From: Greg Kroah-Hartman
Date: Sun, 14 Jun 2026 17:33:51 +0000 (+0200)
Subject: 6.12-stable patches
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b98add11f8975fe2492b516f4f71637c0594b045;p=thirdparty%2Fkernel%2Fstable-queue.git
6.12-stable patches
added patches:
i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch
ipv6-mcast-fix-use-after-free-when-processing-mld-queries.patch
net-smc-fix-sleep-inside-lock-in-__smc_setsockopt-causing-local-dos.patch
---
diff --git a/queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch b/queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch
new file mode 100644
index 0000000000..7c447c17fe
--- /dev/null
+++ b/queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch
@@ -0,0 +1,60 @@
+From 617eb7c0961a8dfcfc811844a6396e406b2923ea Mon Sep 17 00:00:00 2001
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+Date: Mon, 27 Apr 2026 10:57:45 +0800
+Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+commit 617eb7c0961a8dfcfc811844a6396e406b2923ea upstream.
+
+While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
+timeout value` warning was observed, accompanied by SMBus controller
+state machine corruption.
+
+The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
+10 ms. The user argument is checked against INT_MAX, but it is
+subsequently multiplied by 10 before being passed to msecs_to_jiffies().
+
+A malicious user can pass a large value (e.g., 429496729) that passes
+the `arg > INT_MAX` check but overflows when multiplied by 10. This
+results in a truncated 32-bit unsigned value that bypasses the
+internal `(int)m < 0` check in `msecs_to_jiffies()`.
+
+The truncated value is then assigned to `client->adapter->timeout`
+(a signed 32-bit int), which is reinterpreted as a negative number.
+When passed to wait_for_completion_timeout(), this negative value
+undergoes sign extension to a 64-bit unsigned long, triggering the
+`schedule_timeout` warning and causing premature returns. This leaves
+the SMBus state machine in an unrecoverable state, constituting a
+local Denial of Service (DoS).
+
+Fix this by bounding the user argument to `INT_MAX / 10`.
+
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+[wsa: move the comment as well]
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/i2c-dev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/i2c-dev.c
++++ b/drivers/i2c/i2c-dev.c
+@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *fi
+ client->adapter->retries = arg;
+ break;
+ case I2C_TIMEOUT:
+- if (arg > INT_MAX)
++ /*
++ * For historical reasons, user-space sets the timeout value in
++ * units of 10 ms.
++ */
++ if (arg > INT_MAX / 10)
+ return -EINVAL;
+
+- /* For historical reasons, user-space sets the timeout
+- * value in units of 10 ms.
+- */
+ client->adapter->timeout = msecs_to_jiffies(arg * 10);
+ break;
+ default:
diff --git a/queue-6.12/ipv6-mcast-fix-use-after-free-when-processing-mld-queries.patch b/queue-6.12/ipv6-mcast-fix-use-after-free-when-processing-mld-queries.patch
new file mode 100644
index 0000000000..b7c27c0b86
--- /dev/null
+++ b/queue-6.12/ipv6-mcast-fix-use-after-free-when-processing-mld-queries.patch
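Review bot: The new bound `if (arg > INT_MAX / 10)` is right, but the comment moved above it still only explains the 10 ms unit, not why the limit is divided by 10, so the divisor reads as a magic number; I would add one more line to that comment block: `* Bound arg so that arg * 10 cannot exceed INT_MAX before it is narrowed to the unsigned int msecs_to_jiffies() takes.` The lower end stays unchecked: an `arg` of 0 still reaches `msecs_to_jiffies(0)` and is stored as a zero timeout, which is pre-existing behaviour and may be intended, but nothing in the hunk says so. The enclosing i2cdev_ioctl() and its switch start and end outside the hunk.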
@@ -0,0 +1,102 @@
+From 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 Mon Sep 17 00:00:00 2001
+From: Ido Schimmel
+Date: Wed, 3 Jun 2026 13:18:11 +0300
+Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
+
+From: Ido Schimmel
+
+commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 upstream.
+
+When processing an MLD query, a pointer to the multicast group address
+is retrieved when initially parsing the packet. This pointer is later
+dereferenced without being reloaded despite the fact that the skb header
+might have been reallocated following the pskb_may_pull() calls, leading
+to a use-after-free [1].
+
+Fix by copying the multicast group address when the packet is initially
+parsed.
+
+[1]
+BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
+Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
+
+Workqueue: mld mld_query_work
+Call Trace:
+
+dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
+print_address_description.constprop.0 (mm/kasan/report.c:378)
+print_report (mm/kasan/report.c:482)
+kasan_report (mm/kasan/report.c:595)
+__mld_query_work (net/ipv6/mcast.c:1512)
+mld_query_work (net/ipv6/mcast.c:1563)
+process_one_work (kernel/workqueue.c:3314)
+worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
+kthread (kernel/kthread.c:436)
+ret_from_fork (arch/x86/kernel/process.c:158)
+ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
+
+
+[...]
+
+Freed by task 118:
+kasan_save_stack (mm/kasan/common.c:57)
+kasan_save_track (mm/kasan/common.c:78)
+kasan_save_free_info (mm/kasan/generic.c:584)
+__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
+kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
+pskb_expand_head (net/core/skbuff.c:2335)
+__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
+__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
+mld_query_work (net/ipv6/mcast.c:1563)
+process_one_work (kernel/workqueue.c:3314)
+worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
+kthread (kernel/kthread.c:436)
+ret_from_fork (arch/x86/kernel/process.c:158)
+ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
+
+Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
+Reported-by: Leo Lin
+Reviewed-by: David Ahern
+Signed-off-by: Ido Schimmel
+Reviewed-by: Eric Dumazet
+Reviewed-by: Jiayuan Chen
+Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/mcast.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -1393,9 +1393,9 @@ out:
+ static void __mld_query_work(struct sk_buff *skb)
+ {
+ struct mld2_query *mlh2 = NULL;
+- const struct in6_addr *group;
+ unsigned long max_delay;
+ struct inet6_dev *idev;
++ struct in6_addr group;
+ struct ifmcaddr6 *ma;
+ struct mld_msg *mld;
+ int group_type;
+@@ -1427,8 +1427,8 @@ static void __mld_query_work(struct sk_b
+ goto kfree_skb;
+
+ mld = (struct mld_msg *)icmp6_hdr(skb);
+- group = &mld->mld_mca;
+- group_type = ipv6_addr_type(group);
++ group = mld->mld_mca;
++ group_type = ipv6_addr_type(&group);
+
+ if (group_type != IPV6_ADDR_ANY &&
+ !(group_type&IPV6_ADDR_MULTICAST))
+@@ -1478,7 +1478,7 @@ static void __mld_query_work(struct sk_b
+ }
+ } else {
+ for_each_mc_mclock(idev, ma) {
+- if (!ipv6_addr_equal(group, &ma->mca_addr))
++ if (!ipv6_addr_equal(&group, &ma->mca_addr))
+ continue;
+ if (ma->mca_flags & MAF_TIMER_RUNNING) {
+ /* gsquery <- gsquery && mark */
diff --git a/queue-6.12/net-smc-fix-sleep-inside-lock-in-__smc_setsockopt-causing-local-dos.patch b/queue-6.12/net-smc-fix-sleep-inside-lock-in-__smc_setsockopt-causing-local-dos.patch
new file mode 100644
index 0000000000..c60e0c6e4d
--- /dev/null
+++ b/queue-6.12/net-smc-fix-sleep-inside-lock-in-__smc_setsockopt-causing-local-dos.patch
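Review bot: The new by-value copy `group = mld->mld_mca;` carries no hint in the code of why a copy rather than a pointer is needed, so a later cleanup could plausibly turn it back into `&mld->mld_mca` and reintroduce the use-after-free; I would put `/* Copy, not point: a later pskb_may_pull() may reallocate the header and free what mld points at. */` on the line above it. The `mld` pointer itself is still live after the copy, and whether it is dereferenced again after the pull that the KASAN report attributes to __mld_query_work is not visible in this hunk; if it is, that use needs the same treatment. __mld_query_work() continues well past the hunk.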
@@ -0,0 +1,71 @@
+From a3fdd924d88c30b9f488636ce0e4696012cf5511 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nicol=C3=B2=20Coccia?=
+Date: Sun, 10 May 2026 12:34:13 -0400
+Subject: net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nicolò Coccia
+
+commit a3fdd924d88c30b9f488636ce0e4696012cf5511 upstream.
+
+A logic flaw in __smc_setsockopt() allows a local unprivileged user to
+cause a Denial of Service (DoS) by holding the socket lock indefinitely.
+
+The function __smc_setsockopt() calls copy_from_sockptr() while holding
+lock_sock(sk). By passing a userfaultfd-monitored memory page (or
+FUSE-backed memory on systems where unprivileged userfaultfd is disabled)
+as the optval, an attacker can halt execution during the copy operation,
+keeping the lock held.
+
+Combined with asynchronous tear-down operations like shutdown(), this
+exhausts the kernel wq (kworkers) and triggers the hung task watchdog.
+
+[ 240.123456] INFO: task kworker/u8:2 blocked for more than 120 seconds.
+[ 240.123489] Call Trace:
+[ 240.123501] smc_shutdown+...
+[ 240.123512] lock_sock_nested+...
+
+This patch moves the user-space copy outside the lock_sock() critical
+section to prevent the issue.
+
+Fixes: a6a6fe27bab4 ("net/smc: Dynamic control handshake limitation by socket options")
+Signed-off-by: Nicolò Coccia
+Reviewed-by: Dust Li
+Tested-by: Dust Li
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/smc/af_smc.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -3060,18 +3060,17 @@ static int __smc_setsockopt(struct socke
+
+ smc = smc_sk(sk);
+
++ /* pre-fetch user data outside the lock */
++ if (optname == SMC_LIMIT_HS) {
++ if (optlen < sizeof(int))
++ return -EINVAL;
++ if (copy_from_sockptr(&val, optval, sizeof(int)))
++ return -EFAULT;
++ }
++
+ lock_sock(sk);
+ switch (optname) {
+ case SMC_LIMIT_HS:
+- if (optlen < sizeof(int)) {
+- rc = -EINVAL;
+- break;
+- }
+- if (copy_from_sockptr(&val, optval, sizeof(int))) {
+- rc = -EFAULT;
+- break;
+- }
+-
+ smc->limit_smc_hs = !!val;
+ rc = 0;
+ break;
diff --git a/queue-6.12/series b/queue-6.12/series
index 10876eb595..39bed0f510 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -6,3 +6,6 @@ arm-fix-hash_name-fault.patch
 arm-fix-branch-predictor-hardening.patch
 net-phy-micrel-fix-lan8814-qsgmii-soft-reset.patch
 wifi-remove-zero-length-arrays.patch
+i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioctl.patch
+ipv6-mcast-fix-use-after-free-when-processing-mld-queries.patch
+net-smc-fix-sleep-inside-lock-in-__smc_setsockopt-causing-local-dos.patch
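Review bot: The pre-lock block guarded by `if (optname == SMC_LIMIT_HS)` repeats the option dispatch that the switch under lock_sock() performs again, so any option added later that also reads optval has to be added in both places or it silently brings the user copy back under the socket lock; the comment should state the constraint rather than the mechanics, e.g. `/* copy_from_sockptr() can block on a user page fault, so it must never run under lock_sock(); every optval read belongs here, not in the switch */`. The `case SMC_LIMIT_HS:` body now depends on `val` having been filled by that block, which holds for the one option shown, but `val`'s declaration and any initialisation are outside the hunk, so a second reader should confirm no other case consumes it. __smc_setsockopt() starts and ends outside the hunk.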