +the matching pagetable_dtor() calls were never added. + +With DEBUG_VM enabled on kernel versions prior to v6.17 without +2dfcd1608f3a9 ("mm/page_alloc: let page freeing clear any set page type") +this leads to the following warning when freeing these pages due to +page->page_type sharing page->_mapcount: + + BUG: Bad page state in process ... pfn:284fbb + page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x284fbb + flags: 0x17fffc000000000(node=0|zone=2|lastcpupid=0x1ffff) + page_type: f2(table) + page dumped because: nonzero mapcount + Call trace: + bad_page+0x13c/0x160 + __free_frozen_pages+0x6cc/0x860 + ___free_pages+0xf4/0x180 + free_pages+0x54/0x80 + free_hotplug_page_range.part.0+0x58/0x90 + free_empty_tables+0x438/0x500 + __remove_pgd_mapping.constprop.0+0x60/0xa8 + arch_remove_memory+0x48/0x80 + try_remove_memory+0x158/0x1d8 + offline_and_remove_memory+0x138/0x180 + +It can also lead to leaking the ptl allocation if ALLOC_SPLIT_PTLOCKS is +defined and incorrect NR_PAGETABLE stats. Fix this by calling +pagetable_dtor() in free_hotplug_pgtable_page() prior to freeing the page +to undo the effects of calling pagetable_*_ctor(). + +Link: https://lore.kernel.org/20260521032730.2104017-1-apopple@nvidia.com +Fixes: 5e8eb9aeeda3 ("arm64: mm: always call PTE/PMD ctor in __create_pgd_mapping()") +Signed-off-by: Alistair Popple +Cc: Catalin Marinas +Cc: David Hildenbrand +Cc: Will Deacon +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/mmu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -1445,6 +1445,7 @@ static void free_hotplug_page_range(stru + + static void free_hotplug_pgtable_page(struct page *page) + { ++ pagetable_dtor(page_ptdesc(page)); + free_hotplug_page_range(page, PAGE_SIZE, NULL); + } + diff --git a/queue-7.0/asoc-fsl_sai-fix-32-slots-tdm-broken-by-integer-shift-ub-in-xmr-write.patch b/queue-7.0/asoc-fsl_sai-fix-32-slots-tdm-broken-by-integer-shift-ub-in-xmr-write.patch new file mode 100644 index 0000000000..a6018b5ebe --- /dev/null +++ b/queue-7.0/asoc-fsl_sai-fix-32-slots-tdm-broken-by-integer-shift-ub-in-xmr-write.patch @@ -0,0 +1,43 @@ +From 4790af1cc2e8871fb31f28c66e42b9a949a23992 Mon Sep 17 00:00:00 2001 +From: Chancel Liu +Date: Mon, 1 Jun 2026 17:33:27 +0900 +Subject: ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write + +From: Chancel Liu + +commit 4790af1cc2e8871fb31f28c66e42b9a949a23992 upstream. + +When configuring 32 slots TDM (channels == slots == 32), the xMR +(Mask Register) write used: +~0UL - ((1 << min(channels, slots)) - 1) + +The literal "1" is a signed 32-bit int. Shifting it by 32 positions is +undefined behaviour which may set this register to 0xFFFFFFFF, masking +all 32 slots. + +Use GENMASK_U32() macro instead. For 32 slots this produces a zero mask: +~GENMASK_U32(31, 0) = ~0xFFFFFFFF = 0x00000000 +Behaviour for fewer than 32 slots is unchanged. + +Fixes: 770f58d7d2c5 ("ASoC: fsl_sai: Support multiple data channel enable bits") +Cc: stable@vger.kernel.org +Signed-off-by: Chancel Liu +Reviewed-by: Shengjiu Wang +Link: https://patch.msgid.link/20260601083327.1535185-1-chancel.liu@oss.nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/fsl_sai.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -747,7 +747,7 @@ static int fsl_sai_hw_params(struct snd_ + FSL_SAI_CR4_FSD_MSTR, FSL_SAI_CR4_FSD_MSTR); + + regmap_write(sai->regmap, FSL_SAI_xMR(tx), +- ~0UL - ((1 << min(channels, slots)) - 1)); ++ ~GENMASK_U32(min(channels, slots) - 1, 0)); + + return 0; + } diff --git a/queue-7.0/bnxt_en-fix-null-pointer-dereference.patch b/queue-7.0/bnxt_en-fix-null-pointer-dereference.patch new file mode 100644 index 0000000000..c96bab0574 --- /dev/null +++ b/queue-7.0/bnxt_en-fix-null-pointer-dereference.patch @@ -0,0 +1,45 @@ +From d930276f2cddd0b7294cac7a8fe7b877f6d9e08d Mon Sep 17 00:00:00 2001 +From: Kyle Meyer +Date: Fri, 5 Jun 2026 17:25:24 -0500 +Subject: bnxt_en: Fix NULL pointer dereference + +From: Kyle Meyer + +commit d930276f2cddd0b7294cac7a8fe7b877f6d9e08d upstream. + +PCIe errors detected by a Root Port or Downstream Port cause error +recovery services to run on all subordinate devices regardless of +administrative state. + +The .error_detected() callback, bnxt_io_error_detected(), disables +and synchronizes IRQs via bnxt_disable_int_sync(), which calls +bnxt_cp_num_to_irq_num() to map completion rings to IRQs using +bp->bnapi. + +Since bp->bnapi is allocated on NIC open and freed on NIC close, PCIe +error recovery on a closed NIC can dereference a NULL pointer. + +Check if bp->bnapi is NULL before disabling and synchronizing IRQs. + +Fixes: e5811b8c09df ("bnxt_en: Add IRQ remapping logic.") +Cc: stable@vger.kernel.org +Signed-off-by: Kyle Meyer +Reviewed-by: Pavan Chebbi +Link: https://patch.msgid.link/aiNM1CY2-StPilxW@hpe.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -5656,7 +5656,7 @@ static void bnxt_disable_int_sync(struct + { + int i; + +- if (!bp->irq_tbl) ++ if (!bp->irq_tbl || !bp->bnapi) + return; + + atomic_inc(&bp->intr_sem); diff --git a/queue-7.0/drivers-hv-vmbus-improve-the-logic-of-reserving-fb_mmio-on-gen2-vms.patch b/queue-7.0/drivers-hv-vmbus-improve-the-logic-of-reserving-fb_mmio-on-gen2-vms.patch new file mode 100644 index 0000000000..07285eaeee --- /dev/null +++ b/queue-7.0/drivers-hv-vmbus-improve-the-logic-of-reserving-fb_mmio-on-gen2-vms.patch @@ -0,0 +1,149 @@ +From 016a25e4b0df4d77e7c258edee4aaf982e4ee809 Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Thu, 7 May 2026 14:28:38 -0700 +Subject: Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs + +From: Dexuan Cui + +commit 016a25e4b0df4d77e7c258edee4aaf982e4ee809 upstream. + +If vmbus_reserve_fb() in the kdump/kexec kernel fails to properly reserve +the framebuffer MMIO range (which is below 4GB) due to a Gen2 VM's +screen.lfb_base being zero [1], there is an MMIO conflict between the +drivers hyperv-drm and pci-hyperv: when the driver pci-hyperv's +hv_allocate_config_window() calls vmbus_allocate_mmio() to get an +MMIO range, typically it gets a 32-bit MMIO range that overlaps with the +framebuffer MMIO range, and later hv_pci_enter_d0() fails with an +error message "PCI Pass-through VSP failed D0 Entry with status" since +the host thinks that PCI devices must not use MMIO space that the +host has assigned to the framebuffer. + +This is especially an issue if pci-hyperv is built-in and hyperv-drm is +built as a module. Consequently, the kdump/kexec kernel fails to detect +PCI devices via pci-hyperv, and may fail to mount the root file system, +which may reside in a NVMe disk. The issue described here has existed +for SR-IOV VF NICs since day one of the pci-hyperv driver, and has been +worked around on x64 when possible. With the recent introduction of +ARM64 VMs that boot from NVMe, there is no workaround, so we need a +formal fix. + +On Gen2 VMs, if the screen.lfb_base is 0 in the kdump/kexec kernel [1], +fall back to the low MMIO base, which should be equal to the framebuffer +MMIO base [2] (the statement is true according to my testing on x64 +Windows Server 2016, and on x64 and ARM64 Windows Server 2025 and on +Azure. I checked with the Hyper-V team and they said the statement should +continue to be true for Gen2 VMs). In the first kernel, screen.lfb_base +is not 0; if the user specifies a very high resolution, it's not enough +to only reserve 8MB: let's always reserve half of the space below 4GB, +but cap the reservation to 128MB, which is the required framebuffer size +of the highest resolution 7680*4320 supported by Hyper-V. + +While at it, fix the comparison "end > VTPM_BASE_ADDRESS" by changing +the > to >=. Here the 'end' is an inclusive end (typically, it's +0xFFFF_FFFF for the low MMIO range). + +Note: vmbus_reserve_fb() now also reserves an MMIO range at the beginning +of the low MMIO range on CVMs, which have no framebuffers (the +'screen.lfb_base' in vmbus_reserve_fb() is 0 for CVMs), just in case the +host might treat the beginning of the low MMIO range specially [3]. BTW, +the OpenHCL kernel is not affected by the change, because that kernel +boots with DeviceTree rather than ACPI (so vmbus_reserve_fb() won't run +there), and there is no framebuffer device for that kernel. + +Note: normally Gen1 VMs don't have the MMIO conflict issue because the +framebuffer MMIO range (which is hardcoded to base=4GB-128MB and +size=64MB for Gen1 VMs by the host) is always reported via the legacy PCI +graphics device's BAR, so the kdump/kexec kernel can reserve the 64MB +MMIO range; however, if the VM is configured to use a very high resolution +and the required framebuffer size exceeds 64MB (AFAIK, in practice, this +isn't a typical configuration by users), the hyperv-drm driver may need to +allocate an MMIO range above 4GB and change the framebuffer MMIO location +to the allocated MMIO range -- in this case, there can still be issues [4] +which can't be easily fixed: any possible affected Gen1 users would have +to use a resolution whose framebuffer size is <= 64MB, or switch to Gen2 +VMs. + +[1] https://lore.kernel.org/all/SA1PR21MB692176C1BC53BFC9EAE5CF8EBF51A@SA1PR21MB6921.namprd21.prod.outlook.com/ +[2] https://lore.kernel.org/all/SA1PR21MB69218F955B62DFF62E3E88D2BF222@SA1PR21MB6921.namprd21.prod.outlook.com/ +[3] https://lore.kernel.org/all/SN6PR02MB415726B17D5A6027CD1717E8D4342@SN6PR02MB4157.namprd02.prod.outlook.com/ +[4] https://lore.kernel.org/all/SA1PR21MB69213486F821CA5A2C793C81BF342@SA1PR21MB6921.namprd21.prod.outlook.com/ + +Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs") +CC: stable@vger.kernel.org +Reviewed-by: Michael Kelley +Tested-by: Krister Johansen +Tested-by: Matthew Ruffell +Signed-off-by: Dexuan Cui +Signed-off-by: Wei Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hv/vmbus_drv.c | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -2332,8 +2332,8 @@ static acpi_status vmbus_walk_resources( + return AE_NO_MEMORY; + + /* If this range overlaps the virtual TPM, truncate it. */ +- if (end > VTPM_BASE_ADDRESS && start < VTPM_BASE_ADDRESS) +- end = VTPM_BASE_ADDRESS; ++ if (end >= VTPM_BASE_ADDRESS && start < VTPM_BASE_ADDRESS) ++ end = VTPM_BASE_ADDRESS - 1; + + new_res->name = "hyperv mmio"; + new_res->flags = IORESOURCE_MEM; +@@ -2400,6 +2400,7 @@ static void vmbus_mmio_remove(void) + static void __maybe_unused vmbus_reserve_fb(void) + { + resource_size_t start = 0, size; ++ resource_size_t low_mmio_base; + struct pci_dev *pdev; + + if (efi_enabled(EFI_BOOT)) { +@@ -2407,6 +2408,24 @@ static void __maybe_unused vmbus_reserve + if (IS_ENABLED(CONFIG_SYSFB)) { + start = sysfb_primary_display.screen.lfb_base; + size = max_t(__u32, sysfb_primary_display.screen.lfb_size, 0x800000); ++ ++ low_mmio_base = hyperv_mmio->start; ++ if (!low_mmio_base || upper_32_bits(low_mmio_base) || ++ (start && start < low_mmio_base)) { ++ pr_warn("Unexpected low mmio base %pa\n", &low_mmio_base); ++ } else { ++ /* ++ * If the kdump/kexec or CVM kernel's lfb_base ++ * is 0, fall back to the low mmio base. ++ */ ++ if (!start) ++ start = low_mmio_base; ++ /* ++ * Reserve half of the space below 4GB for high ++ * resolutions, but cap the reservation to 128MB. ++ */ ++ size = min((SZ_4G - start) / 2, SZ_128M); ++ } + } + } else { + /* Gen1 VM: get FB base from PCI */ +@@ -2427,8 +2446,10 @@ static void __maybe_unused vmbus_reserve + pci_dev_put(pdev); + } + +- if (!start) ++ if (!start) { ++ pr_warn("Unexpected framebuffer mmio base of zero\n"); + return; ++ } + + /* + * Make a claim for the frame buffer in the resource tree under the +@@ -2438,6 +2459,8 @@ static void __maybe_unused vmbus_reserve + */ + for (; !fb_mmio && (size >= 0x100000); size >>= 1) + fb_mmio = __request_region(hyperv_mmio, start, size, fb_mmio_name, 0); ++ ++ pr_info("hv_mmio=%pR,%pR fb=%pR\n", hyperv_mmio, hyperv_mmio->sibling, fb_mmio); + } + + /** diff --git a/queue-7.0/drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch b/queue-7.0/drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch new file mode 100644 index 0000000000..37f0b69efc --- /dev/null +++ b/queue-7.0/drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch @@ -0,0 +1,48 @@ +From 49c3da65961fe9857c831d47fa1989084e87514a Mon Sep 17 00:00:00 2001 +From: Harry Wentland +Date: Tue, 5 May 2026 11:50:07 -0400 +Subject: drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() + +From: Harry Wentland + +commit 49c3da65961fe9857c831d47fa1989084e87514a upstream. + +[Why & How] +gpio_bitshift is a uint8_t read directly from the VBIOS GPIO pin table. +If the value is >= 32, the expression "1 << gpio_bitshift" triggers +undefined behaviour in C (shift count exceeds type width). On x86 the +shift is silently masked to 5 bits, producing an incorrect GPIO mask +that may cause wrong MMIO register bits to be toggled. + +Validate gpio_bitshift before use and return BP_RESULT_BADBIOSTABLE for +out-of-range values. + +Fixes: ae79c310b1a6 ("drm/amd/display: Add DCE12 bios parser support") +Assisted-by: Copilot:claude-opus-4.6 +Reviewed-by: Alex Hung +Signed-off-by: Harry Wentland +Signed-off-by: Ray Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit eadf438ab8d370b9d19acee9359918c85afeb80d) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c ++++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c +@@ -700,8 +700,10 @@ static enum bp_result bios_parser_get_gp + info->offset_en = info->offset + 1; + info->offset_mask = info->offset - 1; + +- info->mask = (uint32_t) (1 << +- header->gpio_pin[i].gpio_bitshift); ++ if (header->gpio_pin[i].gpio_bitshift >= 32) ++ return BP_RESULT_BADBIOSTABLE; ++ ++ info->mask = 1u << header->gpio_pin[i].gpio_bitshift; + info->mask_y = info->mask + 2; + info->mask_en = info->mask + 1; + info->mask_mask = info->mask - 1; diff --git a/queue-7.0/drm-virtio-fix-dma_fence-refcount-leak-on-error-in-virtio_gpu_dma_fence_wait.patch b/queue-7.0/drm-virtio-fix-dma_fence-refcount-leak-on-error-in-virtio_gpu_dma_fence_wait.patch new file mode 100644 index 0000000000..e034a123be --- /dev/null +++ b/queue-7.0/drm-virtio-fix-dma_fence-refcount-leak-on-error-in-virtio_gpu_dma_fence_wait.patch @@ -0,0 +1,46 @@ +From 3f26bb732cc136ab20176697c92f32c9c84cb125 Mon Sep 17 00:00:00 2001 +From: Wentao Liang +Date: Sun, 7 Jun 2026 09:03:03 +0000 +Subject: drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait() + +From: Wentao Liang + +commit 3f26bb732cc136ab20176697c92f32c9c84cb125 upstream. + +dma_fence_unwrap_for_each() internally calls dma_fence_unwrap_first() +which does cursor->chain = dma_fence_get(head), taking an extra +reference. On normal loop completion, dma_fence_unwrap_next() +releases this via dma_fence_chain_walk() -> dma_fence_put(). + +When virtio_gpu_do_fence_wait() fails and the function returns early +from inside the loop, the cursor->chain reference is never released. +This is the only caller in the entire kernel that does an early return +inside dma_fence_unwrap_for_each. + +Add dma_fence_put(itr.chain) before the early return. + +Cc: stable@vger.kernel.org +Fixes: eba57fb5498f ("drm/virtio: Wait for each dma-fence of in-fence array individually") +Signed-off-by: Wentao Liang +Reviewed-by: Dmitry Osipenko +Signed-off-by: Dmitry Osipenko +Link: https://patch.msgid.link/20260607090303.92423-1-vulab@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/virtio/virtgpu_submit.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/virtio/virtgpu_submit.c ++++ b/drivers/gpu/drm/virtio/virtgpu_submit.c +@@ -65,8 +65,10 @@ static int virtio_gpu_dma_fence_wait(str + + dma_fence_unwrap_for_each(f, &itr, fence) { + err = virtio_gpu_do_fence_wait(submit, f); +- if (err) ++ if (err) { ++ dma_fence_put(itr.chain); + return err; ++ } + } + + return 0; diff --git a/queue-7.0/fhandle-fix-uaf-due-to-unlocked-mnt_ns-read-in-may_decode_fh.patch b/queue-7.0/fhandle-fix-uaf-due-to-unlocked-mnt_ns-read-in-may_decode_fh.patch new file mode 100644 index 0000000000..3025c7d848 --- /dev/null +++ b/queue-7.0/fhandle-fix-uaf-due-to-unlocked-mnt_ns-read-in-may_decode_fh.patch @@ -0,0 +1,149 @@ +From 40ab6644b99685755f740b872c00ef40d9aa870e Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 3 Jun 2026 21:31:57 +0200 +Subject: fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh() + +From: Jann Horn + +commit 40ab6644b99685755f740b872c00ef40d9aa870e upstream. + +may_decode_fh() accesses mount::mnt_ns without holding any locks; that +means the mount can concurrently be unmounted, and the mnt_namespace can +concurrently be freed after an RCU grace period. + +This race can happens as follows, assuming that the mount point was +created by open_tree(..., OPEN_TREE_CLONE): + +thread 1 thread 2 RCU + __do_sys_open_by_handle_at + do_handle_open + handle_to_path + may_decode_fh + is_mounted + [mount::mnt_ns access] + [mount::mnt_ns access] +__do_sys_close + fput_close_sync + __fput + dissolve_on_fput + umount_tree + class_namespace_excl_destructor + namespace_unlock + free_mnt_ns + mnt_ns_tree_remove + call_rcu(mnt_ns_release_rcu) + mnt_ns_release_rcu + mnt_ns_release + kfree + [mnt_namespace::user_ns access] **UAF** + +Fix it by taking rcu_read_lock() around the mount::mnt_ns access, like +in __prepend_path(). +Additionally, document the semantics of mount::mnt_ns, and use WRITE_ONCE() +for writers that can race with lockless readers. + +This bug is unreachable unless one of the following is set: + + - CONFIG_PREEMPTION + - CONFIG_RCU_STRICT_GRACE_PERIOD + +because it requires an RCU grace period to happen during a syscall without +an explicit preemption. + +This doesn't seem to have interesting security impact; worst-case, it could +leak the result of an integer comparison to userspace (from the level +check in cap_capable()), cause an endless loop, or crash the kernel by +dereferencing an invalid address. + +Fixes: 620c266f3949 ("fhandle: relax open_by_handle_at() permission checks") +Cc: stable@vger.kernel.org +Signed-off-by: Jann Horn +Link: https://patch.msgid.link/20260603-vfs-fhandle-uaf-fix-v2-1-d05db76a5084@google.com +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Greg Kroah-Hartman +--- + fs/fhandle.c | 16 ++++++++++++++-- + fs/mount.h | 10 +++++++++- + fs/namespace.c | 6 +++--- + 3 files changed, 26 insertions(+), 6 deletions(-) + +--- a/fs/fhandle.c ++++ b/fs/fhandle.c +@@ -285,6 +285,19 @@ static int do_handle_to_path(struct file + return 0; + } + ++static bool capable_wrt_mount(struct mount *mount) ++{ ++ struct mnt_namespace *mnt_ns; ++ ++ /* ++ * For ->mnt_ns access. ++ * The following READ_ONCE() is semantically rcu_dereference(). ++ */ ++ guard(rcu)(); ++ mnt_ns = READ_ONCE(mount->mnt_ns); ++ return ns_capable(mnt_ns->user_ns, CAP_SYS_ADMIN); ++} ++ + static inline int may_decode_fh(struct handle_to_path_ctx *ctx, + unsigned int o_flags) + { +@@ -320,8 +333,7 @@ static inline int may_decode_fh(struct h + if (ns_capable(root->mnt->mnt_sb->s_user_ns, CAP_SYS_ADMIN)) + ctx->flags = HANDLE_CHECK_PERMS; + else if (is_mounted(root->mnt) && +- ns_capable(real_mount(root->mnt)->mnt_ns->user_ns, +- CAP_SYS_ADMIN) && ++ capable_wrt_mount(real_mount(root->mnt)) && + !has_locked_children(real_mount(root->mnt), root->dentry)) + ctx->flags = HANDLE_CHECK_PERMS | HANDLE_CHECK_SUBTREE; + else +--- a/fs/mount.h ++++ b/fs/mount.h +@@ -71,7 +71,15 @@ struct mount { + struct hlist_head mnt_slave_list;/* list of slave mounts */ + struct hlist_node mnt_slave; /* slave list entry */ + struct mount *mnt_master; /* slave is on master->mnt_slave_list */ +- struct mnt_namespace *mnt_ns; /* containing namespace */ ++ /* ++ * Containing namespace (active or deactivating, non-refcounted). ++ * Normally protected by namespace_sem. ++ * Can also be accessed locklessly under RCU. RCU readers can't rely on ++ * the namespace still being active, but implicitly hold a passive ++ * reference (because an RCU delay happens between a namespace being ++ * deactivated and the corresponding passive refcount drop). ++ */ ++ struct mnt_namespace *mnt_ns; + struct mountpoint *mnt_mp; /* where is it mounted */ + union { + struct hlist_node mnt_mp_list; /* list mounts with the same mountpoint */ +--- a/fs/namespace.c ++++ b/fs/namespace.c +@@ -1079,7 +1079,7 @@ static void mnt_add_to_ns(struct mnt_nam + bool mnt_first_node = true, mnt_last_node = true; + + WARN_ON(mnt_ns_attached(mnt)); +- mnt->mnt_ns = ns; ++ WRITE_ONCE(mnt->mnt_ns, ns); + while (*link) { + parent = *link; + if (mnt->mnt_id_unique < node_to_mount(parent)->mnt_id_unique) { +@@ -1434,7 +1434,7 @@ EXPORT_SYMBOL(mntget); + void mnt_make_shortterm(struct vfsmount *mnt) + { + if (mnt) +- real_mount(mnt)->mnt_ns = NULL; ++ WRITE_ONCE(real_mount(mnt)->mnt_ns, NULL); + } + + /** +@@ -1806,7 +1806,7 @@ static void umount_tree(struct mount *mn + ns->nr_mounts--; + __touch_mnt_namespace(ns); + } +- p->mnt_ns = NULL; ++ WRITE_ONCE(p->mnt_ns, NULL); + if (how & UMOUNT_SYNC) + p->mnt.mnt_flags |= MNT_SYNC_UMOUNT; + diff --git a/queue-7.0/hv-utils-handle-and-propagate-errors-in-kvp_register.patch b/queue-7.0/hv-utils-handle-and-propagate-errors-in-kvp_register.patch new file mode 100644 index 0000000000..a378bac445 --- /dev/null +++ b/queue-7.0/hv-utils-handle-and-propagate-errors-in-kvp_register.patch @@ -0,0 +1,85 @@ +From 3fcf923302a8f5c0dc3af3d2ca2657cb5fae4297 Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Tue, 14 Apr 2026 13:10:08 +0200 +Subject: hv: utils: handle and propagate errors in kvp_register + +From: Thorsten Blum + +commit 3fcf923302a8f5c0dc3af3d2ca2657cb5fae4297 upstream. + +Make kvp_register() return an error code instead of silently ignoring +failures, and propagate the error from kvp_handle_handshake() instead of +returning success. + +This propagates both kzalloc_obj() and hvutil_transport_send() failures +to kvp_handle_handshake() and thus to kvp_on_msg(). + +Fixes: 245ba56a52a3 ("Staging: hv: Implement key/value pair (KVP)") +Cc: stable@vger.kernel.org +Signed-off-by: Thorsten Blum +Reviewed-by: Long Li +Signed-off-by: Wei Liu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hv/hv_kvp.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +--- a/drivers/hv/hv_kvp.c ++++ b/drivers/hv/hv_kvp.c +@@ -93,7 +93,7 @@ static void kvp_send_key(struct work_str + static void kvp_respond_to_host(struct hv_kvp_msg *msg, int error); + static void kvp_timeout_func(struct work_struct *dummy); + static void kvp_host_handshake_func(struct work_struct *dummy); +-static void kvp_register(int); ++static int kvp_register(int); + + static DECLARE_DELAYED_WORK(kvp_timeout_work, kvp_timeout_func); + static DECLARE_DELAYED_WORK(kvp_host_handshake_work, kvp_host_handshake_func); +@@ -127,24 +127,26 @@ static void kvp_register_done(void) + hv_poll_channel(kvp_transaction.recv_channel, kvp_poll_wrapper); + } + +-static void ++static int + kvp_register(int reg_value) + { + + struct hv_kvp_msg *kvp_msg; + char *version; ++ int ret; + + kvp_msg = kzalloc_obj(*kvp_msg); ++ if (!kvp_msg) ++ return -ENOMEM; + +- if (kvp_msg) { +- version = kvp_msg->body.kvp_register.version; +- kvp_msg->kvp_hdr.operation = reg_value; +- strcpy(version, HV_DRV_VERSION); +- +- hvutil_transport_send(hvt, kvp_msg, sizeof(*kvp_msg), +- kvp_register_done); +- kfree(kvp_msg); +- } ++ version = kvp_msg->body.kvp_register.version; ++ kvp_msg->kvp_hdr.operation = reg_value; ++ strcpy(version, HV_DRV_VERSION); ++ ++ ret = hvutil_transport_send(hvt, kvp_msg, sizeof(*kvp_msg), ++ kvp_register_done); ++ kfree(kvp_msg); ++ return ret; + } + + static void kvp_timeout_func(struct work_struct *dummy) +@@ -186,9 +188,8 @@ static int kvp_handle_handshake(struct h + */ + pr_debug("KVP: userspace daemon ver. %d connected\n", + msg->kvp_hdr.operation); +- kvp_register(dm_reg_value); + +- return 0; ++ return kvp_register(dm_reg_value); + } + + diff --git a/queue-7.0/ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch b/queue-7.0/ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch new file mode 100644 index 0000000000..03a1f17c73 --- /dev/null +++ b/queue-7.0/ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch @@ -0,0 +1,58 @@ +From 29e7b925ae6df64894e82ab6419994dc25580a8a Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Tue, 2 Jun 2026 15:46:42 -0400 +Subject: IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN + +From: Michael Bommarito + +commit 29e7b925ae6df64894e82ab6419994dc25580a8a upstream. + +In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done() +computes the login request payload length as wc->byte_len minus +ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int. +A remote iSER initiator can post a login Send work request carrying +fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows +and login_req_len becomes negative. + +isert_rx_login_req() then reads that negative length back into a signed +int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the +min() is signed it keeps the negative value; the value is then passed as +the memcpy() length and sign-extended to a multi-gigabyte size_t. The +copy into the 8192-byte login->req_buf runs far out of bounds and +faults, crashing the target node. The login phase precedes iSCSI +authentication, so no credentials are required to reach this path. + +Reject any login PDU shorter than ISER_HEADERS_LEN before the +subtraction, mirroring the existing early return on a failed work +completion, so login_req_len can never go negative. The upper bound was +already safe: a posted login buffer cannot deliver more than +ISER_RX_PAYLOAD_SIZE, so the difference stays at or below +MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing +lower bound needs to be added. + +Fixes: b8d26b3be8b3 ("iser-target: Add iSCSI Extensions for RDMA (iSER) target driver") +Link: https://patch.msgid.link/r/20260602194642.2273217-1-michael.bommarito@gmail.com +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-8 +Signed-off-by: Michael Bommarito +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/isert/ib_isert.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -1383,6 +1383,12 @@ isert_login_recv_done(struct ib_cq *cq, + ib_dma_sync_single_for_cpu(ib_dev, isert_conn->login_desc->dma_addr, + ISER_RX_SIZE, DMA_FROM_DEVICE); + ++ if (unlikely(wc->byte_len < ISER_HEADERS_LEN)) { ++ isert_dbg("login request length %u is too short\n", ++ wc->byte_len); ++ return; ++ } ++ + isert_conn->login_req_len = wc->byte_len - ISER_HEADERS_LEN; + + if (isert_conn->conn) { diff --git a/queue-7.0/inet-frags-fix-use-after-free-caused-by-the-fqdir_pre_exit-flush.patch b/queue-7.0/inet-frags-fix-use-after-free-caused-by-the-fqdir_pre_exit-flush.patch new file mode 100644 index 0000000000..f501d8512e --- /dev/null +++ b/queue-7.0/inet-frags-fix-use-after-free-caused-by-the-fqdir_pre_exit-flush.patch @@ -0,0 +1,70 @@ +From 32594b09854970d7ba83eb2dc8c69a2edd158c8e Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Tue, 2 Jun 2026 19:21:05 +0900 +Subject: inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush + +From: Hyunwoo Kim + +commit 32594b09854970d7ba83eb2dc8c69a2edd158c8e upstream. + +On netns teardown, fqdir_pre_exit() walks the fqdir rhashtable and +flushes every fragment queue that is not yet complete using +inet_frag_queue_flush(). That helper frees all the skbs queued on the +fragment queue but does not set INET_FRAG_COMPLETE, and leaves +q->fragments_tail and q->last_run_head pointing at the freed skbs. +The queue itself stays in the rhashtable. + +fqdir_pre_exit() first lowers high_thresh to 0 to stop new queue lookups, +but it cannot stop a fragment that already obtained the queue through +inet_frag_find() earlier and stalled just before taking the queue lock. +Once that fragment resumes after the flush and takes the queue lock, +it passes the INET_FRAG_COMPLETE check and then dereferences the freed +fragments_tail. inet_frag_queue_insert() reads FRAG_CB() and ->len of +that pointer and, on the append path, writes ->next_frag, causing a +slab use-after-free. IPv6, nf_conntrack_reasm6 and 6lowpan reassembly +share the same flush path and are affected as well. + +Reset rb_fragments, fragments_tail and last_run_head in +inet_frag_queue_flush() so a flushed queue no longer points at the +freed skbs. A fragment that resumes after the flush and takes the +queue lock then finds an empty queue and starts a new run instead of +dereferencing the freed fragments_tail. ip_frag_reinit() already +performed this reset after its own flush, so drop the now duplicate +code there. + +Cc: stable@vger.kernel.org +Fixes: 006a5035b495 ("inet: frags: flush pending skbs in fqdir_pre_exit()") +Suggested-by: Eric Dumazet +Signed-off-by: Hyunwoo Kim +Link: https://patch.msgid.link/ah6ukYq5G98LshdA@v4bel +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/inet_fragment.c | 3 +++ + net/ipv4/ip_fragment.c | 3 --- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/net/ipv4/inet_fragment.c ++++ b/net/ipv4/inet_fragment.c +@@ -328,6 +328,9 @@ void inet_frag_queue_flush(struct inet_f + reason = reason ?: SKB_DROP_REASON_FRAG_REASM_TIMEOUT; + sum = inet_frag_rbtree_purge(&q->rb_fragments, reason); + sub_frag_mem_limit(q->fqdir, sum); ++ q->rb_fragments = RB_ROOT; ++ q->fragments_tail = NULL; ++ q->last_run_head = NULL; + } + EXPORT_SYMBOL(inet_frag_queue_flush); + +--- a/net/ipv4/ip_fragment.c ++++ b/net/ipv4/ip_fragment.c +@@ -250,9 +250,6 @@ static int ip_frag_reinit(struct ipq *qp + qp->q.flags = 0; + qp->q.len = 0; + qp->q.meat = 0; +- qp->q.rb_fragments = RB_ROOT; +- qp->q.fragments_tail = NULL; +- qp->q.last_run_head = NULL; + qp->iif = 0; + qp->ecn = 0; + diff --git a/queue-7.0/io_uring-kbuf-don-t-truncate-end-buffer-for-bundles.patch b/queue-7.0/io_uring-kbuf-don-t-truncate-end-buffer-for-bundles.patch new file mode 100644 index 0000000000..642256539e --- /dev/null +++ b/queue-7.0/io_uring-kbuf-don-t-truncate-end-buffer-for-bundles.patch @@ -0,0 +1,43 @@ +From 70f4886bcbb929e88038c8807f1daf7fc587ae7c Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Sun, 7 Jun 2026 16:05:47 -0600 +Subject: io_uring/kbuf: don't truncate end buffer for bundles + +From: Jens Axboe + +commit 70f4886bcbb929e88038c8807f1daf7fc587ae7c upstream. + +If buffers have been peeked for a bundle receive, the kernel will +truncate the end buffer, if the available length is shorter than the +buffer itself. This is unnecessary, as applications iterating bundle +receives must always use the minimum size of the buffer length and the +remaining number of bytes in the bundle. The examples in liburing do +that as well, eg examples/proxy.c. + +If the kernel does truncate this buffer AND the current transfer fails, +then the buffer will be left with a smaller size than what is otherwise +available. + +Just remove the buffer truncation, as it's not necessary in the first +place. + +Link: https://lore.kernel.org/io-uring/CAAEr8jbY60noGj1fw_k91UJRBkyiRVoS6=nLhZ7Svwidjn4CAA@mail.gmail.com/ +Reported-by: Federico Brasili +Cc: stable@vger.kernel.org +Fixes: 35c8711c8fc4 ("io_uring/kbuf: add helpers for getting/peeking multiple buffers") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/kbuf.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/io_uring/kbuf.c ++++ b/io_uring/kbuf.c +@@ -305,7 +305,6 @@ static int io_ring_buffers_peek(struct i + arg->partial_map = 1; + if (iov != arg->iovs) + break; +- WRITE_ONCE(buf->len, len); + } + } + diff --git a/queue-7.0/io_uring-net-inherit-ioring_cqe_f_buf_more-across-bundle-recv-retries.patch b/queue-7.0/io_uring-net-inherit-ioring_cqe_f_buf_more-across-bundle-recv-retries.patch new file mode 100644 index 0000000000..d4944cd5e2 --- /dev/null +++ b/queue-7.0/io_uring-net-inherit-ioring_cqe_f_buf_more-across-bundle-recv-retries.patch @@ -0,0 +1,62 @@ +From ed46f39c47eb5530a9c161481a2080d3a869cfaf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Cl=C3=A9ment=20L=C3=A9ger?= +Date: Thu, 4 Jun 2026 09:07:13 -0700 +Subject: io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Léger + +commit ed46f39c47eb5530a9c161481a2080d3a869cfaf upstream. + +When a bundle recv retries inside io_recv_finish(), the merge logic OR +the saved cflags from the previous iteration with the cflags returned by +the new iteration: + cflags = req->cqe.flags | (cflags & CQE_F_MASK); + +Bits listed in CQE_F_MASK are inherited from the new iteration, and all +other bits (notably IORING_CQE_F_BUFFER and the buffer ID) come from the +saved cflags. Before this change CQE_F_MASK covered only +IORING_CQE_F_SOCK_NONEMPTY and IORING_CQE_F_MORE. + +When using provided buffer rings (IOU_PBUF_RING_INC) with incremental +mode, and bundle recv, io_kbuf_inc_commit() can leave the head ring +entry partially consumed, __io_put_kbufs() then sets +IORING_CQE_F_BUF_MORE on the returned cflags so userspace knows the +buffer ID will be reused for subsequent completions. + +Because IORING_CQE_F_BUF_MORE was not in CQE_F_MASK, the merge above +silently dropped it whenever the final retry iteration partially +consumed the buffer, and the subsequent req->cqe.flags = cflags & +~CQE_F_MASK save would have left a stale IORING_CQE_F_BUF_MORE in the +carried-over cflags had one been present. Userspace would then +wrongfully advance it ring head past an entry the kernel still uses. + +Add IORING_CQE_F_BUF_MORE to CQE_F_MASK so it is both inherited from the +new iteration into the user-visible CQE and stripped from the saved +cflags between iterations. + +Cc: stable@vger.kernel.org +Signed-off-by: Clément Léger +Assisted-by: Claude:claude-opus-4.6 +Fixes: ae98dbf43d75 ("io_uring/kbuf: add support for incremental buffer consumption") +Link: https://patch.msgid.link/20260604160715.2482972-1-cleger@meta.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -838,7 +838,8 @@ int io_recvmsg_prep(struct io_kiocb *req + } + + /* bits to clear in old and inherit in new cflags on bundle retry */ +-#define CQE_F_MASK (IORING_CQE_F_SOCK_NONEMPTY|IORING_CQE_F_MORE) ++#define CQE_F_MASK (IORING_CQE_F_SOCK_NONEMPTY|IORING_CQE_F_MORE|\ ++ IORING_CQE_F_BUF_MORE) + + /* + * Finishes io_recv and io_recvmsg. diff --git a/queue-7.0/io_uring-wait-fix-min_timeout-behavior.patch b/queue-7.0/io_uring-wait-fix-min_timeout-behavior.patch new file mode 100644 index 0000000000..af6c1b00d2 --- /dev/null +++ b/queue-7.0/io_uring-wait-fix-min_timeout-behavior.patch @@ -0,0 +1,37 @@ +From 29fe1bd01b99714f3136f922230a643c2742cda9 Mon Sep 17 00:00:00 2001 +From: "Christian A. Ehrhardt" +Date: Sat, 6 Jun 2026 22:11:20 +0200 +Subject: io_uring/wait: fix min_timeout behavior + +From: Christian A. Ehrhardt + +commit 29fe1bd01b99714f3136f922230a643c2742cda9 upstream. + +The wakeup condition if a min timeout is present and has expired is that +at least _one_ CQE was posted. Thus set the cq_tail target to +->cq_min_tail + 1. Without this commit a spurious wakeup can result in a +premature wakeup because io_should_wake() will return true even if _no_ +CQE was posted at all. + +Cc: Tip ten Brink +Fixes: e15cb2200b93 ("io_uring: fix min_wait wakeups for SQPOLL") +Cc: stable@vger.kernel.org +Signed-off-by: Christian A. Ehrhardt +Link: https://patch.msgid.link/20260606201120.1441447-1-lk@c--e.de +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/wait.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/io_uring/wait.c ++++ b/io_uring/wait.c +@@ -102,7 +102,7 @@ static enum hrtimer_restart io_cqring_mi + } + + /* any generated CQE posted past this time should wake us up */ +- iowq->cq_tail = iowq->cq_min_tail; ++ iowq->cq_tail = iowq->cq_min_tail + 1; + + hrtimer_update_function(&iowq->t, io_cqring_timer_wakeup); + hrtimer_set_expires(timer, iowq->timeout); diff --git a/queue-7.0/ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-double-smb2_cancel.patch b/queue-7.0/ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-double-smb2_cancel.patch new file mode 100644 index 0000000000..0d7cd06d33 --- /dev/null +++ b/queue-7.0/ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-double-smb2_cancel.patch @@ -0,0 +1,69 @@ +From f580d27e8928828693df44ba2db0fffdbe11dfea Mon Sep 17 00:00:00 2001 +From: Gil Portnoy +Date: Mon, 1 Jun 2026 08:27:56 +0900 +Subject: ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL + +From: Gil Portnoy + +commit f580d27e8928828693df44ba2db0fffdbe11dfea upstream. + +A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on +conn->async_requests via setup_async_work(), with cancel_fn = +smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock. + +When the request is cancelled, the worker frees the file_lock with +locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never +reaches release_async_work() -- the only site that unlinks the work from +conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays +matchable on async_requests with a live cancel_fn pointing at the freed file_lock, +until connection teardown finally runs release_async_work(). + +smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second +SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs +smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free: + + BUG: KASAN: slab-use-after-free in __locks_delete_block + __locks_delete_block + locks_delete_block + ksmbd_vfs_posix_lock_unblock + smb2_remove_blocked_lock + smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn + handle_ksmbd_work + Allocated by ...: locks_alloc_lock <- smb2_lock + Freed by ...: locks_free_lock <- smb2_lock (cancelled branch) + ... cache file_lock_cache of size 192 + +Reproduced on mainline with KASAN by an authenticated SMB client. + +Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback +cannot be fired a second time. + +Cc: stable@vger.kernel.org +Signed-off-by: Gil Portnoy +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -7327,6 +7327,17 @@ int smb2_cancel(struct ksmbd_work *work) + le64_to_cpu(hdr->Id.AsyncId)) + continue; + ++ /* ++ * A cancelled deferred byte-range lock frees its ++ * file_lock and takes the smb2_lock() early-exit that ++ * skips release_async_work(), so the work stays on ++ * conn->async_requests with a live cancel_fn pointing ++ * at the freed file_lock. Re-firing it on a second ++ * SMB2_CANCEL is a use-after-free. ++ */ ++ if (iter->state == KSMBD_WORK_CANCELLED) ++ break; ++ + ksmbd_debug(SMB, + "smb2 with AsyncId %llu cancelled command = 0x%x\n", + le64_to_cpu(hdr->Id.AsyncId), diff --git a/queue-7.0/mm-damon-ops-common-call-folio_test_lru-after-folio_get.patch b/queue-7.0/mm-damon-ops-common-call-folio_test_lru-after-folio_get.patch new file mode 100644 index 0000000000..ded719c918 --- /dev/null +++ b/queue-7.0/mm-damon-ops-common-call-folio_test_lru-after-folio_get.patch @@ -0,0 +1,57 @@ +From d6b8b02a27b3dd09ec12144322b3dac46d9bc9ef Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Mon, 25 May 2026 09:22:55 -0700 +Subject: mm/damon/ops-common: call folio_test_lru() after folio_get() + +From: SeongJae Park + +commit d6b8b02a27b3dd09ec12144322b3dac46d9bc9ef upstream. + +damon_get_folio() speculatively calls folio_test_lru() before +folio_try_get(). The folio can get freed and reallocated to a tail page. +In the case, VM_BUG_ON_PGFLAGS() in const_folio_flags() can be triggered. +Remove the speculative call. + +Also mark folio_test_lru() check right after folio_try_get() success as no +more unlikely. + +The race should be rare. Also the problem can happen only if the kernel +has enabled CONFIG_DEBUG_VM_PGFLAGS. No real world report of this issue +has been made so far. This fix is based on only theoretical analysis. +That said, a bug is a bug. A similar issue was also fixed via commit +3203b3ab0fcf ("mm/filemap: don't call folio_test_locked() without a +reference in next_uptodate_folio()"). I don't expect this change will +make a meaningful impact to DAMON performance in the real world, though I +will be happy to be corrected from the real world reports. + +The issue was discovered [1] by Sashiko. + + +Link: https://lore.kernel.org/20260525162256.8317-1-sj@kernel.org +Link: https://lore.kernel.org/20260517234112.89245-1-sj@kernel.org [1] +Fixes: 3f49584b262c ("mm/damon: implement primitives for the virtual memory address spaces") +Signed-off-by: SeongJae Park +Cc: Fernand Sieber +Cc: Leonard Foerster +Cc: Shakeel Butt +Cc: # 5.15.x +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/ops-common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/mm/damon/ops-common.c ++++ b/mm/damon/ops-common.c +@@ -32,9 +32,9 @@ struct folio *damon_get_folio(unsigned l + return NULL; + + folio = page_folio(page); +- if (!folio_test_lru(folio) || !folio_try_get(folio)) ++ if (!folio_try_get(folio)) + return NULL; +- if (unlikely(page_folio(page) != folio || !folio_test_lru(folio))) { ++ if (unlikely(page_folio(page) != folio) || !folio_test_lru(folio)) { + folio_put(folio); + folio = NULL; + } diff --git a/queue-7.0/mm-huge_memory-update-file-pmd-counter-before-folio_put.patch b/queue-7.0/mm-huge_memory-update-file-pmd-counter-before-folio_put.patch new file mode 100644 index 0000000000..809db26219 --- /dev/null +++ b/queue-7.0/mm-huge_memory-update-file-pmd-counter-before-folio_put.patch @@ -0,0 +1,52 @@ +From 8d878059924f12c1bc24556a92ec56add74de3c8 Mon Sep 17 00:00:00 2001 +From: Yin Tirui +Date: Tue, 26 May 2026 18:13:37 +0800 +Subject: mm/huge_memory: update file PMD counter before folio_put() + +From: Yin Tirui + +commit 8d878059924f12c1bc24556a92ec56add74de3c8 upstream. + +__split_huge_pmd_locked() updates the file/shmem RSS counter after +dropping the PMD mapping's folio reference. If folio_put() drops the last +reference, mm_counter_file() can later read freed folio state via +folio_test_swapbacked(). + +Move the counter update before folio_put(). + +Link: https://lore.kernel.org/20260526101337.1984081-1-yintirui@huawei.com +Fixes: fadae2953072 ("thp: use mm_file_counter to determine update which rss counter") +Signed-off-by: Yin Tirui +Reviewed-by: Lorenzo Stoakes +Acked-by: David Hildenbrand (arm) +Reviewed-by: Lance Yang +Reviewed-by: Dev Jain +Cc: Baolin Wang +Cc: Barry Song +Cc: Chen Jun +Cc: Kefeng Wang +Cc: Liam R. Howlett +Cc: Nico Pache +Cc: Ryan Roberts +Cc: Vlastimil Babka +Cc: Yang Shi +Cc: Zi Yan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -3031,7 +3031,9 @@ static void __split_huge_pmd_locked(stru + if (!folio_test_referenced(folio) && pmd_young(old_pmd)) + folio_set_referenced(folio); + folio_remove_rmap_pmd(folio, page, vma); ++ add_mm_counter(mm, mm_counter_file(folio), -HPAGE_PMD_NR); + folio_put(folio); ++ return; + } + add_mm_counter(mm, mm_counter_file(folio), -HPAGE_PMD_NR); + return; diff --git a/queue-7.0/mm-huge_memory-update-file-pud-counter-before-folio_put.patch b/queue-7.0/mm-huge_memory-update-file-pud-counter-before-folio_put.patch new file mode 100644 index 0000000000..33f6957731 --- /dev/null +++ b/queue-7.0/mm-huge_memory-update-file-pud-counter-before-folio_put.patch @@ -0,0 +1,52 @@ +From 40990c87a26e371594475acdc560c93cfae308a1 Mon Sep 17 00:00:00 2001 +From: Yin Tirui +Date: Tue, 26 May 2026 18:13:55 +0800 +Subject: mm/huge_memory: update file PUD counter before folio_put() + +From: Yin Tirui + +commit 40990c87a26e371594475acdc560c93cfae308a1 upstream. + +__split_huge_pud_locked() updates the file/shmem RSS counter after +dropping the PUD mapping's folio reference. If folio_put() drops the last +reference, mm_counter_file() can later read freed folio state via +folio_test_swapbacked(). + +Move the counter update before folio_put(). + +Link: https://lore.kernel.org/20260526101355.1984244-1-yintirui@huawei.com +Fixes: dbe54153296d ("mm/huge_memory: add vmf_insert_folio_pud()") +Signed-off-by: Yin Tirui +Reviewed-by: Lorenzo Stoakes +Acked-by: David Hildenbrand (arm) +Reviewed-by: Lance Yang +Reviewed-by: Dev Jain +Cc: Alistair Popple +Cc: Baolin Wang +Cc: Barry Song +Cc: Chen Jun +Cc: Kefeng Wang +Cc: Liam R. Howlett +Cc: Nico Pache +Cc: Ryan Roberts +Cc: Zi Yan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2913,9 +2913,9 @@ static void __split_huge_pud_locked(stru + if (!folio_test_referenced(folio) && pud_young(old_pud)) + folio_set_referenced(folio); + folio_remove_rmap_pud(folio, page, vma); +- folio_put(folio); + add_mm_counter(vma->vm_mm, mm_counter_file(folio), + -HPAGE_PUD_NR); ++ folio_put(folio); + } + + void __split_huge_pud(struct vm_area_struct *vma, pud_t *pud, diff --git a/queue-7.0/mptcp-add-addr-always-drop-other-suboptions.patch b/queue-7.0/mptcp-add-addr-always-drop-other-suboptions.patch new file mode 100644 index 0000000000..23bac1b0be --- /dev/null +++ b/queue-7.0/mptcp-add-addr-always-drop-other-suboptions.patch @@ -0,0 +1,164 @@ +From bd34fa0257261b76964df1c98f44b3cb4ee14620 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 2 Jun 2026 22:14:18 +1000 +Subject: mptcp: add-addr: always drop other suboptions + +From: Matthieu Baerts (NGI0) + +commit bd34fa0257261b76964df1c98f44b3cb4ee14620 upstream. + +When an ADD_ADDR needs to be sent, it could be prepared if there is +enough remaining space and even if the packet is not a pure ACK. But it +would be dropped soon after. + +Indeed, in mptcp_pm_add_addr_signal(), there is enough space to fit a +DSS of 20 octets and an ADD_ADDR echo containing an IPv4 address on 8 +octets for example. In this case, the packet would be prepared, the +MPTCP_ADD_ADDR_ECHO bit would be removed from pm->addr_signal, but the +option would be silently dropped in mptcp_established_options_add_addr() +not to override DSS info in the union from 'struct mptcp_out_options', +and also because mptcp_write_options() will enforce mutually exclusion +with DSS. + +Instead, don't even try to send an ADD_ADDR if it is not a pure ACK. +Retry for each new packet until a pure-ACK is emitted. That's fine to do +that, because each time an ADD_ADDR (echo) is scheduled, a pure ACK is +queued. + +This also simplifies the code, and the skb checks can be done earlier, +before the lock. + +Note: also, since commit 6d0060f600ad ("mptcp: Write MPTCP DSS headers +to outgoing data packets"), opts->ahmac would not have been set to 0 +when other suboptions were not dropped, and when sending an ADD_ADDR +echo. That would have resulted in sending an ADD_ADDR using garbage +info, where there was not enough space, instead of an echo one without +the ADD_ADDR HMAC. + +Fixes: 1bff1e43a30e ("mptcp: optimize out option generation") +Cc: stable@vger.kernel.org +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-11-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 30 +++++++----------------------- + net/mptcp/pm.c | 15 ++++----------- + net/mptcp/protocol.h | 7 +++---- + 3 files changed, 14 insertions(+), 38 deletions(-) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -661,7 +661,6 @@ static bool mptcp_established_options_ad + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk); + struct mptcp_sock *msk = mptcp_sk(subflow->conn); +- bool drop_other_suboptions = false; + unsigned int opt_size = *size; + struct mptcp_addr_info addr; + bool echo; +@@ -672,36 +671,20 @@ static bool mptcp_established_options_ad + */ + if (!mptcp_pm_should_add_signal(msk) || + (opts->suboptions & (OPTION_MPTCP_MPJ_ACK | OPTION_MPTCP_MPC_ACK)) || +- !mptcp_pm_add_addr_signal(msk, skb, opt_size, remaining, &addr, +- &echo, &drop_other_suboptions)) ++ !skb || !skb_is_tcp_pure_ack(skb) || ++ !mptcp_pm_add_addr_signal(msk, opt_size, remaining, &addr, &echo)) + return false; + +- /* +- * Later on, mptcp_write_options() will enforce mutually exclusion with +- * DSS, bail out if such option is set and we can't drop it. +- */ +- if (drop_other_suboptions) +- remaining += opt_size; +- else if (opts->suboptions & OPTION_MPTCP_DSS) +- return false; ++ remaining += opt_size; + + len = mptcp_add_addr_len(addr.family, echo, !!addr.port); + if (remaining < len) + return false; + + *size = len; +- if (drop_other_suboptions) { +- pr_debug("drop other suboptions\n"); +- opts->suboptions = 0; +- +- /* note that e.g. DSS could have written into the memory +- * aliased by ahmac, we must reset the field here +- * to avoid appending the hmac even for ADD_ADDR echo +- * options +- */ +- opts->ahmac = 0; +- *size -= opt_size; +- } ++ pr_debug("drop other suboptions\n"); ++ opts->suboptions = 0; ++ *size -= opt_size; + opts->addr = addr; + opts->suboptions |= OPTION_MPTCP_ADD_ADDR; + if (!echo) { +@@ -711,6 +694,7 @@ static bool mptcp_established_options_ad + &opts->addr); + } else { + MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_ECHOADDTX); ++ opts->ahmac = 0; + } + pr_debug("addr_id=%d, ahmac=%llu, echo=%d, port=%d\n", + opts->addr.id, opts->ahmac, echo, ntohs(opts->addr.port)); +--- a/net/mptcp/pm.c ++++ b/net/mptcp/pm.c +@@ -887,10 +887,9 @@ void mptcp_pm_mp_fail_received(struct so + } + } + +-bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, const struct sk_buff *skb, +- unsigned int opt_size, unsigned int remaining, +- struct mptcp_addr_info *addr, bool *echo, +- bool *drop_other_suboptions) ++bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, unsigned int opt_size, ++ unsigned int remaining, ++ struct mptcp_addr_info *addr, bool *echo) + { + bool skip_add_addr = false; + int ret = false; +@@ -908,10 +907,7 @@ bool mptcp_pm_add_addr_signal(struct mpt + * plain dup-ack from TCP perspective. The other MPTCP-relevant info, + * if any, will be carried by the 'original' TCP ack + */ +- if (skb && skb_is_tcp_pure_ack(skb)) { +- remaining += opt_size; +- *drop_other_suboptions = true; +- } ++ remaining += opt_size; + + *echo = mptcp_pm_should_add_signal_echo(msk); + if (*echo) { +@@ -929,9 +925,6 @@ bool mptcp_pm_add_addr_signal(struct mpt + if (remaining < mptcp_add_addr_len(family, *echo, port)) { + struct net *net = sock_net((struct sock *)msk); + +- if (!*drop_other_suboptions) +- goto out_unlock; +- + if (*echo) { + MPTCP_INC_STATS(net, MPTCP_MIB_ECHOADDTXDROP); + } else { +--- a/net/mptcp/protocol.h ++++ b/net/mptcp/protocol.h +@@ -1228,10 +1228,9 @@ static inline int mptcp_rm_addr_len(cons + return TCPOLEN_MPTCP_RM_ADDR_BASE + roundup(rm_list->nr - 1, 4) + 1; + } + +-bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, const struct sk_buff *skb, +- unsigned int opt_size, unsigned int remaining, +- struct mptcp_addr_info *addr, bool *echo, +- bool *drop_other_suboptions); ++bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, unsigned int opt_size, ++ unsigned int remaining, ++ struct mptcp_addr_info *addr, bool *echo); + bool mptcp_pm_rm_addr_signal(struct mptcp_sock *msk, unsigned int remaining, + struct mptcp_rm_list *rm_list); + int mptcp_pm_get_local_id(struct mptcp_sock *msk, struct sock_common *skc); diff --git a/queue-7.0/mptcp-allow-subflow-rcv-wnd-to-shrink.patch b/queue-7.0/mptcp-allow-subflow-rcv-wnd-to-shrink.patch new file mode 100644 index 0000000000..f2e5dcc973 --- /dev/null +++ b/queue-7.0/mptcp-allow-subflow-rcv-wnd-to-shrink.patch @@ -0,0 +1,59 @@ +From da23be77e1292cd611e736c3aa17da633d7ddce7 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 2 Jun 2026 22:14:11 +1000 +Subject: mptcp: allow subflow rcv wnd to shrink + +From: Paolo Abeni + +commit da23be77e1292cd611e736c3aa17da633d7ddce7 upstream. + +In MPTCP connection, the `window` field in the TCP header refers to the +MPTCP-level rcv_nxt and it's right edge should not move backward. Such +constraint is enforced at DSS option generation time. + +At the same time, the TCP stack ensures independently that the TCP-level +rcv wnd right's edge does not move backward. That in turn causes artificial +inflating of the MPTCP rcv window when the incoming data is acked at the +TCP level and is OoO in the MPTCP sequence space (or lands in the backlog). + +As a consequence, the incoming traffic can exceed the receiver rcvbuf size +even when the sender is not misbehaving. + +Prevent such scenario forcibly allowing the TCP subflow to shrink the +TCP-level rcv wnd regardless of the current netns setting. + +Fixes: f3589be0c420 ("mptcp: never shrink offered window") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-4-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -566,6 +566,7 @@ static bool mptcp_established_options_ds + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk); + struct mptcp_sock *msk = mptcp_sk(subflow->conn); ++ struct tcp_sock *tp = tcp_sk(sk); + unsigned int dss_size = 0; + struct mptcp_ext *mpext; + unsigned int ack_size; +@@ -614,6 +615,12 @@ static bool mptcp_established_options_ds + if (dss_size == 0) + ack_size += TCPOLEN_MPTCP_DSS_BASE; + ++ /* The caller is __tcp_transmit_skb(), and will compute the new rcv ++ * wnd soon: ensure that the window can shrink. ++ */ ++ if (skb) ++ tp->rcv_wnd = tp->rcv_nxt - tp->rcv_wup; ++ + dss_size += ack_size; + + *size = ALIGN(dss_size, 4); diff --git a/queue-7.0/mptcp-check-desc-count-in-read_sock.patch b/queue-7.0/mptcp-check-desc-count-in-read_sock.patch new file mode 100644 index 0000000000..f6f37393ba --- /dev/null +++ b/queue-7.0/mptcp-check-desc-count-in-read_sock.patch @@ -0,0 +1,44 @@ +From c378b1a6f8dd3e02eb08661f4d5d50f236eead03 Mon Sep 17 00:00:00 2001 +From: Gang Yan +Date: Tue, 2 Jun 2026 22:14:16 +1000 +Subject: mptcp: check desc->count in read_sock + +From: Gang Yan + +commit c378b1a6f8dd3e02eb08661f4d5d50f236eead03 upstream. + +__tcp_read_sock() checks desc->count after each skb is consumed and +breaks the loop when it reaches 0. The MPTCP variant lacks this check. + +This is a functional bug, other subsystems also rely on this check: +TLS strparser sets desc->count to 0 once a full TLS record is assembled +and depends on this break to stop reading. + +Add the same desc->count check to __mptcp_read_sock(), mirroring +__tcp_read_sock(). + +Fixes: 250d9766a984 ("mptcp: implement .read_sock") +Cc: stable@vger.kernel.org +Co-developed-by: Geliang Tang +Signed-off-by: Geliang Tang +Signed-off-by: Gang Yan +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-9-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -4411,6 +4411,8 @@ static int __mptcp_read_sock(struct sock + } + + mptcp_eat_recv_skb(sk, skb); ++ if (!desc->count) ++ break; + } + + if (noack) diff --git a/queue-7.0/mptcp-close-toctou-race-while-computing-rcv_wnd.patch b/queue-7.0/mptcp-close-toctou-race-while-computing-rcv_wnd.patch new file mode 100644 index 0000000000..18177dd9cd --- /dev/null +++ b/queue-7.0/mptcp-close-toctou-race-while-computing-rcv_wnd.patch @@ -0,0 +1,125 @@ +From 8ab24fdebc369c0dfb90f82c1650b1e66662bb45 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 2 Jun 2026 22:14:10 +1000 +Subject: mptcp: close TOCTOU race while computing rcv_wnd + +From: Paolo Abeni + +commit 8ab24fdebc369c0dfb90f82c1650b1e66662bb45 upstream. + +The MPTCP output path access locklessly the MPTCP-level ack_seq +in multiple times, using possibly different values for the data_ack +in the DSS option and to compute the announced rcv wnd for the same +packet. + +Refactor the cote to avoid inconsistencies which may confuse the +peer. Also ensure that the MPTCP level rcv wnd is updated only when +the egress packet actually contains a DSS ack. + +Fixes: fa3fe2b15031 ("mptcp: track window announced to peer") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-3-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -570,7 +570,6 @@ static bool mptcp_established_options_ds + struct mptcp_ext *mpext; + unsigned int ack_size; + bool ret = false; +- u64 ack_seq; + + opts->csum_reqd = READ_ONCE(msk->csum_enabled); + mpext = skb ? mptcp_get_ext(skb) : NULL; +@@ -601,14 +600,11 @@ static bool mptcp_established_options_ds + return ret; + } + +- ack_seq = READ_ONCE(msk->ack_seq); + if (READ_ONCE(msk->use_64bit_ack)) { + ack_size = TCPOLEN_MPTCP_DSS_ACK64; +- opts->ext_copy.data_ack = ack_seq; + opts->ext_copy.ack64 = 1; + } else { + ack_size = TCPOLEN_MPTCP_DSS_ACK32; +- opts->ext_copy.data_ack32 = (uint32_t)ack_seq; + opts->ext_copy.ack64 = 0; + } + opts->ext_copy.use_ack = 1; +@@ -1296,19 +1292,14 @@ bool mptcp_incoming_options(struct sock + return true; + } + +-static void mptcp_set_rwin(struct tcp_sock *tp, struct tcphdr *th) ++static u64 mptcp_set_rwin(struct mptcp_sock *msk, struct tcp_sock *tp, ++ struct tcphdr *th, u64 ack_seq) + { + const struct sock *ssk = (const struct sock *)tp; +- struct mptcp_subflow_context *subflow; +- u64 ack_seq, rcv_wnd_old, rcv_wnd_new; +- struct mptcp_sock *msk; ++ u64 rcv_wnd_old, rcv_wnd_new; + u32 new_win; + u64 win; + +- subflow = mptcp_subflow_ctx(ssk); +- msk = mptcp_sk(subflow->conn); +- +- ack_seq = READ_ONCE(msk->ack_seq); + rcv_wnd_new = ack_seq + tp->rcv_wnd; + + rcv_wnd_old = atomic64_read(&msk->rcv_wnd_sent); +@@ -1360,7 +1351,7 @@ raise_win: + + update_wspace: + WRITE_ONCE(msk->old_wspace, tp->rcv_wnd); +- subflow->rcv_wnd_sent = rcv_wnd_new; ++ return rcv_wnd_new; + } + + static void mptcp_track_rwin(struct tcp_sock *tp) +@@ -1472,13 +1463,25 @@ void mptcp_write_options(struct tcphdr * + *ptr++ = mptcp_option(MPTCPOPT_DSS, len, 0, flags); + + if (mpext->use_ack) { ++ struct mptcp_sock *msk; ++ u64 ack_seq; ++ ++ /* DSS option is set only by mptcp_established_options, ++ * the caller is __tcp_transmit_skb() and ssk is always ++ * not NULL. ++ */ ++ subflow = mptcp_subflow_ctx(ssk); ++ msk = mptcp_sk(subflow->conn); ++ ack_seq = READ_ONCE(msk->ack_seq); + if (mpext->ack64) { +- put_unaligned_be64(mpext->data_ack, ptr); ++ put_unaligned_be64(ack_seq, ptr); + ptr += 2; + } else { +- put_unaligned_be32(mpext->data_ack32, ptr); ++ put_unaligned_be32(ack_seq, ptr); + ptr += 1; + } ++ subflow->rcv_wnd_sent = mptcp_set_rwin(msk, tp, th, ++ ack_seq); + } + + if (mpext->use_map) { +@@ -1706,9 +1709,6 @@ mp_capable_done: + i += 4; + } + } +- +- if (tp) +- mptcp_set_rwin(tp, th); + } + + __be32 mptcp_get_reset_option(const struct sk_buff *skb) diff --git a/queue-7.0/mptcp-fix-missing-wakeups-in-edge-scenarios.patch b/queue-7.0/mptcp-fix-missing-wakeups-in-edge-scenarios.patch new file mode 100644 index 0000000000..f5306d4b98 --- /dev/null +++ b/queue-7.0/mptcp-fix-missing-wakeups-in-edge-scenarios.patch @@ -0,0 +1,41 @@ +From 9d8d28738f24b75616d6ca7a27cb4aed88520343 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 2 Jun 2026 22:14:08 +1000 +Subject: mptcp: fix missing wakeups in edge scenarios + +From: Paolo Abeni + +commit 9d8d28738f24b75616d6ca7a27cb4aed88520343 upstream. + +The mptcp_recvmsg() can fill MPTCP socket receive queue via +mptcp_move_skbs(), but currently does not try to wakeup any listener, +because the same process is going to check the receive queue soon. + +When multiple threads are reading from the same fd, the above can +cause stall. Add the missing wakeup. + +Fixes: 6771bfd9ee24 ("mptcp: update mptcp ack sequence from work queue") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-1-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2256,6 +2256,10 @@ static bool mptcp_move_skbs(struct sock + mptcp_backlog_spooled(sk, moved, &skbs); + } + mptcp_data_unlock(sk); ++ ++ if (enqueued && mptcp_epollin_ready(sk)) ++ sk->sk_data_ready(sk); ++ + return enqueued; + } + diff --git a/queue-7.0/mptcp-fix-retransmission-loop-when-csum-is-enabled.patch b/queue-7.0/mptcp-fix-retransmission-loop-when-csum-is-enabled.patch new file mode 100644 index 0000000000..78ecb5f105 --- /dev/null +++ b/queue-7.0/mptcp-fix-retransmission-loop-when-csum-is-enabled.patch @@ -0,0 +1,42 @@ +From d1918b36edcaed0ec4ef6888b2358c6b1ddcff47 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 2 Jun 2026 22:14:09 +1000 +Subject: mptcp: fix retransmission loop when csum is enabled + +From: Paolo Abeni + +commit d1918b36edcaed0ec4ef6888b2358c6b1ddcff47 upstream. + +Sashiko noted that retransmission with csum enabled can actually +transmit new data, but currently the relevant code does not update +accordingly snd_nxt. + +The may cause incoming ack drop and an endless retransmission loop. + +Address the issue incrementing snd_nxt as needed. + +Fixes: 4e14867d5e91 ("mptcp: tune re-injections for csum enabled mode") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-2-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2852,6 +2852,10 @@ static void __mptcp_retrans(struct sock + msk->bytes_retrans += len; + dfrag->already_sent = max(dfrag->already_sent, len); + ++ /* With csum enabled retransmission can send new data. */ ++ if (after64(dfrag->already_sent + dfrag->data_seq, msk->snd_nxt)) ++ WRITE_ONCE(msk->snd_nxt, dfrag->already_sent + dfrag->data_seq); ++ + reset_timer: + mptcp_check_and_set_pending(sk); + diff --git a/queue-7.0/mptcp-pm-fix-extra_subflows-underflow-on-userspace-pm-subflow-creation.patch b/queue-7.0/mptcp-pm-fix-extra_subflows-underflow-on-userspace-pm-subflow-creation.patch new file mode 100644 index 0000000000..917717aea6 --- /dev/null +++ b/queue-7.0/mptcp-pm-fix-extra_subflows-underflow-on-userspace-pm-subflow-creation.patch @@ -0,0 +1,62 @@ +From 14e9fea30b68fc75b2b3d97396a7e6adb544bd2a Mon Sep 17 00:00:00 2001 +From: Tao Cui +Date: Tue, 2 Jun 2026 22:14:12 +1000 +Subject: mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation + +From: Tao Cui + +commit 14e9fea30b68fc75b2b3d97396a7e6adb544bd2a upstream. + +The userspace PM increments extra_subflows after __mptcp_subflow_connect() +succeeds, but __mptcp_subflow_connect() calls mptcp_pm_close_subflow() +on failure to roll back the pre-increment done by the kernel PM's fill_*() +helpers. Because the userspace PM hasn't incremented yet at that point, +this decrement is spurious and causes extra_subflows to underflow. + +Fix it by aligning the userspace PM with the kernel PM: increment +extra_subflows before calling __mptcp_subflow_connect(), so the existing +error path in subflow.c correctly rolls it back on failure. Also simplify +the error handling by taking pm.lock only when needed for cleanup. + +Fixes: 77e4b94a3de6 ("mptcp: update userspace pm infos") +Cc: stable@vger.kernel.org +Signed-off-by: Tao Cui +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-5-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_userspace.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/net/mptcp/pm_userspace.c ++++ b/net/mptcp/pm_userspace.c +@@ -408,19 +408,21 @@ int mptcp_pm_nl_subflow_create_doit(stru + local.flags = entry.flags; + local.ifindex = entry.ifindex; + ++ spin_lock_bh(&msk->pm.lock); ++ msk->pm.extra_subflows++; ++ spin_unlock_bh(&msk->pm.lock); ++ + lock_sock(sk); + err = __mptcp_subflow_connect(sk, &local, &addr_r); + release_sock(sk); + +- if (err) ++ if (err) { + GENL_SET_ERR_MSG_FMT(info, "connect error: %d", err); + +- spin_lock_bh(&msk->pm.lock); +- if (err) ++ spin_lock_bh(&msk->pm.lock); + mptcp_userspace_pm_delete_local_addr(msk, &entry); +- else +- msk->pm.extra_subflows++; +- spin_unlock_bh(&msk->pm.lock); ++ spin_unlock_bh(&msk->pm.lock); ++ } + + create_err: + sock_put(sk); diff --git a/queue-7.0/mptcp-sockopt-check-timestamping-ret-value.patch b/queue-7.0/mptcp-sockopt-check-timestamping-ret-value.patch new file mode 100644 index 0000000000..ed1d1b61c0 --- /dev/null +++ b/queue-7.0/mptcp-sockopt-check-timestamping-ret-value.patch @@ -0,0 +1,53 @@ +From 57132affbc89c02e1bf73fdf5724311bdc9a29da Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 2 Jun 2026 22:14:14 +1000 +Subject: mptcp: sockopt: check timestamping ret value + +From: Matthieu Baerts (NGI0) + +commit 57132affbc89c02e1bf73fdf5724311bdc9a29da upstream. + +sock_set_timestamping() can fail for different reasons. The returned +value should then be checked. + +If sock_set_timestamping() fails for at least one subflow, the first +error is now reported to the userspace, similar to what is done with +other socket options. + +Fixes: 9061f24bf82e ("mptcp: sockopt: propagate timestamp request to subflows") +Cc: stable@vger.kernel.org +Reported-by: Willem de Bruijn +Closes: https://lore.kernel.org/willemdebruijn.kernel.178a41a53d041@gmail.com +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-7-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/sockopt.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/mptcp/sockopt.c ++++ b/net/mptcp/sockopt.c +@@ -235,15 +235,19 @@ static int mptcp_setsockopt_sol_socket_t + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); ++ int err; + + lock_sock(ssk); +- sock_set_timestamping(ssk, optname, timestamping); ++ err = sock_set_timestamping(ssk, optname, timestamping); + release_sock(ssk); ++ ++ if (err < 0 && ret == 0) ++ ret = err; + } + + release_sock(sk); + +- return 0; ++ return ret; + } + + static int mptcp_setsockopt_sol_socket_linger(struct mptcp_sock *msk, sockptr_t optval, diff --git a/queue-7.0/mptcp-sockopt-set-sockopt-on-all-subflows.patch b/queue-7.0/mptcp-sockopt-set-sockopt-on-all-subflows.patch new file mode 100644 index 0000000000..01af86d0c5 --- /dev/null +++ b/queue-7.0/mptcp-sockopt-set-sockopt-on-all-subflows.patch @@ -0,0 +1,46 @@ +From 7690137e70ab0fb1f8b5a30e6f087f8ee908b680 Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 2 Jun 2026 22:14:15 +1000 +Subject: mptcp: sockopt: set sockopt on all subflows + +From: Matthieu Baerts (NGI0) + +commit 7690137e70ab0fb1f8b5a30e6f087f8ee908b680 upstream. + +The mptcp_setsockopt_all_sf(), currently used only with TCP_MAXSEG, +stopped when one subflow returned an error. + +Even if it is not wrong, this is different from the other helpers trying +to set the option on all subflows, and then returning an error if at +least one of them had an issue. + +Follow this behaviour, for a question of uniformity. + +Fixes: 51c5fd09e1b4 ("mptcp: add TCP_MAXSEG sockopt support") +Cc: stable@vger.kernel.org +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-8-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/sockopt.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/mptcp/sockopt.c ++++ b/net/mptcp/sockopt.c +@@ -811,10 +811,11 @@ static int mptcp_setsockopt_all_sf(struc + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); ++ int err; + +- ret = tcp_setsockopt(ssk, level, optname, optval, optlen); +- if (ret) +- break; ++ err = tcp_setsockopt(ssk, level, optname, optval, optlen); ++ if (err < 0 && ret == 0) ++ ret = err; + } + + if (!ret) diff --git a/queue-7.0/ovl-keep-err-zero-after-successful-ovl_cache_get.patch b/queue-7.0/ovl-keep-err-zero-after-successful-ovl_cache_get.patch new file mode 100644 index 0000000000..6e2f4ea7de --- /dev/null +++ b/queue-7.0/ovl-keep-err-zero-after-successful-ovl_cache_get.patch @@ -0,0 +1,67 @@ +From 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2 Mon Sep 17 00:00:00 2001 +From: Nirmoy Das +Date: Thu, 14 May 2026 07:42:57 -0700 +Subject: ovl: keep err zero after successful ovl_cache_get() + +From: Nirmoy Das + +commit 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2 upstream. + +ovl_iterate_merged() stores PTR_ERR(cache) in err before checking +IS_ERR(cache). On success err holds the truncated cache pointer and +can be returned as a bogus non-zero error. + +The syzbot reproducer reaches this through overlay-on-overlay readdir: + + getdents64 + iterate_dir(outer overlay file) + ovl_iterate_merged() + ovl_cache_get() + ovl_dir_read_merged() + ovl_dir_read() + iterate_dir(inner overlay file) + ovl_iterate_merged() + +Only compute PTR_ERR(cache) on the error path. + +Fixes: d25e4b739f83 ("ovl: refactor ovl_iterate() and port to cred guard") +Reported-by: syzbot+a16fb0cce329a320661c@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a16fb0cce329a320661c +Cc: stable@vger.kernel.org +Signed-off-by: Nirmoy Das +Link: https://patch.msgid.link/20260514144258.3068715-1-nirmoyd@nvidia.com +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/readdir.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/fs/overlayfs/readdir.c ++++ b/fs/overlayfs/readdir.c +@@ -838,15 +838,14 @@ static int ovl_iterate_merged(struct fil + struct ovl_dir_file *od = file->private_data; + struct dentry *dentry = file->f_path.dentry; + struct ovl_cache_entry *p; +- int err = 0; ++ int err; + + if (!od->cache) { + struct ovl_dir_cache *cache; + + cache = ovl_cache_get(dentry); +- err = PTR_ERR(cache); + if (IS_ERR(cache)) +- return err; ++ return PTR_ERR(cache); + + od->cache = cache; + ovl_seek_cursor(od, ctx->pos); +@@ -869,7 +868,7 @@ static int ovl_iterate_merged(struct fil + od->cursor = p->l_node.next; + ctx->pos++; + } +- return err; ++ return 0; + } + + static bool ovl_need_adjust_d_ino(struct file *file) diff --git a/queue-7.0/pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch b/queue-7.0/pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch new file mode 100644 index 0000000000..0155315e21 --- /dev/null +++ b/queue-7.0/pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch @@ -0,0 +1,46 @@ +From 62c4d31d78294bd61cf3403626b789e854357177 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Mon, 18 May 2026 10:32:11 +0200 +Subject: pidfd: refuse access to tasks that have started exiting harder + +From: Christian Brauner + +commit 62c4d31d78294bd61cf3403626b789e854357177 upstream. + +The recent ptrace fix closed a hole where someone could rely on task->mm +becoming NULL during do_exit() to bypass dumpability checks. This api +here leans on on the very same check and so inherits the fix. + +But there is no good reason to let it succeed at all once the target has +entered do_exit(). PF_EXITING is set by exit_signals() at the very top +of do_exit(), before exit_mm() and exit_files() run. Once we observe it, +the task is committed to dying and exit_files() will release the fdtable +shortly. + +Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260518-obgleich-petersilie-2d77ccccf9b9@brauner +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/pid.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/kernel/pid.c ++++ b/kernel/pid.c +@@ -878,10 +878,12 @@ static struct file *__pidfd_fget(struct + if (ret) + return ERR_PTR(ret); + +- if (ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS)) +- file = fget_task(task, fd); +- else ++ if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS)) + file = ERR_PTR(-EPERM); ++ else if (task->flags & PF_EXITING) ++ file = ERR_PTR(-ESRCH); ++ else ++ file = fget_task(task, fd); + + up_read(&task->signal->exec_update_lock); + diff --git a/queue-7.0/rdma-core-validate-cpu_id-against-nr_cpu_ids-in-dmah-alloc.patch b/queue-7.0/rdma-core-validate-cpu_id-against-nr_cpu_ids-in-dmah-alloc.patch new file mode 100644 index 0000000000..fc3414424a --- /dev/null +++ b/queue-7.0/rdma-core-validate-cpu_id-against-nr_cpu_ids-in-dmah-alloc.patch @@ -0,0 +1,53 @@ +From 323c98a4ff06aa28114f2bf658fb43eb3b536bbc Mon Sep 17 00:00:00 2001 +From: Yishai Hadas +Date: Mon, 25 May 2026 17:21:36 +0300 +Subject: RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc + +From: Yishai Hadas + +commit 323c98a4ff06aa28114f2bf658fb43eb3b536bbc upstream. + +The cpu_id attribute supplied by user space through +UVERBS_ATTR_ALLOC_DMAH_CPU_ID is passed directly to cpumask_test_cpu() +without first verifying that the value is within the valid CPU range. + +Passing such untrusted data to cpumask_test_cpu() may lead to an +out-of-bounds read of the underlying cpumask bitmap: the helper expands +to a test_bit() that indexes the bitmap by cpu_id / BITS_PER_LONG with +no bound check. + +In addition, on kernels built with CONFIG_DEBUG_PER_CPU_MAPS it trips +the WARN_ON_ONCE() in cpumask_check(); combined with panic_on_warn this +turns a bad user input into a machine reboot. + +Reject any cpu_id that is not smaller than nr_cpu_ids with -EINVAL +before it is used. + +Reported by Smatch. + +Fixes: d83edab562a4 ("RDMA/core: Introduce a DMAH object and its alloc/free APIs") +Link: https://patch.msgid.link/r/20260525142136.28165-1-yishaih@nvidia.com +Cc: stable@vger.kernel.org +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/ag68qoAW3P04J7pT@stanley.mountain/ +Signed-off-by: Yishai Hadas +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/uverbs_std_types_dmah.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/infiniband/core/uverbs_std_types_dmah.c ++++ b/drivers/infiniband/core/uverbs_std_types_dmah.c +@@ -47,6 +47,11 @@ static int UVERBS_HANDLER(UVERBS_METHOD_ + if (ret) + goto err; + ++ if (dmah->cpu_id >= nr_cpu_ids) { ++ ret = -EINVAL; ++ goto err; ++ } ++ + if (!cpumask_test_cpu(dmah->cpu_id, current->cpus_ptr)) { + ret = -EPERM; + goto err; diff --git a/queue-7.0/rdma-core-validate-the-passed-in-fops-for-ib_get_ucaps.patch b/queue-7.0/rdma-core-validate-the-passed-in-fops-for-ib_get_ucaps.patch new file mode 100644 index 0000000000..e922a0adf1 --- /dev/null +++ b/queue-7.0/rdma-core-validate-the-passed-in-fops-for-ib_get_ucaps.patch @@ -0,0 +1,44 @@ +From 4a1b1ac2744694a2ecd66a84bdb1445f4ef24bee Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Tue, 26 May 2026 12:40:25 -0300 +Subject: RDMA/core: Validate the passed in fops for ib_get_ucaps() + +From: Jason Gunthorpe + +commit 4a1b1ac2744694a2ecd66a84bdb1445f4ef24bee upstream. + +Sashiko pointed out it is not safe to rely only on the devt because +char/block alias so if the user finds a block device with the same dev_t +it can masquerade as a ucap cdev fd. + +Test the f_ops to only accept authentic cdevs. + +Link: https://patch.msgid.link/r/0-v1-fd9482545e37+1e25-ib_ucaps_fd_ops_jgg@nvidia.com +Cc: stable@vger.kernel.org +Fixes: 61e51682816d ("RDMA/uverbs: Introduce UCAP (User CAPabilities) API") +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/ucaps.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/infiniband/core/ucaps.c ++++ b/drivers/infiniband/core/ucaps.c +@@ -82,14 +82,12 @@ static int get_ucap_from_devt(dev_t devt + + static int get_devt_from_fd(unsigned int fd, dev_t *ret_dev) + { +- struct file *file; ++ CLASS(fd, f)(fd); + +- file = fget(fd); +- if (!file) ++ if (fd_empty(f) || fd_file(f)->f_op != &ucaps_cdev_fops) + return -EBADF; + +- *ret_dev = file_inode(file)->i_rdev; +- fput(file); ++ *ret_dev = file_inode(fd_file(f))->i_rdev; + return 0; + } + diff --git a/queue-7.0/rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch b/queue-7.0/rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch new file mode 100644 index 0000000000..8696b1827f --- /dev/null +++ b/queue-7.0/rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch @@ -0,0 +1,93 @@ +From 13e91fd076306f5d0cdfa14f53d69e37274723c4 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Tue, 2 Jun 2026 18:04:57 -0400 +Subject: RDMA/srp: bound SRP_RSP sense copy by the received length + +From: Michael Bommarito + +commit 13e91fd076306f5d0cdfa14f53d69e37274723c4 upstream. + +srp_process_rsp() copies sense data from rsp->data + resp_data_len, +where resp_data_len is the full 32-bit value supplied by the SRP target +and is never checked against the number of bytes actually received +(wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so +at most 96 bytes are copied, but the source offset is not bounded. + +A malicious or compromised SRP target on the InfiniBand/RoCE fabric that +the initiator has logged into can return an SRP_RSP with +SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer +is allocated at the target-chosen max_ti_iu_len, so the source of the +sense copy lands past the bytes actually received; with resp_data_len +near 0xFFFFFFFF it is gigabytes past the buffer and the read faults. + +Copy the sense data only if it has not been truncated, that is, only if +the response header, the response data, and the sense region fit within +the bytes actually received; otherwise drop the sense and log. The +in-tree iSER and NVMe-RDMA receive paths already bound their parse by +wc->byte_len; this brings ib_srp into line with them. + +Fixes: aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator") +Link: https://patch.msgid.link/r/20260602220457.2542840-1-michael.bommarito@gmail.com +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-8 +Signed-off-by: Michael Bommarito +Reviewed-by: Bart Van Assche +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/srp/ib_srp.c | 30 ++++++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -1932,7 +1932,8 @@ static int srp_post_recv(struct srp_rdma + return ib_post_recv(ch->qp, &wr, NULL); + } + +-static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp) ++static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp, ++ u32 byte_len) + { + struct srp_target_port *target = ch->target; + struct srp_request *req; +@@ -1973,10 +1974,27 @@ static void srp_process_rsp(struct srp_r + scmnd->result = rsp->status; + + if (rsp->flags & SRP_RSP_FLAG_SNSVALID) { +- memcpy(scmnd->sense_buffer, rsp->data + +- be32_to_cpu(rsp->resp_data_len), +- min_t(int, be32_to_cpu(rsp->sense_data_len), +- SCSI_SENSE_BUFFERSIZE)); ++ u32 resp_len = be32_to_cpu(rsp->resp_data_len); ++ u32 sense_len = be32_to_cpu(rsp->sense_data_len); ++ ++ /* ++ * The sense data starts resp_data_len bytes past the ++ * response data area; both lengths come from the ++ * target-controlled response. Copy the sense data ++ * only if it has not been truncated, that is, only if ++ * the full sense region fits within the bytes actually ++ * received. Otherwise the copy source would run past ++ * the receive buffer (sized to the target-chosen ++ * max_ti_iu_len), reading out of bounds. ++ */ ++ if (sizeof(*rsp) + (u64)resp_len + sense_len <= byte_len) ++ memcpy(scmnd->sense_buffer, ++ rsp->data + resp_len, ++ min(sense_len, SCSI_SENSE_BUFFERSIZE)); ++ else ++ shost_printk(KERN_ERR, target->scsi_host, ++ "dropping truncated sense data (resp_data_len %u sense_data_len %u, %u bytes received)\n", ++ resp_len, sense_len, byte_len); + } + + if (unlikely(rsp->flags & SRP_RSP_FLAG_DIUNDER)) +@@ -2086,7 +2104,7 @@ static void srp_recv_done(struct ib_cq * + + switch (opcode) { + case SRP_RSP: +- srp_process_rsp(ch, iu->buf); ++ srp_process_rsp(ch, iu->buf, wc->byte_len); + break; + + case SRP_CRED_REQ: diff --git a/queue-7.0/s390-remove-generic_lockbreak-kconfig-option.patch b/queue-7.0/s390-remove-generic_lockbreak-kconfig-option.patch new file mode 100644 index 0000000000..a4010aac00 --- /dev/null +++ b/queue-7.0/s390-remove-generic_lockbreak-kconfig-option.patch @@ -0,0 +1,47 @@ +From 1f57f68c4dd101e5e8ffc9ffa6428f45bcdd776a Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Fri, 5 Jun 2026 17:32:06 +0200 +Subject: s390: Remove GENERIC_LOCKBREAK Kconfig option + +From: Heiko Carstens + +commit 1f57f68c4dd101e5e8ffc9ffa6428f45bcdd776a upstream. + +s390 selects GENERIC_LOCKBREAK if PREEMPT is enabled. Reason is a historic +18 years old commit [1] which fixed a compile error for PREEMPT enabled +kernels. Back than only PREEMPT_NONE and PREEMPT_VOLUNTARY kernels were +considered to be important for s390. PREEMPT should "just work". + +However, since recently PREEMPT is always enabled [2], which also causes +GENERIC_LOCKBREAK to be always enabled. For some workloads this leads to +massive performance degradation; e.g. a simple kernel compile on machines +with many CPUs may take up to four times longer. + +To fix this just remove the GENERIC_LOCKBREAK from s390's Kconfig, since +the compile error from 18 years ago does not exist anymore. + +[1] commit b6b40c532a36 ("[S390] Define GENERIC_LOCKBREAK.") +[2] commit 7dadeaa6e851 ("sched: Further restrict the preemption modes") + +Cc: stable@vger.kernel.org +Reported-by: Massimiliano Pellizzer +Reviewed-by: Sven Schnelle +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/Kconfig | 3 --- + 1 file changed, 3 deletions(-) + +--- a/arch/s390/Kconfig ++++ b/arch/s390/Kconfig +@@ -29,9 +29,6 @@ config GENERIC_BUG + config GENERIC_BUG_RELATIVE_POINTERS + def_bool y + +-config GENERIC_LOCKBREAK +- def_bool y if PREEMPTION +- + config AUDIT_ARCH + def_bool y + diff --git a/queue-7.0/selftests-mptcp-add-test-for-extra_subflows-underflow-on-userspace-pm.patch b/queue-7.0/selftests-mptcp-add-test-for-extra_subflows-underflow-on-userspace-pm.patch new file mode 100644 index 0000000000..3a6956496b --- /dev/null +++ b/queue-7.0/selftests-mptcp-add-test-for-extra_subflows-underflow-on-userspace-pm.patch @@ -0,0 +1,38 @@ +From 06fd2bec7aebf393288e4b78924482fe170caabc Mon Sep 17 00:00:00 2001 +From: Tao Cui +Date: Tue, 2 Jun 2026 22:14:13 +1000 +Subject: selftests: mptcp: add test for extra_subflows underflow on userspace PM + +From: Tao Cui + +commit 06fd2bec7aebf393288e4b78924482fe170caabc upstream. + +Add a test to verify that when userspace PM fails to create a subflow +(e.g. using an unreachable address), the extra_subflows counter is not +decremented below zero. + +Fixes: 77e4b94a3de6 ("mptcp: update userspace pm infos") +Cc: stable@vger.kernel.org +Signed-off-by: Tao Cui +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-6-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -4069,6 +4069,10 @@ userspace_tests() + chk_rm_nr 0 1 + chk_mptcp_info subflows 0 subflows 0 + chk_subflows_total 1 1 ++ # check counters are not affected by errors at creation time ++ userspace_pm_add_sf $ns2 10.0.12.2 10 2>/dev/null ++ chk_mptcp_info subflows 0 subflows 0 ++ chk_subflows_total 1 1 + kill_events_pids + mptcp_lib_kill_group_wait $tests_pid + fi diff --git a/queue-7.0/series b/queue-7.0/series index 2fce9f86d7..9330851d43 100644 --- a/queue-7.0/series +++ b/queue-7.0/series @@ -200,3 +200,59 @@ kvm-arm64-restore-por_el0-access-to-host-el0.patch drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch pinctrl-mcp23s08-initialize-mcp-dev-and-mcp-addr-before-regmap-init.patch +ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-double-smb2_cancel.patch +xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch +xfrm-iptfs-preserve-shared-frag-marker-in-iptfs_consume_frags.patch +xfrm-iptfs-fix-abba-deadlock-in-iptfs_destroy_state.patch +usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch +usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch +usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch +usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch +alsa-timer-forcibly-close-timer-instances-at-closing.patch +alsa-timer-fix-uaf-at-snd_timer_user_params.patch +io_uring-wait-fix-min_timeout-behavior.patch +io_uring-kbuf-don-t-truncate-end-buffer-for-bundles.patch +io_uring-net-inherit-ioring_cqe_f_buf_more-across-bundle-recv-retries.patch +drm-virtio-fix-dma_fence-refcount-leak-on-error-in-virtio_gpu_dma_fence_wait.patch +drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch +mm-huge_memory-update-file-pmd-counter-before-folio_put.patch +mm-damon-ops-common-call-folio_test_lru-after-folio_get.patch +mm-huge_memory-update-file-pud-counter-before-folio_put.patch +rdma-core-validate-the-passed-in-fops-for-ib_get_ucaps.patch +rdma-core-validate-cpu_id-against-nr_cpu_ids-in-dmah-alloc.patch +rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch +zram-fix-use-after-free-in-zram_bvec_write_partial.patch +udp-clear-skb-dev-before-running-a-sockmap-verdict.patch +arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch +arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch +arm-9475-1-entry-use-byte-load-for-kasan-vmap-stack-shadow.patch +arm64-mm-call-pagetable-dtor-when-freeing-hot-removed-page-tables.patch +mptcp-fix-missing-wakeups-in-edge-scenarios.patch +mptcp-fix-retransmission-loop-when-csum-is-enabled.patch +mptcp-close-toctou-race-while-computing-rcv_wnd.patch +mptcp-allow-subflow-rcv-wnd-to-shrink.patch +mptcp-pm-fix-extra_subflows-underflow-on-userspace-pm-subflow-creation.patch +mptcp-check-desc-count-in-read_sock.patch +mptcp-sockopt-check-timestamping-ret-value.patch +mptcp-sockopt-set-sockopt-on-all-subflows.patch +selftests-mptcp-add-test-for-extra_subflows-underflow-on-userspace-pm.patch +mptcp-add-addr-always-drop-other-suboptions.patch +xfs-fix-error-returns-in-cow-fork-repair.patch +xfs-fix-rtgroup-cleanup-in-cow-fork-repair.patch +wifi-iwlwifi-pcie-simplify-the-resume-flow-if-fast-resume-is-not-used.patch +wifi-nl80211-reject-oversized-ema-rnr-lists.patch +vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch +timers-migration-fix-livelock-in-tmigr_handle_remote_up.patch +spi-qcom-geni-fix-cs_change-handling-on-the-last-transfer.patch +staging-rtl8723bs-fix-buffer-over-read-in-rtw_update_protection.patch +staging-rtl8723bs-rtw_mlme-add-bounds-checks-before-ie_length-subtraction.patch +asoc-fsl_sai-fix-32-slots-tdm-broken-by-integer-shift-ub-in-xmr-write.patch +bnxt_en-fix-null-pointer-dereference.patch +drivers-hv-vmbus-improve-the-logic-of-reserving-fb_mmio-on-gen2-vms.patch +fhandle-fix-uaf-due-to-unlocked-mnt_ns-read-in-may_decode_fh.patch +hv-utils-handle-and-propagate-errors-in-kvp_register.patch +ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch +inet-frags-fix-use-after-free-caused-by-the-fqdir_pre_exit-flush.patch +ovl-keep-err-zero-after-successful-ovl_cache_get.patch +pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch +s390-remove-generic_lockbreak-kconfig-option.patch diff --git a/queue-7.0/spi-qcom-geni-fix-cs_change-handling-on-the-last-transfer.patch b/queue-7.0/spi-qcom-geni-fix-cs_change-handling-on-the-last-transfer.patch new file mode 100644 index 0000000000..df1cc64cda --- /dev/null +++ b/queue-7.0/spi-qcom-geni-fix-cs_change-handling-on-the-last-transfer.patch @@ -0,0 +1,100 @@ +From 5ac5ec84734fd338867055d4d7b650f18a023cb0 Mon Sep 17 00:00:00 2001 +From: Viken Dadhaniya +Date: Tue, 9 Jun 2026 14:13:09 +0530 +Subject: spi: qcom-geni: Fix cs_change handling on the last transfer + +From: Viken Dadhaniya + +commit 5ac5ec84734fd338867055d4d7b650f18a023cb0 upstream. + +TPM TIS SPI probe fails with: + + tpm_tis_spi: probe of spi11.0 failed with error -110 + +TPM TIS SPI sets cs_change=1 on single-transfer messages to keep CS +asserted across the header, wait-state, and data phases of a transaction. +CS deassertion between these phases violates the TCG SPI flow control +specification. + +This bug was introduced by commit b99181cdf9fa ("spi-geni-qcom: remove +manual CS control"), which replaced manual CS control with automatic CS +control via the FRAGMENTATION bit. The FRAGMENTATION bit controls CS +behavior after a transfer: when set to 1, CS remains asserted; when +cleared to 0, CS is deasserted. + +The commit correctly sets FRAGMENTATION for non-last transfers with +cs_change=0 to keep CS asserted between chained transfers, but misses the +case where cs_change=1 is set on the last transfer. When cs_change=1 on +the last transfer, the client requests CS to remain asserted after the +message completes, so FRAGMENTATION must be set to 1 in this case as well. + +Fix setup_se_xfer() to set FRAGMENTATION when cs_change=1 on the last +transfer. + +Also fix the same missing case in setup_gsi_xfer() and correct it to +write 1 instead of the raw bitmask FRAGMENTATION (value 4) to +peripheral.fragmentation. This field is a 1-bit boolean consumed by +gpi_create_spi_tre() via u32_encode_bits(..., TRE_SPI_GO_FRAG). Writing 4 +to a 1-bit field causes u32_encode_bits() to mask it to 0, silently +disabling the FRAGMENTATION bit in the GPI TRE regardless of the +cs_change logic. + +Fixes: b99181cdf9fa ("spi-geni-qcom: remove manual CS control") +Cc: stable@vger.kernel.org +Reviewed-by: Jonathan Marek +Signed-off-by: Viken Dadhaniya +Link: https://patch.msgid.link/20260609-fix-spi-fragmentation-bit-logic-v2-1-e18efc255563@oss.qualcomm.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-geni-qcom.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/spi/spi-geni-qcom.c b/drivers/spi/spi-geni-qcom.c +index d5fb0edc8e0c..23c6d3a37341 100644 +--- a/drivers/spi/spi-geni-qcom.c ++++ b/drivers/spi/spi-geni-qcom.c +@@ -440,10 +440,15 @@ static int setup_gsi_xfer(struct spi_transfer *xfer, struct spi_geni_master *mas + return ret; + } + +- if (!xfer->cs_change) { +- if (!list_is_last(&xfer->transfer_list, &spi->cur_msg->transfers)) +- peripheral.fragmentation = FRAGMENTATION; +- } ++ /* ++ * Set fragmentation to keep CS asserted after this transfer when: ++ * - non-last transfer with cs_change=0: keep CS asserted between chained transfers ++ * - last transfer with cs_change=1: keep CS asserted after the message ++ * (e.g. TPM TIS SPI uses cs_change=1 on single-transfer messages to ++ * keep CS asserted across header, wait-state and data phases) ++ */ ++ peripheral.fragmentation = list_is_last(&xfer->transfer_list, &spi->cur_msg->transfers) ? ++ xfer->cs_change : !xfer->cs_change; + + if (peripheral.cmd & SPI_RX) { + dmaengine_slave_config(mas->rx, &config); +@@ -849,10 +854,16 @@ static int setup_se_xfer(struct spi_transfer *xfer, + mas->cur_xfer_mode = GENI_SE_DMA; + geni_se_select_mode(se, mas->cur_xfer_mode); + +- if (!xfer->cs_change) { +- if (!list_is_last(&xfer->transfer_list, &spi->cur_msg->transfers)) +- m_params = FRAGMENTATION; +- } ++ /* ++ * Set FRAGMENTATION to keep CS asserted after this transfer when: ++ * - non-last transfer with cs_change=0: keep CS asserted between chained transfers ++ * - last transfer with cs_change=1: keep CS asserted after the message ++ * (e.g. TPM TIS SPI uses cs_change=1 on single-transfer messages to ++ * keep CS asserted across header, wait-state and data phases) ++ */ ++ if (list_is_last(&xfer->transfer_list, &spi->cur_msg->transfers) ? ++ xfer->cs_change : !xfer->cs_change) ++ m_params = FRAGMENTATION; + + /* + * Lock around right before we start the transfer since our +-- +2.54.0 + diff --git a/queue-7.0/staging-rtl8723bs-fix-buffer-over-read-in-rtw_update_protection.patch b/queue-7.0/staging-rtl8723bs-fix-buffer-over-read-in-rtw_update_protection.patch new file mode 100644 index 0000000000..1d0221ccd2 --- /dev/null +++ b/queue-7.0/staging-rtl8723bs-fix-buffer-over-read-in-rtw_update_protection.patch @@ -0,0 +1,54 @@ +From 514ab98364595007d4557ecc85d7e5f012c504d3 Mon Sep 17 00:00:00 2001 +From: Salman Alghamdi +Date: Sat, 9 May 2026 01:26:14 +0300 +Subject: staging: rtl8723bs: fix buffer over-read in rtw_update_protection + +From: Salman Alghamdi + +commit 514ab98364595007d4557ecc85d7e5f012c504d3 upstream. + +rtw_update_protection() is called with a pointer offset into the +ies buffer but the full ie_length is passed, causing a potential +buffer over-read. + +Fixes: e945c43df60b ("Staging: rtl8723bs: Delete dead code from update_current_network()") +Fixes: d3fcee1b78a5 ("staging: rtl8723bs: fix camel case in struct wlan_bssid_ex") +Reported-by: Luka Gejak +Closes: https://lore.kernel.org/linux-staging/DI2H39EAAFBZ.3KI5NWN02AQ2S@linux.dev +Cc: stable@vger.kernel.org +Signed-off-by: Salman Alghamdi +Reviewed-by: Luka Gejak +Link: https://patch.msgid.link/20260508222649.23989-1-me@cipherat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8723bs/core/rtw_mlme.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c ++++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c +@@ -471,8 +471,11 @@ static void update_current_network(struc + + if (check_fwstate(pmlmepriv, _FW_LINKED) && (is_same_network(&pmlmepriv->cur_network.network, pnetwork, 0))) { + update_network(&pmlmepriv->cur_network.network, pnetwork, adapter, true); ++ if (pmlmepriv->cur_network.network.ie_length < sizeof(struct ndis_802_11_fix_ie)) ++ return; ++ + rtw_update_protection(adapter, (pmlmepriv->cur_network.network.ies) + sizeof(struct ndis_802_11_fix_ie), +- pmlmepriv->cur_network.network.ie_length); ++ pmlmepriv->cur_network.network.ie_length - sizeof(struct ndis_802_11_fix_ie)); + } + } + +@@ -1081,8 +1084,11 @@ static void rtw_joinbss_update_network(s + break; + } + ++ if (cur_network->network.ie_length < sizeof(struct ndis_802_11_fix_ie)) ++ return; ++ + rtw_update_protection(padapter, (cur_network->network.ies) + sizeof(struct ndis_802_11_fix_ie), +- (cur_network->network.ie_length)); ++ (cur_network->network.ie_length - sizeof(struct ndis_802_11_fix_ie))); + + rtw_update_ht_cap(padapter, cur_network->network.ies, cur_network->network.ie_length, (u8) cur_network->network.configuration.ds_config); + } diff --git a/queue-7.0/staging-rtl8723bs-rtw_mlme-add-bounds-checks-before-ie_length-subtraction.patch b/queue-7.0/staging-rtl8723bs-rtw_mlme-add-bounds-checks-before-ie_length-subtraction.patch new file mode 100644 index 0000000000..d7e4e81266 --- /dev/null +++ b/queue-7.0/staging-rtl8723bs-rtw_mlme-add-bounds-checks-before-ie_length-subtraction.patch @@ -0,0 +1,55 @@ +From 88e994c57a79f62d5338231d8d37ee8dd98baffe Mon Sep 17 00:00:00 2001 +From: Salman Alghamdi +Date: Wed, 13 May 2026 23:34:40 +0300 +Subject: staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction + +From: Salman Alghamdi + +commit 88e994c57a79f62d5338231d8d37ee8dd98baffe upstream. + +Add guards to ensure ie_length is large enough before subtracting +fixed IE offsets to prevent unsigned integer underflow. + +Fixes: 2038fe84b8bd ("staging: rtl8723bs: fix spacing around operators") +Fixes: d3fcee1b78a5 ("staging: rtl8723bs: fix camel case in struct wlan_bssid_ex") +Closes: https://lore.kernel.org/linux-staging/DI2H39EAAFBZ.3KI5NWN02AQ2S@linux.dev/ +Cc: stable +Signed-off-by: Salman Alghamdi +Reviewed-by: Luka Gejak +Link: https://patch.msgid.link/20260513203455.31792-1-me@cipherat.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8723bs/core/rtw_mlme.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c ++++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c +@@ -612,6 +612,8 @@ int rtw_is_desired_network(struct adapte + privacy = pnetwork->network.privacy; + + if (check_fwstate(pmlmepriv, WIFI_UNDER_WPS)) { ++ if (pnetwork->network.ie_length < _FIXED_IE_LENGTH_) ++ return false; + if (rtw_get_wps_ie(pnetwork->network.ies + _FIXED_IE_LENGTH_, pnetwork->network.ie_length - _FIXED_IE_LENGTH_, NULL, &wps_ielen)) + return true; + else +@@ -625,11 +627,15 @@ int rtw_is_desired_network(struct adapte + bselected = false; + + if (psecuritypriv->ndisauthtype == Ndis802_11AuthModeWPA2PSK) { +- p = rtw_get_ie(pnetwork->network.ies + _BEACON_IE_OFFSET_, WLAN_EID_RSN, &ie_len, (pnetwork->network.ie_length - _BEACON_IE_OFFSET_)); +- if (p && ie_len > 0) +- bselected = true; +- else ++ if (pnetwork->network.ie_length < _BEACON_IE_OFFSET_) { + bselected = false; ++ } else { ++ p = rtw_get_ie(pnetwork->network.ies + _BEACON_IE_OFFSET_, WLAN_EID_RSN, &ie_len, (pnetwork->network.ie_length - _BEACON_IE_OFFSET_)); ++ if (p && ie_len > 0) ++ bselected = true; ++ else ++ bselected = false; ++ } + } + } + diff --git a/queue-7.0/timers-migration-fix-livelock-in-tmigr_handle_remote_up.patch b/queue-7.0/timers-migration-fix-livelock-in-tmigr_handle_remote_up.patch new file mode 100644 index 0000000000..50f9055896 --- /dev/null +++ b/queue-7.0/timers-migration-fix-livelock-in-tmigr_handle_remote_up.patch @@ -0,0 +1,59 @@ +From d486b4934a8e504376b85cdb3766f306d57aff5b Mon Sep 17 00:00:00 2001 +From: Amit Matityahu +Date: Wed, 3 Jun 2026 17:01:39 +0000 +Subject: timers/migration: Fix livelock in tmigr_handle_remote_up() + +From: Amit Matityahu + +commit d486b4934a8e504376b85cdb3766f306d57aff5b upstream. + +tmigr_handle_remote_cpu() skips timer_expire_remote() when cpu == +smp_processor_id(), assuming the local softirq path already handled this +CPU's timers. + +This assumption is wrong because jiffies can advance after the handling of +the CPU's global timers in run_timer_base(BASE_GLOBAL) and before +tmigr_handle_remote() evaluates the expiry times. + +As a consequence a timer which expires after the CPU local timer wheel +advanced and becomes expired in the remote handling is ignored and the +callback is never invoked and removed from the timer wheel. + +What's worse is that fetch_next_timer_interrupt_remote() keeps reporting it +as expired, and the event is re-queued with expires == now on each +iteration. The goto-again loop spins indefinitely. + +Fix this by calling timer_expire_remote() unconditionally. That's minimal +overhead for the common case as __run_timer_base() returns immediately if +there is nothing to expire in the local wheel. + +[ tglx: Amend change log and add a comment ] + +Fixes: 7ee988770326 ("timers: Implement the hierarchical pull model") +Reported-by: Alon Kariv +Signed-off-by: Amit Matityahu +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260603170139.33628-1-amitmat@amazon.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/timer_migration.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/kernel/time/timer_migration.c ++++ b/kernel/time/timer_migration.c +@@ -978,8 +978,12 @@ static void tmigr_handle_remote_cpu(unsi + /* Drop the lock to allow the remote CPU to exit idle */ + raw_spin_unlock_irq(&tmc->lock); + +- if (cpu != smp_processor_id()) +- timer_expire_remote(cpu); ++ /* ++ * This can't exclude the local CPU because jiffies might have advanced ++ * after the timer softirq invoked run_timer_base(BASE_GLOBAL) and the ++ * point where the jiffies snapshot @jif was taken in tmigr_handle_remote(). ++ */ ++ timer_expire_remote(cpu); + + /* + * Lock ordering needs to be preserved - timer_base locks before tmigr diff --git a/queue-7.0/udp-clear-skb-dev-before-running-a-sockmap-verdict.patch b/queue-7.0/udp-clear-skb-dev-before-running-a-sockmap-verdict.patch new file mode 100644 index 0000000000..223309cd75 --- /dev/null +++ b/queue-7.0/udp-clear-skb-dev-before-running-a-sockmap-verdict.patch @@ -0,0 +1,87 @@ +From 3c94f241f776562c489876ff506f366224565c21 Mon Sep 17 00:00:00 2001 +From: Sechang Lim +Date: Wed, 3 Jun 2026 16:27:33 +0000 +Subject: udp: clear skb->dev before running a sockmap verdict + +From: Sechang Lim + +commit 3c94f241f776562c489876ff506f366224565c21 upstream. + +On the UDP receive path skb->dev is repurposed as dev_scratch (the +truesize/state cache set by udp_set_dev_scratch()), through the +union { struct net_device *dev; unsigned long dev_scratch; } in sk_buff. + +When a UDP socket is in a sockmap, sk_data_ready is +sk_psock_verdict_data_ready(), which calls udp_read_skb() -> recv_actor() +(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq. +If that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp, +bpf_skc_lookup_tcp), bpf_skc_lookup() does: + + if (skb->dev) + caller_net = dev_net(skb->dev); + +skb->dev still holds the dev_scratch value (a non-NULL integer), so dev_net() +dereferences it as a struct net_device * and the kernel takes a general +protection fault on a non-canonical address in softirq: + + Oops: general protection fault, probably for non-canonical address 0x1010000800004a0 + CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full) + RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline] + RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047 + Call Trace: + + bpf_prog_4675cb904b7071f8+0x12e/0x14e + bpf_prog_run_pin_on_cpu+0xc6/0x1f0 + sk_psock_verdict_recv+0x1ba/0x350 + udp_read_skb+0x31a/0x370 + sk_psock_verdict_data_ready+0x2e3/0x600 + __udp_enqueue_schedule_skb+0x4c8/0x650 + udpv6_queue_rcv_one_skb+0x3ec/0x740 + udp6_unicast_rcv_skb+0x11d/0x140 + ip6_protocol_deliver_rcu+0x61e/0x950 + ip6_input_finish+0xa9/0x150 + NF_HOOK+0x286/0x2f0 + ip6_input+0x117/0x220 + NF_HOOK+0x286/0x2f0 + __netif_receive_skb+0x85/0x200 + process_backlog+0x374/0x9a0 + __napi_poll+0x4f/0x1c0 + net_rx_action+0x3b0/0x770 + handle_softirqs+0x15a/0x460 + do_softirq+0x57/0x80 + + +The rmem charge that dev_scratch accounted for is released by skb_recv_udp() on +dequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear +skb->dev so bpf_skc_lookup() falls back to sock_net(skb->sk), which +skb_set_owner_sk_safe() set just above. + +Fixes: 965b57b469a5 ("net: Introduce a new proto_ops ->read_skb()") +Cc: stable@vger.kernel.org +Signed-off-by: Sechang Lim +Reviewed-by: Jiayuan Chen +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260603162737.697215-1-rhkrqnwk98@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -2061,6 +2061,14 @@ try_again: + } + + WARN_ON_ONCE(!skb_set_owner_sk_safe(skb, sk)); ++ ++ /* ++ * skb->dev still aliases the UDP rx dev_scratch (its charge was freed ++ * on dequeue above); a sockmap verdict program may deref it via ++ * bpf_sk_lookup_*(), so clear it -> bpf_skc_lookup() uses skb->sk ++ */ ++ skb->dev = NULL; ++ + return recv_actor(sk, skb); + } + EXPORT_IPV6_MOD(udp_read_skb); diff --git a/queue-7.0/usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch b/queue-7.0/usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch new file mode 100644 index 0000000000..52b6a1f5cb --- /dev/null +++ b/queue-7.0/usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch @@ -0,0 +1,45 @@ +From 0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae Mon Sep 17 00:00:00 2001 +From: Adrian Korwel +Date: Mon, 25 May 2026 09:58:32 -0500 +Subject: USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() + +From: Adrian Korwel + +commit 0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae upstream. + +build_i2c_fw_hdr() allocates a fixed-size buffer of +(16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then +copies le16_to_cpu(img_header->Length) bytes into it without +validating that Length fits within the available space after the +firmware record header. + +img_header->Length is a __le16 from the firmware file and can be +up to 65535. check_fw_sanity() validates the total firmware size +but not img_header->Length specifically. + +Fix by rejecting images where img_header->Length exceeds the +available destination space. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Adrian Korwel +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/io_ti.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -844,6 +844,11 @@ static int build_i2c_fw_hdr(u8 *header, + /* Pointer to fw_down memory image */ + img_header = (struct ti_i2c_image_header *)&fw->data[4]; + ++ if (le16_to_cpu(img_header->Length) > ++ buffer_size - sizeof(struct ti_i2c_firmware_rec)) { ++ kfree(buffer); ++ return -EINVAL; ++ } + memcpy(buffer + sizeof(struct ti_i2c_firmware_rec), + &fw->data[4 + sizeof(struct ti_i2c_image_header)], + le16_to_cpu(img_header->Length)); diff --git a/queue-7.0/usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch b/queue-7.0/usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch new file mode 100644 index 0000000000..1f902fc9f9 --- /dev/null +++ b/queue-7.0/usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch @@ -0,0 +1,51 @@ +From 183c1076eca43bbb3e7bdf597456f91d81c73e74 Mon Sep 17 00:00:00 2001 +From: Adrian Korwel +Date: Mon, 25 May 2026 09:58:31 -0500 +Subject: USB: serial: io_ti: fix heap overflow in get_manuf_info() + +From: Adrian Korwel + +commit 183c1076eca43bbb3e7bdf597456f91d81c73e74 upstream. + +get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the +device I2C EEPROM into a buffer allocated with kmalloc_obj(), which +is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes. + +The Size field comes from the device and is only validated (in +check_i2c_image()) to make sure the descriptor fits within +TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. +A malicious USB device can therefore set Size to any value up to 16377, +causing a heap overflow of up to 16367 bytes when plugged into a host +running this driver. + +valid_csum() is called after read_rom() and also iterates +buffer[0..Size-1], compounding the out-of-bounds access. + +Fix by rejecting descriptors with unexpected length before calling +read_rom(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Adrian Korwel +[ johan: amend commit message; also check for short descriptors ] +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/io_ti.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -773,6 +773,12 @@ static int get_manuf_info(struct edgepor + } + + /* Read the descriptor data */ ++ if (le16_to_cpu(rom_desc->Size) != sizeof(struct edge_ti_manuf_descriptor)) { ++ dev_err(dev, "unexpected Edge descriptor length: %u\n", ++ le16_to_cpu(rom_desc->Size)); ++ status = -EINVAL; ++ goto exit; ++ } + status = read_rom(serial, start_address+sizeof(struct ti_i2c_desc), + le16_to_cpu(rom_desc->Size), buffer); + if (status) diff --git a/queue-7.0/usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch b/queue-7.0/usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch new file mode 100644 index 0000000000..d1aeb14b5c --- /dev/null +++ b/queue-7.0/usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch @@ -0,0 +1,61 @@ +From 96d47e40bf9db4a9efd5c8fb53287a508d165f14 Mon Sep 17 00:00:00 2001 +From: HyeongJun An +Date: Mon, 8 Jun 2026 18:09:26 +0900 +Subject: USB: serial: kl5kusb105: fix bulk-out buffer overflow + +From: HyeongJun An + +commit 96d47e40bf9db4a9efd5c8fb53287a508d165f14 upstream. + +klsi_105_prepare_write_buffer() is called by the generic write path +with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It +stores a two-byte length header at the start of the buffer and copies +the payload from the write fifo starting at buf + KLSI_HDR_LEN, but +passes the full buffer size as the number of bytes to copy: + + count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, + size, &port->lock); + +When the fifo holds at least size bytes, size bytes are copied starting +two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its +end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for +the header as safe_serial already does. + +Writing bulk_out_size or more bytes to the tty triggers a slab +out-of-bounds write, observed with KASAN by emulating the device with +dummy_hcd and raw-gadget: + + BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0 + Write of size 64 at addr ffff888112c62202 by task python3 + kfifo_copy_out + klsi_105_prepare_write_buffer [kl5kusb105] + usb_serial_generic_write_start [usbserial] + Allocated by task 139: + usb_serial_probe [usbserial] + The buggy address is located 2 bytes inside of allocated 64-byte region + +The out-of-bounds write no longer occurs with this change applied. + +Fixes: 60b3013cdaf3 ("USB: kl5usb105: reimplement using generic framework") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-8 +Signed-off-by: HyeongJun An +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/kl5kusb105.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/kl5kusb105.c ++++ b/drivers/usb/serial/kl5kusb105.c +@@ -330,8 +330,8 @@ static int klsi_105_prepare_write_buffer + unsigned char *buf = dest; + int count; + +- count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size, +- &port->lock); ++ count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, ++ size - KLSI_HDR_LEN, &port->lock); + put_unaligned_le16(count, buf); + + return count + KLSI_HDR_LEN; diff --git a/queue-7.0/usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch b/queue-7.0/usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch new file mode 100644 index 0000000000..ad79a2c2a8 --- /dev/null +++ b/queue-7.0/usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch @@ -0,0 +1,71 @@ +From 1938fb9fe38c4f04a3f30bea44f8071c80a63be4 Mon Sep 17 00:00:00 2001 +From: Jack Wu +Date: Thu, 4 Jun 2026 10:04:40 +0800 +Subject: USB: serial: option: add usb-id for Dell Wireless DW5826e-m + +From: Jack Wu + +commit 1938fb9fe38c4f04a3f30bea44f8071c80a63be4 upstream. + +Add support for Dell DW5826e-m with USB-id 0x413c:0x81ea + +T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 8 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=413c ProdID=81ea Rev= 5.04 +S: Manufacturer=DELL +S: Product=DW5826e-m Qualcomm Snapdragon X12 Global LTE-A +S: SerialNumber=358988870177734 +C:* #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA +A: FirstIf#=12 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I:* If#=12 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#=13 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I:* If#=13 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Jack Wu +Reviewed-by: Lars Melin +Cc: stable@vger.kernel.org +[ johan: reserve also interface 4 ] +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -202,6 +202,7 @@ static void option_instat_callback(struc + #define DELL_PRODUCT_5821E_ESIM 0x81e0 + #define DELL_PRODUCT_5829E_ESIM 0x81e4 + #define DELL_PRODUCT_5829E 0x81e6 ++#define DELL_PRODUCT_5826E_ESIM 0x81ea + + #define DELL_PRODUCT_FM101R_ESIM 0x8213 + #define DELL_PRODUCT_FM101R 0x8215 +@@ -1123,6 +1124,8 @@ static const struct usb_device_id option + .driver_info = RSVD(0) | RSVD(6) }, + { USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5829E_ESIM), + .driver_info = RSVD(0) | RSVD(6) }, ++ { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_5826E_ESIM, 0xff), ++ .driver_info = RSVD(1) | RSVD(4) }, + { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R, 0xff) }, + { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R_ESIM, 0xff) }, + { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) }, /* ADU-E100, ADU-310 */ diff --git a/queue-7.0/vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch b/queue-7.0/vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch new file mode 100644 index 0000000000..d50fc3465e --- /dev/null +++ b/queue-7.0/vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch @@ -0,0 +1,53 @@ +From c05fa14db43ebef3bd862ca9d073981c0358b3f0 Mon Sep 17 00:00:00 2001 +From: Raf Dickson +Date: Tue, 26 May 2026 10:43:56 +0000 +Subject: vsock/vmci: fix sk_ack_backlog leak on failed handshake + +From: Raf Dickson + +commit c05fa14db43ebef3bd862ca9d073981c0358b3f0 upstream. + +When vmci_transport_recv_connecting_server() returns an error, +vmci_transport_recv_listen() calls vsock_remove_pending() but never +calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented +permanently. + +Repeated handshake failures (malformed packets, queue pair alloc +failure, event subscribe failure) cause sk_ack_backlog to climb +toward sk_max_ack_backlog. Once it reaches the limit the listener +permanently refuses all new connections with -ECONNREFUSED, a +silent denial of service requiring a process restart to recover. + +The two existing sk_acceptq_removed() calls in af_vsock.c do not +cover this path: line 764 checks vsock_is_pending() which returns +false after vsock_remove_pending(), and line 1889 is only reached +on successful accept(). + +Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on +the error path. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Cc: stable@vger.kernel.org +Signed-off-by: Raf Dickson +Acked-by: Stefano Garzarella +Link: https://patch.msgid.link/20260526104356.469928-1-rafdog35@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/vmci_transport.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/vmw_vsock/vmci_transport.c ++++ b/net/vmw_vsock/vmci_transport.c +@@ -980,8 +980,10 @@ static int vmci_transport_recv_listen(st + err = -EINVAL; + } + +- if (err < 0) ++ if (err < 0) { + vsock_remove_pending(sk, pending); ++ sk_acceptq_removed(sk); ++ } + + release_sock(pending); + vmci_transport_release_pending(pending); diff --git a/queue-7.0/wifi-iwlwifi-pcie-simplify-the-resume-flow-if-fast-resume-is-not-used.patch b/queue-7.0/wifi-iwlwifi-pcie-simplify-the-resume-flow-if-fast-resume-is-not-used.patch new file mode 100644 index 0000000000..b0d90652d7 --- /dev/null +++ b/queue-7.0/wifi-iwlwifi-pcie-simplify-the-resume-flow-if-fast-resume-is-not-used.patch @@ -0,0 +1,102 @@ +From 093305d801fae6ff9b8bb531fd78b579794c4f80 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Sun, 31 May 2026 13:30:19 +0300 +Subject: wifi: iwlwifi: pcie: simplify the resume flow if fast resume is not used + +From: Emmanuel Grumbach + +commit 093305d801fae6ff9b8bb531fd78b579794c4f80 upstream. + +In most distributions, NetworkManager shuts the device down before +entering system suspend, so fast suspend is typically not used. + +On older devices, resume currently tries to grab NIC access to infer +whether the device was powered off while suspended. That probe is only +meaningful for the fast-suspend path where the device is expected to +remain alive. + +Unfortunately, for unclear reasons, grabbing NIC access was harmful as +reported in the bugzilla ticket below. + +Workaround this issue by simply not grabbing NIC access if fast suspend +is not used. + +Cc: stable@vger.kernel.org +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221501 +Assisted-by: GitHub Copilot:gpt-5.3-codex +Signed-off-by: Emmanuel Grumbach +Link: https://patch.msgid.link/20260531133005.e2ed9e0cd44f.If283625983a843933e0c01561a421daff184e9e9@changeid +Signed-off-by: Miri Korenblit +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 56 ++++++++++++++------------ + 1 file changed, 32 insertions(+), 24 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -1225,33 +1225,41 @@ static int _iwl_pci_resume(struct device + if (!trans->op_mode) + return 0; + +- /* +- * Scratch value was altered, this means the device was powered off, we +- * need to reset it completely. +- * Note: MAC (bits 0:7) will be cleared upon suspend even with wowlan, +- * but not bits [15:8]. So if we have bits set in lower word, assume +- * the device is alive. +- * Alternatively, if the scratch value is 0xFFFFFFFF, then we no longer +- * have access to the device and consider it powered off. +- * For older devices, just try silently to grab the NIC. +- */ +- if (trans->mac_cfg->device_family >= IWL_DEVICE_FAMILY_BZ) { +- u32 scratch = iwl_read32(trans, CSR_FUNC_SCRATCH); +- +- if (!(scratch & CSR_FUNC_SCRATCH_POWER_OFF_MASK) || +- scratch == ~0U) +- device_was_powered_off = true; +- } else { ++ if (test_bit(STATUS_DEVICE_ENABLED, &trans->status)) { + /* +- * bh are re-enabled by iwl_trans_pcie_release_nic_access, +- * so re-enable them if _iwl_trans_pcie_grab_nic_access fails. ++ * Scratch value was altered, this means the device was powered ++ * off, we need to reset it completely. ++ * Note: MAC (bits 0:7) will be cleared upon suspend even with ++ * wowlan, but not bits [15:8]. So if we have bits set in lower ++ * word, assume the device is alive. ++ * Alternatively, if the scratch value is 0xFFFFFFFF, then we ++ * no longer have access to the device and consider it powered ++ * off. ++ * For older devices, just try silently to grab the NIC. + */ +- local_bh_disable(); +- if (_iwl_trans_pcie_grab_nic_access(trans, true)) { +- iwl_trans_pcie_release_nic_access(trans); ++ if (trans->mac_cfg->device_family >= IWL_DEVICE_FAMILY_BZ) { ++ u32 scratch = iwl_read32(trans, CSR_FUNC_SCRATCH); ++ ++ if (!(scratch & CSR_FUNC_SCRATCH_POWER_OFF_MASK) || ++ scratch == ~0U) { ++ IWL_DEBUG_WOWLAN(trans, ++ "Scratch 0x%08x indicates device was powered off\n", ++ scratch); ++ device_was_powered_off = true; ++ } + } else { +- device_was_powered_off = true; +- local_bh_enable(); ++ /* ++ * bh are re-enabled by iwl_trans_pcie_release_nic_access, ++ * so re-enable them if _iwl_trans_pcie_grab_nic_access ++ * fails. ++ */ ++ local_bh_disable(); ++ if (_iwl_trans_pcie_grab_nic_access(trans, true)) { ++ iwl_trans_pcie_release_nic_access(trans); ++ } else { ++ device_was_powered_off = true; ++ local_bh_enable(); ++ } + } + } + diff --git a/queue-7.0/wifi-nl80211-reject-oversized-ema-rnr-lists.patch b/queue-7.0/wifi-nl80211-reject-oversized-ema-rnr-lists.patch new file mode 100644 index 0000000000..5191dec830 --- /dev/null +++ b/queue-7.0/wifi-nl80211-reject-oversized-ema-rnr-lists.patch @@ -0,0 +1,45 @@ +From 4cd92957e8f8cc4ebfe8a5d4203c14c592fde6b1 Mon Sep 17 00:00:00 2001 +From: Yuqi Xu +Date: Fri, 29 May 2026 23:25:37 +0800 +Subject: wifi: nl80211: reject oversized EMA RNR lists + +From: Yuqi Xu + +commit 4cd92957e8f8cc4ebfe8a5d4203c14c592fde6b1 upstream. + +nl80211_parse_rnr_elems() stores the parsed element count in a +u8-backed cfg80211_rnr_elems::cnt field and uses that count to size +the flexible array allocation. + +Reject nested NL80211_ATTR_EMA_RNR_ELEMS input once the count reaches +255, before incrementing it again. This keeps the parser aligned with +the data structure it fills and matches the existing bound check used +by nl80211_parse_mbssid_elems(). + +Fixes: dbbb27e183b1 ("cfg80211: support RNR for EMA AP") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Zhengchuan Liang +Reported-by: Xin Liu +Assisted-by: Codex:gpt-5.4 +Signed-off-by: Yuqi Xu +Signed-off-by: Ren Wei +Link: https://patch.msgid.link/20260529152542.1412734-1-n05ec@lzu.edu.cn +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/nl80211.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -6154,6 +6154,9 @@ nl80211_parse_rnr_elems(struct wiphy *wi + if (ret) + return ERR_PTR(ret); + ++ if (num_elems >= 255) ++ return ERR_PTR(-EINVAL); ++ + num_elems++; + } + diff --git a/queue-7.0/xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch b/queue-7.0/xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch new file mode 100644 index 0000000000..259ae4ca14 --- /dev/null +++ b/queue-7.0/xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch @@ -0,0 +1,59 @@ +From c381039ade2e161ab08c0eda73c4f8b9a7115928 Mon Sep 17 00:00:00 2001 +From: Wyatt Feng +Date: Wed, 3 Jun 2026 00:46:27 +0800 +Subject: xfrm: espintcp: do not reuse an in-progress partial send + +From: Wyatt Feng + +commit c381039ade2e161ab08c0eda73c4f8b9a7115928 upstream. + +espintcp keeps a single in-flight transmit in ctx->partial. +Before building a new sk_msg, espintcp_sendmsg() first tries to flush +that state through espintcp_push_msgs(). + +For blocking callers, espintcp_push_msgs() may return success even when +the previous partial send is still pending. espintcp_sendmsg() would +then reinitialize emsg->skmsg and reuse ctx->partial while the old +transfer still owns that state. + +Do not rebuild the send message when ctx->partial is still in progress. +If espintcp_push_msgs() returns with emsg->len still set, fail the new +send instead of overwriting the live partial state. + +This is a memory-safety fix: reusing the live partial-send state can +leave a stale offset attached to a new sk_msg and lead to an out-of- +bounds read in the send path. + +tcp_sendmsg_locked() already handles waiting for send buffer memory, so +the fix here is just to preserve espintcp's one-message-at-a-time +transmit state. + +Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Zhengchuan Liang +Reported-by: Xin Liu +Assisted-by: Codex:GPT-5.4 +Signed-off-by: Wyatt Feng +Signed-off-by: Ren Wei +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/espintcp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/xfrm/espintcp.c ++++ b/net/xfrm/espintcp.c +@@ -349,6 +349,10 @@ static int espintcp_sendmsg(struct sock + err = -ENOBUFS; + goto unlock; + } ++ if (emsg->len) { ++ err = -ENOBUFS; ++ goto unlock; ++ } + + sk_msg_init(&emsg->skmsg); + while (1) { diff --git a/queue-7.0/xfrm-iptfs-fix-abba-deadlock-in-iptfs_destroy_state.patch b/queue-7.0/xfrm-iptfs-fix-abba-deadlock-in-iptfs_destroy_state.patch new file mode 100644 index 0000000000..84bba7f83a --- /dev/null +++ b/queue-7.0/xfrm-iptfs-fix-abba-deadlock-in-iptfs_destroy_state.patch @@ -0,0 +1,75 @@ +From c8a8a75b733467b00c08b91a38dbaf207a08ed6e Mon Sep 17 00:00:00 2001 +From: Tristan Madani +Date: Tue, 2 Jun 2026 17:16:41 +0000 +Subject: xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state() + +From: Tristan Madani + +commit c8a8a75b733467b00c08b91a38dbaf207a08ed6e upstream. + +iptfs_destroy_state() calls hrtimer_cancel() while holding a spinlock +that the timer callback also acquires, leading to an ABBA deadlock on +SMP systems. + +For the output timer (iptfs_timer): + - iptfs_destroy_state() holds x->lock, calls hrtimer_cancel() + - iptfs_delay_timer() callback takes x->lock + +For the drop timer (drop_timer): + - iptfs_destroy_state() holds drop_lock, calls hrtimer_cancel() + - iptfs_drop_timer() callback takes drop_lock + +Both timers use HRTIMER_MODE_REL_SOFT, so their callbacks run in softirq +context. When hrtimer_cancel() is called for a soft timer that is +currently executing on another CPU, hrtimer_cancel_wait_running() spins +on softirq_expiry_lock -- the same lock held by the softirq running the +callback. If the callback is blocked waiting for the spinlock held by +the caller of hrtimer_cancel(), a circular dependency forms: + + CPU 0: holds lock_A -> waits for softirq_expiry_lock + CPU 1: holds softirq_expiry_lock -> waits for lock_A + +Fix by calling hrtimer_cancel() before acquiring the respective locks. +hrtimer_cancel() is safe to call without holding any lock and will wait +for any in-progress callback to complete. For the output timer, the +lock is still acquired afterwards to drain the packet queue. For the +drop timer, the lock/unlock pair is removed entirely since it only +existed to serialize with the timer callback, which hrtimer_cancel() +already guarantees. + +Found by source code audit. + +Fixes: 4b3faf610cc6 ("xfrm: iptfs: add new iptfs xfrm mode impl") +Cc: Christian Hopps +Cc: Steffen Klassert +Cc: stable@vger.kernel.org +Signed-off-by: Tristan Madani +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_iptfs.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/xfrm/xfrm_iptfs.c ++++ b/net/xfrm/xfrm_iptfs.c +@@ -2730,8 +2730,9 @@ static void iptfs_destroy_state(struct x + if (!xtfs) + return; + +- spin_lock_bh(&xtfs->x->lock); + hrtimer_cancel(&xtfs->iptfs_timer); ++ ++ spin_lock_bh(&xtfs->x->lock); + __skb_queue_head_init(&list); + skb_queue_splice_init(&xtfs->queue, &list); + spin_unlock_bh(&xtfs->x->lock); +@@ -2739,9 +2740,7 @@ static void iptfs_destroy_state(struct x + while ((skb = __skb_dequeue(&list))) + kfree_skb(skb); + +- spin_lock_bh(&xtfs->drop_lock); + hrtimer_cancel(&xtfs->drop_timer); +- spin_unlock_bh(&xtfs->drop_lock); + + if (xtfs->ra_newskb) + kfree_skb(xtfs->ra_newskb); diff --git a/queue-7.0/xfrm-iptfs-preserve-shared-frag-marker-in-iptfs_consume_frags.patch b/queue-7.0/xfrm-iptfs-preserve-shared-frag-marker-in-iptfs_consume_frags.patch new file mode 100644 index 0000000000..6fa69e3cd8 --- /dev/null +++ b/queue-7.0/xfrm-iptfs-preserve-shared-frag-marker-in-iptfs_consume_frags.patch @@ -0,0 +1,39 @@ +From e9096a5a170e7ecd6467bc2e08668ec39897cda7 Mon Sep 17 00:00:00 2001 +From: Takao Sato +Date: Tue, 26 May 2026 13:09:57 -0300 +Subject: xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags() + +From: Takao Sato + +commit e9096a5a170e7ecd6467bc2e08668ec39897cda7 upstream. + +iptfs_consume_frags() transfers paged fragments from one socket buffer +to another but fails to propagate the SKBFL_SHARED_FRAG flag. This is +the same class of bug that was fixed in skb_try_coalesce() for +CVE-2026-46300: when fragments backed by read-only page-cache pages are +merged, the marker indicating their shared nature must be preserved so +that ESP can decide correctly whether in-place encryption is safe. + +Apply the same two-line fix used in skb_try_coalesce() to +iptfs_consume_frags(). + +Fixes: b96ba312e21c ("xfrm: iptfs: share page fragments of inner packets") +Cc: stable@vger.kernel.org # 6.14+ +Signed-off-by: Takao Sato +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_iptfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/xfrm/xfrm_iptfs.c ++++ b/net/xfrm/xfrm_iptfs.c +@@ -2170,6 +2170,8 @@ static void iptfs_consume_frags(struct s + memcpy(&toi->frags[toi->nr_frags], fromi->frags, + sizeof(fromi->frags[0]) * fromi->nr_frags); + toi->nr_frags += fromi->nr_frags; ++ if (fromi->nr_frags) ++ toi->flags |= fromi->flags & SKBFL_SHARED_FRAG; + fromi->nr_frags = 0; + from->data_len = 0; + from->len = 0; diff --git a/queue-7.0/xfs-fix-error-returns-in-cow-fork-repair.patch b/queue-7.0/xfs-fix-error-returns-in-cow-fork-repair.patch new file mode 100644 index 0000000000..c3257efe2b --- /dev/null +++ b/queue-7.0/xfs-fix-error-returns-in-cow-fork-repair.patch @@ -0,0 +1,54 @@ +From fcf4faba9f986b3bb528da11913c9ec5d6e8f689 Mon Sep 17 00:00:00 2001 +From: Yingjie Gao +Date: Wed, 27 May 2026 12:31:33 +0800 +Subject: xfs: fix error returns in CoW fork repair + +From: Yingjie Gao + +commit fcf4faba9f986b3bb528da11913c9ec5d6e8f689 upstream. + +xrep_cow_find_bad() returns success after the cleanup labels even if +AG setup, btree queries, or bitmap updates failed. This can make +repair continue with an incomplete bad-file-offset bitmap instead of +stopping at the original error. + +The force-rebuild path has a related cleanup problem. If +xrep_cow_mark_file_range() fails, the function returns directly and +skips the scrub AG context and perag cleanup. + +Let the force-rebuild path fall through to the existing cleanup code +and return the saved error after cleanup. + +Fixes: dbbdbd008632 ("xfs: repair problems in CoW forks") +Cc: # v6.8 +Signed-off-by: Yingjie Gao +Reviewed-by: "Darrick J. Wong" +Signed-off-by: Carlos Maiolino +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/scrub/cow_repair.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/fs/xfs/scrub/cow_repair.c ++++ b/fs/xfs/scrub/cow_repair.c +@@ -300,18 +300,15 @@ xrep_cow_find_bad( + * on the debugging knob, replace everything in the CoW fork. + */ + if ((sc->sm->sm_flags & XFS_SCRUB_IFLAG_FORCE_REBUILD) || +- XFS_TEST_ERROR(sc->mp, XFS_ERRTAG_FORCE_SCRUB_REPAIR)) { ++ XFS_TEST_ERROR(sc->mp, XFS_ERRTAG_FORCE_SCRUB_REPAIR)) + error = xrep_cow_mark_file_range(xc, xc->irec.br_startblock, + xc->irec.br_blockcount); +- if (error) +- return error; +- } + + out_sa: + xchk_ag_free(sc, &sc->sa); + out_pag: + xfs_perag_put(pag); +- return 0; ++ return error; + } + + /* diff --git a/queue-7.0/xfs-fix-rtgroup-cleanup-in-cow-fork-repair.patch b/queue-7.0/xfs-fix-rtgroup-cleanup-in-cow-fork-repair.patch new file mode 100644 index 0000000000..ed62e6bef8 --- /dev/null +++ b/queue-7.0/xfs-fix-rtgroup-cleanup-in-cow-fork-repair.patch @@ -0,0 +1,44 @@ +From c3e073894379532c00cca7ba5762e18fafe29da8 Mon Sep 17 00:00:00 2001 +From: Yingjie Gao +Date: Wed, 27 May 2026 12:31:34 +0800 +Subject: xfs: fix rtgroup cleanup in CoW fork repair + +From: Yingjie Gao + +commit c3e073894379532c00cca7ba5762e18fafe29da8 upstream. + +xrep_cow_find_bad_rt() initializes scrub rtgroup state before the +force-rebuild path calls xrep_cow_mark_file_range(). If that call +fails, the code jumps directly to out_rtg, which skips the scrub +rtgroup cleanup and only drops the local rtgroup reference. + +Remove the unnecessary jump so the function falls through to out_sr, +ensuring the realtime cursors, lock state, and sr->rtg reference are +released before returning. + +Fixes: fd97fe111208 ("xfs: fix CoW forks for realtime files") +Cc: # v6.14 +Signed-off-by: Yingjie Gao +Reviewed-by: "Darrick J. Wong" +Signed-off-by: Carlos Maiolino +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/scrub/cow_repair.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/fs/xfs/scrub/cow_repair.c ++++ b/fs/xfs/scrub/cow_repair.c +@@ -382,12 +382,9 @@ xrep_cow_find_bad_rt( + * CoW fork and then scan for staging extents in the refcountbt. + */ + if ((sc->sm->sm_flags & XFS_SCRUB_IFLAG_FORCE_REBUILD) || +- XFS_TEST_ERROR(sc->mp, XFS_ERRTAG_FORCE_SCRUB_REPAIR)) { ++ XFS_TEST_ERROR(sc->mp, XFS_ERRTAG_FORCE_SCRUB_REPAIR)) + error = xrep_cow_mark_file_range(xc, xc->irec.br_startblock, + xc->irec.br_blockcount); +- if (error) +- goto out_rtg; +- } + + out_sr: + xchk_rtgroup_btcur_free(&sc->sr); diff --git a/queue-7.0/zram-fix-use-after-free-in-zram_bvec_write_partial.patch b/queue-7.0/zram-fix-use-after-free-in-zram_bvec_write_partial.patch new file mode 100644 index 0000000000..af428fc504 --- /dev/null +++ b/queue-7.0/zram-fix-use-after-free-in-zram_bvec_write_partial.patch @@ -0,0 +1,47 @@ +From 732fd9f0b9c1cdc6dfd77162ded60df005182cc0 Mon Sep 17 00:00:00 2001 +From: Cunlong Li +Date: Thu, 28 May 2026 10:48:44 +0800 +Subject: zram: fix use-after-free in zram_bvec_write_partial() + +From: Cunlong Li + +commit 732fd9f0b9c1cdc6dfd77162ded60df005182cc0 upstream. + +zram_read_page() picks the sync or async backing device read path based on +whether the parent bio is NULL. zram_bvec_write_partial() passes its +parent bio down, so for ZRAM_WB slots the read is dispatched +asynchronously and zram_read_page() returns 0 while the bio is still in +flight. The caller then runs memcpy_from_bvec(), zram_write_page() and +__free_page() on the buffer, leaving the async read to write into a freed +page. + +zram_bvec_read_partial() was switched to NULL in commit 4e3c87b9421d +("zram: fix synchronous reads") for the same reason; the write_partial +counterpart was missed. + +Link: https://lore.kernel.org/20260528-zram-v3-1-cab86eef8764@gmail.com +Fixes: 8e654f8fbff5 ("zram: read page from backing device") +Reviewed-by: Christoph Hellwig +Reviewed-by: Sergey Senozhatsky +Signed-off-by: Cunlong Li +Cc: Jens Axboe +Cc: Minchan Kim +Cc: Yisheng Xie +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/zram/zram_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/block/zram/zram_drv.c ++++ b/drivers/block/zram/zram_drv.c +@@ -2321,7 +2321,7 @@ static int zram_bvec_write_partial(struc + if (!page) + return -ENOMEM; + +- ret = zram_read_page(zram, page, index, bio); ++ ret = zram_read_page(zram, page, index, NULL); + if (!ret) { + memcpy_from_bvec(page_address(page) + offset, bvec); + ret = zram_write_page(zram, page, index);