From: Greg Kroah-Hartman Date: Fri, 15 May 2026 15:34:11 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.6.140~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5bd1eeac386b3b06ba71a99fd95633c2cd65fe0b;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: bluetooth-mgmt-fix-dangling-pointer-on-mgmt_add_adv_patterns_monitor_complete.patch bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch crypto-nx-fix-context-leak-in-nx842_crypto_free_ctx.patch drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch mtd-spi-nor-sst-fix-sst-write-failure.patch smb-client-use-kzalloc-to-zero-initialize-security-descriptor-buffer.patch
---
diff --git a/queue-6.6/bluetooth-mgmt-fix-dangling-pointer-on-mgmt_add_adv_patterns_monitor_complete.patch b/queue-6.6/bluetooth-mgmt-fix-dangling-pointer-on-mgmt_add_adv_patterns_monitor_complete.patch
new file mode 100644
index 0000000000..3c489f67b1
--- /dev/null
+++ b/queue-6.6/bluetooth-mgmt-fix-dangling-pointer-on-mgmt_add_adv_patterns_monitor_complete.patch
@@ -0,0 +1,36 @@
+From 5f5fa4cd35f707344f65ce9e225b6528691dbbaa Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz
+Date: Mon, 16 Mar 2026 15:03:27 -0400
+Subject: Bluetooth: MGMT: Fix dangling pointer on mgmt_add_adv_patterns_monitor_complete
+
+From: Luiz Augusto von Dentz
+
+commit 5f5fa4cd35f707344f65ce9e225b6528691dbbaa upstream.
+
+This fixes the condition checking so mgmt_pending_valid is executed
+whenever status != -ECANCELED otherwise calling mgmt_pending_free(cmd)
+would kfree(cmd) without unlinking it from the list first, leaving a
+dangling pointer. Any subsequent list traversal (e.g.,
+mgmt_pending_foreach during __mgmt_power_off, or another
+mgmt_pending_valid call) would dereference freed memory.
+
+Link: https://lore.kernel.org/linux-bluetooth/20260315132013.75ab40c5@kernel.org/T/#m1418f9c82eeff8510c1beaa21cf53af20db96c06
+Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
+Signed-off-by: Luiz Augusto von Dentz
+Reviewed-by: Paul Menzel
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/mgmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -5332,7 +5332,7 @@ static void mgmt_add_adv_patterns_monito
+ * hci_adv_monitors_clear is about to be called which will take care of
+ * freeing the adv_monitor instances.
+ */
+- if (status == -ECANCELED && !mgmt_pending_valid(hdev, cmd))
++ if (status == -ECANCELED || !mgmt_pending_valid(hdev, cmd))
+ return;
+
+ monitor = cmd->user_data;
diff --git a/queue-6.6/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch b/queue-6.6/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch
new file mode 100644
index 0000000000..a7d34a1f98
--- /dev/null
+++ b/queue-6.6/bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch
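Review bot: The comment above the condition at line 5335 only explains the -ECANCELED leg; nothing in the hunk says why mgmt_pending_valid() must now run on every other completion, which is the invariant this fix restores (per the changelog it is the step that unlinks cmd before the later mgmt_pending_free()). A reader seeing `||` under a comment about hci_adv_monitors_clear could plausibly "simplify" it back. Suggest extending the comment with `/* Otherwise mgmt_pending_valid() must run: it unlinks cmd from the pending list, which mgmt_pending_free() alone does not do. */`. mgmt_add_adv_patterns_monitor_complete() starts and ends outside the hunk, so the free this protects is not visible here.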
@@ -0,0 +1,58 @@
+From 1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2 Mon Sep 17 00:00:00 2001
+From: Jianpeng Chang
+Date: Wed, 21 Jan 2026 13:29:26 +0800
+Subject: Bluetooth: MGMT: Fix memory leak in set_ssp_complete
+
+From: Jianpeng Chang
+
+commit 1b9c17fd0a7fdcbe69ec5d6fe8e50bc5ed7f01f2 upstream.
+
+Fix memory leak in set_ssp_complete() where mgmt_pending_cmd structures
+are not freed after being removed from the pending list.
+
+Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") replaced
+mgmt_pending_foreach() calls with individual command handling but missed
+adding mgmt_pending_free() calls in both error and success paths of
+set_ssp_complete(). Other completion functions like set_le_complete()
+were fixed correctly in the same commit.
+
+This causes a memory leak of the mgmt_pending_cmd structure and its
+associated parameter data for each SSP command that completes.
+
+Add the missing mgmt_pending_free(cmd) calls in both code paths to fix
+the memory leak. Also fix the same issue in set_advertising_complete().
+
+Fixes: 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs")
+Signed-off-by: Jianpeng Chang
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/mgmt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -1937,6 +1937,7 @@ static void set_ssp_complete(struct hci_
+ }
+
+ mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
++ mgmt_pending_free(cmd);
+ return;
+ }
+
+@@ -1955,6 +1956,7 @@ static void set_ssp_complete(struct hci_
+ sock_put(match.sk);
+
+ hci_update_eir_sync(hdev);
++ mgmt_pending_free(cmd);
+ }
+
+ static int set_ssp_sync(struct hci_dev *hdev, void *data)
+@@ -6452,6 +6454,7 @@ static void set_advertising_complete(str
+ hci_dev_clear_flag(hdev, HCI_ADVERTISING);
+
+ settings_rsp(cmd, &match);
++ mgmt_pending_free(cmd);
+
+ new_settings(hdev, match.sk);
+
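Review bot: In the set_advertising_complete() hunk at 6454, mgmt_pending_free(cmd) now precedes new_settings(hdev, match.sk), so match.sk must be a reference settings_rsp() took on its own rather than a pointer borrowed from cmd->sk that goes away with cmd. The set_ssp_complete() success path in the 1956 hunk shows the matching sock_put(match.sk) after its loop, which suggests settings_rsp() does take a hold, but that helper is outside the hunk and should be confirmed in the 6.6 tree before this ordering is accepted. If it does not hold the socket, placing the free after the call, `new_settings(hdev, match.sk); mgmt_pending_free(cmd);`, removes the dependency. All three enclosing functions start and end outside their hunks.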
diff --git a/queue-6.6/crypto-nx-fix-context-leak-in-nx842_crypto_free_ctx.patch b/queue-6.6/crypto-nx-fix-context-leak-in-nx842_crypto_free_ctx.patch
new file mode 100644
index 0000000000..8068a81239
--- /dev/null
+++ b/queue-6.6/crypto-nx-fix-context-leak-in-nx842_crypto_free_ctx.patch
@@ -0,0 +1,46 @@
+From 344e6a4f7ff4756b9b3f75e0eb7eaec297e35540 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum
+Date: Wed, 11 Mar 2026 16:56:49 +0100
+Subject: crypto: nx - fix context leak in nx842_crypto_free_ctx
+
+From: Thorsten Blum
+
+commit 344e6a4f7ff4756b9b3f75e0eb7eaec297e35540 upstream.
+
+Since the scomp conversion, nx842_crypto_alloc_ctx() allocates the
+context separately, but nx842_crypto_free_ctx() never releases it. Add
+the missing kfree(ctx) to nx842_crypto_free_ctx(), and reuse
+nx842_crypto_free_ctx() in the allocation error path.
+
+Fixes: 980b5705f4e7 ("crypto: nx - Migrate to scomp API")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum
+Reviewed-by: Ard Biesheuvel
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/nx/nx-842.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/nx/nx-842.c
++++ b/drivers/crypto/nx/nx-842.c
+@@ -115,10 +115,7 @@ void *nx842_crypto_alloc_ctx(struct nx84
+ ctx->sbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
+ ctx->dbounce = (u8 *)__get_free_pages(GFP_KERNEL, BOUNCE_BUFFER_ORDER);
+ if (!ctx->wmem || !ctx->sbounce || !ctx->dbounce) {
+- kfree(ctx->wmem);
+- free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+- free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
+- kfree(ctx);
++ nx842_crypto_free_ctx(ctx);
+ return ERR_PTR(-ENOMEM);
+ }
+
+@@ -133,6 +130,7 @@ void nx842_crypto_free_ctx(void *p)
+ kfree(ctx->wmem);
+ free_pages((unsigned long)ctx->sbounce, BOUNCE_BUFFER_ORDER);
+ free_pages((unsigned long)ctx->dbounce, BOUNCE_BUFFER_ORDER);
++ kfree(ctx);
+ }
+ EXPORT_SYMBOL_GPL(nx842_crypto_free_ctx);
+
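Review bot: The error path at line 118 now calls nx842_crypto_free_ctx() on a context whose members may be partly NULL, and nothing at the call site says why that is safe; the visible part of free_ctx only does kfree(ctx->wmem), free_pages() on sbounce/dbounce and kfree(ctx), which tolerate NULL and a zero address respectively, but the lines of free_ctx between its signature and the kfree at new line 130 are outside the second hunk, so confirm nothing there reads state that alloc_ctx() sets up only after this check. A one-line comment on the new call, `/* members may still be NULL here: kfree(NULL) and free_pages(0) are no-ops */`, would make the partial-init contract explicit. The call also needs nx842_crypto_free_ctx() declared before nx842_crypto_alloc_ctx() in this file; its EXPORT_SYMBOL_GPL suggests a header prototype exists, which should be checked in the backport. Both functions start and end outside their hunks.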
diff --git a/queue-6.6/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch b/queue-6.6/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
new file mode 100644
index 0000000000..eec22aa623
--- /dev/null
+++ b/queue-6.6/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
@@ -0,0 +1,43 @@
+From e6e9faba8100628990cccd13f0f044a648c303cf Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng
+Date: Mon, 13 Apr 2026 09:22:15 -0400
+Subject: drm/amdgpu/vcn3: Avoid overflow on msg bound check
+
+From: Benjamin Cheng
+
+commit e6e9faba8100628990cccd13f0f044a648c303cf upstream.
+
+As pointed out by SDL, the previous condition may be vulnerable to
+overflow.
+
+Fixes: b193019860d6 ("drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg")
+Cc: SDL
+Signed-off-by: Benjamin Cheng
+Reviewed-by: Ruijing Dong
+Signed-off-by: Alex Deucher
+(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+@@ -1852,6 +1852,7 @@ static int vcn_v3_0_dec_msg(struct amdgp
+
+ for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+ uint32_t offset, size, *create;
++ uint64_t buf_end;
+
+ if (msg[0] != RDECODE_MESSAGE_CREATE)
+ continue;
+@@ -1859,7 +1860,8 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ offset = msg[1];
+ size = msg[2];
+
+- if (size < 4 || offset + size > end - addr) {
++ if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
++ buf_end > end - addr) {
+ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+ r = -EINVAL;
+ goto out;
diff --git a/queue-6.6/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch b/queue-6.6/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch
new file mode 100644
index 0000000000..147e0845f3
--- /dev/null
+++ b/queue-6.6/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch
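Review bot: The check_add_overflow(offset, size, &buf_end) in the 1860 hunk cannot report an overflow: offset and size are uint32_t and the added buf_end is uint64_t, so the sum always fits the destination and the helper only performs the widening; the same holds for the vcn4 patch that follows (vcn_v4_0.c, 1739 hunk). The result is correct, but the code should say which construct carries the bound check: either declare `uint32_t buf_end;` so the helper rejects a wrapped sum, or drop the helper and write `if (size < 4 || (uint64_t)offset + size > end - addr) {`. The types of end and addr and the later use of offset are outside the hunk, and vcn_v3_0_dec_msg() starts and ends outside it.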
@@ -0,0 +1,43 @@
+From 65bce27ea6192320448c30267ffc17ffa094e713 Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng
+Date: Mon, 13 Apr 2026 09:22:15 -0400
+Subject: drm/amdgpu/vcn4: Avoid overflow on msg bound check
+
+From: Benjamin Cheng
+
+commit 65bce27ea6192320448c30267ffc17ffa094e713 upstream.
+
+As pointed out by SDL, the previous condition may be vulnerable to
+overflow.
+
+Fixes: 0a78f2bac142 ("drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg")
+Cc: SDL
+Signed-off-by: Benjamin Cheng
+Reviewed-by: Ruijing Dong
+Signed-off-by: Alex Deucher
+(cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+@@ -1731,6 +1731,7 @@ static int vcn_v4_0_dec_msg(struct amdgp
+
+ for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+ uint32_t offset, size, *create;
++ uint64_t buf_end;
+
+ if (msg[0] != RDECODE_MESSAGE_CREATE)
+ continue;
+@@ -1738,7 +1739,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ offset = msg[1];
+ size = msg[2];
+
+- if (size < 4 || offset + size > end - addr) {
++ if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
++ buf_end > end - addr) {
+ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+ r = -EINVAL;
+ goto out;
diff --git a/queue-6.6/mtd-spi-nor-sst-fix-sst-write-failure.patch b/queue-6.6/mtd-spi-nor-sst-fix-sst-write-failure.patch
new file mode 100644
index 0000000000..8992c60112
--- /dev/null
+++ b/queue-6.6/mtd-spi-nor-sst-fix-sst-write-failure.patch
@@ -0,0 +1,83 @@
+From 539bd20352832b9244238a055eb169ccf1c41ff6 Mon Sep 17 00:00:00 2001
+From: Amit Kumar Mahapatra
+Date: Thu, 13 Feb 2025 11:15:46 +0530
+Subject: mtd: spi-nor: sst: Fix SST write failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amit Kumar Mahapatra
+
+commit 539bd20352832b9244238a055eb169ccf1c41ff6 upstream.
+
+'commit 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation
+to `sst_nor_write_data()`")' introduced a bug where only one byte of data
+is written, regardless of the number of bytes passed to
+sst_nor_write_data(), causing a kernel crash during the write operation.
+Ensure the correct number of bytes are written as passed to
+sst_nor_write_data().
+
+Call trace:
+[ 57.400180] ------------[ cut here ]------------
+[ 57.404842] While writing 2 byte written 1 bytes
+[ 57.409493] WARNING: CPU: 0 PID: 737 at drivers/mtd/spi-nor/sst.c:187 sst_nor_write_data+0x6c/0x74
+[ 57.418464] Modules linked in:
+[ 57.421517] CPU: 0 UID: 0 PID: 737 Comm: mtd_debug Not tainted 6.12.0-g5ad04afd91f9 #30
+[ 57.429517] Hardware name: Xilinx Versal A2197 Processor board revA - x-prc-02 revA (DT)
+[ 57.437600] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 57.444557] pc : sst_nor_write_data+0x6c/0x74
+[ 57.448911] lr : sst_nor_write_data+0x6c/0x74
+[ 57.453264] sp : ffff80008232bb40
+[ 57.456570] x29: ffff80008232bb40 x28: 0000000000010000 x27: 0000000000000001
+[ 57.463708] x26: 000000000000ffff x25: 0000000000000000 x24: 0000000000000000
+[ 57.470843] x23: 0000000000010000 x22: ffff80008232bbf0 x21: ffff000816230000
+[ 57.477978] x20: ffff0008056c0080 x19: 0000000000000002 x18: 0000000000000006
+[ 57.485112] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80008232b580
+[ 57.492246] x14: 0000000000000000 x13: ffff8000816d1530 x12: 00000000000004a4
+[ 57.499380] x11: 000000000000018c x10: ffff8000816fd530 x9 : ffff8000816d1530
+[ 57.506515] x8 : 00000000fffff7ff x7 : ffff8000816fd530 x6 : 0000000000000001
+[ 57.513649] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
+[ 57.520782] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0008049b0000
+[ 57.527916] Call trace:
+[ 57.530354] sst_nor_write_data+0x6c/0x74
+[ 57.534361] sst_nor_write+0xb4/0x18c
+[ 57.538019] mtd_write_oob_std+0x7c/0x88
+[ 57.541941] mtd_write_oob+0x70/0xbc
+[ 57.545511] mtd_write+0x68/0xa8
+[ 57.548733] mtdchar_write+0x10c/0x290
+[ 57.552477] vfs_write+0xb4/0x3a8
+[ 57.555791] ksys_write+0x74/0x10c
+[ 57.559189] __arm64_sys_write+0x1c/0x28
+[ 57.563109] invoke_syscall+0x54/0x11c
+[ 57.566856] el0_svc_common.constprop.0+0xc0/0xe0
+[ 57.571557] do_el0_svc+0x1c/0x28
+[ 57.574868] el0_svc+0x30/0xcc
+[ 57.577921] el0t_64_sync_handler+0x120/0x12c
+[ 57.582276] el0t_64_sync+0x190/0x194
+[ 57.585933] ---[ end trace 0000000000000000 ]---
+
+Cc: stable@vger.kernel.org
+Fixes: 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`")
+Signed-off-by: Amit Kumar Mahapatra
+Reviewed-by: Pratyush Yadav
+Reviewed-by: Tudor Ambarus
+Reviewed-by: Bence Csókás
+[pratyush@kernel.org: add Cc stable tag]
+Signed-off-by: Pratyush Yadav
+Link: https://lore.kernel.org/r/20250213054546.2078121-1-amit.kumar-mahapatra@amd.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/spi-nor/sst.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/spi-nor/sst.c
++++ b/drivers/mtd/spi-nor/sst.c
+@@ -130,7 +130,7 @@ static int sst_nor_write_data(struct spi
+ int ret;
+
+ nor->program_opcode = op;
+- ret = spi_nor_write_data(nor, to, 1, buf);
++ ret = spi_nor_write_data(nor, to, len, buf);
+ if (ret < 0)
+ return ret;
+ WARN(ret != len, "While writing %zu byte written %i bytes\n", len, ret);
diff --git a/queue-6.6/series b/queue-6.6/series
index 4e0986c77f..838d23c808 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
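Review bot: With len passed through, the WARN() at line 136 is the only handling of a short write: ret < len is neither turned into an error return nor retried in the visible lines, so if the tail of sst_nor_write_data() (outside the hunk) returns ret, a caller would count a partial program as progress. Confirm that the lines after the WARN return an error for ret != len, or that spi_nor_write_data() cannot return short for the small lengths this path appears to use (the trace shows len == 2). sst_nor_write_data() starts and ends outside the hunk.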
@@ -465,3 +465,10 @@ vsock-fix-buffer-size-clamping-order.patch
 vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
 vsock-virtio-fix-length-and-offset-in-tap-skb-for-split-packets.patch
 vsock-virtio-fix-potential-unbounded-skb-queue.patch
+drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
+drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch
+mtd-spi-nor-sst-fix-sst-write-failure.patch
+bluetooth-mgmt-fix-memory-leak-in-set_ssp_complete.patch
+crypto-nx-fix-context-leak-in-nx842_crypto_free_ctx.patch
+bluetooth-mgmt-fix-dangling-pointer-on-mgmt_add_adv_patterns_monitor_complete.patch
+smb-client-use-kzalloc-to-zero-initialize-security-descriptor-buffer.patch
diff --git a/queue-6.6/smb-client-use-kzalloc-to-zero-initialize-security-descriptor-buffer.patch b/queue-6.6/smb-client-use-kzalloc-to-zero-initialize-security-descriptor-buffer.patch
new file mode 100644
index 0000000000..cfbd04b2d9
--- /dev/null
+++ b/queue-6.6/smb-client-use-kzalloc-to-zero-initialize-security-descriptor-buffer.patch
@@ -0,0 +1,49 @@
+From 5e489c6c47a2ac15edbaca153b9348e42c1eacab Mon Sep 17 00:00:00 2001
+From: Bjoern Doebel
+Date: Thu, 30 Apr 2026 08:57:17 +0000
+Subject: smb: client: use kzalloc to zero-initialize security descriptor buffer
+
+From: Bjoern Doebel
+
+commit 5e489c6c47a2ac15edbaca153b9348e42c1eacab upstream.
+
+Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces
+to le16") split struct smb_acl's __le32 num_aces field into __le16
+num_aces and __le16 reserved. The reserved field corresponds to Sbz2
+in the MS-DTYP ACL wire format, which must be zero [1].
+
+When building an ACL descriptor in build_sec_desc(), we are using a
+kmalloc()'ed descriptor buffer and writing the fields explicitly using
+le16() writes now. This never writes to the 2 byte reserved field,
+leaving it as uninitialized heap data.
+
+When the reserved field happens to contain non-zero slab garbage,
+Samba rejects the security descriptor with "ndr_pull_security_descriptor
+failed: Range Error", causing chmod to fail with EINVAL.
+
+Change kmalloc() to kzalloc() to ensure the entire buffer is
+zero-initialized.
+
+Fixes: 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16")
+Cc: stable@vger.kernel.org
+
+Signed-off-by: Bjoern Doebel
+Assisted-by: Kiro:claude-opus-4.6
+[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/cifsacl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/cifsacl.c
++++ b/fs/smb/client/cifsacl.c
+@@ -1766,7 +1766,7 @@ id_mode_to_cifs_acl(struct inode *inode,
+ * descriptor parameters, and security descriptor itself
+ */
+ nsecdesclen = max_t(u32, nsecdesclen, DEFAULT_SEC_DESC_LEN);
+- pnntsd = kmalloc(nsecdesclen, GFP_KERNEL);
++ pnntsd = kzalloc(nsecdesclen, GFP_KERNEL);
+ if (!pnntsd) {
+ kfree(pntsd);
+ cifs_put_tlink(tlink);
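Review bot: Switching to kzalloc() makes the ACL's reserved field zero by a property of the allocator rather than of the code that lays out the ACL, so a later change that reuses a buffer or writes the header through another path would reintroduce the non-zero Sbz2 silently. The ACL builder (build_sec_desc(), outside the hunk) should also store the field explicitly next to num_aces, i.e. set `reserved` to 0 on the struct smb_acl it fills in; the exact pointer name has to be taken from the 6.6 source. The kzalloc() is still worth keeping: nsecdesclen is rounded up to DEFAULT_SEC_DESC_LEN on line 1768, and zeroing guarantees the slack between the descriptor actually written and the allocation holds no heap data. id_mode_to_cifs_acl() starts and ends outside the hunk.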