From: Greg Kroah-Hartman Date: Sun, 29 Mar 2026 07:58:50 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v6.6.131~59 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=77b674cc24716569a35953f52552b0f5951215f5;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: alsa-firewire-lib-fix-uninitialized-local-variable.patch asoc-sof-ipc4-topology-allow-bytes-controls-without-initial-payload.patch can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch can-isotp-fix-tx.buf-use-after-free-in-isotp_sendmsg.patch cpufreq-conservative-reset-requested_freq-on-limits-change.patch ksmbd-do-not-expire-session-on-binding-failure.patch ksmbd-fix-memory-leaks-and-null-deref-in-smb2_lock.patch ksmbd-fix-potencial-oob-in-get_file_all_info-for-compound-requests.patch ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch s390-barrier-make-array_index_mask_nospec-__always_inline.patch s390-entry-scrub-r12-register-on-kernel-entry.patch s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch --- diff --git a/queue-6.12/alsa-firewire-lib-fix-uninitialized-local-variable.patch b/queue-6.12/alsa-firewire-lib-fix-uninitialized-local-variable.patch new file mode 100644 index 0000000000..ba143a1f2a --- /dev/null +++ b/queue-6.12/alsa-firewire-lib-fix-uninitialized-local-variable.patch @@ -0,0 +1,41 @@ +From bb120ad57def62e3f23e3d999c5fbed11f610993 Mon Sep 17 00:00:00 2001 +From: Alexey Nepomnyashih +Date: Mon, 16 Mar 2026 19:18:22 +0000 +Subject: ALSA: firewire-lib: fix uninitialized local variable + +From: Alexey Nepomnyashih + +commit bb120ad57def62e3f23e3d999c5fbed11f610993 upstream. + +Similar to commit d8dc8720468a ("ALSA: firewire-lib: fix uninitialized +local variable"), the local variable `curr_cycle_time` in +process_rx_packets() is declared without initialization. + +When the tracepoint event is not probed, the variable may appear to be +used without being initialized. In practice the value is only relevant +when the tracepoint is enabled, however initializing it avoids potential +use of an uninitialized value and improves code safety. + +Initialize `curr_cycle_time` to zero. + +Fixes: fef4e61b0b76 ("ALSA: firewire-lib: extend tracepoints event including CYCLE_TIME of 1394 OHCI") +Cc: stable@vger.kernel.org +Signed-off-by: Alexey Nepomnyashih +Link: https://patch.msgid.link/20260316191824.83249-1-sdl@nppct.ru +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/firewire/amdtp-stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/amdtp-stream.c ++++ b/sound/firewire/amdtp-stream.c +@@ -1179,7 +1179,7 @@ static void process_rx_packets(struct fw + struct pkt_desc *desc = s->packet_descs_cursor; + unsigned int pkt_header_length; + unsigned int packets; +- u32 curr_cycle_time; ++ u32 curr_cycle_time = 0; + bool need_hw_irq; + int i; + diff --git a/queue-6.12/asoc-sof-ipc4-topology-allow-bytes-controls-without-initial-payload.patch b/queue-6.12/asoc-sof-ipc4-topology-allow-bytes-controls-without-initial-payload.patch new file mode 100644 index 0000000000..7e801e1943 --- /dev/null +++ b/queue-6.12/asoc-sof-ipc4-topology-allow-bytes-controls-without-initial-payload.patch @@ -0,0 +1,40 @@ +From d40a198e2b7821197c5c77b89d0130cc90f400f5 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Thu, 26 Mar 2026 09:56:18 +0200 +Subject: ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload + +From: Peter Ujfalusi + +commit d40a198e2b7821197c5c77b89d0130cc90f400f5 upstream. + +It is unexpected, but allowed to have no initial payload for a bytes +control and the code is prepared to handle this case, but the size check +missed this corner case. + +Update the check for minimal size to allow the initial size to be 0. + +Cc: stable@vger.kernel.org +Fixes: a653820700b8 ("ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls") +Signed-off-by: Peter Ujfalusi +Reviewed-by: Bard Liao +Reviewed-by: Liam Girdwood +Reviewed-by: Seppo Ingalsuo +Reviewed-by: Kai Vehmanen +Link: https://patch.msgid.link/20260326075618.1603-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sof/ipc4-topology.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/sof/ipc4-topology.c ++++ b/sound/soc/sof/ipc4-topology.c +@@ -2527,7 +2527,7 @@ static int sof_ipc4_control_load_bytes(s + return -EINVAL; + } + +- if (scontrol->priv_size < sizeof(struct sof_abi_hdr)) { ++ if (scontrol->priv_size && scontrol->priv_size < sizeof(struct sof_abi_hdr)) { + dev_err(sdev->dev, + "bytes control %s initial data size %zu is insufficient.\n", + scontrol->name, scontrol->priv_size); diff --git a/queue-6.12/can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch b/queue-6.12/can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch new file mode 100644 index 0000000000..26e5d773af --- /dev/null +++ b/queue-6.12/can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch @@ -0,0 +1,77 @@ +From b9c310d72783cc2f30d103eed83920a5a29c671a Mon Sep 17 00:00:00 2001 +From: Ali Norouzi +Date: Thu, 19 Mar 2026 16:47:44 +0100 +Subject: can: gw: fix OOB heap access in cgw_csum_crc8_rel() + +From: Ali Norouzi + +commit b9c310d72783cc2f30d103eed83920a5a29c671a upstream. + +cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx(): + + int from = calc_idx(crc8->from_idx, cf->len); + int to = calc_idx(crc8->to_idx, cf->len); + int res = calc_idx(crc8->result_idx, cf->len); + + if (from < 0 || to < 0 || res < 0) + return; + +However, the loop and the result write then use the raw s8 fields directly +instead of the computed variables: + + for (i = crc8->from_idx; ...) /* BUG: raw negative index */ + cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */ + +With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame, +calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with +i = -64, reading cf->data[-64], and the write goes to cf->data[-64]. +This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the +start of the canfd_frame on the heap. + +The companion function cgw_csum_xor_rel() uses `from`/`to`/`res` +correctly throughout; fix cgw_csum_crc8_rel() to match. + +Confirmed with KASAN on linux-7.0-rc2: + BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0 + Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62 + +To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed. + +Fixes: 456a8a646b25 ("can: gw: add support for CAN FD frames") +Cc: stable@vger.kernel.org +Reported-by: Ali Norouzi +Reviewed-by: Oliver Hartkopp +Acked-by: Oliver Hartkopp +Signed-off-by: Ali Norouzi +Signed-off-by: Oliver Hartkopp +Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-1-c45d52c6d2d8@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/gw.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/can/gw.c ++++ b/net/can/gw.c +@@ -374,10 +374,10 @@ static void cgw_csum_crc8_rel(struct can + return; + + if (from <= to) { +- for (i = crc8->from_idx; i <= crc8->to_idx; i++) ++ for (i = from; i <= to; i++) + crc = crc8->crctab[crc ^ cf->data[i]]; + } else { +- for (i = crc8->from_idx; i >= crc8->to_idx; i--) ++ for (i = from; i >= to; i--) + crc = crc8->crctab[crc ^ cf->data[i]]; + } + +@@ -396,7 +396,7 @@ static void cgw_csum_crc8_rel(struct can + break; + } + +- cf->data[crc8->result_idx] = crc ^ crc8->final_xor_val; ++ cf->data[res] = crc ^ crc8->final_xor_val; + } + + static void cgw_csum_crc8_pos(struct canfd_frame *cf, diff --git a/queue-6.12/can-isotp-fix-tx.buf-use-after-free-in-isotp_sendmsg.patch b/queue-6.12/can-isotp-fix-tx.buf-use-after-free-in-isotp_sendmsg.patch new file mode 100644 index 0000000000..be1aa1fa49 --- /dev/null +++ b/queue-6.12/can-isotp-fix-tx.buf-use-after-free-in-isotp_sendmsg.patch @@ -0,0 +1,83 @@ +From 424e95d62110cdbc8fd12b40918f37e408e35a92 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp +Date: Thu, 19 Mar 2026 16:47:45 +0100 +Subject: can: isotp: fix tx.buf use-after-free in isotp_sendmsg() + +From: Oliver Hartkopp + +commit 424e95d62110cdbc8fd12b40918f37e408e35a92 upstream. + +isotp_sendmsg() uses only cmpxchg() on so->tx.state to serialize access +to so->tx.buf. isotp_release() waits for ISOTP_IDLE via +wait_event_interruptible() and then calls kfree(so->tx.buf). + +If a signal interrupts the wait_event_interruptible() inside close() +while tx.state is ISOTP_SENDING, the loop exits early and release +proceeds to force ISOTP_SHUTDOWN and continues to kfree(so->tx.buf) +while sendmsg may still be reading so->tx.buf for the final CAN frame +in isotp_fill_dataframe(). + +The so->tx.buf can be allocated once when the standard tx.buf length needs +to be extended. Move the kfree() of this potentially extended tx.buf to +sk_destruct time when either isotp_sendmsg() and isotp_release() are done. + +Fixes: 96d1c81e6a04 ("can: isotp: add module parameter for maximum pdu size") +Cc: stable@vger.kernel.org +Reported-by: Ali Norouzi +Co-developed-by: Ali Norouzi +Signed-off-by: Ali Norouzi +Signed-off-by: Oliver Hartkopp +Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-2-c45d52c6d2d8@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/isotp.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -1229,12 +1229,6 @@ static int isotp_release(struct socket * + so->ifindex = 0; + so->bound = 0; + +- if (so->rx.buf != so->rx.sbuf) +- kfree(so->rx.buf); +- +- if (so->tx.buf != so->tx.sbuf) +- kfree(so->tx.buf); +- + sock_orphan(sk); + sock->sk = NULL; + +@@ -1602,6 +1596,21 @@ static int isotp_notifier(struct notifie + return NOTIFY_DONE; + } + ++static void isotp_sock_destruct(struct sock *sk) ++{ ++ struct isotp_sock *so = isotp_sk(sk); ++ ++ /* do the standard CAN sock destruct work */ ++ can_sock_destruct(sk); ++ ++ /* free potential extended PDU buffers */ ++ if (so->rx.buf != so->rx.sbuf) ++ kfree(so->rx.buf); ++ ++ if (so->tx.buf != so->tx.sbuf) ++ kfree(so->tx.buf); ++} ++ + static int isotp_init(struct sock *sk) + { + struct isotp_sock *so = isotp_sk(sk); +@@ -1648,6 +1657,9 @@ static int isotp_init(struct sock *sk) + list_add_tail(&so->notifier, &isotp_notifier_list); + spin_unlock(&isotp_notifier_lock); + ++ /* re-assign default can_sock_destruct() reference */ ++ sk->sk_destruct = isotp_sock_destruct; ++ + return 0; + } + diff --git a/queue-6.12/cpufreq-conservative-reset-requested_freq-on-limits-change.patch b/queue-6.12/cpufreq-conservative-reset-requested_freq-on-limits-change.patch new file mode 100644 index 0000000000..7c7cc2f6a6 --- /dev/null +++ b/queue-6.12/cpufreq-conservative-reset-requested_freq-on-limits-change.patch @@ -0,0 +1,95 @@ +From 6a28fb8cb28b9eb39a392e531d938a889eacafc5 Mon Sep 17 00:00:00 2001 +From: Viresh Kumar +Date: Fri, 20 Mar 2026 15:08:14 +0530 +Subject: cpufreq: conservative: Reset requested_freq on limits change + +From: Viresh Kumar + +commit 6a28fb8cb28b9eb39a392e531d938a889eacafc5 upstream. + +A recently reported issue highlighted that the cached requested_freq +is not guaranteed to stay in sync with policy->cur. If the platform +changes the actual CPU frequency after the governor sets one (e.g. +due to platform-specific frequency scaling) and a re-sync occurs +later, policy->cur may diverge from requested_freq. + +This can lead to incorrect behavior in the conservative governor. +For example, the governor may assume the CPU is already running at +the maximum frequency and skip further increases even though there +is still headroom. + +Avoid this by resetting the cached requested_freq to policy->cur on +detecting a change in policy limits. + +Reported-by: Lifeng Zheng +Tested-by: Lifeng Zheng +Link: https://lore.kernel.org/all/20260210115458.3493646-1-zhenglifeng1@huawei.com/ +Signed-off-by: Viresh Kumar +Reviewed-by: Zhongqiu Han +Cc: All applicable +Link: https://patch.msgid.link/d846a141a98ac0482f20560fcd7525c0f0ec2f30.1773999467.git.viresh.kumar@linaro.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cpufreq_conservative.c | 12 ++++++++++++ + drivers/cpufreq/cpufreq_governor.c | 3 +++ + drivers/cpufreq/cpufreq_governor.h | 1 + + 3 files changed, 16 insertions(+) + +--- a/drivers/cpufreq/cpufreq_conservative.c ++++ b/drivers/cpufreq/cpufreq_conservative.c +@@ -313,6 +313,17 @@ static void cs_start(struct cpufreq_poli + dbs_info->requested_freq = policy->cur; + } + ++static void cs_limits(struct cpufreq_policy *policy) ++{ ++ struct cs_policy_dbs_info *dbs_info = to_dbs_info(policy->governor_data); ++ ++ /* ++ * The limits have changed, so may have the current frequency. Reset ++ * requested_freq to avoid any unintended outcomes due to the mismatch. ++ */ ++ dbs_info->requested_freq = policy->cur; ++} ++ + static struct dbs_governor cs_governor = { + .gov = CPUFREQ_DBS_GOVERNOR_INITIALIZER("conservative"), + .kobj_type = { .default_groups = cs_groups }, +@@ -322,6 +333,7 @@ static struct dbs_governor cs_governor = + .init = cs_init, + .exit = cs_exit, + .start = cs_start, ++ .limits = cs_limits, + }; + + #define CPU_FREQ_GOV_CONSERVATIVE (cs_governor.gov) +--- a/drivers/cpufreq/cpufreq_governor.c ++++ b/drivers/cpufreq/cpufreq_governor.c +@@ -563,6 +563,7 @@ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_s + + void cpufreq_dbs_governor_limits(struct cpufreq_policy *policy) + { ++ struct dbs_governor *gov = dbs_governor_of(policy); + struct policy_dbs_info *policy_dbs; + + /* Protect gov->gdbs_data against cpufreq_dbs_governor_exit() */ +@@ -574,6 +575,8 @@ void cpufreq_dbs_governor_limits(struct + mutex_lock(&policy_dbs->update_mutex); + cpufreq_policy_apply_limits(policy); + gov_update_sample_delay(policy_dbs, 0); ++ if (gov->limits) ++ gov->limits(policy); + mutex_unlock(&policy_dbs->update_mutex); + + out: +--- a/drivers/cpufreq/cpufreq_governor.h ++++ b/drivers/cpufreq/cpufreq_governor.h +@@ -138,6 +138,7 @@ struct dbs_governor { + int (*init)(struct dbs_data *dbs_data); + void (*exit)(struct dbs_data *dbs_data); + void (*start)(struct cpufreq_policy *policy); ++ void (*limits)(struct cpufreq_policy *policy); + }; + + static inline struct dbs_governor *dbs_governor_of(struct cpufreq_policy *policy) diff --git a/queue-6.12/ksmbd-do-not-expire-session-on-binding-failure.patch b/queue-6.12/ksmbd-do-not-expire-session-on-binding-failure.patch new file mode 100644 index 0000000000..df6b48d76d --- /dev/null +++ b/queue-6.12/ksmbd-do-not-expire-session-on-binding-failure.patch @@ -0,0 +1,49 @@ +From 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 Mon Sep 17 00:00:00 2001 +From: Hyunwoo Kim +Date: Tue, 17 Mar 2026 08:52:01 +0900 +Subject: ksmbd: do not expire session on binding failure + +From: Hyunwoo Kim + +commit 9bbb19d21ded7d78645506f20d8c44895e3d0fb9 upstream. + +When a multichannel session binding request fails (e.g. wrong password), +the error path unconditionally sets sess->state = SMB2_SESSION_EXPIRED. +However, during binding, sess points to the target session looked up via +ksmbd_session_lookup_slowpath() -- which belongs to another connection's +user. This allows a remote attacker to invalidate any active session by +simply sending a binding request with a wrong password (DoS). + +Fix this by skipping session expiration when the failed request was +a binding attempt, since the session does not belong to the current +connection. The reference taken by ksmbd_session_lookup_slowpath() is +still correctly released via ksmbd_user_session_put(). + +Cc: stable@vger.kernel.org +Signed-off-by: Hyunwoo Kim +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -1945,8 +1945,14 @@ out_err: + if (sess->user && sess->user->flags & KSMBD_USER_FLAG_DELAY_SESSION) + try_delay = true; + +- sess->last_active = jiffies; +- sess->state = SMB2_SESSION_EXPIRED; ++ /* ++ * For binding requests, session belongs to another ++ * connection. Do not expire it. ++ */ ++ if (!(req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) { ++ sess->last_active = jiffies; ++ sess->state = SMB2_SESSION_EXPIRED; ++ } + ksmbd_user_session_put(sess); + work->sess = NULL; + if (try_delay) { diff --git a/queue-6.12/ksmbd-fix-memory-leaks-and-null-deref-in-smb2_lock.patch b/queue-6.12/ksmbd-fix-memory-leaks-and-null-deref-in-smb2_lock.patch new file mode 100644 index 0000000000..4a634a80fc --- /dev/null +++ b/queue-6.12/ksmbd-fix-memory-leaks-and-null-deref-in-smb2_lock.patch @@ -0,0 +1,114 @@ +From 309b44ed684496ed3f9c5715d10b899338623512 Mon Sep 17 00:00:00 2001 +From: Werner Kasselman +Date: Tue, 17 Mar 2026 07:55:37 +0000 +Subject: ksmbd: fix memory leaks and NULL deref in smb2_lock() + +From: Werner Kasselman + +commit 309b44ed684496ed3f9c5715d10b899338623512 upstream. + +smb2_lock() has three error handling issues after list_del() detaches +smb_lock from lock_list at no_check_cl: + +1) If vfs_lock_file() returns an unexpected error in the non-UNLOCK + path, goto out leaks smb_lock and its flock because the out: + handler only iterates lock_list and rollback_list, neither of + which contains the detached smb_lock. + +2) If vfs_lock_file() returns -ENOENT in the UNLOCK path, goto out + leaks smb_lock and flock for the same reason. The error code + returned to the dispatcher is also stale. + +3) In the rollback path, smb_flock_init() can return NULL on + allocation failure. The result is dereferenced unconditionally, + causing a kernel NULL pointer dereference. Add a NULL check to + prevent the crash and clean up the bookkeeping; the VFS lock + itself cannot be rolled back without the allocation and will be + released at file or connection teardown. + +Fix cases 1 and 2 by hoisting the locks_free_lock()/kfree() to before +the if(!rc) check in the UNLOCK branch so all exit paths share one +free site, and by freeing smb_lock and flock before goto out in the +non-UNLOCK branch. Propagate the correct error code in both cases. +Fix case 3 by wrapping the VFS unlock in an if(rlock) guard and adding +a NULL check for locks_free_lock(rlock) in the shared cleanup. + +Found via call-graph analysis using sqry. + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org +Suggested-by: ChenXiaoSong +Signed-off-by: Werner Kasselman +Reviewed-by: ChenXiaoSong +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 29 +++++++++++++++++++---------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -7552,14 +7552,15 @@ retry: + rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL); + skip: + if (smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) { ++ locks_free_lock(flock); ++ kfree(smb_lock); + if (!rc) { + ksmbd_debug(SMB, "File unlocked\n"); + } else if (rc == -ENOENT) { + rsp->hdr.Status = STATUS_NOT_LOCKED; ++ err = rc; + goto out; + } +- locks_free_lock(flock); +- kfree(smb_lock); + } else { + if (rc == FILE_LOCK_DEFERRED) { + void **argv; +@@ -7628,6 +7629,9 @@ skip: + spin_unlock(&work->conn->llist_lock); + ksmbd_debug(SMB, "successful in taking lock\n"); + } else { ++ locks_free_lock(flock); ++ kfree(smb_lock); ++ err = rc; + goto out; + } + } +@@ -7658,13 +7662,17 @@ out: + struct file_lock *rlock = NULL; + + rlock = smb_flock_init(filp); +- rlock->c.flc_type = F_UNLCK; +- rlock->fl_start = smb_lock->start; +- rlock->fl_end = smb_lock->end; +- +- rc = vfs_lock_file(filp, F_SETLK, rlock, NULL); +- if (rc) +- pr_err("rollback unlock fail : %d\n", rc); ++ if (rlock) { ++ rlock->c.flc_type = F_UNLCK; ++ rlock->fl_start = smb_lock->start; ++ rlock->fl_end = smb_lock->end; ++ ++ rc = vfs_lock_file(filp, F_SETLK, rlock, NULL); ++ if (rc) ++ pr_err("rollback unlock fail : %d\n", rc); ++ } else { ++ pr_err("rollback unlock alloc failed\n"); ++ } + + list_del(&smb_lock->llist); + spin_lock(&work->conn->llist_lock); +@@ -7674,7 +7682,8 @@ out: + spin_unlock(&work->conn->llist_lock); + + locks_free_lock(smb_lock->fl); +- locks_free_lock(rlock); ++ if (rlock) ++ locks_free_lock(rlock); + kfree(smb_lock); + } + out2: diff --git a/queue-6.12/ksmbd-fix-potencial-oob-in-get_file_all_info-for-compound-requests.patch b/queue-6.12/ksmbd-fix-potencial-oob-in-get_file_all_info-for-compound-requests.patch new file mode 100644 index 0000000000..9dc45ee723 --- /dev/null +++ b/queue-6.12/ksmbd-fix-potencial-oob-in-get_file_all_info-for-compound-requests.patch @@ -0,0 +1,72 @@ +From beef2634f81f1c086208191f7228bce1d366493d Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Thu, 19 Mar 2026 21:00:02 +0900 +Subject: ksmbd: fix potencial OOB in get_file_all_info() for compound requests + +From: Namjae Jeon + +commit beef2634f81f1c086208191f7228bce1d366493d upstream. + +When a compound request consists of QUERY_DIRECTORY + QUERY_INFO +(FILE_ALL_INFORMATION) and the first command consumes nearly the entire +max_trans_size, get_file_all_info() would blindly call smbConvertToUTF16() +with PATH_MAX, causing out-of-bounds write beyond the response buffer. +In get_file_all_info(), there was a missing validation check for +the client-provided OutputBufferLength before copying the filename into +FileName field of the smb2_file_all_info structure. +If the filename length exceeds the available buffer space, it could lead to +potential buffer overflows or memory corruption during smbConvertToUTF16 +conversion. This calculating the actual free buffer size using +smb2_calc_max_out_buf_len() and returning -EINVAL if the buffer is +insufficient and updating smbConvertToUTF16 to use the actual filename +length (clamped by PATH_MAX) to ensure a safe copy operation. + +Cc: stable@vger.kernel.org +Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") +Reported-by: Asim Viladi Oglu Manizada +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4941,7 +4941,8 @@ static int get_file_all_info(struct ksmb + int conv_len; + char *filename; + u64 time; +- int ret; ++ int ret, buf_free_len, filename_len; ++ struct smb2_query_info_req *req = ksmbd_req_buf_next(work); + + if (!(fp->daccess & FILE_READ_ATTRIBUTES_LE)) { + ksmbd_debug(SMB, "no right to read the attributes : 0x%x\n", +@@ -4953,6 +4954,16 @@ static int get_file_all_info(struct ksmb + if (IS_ERR(filename)) + return PTR_ERR(filename); + ++ filename_len = strlen(filename); ++ buf_free_len = smb2_calc_max_out_buf_len(work, ++ offsetof(struct smb2_query_info_rsp, Buffer) + ++ offsetof(struct smb2_file_all_info, FileName), ++ le32_to_cpu(req->OutputBufferLength)); ++ if (buf_free_len < (filename_len + 1) * 2) { ++ kfree(filename); ++ return -EINVAL; ++ } ++ + ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS, + AT_STATX_SYNC_AS_STAT); + if (ret) { +@@ -4988,7 +4999,8 @@ static int get_file_all_info(struct ksmb + file_info->Mode = fp->coption; + file_info->AlignmentRequirement = 0; + conv_len = smbConvertToUTF16((__le16 *)file_info->FileName, filename, +- PATH_MAX, conn->local_nls, 0); ++ min(filename_len, PATH_MAX), ++ conn->local_nls, 0); + conv_len *= 2; + file_info->FileNameLength = cpu_to_le32(conv_len); + rsp->OutputBufferLength = diff --git a/queue-6.12/ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch b/queue-6.12/ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch new file mode 100644 index 0000000000..70d30960b8 --- /dev/null +++ b/queue-6.12/ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch @@ -0,0 +1,75 @@ +From 0e55f63dd08f09651d39e1b709a91705a8a0ddcb Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Fri, 13 Mar 2026 14:45:58 +0900 +Subject: ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len() + +From: Namjae Jeon + +commit 0e55f63dd08f09651d39e1b709a91705a8a0ddcb upstream. + +After this commit (e2b76ab8b5c9 "ksmbd: add support for read compound"), +response buffer management was changed to use dynamic iov array. +In the new design, smb2_calc_max_out_buf_len() expects the second +argument (hdr2_len) to be the offset of ->Buffer field in the +response structure, not a hardcoded magic number. +Fix the remaining call sites to use the correct offsetof() value. + +Cc: stable@vger.kernel.org +Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -4458,8 +4458,9 @@ int smb2_query_dir(struct ksmbd_work *wo + d_info.wptr = (char *)rsp->Buffer; + d_info.rptr = (char *)rsp->Buffer; + d_info.out_buf_len = +- smb2_calc_max_out_buf_len(work, 8, +- le32_to_cpu(req->OutputBufferLength)); ++ smb2_calc_max_out_buf_len(work, ++ offsetof(struct smb2_query_directory_rsp, Buffer), ++ le32_to_cpu(req->OutputBufferLength)); + if (d_info.out_buf_len < 0) { + rc = -EINVAL; + goto err_out; +@@ -4726,8 +4727,9 @@ static int smb2_get_ea(struct ksmbd_work + } + + buf_free_len = +- smb2_calc_max_out_buf_len(work, 8, +- le32_to_cpu(req->OutputBufferLength)); ++ smb2_calc_max_out_buf_len(work, ++ offsetof(struct smb2_query_info_rsp, Buffer), ++ le32_to_cpu(req->OutputBufferLength)); + if (buf_free_len < 0) + return -EINVAL; + +@@ -5040,8 +5042,9 @@ static int get_file_stream_info(struct k + file_info = (struct smb2_file_stream_info *)rsp->Buffer; + + buf_free_len = +- smb2_calc_max_out_buf_len(work, 8, +- le32_to_cpu(req->OutputBufferLength)); ++ smb2_calc_max_out_buf_len(work, ++ offsetof(struct smb2_query_info_rsp, Buffer), ++ le32_to_cpu(req->OutputBufferLength)); + if (buf_free_len < 0) + goto out; + +@@ -8140,8 +8143,9 @@ int smb2_ioctl(struct ksmbd_work *work) + buffer = (char *)req + le32_to_cpu(req->InputOffset); + + cnt_code = le32_to_cpu(req->CtlCode); +- ret = smb2_calc_max_out_buf_len(work, 48, +- le32_to_cpu(req->MaxOutputResponse)); ++ ret = smb2_calc_max_out_buf_len(work, ++ offsetof(struct smb2_ioctl_rsp, Buffer), ++ le32_to_cpu(req->MaxOutputResponse)); + if (ret < 0) { + rsp->hdr.Status = STATUS_INVALID_PARAMETER; + goto out; diff --git a/queue-6.12/s390-barrier-make-array_index_mask_nospec-__always_inline.patch b/queue-6.12/s390-barrier-make-array_index_mask_nospec-__always_inline.patch new file mode 100644 index 0000000000..5865dbbc0f --- /dev/null +++ b/queue-6.12/s390-barrier-make-array_index_mask_nospec-__always_inline.patch @@ -0,0 +1,34 @@ +From c5c0a268b38adffbb2e70e6957017537ff54c157 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Thu, 26 Mar 2026 14:38:44 +0100 +Subject: s390/barrier: Make array_index_mask_nospec() __always_inline + +From: Vasily Gorbik + +commit c5c0a268b38adffbb2e70e6957017537ff54c157 upstream. + +Mark array_index_mask_nospec() as __always_inline to guarantee the +mitigation is emitted inline regardless of compiler inlining decisions. + +Fixes: e2dd833389cc ("s390: add optimized array_index_mask_nospec") +Cc: stable@kernel.org +Reviewed-by: Ilya Leoshkevich +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/barrier.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/include/asm/barrier.h ++++ b/arch/s390/include/asm/barrier.h +@@ -62,8 +62,8 @@ do { \ + * @size: number of elements in array + */ + #define array_index_mask_nospec array_index_mask_nospec +-static inline unsigned long array_index_mask_nospec(unsigned long index, +- unsigned long size) ++static __always_inline unsigned long array_index_mask_nospec(unsigned long index, ++ unsigned long size) + { + unsigned long mask; + diff --git a/queue-6.12/s390-entry-scrub-r12-register-on-kernel-entry.patch b/queue-6.12/s390-entry-scrub-r12-register-on-kernel-entry.patch new file mode 100644 index 0000000000..a5636d848a --- /dev/null +++ b/queue-6.12/s390-entry-scrub-r12-register-on-kernel-entry.patch @@ -0,0 +1,54 @@ +From 0738d395aab8fae3b5a3ad3fc640630c91693c27 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Thu, 26 Mar 2026 19:50:14 +0100 +Subject: s390/entry: Scrub r12 register on kernel entry + +From: Vasily Gorbik + +commit 0738d395aab8fae3b5a3ad3fc640630c91693c27 upstream. + +Before commit f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP"), +all entry handlers loaded r12 with the current task pointer +(lg %r12,__LC_CURRENT) for use by the BPENTER/BPEXIT macros. That +commit removed TIF_ISOLATE_BP, dropping both the branch prediction +macros and the r12 load, but did not add r12 to the register clearing +sequence. + +Add the missing xgr %r12,%r12 to make the register scrub consistent +across all entry points. + +Fixes: f33f2d4c7c80 ("s390/bp: remove TIF_ISOLATE_BP") +Cc: stable@kernel.org +Reviewed-by: Ilya Leoshkevich +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/entry.S | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -286,6 +286,7 @@ SYM_CODE_START(system_call) + xgr %r9,%r9 + xgr %r10,%r10 + xgr %r11,%r11 ++ xgr %r12,%r12 + la %r2,STACK_FRAME_OVERHEAD(%r15) # pointer to pt_regs + mvc __PT_R8(64,%r2),__LC_SAVE_AREA(%r13) + MBEAR %r2,%r13 +@@ -431,6 +432,7 @@ SYM_CODE_START(\name) + xgr %r6,%r6 + xgr %r7,%r7 + xgr %r10,%r10 ++ xgr %r12,%r12 + xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11) + mvc __PT_R8(64,%r11),__LC_SAVE_AREA(%r13) + MBEAR %r11,%r13 +@@ -523,6 +525,7 @@ SYM_CODE_START(mcck_int_handler) + xgr %r6,%r6 + xgr %r7,%r7 + xgr %r10,%r10 ++ xgr %r12,%r12 + stmg %r8,%r9,__PT_PSW(%r11) + xc __PT_FLAGS(8,%r11),__PT_FLAGS(%r11) + xc __SF_BACKCHAIN(8,%r15),__SF_BACKCHAIN(%r15) diff --git a/queue-6.12/s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch b/queue-6.12/s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch new file mode 100644 index 0000000000..e1ecac17ef --- /dev/null +++ b/queue-6.12/s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch @@ -0,0 +1,49 @@ +From 48b8814e25d073dd84daf990a879a820bad2bcbd Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 24 Mar 2026 17:34:05 +0100 +Subject: s390/syscalls: Add spectre boundary for syscall dispatch table + +From: Greg Kroah-Hartman + +commit 48b8814e25d073dd84daf990a879a820bad2bcbd upstream. + +The s390 syscall number is directly controlled by userspace, but does +not have an array_index_nospec() boundary to prevent access past the +syscall function pointer tables. + +Cc: Heiko Carstens +Cc: Vasily Gorbik +Cc: Alexander Gordeev +Cc: Christian Borntraeger +Cc: Sven Schnelle +Cc: Arnd Bergmann +Fixes: 56e62a737028 ("s390: convert to generic entry") +Cc: stable@kernel.org +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Vasily Gorbik +Link: https://lore.kernel.org/r/2026032404-sterling-swoosh-43e6@gregkh +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/syscall.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/s390/kernel/syscall.c ++++ b/arch/s390/kernel/syscall.c +@@ -13,6 +13,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -114,6 +115,7 @@ static void do_syscall(struct pt_regs *r + if (likely(nr >= NR_syscalls)) + goto out; + do { ++ nr = array_index_nospec(nr, NR_syscalls); + regs->gprs[2] = current->thread.sys_call_table[nr](regs); + } while (test_and_clear_pt_regs_flag(regs, PIF_EXECVE_PGSTE_RESTART)); + out: diff --git a/queue-6.12/series b/queue-6.12/series index 83ce794576..dae14da884 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -132,3 +132,15 @@ sysctl-fix-uninitialized-variable-in-proc_do_large_b.patch asoc-adau1372-fix-unchecked-clk_prepare_enable-retur.patch asoc-adau1372-fix-clock-leak-on-pll-lock-failure.patch spi-spi-fsl-lpspi-fix-teardown-order-issue-uaf.patch +s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch +s390-barrier-make-array_index_mask_nospec-__always_inline.patch +s390-entry-scrub-r12-register-on-kernel-entry.patch +ksmbd-replace-hardcoded-hdr2_len-with-offsetof-in-smb2_calc_max_out_buf_len.patch +ksmbd-fix-potencial-oob-in-get_file_all_info-for-compound-requests.patch +ksmbd-fix-memory-leaks-and-null-deref-in-smb2_lock.patch +ksmbd-do-not-expire-session-on-binding-failure.patch +alsa-firewire-lib-fix-uninitialized-local-variable.patch +asoc-sof-ipc4-topology-allow-bytes-controls-without-initial-payload.patch +can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch +can-isotp-fix-tx.buf-use-after-free-in-isotp_sendmsg.patch +cpufreq-conservative-reset-requested_freq-on-limits-change.patch