From: Greg Kroah-Hartman Date: Tue, 7 Apr 2026 11:35:17 +0000 (+0200) Subject: 6.18-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6b57ce7d011622931eed2f24364460f3f6bca3fe;p=thirdparty%2Fkernel%2Fstable-queue.git 6.18-stable patches added patches: drm-ioc32-stop-speculation-on-the-drm_compat_ioctl-path.patch rust_binder-use-assertsync-for-binder_vm_ops.patch wifi-iwlwifi-mvm-fix-potential-out-of-bounds-read-in-iwl_mvm_nd_match_info_handler.patch wifi-wilc1000-fix-u8-overflow-in-ssid-scan-buffer-size-calculation.patch --- diff --git a/queue-6.18/drm-ioc32-stop-speculation-on-the-drm_compat_ioctl-path.patch b/queue-6.18/drm-ioc32-stop-speculation-on-the-drm_compat_ioctl-path.patch new file mode 100644 index 0000000000..3f7f08ad0b --- /dev/null +++ b/queue-6.18/drm-ioc32-stop-speculation-on-the-drm_compat_ioctl-path.patch 
@@ -0,0 +1,51 @@ +From f8995c2df519f382525ca4bc90553ad2ec611067 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 24 Mar 2026 17:42:51 +0100 +Subject: drm/ioc32: stop speculation on the drm_compat_ioctl path + +From: Greg Kroah-Hartman + +commit f8995c2df519f382525ca4bc90553ad2ec611067 upstream. + +The drm compat ioctl path takes a user controlled pointer, and then +dereferences it into a table of function pointers, the signature method +of spectre problems. Fix this up by calling array_index_nospec() on the +index to the function pointer list. + +Fixes: 505b5240329b ("drm/ioctl: Fix Spectre v1 vulnerabilities") +Cc: Maarten Lankhorst +Cc: Maxime Ripard +Cc: Thomas Zimmermann +Cc: David Airlie +Cc: Simona Vetter +Cc: stable +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Acked-by: Thomas Zimmermann +Acked-by: Maxime Ripard +Reviewed-by: Simona Vetter +Signed-off-by: Thomas Zimmermann +Link: https://patch.msgid.link/2026032451-playing-rummage-8fa2@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_ioc32.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/drm_ioc32.c ++++ b/drivers/gpu/drm/drm_ioc32.c +@@ -28,6 +28,7 @@ + * IN THE SOFTWARE. + */ + #include ++#include + #include + #include + +@@ -374,6 +375,7 @@ long drm_compat_ioctl(struct file *filp, + if (nr >= ARRAY_SIZE(drm_compat_ioctls)) + return drm_ioctl(filp, cmd, arg); + ++ nr = array_index_nospec(nr, ARRAY_SIZE(drm_compat_ioctls)); + fn = drm_compat_ioctls[nr].fn; + if (!fn) + return drm_ioctl(filp, cmd, arg); diff --git a/queue-6.18/rust_binder-use-assertsync-for-binder_vm_ops.patch b/queue-6.18/rust_binder-use-assertsync-for-binder_vm_ops.patch new file mode 100644 index 0000000000..88bedf08d9 --- /dev/null +++ b/queue-6.18/rust_binder-use-assertsync-for-binder_vm_ops.patch 
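Review bot: The added `+#include` line in the drm_ioc32.c hunk has lost its header argument in this rendering, so a reader cannot tell from the page which header supplies array_index_nospec(); from the helper used it is presumably `#include <linux/nospec.h>`, but verify against the upstream commit before applying the backport. The call itself sits after the `nr >= ARRAY_SIZE(drm_compat_ioctls)` test, which is the ordering the helper needs to clamp the already-bounds-checked index under speculation. A one-line why-comment at the call would help the next reader, e.g. `/* nr is user-controlled: clamp it under speculation before indexing the fn table */`. The body of drm_compat_ioctl() continues outside the hunk, so the later use of `fn` is not visible here.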
@@ -0,0 +1,89 @@ +From ec327abae5edd1d5b60ea9f920212970133171d2 Mon Sep 17 00:00:00 2001 +From: Alice Ryhl +Date: Sat, 14 Mar 2026 11:19:51 +0000 +Subject: rust_binder: use AssertSync for BINDER_VM_OPS + +From: Alice Ryhl + +commit ec327abae5edd1d5b60ea9f920212970133171d2 upstream. + +When declaring an immutable global variable in Rust, the compiler checks +that it looks thread safe, because it is generally safe to access said +global variable. When using C bindings types for these globals, we don't +really want this check, because it is conservative and assumes pointers +are not thread safe. + +In the case of BINDER_VM_OPS, this is a challenge when combined with the +patch 'userfaultfd: introduce vm_uffd_ops' [1], which introduces a +pointer field to vm_operations_struct. It previously only held function +pointers, which are considered thread safe. + +Rust Binder should not be assuming that vm_operations_struct contains no +pointer fields, so to fix this, use AssertSync (which Rust Binder has +already declared for another similar global of type struct +file_operations with the same problem). This ensures that even if +another commit adds a pointer field to vm_operations_struct, this does +not cause problems. 
+ +Fixes: 8ef2c15aeae0 ("rust_binder: check ownership before using vma") +Cc: stable +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202603121235.tpnRxFKO-lkp@intel.com/ +Link: https://lore.kernel.org/r/20260306171815.3160826-8-rppt@kernel.org [1] +Signed-off-by: Alice Ryhl +Reviewed-by: Gary Guo +Link: https://patch.msgid.link/20260314111951.4139029-1-aliceryhl@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/android/binder/page_range.rs | 8 +++++--- + drivers/android/binder/rust_binder_main.rs | 2 +- + 2 files changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/android/binder/page_range.rs ++++ b/drivers/android/binder/page_range.rs +@@ -13,6 +13,8 @@ + // + // The shrinker will use trylock methods because it locks them in a different order. + ++use crate::AssertSync; ++ + use core::{ + marker::PhantomPinned, + mem::{size_of, size_of_val, MaybeUninit}, +@@ -143,14 +145,14 @@ pub(crate) struct ShrinkablePageRange { + } + + // We do not define any ops. For now, used only to check identity of vmas. +-static BINDER_VM_OPS: bindings::vm_operations_struct = pin_init::zeroed(); ++static BINDER_VM_OPS: AssertSync = AssertSync(pin_init::zeroed()); + + // To ensure that we do not accidentally install pages into or zap pages from the wrong vma, we + // check its vm_ops and private data before using it. + fn check_vma(vma: &virt::VmaRef, owner: *const ShrinkablePageRange) -> Option<&virt::VmaMixedMap> { + // SAFETY: Just reading the vm_ops pointer of any active vma is safe. + let vm_ops = unsafe { (*vma.as_ptr()).vm_ops }; +- if !ptr::eq(vm_ops, &BINDER_VM_OPS) { ++ if !ptr::eq(vm_ops, &BINDER_VM_OPS.0) { + return None; + } + +@@ -342,7 +344,7 @@ impl ShrinkablePageRange { + + // SAFETY: We own the vma, and we don't use any methods on VmaNew that rely on + // `vm_ops`. 
+- unsafe { (*vma.as_ptr()).vm_ops = &BINDER_VM_OPS }; ++ unsafe { (*vma.as_ptr()).vm_ops = &BINDER_VM_OPS.0 }; + + Ok(num_pages) + } +--- a/drivers/android/binder/rust_binder_main.rs ++++ b/drivers/android/binder/rust_binder_main.rs +@@ -300,7 +300,7 @@ impl kernel::Module for BinderModule { + /// Makes the inner type Sync. + #[repr(transparent)] + pub struct AssertSync(T); +-// SAFETY: Used only to insert `file_operations` into a global, which is safe. ++// SAFETY: Used only to insert C bindings types into globals, which is safe. + unsafe impl Sync for AssertSync {} + + /// File operations that rust_binderfs.c can use. diff --git a/queue-6.18/series b/queue-6.18/series index 6bf2947bb4..ef3ace0745 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -126,3 +126,7 @@ perf-x86-fix-potential-bad-container_of-in-intel_pmu.patch riscv-kgdb-fix-several-debug-register-assignment-bug.patch riscv-reset-pmm-when-pr_tagged_addr_enable-is-not-se.patch acpi-rimt-add-dependency-between-iommu-and-devices.patch +drm-ioc32-stop-speculation-on-the-drm_compat_ioctl-path.patch +rust_binder-use-assertsync-for-binder_vm_ops.patch +wifi-wilc1000-fix-u8-overflow-in-ssid-scan-buffer-size-calculation.patch +wifi-iwlwifi-mvm-fix-potential-out-of-bounds-read-in-iwl_mvm_nd_match_info_handler.patch diff --git a/queue-6.18/wifi-iwlwifi-mvm-fix-potential-out-of-bounds-read-in-iwl_mvm_nd_match_info_handler.patch b/queue-6.18/wifi-iwlwifi-mvm-fix-potential-out-of-bounds-read-in-iwl_mvm_nd_match_info_handler.patch new file mode 100644 index 0000000000..fab61629c9 --- /dev/null +++ b/queue-6.18/wifi-iwlwifi-mvm-fix-potential-out-of-bounds-read-in-iwl_mvm_nd_match_info_handler.patch 
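Review bot: The reworded SAFETY comment on `unsafe impl Sync for AssertSync {}` in the rust_binder_main.rs hunk ("Used only to insert C bindings types into globals, which is safe") still does not state the invariant that makes the impl sound, and the generic parameter on the struct and impl appears stripped by this rendering, so check the upstream text. A blanket Sync over a C struct that now holds a data pointer is only justified if the wrapped value is never mutated after initialisation and Rust never dereferences its pointer fields from several threads; I would spell that out: `// SAFETY: Wrapped values are immutable statics that Rust only ever takes the address of; the C side reads them through that pointer and nothing mutates them, so sharing a reference across threads cannot race.` The two sites in page_range.rs consistently compare and store `&BINDER_VM_OPS.0`, which keeps the identity check intact, though a short comment at the `ptr::eq` site saying the address of the inner struct is the vma identity token would help. `check_vma` and the `impl ShrinkablePageRange` method both extend outside the hunk.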
@@ -0,0 +1,37 @@ +From 744fabc338e87b95c4d1ff7c95bc8c0f834c6d99 Mon Sep 17 00:00:00 2001 +From: Alexey Velichayshiy +Date: Sat, 7 Feb 2026 18:03:22 +0300 +Subject: wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler() + +From: Alexey Velichayshiy + +commit 744fabc338e87b95c4d1ff7c95bc8c0f834c6d99 upstream. + +The memcpy function assumes the dynamic array notif->matches is at least +as large as the number of bytes to copy. Otherwise, results->matches may +contain unwanted data. To guarantee safety, extend the validation in one +of the checks to ensure sufficient packet length. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Cc: stable@vger.kernel.org +Fixes: 5ac54afd4d97 ("wifi: iwlwifi: mvm: Add handling for scan offload match info notification") +Signed-off-by: Alexey Velichayshiy +Link: https://patch.msgid.link/20260207150335.1013646-1-a.velichayshiy@ispras.ru +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +@@ -2834,7 +2834,7 @@ static void iwl_mvm_nd_match_info_handle + if (IS_ERR_OR_NULL(vif)) + return; + +- if (len < sizeof(struct iwl_scan_offload_match_info)) { ++ if (len < sizeof(struct iwl_scan_offload_match_info) + matches_len) { + IWL_ERR(mvm, "Invalid scan match info notification\n"); + return; + } diff --git a/queue-6.18/wifi-wilc1000-fix-u8-overflow-in-ssid-scan-buffer-size-calculation.patch b/queue-6.18/wifi-wilc1000-fix-u8-overflow-in-ssid-scan-buffer-size-calculation.patch new file mode 100644 index 0000000000..7dc21a0bd8 --- /dev/null +++ b/queue-6.18/wifi-wilc1000-fix-u8-overflow-in-ssid-scan-buffer-size-calculation.patch 
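Review bot: The combined test `len < sizeof(struct iwl_scan_offload_match_info) + matches_len` in d3.c can wrap on a 32-bit build if `matches_len` is a firmware-derived 32-bit value near its maximum, and if `matches_len` is computed from `notif` fields as the description implies, those fields are read before the header length has been verified. I would keep the original header check first and express the second bound as a subtraction that cannot overflow: `if (len < sizeof(struct iwl_scan_offload_match_info) || matches_len > len - sizeof(struct iwl_scan_offload_match_info))`. Where `matches_len` is computed is outside the hunk, so whether it reads `notif` ahead of this point could not be confirmed from the page; the body of iwl_mvm_nd_match_info_handler() continues on both sides of the hunk.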
@@ -0,0 +1,42 @@ +From d049e56b1739101d1c4d81deedb269c52a8dbba0 Mon Sep 17 00:00:00 2001 +From: Yasuaki Torimaru +Date: Tue, 24 Mar 2026 19:06:24 +0900 +Subject: wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation + +From: Yasuaki Torimaru + +commit d049e56b1739101d1c4d81deedb269c52a8dbba0 upstream. + +The variable valuesize is declared as u8 but accumulates the total +length of all SSIDs to scan. Each SSID contributes up to 33 bytes +(IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10) +SSIDs the total can reach 330, which wraps around to 74 when stored +in a u8. + +This causes kmalloc to allocate only 75 bytes while the subsequent +memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte +heap buffer overflow. + +Widen valuesize from u8 to u32 to accommodate the full range. + +Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver") +Cc: stable@vger.kernel.org +Signed-off-by: Yasuaki Torimaru +Link: https://patch.msgid.link/20260324100624.983458-1-yasuakitorimaru@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/microchip/wilc1000/hif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/microchip/wilc1000/hif.c ++++ b/drivers/net/wireless/microchip/wilc1000/hif.c +@@ -163,7 +163,7 @@ int wilc_scan(struct wilc_vif *vif, u8 s + u32 index = 0; + u32 i, scan_timeout; + u8 *buffer; +- u8 valuesize = 0; ++ u32 valuesize = 0; + u8 *search_ssid_vals = NULL; + const u8 ch_list_len = request->n_channels; + struct host_if_drv *hif_drv = vif->hif_drv;
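Review bot: Widening `valuesize` to u32 in wilc_scan() removes the wrap but records nothing at the declaration about why the width matters, and the sites the commit message describes, the accumulation loop and the kmalloc/memcpy pair, are outside the hunk, so I could not confirm that `request->n_ssids` is capped at WILC_MAX_NUM_PROBED_SSID before the loop. A short comment would protect the fix against a future "tidy-up" back to a narrower type, e.g. `u32 valuesize = 0;	/* sum of SSID lengths, up to 10 * 33 bytes; must not be u8 */`. Consider also an explicit bound against `WILC_MAX_NUM_PROBED_SSID * (IEEE80211_MAX_SSID_LEN + 1)` next to the allocation so a later change to either limit cannot reintroduce an undersized buffer. The rest of wilc_scan()'s body lies past the end of the hunk.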