From: Sasha Levin Date: Mon, 8 Jun 2026 00:19:38 +0000 (-0400) Subject: drop 4 patches based on RC review feedback X-Git-Tag: v6.12.93~9 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bebad396ebf699e9e385a5564919d88014b7e3b2;p=thirdparty%2Fkernel%2Fstable-queue.git drop 4 patches based on RC review feedback Dropped patches: - "KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor" Queues: 6.18 Reason: maintainer (Marc Zyngier) drop request - does not backport cleanly before 7.0; 6.18 build break ('resx' undeclared, too few args to set_sysreg_masks). Kept in 7.0 where the struct-resx API matches. Report: https://lore.kernel.org/stable/87y0gq8cov.wl-maz@kernel.org/ - "kernel/fork: validate exit_signal in kernel_clone()" Queues: 7.0, 6.18, 6.12, 6.6, 6.1, 5.15, 5.10 Reason: co-author/Acked-by Oleg Nesterov says not -stable material; it is prep for un-backported commit 0f8e38eeb995b and is a user-visible behavior change. Report: https://lore.kernel.org/stable/aiVOEKt9QL5cvkwz@redhat.com/ - "esp: fix page frag reference leak on skb_to_sgvec failure" Queues: 7.0 Reason: upstream commit reverted by 6851161feb01 (Steffen Klassert) - does not fully fix the issue. Report: https://lore.kernel.org/stable/dd36757c-62b3-476e-bc9f-09231c495ebc@kernel.org/ - "gpib: cb7210: Fix region leak when request_irq fails" Queues: 7.0, 6.18 Reason: upstream commit reverted by 05d5d79440c2 (Greg KH) - "turns out not to be correct"; release_region() on never-acquired region. Report: https://lore.kernel.org/stable/148e4311-5d45-4c89-b93d-898282282f7b@kernel.org/ Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/kernel-fork-validate-exit_signal-in-kernel_clone.patch b/queue-5.10/kernel-fork-validate-exit_signal-in-kernel_clone.patch deleted file mode 100644 index 4c30f726b6..0000000000 --- a/queue-5.10/kernel-fork-validate-exit_signal-in-kernel_clone.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From a0005d47f58bc6f93e86a11077474ff6486760e2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 16 Mar 2026 20:49:56 +0530 -Subject: kernel/fork: validate exit_signal in kernel_clone() - -From: Deepanshu Kartikey - -[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ] - -When a child process exits, it sends exit_signal to its parent via -do_notify_parent(). The clone() syscall constructs exit_signal as: - -(lower_32_bits(clone_flags) & CSIGNAL) - -CSIGNAL is 0xff, so values in the range 65-255 are possible. However, -valid_signal() only accepts signals up to _NSIG (64 on x86_64). A -non-zero non-valid exit_signal acts the same as exit_signal == 0: the -parent process is not signaled when the child terminates. - -The syzkaller reproducer triggers this by calling clone() with flags=0x80, -resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and -is not a valid signal. - -The v1 of this patch added the check only in the clone() syscall handler, -which is incomplete. kernel_clone() has other callers such as -sys_ia32_clone() which would remain unprotected. Move the check to -kernel_clone() to cover all callers. - -Since the valid_signal() check is now in kernel_clone() and covers all -callers including clone3(), the same check in copy_clone_args_from_user() -becomes redundant and is removed. The higher 32bits check for clone3() is -kept as it is clone3() specific. - -Note that this is a user-visible change: previously, passing an invalid -exit_signal to clone() was silently accepted. The man page for clone() -does not document any defined behavior for invalid exit_signal values, so -rejecting them with -EINVAL is the correct behavior. It is unlikely that -any sane application relies on passing an invalid exit_signal. 
- -[oleg@redhat.com: the comment above kernel_clone() should be updated] - Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com -Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com -Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features") -Signed-off-by: Deepanshu Kartikey -Signed-off-by: Oleg Nesterov -Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de -Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1] -Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2] -Acked-by: Oleg Nesterov -Acked-by: Michal Hocko -Cc: Ben Segall -Cc: Christian Brauner -Cc: David Hildenbrand -Cc: Dietmar Eggemann -Cc: Ingo Molnar -Cc: Juri Lelli -Cc: Kees Cook -Cc: Liam Howlett -Cc: Lorenzo Stoakes (Oracle) -Cc: Mel Gorman -Cc: Mike Rapoport -Cc: Peter Zijlstra -Cc: Steven Rostedt -Cc: Suren Baghdasaryan -Cc: Valentin Schneider -Cc: Vincent Guittot -Cc: Vlastimil Babka -Cc: Tetsuo Handa -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - kernel/fork.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/kernel/fork.c b/kernel/fork.c -index 531de2d1b3bfeb..d35416380c6344 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -2535,8 +2535,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node) - * - * It copies the process, and if successful kick-starts - * it and waits for it to finish using the VM if required. -- * -- * args->exit_signal is expected to be checked for sanity by the caller. 
- */ - pid_t kernel_clone(struct kernel_clone_args *args) - { -@@ -2561,6 +2559,9 @@ pid_t kernel_clone(struct kernel_clone_args *args) - (args->pidfd == args->parent_tid)) - return -EINVAL; - -+ if (!valid_signal(args->exit_signal)) -+ return -EINVAL; -+ - /* - * Determine whether and which event to report to ptracer. When - * called from kernel_thread or CLONE_UNTRACED is explicitly -@@ -2737,11 +2738,9 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs, - return -EINVAL; - - /* -- * Verify that higher 32bits of exit_signal are unset and that -- * it is a valid signal -+ * Verify that higher 32bits of exit_signal are unset - */ -- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) || -- !valid_signal(args.exit_signal))) -+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL))) - return -EINVAL; - - if ((args.flags & CLONE_INTO_CGROUP) && --- -2.53.0 - diff --git a/queue-5.10/series b/queue-5.10/series index 5c70e50000..9c50c581f3 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -8,7 +8,6 @@ nfc-llcp-fix-use-after-free-in-llcp_sock_release.patch nfc-llcp-fix-use-after-free-race-in-nfc_llcp_recv_cc.patch xfrm-check-for-underflow-in-xfrm_state_mtu.patch nfc-nxp-nci-i2c-use-rising-edge-irq-on-acpi-systems.patch -kernel-fork-validate-exit_signal-in-kernel_clone.patch netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch netfilter-xt_cpu-prefer-raw_smp_processor_id.patch netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch diff --git a/queue-5.15/kernel-fork-validate-exit_signal-in-kernel_clone.patch b/queue-5.15/kernel-fork-validate-exit_signal-in-kernel_clone.patch deleted file mode 100644 index e376e672c0..0000000000 --- a/queue-5.15/kernel-fork-validate-exit_signal-in-kernel_clone.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From a672b7dc40692524e3cd2127ccf43f1bb8109361 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 16 Mar 2026 20:49:56 +0530 -Subject: kernel/fork: validate exit_signal in kernel_clone() - -From: Deepanshu Kartikey - -[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ] - -When a child process exits, it sends exit_signal to its parent via -do_notify_parent(). The clone() syscall constructs exit_signal as: - -(lower_32_bits(clone_flags) & CSIGNAL) - -CSIGNAL is 0xff, so values in the range 65-255 are possible. However, -valid_signal() only accepts signals up to _NSIG (64 on x86_64). A -non-zero non-valid exit_signal acts the same as exit_signal == 0: the -parent process is not signaled when the child terminates. - -The syzkaller reproducer triggers this by calling clone() with flags=0x80, -resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and -is not a valid signal. - -The v1 of this patch added the check only in the clone() syscall handler, -which is incomplete. kernel_clone() has other callers such as -sys_ia32_clone() which would remain unprotected. Move the check to -kernel_clone() to cover all callers. - -Since the valid_signal() check is now in kernel_clone() and covers all -callers including clone3(), the same check in copy_clone_args_from_user() -becomes redundant and is removed. The higher 32bits check for clone3() is -kept as it is clone3() specific. - -Note that this is a user-visible change: previously, passing an invalid -exit_signal to clone() was silently accepted. The man page for clone() -does not document any defined behavior for invalid exit_signal values, so -rejecting them with -EINVAL is the correct behavior. It is unlikely that -any sane application relies on passing an invalid exit_signal. 
- -[oleg@redhat.com: the comment above kernel_clone() should be updated] - Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com -Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com -Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features") -Signed-off-by: Deepanshu Kartikey -Signed-off-by: Oleg Nesterov -Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de -Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1] -Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2] -Acked-by: Oleg Nesterov -Acked-by: Michal Hocko -Cc: Ben Segall -Cc: Christian Brauner -Cc: David Hildenbrand -Cc: Dietmar Eggemann -Cc: Ingo Molnar -Cc: Juri Lelli -Cc: Kees Cook -Cc: Liam Howlett -Cc: Lorenzo Stoakes (Oracle) -Cc: Mel Gorman -Cc: Mike Rapoport -Cc: Peter Zijlstra -Cc: Steven Rostedt -Cc: Suren Baghdasaryan -Cc: Valentin Schneider -Cc: Vincent Guittot -Cc: Vlastimil Babka -Cc: Tetsuo Handa -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - kernel/fork.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/kernel/fork.c b/kernel/fork.c -index eb772b1e819f2f..faf9d68fae3029 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -2632,8 +2632,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node) - * - * It copies the process, and if successful kick-starts - * it and waits for it to finish using the VM if required. -- * -- * args->exit_signal is expected to be checked for sanity by the caller. 
- */ - pid_t kernel_clone(struct kernel_clone_args *args) - { -@@ -2658,6 +2656,9 @@ pid_t kernel_clone(struct kernel_clone_args *args) - (args->pidfd == args->parent_tid)) - return -EINVAL; - -+ if (!valid_signal(args->exit_signal)) -+ return -EINVAL; -+ - /* - * Determine whether and which event to report to ptracer. When - * called from kernel_thread or CLONE_UNTRACED is explicitly -@@ -2834,11 +2835,9 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs, - return -EINVAL; - - /* -- * Verify that higher 32bits of exit_signal are unset and that -- * it is a valid signal -+ * Verify that higher 32bits of exit_signal are unset - */ -- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) || -- !valid_signal(args.exit_signal))) -+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL))) - return -EINVAL; - - if ((args.flags & CLONE_INTO_CGROUP) && --- -2.53.0 - diff --git a/queue-5.15/series b/queue-5.15/series index e7bdca0a69..f70d3e7e28 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -9,7 +9,6 @@ nfc-llcp-fix-use-after-free-in-llcp_sock_release.patch nfc-llcp-fix-use-after-free-race-in-nfc_llcp_recv_cc.patch xfrm-check-for-underflow-in-xfrm_state_mtu.patch nfc-nxp-nci-i2c-use-rising-edge-irq-on-acpi-systems.patch -kernel-fork-validate-exit_signal-in-kernel_clone.patch netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch netfilter-xt_cpu-prefer-raw_smp_processor_id.patch netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch diff --git a/queue-6.1/kernel-fork-validate-exit_signal-in-kernel_clone.patch b/queue-6.1/kernel-fork-validate-exit_signal-in-kernel_clone.patch deleted file mode 100644 index 8f74d4f6de..0000000000 --- a/queue-6.1/kernel-fork-validate-exit_signal-in-kernel_clone.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From b8ed18def3adb8737a3547e5363196f58fd7c05e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 16 Mar 2026 20:49:56 +0530 -Subject: kernel/fork: validate exit_signal in kernel_clone() - -From: Deepanshu Kartikey - -[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ] - -When a child process exits, it sends exit_signal to its parent via -do_notify_parent(). The clone() syscall constructs exit_signal as: - -(lower_32_bits(clone_flags) & CSIGNAL) - -CSIGNAL is 0xff, so values in the range 65-255 are possible. However, -valid_signal() only accepts signals up to _NSIG (64 on x86_64). A -non-zero non-valid exit_signal acts the same as exit_signal == 0: the -parent process is not signaled when the child terminates. - -The syzkaller reproducer triggers this by calling clone() with flags=0x80, -resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and -is not a valid signal. - -The v1 of this patch added the check only in the clone() syscall handler, -which is incomplete. kernel_clone() has other callers such as -sys_ia32_clone() which would remain unprotected. Move the check to -kernel_clone() to cover all callers. - -Since the valid_signal() check is now in kernel_clone() and covers all -callers including clone3(), the same check in copy_clone_args_from_user() -becomes redundant and is removed. The higher 32bits check for clone3() is -kept as it is clone3() specific. - -Note that this is a user-visible change: previously, passing an invalid -exit_signal to clone() was silently accepted. The man page for clone() -does not document any defined behavior for invalid exit_signal values, so -rejecting them with -EINVAL is the correct behavior. It is unlikely that -any sane application relies on passing an invalid exit_signal. 
- -[oleg@redhat.com: the comment above kernel_clone() should be updated] - Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com -Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com -Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features") -Signed-off-by: Deepanshu Kartikey -Signed-off-by: Oleg Nesterov -Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de -Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1] -Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2] -Acked-by: Oleg Nesterov -Acked-by: Michal Hocko -Cc: Ben Segall -Cc: Christian Brauner -Cc: David Hildenbrand -Cc: Dietmar Eggemann -Cc: Ingo Molnar -Cc: Juri Lelli -Cc: Kees Cook -Cc: Liam Howlett -Cc: Lorenzo Stoakes (Oracle) -Cc: Mel Gorman -Cc: Mike Rapoport -Cc: Peter Zijlstra -Cc: Steven Rostedt -Cc: Suren Baghdasaryan -Cc: Valentin Schneider -Cc: Vincent Guittot -Cc: Vlastimil Babka -Cc: Tetsuo Handa -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - kernel/fork.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/kernel/fork.c b/kernel/fork.c -index db2a9016f636f4..9931ee7e1dfa4a 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -2717,8 +2717,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node) - * - * It copies the process, and if successful kick-starts - * it and waits for it to finish using the VM if required. -- * -- * args->exit_signal is expected to be checked for sanity by the caller. 
- */ - pid_t kernel_clone(struct kernel_clone_args *args) - { -@@ -2743,6 +2741,9 @@ pid_t kernel_clone(struct kernel_clone_args *args) - (args->pidfd == args->parent_tid)) - return -EINVAL; - -+ if (!valid_signal(args->exit_signal)) -+ return -EINVAL; -+ - /* - * Determine whether and which event to report to ptracer. When - * called from kernel_thread or CLONE_UNTRACED is explicitly -@@ -2943,11 +2944,9 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs, - return -EINVAL; - - /* -- * Verify that higher 32bits of exit_signal are unset and that -- * it is a valid signal -+ * Verify that higher 32bits of exit_signal are unset - */ -- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) || -- !valid_signal(args.exit_signal))) -+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL))) - return -EINVAL; - - if ((args.flags & CLONE_INTO_CGROUP) && --- -2.53.0 - diff --git a/queue-6.1/series b/queue-6.1/series index bfa0b44c6e..e54251a6eb 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -10,7 +10,6 @@ xfrm-check-for-underflow-in-xfrm_state_mtu.patch nfc-nxp-nci-i2c-use-rising-edge-irq-on-acpi-systems.patch tools-bootconfig-cleanup-bootconfig-footer-size-calc.patch tools-bootconfig-fix-buf-leaks-in-apply_xbc.patch -kernel-fork-validate-exit_signal-in-kernel_clone.patch netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch netfilter-xt_cpu-prefer-raw_smp_processor_id.patch netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch diff --git a/queue-6.12/kernel-fork-validate-exit_signal-in-kernel_clone.patch b/queue-6.12/kernel-fork-validate-exit_signal-in-kernel_clone.patch deleted file mode 100644 index 92079d7824..0000000000 --- a/queue-6.12/kernel-fork-validate-exit_signal-in-kernel_clone.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From a82d548757479b3ca17d9a83621823a9b630a9c5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 16 Mar 2026 20:49:56 +0530 -Subject: kernel/fork: validate exit_signal in kernel_clone() - -From: Deepanshu Kartikey - -[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ] - -When a child process exits, it sends exit_signal to its parent via -do_notify_parent(). The clone() syscall constructs exit_signal as: - -(lower_32_bits(clone_flags) & CSIGNAL) - -CSIGNAL is 0xff, so values in the range 65-255 are possible. However, -valid_signal() only accepts signals up to _NSIG (64 on x86_64). A -non-zero non-valid exit_signal acts the same as exit_signal == 0: the -parent process is not signaled when the child terminates. - -The syzkaller reproducer triggers this by calling clone() with flags=0x80, -resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and -is not a valid signal. - -The v1 of this patch added the check only in the clone() syscall handler, -which is incomplete. kernel_clone() has other callers such as -sys_ia32_clone() which would remain unprotected. Move the check to -kernel_clone() to cover all callers. - -Since the valid_signal() check is now in kernel_clone() and covers all -callers including clone3(), the same check in copy_clone_args_from_user() -becomes redundant and is removed. The higher 32bits check for clone3() is -kept as it is clone3() specific. - -Note that this is a user-visible change: previously, passing an invalid -exit_signal to clone() was silently accepted. The man page for clone() -does not document any defined behavior for invalid exit_signal values, so -rejecting them with -EINVAL is the correct behavior. It is unlikely that -any sane application relies on passing an invalid exit_signal. 
- -[oleg@redhat.com: the comment above kernel_clone() should be updated] - Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com -Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com -Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features") -Signed-off-by: Deepanshu Kartikey -Signed-off-by: Oleg Nesterov -Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de -Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1] -Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2] -Acked-by: Oleg Nesterov -Acked-by: Michal Hocko -Cc: Ben Segall -Cc: Christian Brauner -Cc: David Hildenbrand -Cc: Dietmar Eggemann -Cc: Ingo Molnar -Cc: Juri Lelli -Cc: Kees Cook -Cc: Liam Howlett -Cc: Lorenzo Stoakes (Oracle) -Cc: Mel Gorman -Cc: Mike Rapoport -Cc: Peter Zijlstra -Cc: Steven Rostedt -Cc: Suren Baghdasaryan -Cc: Valentin Schneider -Cc: Vincent Guittot -Cc: Vlastimil Babka -Cc: Tetsuo Handa -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - kernel/fork.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/kernel/fork.c b/kernel/fork.c -index c4955cffcb6f4e..1f306743832b3e 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -2773,8 +2773,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node) - * - * It copies the process, and if successful kick-starts - * it and waits for it to finish using the VM if required. -- * -- * args->exit_signal is expected to be checked for sanity by the caller. 
- */ - pid_t kernel_clone(struct kernel_clone_args *args) - { -@@ -2799,6 +2797,9 @@ pid_t kernel_clone(struct kernel_clone_args *args) - (args->pidfd == args->parent_tid)) - return -EINVAL; - -+ if (!valid_signal(args->exit_signal)) -+ return -EINVAL; -+ - /* - * Determine whether and which event to report to ptracer. When - * called from kernel_thread or CLONE_UNTRACED is explicitly -@@ -2999,11 +3000,9 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs, - return -EINVAL; - - /* -- * Verify that higher 32bits of exit_signal are unset and that -- * it is a valid signal -+ * Verify that higher 32bits of exit_signal are unset - */ -- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) || -- !valid_signal(args.exit_signal))) -+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL))) - return -EINVAL; - - if ((args.flags & CLONE_INTO_CGROUP) && --- -2.53.0 - diff --git a/queue-6.12/series b/queue-6.12/series index 567a975235..a1f8af8c7e 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -27,7 +27,6 @@ nfc-llcp-fix-use-after-free-race-in-nfc_llcp_recv_cc.patch xfrm-check-for-underflow-in-xfrm_state_mtu.patch nfc-nxp-nci-i2c-use-rising-edge-irq-on-acpi-systems.patch kunit-fix-use-after-free-in-debugfs-when-using-kunit.patch -kernel-fork-validate-exit_signal-in-kernel_clone.patch netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch netfilter-xt_cpu-prefer-raw_smp_processor_id.patch netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch diff --git a/queue-6.18/gpib-cb7210-fix-region-leak-when-request_irq-fails.patch b/queue-6.18/gpib-cb7210-fix-region-leak-when-request_irq-fails.patch deleted file mode 100644 index 46f90c24fa..0000000000 --- a/queue-6.18/gpib-cb7210-fix-region-leak-when-request_irq-fails.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 2eae90a457baa0048a96ed38ad93090ee38c8b2f Mon Sep 17 00:00:00 2001 -From: Hongling Zeng -Date: Mon, 18 May 2026 10:29:39 +0800 -Subject: gpib: cb7210: Fix region leak when request_irq fails - -From: Hongling Zeng - -commit 2eae90a457baa0048a96ed38ad93090ee38c8b2f upstream. - -When request_irq() fails, the region allocated by request_region() -is not released. Fix this by adding an error handling path with -proper goto labels to release the region. - -Fixes: e9dc69956d4d ("staging: gpib: Add Computer Boards GPIB driver") -Closes: https://lore.kernel.org/oe-kbuild-all/202605160620.ReBOadPX-lkp@intel.com/ -Signed-off-by: Hongling Zeng -Cc: stable -Link: https://patch.msgid.link/20260518022939.16881-1-zenghongling@kylinos.cn -Signed-off-by: Greg Kroah-Hartman ---- - drivers/staging/gpib/cb7210/cb7210.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - ---- a/drivers/staging/gpib/cb7210/cb7210.c -+++ b/drivers/staging/gpib/cb7210/cb7210.c -@@ -1048,7 +1048,8 @@ static int cb_isa_attach(struct gpib_boa - if (!request_region(config->ibbase, cb7210_iosize, DRV_NAME)) { - dev_err(board->gpib_dev, "ioports starting at 0x%x are already in use\n", - config->ibbase); -- return -EBUSY; -+ retval = -EBUSY; -+ goto err_release_region; - } - nec_priv->iobase = config->ibbase; - cb_priv->fifo_iobase = nec7210_iobase(cb_priv); -@@ -1061,11 +1062,16 @@ static int cb_isa_attach(struct gpib_boa - // install interrupt handler - if (request_irq(config->ibirq, cb7210_interrupt, isr_flags, DRV_NAME, board)) { - dev_err(board->gpib_dev, "failed to obtain IRQ %d\n", config->ibirq); -- return -EBUSY; -+ retval = -EBUSY; -+ goto err_release_region; - } - cb_priv->irq = config->ibirq; - - return cb7210_init(cb_priv, board); -+ -+err_release_region: -+ release_region(nec7210_iobase(cb_priv), cb7210_iosize); -+ return retval; - } - - static void cb_isa_detach(struct gpib_board *board) 
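Review bot: the dropped gpib backport's own hunk confirms the revert reason given in the commit message: in cb_isa_attach() the request_region() failure branch was changed to `retval = -EBUSY; goto err_release_region;`, and that label unconditionally runs `release_region(nec7210_iobase(cb_priv), cb7210_iosize);`, so a region that was never acquired gets released. A correct fix would keep a plain `return -EBUSY;` on the request_region() failure and jump to the release label only from the request_irq() failure path, the one place where the region actually needs freeing. One consistency check on this commit: the queue-6.18/series hunk at the end removes the kernel-fork and kvm-arm64 entries but no hunk removes gpib-cb7210-fix-region-leak-when-request_irq-fails.patch, so please confirm the file was never listed in queue-6.18/series; otherwise series would now reference a deleted file.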
diff --git a/queue-6.18/kernel-fork-validate-exit_signal-in-kernel_clone.patch b/queue-6.18/kernel-fork-validate-exit_signal-in-kernel_clone.patch deleted file mode 100644 index 508285d2b9..0000000000 --- a/queue-6.18/kernel-fork-validate-exit_signal-in-kernel_clone.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From fcca61d3635730759712bd3d6b18c31021219c96 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 16 Mar 2026 20:49:56 +0530 -Subject: kernel/fork: validate exit_signal in kernel_clone() - -From: Deepanshu Kartikey - -[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ] - -When a child process exits, it sends exit_signal to its parent via -do_notify_parent(). The clone() syscall constructs exit_signal as: - -(lower_32_bits(clone_flags) & CSIGNAL) - -CSIGNAL is 0xff, so values in the range 65-255 are possible. However, -valid_signal() only accepts signals up to _NSIG (64 on x86_64). A -non-zero non-valid exit_signal acts the same as exit_signal == 0: the -parent process is not signaled when the child terminates. - -The syzkaller reproducer triggers this by calling clone() with flags=0x80, -resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and -is not a valid signal. - -The v1 of this patch added the check only in the clone() syscall handler, -which is incomplete. kernel_clone() has other callers such as -sys_ia32_clone() which would remain unprotected. Move the check to -kernel_clone() to cover all callers. - -Since the valid_signal() check is now in kernel_clone() and covers all -callers including clone3(), the same check in copy_clone_args_from_user() -becomes redundant and is removed. The higher 32bits check for clone3() is -kept as it is clone3() specific. - -Note that this is a user-visible change: previously, passing an invalid -exit_signal to clone() was silently accepted. The man page for clone() -does not document any defined behavior for invalid exit_signal values, so -rejecting them with -EINVAL is the correct behavior. It is unlikely that -any sane application relies on passing an invalid exit_signal. 
- -[oleg@redhat.com: the comment above kernel_clone() should be updated] - Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com -Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com -Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features") -Signed-off-by: Deepanshu Kartikey -Signed-off-by: Oleg Nesterov -Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de -Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1] -Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2] -Acked-by: Oleg Nesterov -Acked-by: Michal Hocko -Cc: Ben Segall -Cc: Christian Brauner -Cc: David Hildenbrand -Cc: Dietmar Eggemann -Cc: Ingo Molnar -Cc: Juri Lelli -Cc: Kees Cook -Cc: Liam Howlett -Cc: Lorenzo Stoakes (Oracle) -Cc: Mel Gorman -Cc: Mike Rapoport -Cc: Peter Zijlstra -Cc: Steven Rostedt -Cc: Suren Baghdasaryan -Cc: Valentin Schneider -Cc: Vincent Guittot -Cc: Vlastimil Babka -Cc: Tetsuo Handa -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - kernel/fork.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/kernel/fork.c b/kernel/fork.c -index 1215d3f52c6d21..521e9d2be6f097 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -2562,8 +2562,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node) - * - * It copies the process, and if successful kick-starts - * it and waits for it to finish using the VM if required. -- * -- * args->exit_signal is expected to be checked for sanity by the caller. 
- */ - pid_t kernel_clone(struct kernel_clone_args *args) - { -@@ -2588,6 +2586,9 @@ pid_t kernel_clone(struct kernel_clone_args *args) - (args->pidfd == args->parent_tid)) - return -EINVAL; - -+ if (!valid_signal(args->exit_signal)) -+ return -EINVAL; -+ - /* - * Determine whether and which event to report to ptracer. When - * called from kernel_thread or CLONE_UNTRACED is explicitly -@@ -2786,11 +2787,9 @@ static noinline int copy_clone_args_from_user(struct kernel_clone_args *kargs, - return -EINVAL; - - /* -- * Verify that higher 32bits of exit_signal are unset and that -- * it is a valid signal -+ * Verify that higher 32bits of exit_signal are unset - */ -- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) || -- !valid_signal(args.exit_signal))) -+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL))) - return -EINVAL; - - if ((args.flags & CLONE_INTO_CGROUP) && --- -2.53.0 - diff --git a/queue-6.18/kvm-arm64-correctly-cap-zcr_el2-provided-by-a-guest-hypervisor.patch b/queue-6.18/kvm-arm64-correctly-cap-zcr_el2-provided-by-a-guest-hypervisor.patch deleted file mode 100644 index f52b03cada..0000000000 --- a/queue-6.18/kvm-arm64-correctly-cap-zcr_el2-provided-by-a-guest-hypervisor.patch +++ /dev/null 
@@ -1,159 +0,0 @@ -From 83726330748981372bde86ed5411d7b306612991 Mon Sep 17 00:00:00 2001 -From: Mark Brown -Date: Fri, 29 May 2026 00:01:44 +0100 -Subject: KVM: arm64: Correctly cap ZCR_EL2 provided by a guest hypervisor - -From: Mark Brown - -commit 83726330748981372bde86ed5411d7b306612991 upstream. - -ZCR_EL2 can be updated by a VHE guest hypervisor either using ZCR_EL2 -(which traps) or ZCR_EL1 (which does not trap). KVM handles both in -different way: - -- on ZCR_EL2 trap, ZCR_EL2.LEN is immediately capped at the VM's own - VL limit. This has the potential to break existing SW that relies - on the full LEN field to be stateful. - -- on ZCR_EL1 access, we do absolutely nothing. - -On restoring the SVE context for an L2 guest, we directly restore the -guest hypervisor's view of ZCR_EL2 into the physical ZCR_EL2. If the -guest's view of the register was updated using the ZCR_EL2 accessor, -the value has already been sanitised (with the caveat mentioned above). - -But if the guest used ZCR_EL1, the raw value is written into the HW, -and the L2 guest can now access VLs that it shouldn't. - -Fix all the above by moving the VL capping to the restore points, -ensuring that: - -- the HW is always programmed with a capped value, irrespective of - the accessor being used, - -- the ZCR_EL2.LEN field is always completely stateful, irrespective - of the accessor being used. - -Additionally, move ZCR_EL2 to be a sanitised register, ensuring that -only the LEN field is actually stateful. This requires some creative -construction of the RES0 mask, as the sysreg generation script does -not yet generate RAZ/WI fields. 
- -Fixes: b3d29a823099 ("KVM: arm64: nv: Handle ZCR_EL2 traps") -Signed-off-by: Mark Brown -Cc: stable@vger.kernel.org -Link: https://patch.msgid.link/20260529-kvm-arm64-fix-zcr-len-nv-v2-1-86cad51992bd@kernel.org -[maz: rewrote commit message, tidy up access_zcr_el2()] -Signed-off-by: Marc Zyngier -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm64/include/asm/kvm_host.h | 2 +- - arch/arm64/kvm/hyp/include/hyp/switch.h | 16 ++++++++++------ - arch/arm64/kvm/nested.c | 5 +++++ - arch/arm64/kvm/sys_regs.c | 11 +++-------- - 4 files changed, 19 insertions(+), 15 deletions(-) - ---- a/arch/arm64/include/asm/kvm_host.h -+++ b/arch/arm64/include/asm/kvm_host.h -@@ -496,7 +496,6 @@ enum vcpu_sysreg { - ACTLR_EL2, /* Auxiliary Control Register (EL2) */ - CPTR_EL2, /* Architectural Feature Trap Register (EL2) */ - HACR_EL2, /* Hypervisor Auxiliary Control Register */ -- ZCR_EL2, /* SVE Control Register (EL2) */ - TTBR0_EL2, /* Translation Table Base Register 0 (EL2) */ - TTBR1_EL2, /* Translation Table Base Register 1 (EL2) */ - TCR_EL2, /* Translation Control Register (EL2) */ -@@ -527,6 +526,7 @@ enum vcpu_sysreg { - SCTLR2_EL2, /* System Control Register 2 (EL2) */ - MDCR_EL2, /* Monitor Debug Configuration Register (EL2) */ - CNTHCTL_EL2, /* Counter-timer Hypervisor Control register */ -+ ZCR_EL2, /* SVE Control Register (EL2) */ - - /* Any VNCR-capable reg goes after this point */ - MARKER(__VNCR_START__), ---- a/arch/arm64/kvm/hyp/include/hyp/switch.h -+++ b/arch/arm64/kvm/hyp/include/hyp/switch.h -@@ -433,11 +433,13 @@ static inline bool kvm_hyp_handle_mops(s - - static inline void __hyp_sve_restore_guest(struct kvm_vcpu *vcpu) - { -+ u64 zcr_el2 = vcpu_sve_max_vq(vcpu) - 1; -+ - /* - * The vCPU's saved SVE state layout always matches the max VL of the - * vCPU. Start off with the max VL so we can load the SVE state. 
- */ -- sve_cond_update_zcr_vq(vcpu_sve_max_vq(vcpu) - 1, SYS_ZCR_EL2); -+ sve_cond_update_zcr_vq(zcr_el2, SYS_ZCR_EL2); - __sve_restore_state(vcpu_sve_pffr(vcpu), - &vcpu->arch.ctxt.fp_regs.fpsr, - true); -@@ -447,8 +449,10 @@ static inline void __hyp_sve_restore_gue - * nested guest, as the guest hypervisor could select a smaller VL. Slap - * that into hardware before wrapping up. - */ -- if (is_nested_ctxt(vcpu)) -- sve_cond_update_zcr_vq(__vcpu_sys_reg(vcpu, ZCR_EL2), SYS_ZCR_EL2); -+ if (is_nested_ctxt(vcpu)) { -+ zcr_el2 = min(zcr_el2, __vcpu_sys_reg(vcpu, ZCR_EL2)); -+ sve_cond_update_zcr_vq(zcr_el2, SYS_ZCR_EL2); -+ } - - write_sysreg_el1(__vcpu_sys_reg(vcpu, vcpu_sve_zcr_elx(vcpu)), SYS_ZCR); - } -@@ -472,11 +476,11 @@ static inline void fpsimd_lazy_switch_to - return; - - if (vcpu_has_sve(vcpu)) { -+ zcr_el2 = vcpu_sve_max_vq(vcpu) - 1; -+ - /* A guest hypervisor may restrict the effective max VL. */ - if (is_nested_ctxt(vcpu)) -- zcr_el2 = __vcpu_sys_reg(vcpu, ZCR_EL2); -- else -- zcr_el2 = vcpu_sve_max_vq(vcpu) - 1; -+ zcr_el2 = min(zcr_el2, __vcpu_sys_reg(vcpu, ZCR_EL2)); - - write_sysreg_el2(zcr_el2, SYS_ZCR); - ---- a/arch/arm64/kvm/nested.c -+++ b/arch/arm64/kvm/nested.c -@@ -1772,6 +1772,11 @@ int kvm_init_nv_sysregs(struct kvm_vcpu - /* VNCR_EL2 */ - set_sysreg_masks(kvm, VNCR_EL2, VNCR_EL2_RES0, VNCR_EL2_RES1); - -+ /* ZCR_EL2 - bits 8:4 are RAZ/WI so treat them as RES0 */ -+ resx.res0 = ZCR_ELx_RES0 | GENMASK_ULL(8, 4); -+ resx.res1 = ZCR_ELx_RES1; -+ set_sysreg_masks(kvm, ZCR_EL2, resx); -+ - out: - for (enum vcpu_sysreg sr = __SANITISED_REG_START__; sr < NR_SYS_REGS; sr++) - __vcpu_rmw_sys_reg(vcpu, sr, |=, 0); ---- a/arch/arm64/kvm/sys_regs.c -+++ b/arch/arm64/kvm/sys_regs.c -@@ -2749,21 +2749,16 @@ static bool access_zcr_el2(struct kvm_vc - struct sys_reg_params *p, - const struct sys_reg_desc *r) - { -- unsigned int vq; -- - if (guest_hyp_sve_traps_enabled(vcpu)) { - kvm_inject_nested_sve_trap(vcpu); - return false; - } - -- if 
(!p->is_write) { -+ if (!p->is_write) - p->regval = __vcpu_sys_reg(vcpu, ZCR_EL2); -- return true; -- } -+ else -+ __vcpu_assign_sys_reg(vcpu, ZCR_EL2, p->regval); - -- vq = SYS_FIELD_GET(ZCR_ELx, LEN, p->regval) + 1; -- vq = min(vq, vcpu_sve_max_vq(vcpu)); -- __vcpu_assign_sys_reg(vcpu, ZCR_EL2, vq - 1); - return true; - } - diff --git a/queue-6.18/series b/queue-6.18/series index 37f55371f2..e4211462d6 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -12,7 +12,6 @@ tools-bootconfig-fix-buf-leaks-in-apply_xbc.patch hid-remove-duplicate-hid_warn_ratelimited-definition.patch kunit-fix-use-after-free-in-debugfs-when-using-kunit.patch accel-rocket-fix-uaf-via-dangling-gem-handle-in-crea.patch -kernel-fork-validate-exit_signal-in-kernel_clone.patch netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch netfilter-xt_cpu-prefer-raw_smp_processor_id.patch netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch @@ -138,7 +137,6 @@ parport-fix-race-between-port-and-client-registration.patch rust_binder-avoid-holding-lock-when-dropping-delivered_death.patch rust_binder-avoid-calling-pending_oneway_finished-on-tf_update_txn.patch usb-cdc-acm-fix-bit-overlap-and-move-quirk-definitions-to-header.patch -kvm-arm64-correctly-cap-zcr_el2-provided-by-a-guest-hypervisor.patch kvm-arm64-pmu-preserve-aarch32-counter-low-bits.patch kvm-svm-flush-the-current-tlb-when-transitioning-from-xavic-x2avic.patch kvm-sev-require-in-ghcb-scratch-area-if-ghcb-v2-is-in-use.patch 
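Review bot: the nested.c part of this removed hunk does not match the API shown by its own context line, which is why the file cannot build on 6.18: the added `set_sysreg_masks(kvm, ZCR_EL2, resx);` passes a struct `resx` that no line in the patch declares, while the unchanged line directly above it, `set_sysreg_masks(kvm, VNCR_EL2, VNCR_EL2_RES0, VNCR_EL2_RES1);`, takes the RES0 and RES1 masks as two separate arguments. Dropping the file from this queue is the right call, but note what is lost with it: the switch.h and sys_regs.c parts do not depend on that API and are what keeps an unsanitised ZCR_EL1 write from reaching hardware (the `min(zcr_el2, __vcpu_sys_reg(vcpu, ZCR_EL2))` capping at both restore points), i.e. the part that stops an L2 guest from using vector lengths beyond its limit. A 6.18-adapted backport would only need the nested.c hunk rewritten to the four-argument form, passing `ZCR_ELx_RES0 | GENMASK_ULL(8, 4)` and `ZCR_ELx_RES1` directly, and since upstream carried `Cc: stable@vger.kernel.org` this should be tracked as a follow-up rather than closed for 6.18.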
@@ -213,7 +211,6 @@ ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch misc-rp1-send-iack-on-irq-activate-to-fix-kdump-kexec.patch input-atmel_mxt_ts-fix-boundary-check-in-mxt_prepare_cfg_mem.patch input-synaptics-add-len2058-to-smbus-passlist-for-thinkpad-e490.patch -gpib-cb7210-fix-region-leak-when-request_irq-fails.patch comedi-comedi_test-fix-check-for-valid-scan_begin_src-in-waveform_ai_cmdtest.patch comedi-comedi_test-fix-limiting-of-convert_arg-in-waveform_ai_cmdtest.patch counter-fix-refcount-leak-in-counter_alloc-error-path.patch diff --git a/queue-6.6/kernel-fork-validate-exit_signal-in-kernel_clone.patch b/queue-6.6/kernel-fork-validate-exit_signal-in-kernel_clone.patch deleted file mode 100644 index d542ba6298..0000000000 --- a/queue-6.6/kernel-fork-validate-exit_signal-in-kernel_clone.patch +++ /dev/null 
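Review bot: the three `queue-6.18/series` hunks remove `kernel-fork-validate-exit_signal-in-kernel_clone.patch`, `kvm-arm64-correctly-cap-zcr_el2-provided-by-a-guest-hypervisor.patch` and `gpib-cb7210-fix-region-leak-when-request_irq-fails.patch`, and the new-side headers (`+12,6`, `+137,6`, `+211,6`) are consistent with three single-line removals from one file. Only the kvm-arm64 file deletion for 6.18 is visible in this part of the diff; a series entry must not outlive its patch file (nor the reverse), so confirm that the `queue-6.18/` copies of the other two patches are deleted in this same commit.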
@@ -1,116 +0,0 @@ -From 36851a9ce229b214ca137515fd27a44d87e2f55a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 16 Mar 2026 20:49:56 +0530 -Subject: kernel/fork: validate exit_signal in kernel_clone() - -From: Deepanshu Kartikey - -[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ] - -When a child process exits, it sends exit_signal to its parent via -do_notify_parent(). The clone() syscall constructs exit_signal as: - -(lower_32_bits(clone_flags) & CSIGNAL) - -CSIGNAL is 0xff, so values in the range 65-255 are possible. However, -valid_signal() only accepts signals up to _NSIG (64 on x86_64). A -non-zero non-valid exit_signal acts the same as exit_signal == 0: the -parent process is not signaled when the child terminates. - -The syzkaller reproducer triggers this by calling clone() with flags=0x80, -resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and -is not a valid signal. - -The v1 of this patch added the check only in the clone() syscall handler, -which is incomplete. kernel_clone() has other callers such as -sys_ia32_clone() which would remain unprotected. Move the check to -kernel_clone() to cover all callers. - -Since the valid_signal() check is now in kernel_clone() and covers all -callers including clone3(), the same check in copy_clone_args_from_user() -becomes redundant and is removed. The higher 32bits check for clone3() is -kept as it is clone3() specific. - -Note that this is a user-visible change: previously, passing an invalid -exit_signal to clone() was silently accepted. The man page for clone() -does not document any defined behavior for invalid exit_signal values, so -rejecting them with -EINVAL is the correct behavior. It is unlikely that -any sane application relies on passing an invalid exit_signal. 
- -[oleg@redhat.com: the comment above kernel_clone() should be updated] - Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com -Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com -Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features") -Signed-off-by: Deepanshu Kartikey -Signed-off-by: Oleg Nesterov -Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de -Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1] -Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2] -Acked-by: Oleg Nesterov -Acked-by: Michal Hocko -Cc: Ben Segall -Cc: Christian Brauner -Cc: David Hildenbrand -Cc: Dietmar Eggemann -Cc: Ingo Molnar -Cc: Juri Lelli -Cc: Kees Cook -Cc: Liam Howlett -Cc: Lorenzo Stoakes (Oracle) -Cc: Mel Gorman -Cc: Mike Rapoport -Cc: Peter Zijlstra -Cc: Steven Rostedt -Cc: Suren Baghdasaryan -Cc: Valentin Schneider -Cc: Vincent Guittot -Cc: Vlastimil Babka -Cc: Tetsuo Handa -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - kernel/fork.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/kernel/fork.c b/kernel/fork.c -index e280f02b6446ab..d68d40735a082a 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -2870,8 +2870,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node) - * - * It copies the process, and if successful kick-starts - * it and waits for it to finish using the VM if required. -- * -- * args->exit_signal is expected to be checked for sanity by the caller. 
- */ - pid_t kernel_clone(struct kernel_clone_args *args) - { -@@ -2896,6 +2894,9 @@ pid_t kernel_clone(struct kernel_clone_args *args) - (args->pidfd == args->parent_tid)) - return -EINVAL; - -+ if (!valid_signal(args->exit_signal)) -+ return -EINVAL; -+ - /* - * Determine whether and which event to report to ptracer. When - * called from kernel_thread or CLONE_UNTRACED is explicitly -@@ -3098,11 +3099,9 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs, - return -EINVAL; - - /* -- * Verify that higher 32bits of exit_signal are unset and that -- * it is a valid signal -+ * Verify that higher 32bits of exit_signal are unset - */ -- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) || -- !valid_signal(args.exit_signal))) -+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL))) - return -EINVAL; - - if ((args.flags & CLONE_INTO_CGROUP) && --- -2.53.0 - diff --git a/queue-6.6/series b/queue-6.6/series index 495723ba98..e4809e7b04 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -9,7 +9,6 @@ nfc-llcp-fix-use-after-free-in-llcp_sock_release.patch nfc-llcp-fix-use-after-free-race-in-nfc_llcp_recv_cc.patch xfrm-check-for-underflow-in-xfrm_state_mtu.patch nfc-nxp-nci-i2c-use-rising-edge-irq-on-acpi-systems.patch -kernel-fork-validate-exit_signal-in-kernel_clone.patch netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch netfilter-xt_cpu-prefer-raw_smp_processor_id.patch netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch diff --git a/queue-7.0/esp-fix-page-frag-reference-leak-on-skb_to_sgvec-fai.patch b/queue-7.0/esp-fix-page-frag-reference-leak-on-skb_to_sgvec-fai.patch deleted file mode 100644 index cbb4be9280..0000000000 --- a/queue-7.0/esp-fix-page-frag-reference-leak-on-skb_to_sgvec-fai.patch +++ /dev/null 
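Review bot: this removed patch changes observable syscall behaviour rather than fixing a fault, and its own text says so: "Note that this is a user-visible change: previously, passing an invalid exit_signal to clone() was silently accepted." The kernel/fork.c hunks add `if (!valid_signal(args->exit_signal)) return -EINVAL;` to kernel_clone() and drop the `!valid_signal(args.exit_signal)` test from copy_clone_args_from_user(), so on 6.6 the net effect is that legacy clone() and ia32 callers passing a `CSIGNAL` value above _NSIG start getting -EINVAL where they previously got a child whose exit was simply not signalled (the message describes the old behaviour as acting "the same as exit_signal == 0", so there is no crash or memory-safety issue being closed). Removing it from the stable queue is correct; a `Fixes:` tag and syzbot Reported-by/Tested-by lines do not on their own make a behaviour change stable material.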
@@ -1,152 +0,0 @@ -From e3d5ae76091ea58f31ca35eee643a7f009d535da Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 May 2026 09:27:17 +0200 -Subject: esp: fix page frag reference leak on skb_to_sgvec failure - -From: e521588 - -[ Upstream commit 2982e599fff6faa21c8df147d96fc7af6c1a2f24 ] - -In esp_output_tail(), when esp->inplace is false, the old skb page frags -are replaced with a new page from the xfrm page_frag cache. The source -scatterlist (sg) is built from the old frags before the replacement, and -esp_ssg_unref() is responsible for releasing the old page references -after the crypto operation completes. - -However, if the second skb_to_sgvec() call (which builds the destination -scatterlist from the new page) fails, the code jumps to error_free which -only calls kfree(tmp). The old page frag references captured in the -source scatterlist are never released: - - 1. sg[] is built from old frags via skb_to_sgvec() (no extra get_page) - 2. nr_frags is set to 1 and frag[0] is replaced with the new page - 3. Second skb_to_sgvec() fails -> goto error_free - 4. kfree(tmp) frees the sg[] memory but old frags are not unref'd - 5. kfree_skb() only releases frag[0] (the new page), not the old ones - -Fix this by adding a bool parameter to esp_ssg_unref() that, when true, -unconditionally unrefs the source scatterlist frags without checking -req->src and req->dst, since those fields are not yet initialized by -aead_request_set_crypt() at the point of the error. Existing callers -pass false to preserve the original behavior. - -The same issue exists in both esp4 and esp6 as the code is identical. 
- -Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") -Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") - -Signed-off-by: Alessandro Schino <7991aleschino@gmail.com> -Signed-off-by: Steffen Klassert -Signed-off-by: Sasha Levin ---- - net/ipv4/esp4.c | 12 +++++++----- - net/ipv6/esp6.c | 12 +++++++----- - 2 files changed, 14 insertions(+), 10 deletions(-) - -diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c -index 6a5febbdbee493..8314d7bddcb715 100644 ---- a/net/ipv4/esp4.c -+++ b/net/ipv4/esp4.c -@@ -96,7 +96,7 @@ static inline struct scatterlist *esp_req_sg(struct crypto_aead *aead, - __alignof__(struct scatterlist)); - } - --static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb) -+static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb, bool already_unref) - { - struct crypto_aead *aead = x->data; - int extralen = 0; -@@ -113,7 +113,7 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb) - /* Unref skb_frag_pages in the src scatterlist if necessary. - * Skip the first sg which comes from skb->data. 
- */ -- if (req->src != req->dst) -+ if (already_unref || req->src != req->dst) - for (sg = sg_next(req->src); sg; sg = sg_next(sg)) - skb_page_unref(page_to_netmem(sg_page(sg)), - skb->pp_recycle); -@@ -220,7 +220,7 @@ static void esp_output_done(void *data, int err) - } - - tmp = ESP_SKB_CB(skb)->tmp; -- esp_ssg_unref(x, tmp, skb); -+ esp_ssg_unref(x, tmp, skb, false); - kfree(tmp); - - if (xo && (xo->flags & XFRM_DEV_RESUME)) { -@@ -569,8 +569,10 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * - err = skb_to_sgvec(skb, dsg, - (unsigned char *)esph - skb->data, - assoclen + ivlen + esp->clen + alen); -- if (unlikely(err < 0)) -+ if (unlikely(err < 0)) { -+ esp_ssg_unref(x, tmp, skb, true); - goto error_free; -+ } - } - - if ((x->props.flags & XFRM_STATE_ESN)) -@@ -602,7 +604,7 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * - } - - if (sg != dsg) -- esp_ssg_unref(x, tmp, skb); -+ esp_ssg_unref(x, tmp, skb, false); - - if (!err && x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) - err = esp_output_tail_tcp(x, skb); -diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c -index 9c06c5a1419dc4..9d0c4957ac6276 100644 ---- a/net/ipv6/esp6.c -+++ b/net/ipv6/esp6.c -@@ -113,7 +113,7 @@ static inline struct scatterlist *esp_req_sg(struct crypto_aead *aead, - __alignof__(struct scatterlist)); - } - --static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb) -+static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb, bool already_unref) - { - struct crypto_aead *aead = x->data; - int extralen = 0; -@@ -130,7 +130,7 @@ static void esp_ssg_unref(struct xfrm_state *x, void *tmp, struct sk_buff *skb) - /* Unref skb_frag_pages in the src scatterlist if necessary. - * Skip the first sg which comes from skb->data. 
- */ -- if (req->src != req->dst) -+ if (already_unref || req->src != req->dst) - for (sg = sg_next(req->src); sg; sg = sg_next(sg)) - skb_page_unref(page_to_netmem(sg_page(sg)), - skb->pp_recycle); -@@ -254,7 +254,7 @@ static void esp_output_done(void *data, int err) - } - - tmp = ESP_SKB_CB(skb)->tmp; -- esp_ssg_unref(x, tmp, skb); -+ esp_ssg_unref(x, tmp, skb, false); - kfree(tmp); - - esp_output_encap_csum(skb); -@@ -600,8 +600,10 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info - err = skb_to_sgvec(skb, dsg, - (unsigned char *)esph - skb->data, - assoclen + ivlen + esp->clen + alen); -- if (unlikely(err < 0)) -+ if (unlikely(err < 0)) { -+ esp_ssg_unref(x, tmp, skb, true); - goto error_free; -+ } - } - - if ((x->props.flags & XFRM_STATE_ESN)) -@@ -634,7 +636,7 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info - } - - if (sg != dsg) -- esp_ssg_unref(x, tmp, skb); -+ esp_ssg_unref(x, tmp, skb, false); - - if (!err && x->encap && x->encap->encap_type == TCP_ENCAP_ESPINTCP) - err = esp_output_tail_tcp(x, skb); --- -2.53.0 - diff --git a/queue-7.0/gpib-cb7210-fix-region-leak-when-request_irq-fails.patch b/queue-7.0/gpib-cb7210-fix-region-leak-when-request_irq-fails.patch deleted file mode 100644 index db475ae02b..0000000000 --- a/queue-7.0/gpib-cb7210-fix-region-leak-when-request_irq-fails.patch +++ /dev/null 
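Review bot: the new early-error call in this removed patch still dereferences a field its own commit message says is uninitialised at that point, which is a defect in the fix itself: `esp_ssg_unref(x, tmp, skb, true)` is called from the `skb_to_sgvec()` failure path before `aead_request_set_crypt()` has run, and although `already_unref` short-circuits the `req->src != req->dst` comparison, the unchanged loop below it is still `for (sg = sg_next(req->src); sg; sg = sg_next(sg))`, so it walks whatever `req->src` happens to contain. The message states those fields "are not yet initialized by aead_request_set_crypt() at the point of the error", so a correct version would have to hand the source scatterlist in explicitly (the caller's `sg`) instead of reading `req->src`. The identical construction is in both the esp4.c and esp6.c hunks. Dropping the backport rather than carrying a half-fix for the frag leak is right. Minor: the inner author line `From: e521588` is a bare handle rather than a name and address and does not match the `Signed-off-by: Alessandro Schino` below it.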
@@ -1,54 +0,0 @@ -From 2eae90a457baa0048a96ed38ad93090ee38c8b2f Mon Sep 17 00:00:00 2001 -From: Hongling Zeng -Date: Mon, 18 May 2026 10:29:39 +0800 -Subject: gpib: cb7210: Fix region leak when request_irq fails - -From: Hongling Zeng - -commit 2eae90a457baa0048a96ed38ad93090ee38c8b2f upstream. - -When request_irq() fails, the region allocated by request_region() -is not released. Fix this by adding an error handling path with -proper goto labels to release the region. - -Fixes: e9dc69956d4d ("staging: gpib: Add Computer Boards GPIB driver") -Closes: https://lore.kernel.org/oe-kbuild-all/202605160620.ReBOadPX-lkp@intel.com/ -Signed-off-by: Hongling Zeng -Cc: stable -Link: https://patch.msgid.link/20260518022939.16881-1-zenghongling@kylinos.cn -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpib/cb7210/cb7210.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - ---- a/drivers/gpib/cb7210/cb7210.c -+++ b/drivers/gpib/cb7210/cb7210.c -@@ -1049,7 +1049,8 @@ static int cb_isa_attach(struct gpib_boa - if (!request_region(config->ibbase, cb7210_iosize, DRV_NAME)) { - dev_err(board->gpib_dev, "ioports starting at 0x%x are already in use\n", - config->ibbase); -- return -EBUSY; -+ retval = -EBUSY; -+ goto err_release_region; - } - nec_priv->iobase = config->ibbase; - cb_priv->fifo_iobase = nec7210_iobase(cb_priv); -@@ -1062,11 +1063,16 @@ static int cb_isa_attach(struct gpib_boa - // install interrupt handler - if (request_irq(config->ibirq, cb7210_interrupt, isr_flags, DRV_NAME, board)) { - dev_err(board->gpib_dev, "failed to obtain IRQ %d\n", config->ibirq); -- return -EBUSY; -+ retval = -EBUSY; -+ goto err_release_region; - } - cb_priv->irq = config->ibirq; - - return cb7210_init(cb_priv, board); -+ -+err_release_region: -+ release_region(nec7210_iobase(cb_priv), cb7210_iosize); -+ return retval; - } - - static void cb_isa_detach(struct gpib_board *board) 
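Review bot: the first `goto err_release_region` in this removed hunk releases a region that was never acquired: it is taken from the `if (!request_region(config->ibbase, cb7210_iosize, DRV_NAME))` failure branch, i.e. exactly when `request_region()` refused the range (the error text says the ports "are already in use", so they belong to another driver), yet the label runs `release_region(nec7210_iobase(cb_priv), cb7210_iosize);` unconditionally. In addition, `nec_priv->iobase = config->ibbase;` is only assigned after the successful request and `nec7210_iobase(cb_priv)` is evaluated right after it for `fifo_iobase`, which suggests the address passed to `release_region()` on that path is stale as well. Only the `request_irq()` failure path the commit message describes should reach the label; the `request_region()` branch should have kept its plain `return -EBUSY;`. Dropping the patch is the right outcome. Minor: `Signed-off-by: Greg Kroah-Hartman` appears twice in the header.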
diff --git a/queue-7.0/kernel-fork-validate-exit_signal-in-kernel_clone.patch b/queue-7.0/kernel-fork-validate-exit_signal-in-kernel_clone.patch deleted file mode 100644 index 0e037b6d42..0000000000 --- a/queue-7.0/kernel-fork-validate-exit_signal-in-kernel_clone.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From 8e2042f9ba5741e337370a16551934b0f431b7b6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 16 Mar 2026 20:49:56 +0530 -Subject: kernel/fork: validate exit_signal in kernel_clone() - -From: Deepanshu Kartikey - -[ Upstream commit 09e7827e785729f391c8d46dc71becce70d296ab ] - -When a child process exits, it sends exit_signal to its parent via -do_notify_parent(). The clone() syscall constructs exit_signal as: - -(lower_32_bits(clone_flags) & CSIGNAL) - -CSIGNAL is 0xff, so values in the range 65-255 are possible. However, -valid_signal() only accepts signals up to _NSIG (64 on x86_64). A -non-zero non-valid exit_signal acts the same as exit_signal == 0: the -parent process is not signaled when the child terminates. - -The syzkaller reproducer triggers this by calling clone() with flags=0x80, -resulting in exit_signal = (0x80 & CSIGNAL) = 128, which exceeds _NSIG and -is not a valid signal. - -The v1 of this patch added the check only in the clone() syscall handler, -which is incomplete. kernel_clone() has other callers such as -sys_ia32_clone() which would remain unprotected. Move the check to -kernel_clone() to cover all callers. - -Since the valid_signal() check is now in kernel_clone() and covers all -callers including clone3(), the same check in copy_clone_args_from_user() -becomes redundant and is removed. The higher 32bits check for clone3() is -kept as it is clone3() specific. - -Note that this is a user-visible change: previously, passing an invalid -exit_signal to clone() was silently accepted. The man page for clone() -does not document any defined behavior for invalid exit_signal values, so -rejecting them with -EINVAL is the correct behavior. It is unlikely that -any sane application relies on passing an invalid exit_signal. 
- -[oleg@redhat.com: the comment above kernel_clone() should be updated] - Link: https://lore.kernel.org/abwvgU17W8wuW2-J@redhat.com -Link: https://lore.kernel.org/20260316151956.563558-1-kartikey406@gmail.com -Fixes: 3f2c788a1314 ("fork: prevent accidental access to clone3 features") -Signed-off-by: Deepanshu Kartikey -Signed-off-by: Oleg Nesterov -Reported-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=bbe6b99feefc3a0842de -Tested-by: syzbot+bbe6b99feefc3a0842de@syzkaller.appspotmail.com -Link: https://lore.kernel.org/all/20260307064202.353405-1-kartikey406@gmail.com/T/ [v1] -Link: https://lore.kernel.org/all/20260316104536.558108-1-kartikey406@gmail.com/T/ [v2] -Acked-by: Oleg Nesterov -Acked-by: Michal Hocko -Cc: Ben Segall -Cc: Christian Brauner -Cc: David Hildenbrand -Cc: Dietmar Eggemann -Cc: Ingo Molnar -Cc: Juri Lelli -Cc: Kees Cook -Cc: Liam Howlett -Cc: Lorenzo Stoakes (Oracle) -Cc: Mel Gorman -Cc: Mike Rapoport -Cc: Peter Zijlstra -Cc: Steven Rostedt -Cc: Suren Baghdasaryan -Cc: Valentin Schneider -Cc: Vincent Guittot -Cc: Vlastimil Babka -Cc: Tetsuo Handa -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - kernel/fork.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/kernel/fork.c b/kernel/fork.c -index 73622ad0665a07..bcde8e2843fb97 100644 ---- a/kernel/fork.c -+++ b/kernel/fork.c -@@ -2606,8 +2606,6 @@ struct task_struct *create_io_thread(int (*fn)(void *), void *arg, int node) - * - * It copies the process, and if successful kick-starts - * it and waits for it to finish using the VM if required. -- * -- * args->exit_signal is expected to be checked for sanity by the caller. 
- */ - pid_t kernel_clone(struct kernel_clone_args *args) - { -@@ -2632,6 +2630,9 @@ pid_t kernel_clone(struct kernel_clone_args *args) - (args->pidfd == args->parent_tid)) - return -EINVAL; - -+ if (!valid_signal(args->exit_signal)) -+ return -EINVAL; -+ - /* - * Determine whether and which event to report to ptracer. When - * called from kernel_thread or CLONE_UNTRACED is explicitly -@@ -2830,11 +2831,9 @@ static noinline int copy_clone_args_from_user(struct kernel_clone_args *kargs, - return -EINVAL; - - /* -- * Verify that higher 32bits of exit_signal are unset and that -- * it is a valid signal -+ * Verify that higher 32bits of exit_signal are unset - */ -- if (unlikely((args.exit_signal & ~((u64)CSIGNAL)) || -- !valid_signal(args.exit_signal))) -+ if (unlikely(args.exit_signal & ~((u64)CSIGNAL))) - return -EINVAL; - - if ((args.flags & CLONE_INTO_CGROUP) && --- -2.53.0 - diff --git a/queue-7.0/series b/queue-7.0/series index ba417b8b51..b930cf588d 100644 --- a/queue-7.0/series +++ b/queue-7.0/series @@ -12,8 +12,6 @@ tools-bootconfig-fix-buf-leaks-in-apply_xbc.patch hid-remove-duplicate-hid_warn_ratelimited-definition.patch kunit-fix-use-after-free-in-debugfs-when-using-kunit.patch accel-rocket-fix-uaf-via-dangling-gem-handle-in-crea.patch -kernel-fork-validate-exit_signal-in-kernel_clone.patch -esp-fix-page-frag-reference-leak-on-skb_to_sgvec-fai.patch netfilter-synproxy-refresh-tcphdr-after-skb_ensure_w.patch netfilter-xt_cpu-prefer-raw_smp_processor_id.patch netfilter-ebtables-fix-oob-read-in-compat_mtw_from_u.patch 
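Review bot: the `-12,8 +12,6` header of this `queue-7.0/series` hunk matches two adjacent removals, `kernel-fork-validate-exit_signal-in-kernel_clone.patch` and `esp-fix-page-frag-reference-leak-on-skb_to_sgvec-fai.patch`, and both have their `queue-7.0/` files deleted earlier in this diff, so the series file and the directory stay in step. The 7.0 copy of the kernel_clone() patch removed just above is the same change as the 6.6 one apart from the hunk offsets (`@@ -2606`, `@@ -2632`, `@@ -2830` versus `@@ -2870`, `@@ -2896`, `@@ -3098`) and the `static noinline` / `noinline static` context line, so the behaviour-change argument for dropping it applies here unchanged.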
@@ -240,7 +238,6 @@ ksmbd-oob-read-regression-in-smb_check_perm_dacl-ace-walk-loops.patch misc-rp1-send-iack-on-irq-activate-to-fix-kdump-kexec.patch input-atmel_mxt_ts-fix-boundary-check-in-mxt_prepare_cfg_mem.patch input-synaptics-add-len2058-to-smbus-passlist-for-thinkpad-e490.patch -gpib-cb7210-fix-region-leak-when-request_irq-fails.patch dt-bindings-usb-fix-eic7700-usb-reset-s-issue.patch comedi-comedi_test-fix-check-for-valid-scan_begin_src-in-waveform_ai_cmdtest.patch comedi-comedi_test-fix-limiting-of-convert_arg-in-waveform_ai_cmdtest.patch
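Review bot: the `-240,7 +238,6` header is consistent with the two removals in the earlier hunk of this file (a new-side offset of 2), and the entry removed here, `gpib-cb7210-fix-region-leak-when-request_irq-fails.patch`, has its `queue-7.0/` file deleted above as well, so all three 7.0 drops (kernel-fork, esp, gpib) are accounted for in both the series file and the directory.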