From: Greg Kroah-Hartman
Date: Fri, 21 Nov 2025 10:45:09 +0000 (+0100)
Subject: 6.12-stable patches
X-Git-Tag: v6.6.117~7
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5191ff0a9d8dcbd9472f8824d229f9672d4836a7;p=thirdparty%2Fkernel%2Fstable-queue.git
6.12-stable patches
added patches:
	bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_mesh_complete.patch
	net-netpoll-ensure-skb_pool-list-is-always-initialized.patch
	proc-proc_maps_open-allow-proc_mem_open-to-return-null.patch
---
diff --git a/queue-6.12/bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_mesh_complete.patch b/queue-6.12/bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_mesh_complete.patch
new file mode 100644
index 0000000000..584dca3969
--- /dev/null
+++ b/queue-6.12/bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_mesh_complete.patch
@@ -0,0 +1,107 @@
+From e8785404de06a69d89dcdd1e9a0b6ea42dc6d327 Mon Sep 17 00:00:00 2001
+From: Pauli Virtanen
+Date: Fri, 3 Oct 2025 22:07:32 +0300
+Subject: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete
+
+From: Pauli Virtanen
+
+commit e8785404de06a69d89dcdd1e9a0b6ea42dc6d327 upstream.
+
+There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to
+memcpy from badly declared on-stack flexible array.
+
+Another crash is in set_mesh_complete() due to double list_del via
+mgmt_pending_valid + mgmt_pending_remove.
+
+Use DEFINE_FLEX to declare the flexible array right, and don't memcpy
+outside bounds.
+
+As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free,
+and also report status on error.
+
+Fixes: 302a1f674c00d ("Bluetooth: MGMT: Fix possible UAFs")
+Signed-off-by: Pauli Virtanen
+Reviewed-by: Paul Menzel
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/bluetooth/mgmt.h | 2 +-
+ net/bluetooth/mgmt.c | 26 +++++++++++++++-----------
+ 2 files changed, 16 insertions(+), 12 deletions(-)
+
+--- a/include/net/bluetooth/mgmt.h
++++ b/include/net/bluetooth/mgmt.h
+@@ -847,7 +847,7 @@ struct mgmt_cp_set_mesh {
+ __le16 window;
+ __le16 period;
+ __u8 num_ad_types;
+- __u8 ad_types[];
++ __u8 ad_types[] __counted_by(num_ad_types);
+ } __packed;
+ #define MGMT_SET_MESH_RECEIVER_SIZE 6
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2170,19 +2170,24 @@ static void set_mesh_complete(struct hci
+ sk = cmd->sk;
+
+ if (status) {
++ mgmt_cmd_status(cmd->sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
++ status);
+ mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true,
+ cmd_status_rsp, &status);
+- return;
++ goto done;
+ }
+
+- mgmt_pending_remove(cmd);
+ mgmt_cmd_complete(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER, 0, NULL, 0);
++
++done:
++ mgmt_pending_free(cmd);
+ }
+
+ static int set_mesh_sync(struct hci_dev *hdev, void *data)
+ {
+ struct mgmt_pending_cmd *cmd = data;
+-
struct mgmt_cp_set_mesh cp;
++ DEFINE_FLEX(struct mgmt_cp_set_mesh, cp, ad_types, num_ad_types,
++ sizeof(hdev->mesh_ad_types));
+ size_t len;
+
+ mutex_lock(&hdev->mgmt_pending_lock);
+@@ -2192,27 +2197,26 @@ static int set_mesh_sync(struct hci_dev
+ return -ECANCELED;
+ }
+
+- memcpy(&cp, cmd->param, sizeof(cp));
++ len = cmd->param_len;
++ memcpy(cp, cmd->param, min(__struct_size(cp), len));
+
+ mutex_unlock(&hdev->mgmt_pending_lock);
+
+- len = cmd->param_len;
+-
+ memset(hdev->mesh_ad_types, 0, sizeof(hdev->mesh_ad_types));
+
+- if (cp.enable)
++ if (cp->enable)
+ hci_dev_set_flag(hdev, HCI_MESH);
+ else
+ hci_dev_clear_flag(hdev, HCI_MESH);
+
+- hdev->le_scan_interval = __le16_to_cpu(cp.period);
+- hdev->le_scan_window = __le16_to_cpu(cp.window);
++ hdev->le_scan_interval = __le16_to_cpu(cp->period);
++ hdev->le_scan_window = __le16_to_cpu(cp->window);
+
+- len -= sizeof(cp);
++ len -= sizeof(struct mgmt_cp_set_mesh);
+
+ /* If filters don't fit, forward all adv pkts */
+ if (len <= sizeof(hdev->mesh_ad_types))
+- memcpy(hdev->mesh_ad_types, cp.ad_types, len);
++ memcpy(hdev->mesh_ad_types, cp->ad_types, len);
+
+ hci_update_passive_scan_sync(hdev);
+ return 0;
diff --git a/queue-6.12/net-netpoll-ensure-skb_pool-list-is-always-initialized.patch b/queue-6.12/net-netpoll-ensure-skb_pool-list-is-always-initialized.patch
new file mode 100644
index 0000000000..f819a40188
--- /dev/null
+++ b/queue-6.12/net-netpoll-ensure-skb_pool-list-is-always-initialized.patch
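Review bot: In set_mesh_sync, the new `len -= sizeof(struct mgmt_cp_set_mesh)` is only harmless because `len` is a size_t: a `cmd->param_len` shorter than the fixed header would wrap it to a huge value, and the following `len <= sizeof(hdev->mesh_ad_types)` test is then the only thing keeping the memcpy into hdev->mesh_ad_types from running. The minimum length is presumably enforced before the command is dispatched (the header hunk defines MGMT_SET_MESH_RECEIVER_SIZE as 6, which matches the fixed part of the struct), but nothing in the function records that dependency. A comment above the subtraction would make it explicit: `/* relies on param_len >= MGMT_SET_MESH_RECEIVER_SIZE; a shorter param wraps len and the bound check below skips the copy */`. The `min(__struct_size(cp), len)` on the copy into cp also means a param longer than the DEFINE_FLEX buffer is silently truncated before that same bound check rejects it, which is correct but worth a one-line comment next to the memcpy. Both set_mesh_complete and set_mesh_sync begin outside the inner hunks, so their prologues are not visible here.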
@@ -0,0 +1,91 @@
+From f0d0277796db613c124206544b6dbe95b520ab6c Mon Sep 17 00:00:00 2001
+From: John Sperbeck
+Date: Mon, 13 Jan 2025 17:13:54 -0800
+Subject: net: netpoll: ensure skb_pool list is always initialized
+
+From: John Sperbeck
+
+commit f0d0277796db613c124206544b6dbe95b520ab6c upstream.
+
+When __netpoll_setup() is called directly, instead of through
+netpoll_setup(), the np->skb_pool list head isn't initialized.
+If skb_pool_flush() is later called, then we hit a NULL pointer
+in skb_queue_purge_reason(). This can be seen with this repro,
+when CONFIG_NETCONSOLE is enabled as a module:
+
+ ip tuntap add mode tap tap0
+ ip link add name br0 type bridge
+ ip link set dev tap0 master br0
+ modprobe netconsole netconsole=4444@10.0.0.1/br0,9353@10.0.0.2/
+ rmmod netconsole
+
+The backtrace is:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000008
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ ... ... ...
+ Call Trace:
+
+ __netpoll_free+0xa5/0xf0
+ br_netpoll_cleanup+0x43/0x50 [bridge]
+ do_netpoll_cleanup+0x43/0xc0
+ netconsole_netdev_event+0x1e3/0x300 [netconsole]
+ unregister_netdevice_notifier+0xd9/0x150
+ cleanup_module+0x45/0x920 [netconsole]
+ __se_sys_delete_module+0x205/0x290
+ do_syscall_64+0x70/0x150
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Move the skb_pool list setup and initial skb fill into __netpoll_setup().
+
+Fixes: 221a9c1df790 ("net: netpoll: Individualize the skb pool")
+Signed-off-by: John Sperbeck
+Reviewed-by: Breno Leitao
+Link: https://patch.msgid.link/20250114011354.2096812-1-jsperbeck@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/netpoll.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/core/netpoll.c
++++ b/net/core/netpoll.c
+@@ -632,6 +632,8 @@ int __netpoll_setup(struct netpoll *np,
+ const struct net_device_ops *ops;
+ int err;
+
++ skb_queue_head_init(&np->skb_pool);
++
+ if (ndev->priv_flags & IFF_DISABLE_NETPOLL) {
+ np_err(np, "%s doesn't support polling, aborting\n",
+ ndev->name);
+@@ -667,6 +669,9 @@ int __netpoll_setup(struct netpoll *np,
+ strscpy(np->dev_name, ndev->name, IFNAMSIZ);
+ npinfo->netpoll = np;
+
++ /* fill up the skb queue */
++ refill_skbs(np);
++
+ /* last thing to do is link it to the net device structure */
+ rcu_assign_pointer(ndev->npinfo, npinfo);
+
+@@ -686,8 +691,6 @@ int netpoll_setup(struct netpoll *np)
+ struct in_device *in_dev;
+ int err;
+
+- skb_queue_head_init(&np->skb_pool);
+-
+ rtnl_lock();
+ if (np->dev_name[0]) {
+ struct net *net = current->nsproxy->net_ns;
+@@ -787,9 +790,6 @@ put_noaddr:
+ }
+ }
+
+- /* fill up the skb queue */
+- refill_skbs(np);
+-
+ err = __netpoll_setup(np, ndev);
+ if (err)
+ goto flush;
diff --git a/queue-6.12/proc-proc_maps_open-allow-proc_mem_open-to-return-null.patch b/queue-6.12/proc-proc_maps_open-allow-proc_mem_open-to-return-null.patch
new file mode 100644
index 0000000000..26a90bc506
--- /dev/null
+++ b/queue-6.12/proc-proc_maps_open-allow-proc_mem_open-to-return-null.patch
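Review bot: The new `skb_queue_head_init(&np->skb_pool)` in __netpoll_setup sits above the IFF_DISABLE_NETPOLL early return, and that ordering is what keeps the `goto flush` path in netpoll_setup valid now that the list is no longer initialized there; the placement deserves a comment so a later refactor does not move it below an error exit, e.g. `/* init before any early return: callers flush the pool on failure */`. `refill_skbs(np)` now runs inside __netpoll_setup just before `rcu_assign_pointer(ndev->npinfo, npinfo)`, so if any failure return exists after that point the preallocated skbs would need an skb_pool_flush() there or they leak; the inner hunk ends before that code, so I cannot confirm from here. Both __netpoll_setup and netpoll_setup continue outside the inner hunks.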
@@ -0,0 +1,47 @@
+From c0e1b774f68bdbea1618e356e30672c7f1e32509 Mon Sep 17 00:00:00 2001
+From: Jialin Wang
+Date: Fri, 8 Aug 2025 00:54:55 +0800
+Subject: proc: proc_maps_open allow proc_mem_open to return NULL
+
+From: Jialin Wang
+
+commit c0e1b774f68bdbea1618e356e30672c7f1e32509 upstream.
+
+The commit 65c66047259f ("proc: fix the issue of proc_mem_open returning
+NULL") caused proc_maps_open() to return -ESRCH when proc_mem_open()
+returns NULL. This breaks legitimate /proc//maps access for kernel
+threads since kernel threads have NULL mm_struct.
+
+The regression causes perf to fail and exit when profiling a kernel
+thread:
+
+ # perf record -v -g -p $(pgrep kswapd0)
+ ...
+ couldn't open /proc/65/task/65/maps
+
+This patch partially reverts the commit to fix it.
+
+Link: https://lkml.kernel.org/r/20250807165455.73656-1-wjl.linux@gmail.com
+Fixes: 65c66047259f ("proc: fix the issue of proc_mem_open returning NULL")
+Signed-off-by: Jialin Wang
+Cc: Penglei Jiang
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/task_mmu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -212,8 +212,8 @@ static int proc_maps_open(struct inode *
+
+ priv->inode = inode;
+ priv->mm = proc_mem_open(inode, PTRACE_MODE_READ);
+- if (IS_ERR_OR_NULL(priv->mm)) {
+- int err = priv->mm ? PTR_ERR(priv->mm) : -ESRCH;
++ if (IS_ERR(priv->mm)) {
++ int err = PTR_ERR(priv->mm);
+
+ seq_release_private(inode, file);
+ return err;
diff --git a/queue-6.12/series b/queue-6.12/series
index 1ca8862ecc..c7bdffbad2 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
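Review bot: With `if (IS_ERR(priv->mm))` a NULL result from proc_mem_open() is now stored in priv->mm and the open succeeds, so every later consumer of priv->mm in task_mmu.c (the seq ops and the release path) must tolerate NULL for kernel threads; the hunk shows only the open path, so that is an inference to confirm against the rest of the file. A comment at the check would record the intent of the partial revert: `/* NULL mm (kernel thread) is not an error here, only an ERR_PTR is; later users must handle priv->mm == NULL */`. Assuming proc_mem_open() still returns an ERR_PTR when the PTRACE_MODE_READ check fails and NULL only for a task without an mm, the access control is unchanged by this revert, which is worth stating in the commit message because the removed -ESRCH branch reads like hardening. proc_maps_open begins before the inner hunk, so the allocation of priv is not visible here.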
@@ -180,3 +180,6 @@ mm-huge_memory-do-not-change-split_huge_page-target-order-silently.patch
 mm-huge_memory-preserve-pg_has_hwpoisoned-if-a-folio-is-split-to-0-order.patch
 isdn-misdn-hfcsusb-fix-memory-leak-in-hfcsusb_probe.patch
 net-phy-micrel-fix-lan8814_config_init.patch
+net-netpoll-ensure-skb_pool-list-is-always-initialized.patch
+proc-proc_maps_open-allow-proc_mem_open-to-return-null.patch
+bluetooth-mgmt-fix-crash-in-set_mesh_sync-and-set_mesh_complete.patch