From: Greg Kroah-Hartman
Date: Mon, 15 Jun 2026 14:41:39 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a369f74ee6904e98b7ea3bc2a1a4f385332ee351;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
      alsa-timer-fix-uaf-at-snd_timer_user_params.patch
      arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch
      arm-9475-1-entry-use-byte-load-for-kasan-vmap-stack-shadow.patch
      arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch
      bnxt_en-fix-null-pointer-dereference.patch
      drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch
      ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch
      ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-double-smb2_cancel.patch
      mptcp-allow-subflow-rcv-wnd-to-shrink.patch
      mptcp-close-toctou-race-while-computing-rcv_wnd.patch
      mptcp-fix-retransmission-loop-when-csum-is-enabled.patch
      mptcp-sockopt-check-timestamping-ret-value.patch
      pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch
      rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch
      udp-clear-skb-dev-before-running-a-sockmap-verdict.patch
      usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch
      usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch
      usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch
      usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch
      vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch
      wifi-nl80211-reject-oversized-ema-rnr-lists.patch
      xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch
---

diff --git a/queue-6.1/alsa-timer-fix-uaf-at-snd_timer_user_params.patch b/queue-6.1/alsa-timer-fix-uaf-at-snd_timer_user_params.patch
new file mode 100644
index 0000000000..6de3a3782e
--- /dev/null
+++ b/queue-6.1/alsa-timer-fix-uaf-at-snd_timer_user_params.patch
@@ -0,0 +1,46 @@ +From 053a401b592be424fea9d57c789f66cd5d8cec11 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sat, 6 Jun 2026 18:11:41 +0200 +Subject: ALSA: timer: Fix UAF at snd_timer_user_params() + +From: Takashi Iwai + +commit 053a401b592be424fea9d57c789f66cd5d8cec11 upstream. + +When releasing a timer object, e.g. when a userspace timer +(CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it +tries to detach the timer instances and release the resources. +However, it's still possible that other in-flight tasks are holding +the timer instance where the to-be-deleted timer object is associated, +and this may lead to racy accesses. + +Fortunately, most of the ioctls dealing with the timer instance list +already have the protection with register_mutex, and this also avoids +such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the +concurrent ioctl may lead to use-after-free. + +This patch just adds the guard with register_mutex to protect +snd_timer_user_params() for covering the code path as a quick +workaround. It's no hot-path but rather a rarely issued ioctl, so the +performance penalty doesn't matter. + +Reported-by: Kyle Zeng +Tested-by: Kyle Zeng +Cc: +Link: https://patch.msgid.link/20260606161145.1933447-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1842,6 +1842,7 @@ static int snd_timer_user_params(struct + struct snd_timer *t; + int err; + ++ guard(mutex)(®ister_mutex); + tu = file->private_data; + if (!tu->timeri) + return -EBADFD; diff --git a/queue-6.1/arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch b/queue-6.1/arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch new file mode 100644 index 0000000000..f4372116a0 --- /dev/null +++ b/queue-6.1/arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch
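Review bot: the hunk in snd_timer_user_params() depends on `guard(mutex)(...)` from <linux/cleanup.h>, which was not part of 6.1 at release; confirm that 6.1.y carries the cleanup.h backport before queueing this as-is, otherwise the stable version needs an explicit `mutex_lock(&register_mutex);` at this point and a matching `mutex_unlock()` on every return path of the function (including the `return -EBADFD;` right below). Also, the added line renders here as `guard(mutex)(®ister_mutex);`, i.e. `&reg` collapsed into `®`; check that the queued file contains the literal `&register_mutex`, or the patch will not compile.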
@@ -0,0 +1,57 @@ +From d59ed803715a71fb9582e139d648ece8d66dc743 Mon Sep 17 00:00:00 2001 +From: Karl Mehltretter +Date: Sun, 24 May 2026 06:52:36 +0100 +Subject: ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O + +From: Karl Mehltretter + +commit d59ed803715a71fb9582e139d648ece8d66dc743 upstream. + +For CPUs before ARMv6, __raw_readw() and __raw_writew() are implemented +as C volatile halfword accesses so the compiler can generate an access +sequence that is safe for those machines. With KASAN enabled, those C +accesses are instrumented as normal memory accesses. + +That is not valid for MMIO. On ARM926/VersatilePB with KASAN enabled, +PL011 probing traps in __asan_store2() while registering the UART, because +the instrumented writew() tries to check KASAN shadow for an MMIO address. + +Keep the existing volatile halfword access, but move the ARMv5 definitions +into __no_kasan_or_inline functions so raw MMIO halfword accesses are not +instrumented by KASAN. The ARMv6-and-newer inline assembly path is +unchanged. + +Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM") +Cc: stable@vger.kernel.org # v5.11+ +Signed-off-by: Karl Mehltretter +Reviewed-by: Linus Walleij +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/include/asm/io.h | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/arch/arm/include/asm/io.h ++++ b/arch/arm/include/asm/io.h +@@ -56,8 +56,19 @@ void __raw_readsl(const volatile void __ + * the bus. Rather than special-case the machine, just let the compiler + * generate the access for CPUs prior to ARMv6. 
+ */ +-#define __raw_readw(a) (__chk_io_ptr(a), *(volatile unsigned short __force *)(a)) +-#define __raw_writew(v,a) ((void)(__chk_io_ptr(a), *(volatile unsigned short __force *)(a) = (v))) ++#define __raw_writew __raw_writew ++static __no_kasan_or_inline void __raw_writew(u16 val, volatile void __iomem *addr) ++{ ++ __chk_io_ptr(addr); ++ *(volatile unsigned short __force *)addr = val; ++} ++ ++#define __raw_readw __raw_readw ++static __no_kasan_or_inline u16 __raw_readw(const volatile void __iomem *addr) ++{ ++ __chk_io_ptr(addr); ++ return *(const volatile unsigned short __force *)addr; ++} + #else + /* + * When running under a hypervisor, we want to avoid I/O accesses with diff --git a/queue-6.1/arm-9475-1-entry-use-byte-load-for-kasan-vmap-stack-shadow.patch b/queue-6.1/arm-9475-1-entry-use-byte-load-for-kasan-vmap-stack-shadow.patch new file mode 100644 index 0000000000..3c3316284a --- /dev/null +++ b/queue-6.1/arm-9475-1-entry-use-byte-load-for-kasan-vmap-stack-shadow.patch 
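Review bot: the block comment directly above the new definitions still only says "let the compiler generate the access for CPUs prior to ARMv6" and gives no hint why the halfword accessors are now `__no_kasan_or_inline` functions while the other widths stay as they were; a reader of io.h alone will not know that this is to keep KASAN from checking shadow memory for MMIO, which is the whole point of the change. Suggest extending that comment with a sentence to that effect (e.g. "A plain C access would be instrumented by KASAN, which must not check shadow for MMIO, hence __no_kasan_or_inline"). The `#define __raw_readw __raw_readw` / `#define __raw_writew __raw_writew` guards are correctly kept so the asm-generic fallbacks are not pulled in.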
@@ -0,0 +1,43 @@ +From 77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6 Mon Sep 17 00:00:00 2001 +From: Karl Mehltretter +Date: Sun, 24 May 2026 06:52:35 +0100 +Subject: ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow + +From: Karl Mehltretter + +commit 77a1f6883dc6e837bb2cb30b9b02e2f94338e2c6 upstream. + +Commit 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from +VMAP shadow") added a dummy read from the KASAN VMAP stack shadow in +__switch_to(). The read uses ldr, but the KASAN shadow address is +byte-granular and is not guaranteed to be word aligned. + +ARMv5 faults unaligned word loads. With CONFIG_KASAN_VMALLOC and +CONFIG_VMAP_STACK enabled, ARM926/VersatilePB crashes in __switch_to() +with an alignment exception before reaching init. + +Use ldrb for the dummy shadow access. The code only needs to fault in the +shadow mapping if the stack shadow is missing, so a byte load is sufficient +and matches the granularity of KASAN shadow memory. + +Fixes: 44e9a3bb76e5 ("ARM: 9430/1: entry: Do a dummy read from VMAP shadow") +Cc: stable@vger.kernel.org # v6.13+ +Signed-off-by: Karl Mehltretter +Reviewed-by: Linus Walleij +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/kernel/entry-armv.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/kernel/entry-armv.S ++++ b/arch/arm/kernel/entry-armv.S +@@ -793,7 +793,7 @@ ENTRY(__switch_to) + @ are using KASAN + mov_l r2, KASAN_SHADOW_OFFSET + add r2, r2, ip, lsr #KASAN_SHADOW_SCALE_SHIFT +- ldr r2, [r2] ++ ldrb r2, [r2] + #endif + #endif + diff --git a/queue-6.1/arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch b/queue-6.1/arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch new file mode 100644 index 0000000000..a961dedb52 --- /dev/null +++ b/queue-6.1/arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch 
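Review bot: the `ldr r2, [r2]` this hunk replaces comes from 44e9a3bb76e5 ("ARM: 9430/1"), which the commit message's Cc: stable tag scopes to v6.13+; the `mov_l r2, KASAN_SHADOW_OFFSET` context only exists in entry-armv.S if 9430/1 is present, so this one can only apply to queue-6.1 if 6.1.y already carries (or queues ahead of it in series) that earlier patch. Confirm that before keeping it in the 6.1 queue. A one-line comment next to the `ldrb` saying the byte load is deliberate (shadow is byte-granular; an unaligned word load faults on ARMv5) would stop someone from "restoring" the `ldr` later.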
@@ -0,0 +1,39 @@ +From 63838c323924fe4a78b2323bd45aa1030f72ca60 Mon Sep 17 00:00:00 2001 +From: Yuho Choi +Date: Sun, 24 May 2026 22:47:09 -0400 +Subject: ARM: socfpga: Fix OF node refcount leak in SMP setup + +From: Yuho Choi + +commit 63838c323924fe4a78b2323bd45aa1030f72ca60 upstream. + +socfpga_smp_prepare_cpus() looks up the Cortex-A9 SCU node with +of_find_compatible_node(), which returns a node reference that must be +released with of_node_put(). + +The function maps the SCU registers and then returns without dropping +that reference, leaking the node on both the success path and the +of_iomap() failure path. + +Drop the reference once the mapping attempt is complete. The returned +MMIO mapping does not depend on keeping the device node reference held. + +Fixes: 122694a0c712 ("ARM: socfpga: use of_iomap to map the SCU") +Cc: stable@vger.kernel.org +Signed-off-by: Yuho Choi +Signed-off-by: Dinh Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-socfpga/platsmp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-socfpga/platsmp.c ++++ b/arch/arm/mach-socfpga/platsmp.c +@@ -78,6 +78,7 @@ static void __init socfpga_smp_prepare_c + } + + socfpga_scu_base_addr = of_iomap(np, 0); ++ of_node_put(np); + if (!socfpga_scu_base_addr) + return; + scu_enable(socfpga_scu_base_addr); diff --git a/queue-6.1/bnxt_en-fix-null-pointer-dereference.patch b/queue-6.1/bnxt_en-fix-null-pointer-dereference.patch new file mode 100644 index 0000000000..162e4bb39d --- /dev/null +++ b/queue-6.1/bnxt_en-fix-null-pointer-dereference.patch 
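Review bot: placing `of_node_put(np);` immediately after `of_iomap(np, 0);` covers both the success path and the `!socfpga_scu_base_addr` return, matching the commit message. The context shows a `}` closing an earlier block just before the `of_iomap()` call; if that block has any return path taken with a non-NULL `np` (anything beyond the usual `if (!np)` bail-out), it leaks the reference too, so check the lines above the hunk before merging.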
@@ -0,0 +1,45 @@ +From d930276f2cddd0b7294cac7a8fe7b877f6d9e08d Mon Sep 17 00:00:00 2001 +From: Kyle Meyer +Date: Fri, 5 Jun 2026 17:25:24 -0500 +Subject: bnxt_en: Fix NULL pointer dereference + +From: Kyle Meyer + +commit d930276f2cddd0b7294cac7a8fe7b877f6d9e08d upstream. + +PCIe errors detected by a Root Port or Downstream Port cause error +recovery services to run on all subordinate devices regardless of +administrative state. + +The .error_detected() callback, bnxt_io_error_detected(), disables +and synchronizes IRQs via bnxt_disable_int_sync(), which calls +bnxt_cp_num_to_irq_num() to map completion rings to IRQs using +bp->bnapi. + +Since bp->bnapi is allocated on NIC open and freed on NIC close, PCIe +error recovery on a closed NIC can dereference a NULL pointer. + +Check if bp->bnapi is NULL before disabling and synchronizing IRQs. + +Fixes: e5811b8c09df ("bnxt_en: Add IRQ remapping logic.") +Cc: stable@vger.kernel.org +Signed-off-by: Kyle Meyer +Reviewed-by: Pavan Chebbi +Link: https://patch.msgid.link/aiNM1CY2-StPilxW@hpe.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -4747,7 +4747,7 @@ static void bnxt_disable_int_sync(struct + { + int i; + +- if (!bp->irq_tbl) ++ if (!bp->irq_tbl || !bp->bnapi) + return; + + atomic_inc(&bp->intr_sem); diff --git a/queue-6.1/drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch b/queue-6.1/drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch new file mode 100644 index 0000000000..37f0b69efc --- /dev/null +++ b/queue-6.1/drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch 
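Review bot: `bp->bnapi` is read here without any visible locking, and the commit message says `.error_detected()` runs regardless of the NIC's administrative state; the extra condition only closes the window if the caller of bnxt_disable_int_sync() on the AER path holds rtnl or whatever lock bnxt close takes when it frees `bp->bnapi`, otherwise the check can race with a concurrent close. Confirm that ordering. A short comment at the check (`/* bnapi is NULL while the NIC is closed */`) would also keep the new condition from being dropped later as apparently redundant with `irq_tbl`.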
@@ -0,0 +1,48 @@ +From 49c3da65961fe9857c831d47fa1989084e87514a Mon Sep 17 00:00:00 2001 +From: Harry Wentland +Date: Tue, 5 May 2026 11:50:07 -0400 +Subject: drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() + +From: Harry Wentland + +commit 49c3da65961fe9857c831d47fa1989084e87514a upstream. + +[Why & How] +gpio_bitshift is a uint8_t read directly from the VBIOS GPIO pin table. +If the value is >= 32, the expression "1 << gpio_bitshift" triggers +undefined behaviour in C (shift count exceeds type width). On x86 the +shift is silently masked to 5 bits, producing an incorrect GPIO mask +that may cause wrong MMIO register bits to be toggled. + +Validate gpio_bitshift before use and return BP_RESULT_BADBIOSTABLE for +out-of-range values. + +Fixes: ae79c310b1a6 ("drm/amd/display: Add DCE12 bios parser support") +Assisted-by: Copilot:claude-opus-4.6 +Reviewed-by: Alex Hung +Signed-off-by: Harry Wentland +Signed-off-by: Ray Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit eadf438ab8d370b9d19acee9359918c85afeb80d) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c ++++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c +@@ -700,8 +700,10 @@ static enum bp_result bios_parser_get_gp + info->offset_en = info->offset + 1; + info->offset_mask = info->offset - 1; + +- info->mask = (uint32_t) (1 << +- header->gpio_pin[i].gpio_bitshift); ++ if (header->gpio_pin[i].gpio_bitshift >= 32) ++ return BP_RESULT_BADBIOSTABLE; ++ ++ info->mask = 1u << header->gpio_pin[i].gpio_bitshift; + info->mask_y = info->mask + 2; + info->mask_en = info->mask + 1; + info->mask_mask = info->mask - 1; 
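Review bot: the new range check sits after `info->offset`, `info->offset_en` and `info->offset_mask` have already been written, so on `BP_RESULT_BADBIOSTABLE` the caller gets a partially filled `info`; moving `if (header->gpio_pin[i].gpio_bitshift >= 32) return BP_RESULT_BADBIOSTABLE;` above the first `info->` assignment keeps the error path from leaving half-initialized output behind. Worth stating too that `1u <<` also removes the `1 << 31` signed-overflow case the old `(uint32_t)(1 << ...)` still had, since the commit message only mentions the >= 32 case.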
diff --git a/queue-6.1/ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch b/queue-6.1/ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch new file mode 100644 index 0000000000..f2c7c32689 --- /dev/null +++ b/queue-6.1/ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch 
@@ -0,0 +1,58 @@ +From 29e7b925ae6df64894e82ab6419994dc25580a8a Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Tue, 2 Jun 2026 15:46:42 -0400 +Subject: IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN + +From: Michael Bommarito + +commit 29e7b925ae6df64894e82ab6419994dc25580a8a upstream. + +In drivers/infiniband/ulp/isert/ib_isert.c, isert_login_recv_done() +computes the login request payload length as wc->byte_len minus +ISER_HEADERS_LEN with no lower bound, and login_req_len is a signed int. +A remote iSER initiator can post a login Send work request carrying +fewer than ISER_HEADERS_LEN (76) bytes, so the subtraction underflows +and login_req_len becomes negative. + +isert_rx_login_req() then reads that negative length back into a signed +int, takes size = min(rx_buflen, MAX_KEY_VALUE_PAIRS), and because the +min() is signed it keeps the negative value; the value is then passed as +the memcpy() length and sign-extended to a multi-gigabyte size_t. The +copy into the 8192-byte login->req_buf runs far out of bounds and +faults, crashing the target node. The login phase precedes iSCSI +authentication, so no credentials are required to reach this path. + +Reject any login PDU shorter than ISER_HEADERS_LEN before the +subtraction, mirroring the existing early return on a failed work +completion, so login_req_len can never go negative. The upper bound was +already safe: a posted login buffer cannot deliver more than +ISER_RX_PAYLOAD_SIZE, so the difference stays at or below +MAX_KEY_VALUE_PAIRS and the existing min() clamps it; only the missing +lower bound needs to be added. 
+ +Fixes: b8d26b3be8b3 ("iser-target: Add iSCSI Extensions for RDMA (iSER) target driver") +Link: https://patch.msgid.link/r/20260602194642.2273217-1-michael.bommarito@gmail.com +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-8 +Signed-off-by: Michael Bommarito +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/isert/ib_isert.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -1389,6 +1389,12 @@ isert_login_recv_done(struct ib_cq *cq, + ib_dma_sync_single_for_cpu(ib_dev, isert_conn->login_desc->dma_addr, + ISER_RX_SIZE, DMA_FROM_DEVICE); + ++ if (unlikely(wc->byte_len < ISER_HEADERS_LEN)) { ++ isert_dbg("login request length %u is too short\n", ++ wc->byte_len); ++ return; ++ } ++ + isert_conn->login_req_len = wc->byte_len - ISER_HEADERS_LEN; + + if (isert_conn->conn) { diff --git a/queue-6.1/ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-double-smb2_cancel.patch b/queue-6.1/ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-double-smb2_cancel.patch new file mode 100644 index 0000000000..823b406dfd --- /dev/null +++ b/queue-6.1/ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-double-smb2_cancel.patch 
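Review bot: the new length check logs only at `isert_dbg` level and then returns; since this is a pre-authentication, remotely reachable malformed PDU (as the commit message itself notes), a rate-limited `isert_err`/`isert_warn` would make such probes visible in production logs instead of only in debug builds. Also, the early return leaves the login exchange unanswered in the same way as the existing failed-completion path it mirrors; confirm that path leads to connection teardown rather than a hung login, so a peer cannot park connections by sending short login PDUs.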
@@ -0,0 +1,69 @@ +From f580d27e8928828693df44ba2db0fffdbe11dfea Mon Sep 17 00:00:00 2001 +From: Gil Portnoy +Date: Mon, 1 Jun 2026 08:27:56 +0900 +Subject: ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL + +From: Gil Portnoy + +commit f580d27e8928828693df44ba2db0fffdbe11dfea upstream. + +A deferred byte-range lock (an SMB2_LOCK that blocks) registers an async work on +conn->async_requests via setup_async_work(), with cancel_fn = +smb2_remove_blocked_lock and cancel_argv[0] pointing at the struct file_lock. + +When the request is cancelled, the worker frees the file_lock with +locks_free_lock() and takes the cancelled early-exit, which "goto out"s and never +reaches release_async_work() -- the only site that unlinks the work from +conn->async_requests and clears cancel_fn/cancel_argv. The work therefore stays +matchable on async_requests with a live cancel_fn pointing at the freed file_lock, +until connection teardown finally runs release_async_work(). + +smb2_cancel() fires cancel_fn unconditionally with no state guard, so a second +SMB2_CANCEL for the same AsyncId, arriving in that window, re-runs +smb2_remove_blocked_lock() on the freed file_lock -- a slab use-after-free: + + BUG: KASAN: slab-use-after-free in __locks_delete_block + __locks_delete_block + locks_delete_block + ksmbd_vfs_posix_lock_unblock + smb2_remove_blocked_lock + smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn + handle_ksmbd_work + Allocated by ...: locks_alloc_lock <- smb2_lock + Freed by ...: locks_free_lock <- smb2_lock (cancelled branch) + ... cache file_lock_cache of size 192 + +Reproduced on mainline with KASAN by an authenticated SMB client. + +Skip a work whose state is already KSMBD_WORK_CANCELLED so its cancel callback +cannot be fired a second time. 
+ +Cc: stable@vger.kernel.org +Signed-off-by: Gil Portnoy +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -6810,6 +6810,17 @@ int smb2_cancel(struct ksmbd_work *work) + le64_to_cpu(hdr->Id.AsyncId)) + continue; + ++ /* ++ * A cancelled deferred byte-range lock frees its ++ * file_lock and takes the smb2_lock() early-exit that ++ * skips release_async_work(), so the work stays on ++ * conn->async_requests with a live cancel_fn pointing ++ * at the freed file_lock. Re-firing it on a second ++ * SMB2_CANCEL is a use-after-free. ++ */ ++ if (iter->state == KSMBD_WORK_CANCELLED) ++ break; ++ + ksmbd_debug(SMB, + "smb2 with AsyncId %llu cancelled command = 0x%x\n", + le64_to_cpu(hdr->Id.AsyncId), diff --git a/queue-6.1/mptcp-allow-subflow-rcv-wnd-to-shrink.patch b/queue-6.1/mptcp-allow-subflow-rcv-wnd-to-shrink.patch new file mode 100644 index 0000000000..895ae2ba1d --- /dev/null +++ b/queue-6.1/mptcp-allow-subflow-rcv-wnd-to-shrink.patch 
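Review bot: the `iter->state == KSMBD_WORK_CANCELLED` test reads a field that the first cancel's worker writes, and nothing in the hunk shows which lock serializes that write with this read; confirm that `smb2_cancel()` walks `conn->async_requests` under the same lock the worker holds when it sets the state, otherwise a second SMB2_CANCEL racing with the first can still see the old state and fire `cancel_fn`. The guard also leaves the dangling `cancel_fn`/`cancel_argv[0]` on the list until teardown, as the comment admits; clearing them in the cancelled branch of `smb2_lock()` where `locks_free_lock()` runs would remove the freed pointer itself rather than only one path to it, and is worth doing in addition.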
@@ -0,0 +1,59 @@ +From da23be77e1292cd611e736c3aa17da633d7ddce7 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 2 Jun 2026 22:14:11 +1000 +Subject: mptcp: allow subflow rcv wnd to shrink + +From: Paolo Abeni + +commit da23be77e1292cd611e736c3aa17da633d7ddce7 upstream. + +In an MPTCP connection, the `window` field in the TCP header refers to the +MPTCP-level rcv_nxt and its right edge should not move backward. Such a +constraint is enforced at DSS option generation time. + +At the same time, the TCP stack ensures independently that the TCP-level +rcv wnd's right edge does not move backward. That in turn causes artificial +inflation of the MPTCP rcv window when the incoming data is acked at the +TCP level and is OoO in the MPTCP sequence space (or lands in the backlog). + +As a consequence, the incoming traffic can exceed the receiver rcvbuf size +even when the sender is not misbehaving. + +Prevent such a scenario by forcibly allowing the TCP subflow to shrink the +TCP-level rcv wnd regardless of the current netns setting.
+ +Fixes: f3589be0c420 ("mptcp: never shrink offered window") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-4-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -564,6 +564,7 @@ static bool mptcp_established_options_ds + { + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk); + struct mptcp_sock *msk = mptcp_sk(subflow->conn); ++ struct tcp_sock *tp = tcp_sk(sk); + unsigned int dss_size = 0; + struct mptcp_ext *mpext; + unsigned int ack_size; +@@ -613,6 +614,12 @@ static bool mptcp_established_options_ds + if (dss_size == 0) + ack_size += TCPOLEN_MPTCP_DSS_BASE; + ++ /* The caller is __tcp_transmit_skb(), and will compute the new rcv ++ * wnd soon: ensure that the window can shrink. ++ */ ++ if (skb) ++ tp->rcv_wnd = tp->rcv_nxt - tp->rcv_wup; ++ + dss_size += ack_size; + + *size = ALIGN(dss_size, 4); diff --git a/queue-6.1/mptcp-close-toctou-race-while-computing-rcv_wnd.patch b/queue-6.1/mptcp-close-toctou-race-while-computing-rcv_wnd.patch new file mode 100644 index 0000000000..4a924d1f52 --- /dev/null +++ b/queue-6.1/mptcp-close-toctou-race-while-computing-rcv_wnd.patch 
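Review bot: the comment on the new block only says the caller "will compute the new rcv wnd soon: ensure that the window can shrink"; it does not say why assigning `tp->rcv_nxt - tp->rcv_wup` to `tp->rcv_wnd` achieves that, and someone reading this line in isolation cannot tell a deliberate trick from a bug. Suggest spelling out the mechanism (which downstream window computation this value makes zero so that the "never shrink" clamp no longer bites). Separately, this hunk and the TOCTOU patch from the same series (v2-3 and v2-4 in the Link: tags) both touch the variable block at the top of mptcp_established_options_dss(); make sure series keeps the upstream order so the context lines of both apply.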
@@ -0,0 +1,125 @@ +From 8ab24fdebc369c0dfb90f82c1650b1e66662bb45 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 2 Jun 2026 22:14:10 +1000 +Subject: mptcp: close TOCTOU race while computing rcv_wnd + +From: Paolo Abeni + +commit 8ab24fdebc369c0dfb90f82c1650b1e66662bb45 upstream. + +The MPTCP output path accesses the MPTCP-level ack_seq locklessly +multiple times, using possibly different values for the data_ack +in the DSS option and to compute the announced rcv wnd for the same +packet. + +Refactor the code to avoid inconsistencies which may confuse the +peer. Also ensure that the MPTCP level rcv wnd is updated only when +the egress packet actually contains a DSS ack. + +Fixes: fa3fe2b15031 ("mptcp: track window announced to peer") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-3-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/options.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -568,7 +568,6 @@ static bool mptcp_established_options_ds + struct mptcp_ext *mpext; + unsigned int ack_size; + bool ret = false; +- u64 ack_seq; + + opts->csum_reqd = READ_ONCE(msk->csum_enabled); + mpext = skb ? 
mptcp_get_ext(skb) : NULL; +@@ -600,14 +599,11 @@ static bool mptcp_established_options_ds + return ret; + } + +- ack_seq = READ_ONCE(msk->ack_seq); + if (READ_ONCE(msk->use_64bit_ack)) { + ack_size = TCPOLEN_MPTCP_DSS_ACK64; +- opts->ext_copy.data_ack = ack_seq; + opts->ext_copy.ack64 = 1; + } else { + ack_size = TCPOLEN_MPTCP_DSS_ACK32; +- opts->ext_copy.data_ack32 = (uint32_t)ack_seq; + opts->ext_copy.ack64 = 0; + } + opts->ext_copy.use_ack = 1; +@@ -1273,19 +1269,14 @@ bool mptcp_incoming_options(struct sock + return true; + } + +-static void mptcp_set_rwin(struct tcp_sock *tp, struct tcphdr *th) ++static u64 mptcp_set_rwin(struct mptcp_sock *msk, struct tcp_sock *tp, ++ struct tcphdr *th, u64 ack_seq) + { + const struct sock *ssk = (const struct sock *)tp; +- struct mptcp_subflow_context *subflow; +- u64 ack_seq, rcv_wnd_old, rcv_wnd_new; +- struct mptcp_sock *msk; ++ u64 rcv_wnd_old, rcv_wnd_new; + u32 new_win; + u64 win; + +- subflow = mptcp_subflow_ctx(ssk); +- msk = mptcp_sk(subflow->conn); +- +- ack_seq = READ_ONCE(msk->ack_seq); + rcv_wnd_new = ack_seq + tp->rcv_wnd; + + rcv_wnd_old = atomic64_read(&msk->rcv_wnd_sent); +@@ -1337,7 +1328,7 @@ raise_win: + + update_wspace: + WRITE_ONCE(msk->old_wspace, tp->rcv_wnd); +- subflow->rcv_wnd_sent = rcv_wnd_new; ++ return rcv_wnd_new; + } + + static void mptcp_track_rwin(struct tcp_sock *tp) +@@ -1449,13 +1440,25 @@ void mptcp_write_options(struct tcphdr * + *ptr++ = mptcp_option(MPTCPOPT_DSS, len, 0, flags); + + if (mpext->use_ack) { ++ struct mptcp_sock *msk; ++ u64 ack_seq; ++ ++ /* DSS option is set only by mptcp_established_options, ++ * the caller is __tcp_transmit_skb() and ssk is always ++ * not NULL. 
++ */ ++ subflow = mptcp_subflow_ctx(ssk); ++ msk = mptcp_sk(subflow->conn); ++ ack_seq = READ_ONCE(msk->ack_seq); + if (mpext->ack64) { +- put_unaligned_be64(mpext->data_ack, ptr); ++ put_unaligned_be64(ack_seq, ptr); + ptr += 2; + } else { +- put_unaligned_be32(mpext->data_ack32, ptr); ++ put_unaligned_be32(ack_seq, ptr); + ptr += 1; + } ++ subflow->rcv_wnd_sent = mptcp_set_rwin(msk, tp, th, ++ ack_seq); + } + + if (mpext->use_map) { +@@ -1684,9 +1687,6 @@ mp_capable_done: + i += 4; + } + } +- +- if (tp) +- mptcp_set_rwin(tp, th); + } + + __be32 mptcp_get_reset_option(const struct sk_buff *skb) diff --git a/queue-6.1/mptcp-fix-retransmission-loop-when-csum-is-enabled.patch b/queue-6.1/mptcp-fix-retransmission-loop-when-csum-is-enabled.patch new file mode 100644 index 0000000000..3387b8c759 --- /dev/null +++ b/queue-6.1/mptcp-fix-retransmission-loop-when-csum-is-enabled.patch 
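Review bot: in the `@@ -1273` hunk, `ssk` is still declared (`const struct sock *ssk = (const struct sock *)tp;`) but its only visible use, `mptcp_subflow_ctx(ssk)`, is removed; if nothing further down in mptcp_set_rwin() uses it, this is now an unused-variable warning and the declaration should go.

Review bot: in the `@@ -1449` hunk, `put_unaligned_be32(ack_seq, ptr)` passes a `u64` where the old code had an explicit `(uint32_t)` cast; keep the cast (`put_unaligned_be32((u32)ack_seq, ptr)`) so the intentional truncation is documented and does not trip conversion checks. The same hunk assigns `subflow = mptcp_subflow_ctx(ssk);` without declaring `subflow` in the new block, so it relies on an outer declaration in mptcp_write_options(); confirm the 6.1 version of that function has one, otherwise the backport needs a `struct mptcp_subflow_context *subflow;` next to the new `msk` and `ack_seq` locals.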
@@ -0,0 +1,42 @@ +From d1918b36edcaed0ec4ef6888b2358c6b1ddcff47 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Tue, 2 Jun 2026 22:14:09 +1000 +Subject: mptcp: fix retransmission loop when csum is enabled + +From: Paolo Abeni + +commit d1918b36edcaed0ec4ef6888b2358c6b1ddcff47 upstream. + +Sashiko noted that retransmission with csum enabled can actually +transmit new data, but currently the relevant code does not update +snd_nxt accordingly. + +This may cause incoming ack drops and an endless retransmission loop. + +Address the issue by incrementing snd_nxt as needed. + +Fixes: 4e14867d5e91 ("mptcp: tune re-injections for csum enabled mode") +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Abeni +Reviewed-by: Matthieu Baerts (NGI0) +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-2-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -2752,6 +2752,10 @@ static void __mptcp_retrans(struct sock + + release_sock(ssk); + ++ /* With csum enabled retransmission can send new data. */ ++ if (after64(dfrag->already_sent + dfrag->data_seq, msk->snd_nxt)) ++ WRITE_ONCE(msk->snd_nxt, dfrag->already_sent + dfrag->data_seq); ++ + reset_timer: + mptcp_check_and_set_pending(sk); + diff --git a/queue-6.1/mptcp-sockopt-check-timestamping-ret-value.patch b/queue-6.1/mptcp-sockopt-check-timestamping-ret-value.patch new file mode 100644 index 0000000000..6b944e48a8 --- /dev/null +++ b/queue-6.1/mptcp-sockopt-check-timestamping-ret-value.patch
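Review bot: `dfrag->already_sent + dfrag->data_seq` is computed twice in the new block; a local such as `u64 end_seq = dfrag->data_seq + dfrag->already_sent;` would avoid the duplication and make the comparison read as "end of what was just sent vs snd_nxt". The read of `msk->snd_nxt` is a plain load while the update uses `WRITE_ONCE()`, which implies lockless readers elsewhere; the plain read is fine only because the msk socket lock is held at this point in __mptcp_retrans(), and a short comment saying so would help the next reader.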
@@ -0,0 +1,53 @@ +From 57132affbc89c02e1bf73fdf5724311bdc9a29da Mon Sep 17 00:00:00 2001 +From: "Matthieu Baerts (NGI0)" +Date: Tue, 2 Jun 2026 22:14:14 +1000 +Subject: mptcp: sockopt: check timestamping ret value + +From: Matthieu Baerts (NGI0) + +commit 57132affbc89c02e1bf73fdf5724311bdc9a29da upstream. + +sock_set_timestamping() can fail for different reasons. The returned +value should then be checked. + +If sock_set_timestamping() fails for at least one subflow, the first +error is now reported to the userspace, similar to what is done with +other socket options. + +Fixes: 9061f24bf82e ("mptcp: sockopt: propagate timestamp request to subflows") +Cc: stable@vger.kernel.org +Reported-by: Willem de Bruijn +Closes: https://lore.kernel.org/willemdebruijn.kernel.178a41a53d041@gmail.com +Reviewed-by: Mat Martineau +Signed-off-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20260602-net-mptcp-misc-fixes-7-1-rc7-v2-7-856831229976@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/sockopt.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/mptcp/sockopt.c ++++ b/net/mptcp/sockopt.c +@@ -233,15 +233,19 @@ static int mptcp_setsockopt_sol_socket_t + + mptcp_for_each_subflow(msk, subflow) { + struct sock *ssk = mptcp_subflow_tcp_sock(subflow); ++ int err; + + lock_sock(ssk); +- sock_set_timestamping(ssk, optname, timestamping); ++ err = sock_set_timestamping(ssk, optname, timestamping); + release_sock(ssk); ++ ++ if (err < 0 && ret == 0) ++ ret = err; + } + + release_sock(sk); + +- return 0; ++ return ret; + } + + static int mptcp_setsockopt_sol_socket_linger(struct mptcp_sock *msk, sockptr_t optval, diff --git a/queue-6.1/pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch b/queue-6.1/pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch new file mode 100644 index 0000000000..5f5fdc3cf7 --- /dev/null 
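Review bot: `if (err < 0 && ret == 0) ret = err;` assumes `ret` is declared and still 0 when the subflow loop starts; the declaration is outside the hunk, so confirm it is initialized to 0 and not already carrying a result from the parent-socket call above the loop, otherwise the "first error is reported" behaviour described in the commit message is not what the code does. If 6.1's version of mptcp_setsockopt_sol_socket_timestamping() has no `ret` at all, this hunk is missing its declaration and will not build.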
+++ b/queue-6.1/pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch @@ -0,0 +1,46 @@ +From 62c4d31d78294bd61cf3403626b789e854357177 Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Mon, 18 May 2026 10:32:11 +0200 +Subject: pidfd: refuse access to tasks that have started exiting harder + +From: Christian Brauner + +commit 62c4d31d78294bd61cf3403626b789e854357177 upstream. + +The recent ptrace fix closed a hole where someone could rely on task->mm +becoming NULL during do_exit() to bypass dumpability checks. This API +here leans on the very same check and so inherits the fix. + +But there is no good reason to let it succeed at all once the target has +entered do_exit(). PF_EXITING is set by exit_signals() at the very top +of do_exit(), before exit_mm() and exit_files() run. Once we observe it, +the task is committed to dying and exit_files() will release the fdtable +shortly. + +Fixes: 8649c322f75c ("pid: Implement pidfd_getfd syscall") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260518-obgleich-petersilie-2d77ccccf9b9@brauner +Signed-off-by: Christian Brauner (Amutable) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/pid.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/kernel/pid.c ++++ b/kernel/pid.c +@@ -672,10 +672,12 @@ static struct file *__pidfd_fget(struct + if (ret) + return ERR_PTR(ret); + +- if (ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS)) +- file = fget_task(task, fd); +- else ++ if (!ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS)) + file = ERR_PTR(-EPERM); ++ else if (task->flags & PF_EXITING) ++ file = ERR_PTR(-ESRCH); ++ else ++ file = fget_task(task, fd); + + up_read(&task->signal->exec_update_lock); + diff --git a/queue-6.1/rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch b/queue-6.1/rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch new file mode 100644 index 0000000000..b251517fd1 --- /dev/null
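Review bot: the `PF_EXITING` test is deliberately ordered after `ptrace_may_access()`, so a caller that fails the permission check still gets -EPERM rather than -ESRCH and does not learn the target's exit state; that order is correct and worth a one-line comment, since reordering it as a "cheaper check first" cleanup would change what unprivileged callers can observe. The `task->flags` read is not serialized against exit_signals(), so a task can set PF_EXITING right after the check; that is acceptable for the best-effort refusal the commit message describes ("harder", not "always"), but a short comment saying the check is best-effort would save the next reader from hunting for a lock that does not exist.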
+++ b/queue-6.1/rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch 
@@ -0,0 +1,93 @@ +From 13e91fd076306f5d0cdfa14f53d69e37274723c4 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Tue, 2 Jun 2026 18:04:57 -0400 +Subject: RDMA/srp: bound SRP_RSP sense copy by the received length + +From: Michael Bommarito + +commit 13e91fd076306f5d0cdfa14f53d69e37274723c4 upstream. + +srp_process_rsp() copies sense data from rsp->data + resp_data_len, +where resp_data_len is the full 32-bit value supplied by the SRP target +and is never checked against the number of bytes actually received +(wc->byte_len). The copy length is bounded to SCSI_SENSE_BUFFERSIZE, so +at most 96 bytes are copied, but the source offset is not bounded. + +A malicious or compromised SRP target on the InfiniBand/RoCE fabric that +the initiator has logged into can return an SRP_RSP with +SRP_RSP_FLAG_SNSVALID set and a large resp_data_len. The receive buffer +is allocated at the target-chosen max_ti_iu_len, so the source of the +sense copy lands past the bytes actually received; with resp_data_len +near 0xFFFFFFFF it is gigabytes past the buffer and the read faults. + +Copy the sense data only if it has not been truncated, that is, only if +the response header, the response data, and the sense region fit within +the bytes actually received; otherwise drop the sense and log. The +in-tree iSER and NVMe-RDMA receive paths already bound their parse by +wc->byte_len; this brings ib_srp into line with them. 
+ +Fixes: aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator") +Link: https://patch.msgid.link/r/20260602220457.2542840-1-michael.bommarito@gmail.com +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-8 +Signed-off-by: Michael Bommarito +Reviewed-by: Bart Van Assche +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/srp/ib_srp.c | 30 ++++++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -1935,7 +1935,8 @@ static int srp_post_recv(struct srp_rdma + return ib_post_recv(ch->qp, &wr, NULL); + } + +-static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp) ++static void srp_process_rsp(struct srp_rdma_ch *ch, struct srp_rsp *rsp, ++ u32 byte_len) + { + struct srp_target_port *target = ch->target; + struct srp_request *req; +@@ -1976,10 +1977,27 @@ static void srp_process_rsp(struct srp_r + scmnd->result = rsp->status; + + if (rsp->flags & SRP_RSP_FLAG_SNSVALID) { +- memcpy(scmnd->sense_buffer, rsp->data + +- be32_to_cpu(rsp->resp_data_len), +- min_t(int, be32_to_cpu(rsp->sense_data_len), +- SCSI_SENSE_BUFFERSIZE)); ++ u32 resp_len = be32_to_cpu(rsp->resp_data_len); ++ u32 sense_len = be32_to_cpu(rsp->sense_data_len); ++ ++ /* ++ * The sense data starts resp_data_len bytes past the ++ * response data area; both lengths come from the ++ * target-controlled response. Copy the sense data ++ * only if it has not been truncated, that is, only if ++ * the full sense region fits within the bytes actually ++ * received. Otherwise the copy source would run past ++ * the receive buffer (sized to the target-chosen ++ * max_ti_iu_len), reading out of bounds. 
++ */ ++ if (sizeof(*rsp) + (u64)resp_len + sense_len <= byte_len) ++ memcpy(scmnd->sense_buffer, ++ rsp->data + resp_len, ++ min(sense_len, SCSI_SENSE_BUFFERSIZE)); ++ else ++ shost_printk(KERN_ERR, target->scsi_host, ++ "dropping truncated sense data (resp_data_len %u sense_data_len %u, %u bytes received)\n", ++ resp_len, sense_len, byte_len); + } + + if (unlikely(rsp->flags & SRP_RSP_FLAG_DIUNDER)) +@@ -2089,7 +2107,7 @@ static void srp_recv_done(struct ib_cq * + + switch (opcode) { + case SRP_RSP: +- srp_process_rsp(ch, iu->buf); ++ srp_process_rsp(ch, iu->buf, wc->byte_len); + break; + + case SRP_CRED_REQ: diff --git a/queue-6.1/series b/queue-6.1/series index b70c1046bc..09b43486ef 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
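Review bot: the new bound `sizeof(*rsp) + (u64)resp_len + sense_len <= byte_len` is exact only if `sizeof(*rsp)` equals the fixed SRP_RSP header, that is, if `struct srp_rsp::data` is a flexible array; if `data` has a fixed size the check becomes stricter than intended and drops valid sense data, so that deserves a one-line confirmation in the comment. The `(u64)` cast is the right move: both lengths come from the target, so a 32-bit sum could wrap, pass the check, and still let the copy read past the buffer. Two smaller points: `min(sense_len, SCSI_SENSE_BUFFERSIZE)` mixes a `u32` with an `int` constant, which the upstream tree's relaxed `min()` accepts but 6.1's minmax.h may flag with the distinct-pointer-types warning, so keeping the original line's `min_t()` form (`min_t(u32, ...)`) is the safer backport; and the `shost_printk(KERN_ERR, ...)` fires on every malformed response from a target that has already shown it will send them, so gating it on `printk_ratelimit()` or similar would keep a misbehaving target from flooding the log.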
@@ -269,3 +269,25 @@ bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch +ksmbd-fix-use-after-free-of-a-deferred-file_lock-on-double-smb2_cancel.patch +xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch +usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch +usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch +usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch +usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch +alsa-timer-fix-uaf-at-snd_timer_user_params.patch +drm-amd-display-reject-gpio_bitshift-32-in-bios_parser_get_gpio_pin_info.patch +rdma-srp-bound-srp_rsp-sense-copy-by-the-received-length.patch +udp-clear-skb-dev-before-running-a-sockmap-verdict.patch +arm-socfpga-fix-of-node-refcount-leak-in-smp-setup.patch +arm-9474-1-io-avoid-kasan-instrumentation-of-raw-halfword-i-o.patch +arm-9475-1-entry-use-byte-load-for-kasan-vmap-stack-shadow.patch +mptcp-fix-retransmission-loop-when-csum-is-enabled.patch +mptcp-close-toctou-race-while-computing-rcv_wnd.patch +mptcp-allow-subflow-rcv-wnd-to-shrink.patch +mptcp-sockopt-check-timestamping-ret-value.patch +wifi-nl80211-reject-oversized-ema-rnr-lists.patch +vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch +bnxt_en-fix-null-pointer-dereference.patch +ib-isert-reject-login-pdus-shorter-than-iser_headers_len.patch +pidfd-refuse-access-to-tasks-that-have-started-exiting-harder.patch diff --git a/queue-6.1/udp-clear-skb-dev-before-running-a-sockmap-verdict.patch b/queue-6.1/udp-clear-skb-dev-before-running-a-sockmap-verdict.patch new file mode 100644 index 0000000000..d8ac0ccd6d --- /dev/null +++ b/queue-6.1/udp-clear-skb-dev-before-running-a-sockmap-verdict.patch 
@@ -0,0 +1,87 @@ +From 3c94f241f776562c489876ff506f366224565c21 Mon Sep 17 00:00:00 2001 +From: Sechang Lim +Date: Wed, 3 Jun 2026 16:27:33 +0000 +Subject: udp: clear skb->dev before running a sockmap verdict + +From: Sechang Lim + +commit 3c94f241f776562c489876ff506f366224565c21 upstream. + +On the UDP receive path skb->dev is repurposed as dev_scratch (the +truesize/state cache set by udp_set_dev_scratch()), through the +union { struct net_device *dev; unsigned long dev_scratch; } in sk_buff. + +When a UDP socket is in a sockmap, sk_data_ready is +sk_psock_verdict_data_ready(), which calls udp_read_skb() -> recv_actor() +(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq. +If that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp, +bpf_skc_lookup_tcp), bpf_skc_lookup() does: + + if (skb->dev) + caller_net = dev_net(skb->dev); + +skb->dev still holds the dev_scratch value (a non-NULL integer), so dev_net() +dereferences it as a struct net_device * and the kernel takes a general +protection fault on a non-canonical address in softirq: + + Oops: general protection fault, probably for non-canonical address 0x1010000800004a0 + CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full) + RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline] + RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047 + Call Trace: + + bpf_prog_4675cb904b7071f8+0x12e/0x14e + bpf_prog_run_pin_on_cpu+0xc6/0x1f0 + sk_psock_verdict_recv+0x1ba/0x350 + udp_read_skb+0x31a/0x370 + sk_psock_verdict_data_ready+0x2e3/0x600 + __udp_enqueue_schedule_skb+0x4c8/0x650 + udpv6_queue_rcv_one_skb+0x3ec/0x740 + udp6_unicast_rcv_skb+0x11d/0x140 + ip6_protocol_deliver_rcu+0x61e/0x950 + ip6_input_finish+0xa9/0x150 + NF_HOOK+0x286/0x2f0 + ip6_input+0x117/0x220 + NF_HOOK+0x286/0x2f0 + __netif_receive_skb+0x85/0x200 + process_backlog+0x374/0x9a0 + __napi_poll+0x4f/0x1c0 + net_rx_action+0x3b0/0x770 + handle_softirqs+0x15a/0x460 + do_softirq+0x57/0x80 + + 
+The rmem charge that dev_scratch accounted for is released by skb_recv_udp() on +dequeue, just above, so the scratch is dead by the time recv_actor() runs. Clear +skb->dev so bpf_skc_lookup() falls back to sock_net(skb->sk), which +skb_set_owner_sk_safe() set just above. + +Fixes: 965b57b469a5 ("net: Introduce a new proto_ops ->read_skb()") +Cc: stable@vger.kernel.org +Signed-off-by: Sechang Lim +Reviewed-by: Jiayuan Chen +Reviewed-by: Eric Dumazet +Link: https://patch.msgid.link/20260603162737.697215-1-rhkrqnwk98@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/udp.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1822,6 +1822,14 @@ try_again: + } + + WARN_ON_ONCE(!skb_set_owner_sk_safe(skb, sk)); ++ ++ /* ++ * skb->dev still aliases the UDP rx dev_scratch (its charge was freed ++ * on dequeue above); a sockmap verdict program may deref it via ++ * bpf_sk_lookup_*(), so clear it -> bpf_skc_lookup() uses skb->sk ++ */ ++ skb->dev = NULL; ++ + return recv_actor(sk, skb); + } + EXPORT_SYMBOL(udp_read_skb); diff --git a/queue-6.1/usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch b/queue-6.1/usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch new file mode 100644 index 0000000000..52b6a1f5cb --- /dev/null +++ b/queue-6.1/usb-serial-io_ti-fix-heap-overflow-in-build_i2c_fw_hdr.patch 
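Review bot: clearing `skb->dev` only in `udp_read_skb()` protects the sockmap verdict path shown in the trace, but the stale dev_scratch alias exists for any consumer that touches the skb after dequeue, so resetting it where the dev_scratch charge is retired (the dequeue the comment refers to as "above") would cover every post-dequeue user rather than this one caller; if that was considered and rejected, the reason belongs in the commit message. The new comment should also be precise about the fallback: `bpf_skc_lookup()` falls back to `sock_net(skb->sk)`, and it is the preceding `skb_set_owner_sk_safe()` that makes `skb->sk` valid, which is why the NULL store has to sit after that call and before `recv_actor()`. Since the reported trace reaches `udp_read_skb()` from `udpv6_queue_rcv_one_skb()`, a sentence noting that the IPv6 path shares this function would make clear that no separate udpv6 change is needed.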
@@ -0,0 +1,45 @@ +From 0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae Mon Sep 17 00:00:00 2001 +From: Adrian Korwel +Date: Mon, 25 May 2026 09:58:32 -0500 +Subject: USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() + +From: Adrian Korwel + +commit 0fd2b00b2d3d05e3eaa13342b3dfb0fa85c226ae upstream. + +build_i2c_fw_hdr() allocates a fixed-size buffer of +(16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec) bytes, then +copies le16_to_cpu(img_header->Length) bytes into it without +validating that Length fits within the available space after the +firmware record header. + +img_header->Length is a __le16 from the firmware file and can be +up to 65535. check_fw_sanity() validates the total firmware size +but not img_header->Length specifically. + +Fix by rejecting images where img_header->Length exceeds the +available destination space. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Adrian Korwel +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/io_ti.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -844,6 +844,11 @@ static int build_i2c_fw_hdr(u8 *header, + /* Pointer to fw_down memory image */ + img_header = (struct ti_i2c_image_header *)&fw->data[4]; + ++ if (le16_to_cpu(img_header->Length) > ++ buffer_size - sizeof(struct ti_i2c_firmware_rec)) { ++ kfree(buffer); ++ return -EINVAL; ++ } + memcpy(buffer + sizeof(struct ti_i2c_firmware_rec), + &fw->data[4 + sizeof(struct ti_i2c_image_header)], + le16_to_cpu(img_header->Length)); diff --git a/queue-6.1/usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch b/queue-6.1/usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch new file mode 100644 index 0000000000..1f902fc9f9 --- /dev/null +++ b/queue-6.1/usb-serial-io_ti-fix-heap-overflow-in-get_manuf_info.patch 
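Review bot: the new check bounds `img_header->Length` against the destination (`buffer_size - sizeof(struct ti_i2c_firmware_rec)`), but the same `Length` also drives the source read at `&fw->data[4 + sizeof(struct ti_i2c_image_header)]`, and nothing in this hunk ties it to `fw->size`; the commit message says `check_fw_sanity()` validates the total firmware size but not `Length`, so either add `4 + sizeof(struct ti_i2c_image_header) + Length <= fw->size` here or say in a comment where that is already guaranteed. The subtraction is safe because the message fixes `buffer_size` at (16*1024 - 512) + sizeof(struct ti_i2c_firmware_rec), but recording that assumption next to the check would keep a later resize of the buffer from silently making the subtraction wrap.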
@@ -0,0 +1,51 @@ +From 183c1076eca43bbb3e7bdf597456f91d81c73e74 Mon Sep 17 00:00:00 2001 +From: Adrian Korwel +Date: Mon, 25 May 2026 09:58:31 -0500 +Subject: USB: serial: io_ti: fix heap overflow in get_manuf_info() + +From: Adrian Korwel + +commit 183c1076eca43bbb3e7bdf597456f91d81c73e74 upstream. + +get_manuf_info() reads le16_to_cpu(rom_desc->Size) bytes from the +device I2C EEPROM into a buffer allocated with kmalloc_obj(), which +is sizeof(struct edge_ti_manuf_descriptor) = 10 bytes. + +The Size field comes from the device and is only validated (in +check_i2c_image()) to make sure the descriptor fits within +TI_MAX_I2C_SIZE (16384 bytes), not against the destination buffer size. +A malicious USB device can therefore set Size to any value up to 16377, +causing a heap overflow of up to 16367 bytes when plugged into a host +running this driver. + +valid_csum() is called after read_rom() and also iterates +buffer[0..Size-1], compounding the out-of-bounds access. + +Fix by rejecting descriptors with unexpected length before calling +read_rom(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Adrian Korwel +[ johan: amend commit message; also check for short descriptors ] +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/io_ti.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -773,6 +773,12 @@ static int get_manuf_info(struct edgepor + } + + /* Read the descriptor data */ ++ if (le16_to_cpu(rom_desc->Size) != sizeof(struct edge_ti_manuf_descriptor)) { ++ dev_err(dev, "unexpected Edge descriptor length: %u\n", ++ le16_to_cpu(rom_desc->Size)); ++ status = -EINVAL; ++ goto exit; ++ } + status = read_rom(serial, start_address+sizeof(struct ti_i2c_desc), + le16_to_cpu(rom_desc->Size), buffer); + if (status) 
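Review bot: the `/* Read the descriptor data */` comment now sits above the new length check rather than above the `read_rom()` call it describes; move it below the new block, or reword it to cover the validation, so the hunk reads in order. The exact-match test `!= sizeof(struct edge_ti_manuf_descriptor)` is the right shape here: the bracketed maintainer note says it was extended to catch short descriptors as well, and a short read would otherwise leave the tail of the 10-byte buffer unfilled before `valid_csum()` walks it. The `dev_err()` prints the device-supplied `le16_to_cpu()` result with `%u`, which is fine.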
diff --git a/queue-6.1/usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch b/queue-6.1/usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch new file mode 100644 index 0000000000..4253c97929 --- /dev/null +++ b/queue-6.1/usb-serial-kl5kusb105-fix-bulk-out-buffer-overflow.patch 
@@ -0,0 +1,61 @@ +From 96d47e40bf9db4a9efd5c8fb53287a508d165f14 Mon Sep 17 00:00:00 2001 +From: HyeongJun An +Date: Mon, 8 Jun 2026 18:09:26 +0900 +Subject: USB: serial: kl5kusb105: fix bulk-out buffer overflow + +From: HyeongJun An + +commit 96d47e40bf9db4a9efd5c8fb53287a508d165f14 upstream. + +klsi_105_prepare_write_buffer() is called by the generic write path +with the bulk-out buffer and its size (bulk_out_size, 64 bytes). It +stores a two-byte length header at the start of the buffer and copies +the payload from the write fifo starting at buf + KLSI_HDR_LEN, but +passes the full buffer size as the number of bytes to copy: + + count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, + size, &port->lock); + +When the fifo holds at least size bytes, size bytes are copied starting +two bytes into the size-byte buffer, writing KLSI_HDR_LEN bytes past its +end. Copy at most size - KLSI_HDR_LEN bytes instead, leaving room for +the header as safe_serial already does. + +Writing bulk_out_size or more bytes to the tty triggers a slab +out-of-bounds write, observed with KASAN by emulating the device with +dummy_hcd and raw-gadget: + + BUG: KASAN: slab-out-of-bounds in kfifo_copy_out+0x83/0xc0 + Write of size 64 at addr ffff888112c62202 by task python3 + kfifo_copy_out + klsi_105_prepare_write_buffer [kl5kusb105] + usb_serial_generic_write_start [usbserial] + Allocated by task 139: + usb_serial_probe [usbserial] + The buggy address is located 2 bytes inside of allocated 64-byte region + +The out-of-bounds write no longer occurs with this change applied. 
+ +Fixes: 60b3013cdaf3 ("USB: kl5usb105: reimplement using generic framework") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-8 +Signed-off-by: HyeongJun An +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/kl5kusb105.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/kl5kusb105.c ++++ b/drivers/usb/serial/kl5kusb105.c +@@ -331,8 +331,8 @@ static int klsi_105_prepare_write_buffer + unsigned char *buf = dest; + int count; + +- count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, size, +- &port->lock); ++ count = kfifo_out_locked(&port->write_fifo, buf + KLSI_HDR_LEN, ++ size - KLSI_HDR_LEN, &port->lock); + put_unaligned_le16(count, buf); + + return count + KLSI_HDR_LEN; diff --git a/queue-6.1/usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch b/queue-6.1/usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch new file mode 100644 index 0000000000..ad79a2c2a8 --- /dev/null +++ b/queue-6.1/usb-serial-option-add-usb-id-for-dell-wireless-dw5826e-m.patch 
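Review bot: `size - KLSI_HDR_LEN` is computed on the caller-supplied buffer size with no guard for `size <= KLSI_HDR_LEN`; if `size` is unsigned the subtraction wraps to a huge request and `kfifo_out_locked()` would copy up to the fifo's contents past a two-byte buffer. The commit message says the generic write path always passes bulk_out_size (64 bytes), so this cannot happen today, but a `WARN_ON_ONCE()`-style guard or a comment recording that assumption would keep the fix from resting on an implicit contract. The change itself matches what the message describes: at most `size - KLSI_HDR_LEN` payload bytes, a two-byte little-endian length header via `put_unaligned_le16()`, and a return value that now never exceeds `size`.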
@@ -0,0 +1,71 @@ +From 1938fb9fe38c4f04a3f30bea44f8071c80a63be4 Mon Sep 17 00:00:00 2001 +From: Jack Wu +Date: Thu, 4 Jun 2026 10:04:40 +0800 +Subject: USB: serial: option: add usb-id for Dell Wireless DW5826e-m + +From: Jack Wu + +commit 1938fb9fe38c4f04a3f30bea44f8071c80a63be4 upstream. + +Add support for Dell DW5826e-m with USB-id 0x413c:0x81ea + +T: Bus=03 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 8 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=413c ProdID=81ea Rev= 5.04 +S: Manufacturer=DELL +S: Product=DW5826e-m Qualcomm Snapdragon X12 Global LTE-A +S: SerialNumber=358988870177734 +C:* #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA +A: FirstIf#=12 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00 +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) +E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I:* If#=12 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=88(I) Atr=03(Int.) 
MxPS= 64 Ivl=32ms +I: If#=13 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I:* If#=13 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: Jack Wu +Reviewed-by: Lars Melin +Cc: stable@vger.kernel.org +[ johan: reserve also interface 4 ] +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -202,6 +202,7 @@ static void option_instat_callback(struc + #define DELL_PRODUCT_5821E_ESIM 0x81e0 + #define DELL_PRODUCT_5829E_ESIM 0x81e4 + #define DELL_PRODUCT_5829E 0x81e6 ++#define DELL_PRODUCT_5826E_ESIM 0x81ea + + #define DELL_PRODUCT_FM101R_ESIM 0x8213 + #define DELL_PRODUCT_FM101R 0x8215 +@@ -1123,6 +1124,8 @@ static const struct usb_device_id option + .driver_info = RSVD(0) | RSVD(6) }, + { USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5829E_ESIM), + .driver_info = RSVD(0) | RSVD(6) }, ++ { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_5826E_ESIM, 0xff), ++ .driver_info = RSVD(1) | RSVD(4) }, + { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R, 0xff) }, + { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R_ESIM, 0xff) }, + { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) }, /* ADU-E100, ADU-310 */ diff --git a/queue-6.1/vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch b/queue-6.1/vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch new file mode 100644 index 0000000000..fd0be61d14 --- /dev/null +++ b/queue-6.1/vsock-vmci-fix-sk_ack_backlog-leak-on-failed-handshake.patch 
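Review bot: `RSVD(1) | RSVD(4)` matches the descriptor dump, where If#=1 (Cls=ff Sub=42 Prot=01) is already bound to usbfs and If#=4 (Prot=ff) exposes only an interrupt endpoint, and the 0xff class filter in `USB_DEVICE_INTERFACE_CLASS()` keeps the driver off the cdc_mbim interfaces 12 and 13; a line in the commit message on why interfaces 1 and 4 are reserved (the bracketed maintainer note only covers interface 4) would save the next contributor from re-deriving it from the dump. The new define follows the neighbouring `DELL_PRODUCT_5829E_ESIM` naming, but the message never says the DW5826e-m is an eSIM variant, so either that fact or a different suffix belongs in the message.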
@@ -0,0 +1,53 @@ +From c05fa14db43ebef3bd862ca9d073981c0358b3f0 Mon Sep 17 00:00:00 2001 +From: Raf Dickson +Date: Tue, 26 May 2026 10:43:56 +0000 +Subject: vsock/vmci: fix sk_ack_backlog leak on failed handshake + +From: Raf Dickson + +commit c05fa14db43ebef3bd862ca9d073981c0358b3f0 upstream. + +When vmci_transport_recv_connecting_server() returns an error, +vmci_transport_recv_listen() calls vsock_remove_pending() but never +calls sk_acceptq_removed(). This leaves sk_ack_backlog incremented +permanently. + +Repeated handshake failures (malformed packets, queue pair alloc +failure, event subscribe failure) cause sk_ack_backlog to climb +toward sk_max_ack_backlog. Once it reaches the limit the listener +permanently refuses all new connections with -ECONNREFUSED, a +silent denial of service requiring a process restart to recover. + +The two existing sk_acceptq_removed() calls in af_vsock.c do not +cover this path: line 764 checks vsock_is_pending() which returns +false after vsock_remove_pending(), and line 1889 is only reached +on successful accept(). + +Fix by balancing sk_acceptq_added() with sk_acceptq_removed() on +the error path. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Cc: stable@vger.kernel.org +Signed-off-by: Raf Dickson +Acked-by: Stefano Garzarella +Link: https://patch.msgid.link/20260526104356.469928-1-rafdog35@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/vmci_transport.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/vmw_vsock/vmci_transport.c ++++ b/net/vmw_vsock/vmci_transport.c +@@ -972,8 +972,10 @@ static int vmci_transport_recv_listen(st + err = -EINVAL; + } + +- if (err < 0) ++ if (err < 0) { + vsock_remove_pending(sk, pending); ++ sk_acceptq_removed(sk); ++ } + + release_sock(pending); + vmci_transport_release_pending(pending); 
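Review bot: adding `sk_acceptq_removed(sk)` on the error path is only correct if every way of reaching this `if (err < 0)` block has already gone through the matching `sk_acceptq_added()`; if any of the failures the commit message lists (malformed packet, queue pair allocation, event subscribe) can fire before the backlog was incremented, the new call underflows `sk_ack_backlog` and produces exactly the permanently full listener the fix is meant to cure. The hunk does not show where the increment happens, so a sentence in the message, or a comment beside the new call, confirming the pairing would make the balance auditable. Also, the message cites af_vsock.c by line numbers (764, 1889); those drift with every release, so naming the functions is the more durable reference.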
diff --git a/queue-6.1/wifi-nl80211-reject-oversized-ema-rnr-lists.patch b/queue-6.1/wifi-nl80211-reject-oversized-ema-rnr-lists.patch new file mode 100644 index 0000000000..55f7ee300d --- /dev/null +++ b/queue-6.1/wifi-nl80211-reject-oversized-ema-rnr-lists.patch @@ -0,0 +1,45 @@ +From 4cd92957e8f8cc4ebfe8a5d4203c14c592fde6b1 Mon Sep 17 00:00:00 2001 +From: Yuqi Xu +Date: Fri, 29 May 2026 23:25:37 +0800 +Subject: wifi: nl80211: reject oversized EMA RNR lists + +From: Yuqi Xu + +commit 4cd92957e8f8cc4ebfe8a5d4203c14c592fde6b1 upstream. + +nl80211_parse_rnr_elems() stores the parsed element count in a +u8-backed cfg80211_rnr_elems::cnt field and uses that count to size +the flexible array allocation. + +Reject nested NL80211_ATTR_EMA_RNR_ELEMS input once the count reaches +255, before incrementing it again. This keeps the parser aligned with +the data structure it fills and matches the existing bound check used +by nl80211_parse_mbssid_elems(). + +Fixes: dbbb27e183b1 ("cfg80211: support RNR for EMA AP") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Zhengchuan Liang +Reported-by: Xin Liu +Assisted-by: Codex:gpt-5.4 +Signed-off-by: Yuqi Xu +Signed-off-by: Ren Wei +Link: https://patch.msgid.link/20260529152542.1412734-1-n05ec@lzu.edu.cn +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/nl80211.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -5478,6 +5478,9 @@ nl80211_parse_rnr_elems(struct wiphy *wi + if (ret) + return ERR_PTR(ret); + ++ if (num_elems >= 255) ++ return ERR_PTR(-EINVAL); ++ + num_elems++; + } + diff --git a/queue-6.1/xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch b/queue-6.1/xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch new file mode 100644 index 0000000000..1e9e77972b --- /dev/null +++ b/queue-6.1/xfrm-espintcp-do-not-reuse-an-in-progress-partial-send.patch 
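Review bot: the bound is written as the literal `255` while the commit message explains it exists because `cfg80211_rnr_elems::cnt` is a u8; expressing it as `U8_MAX`, or better as a limit derived from the field's type, ties the check to its reason so that a later widening of `cnt` does not leave a stale magic number silently rejecting valid input. Placing the check before `num_elems++` and returning `ERR_PTR(-EINVAL)` from inside the loop is consistent with the existing `if (ret) return ERR_PTR(ret);` just above, so no allocation is leaked on the new path.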
@@ -0,0 +1,59 @@ +From c381039ade2e161ab08c0eda73c4f8b9a7115928 Mon Sep 17 00:00:00 2001 +From: Wyatt Feng +Date: Wed, 3 Jun 2026 00:46:27 +0800 +Subject: xfrm: espintcp: do not reuse an in-progress partial send + +From: Wyatt Feng + +commit c381039ade2e161ab08c0eda73c4f8b9a7115928 upstream. + +espintcp keeps a single in-flight transmit in ctx->partial. +Before building a new sk_msg, espintcp_sendmsg() first tries to flush +that state through espintcp_push_msgs(). + +For blocking callers, espintcp_push_msgs() may return success even when +the previous partial send is still pending. espintcp_sendmsg() would +then reinitialize emsg->skmsg and reuse ctx->partial while the old +transfer still owns that state. + +Do not rebuild the send message when ctx->partial is still in progress. +If espintcp_push_msgs() returns with emsg->len still set, fail the new +send instead of overwriting the live partial state. + +This is a memory-safety fix: reusing the live partial-send state can +leave a stale offset attached to a new sk_msg and lead to an out-of- +bounds read in the send path. + +tcp_sendmsg_locked() already handles waiting for send buffer memory, so +the fix here is just to preserve espintcp's one-message-at-a-time +transmit state. + +Fixes: e27cca96cd68 ("xfrm: add espintcp (RFC 8229)") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Zhengchuan Liang +Reported-by: Xin Liu +Assisted-by: Codex:GPT-5.4 +Signed-off-by: Wyatt Feng +Signed-off-by: Ren Wei +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/espintcp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/xfrm/espintcp.c ++++ b/net/xfrm/espintcp.c +@@ -340,6 +340,10 @@ static int espintcp_sendmsg(struct sock + err = -ENOBUFS; + goto unlock; + } ++ if (emsg->len) { ++ err = -ENOBUFS; ++ goto unlock; ++ } + + sk_msg_init(&emsg->skmsg); + while (1) {
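Review bot: the new `if (emsg->len)` block returns the same `-ENOBUFS` as the failure immediately above it, so a caller cannot tell "the previous partial send is still in flight" from the earlier error; either fold the two conditions into one `if` or add a comment above the new block stating that a non-zero `emsg->len` after `espintcp_push_msgs()` means `ctx->partial` is still owned by the previous transfer and must not be reinitialized by `sk_msg_init()`. The commit message should also spell out the user-visible change: a blocking sender whose previous partial send is still pending now gets an error where it formerly proceeded (and corrupted `ctx->partial`), so userspace must be prepared to retry; the message's pointer to `tcp_sendmsg_locked()` handling the buffer wait is the justification and belongs next to that statement.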