From: Greg Kroah-Hartman Date: Sun, 29 Mar 2026 12:48:28 +0000 (+0200) Subject: 6.19-stable patches X-Git-Tag: v6.6.131~50 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7183fc5c6fc85049567b94d5f100743973ce7594;p=thirdparty%2Fkernel%2Fstable-queue.git 6.19-stable patches added patches: hwmon-peci-cputemp-fix-crit_hyst-returning-delta-instead-of-absolute-temperature.patch hwmon-peci-cputemp-fix-off-by-one-in-cputemp_is_visible.patch hwmon-pmbus-ina233-fix-error-handling-and-sign-extension-in-shunt-voltage-read.patch hwmon-pmbus-isl68137-add-mutex-protection-for-avs-enable-sysfs-attributes.patch kvm-arm64-discard-pc-update-state-on-vcpu-reset.patch kvm-arm64-fix-the-descriptor-address-in-__kvm_at_swap_desc.patch media-mc-v4l2-serialize-reinit-and-reqbufs-with-req_queue_mutex.patch media-verisilicon-fix-kernel-panic-due-to-__initconst-misuse.patch platform-x86-isst-correct-locked-bit-width.patch rdma-ionic-preserve-and-set-ethernet-source-mac-after-ib_ud_header_init.patch thermal-intel-int340x-soc_slider-set-offset-only-for-balanced-mode.patch vfio-pci-fix-double-free-in-dma-buf-feature.patch virt-tdx-guest-fix-handling-of-host-controlled-quote-buffer-length.patch virtio_net-fix-uaf-on-dst_ops-when-iff_xmit_dst_release-is-cleared-and-napi_tx-is-false.patch xfrm-iptfs-only-publish-mode_data-after-clone-setup.patch xfrm-iptfs-validate-inner-ipv4-header-length-in-iptfs-payload.patch --- diff --git a/queue-6.19/hwmon-peci-cputemp-fix-crit_hyst-returning-delta-instead-of-absolute-temperature.patch b/queue-6.19/hwmon-peci-cputemp-fix-crit_hyst-returning-delta-instead-of-absolute-temperature.patch new file mode 100644 index 0000000000..88f84210dc --- /dev/null +++ b/queue-6.19/hwmon-peci-cputemp-fix-crit_hyst-returning-delta-instead-of-absolute-temperature.patch 
@@ -0,0 +1,67 @@ +From 0adc752b4f7d82af7bd14f7cad3091b3b5d702ba Mon Sep 17 00:00:00 2001 +From: Sanman Pradhan +Date: Mon, 23 Mar 2026 00:24:25 +0000 +Subject: hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute temperature + +From: Sanman Pradhan + +commit 0adc752b4f7d82af7bd14f7cad3091b3b5d702ba upstream. + +The hwmon sysfs ABI expects tempN_crit_hyst to report the temperature at +which the critical condition clears, not the hysteresis delta from the +critical limit. + +The peci cputemp driver currently returns tjmax - tcontrol for +crit_hyst_type, which is the hysteresis margin rather than the +corresponding absolute temperature. + +Return tcontrol directly, and update the documentation accordingly. + +Fixes: bf3608f338e9 ("hwmon: peci: Add cputemp driver") +Cc: stable@vger.kernel.org +Signed-off-by: Sanman Pradhan +Link: https://lore.kernel.org/r/20260323002352.93417-2-sanman.pradhan@hpe.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/hwmon/peci-cputemp.rst | 10 ++++++---- + drivers/hwmon/peci/cputemp.c | 2 +- + 2 files changed, 7 insertions(+), 5 deletions(-) + +--- a/Documentation/hwmon/peci-cputemp.rst ++++ b/Documentation/hwmon/peci-cputemp.rst +@@ -51,8 +51,9 @@ temp1_max Provides thermal control temp + temp1_crit Provides shutdown temperature of the CPU package which + is also known as the maximum processor junction + temperature, Tjmax or Tprochot. +-temp1_crit_hyst Provides the hysteresis value from Tcontrol to Tjmax of +- the CPU package. ++temp1_crit_hyst Provides the hysteresis temperature of the CPU ++ package. Returns Tcontrol, the temperature at which ++ the critical condition clears. + + temp2_label "DTS" + temp2_input Provides current temperature of the CPU package scaled +@@ -62,8 +63,9 @@ temp2_max Provides thermal control temp + temp2_crit Provides shutdown temperature of the CPU package which + is also known as the maximum processor junction + temperature, Tjmax or Tprochot. 
+-temp2_crit_hyst Provides the hysteresis value from Tcontrol to Tjmax of +- the CPU package. ++temp2_crit_hyst Provides the hysteresis temperature of the CPU ++ package. Returns Tcontrol, the temperature at which ++ the critical condition clears. + + temp3_label "Tcontrol" + temp3_input Provides current Tcontrol temperature of the CPU +--- a/drivers/hwmon/peci/cputemp.c ++++ b/drivers/hwmon/peci/cputemp.c +@@ -131,7 +131,7 @@ static int get_temp_target(struct peci_c + *val = priv->temp.target.tjmax; + break; + case crit_hyst_type: +- *val = priv->temp.target.tjmax - priv->temp.target.tcontrol; ++ *val = priv->temp.target.tcontrol; + break; + default: + ret = -EOPNOTSUPP; diff --git a/queue-6.19/hwmon-peci-cputemp-fix-off-by-one-in-cputemp_is_visible.patch b/queue-6.19/hwmon-peci-cputemp-fix-off-by-one-in-cputemp_is_visible.patch new file mode 100644 index 0000000000..9ad1459a3a --- /dev/null +++ b/queue-6.19/hwmon-peci-cputemp-fix-off-by-one-in-cputemp_is_visible.patch 
@@ -0,0 +1,38 @@ +From b0c9d8ae71509f25690d57f2efddebf7f4b12194 Mon Sep 17 00:00:00 2001 +From: Sanman Pradhan +Date: Mon, 23 Mar 2026 00:24:37 +0000 +Subject: hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible() + +From: Sanman Pradhan + +commit b0c9d8ae71509f25690d57f2efddebf7f4b12194 upstream. + +cputemp_is_visible() validates the channel index against +CPUTEMP_CHANNEL_NUMS, but currently uses '>' instead of '>='. +As a result, channel == CPUTEMP_CHANNEL_NUMS is not rejected even though +valid indices are 0 .. CPUTEMP_CHANNEL_NUMS - 1. + +Fix the bounds check by using '>=' so invalid channel indices are +rejected before indexing the core bitmap. + +Fixes: bf3608f338e9 ("hwmon: peci: Add cputemp driver") +Cc: stable@vger.kernel.org +Signed-off-by: Sanman Pradhan +Link: https://lore.kernel.org/r/20260323002352.93417-3-sanman.pradhan@hpe.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/peci/cputemp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/peci/cputemp.c ++++ b/drivers/hwmon/peci/cputemp.c +@@ -319,7 +319,7 @@ static umode_t cputemp_is_visible(const + { + const struct peci_cputemp *priv = data; + +- if (channel > CPUTEMP_CHANNEL_NUMS) ++ if (channel >= CPUTEMP_CHANNEL_NUMS) + return 0; + + if (channel < channel_core) diff --git a/queue-6.19/hwmon-pmbus-ina233-fix-error-handling-and-sign-extension-in-shunt-voltage-read.patch b/queue-6.19/hwmon-pmbus-ina233-fix-error-handling-and-sign-extension-in-shunt-voltage-read.patch new file mode 100644 index 0000000000..b1d0c869b2 --- /dev/null +++ b/queue-6.19/hwmon-pmbus-ina233-fix-error-handling-and-sign-extension-in-shunt-voltage-read.patch 
@@ -0,0 +1,51 @@ +From f7e775c4694782844c66da5316fed82881835cf8 Mon Sep 17 00:00:00 2001 +From: Sanman Pradhan +Date: Thu, 19 Mar 2026 17:31:19 +0000 +Subject: hwmon: (pmbus/ina233) Fix error handling and sign extension in shunt voltage read + +From: Sanman Pradhan + +commit f7e775c4694782844c66da5316fed82881835cf8 upstream. + +ina233_read_word_data() reads MFR_READ_VSHUNT via pmbus_read_word_data() +but has two issues: + +1. The return value is not checked for errors before being used in + arithmetic. A negative error code from a failed I2C transaction is + passed directly to DIV_ROUND_CLOSEST(), producing garbage data. + +2. MFR_READ_VSHUNT is a 16-bit two's complement value. Negative shunt + voltages (values with bit 15 set) are treated as large positive + values since pmbus_read_word_data() returns them zero-extended in an + int. This leads to incorrect scaling in the VIN coefficient + conversion. + +Fix both issues by adding an error check, casting to s16 for proper +sign extension, and clamping the result to a valid non-negative range. +The clamp is necessary because read_word_data callbacks must return +non-negative values on success (negative values indicate errors to the +pmbus core). 
+ +Fixes: b64b6cb163f16 ("hwmon: Add driver for TI INA233 Current and Power Monitor") +Cc: stable@vger.kernel.org +Signed-off-by: Sanman Pradhan +Link: https://lore.kernel.org/r/20260319173055.125271-2-sanman.pradhan@hpe.com +[groeck: Fixed clamp to avoid losing the sign bit] +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/ina233.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/hwmon/pmbus/ina233.c ++++ b/drivers/hwmon/pmbus/ina233.c +@@ -72,7 +72,8 @@ static int ina233_read_word_data(struct + + /* Adjust returned value to match VIN coefficients */ + /* VIN: 1.25 mV VSHUNT: 2.5 uV LSB */ +- ret = DIV_ROUND_CLOSEST(ret * 25, 12500); ++ ret = clamp_val(DIV_ROUND_CLOSEST((s16)ret * 25, 12500), ++ S16_MIN, S16_MAX) & 0xffff; + break; + default: + ret = -ENODATA; diff --git a/queue-6.19/hwmon-pmbus-isl68137-add-mutex-protection-for-avs-enable-sysfs-attributes.patch b/queue-6.19/hwmon-pmbus-isl68137-add-mutex-protection-for-avs-enable-sysfs-attributes.patch new file mode 100644 index 0000000000..b45ccd0744 --- /dev/null +++ b/queue-6.19/hwmon-pmbus-isl68137-add-mutex-protection-for-avs-enable-sysfs-attributes.patch 
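Review bot: The new `(s16)ret * 25` cast and the trailing `& 0xffff` mask will turn a negative error code from pmbus_read_word_data() into a small non-negative "reading" instead of propagating it, unless a `ret < 0` check already sits between the read call and the hunk's three context lines (blank line plus two comments); the commit message says an error check is added, but the diffstat shows only 2 insertions and 1 deletion and none is visible here, so confirm the check exists above the hunk in the stable tree or add `if (ret < 0) break;` (or `return ret;`, whichever matches the function's existing error style) right after the read. The in-code comment should also say why the mask is there, since the description's "clamping the result to a valid non-negative range" no longer matches the code after the [groeck] adjustment: `/* clamp to the s16 range, then re-encode as an unsigned 16-bit word: the pmbus core treats negative returns as errors */`. ina233_read_word_data() starts and ends outside the hunk.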
@@ -0,0 +1,88 @@ +From 3075a3951f7708da5a8ab47b0b7d068a32f69e58 Mon Sep 17 00:00:00 2001 +From: Sanman Pradhan +Date: Thu, 19 Mar 2026 17:31:29 +0000 +Subject: hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs attributes + +From: Sanman Pradhan + +commit 3075a3951f7708da5a8ab47b0b7d068a32f69e58 upstream. + +The custom avs0_enable and avs1_enable sysfs attributes access PMBus +registers through the exported API helpers (pmbus_read_byte_data, +pmbus_read_word_data, pmbus_write_word_data, pmbus_update_byte_data) +without holding the PMBus update_lock mutex. These exported helpers do +not acquire the mutex internally, unlike the core's internal callers +which hold the lock before invoking them. + +The store callback is especially vulnerable: it performs a multi-step +read-modify-write sequence (read VOUT_COMMAND, write VOUT_COMMAND, then +update OPERATION) where concurrent access from another thread could +interleave and corrupt the register state. + +Add pmbus_lock_interruptible()/pmbus_unlock() around both the show and +store callbacks to serialize PMBus register access with the rest of the +driver. 
+ +Fixes: 038a9c3d1e424 ("hwmon: (pmbus/isl68137) Add driver for Intersil ISL68137 PWM Controller") +Cc: stable@vger.kernel.org +Signed-off-by: Sanman Pradhan +Link: https://lore.kernel.org/r/20260319173055.125271-3-sanman.pradhan@hpe.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/isl68137.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/hwmon/pmbus/isl68137.c ++++ b/drivers/hwmon/pmbus/isl68137.c +@@ -96,7 +96,15 @@ static ssize_t isl68137_avs_enable_show_ + int page, + char *buf) + { +- int val = pmbus_read_byte_data(client, page, PMBUS_OPERATION); ++ int val; ++ ++ val = pmbus_lock_interruptible(client); ++ if (val) ++ return val; ++ ++ val = pmbus_read_byte_data(client, page, PMBUS_OPERATION); ++ ++ pmbus_unlock(client); + + if (val < 0) + return val; +@@ -118,6 +126,10 @@ static ssize_t isl68137_avs_enable_store + + op_val = result ? ISL68137_VOUT_AVS : 0; + ++ rc = pmbus_lock_interruptible(client); ++ if (rc) ++ return rc; ++ + /* + * Writes to VOUT setpoint over AVSBus will persist after the VRM is + * switched to PMBus control. Switching back to AVSBus control +@@ -129,17 +141,20 @@ static ssize_t isl68137_avs_enable_store + rc = pmbus_read_word_data(client, page, 0xff, + PMBUS_VOUT_COMMAND); + if (rc < 0) +- return rc; ++ goto unlock; + + rc = pmbus_write_word_data(client, page, PMBUS_VOUT_COMMAND, + rc); + if (rc < 0) +- return rc; ++ goto unlock; + } + + rc = pmbus_update_byte_data(client, page, PMBUS_OPERATION, + ISL68137_VOUT_AVS, op_val); + ++unlock: ++ pmbus_unlock(client); ++ + return (rc < 0) ? rc : count; + } + diff --git a/queue-6.19/kvm-arm64-discard-pc-update-state-on-vcpu-reset.patch b/queue-6.19/kvm-arm64-discard-pc-update-state-on-vcpu-reset.patch new file mode 100644 index 0000000000..9588d88faf --- /dev/null +++ b/queue-6.19/kvm-arm64-discard-pc-update-state-on-vcpu-reset.patch 
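Review bot: In the show callback the lock result is stored in `val`, the same variable that a few lines later holds the OPERATION byte, so the later `if (val < 0)` now guards two different things; a dedicated `int rc` for `pmbus_lock_interruptible(client)` (`rc = pmbus_lock_interruptible(client); if (rc) return rc;`) would keep the register value and the lock status separate and match the store callback, which already uses `rc`. The store path's new `unlock:` label is reached both by the error gotos and by fall-through after `pmbus_update_byte_data()`, which is correct. Both callbacks start outside the hunk.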
@@ -0,0 +1,81 @@ +From 1744a6ef48b9a48f017e3e1a0d05de0a6978396e Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Thu, 12 Mar 2026 14:08:50 +0000 +Subject: KVM: arm64: Discard PC update state on vcpu reset + +From: Marc Zyngier + +commit 1744a6ef48b9a48f017e3e1a0d05de0a6978396e upstream. + +Our vcpu reset suffers from a particularly interesting flaw, as it +does not correctly deal with state that will have an effect on the +execution flow out of reset. + +Take the following completely random example, never seen in the wild +and that never resulted in a couple of sleepless nights: /s + +- vcpu-A issues a PSCI_CPU_OFF using the SMC conduit + +- SMC being a trapped instruction (as opposed to HVC which is always + normally executed), we annotate the vcpu as needing to skip the + next instruction, which is the SMC itself + +- vcpu-A is now safely off + +- vcpu-B issues a PSCI_CPU_ON for vcpu-A, providing a starting PC + +- vcpu-A gets reset, get the new PC, and is sent on its merry way + +- right at the point of entering the guest, we notice that a PC + increment is pending (remember the earlier SMC?) + +- vcpu-A skips its first instruction... + +What could possibly go wrong? + +Well, I'm glad you asked. For pKVM as a NV guest, that first instruction +is extremely significant, as it indicates whether the CPU is booting +or resuming. Having skipped that instruction, nothing makes any sense +anymore, and CPU hotplugging fails. + +This is all caused by the decoupling of PC update from the handling +of an exception that triggers such update, making it non-obvious +what affects what when. + +Fix this train wreck by discarding all the PC-affecting state on +vcpu reset. 
+ +Fixes: f5e30680616ab ("KVM: arm64: Move __adjust_pc out of line") +Cc: stable@vger.kernel.org +Reviewed-by: Suzuki K Poulose +Reviewed-by: Joey Gouly +Link: https://patch.msgid.link/20260312140850.822968-1-maz@kernel.org +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/reset.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/arch/arm64/kvm/reset.c ++++ b/arch/arm64/kvm/reset.c +@@ -247,6 +247,20 @@ void kvm_reset_vcpu(struct kvm_vcpu *vcp + kvm_vcpu_set_be(vcpu); + + *vcpu_pc(vcpu) = target_pc; ++ ++ /* ++ * We may come from a state where either a PC update was ++ * pending (SMC call resulting in PC being increpented to ++ * skip the SMC) or a pending exception. Make sure we get ++ * rid of all that, as this cannot be valid out of reset. ++ * ++ * Note that clearing the exception mask also clears PC ++ * updates, but that's an implementation detail, and we ++ * really want to make it explicit. ++ */ ++ vcpu_clear_flag(vcpu, PENDING_EXCEPTION); ++ vcpu_clear_flag(vcpu, EXCEPT_MASK); ++ vcpu_clear_flag(vcpu, INCREMENT_PC); + vcpu_set_reg(vcpu, 0, reset_state.r0); + } + diff --git a/queue-6.19/kvm-arm64-fix-the-descriptor-address-in-__kvm_at_swap_desc.patch b/queue-6.19/kvm-arm64-fix-the-descriptor-address-in-__kvm_at_swap_desc.patch new file mode 100644 index 0000000000..451b53fa34 --- /dev/null +++ b/queue-6.19/kvm-arm64-fix-the-descriptor-address-in-__kvm_at_swap_desc.patch 
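Review bot: The added comment has a typo on its second line, `PC being increpented` should read `PC being incremented`. The three `vcpu_clear_flag()` calls sit after the `*vcpu_pc(vcpu) = target_pc` write and before `vcpu_set_reg(vcpu, 0, reset_state.r0)`, which is the ordering the commit message asks for; kvm_reset_vcpu() starts and ends outside the hunk.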
@@ -0,0 +1,36 @@ +From 0496acc42fb51eee040b5170cec05cec41385540 Mon Sep 17 00:00:00 2001 +From: "Zenghui Yu (Huawei)" +Date: Tue, 17 Mar 2026 19:57:48 +0800 +Subject: KVM: arm64: Fix the descriptor address in __kvm_at_swap_desc() + +From: Zenghui Yu (Huawei) + +commit 0496acc42fb51eee040b5170cec05cec41385540 upstream. + +Using "(u64 __user *)hva + offset" to get the virtual addresses of S1/S2 +descriptors looks really wrong, if offset is not zero. What we want to get +for swapping is hva + offset, not hva + offset*8. ;-) + +Fix it. + +Fixes: f6927b41d573 ("KVM: arm64: Add helper for swapping guest descriptor") +Signed-off-by: Zenghui Yu (Huawei) +Link: https://patch.msgid.link/20260317115748.47332-1-zenghui.yu@linux.dev +Signed-off-by: Marc Zyngier +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/at.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kvm/at.c ++++ b/arch/arm64/kvm/at.c +@@ -1785,7 +1785,7 @@ int __kvm_at_swap_desc(struct kvm *kvm, + if (!writable) + return -EPERM; + +- ptep = (u64 __user *)hva + offset; ++ ptep = (void __user *)hva + offset; + if (cpus_have_final_cap(ARM64_HAS_LSE_ATOMICS)) + r = __lse_swap_desc(ptep, old, new); + else diff --git a/queue-6.19/media-mc-v4l2-serialize-reinit-and-reqbufs-with-req_queue_mutex.patch b/queue-6.19/media-mc-v4l2-serialize-reinit-and-reqbufs-with-req_queue_mutex.patch new file mode 100644 index 0000000000..f13afedf36 --- /dev/null +++ b/queue-6.19/media-mc-v4l2-serialize-reinit-and-reqbufs-with-req_queue_mutex.patch 
@@ -0,0 +1,86 @@ +From bef4f4a88b73e4cc550d25f665b8a9952af22773 Mon Sep 17 00:00:00 2001 +From: Yuchan Nam +Date: Fri, 6 Mar 2026 21:52:23 +0900 +Subject: media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex + +From: Yuchan Nam + +commit bef4f4a88b73e4cc550d25f665b8a9952af22773 upstream. + +MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0) +queue teardown paths. This can race request object cleanup against vb2 +queue cancellation and lead to use-after-free reports. + +We already serialize request queueing against STREAMON/OFF with +req_queue_mutex. Extend that serialization to REQBUFS, and also take +the same mutex in media_request_ioctl_reinit() so REINIT is in the +same exclusion domain. + +This keeps request cleanup and queue cancellation from running in +parallel for request-capable devices. + +Fixes: 6093d3002eab ("media: vb2: keep a reference to the request until dqbuf") +Cc: stable@vger.kernel.org +Signed-off-by: Yuchan Nam +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/mc/mc-request.c | 5 +++++ + drivers/media/v4l2-core/v4l2-ioctl.c | 5 +++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/media/mc/mc-request.c ++++ b/drivers/media/mc/mc-request.c +@@ -190,6 +190,8 @@ static long media_request_ioctl_reinit(s + struct media_device *mdev = req->mdev; + unsigned long flags; + ++ mutex_lock(&mdev->req_queue_mutex); ++ + spin_lock_irqsave(&req->lock, flags); + if (req->state != MEDIA_REQUEST_STATE_IDLE && + req->state != MEDIA_REQUEST_STATE_COMPLETE) { +@@ -197,6 +199,7 @@ static long media_request_ioctl_reinit(s + "request: %s not in idle or complete state, cannot reinit\n", + req->debug_str); + spin_unlock_irqrestore(&req->lock, flags); ++ mutex_unlock(&mdev->req_queue_mutex); + return -EBUSY; + } + if (req->access_count) { +@@ -204,6 +207,7 @@ static long media_request_ioctl_reinit(s + "request: %s is being accessed, cannot 
reinit\n", + req->debug_str); + spin_unlock_irqrestore(&req->lock, flags); ++ mutex_unlock(&mdev->req_queue_mutex); + return -EBUSY; + } + req->state = MEDIA_REQUEST_STATE_CLEANING; +@@ -214,6 +218,7 @@ static long media_request_ioctl_reinit(s + spin_lock_irqsave(&req->lock, flags); + req->state = MEDIA_REQUEST_STATE_IDLE; + spin_unlock_irqrestore(&req->lock, flags); ++ mutex_unlock(&mdev->req_queue_mutex); + + return 0; + } +--- a/drivers/media/v4l2-core/v4l2-ioctl.c ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c +@@ -3081,13 +3081,14 @@ static long __video_do_ioctl(struct file + } + + /* +- * We need to serialize streamon/off with queueing new requests. ++ * We need to serialize streamon/off/reqbufs with queueing new requests. + * These ioctls may trigger the cancellation of a streaming + * operation, and that should not be mixed with queueing a new + * request at the same time. + */ + if (v4l2_device_supports_requests(vfd->v4l2_dev) && +- (cmd == VIDIOC_STREAMON || cmd == VIDIOC_STREAMOFF)) { ++ (cmd == VIDIOC_STREAMON || cmd == VIDIOC_STREAMOFF || ++ cmd == VIDIOC_REQBUFS)) { + req_queue_lock = &vfd->v4l2_dev->mdev->req_queue_mutex; + + if (mutex_lock_interruptible(req_queue_lock)) diff --git a/queue-6.19/media-verisilicon-fix-kernel-panic-due-to-__initconst-misuse.patch b/queue-6.19/media-verisilicon-fix-kernel-panic-due-to-__initconst-misuse.patch new file mode 100644 index 0000000000..f74b007211 --- /dev/null +++ b/queue-6.19/media-verisilicon-fix-kernel-panic-due-to-__initconst-misuse.patch 
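Review bot: media_request_ioctl_reinit() now takes `req_queue_mutex` with an uninterruptible `mutex_lock()`, while the other half of this patch in __video_do_ioctl() takes the same mutex with `mutex_lock_interruptible()`; REINIT is equally a user-issued ioctl, so `if (mutex_lock_interruptible(&mdev->req_queue_mutex)) return -ERESTARTSYS;` would keep the two sides consistent and let a signal break a wait behind a long streamoff/reqbufs. The three separate `mutex_unlock()` calls on the -EBUSY paths and the one on the success path could then collapse into a single exit label, which makes it harder for a future early return to miss the unlock. media_request_ioctl_reinit() starts outside the hunk.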
@@ -0,0 +1,65 @@ +From e8d97c270cb46a2a88739019d0f8547adc7d97da Mon Sep 17 00:00:00 2001 +From: Ming Qian +Date: Fri, 6 Mar 2026 11:10:57 +0800 +Subject: media: verisilicon: Fix kernel panic due to __initconst misuse + +From: Ming Qian + +commit e8d97c270cb46a2a88739019d0f8547adc7d97da upstream. + +Fix a kernel panic when probing the driver as a module: + + Unable to handle kernel paging request at virtual address + ffffd9c18eb05000 + of_find_matching_node_and_match+0x5c/0x1a0 + hantro_probe+0x2f4/0x7d0 [hantro_vpu] + +The imx8mq_vpu_shared_resources array is referenced by variant +structures through their shared_devices field. When built as a +module, __initconst causes this data to be freed after module +init, but it's later accessed during probe, causing a page fault. + +The imx8mq_vpu_shared_resources is referenced from non-init code, +so keeping __initconst or __initconst_or_module here is wrong. + +Drop the __initconst annotation and let it live in the normal .rodata +section. + +A bug of __initconst called from regular non-init probe code +leading to bugs during probe deferrals or during unbind-bind cycles. 
+ +Reported-by: Krzysztof Kozlowski +Closes: https://lore.kernel.org/all/68ef934f-baa0-4bf6-93d8-834bbc441e66@kernel.org/ +Reported-by: Franz Schnyder +Closes: https://lore.kernel.org/all/n3qmcb62tepxltoskpf7ws6yiirc2so62ia23b42rj3wlmpl67@rvkbuirx7kkp/ +Fixes: e0203ddf9af7 ("media: verisilicon: Avoid G2 bus error while decoding H.264 and HEVC") +Suggested-by: Krzysztof Kozlowski +Suggested-by: Marco Felsch +Reviewed-by: Marco Felsch +Signed-off-by: Ming Qian +Reviewed-by: Frank Li +Reviewed-by: Krzysztof Kozlowski +Cc: stable@kernel.org +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/verisilicon/imx8m_vpu_hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/verisilicon/imx8m_vpu_hw.c b/drivers/media/platform/verisilicon/imx8m_vpu_hw.c +index 6f8e43b7f157..fa4224de4b99 100644 +--- a/drivers/media/platform/verisilicon/imx8m_vpu_hw.c ++++ b/drivers/media/platform/verisilicon/imx8m_vpu_hw.c +@@ -343,7 +343,7 @@ const struct hantro_variant imx8mq_vpu_variant = { + .num_regs = ARRAY_SIZE(imx8mq_reg_names) + }; + +-static const struct of_device_id imx8mq_vpu_shared_resources[] __initconst = { ++static const struct of_device_id imx8mq_vpu_shared_resources[] = { + { .compatible = "nxp,imx8mq-vpu-g1", }, + { .compatible = "nxp,imx8mq-vpu-g2", }, + { /* sentinel */ } +-- +2.53.0 + diff --git a/queue-6.19/platform-x86-isst-correct-locked-bit-width.patch b/queue-6.19/platform-x86-isst-correct-locked-bit-width.patch new file mode 100644 index 0000000000..684f240b44 --- /dev/null +++ b/queue-6.19/platform-x86-isst-correct-locked-bit-width.patch 
@@ -0,0 +1,37 @@ +From fbddf68d7b4e1e6da7a78dd7fbd8ec376536584a Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Mon, 23 Mar 2026 08:36:35 -0700 +Subject: platform/x86: ISST: Correct locked bit width +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Srinivas Pandruvada + +commit fbddf68d7b4e1e6da7a78dd7fbd8ec376536584a upstream. + +SST-PP locked bit width is set to three bits. It should be only one bit. +Use SST_PP_LOCK_WIDTH define instead of SST_PP_LEVEL_WIDTH. + +Fixes: ea009e4769fa ("platform/x86: ISST: Add SST-PP support via TPMI") +Signed-off-by: Srinivas Pandruvada +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260323153635.3263828-1-srinivas.pandruvada@linux.intel.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c ++++ b/drivers/platform/x86/intel/speed_select_if/isst_tpmi_core.c +@@ -871,7 +871,7 @@ static int isst_if_get_perf_level(void _ + _read_pp_info("current_level", perf_level.current_level, SST_PP_STATUS_OFFSET, + SST_PP_LEVEL_START, SST_PP_LEVEL_WIDTH, SST_MUL_FACTOR_NONE) + _read_pp_info("locked", perf_level.locked, SST_PP_STATUS_OFFSET, +- SST_PP_LOCK_START, SST_PP_LEVEL_WIDTH, SST_MUL_FACTOR_NONE) ++ SST_PP_LOCK_START, SST_PP_LOCK_WIDTH, SST_MUL_FACTOR_NONE) + _read_pp_info("feature_state", perf_level.feature_state, SST_PP_STATUS_OFFSET, + SST_PP_FEATURE_STATE_START, SST_PP_FEATURE_STATE_WIDTH, SST_MUL_FACTOR_NONE) + perf_level.enabled = !!(power_domain_info->sst_header.cap_mask & BIT(1)); diff --git a/queue-6.19/rdma-ionic-preserve-and-set-ethernet-source-mac-after-ib_ud_header_init.patch b/queue-6.19/rdma-ionic-preserve-and-set-ethernet-source-mac-after-ib_ud_header_init.patch new file mode 100644 index 0000000000..31f5dbef21 
--- /dev/null
+++ b/queue-6.19/rdma-ionic-preserve-and-set-ethernet-source-mac-after-ib_ud_header_init.patch
@@ -0,0 +1,58 @@ +From a08aaf3968aec5d05cd32c801b8cc0c61da69c41 Mon Sep 17 00:00:00 2001 +From: Abhijit Gangurde +Date: Fri, 27 Feb 2026 11:48:09 +0530 +Subject: RDMA/ionic: Preserve and set Ethernet source MAC after ib_ud_header_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Abhijit Gangurde + +commit a08aaf3968aec5d05cd32c801b8cc0c61da69c41 upstream. + +ionic_build_hdr() populated the Ethernet source MAC (hdr->eth.smac_h) by +passing the header’s storage directly to rdma_read_gid_l2_fields(). +However, ib_ud_header_init() is called after that and re-initializes the +UD header, which wipes the previously written smac_h. As a result, packets +are emitted with an zero source MAC address on the wire. + +Correct the source MAC by reading the GID-derived smac into a temporary +buffer and copy it after ib_ud_header_init() completes. + +Fixes: e8521822c733 ("RDMA/ionic: Register device ops for control path") +Cc: stable@vger.kernel.org # 6.18 +Signed-off-by: Abhijit Gangurde +Link: https://patch.msgid.link/20260227061809.2979990-1-abhijit.gangurde@amd.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/ionic/ionic_controlpath.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/ionic/ionic_controlpath.c ++++ b/drivers/infiniband/hw/ionic/ionic_controlpath.c +@@ -508,6 +508,7 @@ static int ionic_build_hdr(struct ionic_ + { + const struct ib_global_route *grh; + enum rdma_network_type net; ++ u8 smac[ETH_ALEN]; + u16 vlan; + int rc; + +@@ -518,7 +519,7 @@ static int ionic_build_hdr(struct ionic_ + + grh = rdma_ah_read_grh(attr); + +- rc = rdma_read_gid_l2_fields(grh->sgid_attr, &vlan, &hdr->eth.smac_h[0]); ++ rc = rdma_read_gid_l2_fields(grh->sgid_attr, &vlan, smac); + if (rc) + return rc; + +@@ -536,6 +537,7 @@ static int ionic_build_hdr(struct ionic_ + if (rc) + return rc; + ++ ether_addr_copy(hdr->eth.smac_h, smac); + 
ether_addr_copy(hdr->eth.dmac_h, attr->roce.dmac); + + if (net == RDMA_NETWORK_IPV4) { diff --git a/queue-6.19/series b/queue-6.19/series index 54cbdd2c0f..4b830974db 100644 --- a/queue-6.19/series +++ b/queue-6.19/series @@ -216,3 +216,19 @@ cpufreq-don-t-skip-cpufreq_frequency_table_cpuinfo.patch cpufreq-conservative-reset-requested_freq-on-limits-change.patch kbuild-delete-.builtin-dtbs.s-when-running-make-clean.patch mm-damon-stat-monitor-all-system-ram-resources.patch +thermal-intel-int340x-soc_slider-set-offset-only-for-balanced-mode.patch +rdma-ionic-preserve-and-set-ethernet-source-mac-after-ib_ud_header_init.patch +platform-x86-isst-correct-locked-bit-width.patch +kvm-arm64-discard-pc-update-state-on-vcpu-reset.patch +kvm-arm64-fix-the-descriptor-address-in-__kvm_at_swap_desc.patch +hwmon-pmbus-ina233-fix-error-handling-and-sign-extension-in-shunt-voltage-read.patch +hwmon-pmbus-isl68137-add-mutex-protection-for-avs-enable-sysfs-attributes.patch +hwmon-peci-cputemp-fix-crit_hyst-returning-delta-instead-of-absolute-temperature.patch +hwmon-peci-cputemp-fix-off-by-one-in-cputemp_is_visible.patch +media-mc-v4l2-serialize-reinit-and-reqbufs-with-req_queue_mutex.patch +media-verisilicon-fix-kernel-panic-due-to-__initconst-misuse.patch +xfrm-iptfs-validate-inner-ipv4-header-length-in-iptfs-payload.patch +xfrm-iptfs-only-publish-mode_data-after-clone-setup.patch +virt-tdx-guest-fix-handling-of-host-controlled-quote-buffer-length.patch +virtio_net-fix-uaf-on-dst_ops-when-iff_xmit_dst_release-is-cleared-and-napi_tx-is-false.patch +vfio-pci-fix-double-free-in-dma-buf-feature.patch diff --git a/queue-6.19/thermal-intel-int340x-soc_slider-set-offset-only-for-balanced-mode.patch b/queue-6.19/thermal-intel-int340x-soc_slider-set-offset-only-for-balanced-mode.patch new file mode 100644 index 0000000000..8f070f2b51 --- /dev/null +++ b/queue-6.19/thermal-intel-int340x-soc_slider-set-offset-only-for-balanced-mode.patch 
@@ -0,0 +1,50 @@ +From 7dfe9846016b15816e287a4650be1ff1b48c5ab4 Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Tue, 24 Mar 2026 10:23:46 -0700 +Subject: thermal: intel: int340x: soc_slider: Set offset only for balanced mode + +From: Srinivas Pandruvada + +commit 7dfe9846016b15816e287a4650be1ff1b48c5ab4 upstream. + +The slider offset can be set via debugfs for balanced mode. The offset +should be only applicable in balanced mode. For other modes, it should +be 0 when writing to MMIO offset, + +Fixes: 8306bcaba06d ("thermal: intel: int340x: Add module parameter to change slider offset") +Tested-by: Erin Park +Signed-off-by: Srinivas Pandruvada +Cc: 6.18+ # 6.18+ +[ rjw: Subject and changelog tweaks ] +Link: https://patch.msgid.link/20260324172346.3317145-1-srinivas.pandruvada@linux.intel.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/intel/int340x_thermal/processor_thermal_soc_slider.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/thermal/intel/int340x_thermal/processor_thermal_soc_slider.c ++++ b/drivers/thermal/intel/int340x_thermal/processor_thermal_soc_slider.c +@@ -176,15 +176,21 @@ static inline void write_soc_slider(stru + + static void set_soc_power_profile(struct proc_thermal_device *proc_priv, int slider) + { ++ u8 offset; + u64 val; + + val = read_soc_slider(proc_priv); + val &= ~SLIDER_MASK; + val |= FIELD_PREP(SLIDER_MASK, slider) | BIT(SLIDER_ENABLE_BIT); + ++ if (slider == SOC_SLIDER_VALUE_MINIMUM || slider == SOC_SLIDER_VALUE_MAXIMUM) ++ offset = 0; ++ else ++ offset = slider_offset; ++ + /* Set the slider offset from module params */ + val &= ~SLIDER_OFFSET_MASK; +- val |= FIELD_PREP(SLIDER_OFFSET_MASK, slider_offset); ++ val |= FIELD_PREP(SLIDER_OFFSET_MASK, offset); + + write_soc_slider(proc_priv, val); + } 
diff --git a/queue-6.19/vfio-pci-fix-double-free-in-dma-buf-feature.patch b/queue-6.19/vfio-pci-fix-double-free-in-dma-buf-feature.patch new file mode 100644 index 0000000000..d1466f062e --- /dev/null +++ b/queue-6.19/vfio-pci-fix-double-free-in-dma-buf-feature.patch @@ -0,0 +1,48 @@ +From e98137f0a874ab36d0946de4707aa48cb7137d1c Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Mon, 23 Mar 2026 15:56:58 -0600 +Subject: vfio/pci: Fix double free in dma-buf feature + +From: Alex Williamson + +commit e98137f0a874ab36d0946de4707aa48cb7137d1c upstream. + +The error path through vfio_pci_core_feature_dma_buf() ignores its +own advice to only use dma_buf_put() after dma_buf_export(), instead +falling through the entire unwind chain. In the unlikely event that +we encounter file descriptor exhaustion, this can result in an +unbalanced refcount on the vfio device and double free of allocated +objects. + +Avoid this by moving the "put" directly into the error path and return +the errno rather than entering the unwind chain. + +Reported-by: Renato Marziano +Fixes: 5d74781ebc86 ("vfio/pci: Add dma-buf export support for MMIO regions") +Cc: stable@vger.kernel.org +Acked-by: Leon Romanovsky +Signed-off-by: Alex Williamson +Link: https://lore.kernel.org/r/20260323215659.2108191-3-alex.williamson@nvidia.com +Reviewed-by: Jason Gunthorpe +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vfio/pci/vfio_pci_dmabuf.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/vfio/pci/vfio_pci_dmabuf.c ++++ b/drivers/vfio/pci/vfio_pci_dmabuf.c +@@ -302,11 +302,10 @@ int vfio_pci_core_feature_dma_buf(struct + */ + ret = dma_buf_fd(priv->dmabuf, get_dma_buf.open_flags); + if (ret < 0) +- goto err_dma_buf; ++ dma_buf_put(priv->dmabuf); ++ + return ret; + +-err_dma_buf: +- dma_buf_put(priv->dmabuf); + err_dev_put: + vfio_device_put_registration(&vdev->vdev); + err_free_phys: 
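Review bot: On the `dma_buf_fd()` failure path the new code calls `dma_buf_put(priv->dmabuf)` and then returns `ret` without entering the unwind chain, which presumably relies on the dma-buf release callback dropping the device reference and freeing `priv`; that invariant is easy to break in a later edit, so a comment on the new line would help: `/* dma-buf release owns the unwind from here; priv must not be touched */`. With the `err_dma_buf` label removed, it is worth confirming that `err_dev_put:` and the labels below it are still targeted by an earlier goto, otherwise the compiler will warn about an unused label. vfio_pci_core_feature_dma_buf() starts and ends outside the hunk.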
diff --git a/queue-6.19/virt-tdx-guest-fix-handling-of-host-controlled-quote-buffer-length.patch b/queue-6.19/virt-tdx-guest-fix-handling-of-host-controlled-quote-buffer-length.patch
new file mode 100644
index 0000000000..6040257ed2
--- /dev/null
+++ b/queue-6.19/virt-tdx-guest-fix-handling-of-host-controlled-quote-buffer-length.patch
@@ -0,0 +1,77 @@ +From c3fd16c3b98ed726294feab2f94f876290bf7b61 Mon Sep 17 00:00:00 2001 +From: Zubin Mithra +Date: Wed, 18 Mar 2026 13:40:13 +0000 +Subject: virt: tdx-guest: Fix handling of host controlled 'quote' buffer length + +From: Zubin Mithra + +commit c3fd16c3b98ed726294feab2f94f876290bf7b61 upstream. + +Validate host controlled value `quote_buf->out_len` that determines how +many bytes of the quote are copied out to guest userspace. In TDX +environments with remote attestation, quotes are not considered private, +and can be forwarded to an attestation server. + +Catch scenarios where the host specifies a response length larger than +the guest's allocation, or otherwise races modifying the response while +the guest consumes it. + +This prevents contents beyond the pages allocated for `quote_buf` +(up to TSM_REPORT_OUTBLOB_MAX) from being read out to guest userspace, +and possibly forwarded in attestation requests. + +Recall that some deployments want per-container configs-tsm-report +interfaces, so the leak may cross container protection boundaries, not +just local root. + +Fixes: f4738f56d1dc ("virt: tdx-guest: Add Quote generation support using TSM_REPORTS") +Cc: stable@vger.kernel.org +Signed-off-by: Zubin Mithra +Reviewed-by: Dan Williams +Reviewed-by: Kiryl Shutsemau (Meta) +Reviewed-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman +--- + drivers/virt/coco/tdx-guest/tdx-guest.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/virt/coco/tdx-guest/tdx-guest.c ++++ b/drivers/virt/coco/tdx-guest/tdx-guest.c +@@ -169,6 +169,8 @@ static void tdx_mr_deinit(const struct a + #define GET_QUOTE_SUCCESS 0 + #define GET_QUOTE_IN_FLIGHT 0xffffffffffffffff + ++#define TDX_QUOTE_MAX_LEN (GET_QUOTE_BUF_SIZE - sizeof(struct tdx_quote_buf)) ++ + /* struct tdx_quote_buf: Format of Quote request buffer. + * @version: Quote format version, filled by TD. 
+ * @status: Status code of Quote request, filled by VMM. +@@ -267,6 +269,7 @@ static int tdx_report_new_locked(struct + u8 *buf; + struct tdx_quote_buf *quote_buf = quote_data; + struct tsm_report_desc *desc = &report->desc; ++ u32 out_len; + int ret; + u64 err; + +@@ -304,12 +307,17 @@ static int tdx_report_new_locked(struct + return ret; + } + +- buf = kvmemdup(quote_buf->data, quote_buf->out_len, GFP_KERNEL); ++ out_len = READ_ONCE(quote_buf->out_len); ++ ++ if (out_len > TDX_QUOTE_MAX_LEN) ++ return -EFBIG; ++ ++ buf = kvmemdup(quote_buf->data, out_len, GFP_KERNEL); + if (!buf) + return -ENOMEM; + + report->outblob = buf; +- report->outblob_len = quote_buf->out_len; ++ report->outblob_len = out_len; + + /* + * TODO: parse the PEM-formatted cert chain out of the quote buffer when diff --git a/queue-6.19/virtio_net-fix-uaf-on-dst_ops-when-iff_xmit_dst_release-is-cleared-and-napi_tx-is-false.patch b/queue-6.19/virtio_net-fix-uaf-on-dst_ops-when-iff_xmit_dst_release-is-cleared-and-napi_tx-is-false.patch new file mode 100644 index 0000000000..f6a2d4cf98 --- /dev/null +++ b/queue-6.19/virtio_net-fix-uaf-on-dst_ops-when-iff_xmit_dst_release-is-cleared-and-napi_tx-is-false.patch 
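Review bot: The new bound makes `out_len` safe as a copy length, but the bytes it describes are still VMM-writable shared memory, and the `TODO` on the last line of the hunk plans to parse a PEM cert chain out of that same buffer; whoever implements it must treat `quote_buf->data` as attacker-controlled, bound every parse by the snapshotted `out_len` rather than by any length field inside the blob, and never re-read `quote_buf->out_len`. A one-line comment above the `READ_ONCE` would make that rule stick: `/* out_len is host-written shared memory: snapshot it once and bound it by the allocation */`. The check also relies on `TDX_QUOTE_MAX_LEN` being exactly the room after the header, so `data` must be the trailing member of `struct tdx_quote_buf` and `out_len` must itself be a 32-bit field (otherwise the `u32` local truncates a larger host value before the compare); the struct definition is outside the hunk, so confirm both. tdx_report_new_locked() starts before the hunk and continues after it.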
@@ -0,0 +1,90 @@
+From ba8bda9a0896746053aa97ac6c3e08168729172c Mon Sep 17 00:00:00 2001
+From: xietangxin
+Date: Thu, 12 Mar 2026 10:54:06 +0800
+Subject: virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
+
+From: xietangxin
+
+commit ba8bda9a0896746053aa97ac6c3e08168729172c upstream.
+
+A UAF issue occurs when the virtio_net driver is configured with napi_tx=N
+and the device's IFF_XMIT_DST_RELEASE flag is cleared
+(e.g., during the configuration of tc route filter rules).
+
+When IFF_XMIT_DST_RELEASE is removed from the net_device, the network stack
+expects the driver to hold the reference to skb->dst until the packet
+is fully transmitted and freed. In virtio_net with napi_tx=N,
+skbs may remain in the virtio transmit ring for an extended period.
+
+If the network namespace is destroyed while these skbs are still pending,
+the corresponding dst_ops structure has freed. When a subsequent packet
+is transmitted, free_old_xmit() is triggered to clean up old skbs.
+It then calls dst_release() on the skb associated with the stale dst_entry.
+Since the dst_ops (referenced by the dst_entry) has already been freed,
+a UAF kernel paging request occurs.
+
+fix it by adds skb_dst_drop(skb) in start_xmit to explicitly release
+the dst reference before the skb is queued in virtio_net.
+
+Call Trace:
+ Unable to handle kernel paging request at virtual address ffff80007e150000
+ CPU: 2 UID: 0 PID: 6236 Comm: ping Kdump: loaded Not tainted 7.0.0-rc1+ #6 PREEMPT
+ ...
+ percpu_counter_add_batch+0x3c/0x158 lib/percpu_counter.c:98 (P)
+ dst_release+0xe0/0x110 net/core/dst.c:177
+ skb_release_head_state+0xe8/0x108 net/core/skbuff.c:1177
+ sk_skb_reason_drop+0x54/0x2d8 net/core/skbuff.c:1255
+ dev_kfree_skb_any_reason+0x64/0x78 net/core/dev.c:3469
+ napi_consume_skb+0x1c4/0x3a0 net/core/skbuff.c:1527
+ __free_old_xmit+0x164/0x230 drivers/net/virtio_net.c:611 [virtio_net]
+ free_old_xmit drivers/net/virtio_net.c:1081 [virtio_net]
+ start_xmit+0x7c/0x530 drivers/net/virtio_net.c:3329 [virtio_net]
+ ...
+
+Reproduction Steps:
+NETDEV="enp3s0"
+
+config_qdisc_route_filter() {
+ tc qdisc del dev $NETDEV root
+ tc qdisc add dev $NETDEV root handle 1: prio
+ tc filter add dev $NETDEV parent 1:0 \
+ protocol ip prio 100 route to 100 flowid 1:1
+ ip route add 192.168.1.100/32 dev $NETDEV realm 100
+}
+
+test_ns() {
+ ip netns add testns
+ ip link set $NETDEV netns testns
+ ip netns exec testns ifconfig $NETDEV 10.0.32.46/24
+ ip netns exec testns ping -c 1 10.0.32.1
+ ip netns del testns
+}
+
+config_qdisc_route_filter
+
+test_ns
+sleep 2
+test_ns
+
+Fixes: f2fc6a54585a ("[NETNS][IPV6] route6 - move ip6_dst_ops inside the network namespace")
+Cc: stable@vger.kernel.org
+Signed-off-by: xietangxin
+Reviewed-by: Xuan Zhuo
+Fixes: 0287587884b1 ("net: better IFF_XMIT_DST_RELEASE support")
+Link: https://patch.msgid.link/20260312025406.15641-1-xietangxin@yeah.net
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/virtio_net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -3355,6 +3355,7 @@ static netdev_tx_t start_xmit(struct sk_
+ /* Don't wait up for transmitted skbs to be freed. */
+ if (!use_napi) {
+ skb_orphan(skb);
++ skb_dst_drop(skb);
+ nf_reset_ct(skb);
+ }
+ 
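Review bot: The added `skb_dst_drop(skb)` will read as a stray line to the next person editing this branch, because the reason (ring-resident skbs outliving the netns that owns their dst_ops) lives only in the commit message; I would put it beside the call: `/* With napi_tx off the skb can sit in the ring past netns teardown; drop the dst now so dst_release() never runs on freed dst_ops. */`. The fix covers only the `!use_napi` branch, so with napi_tx the dst is still held until completion, which is presumably prompt there but is not argued in the commit and deserves a sentence in that comment. Dropping the dst inside the driver looks safe because the users that clear IFF_XMIT_DST_RELEASE (such as the route classifier in the reproducer) consume it at enqueue time, but that contract is outside this file and should be confirmed rather than assumed. start_xmit() begins before the hunk and continues after it.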
diff --git a/queue-6.19/xfrm-iptfs-only-publish-mode_data-after-clone-setup.patch b/queue-6.19/xfrm-iptfs-only-publish-mode_data-after-clone-setup.patch
new file mode 100644
index 0000000000..860469d520
--- /dev/null
+++ b/queue-6.19/xfrm-iptfs-only-publish-mode_data-after-clone-setup.patch
@@ -0,0 +1,52 @@
+From d849a2f7309fc0616e79d13b008b0a47e0458b6e Mon Sep 17 00:00:00 2001
+From: Paul Moses
+Date: Mon, 16 Mar 2026 14:56:51 +0000
+Subject: xfrm: iptfs: only publish mode_data after clone setup
+
+From: Paul Moses
+
+commit d849a2f7309fc0616e79d13b008b0a47e0458b6e upstream.
+
+iptfs_clone_state() stores x->mode_data before allocating the reorder
+window. If that allocation fails, the code frees the cloned state and
+returns -ENOMEM, leaving x->mode_data pointing at freed memory.
+
+The xfrm clone unwind later runs destroy_state() through x->mode_data,
+so the failed clone path tears down IPTFS state that clone_state()
+already freed.
+
+Keep the cloned IPTFS state private until all allocations succeed so
+failed clones leave x->mode_data unset. The destroy path already
+handles a NULL mode_data pointer.
+
+Fixes: 6be02e3e4f37 ("xfrm: iptfs: handle reordering of received packets")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Moses
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/xfrm/xfrm_iptfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/xfrm/xfrm_iptfs.c
++++ b/net/xfrm/xfrm_iptfs.c
+@@ -2664,9 +2664,6 @@ static int iptfs_clone_state(struct xfrm
+ if (!xtfs)
+ return -ENOMEM;
+ 
+- x->mode_data = xtfs;
+- xtfs->x = x;
+-
+ xtfs->ra_newskb = NULL;
+ if (xtfs->cfg.reorder_win_size) {
+ xtfs->w_saved = kcalloc(xtfs->cfg.reorder_win_size,
+@@ -2677,6 +2674,9 @@ static int iptfs_clone_state(struct xfrm
+ }
+ }
+ 
++ x->mode_data = xtfs;
++ xtfs->x = x;
++
+ return 0;
+ }
+ 
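Review bot: With `xtfs->x = x` moved below the window allocation, the lines between the two hunks (the rest of the kcalloc call and its failure branch) now run on a clone whose `x` member still holds whatever the source state carried — `xtfs->cfg` is read here without being set, so `xtfs` is presumably a copy of the source's mode_data, and the same goes for its `w_saved` pointer. If that failure branch logs through `xtfs->x` or frees `xtfs->w_saved`, it now touches the source state's objects rather than the clone's; confirm it frees only `xtfs` itself, or clear `xtfs->w_saved = NULL` before the kcalloc and use `x` rather than `xtfs->x` for any diagnostics. A short comment at the publish point would keep the ordering from regressing: `/* Publish only after every allocation succeeded: the xfrm unwind runs destroy_state() through x->mode_data. */`. iptfs_clone_state() starts before the first hunk.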
diff --git a/queue-6.19/xfrm-iptfs-validate-inner-ipv4-header-length-in-iptfs-payload.patch b/queue-6.19/xfrm-iptfs-validate-inner-ipv4-header-length-in-iptfs-payload.patch new file mode 100644 index 0000000000..6e80e2dc03 --- /dev/null +++ b/queue-6.19/xfrm-iptfs-validate-inner-ipv4-header-length-in-iptfs-payload.patch 
@@ -0,0 +1,45 @@
+From 0d10393d5eac33cbd92f7a41fddca12c41d3cb7e Mon Sep 17 00:00:00 2001
+From: Roshan Kumar
+Date: Sun, 1 Mar 2026 10:56:38 +0000
+Subject: xfrm: iptfs: validate inner IPv4 header length in IPTFS payload
+
+From: Roshan Kumar
+
+commit 0d10393d5eac33cbd92f7a41fddca12c41d3cb7e upstream.
+
+Add validation of the inner IPv4 packet tot_len and ihl fields parsed
+from decrypted IPTFS payloads in __input_process_payload(). A crafted
+ESP packet containing an inner IPv4 header with tot_len=0 causes an
+infinite loop: iplen=0 leads to capturelen=min(0, remaining)=0, so the
+data offset never advances and the while(data < tail) loop never
+terminates, spinning forever in softirq context.
+
+Reject inner IPv4 packets where tot_len < ihl*4 or ihl*4 < sizeof(struct
+iphdr), which catches both the tot_len=0 case and malformed ihl values.
+The normal IP stack performs this validation in ip_rcv_core(), but IPTFS
+extracts and processes inner packets before they reach that layer.
+
+Reported-by: Roshan Kumar
+Fixes: 6c82d2433671 ("xfrm: iptfs: add basic receive packet (tunnel egress) handling")
+Cc: stable@vger.kernel.org
+Signed-off-by: Roshan Kumar
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/xfrm/xfrm_iptfs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/xfrm/xfrm_iptfs.c
++++ b/net/xfrm/xfrm_iptfs.c
+@@ -997,6 +997,11 @@ static bool __input_process_payload(stru
+ 
+ iplen = be16_to_cpu(iph->tot_len);
+ iphlen = iph->ihl << 2;
++ if (iplen < iphlen || iphlen < sizeof(*iph)) {
++ XFRM_INC_STATS(net,
++ LINUX_MIB_XFRMINHDRERROR);
++ goto done;
++ }
+ protocol = cpu_to_be16(ETH_P_IP);
+ XFRM_MODE_SKB_CB(skbseq->root_skb)->tos = iph->tos;
+ } else if (iph->version == 0x6) {
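Review bot: The new guard stops the zero-length spin but still assumes a full `struct iphdr` is readable at `iph`, since `iph->tot_len` and `iph->ihl` are dereferenced on the two lines above it; that minimum-availability check is outside the hunk, so confirm it precedes this point, otherwise the guard itself is reading past the decrypted payload. The condition is sufficient for the stated bug (tot_len=0 fails `iplen < iphlen` for any ihl), and the IPv6 branch presumably needs no counterpart because its length is payload_len plus the fixed header and cannot be zero, but that is inferred from code not shown here. A comment would save the next reader a trip to ip_rcv_core(): `/* Inner-header sanity ip_rcv_core() would otherwise do: tot_len < ihl*4 (notably tot_len 0) would stall the data cursor below. */`. __input_process_payload() begins before the hunk and the capturelen/advance logic the fix protects follows it.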