From: Greg Kroah-Hartman
Date: Thu, 30 Apr 2026 09:36:20 +0000 (+0200)
Subject: drop xen patches that are already in a release
X-Git-Tag: v6.12.86~95
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c0a55c4d018c5dd5a39886da8772b6a6c04b85f1;p=thirdparty%2Fkernel%2Fstable-queue.git

drop xen patches that are already in a release

Signed-off-by: Greg Kroah-Hartman
---

diff --git a/queue-5.10/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch b/queue-5.10/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
deleted file mode 100644
index 283403c85e..0000000000
--- a/queue-5.10/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From 87069af79fcabd7861a132ae04ca7c808c927090 Mon Sep 17 00:00:00 2001 -From: Juergen Gross -Date: Fri, 27 Mar 2026 14:13:38 +0100 -Subject: Buffer overflow in drivers/xen/sys-hypervisor.c - -From: Juergen Gross - -commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream. - -The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is -neither NUL terminated nor a string. - -The first causes a buffer overflow as sprintf in buildid_show will -read and copy till it finds a NUL. - -00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P| -00000010 b9 a8 01 42 6f 2e 32 |...Bo.2| -00000017 - -So use a memcpy instead of sprintf to have the correct value: - -00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P| -00000010 b9 a8 01 42 |...B| -00000014 - -(the above have a hack to embed a zero inside and check it's -returned correctly). - -This is XSA-485 / CVE-2026-31786 - -Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id") -Signed-off-by: Frediano Ziglio -Reviewed-by: Juergen Gross -Signed-off-by: Juergen Gross -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/sys-hypervisor.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - ---- a/drivers/xen/sys-hypervisor.c -+++ b/drivers/xen/sys-hypervisor.c -@@ -364,6 +364,8 @@ static ssize_t buildid_show(struct hyp_s - ret = sprintf(buffer, ""); - return ret; - } -+ if (ret > PAGE_SIZE) -+ return -ENOSPC; - - buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL); - if (!buildid) -@@ -371,8 +373,10 @@ static ssize_t buildid_show(struct hyp_s - - buildid->len = ret; - ret = HYPERVISOR_xen_version(XENVER_build_id, buildid); -- if (ret > 0) -- ret = sprintf(buffer, "%s", buildid->buf); -+ if (ret > 0) { -+ /* Build id is binary, not a string. */ -+ memcpy(buffer, buildid->buf, ret); -+ } - kfree(buildid); - - return ret; 
diff --git a/queue-5.10/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch b/queue-5.10/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch deleted file mode 100644 index 9ba54d4e74..0000000000 --- a/queue-5.10/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 885290a37a84fd51c1466b08b32f9524a46e8087 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 12 Apr 2026 13:32:21 +0800 -Subject: crypto: algif_aead - Fix minimum RX size check for decryption - -From: Herbert Xu - -[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ] - -The check for the minimum receive buffer size did not take the -tag size into account during decryption. Fix this by adding the -required extra length. - -Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com -Reported-by: Daniel Pouzzner -Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin ---- - crypto/algif_aead.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c -index 42493b4d8ce46..cb3959e2c435e 100644 ---- a/crypto/algif_aead.c -+++ b/crypto/algif_aead.c -@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, - if (usedpages < outlen) { - size_t less = outlen - usedpages; - -- if (used < less) { -+ if (used < less + (ctx->enc ? 0 : as)) { - err = -EINVAL; - goto free; - } --- -2.53.0 - diff --git a/queue-5.10/series b/queue-5.10/series index e930533a67..e6ae19a280 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -31,7 +31,6 @@ netfilter-xt_multiport-validate-range-encoding-in-ch.patch
 netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch
 af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
 l2tp-drop-large-packets-with-udp-encap.patch
-crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
 netfilter-conntrack-add-missing-netlink-policy-valid.patch
 drm-i915-gt-fix-refcount-underflow-in-intel_engine_p.patch
 mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflo.patch
@@ -150,5 +149,3 @@ ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
 padata-fix-pd-uaf-once-and-for-all.patch
 padata-remove-comment-for-reorder_work.patch
 driver-core-don-t-let-a-device-probe-until-it-s-read.patch
-buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
-xen-privcmd-fix-double-free-via-vma-splitting.patch
diff --git a/queue-5.10/xen-privcmd-fix-double-free-via-vma-splitting.patch b/queue-5.10/xen-privcmd-fix-double-free-via-vma-splitting.patch
deleted file mode 100644
index b1a15b3380..0000000000
--- a/queue-5.10/xen-privcmd-fix-double-free-via-vma-splitting.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From ec411bb4cfd9df3df02df06bccdced9639b0601f Mon Sep 17 00:00:00 2001 -From: Juergen Gross -Date: Fri, 10 Apr 2026 09:20:04 +0200 -Subject: xen/privcmd: fix double free via VMA splitting - -From: Juergen Gross - -commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream. - -privcmd_vm_ops defines .close (privcmd_close), but neither .may_split -nor .open. When userspace does a partial munmap() on a privcmd mapping, -the kernel splits the VMA via __split_vma(). Since may_split is NULL, -the split is allowed. vm_area_dup() copies vm_private_data (a pages -array allocated in alloc_empty_pages()) into the new VMA without any -fixup, because there is no .open callback. - -Both VMAs now point to the same pages array. When the unmapped portion -is closed, privcmd_close() calls: - - xen_unmap_domain_gfn_range() - - xen_free_unpopulated_pages() - - kvfree(pages) - -The surviving VMA still holds the dangling pointer. When it is later -destroyed, the same sequence runs again, which leads to a double free. - -Fix this issue by adding a .may_split callback denying the VMA split. - -This is XSA-487 / CVE-2026-31787 - -Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.") -Reported-by: Atharva Vartak -Suggested-by: Atharva Vartak -Signed-off-by: Juergen Gross -Reviewed-by: Jan Beulich -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/privcmd.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/drivers/xen/privcmd.c -+++ b/drivers/xen/privcmd.c -@@ -935,6 +935,12 @@ static void privcmd_close(struct vm_area - kfree(pages); - } - -+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr) -+{ -+ /* Forbid splitting, avoids double free via privcmd_close(). 
*/ -+ return -EINVAL; -+} -+ - static vm_fault_t privcmd_fault(struct vm_fault *vmf) - { - printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n", -@@ -946,6 +952,7 @@ static vm_fault_t privcmd_fault(struct v - - static const struct vm_operations_struct privcmd_vm_ops = { - .close = privcmd_close, -+ .split = privcmd_may_split, - .fault = privcmd_fault - }; - diff --git a/queue-5.15/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch b/queue-5.15/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch deleted file mode 100644 index e8c4017048..0000000000 --- a/queue-5.15/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From c4766f7754a4c3dd5d9765aa773bb89013c9c703 Mon Sep 17 00:00:00 2001 -From: Juergen Gross -Date: Fri, 27 Mar 2026 14:13:38 +0100 -Subject: Buffer overflow in drivers/xen/sys-hypervisor.c - -From: Juergen Gross - -commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream. - -The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is -neither NUL terminated nor a string. - -The first causes a buffer overflow as sprintf in buildid_show will -read and copy till it finds a NUL. - -00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P| -00000010 b9 a8 01 42 6f 2e 32 |...Bo.2| -00000017 - -So use a memcpy instead of sprintf to have the correct value: - -00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P| -00000010 b9 a8 01 42 |...B| -00000014 - -(the above have a hack to embed a zero inside and check it's -returned correctly). - -This is XSA-485 / CVE-2026-31786 - -Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id") -Signed-off-by: Frediano Ziglio -Reviewed-by: Juergen Gross -Signed-off-by: Juergen Gross -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/sys-hypervisor.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - ---- a/drivers/xen/sys-hypervisor.c -+++ b/drivers/xen/sys-hypervisor.c -@@ -364,6 +364,8 @@ static ssize_t buildid_show(struct hyp_s - ret = sprintf(buffer, ""); - return ret; - } -+ if (ret > PAGE_SIZE) -+ return -ENOSPC; - - buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL); - if (!buildid) -@@ -371,8 +373,10 @@ static ssize_t buildid_show(struct hyp_s - - buildid->len = ret; - ret = HYPERVISOR_xen_version(XENVER_build_id, buildid); -- if (ret > 0) -- ret = sprintf(buffer, "%s", buildid->buf); -+ if (ret > 0) { -+ /* Build id is binary, not a string. */ -+ memcpy(buffer, buildid->buf, ret); -+ } - kfree(buildid); - - return ret; 
diff --git a/queue-5.15/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch b/queue-5.15/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch deleted file mode 100644 index 554c66d69f..0000000000 --- a/queue-5.15/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch +++ /dev/null @@ -1,38 +0,0 @@ -From f6ae8b47a19b534a5ee12a0eda3717f2cf48635d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 12 Apr 2026 13:32:21 +0800 -Subject: crypto: algif_aead - Fix minimum RX size check for decryption - -From: Herbert Xu - -[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ] - -The check for the minimum receive buffer size did not take the -tag size into account during decryption. Fix this by adding the -required extra length. - -Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com -Reported-by: Daniel Pouzzner -Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin ---- - crypto/algif_aead.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c -index 42493b4d8ce46..cb3959e2c435e 100644 ---- a/crypto/algif_aead.c -+++ b/crypto/algif_aead.c -@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, - if (usedpages < outlen) { - size_t less = outlen - usedpages; - -- if (used < less) { -+ if (used < less + (ctx->enc ? 0 : as)) { - err = -EINVAL; - goto free; - } --- -2.53.0 - diff --git a/queue-5.15/series b/queue-5.15/series index 1c0eb49672..a658dfef8f 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -38,7 +38,6 @@ af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
 l2tp-drop-large-packets-with-udp-encap.patch
 gpio-tegra-fix-irq_release_resources-calling-enable-.patch
 perf-x86-intel-uncore-skip-discovery-table-for-offli.patch
-crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
 i3c-fix-uninitialized-variable-use-in-i2c-setup.patch
 netfilter-conntrack-add-missing-netlink-policy-valid.patch
 mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflo.patch
@@ -197,5 +196,3 @@ ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
 padata-fix-pd-uaf-once-and-for-all.patch
 padata-remove-comment-for-reorder_work.patch
 driver-core-don-t-let-a-device-probe-until-it-s-read.patch
-buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
-xen-privcmd-fix-double-free-via-vma-splitting.patch
diff --git a/queue-5.15/xen-privcmd-fix-double-free-via-vma-splitting.patch b/queue-5.15/xen-privcmd-fix-double-free-via-vma-splitting.patch
deleted file mode 100644
index 0855e1f203..0000000000
--- a/queue-5.15/xen-privcmd-fix-double-free-via-vma-splitting.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From 44dbba7706ec59e8d13abb107f568faf779a05a9 Mon Sep 17 00:00:00 2001 -From: Juergen Gross -Date: Fri, 10 Apr 2026 09:20:04 +0200 -Subject: xen/privcmd: fix double free via VMA splitting - -From: Juergen Gross - -commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream. - -privcmd_vm_ops defines .close (privcmd_close), but neither .may_split -nor .open. When userspace does a partial munmap() on a privcmd mapping, -the kernel splits the VMA via __split_vma(). Since may_split is NULL, -the split is allowed. vm_area_dup() copies vm_private_data (a pages -array allocated in alloc_empty_pages()) into the new VMA without any -fixup, because there is no .open callback. - -Both VMAs now point to the same pages array. When the unmapped portion -is closed, privcmd_close() calls: - - xen_unmap_domain_gfn_range() - - xen_free_unpopulated_pages() - - kvfree(pages) - -The surviving VMA still holds the dangling pointer. When it is later -destroyed, the same sequence runs again, which leads to a double free. - -Fix this issue by adding a .may_split callback denying the VMA split. - -This is XSA-487 / CVE-2026-31787 - -Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.") -Reported-by: Atharva Vartak -Suggested-by: Atharva Vartak -Signed-off-by: Juergen Gross -Reviewed-by: Jan Beulich -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/privcmd.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/drivers/xen/privcmd.c -+++ b/drivers/xen/privcmd.c -@@ -934,6 +934,12 @@ static void privcmd_close(struct vm_area - kvfree(pages); - } - -+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr) -+{ -+ /* Forbid splitting, avoids double free via privcmd_close(). 
*/ -+ return -EINVAL; -+} -+ - static vm_fault_t privcmd_fault(struct vm_fault *vmf) - { - printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n", -@@ -945,6 +951,7 @@ static vm_fault_t privcmd_fault(struct v - - static const struct vm_operations_struct privcmd_vm_ops = { - .close = privcmd_close, -+ .may_split = privcmd_may_split, - .fault = privcmd_fault - }; - diff --git a/queue-6.1/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch b/queue-6.1/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch deleted file mode 100644 index 0f620ebd80..0000000000 --- a/queue-6.1/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch +++ /dev/null @@ -1,38 +0,0 @@ -From dbc10c174fbadb68b2d3e5fd7e4b2c432576b643 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 12 Apr 2026 13:32:21 +0800 -Subject: crypto: algif_aead - Fix minimum RX size check for decryption - -From: Herbert Xu - -[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ] - -The check for the minimum receive buffer size did not take the -tag size into account during decryption. Fix this by adding the -required extra length. - -Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com -Reported-by: Daniel Pouzzner -Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") -Signed-off-by: Herbert Xu -Signed-off-by: Sasha Levin ---- - crypto/algif_aead.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c -index 42493b4d8ce46..cb3959e2c435e 100644 ---- a/crypto/algif_aead.c -+++ b/crypto/algif_aead.c -@@ -170,7 +170,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, - if (usedpages < outlen) { - size_t less = outlen - usedpages; - -- if (used < less) { -+ if (used < less + (ctx->enc ? 0 : as)) { - err = -EINVAL; - goto free; - } --- -2.53.0 - diff --git a/queue-6.1/series b/queue-6.1/series index 4de6e548f1..4e6bf49e24 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
@@ -49,7 +49,6 @@ af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
 l2tp-drop-large-packets-with-udp-encap.patch
 gpio-tegra-fix-irq_release_resources-calling-enable-.patch
 perf-x86-intel-uncore-skip-discovery-table-for-offli.patch
-crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
 revert-drm-fix-use-after-free-on-framebuffers-and-pr.patch
 netfilter-conntrack-add-missing-netlink-policy-valid.patch
 alsa-usb-audio-improve-focusrite-sample-rate-filteri.patch
diff --git a/queue-6.12/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch b/queue-6.12/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
deleted file mode 100644
index 95effc0aa8..0000000000
--- a/queue-6.12/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From e3f1fffa2599582af75c7d368e9658b2d27708fb Mon Sep 17 00:00:00 2001 -From: Juergen Gross -Date: Fri, 27 Mar 2026 14:13:38 +0100 -Subject: Buffer overflow in drivers/xen/sys-hypervisor.c - -From: Juergen Gross - -commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream. - -The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is -neither NUL terminated nor a string. - -The first causes a buffer overflow as sprintf in buildid_show will -read and copy till it finds a NUL. - -00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P| -00000010 b9 a8 01 42 6f 2e 32 |...Bo.2| -00000017 - -So use a memcpy instead of sprintf to have the correct value: - -00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P| -00000010 b9 a8 01 42 |...B| -00000014 - -(the above have a hack to embed a zero inside and check it's -returned correctly). - -This is XSA-485 / CVE-2026-31786 - -Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id") -Signed-off-by: Frediano Ziglio -Reviewed-by: Juergen Gross -Signed-off-by: Juergen Gross -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/sys-hypervisor.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - ---- a/drivers/xen/sys-hypervisor.c -+++ b/drivers/xen/sys-hypervisor.c -@@ -366,6 +366,8 @@ static ssize_t buildid_show(struct hyp_s - ret = sprintf(buffer, ""); - return ret; - } -+ if (ret > PAGE_SIZE) -+ return -ENOSPC; - - buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL); - if (!buildid) -@@ -373,8 +375,10 @@ static ssize_t buildid_show(struct hyp_s - - buildid->len = ret; - ret = HYPERVISOR_xen_version(XENVER_build_id, buildid); -- if (ret > 0) -- ret = sprintf(buffer, "%s", buildid->buf); -+ if (ret > 0) { -+ /* Build id is binary, not a string. */ -+ memcpy(buffer, buildid->buf, ret); -+ } - kfree(buildid); - - return ret; diff --git a/queue-6.12/series b/queue-6.12/series index d0023a7741..339de80510 100644 --- a/queue-6.12/series 
+++ b/queue-6.12/series
@@ -25,5 +25,3 @@ drm-amdgpu-use-vmemdup_array_user-in-amdgpu_bo_creat.patch
 drm-amdgpu-limit-bo-list-entry-count-to-prevent-reso.patch
 device-property-make-modifications-of-fwnode-flags-thread-safe.patch
 ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
-buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
-xen-privcmd-fix-double-free-via-vma-splitting.patch
diff --git a/queue-6.12/xen-privcmd-fix-double-free-via-vma-splitting.patch b/queue-6.12/xen-privcmd-fix-double-free-via-vma-splitting.patch
deleted file mode 100644
index e3984bd1df..0000000000
--- a/queue-6.12/xen-privcmd-fix-double-free-via-vma-splitting.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From 75fbb2133406db20964cbe925fcff0c107af787f Mon Sep 17 00:00:00 2001 -From: Juergen Gross -Date: Fri, 10 Apr 2026 09:20:04 +0200 -Subject: xen/privcmd: fix double free via VMA splitting - -From: Juergen Gross - -commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream. - -privcmd_vm_ops defines .close (privcmd_close), but neither .may_split -nor .open. When userspace does a partial munmap() on a privcmd mapping, -the kernel splits the VMA via __split_vma(). Since may_split is NULL, -the split is allowed. vm_area_dup() copies vm_private_data (a pages -array allocated in alloc_empty_pages()) into the new VMA without any -fixup, because there is no .open callback. - -Both VMAs now point to the same pages array. When the unmapped portion -is closed, privcmd_close() calls: - - xen_unmap_domain_gfn_range() - - xen_free_unpopulated_pages() - - kvfree(pages) - -The surviving VMA still holds the dangling pointer. When it is later -destroyed, the same sequence runs again, which leads to a double free. - -Fix this issue by adding a .may_split callback denying the VMA split. - -This is XSA-487 / CVE-2026-31787 - -Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.") -Reported-by: Atharva Vartak -Suggested-by: Atharva Vartak -Signed-off-by: Juergen Gross -Reviewed-by: Jan Beulich -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/privcmd.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/drivers/xen/privcmd.c -+++ b/drivers/xen/privcmd.c -@@ -1639,6 +1639,12 @@ static void privcmd_close(struct vm_area - kvfree(pages); - } - -+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr) -+{ -+ /* Forbid splitting, avoids double free via privcmd_close(). 
*/ -+ return -EINVAL; -+} -+ - static vm_fault_t privcmd_fault(struct vm_fault *vmf) - { - printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n", -@@ -1650,6 +1656,7 @@ static vm_fault_t privcmd_fault(struct v - - static const struct vm_operations_struct privcmd_vm_ops = { - .close = privcmd_close, -+ .may_split = privcmd_may_split, - .fault = privcmd_fault - }; - diff --git a/queue-6.18/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch b/queue-6.18/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch deleted file mode 100644 index 8f447ed4d0..0000000000 --- a/queue-6.18/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 45d6d2dd7ae32bc230890e733a926bce7dbe09bf Mon Sep 17 00:00:00 2001 -From: Juergen Gross -Date: Fri, 27 Mar 2026 14:13:38 +0100 -Subject: Buffer overflow in drivers/xen/sys-hypervisor.c - -From: Juergen Gross - -commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream. - -The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is -neither NUL terminated nor a string. - -The first causes a buffer overflow as sprintf in buildid_show will -read and copy till it finds a NUL. - -00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P| -00000010 b9 a8 01 42 6f 2e 32 |...Bo.2| -00000017 - -So use a memcpy instead of sprintf to have the correct value: - -00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P| -00000010 b9 a8 01 42 |...B| -00000014 - -(the above have a hack to embed a zero inside and check it's -returned correctly). - -This is XSA-485 / CVE-2026-31786 - -Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id") -Signed-off-by: Frediano Ziglio -Reviewed-by: Juergen Gross -Signed-off-by: Juergen Gross -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/sys-hypervisor.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - ---- a/drivers/xen/sys-hypervisor.c -+++ b/drivers/xen/sys-hypervisor.c -@@ -366,6 +366,8 @@ static ssize_t buildid_show(struct hyp_s - ret = sprintf(buffer, ""); - return ret; - } -+ if (ret > PAGE_SIZE) -+ return -ENOSPC; - - buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL); - if (!buildid) -@@ -373,8 +375,10 @@ static ssize_t buildid_show(struct hyp_s - - buildid->len = ret; - ret = HYPERVISOR_xen_version(XENVER_build_id, buildid); -- if (ret > 0) -- ret = sprintf(buffer, "%s", buildid->buf); -+ if (ret > 0) { -+ /* Build id is binary, not a string. */ -+ memcpy(buffer, buildid->buf, ret); -+ } - kfree(buildid); - - return ret; diff --git a/queue-6.18/series b/queue-6.18/series index 293f4dfd5b..51bb111424 100644 --- a/queue-6.18/series 
+++ b/queue-6.18/series
@@ -23,5 +23,3 @@ firmware-google-framebuffer-do-not-mark-framebuffer-as-busy.patch
 arm64-mm-enable-batched-tlb-flush-in-unmap_hotplug_range.patch
 mm-migrate-requeue-destination-folio-on-deferred-split-queue.patch
 ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
-buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
-xen-privcmd-fix-double-free-via-vma-splitting.patch
diff --git a/queue-6.18/xen-privcmd-fix-double-free-via-vma-splitting.patch b/queue-6.18/xen-privcmd-fix-double-free-via-vma-splitting.patch
deleted file mode 100644
index 868222711e..0000000000
--- a/queue-6.18/xen-privcmd-fix-double-free-via-vma-splitting.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From 4ad984ad2a76e59f285d3f73ce0198aad2c24890 Mon Sep 17 00:00:00 2001 -From: Juergen Gross -Date: Fri, 10 Apr 2026 09:20:04 +0200 -Subject: xen/privcmd: fix double free via VMA splitting - -From: Juergen Gross - -commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream. - -privcmd_vm_ops defines .close (privcmd_close), but neither .may_split -nor .open. When userspace does a partial munmap() on a privcmd mapping, -the kernel splits the VMA via __split_vma(). Since may_split is NULL, -the split is allowed. vm_area_dup() copies vm_private_data (a pages -array allocated in alloc_empty_pages()) into the new VMA without any -fixup, because there is no .open callback. - -Both VMAs now point to the same pages array. When the unmapped portion -is closed, privcmd_close() calls: - - xen_unmap_domain_gfn_range() - - xen_free_unpopulated_pages() - - kvfree(pages) - -The surviving VMA still holds the dangling pointer. When it is later -destroyed, the same sequence runs again, which leads to a double free. - -Fix this issue by adding a .may_split callback denying the VMA split. - -This is XSA-487 / CVE-2026-31787 - -Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.") -Reported-by: Atharva Vartak -Suggested-by: Atharva Vartak -Signed-off-by: Juergen Gross -Reviewed-by: Jan Beulich -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/privcmd.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/drivers/xen/privcmd.c -+++ b/drivers/xen/privcmd.c -@@ -1619,6 +1619,12 @@ static void privcmd_close(struct vm_area - kvfree(pages); - } - -+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr) -+{ -+ /* Forbid splitting, avoids double free via privcmd_close(). 
*/ -+ return -EINVAL; -+} -+ - static vm_fault_t privcmd_fault(struct vm_fault *vmf) - { - printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n", -@@ -1630,6 +1636,7 @@ static vm_fault_t privcmd_fault(struct v - - static const struct vm_operations_struct privcmd_vm_ops = { - .close = privcmd_close, -+ .may_split = privcmd_may_split, - .fault = privcmd_fault - }; - diff --git a/queue-6.6/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch b/queue-6.6/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch deleted file mode 100644 index 1303de6adb..0000000000 --- a/queue-6.6/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From b48b4a0fe9c892182fa6c2b209f720e06a2da2e4 Mon Sep 17 00:00:00 2001 -From: Juergen Gross -Date: Fri, 27 Mar 2026 14:13:38 +0100 -Subject: Buffer overflow in drivers/xen/sys-hypervisor.c - -From: Juergen Gross - -commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream. - -The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is -neither NUL terminated nor a string. - -The first causes a buffer overflow as sprintf in buildid_show will -read and copy till it finds a NUL. - -00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P| -00000010 b9 a8 01 42 6f 2e 32 |...Bo.2| -00000017 - -So use a memcpy instead of sprintf to have the correct value: - -00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P| -00000010 b9 a8 01 42 |...B| -00000014 - -(the above have a hack to embed a zero inside and check it's -returned correctly). - -This is XSA-485 / CVE-2026-31786 - -Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id") -Signed-off-by: Frediano Ziglio -Reviewed-by: Juergen Gross -Signed-off-by: Juergen Gross -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/sys-hypervisor.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - ---- a/drivers/xen/sys-hypervisor.c -+++ b/drivers/xen/sys-hypervisor.c -@@ -366,6 +366,8 @@ static ssize_t buildid_show(struct hyp_s - ret = sprintf(buffer, ""); - return ret; - } -+ if (ret > PAGE_SIZE) -+ return -ENOSPC; - - buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL); - if (!buildid) -@@ -373,8 +375,10 @@ static ssize_t buildid_show(struct hyp_s - - buildid->len = ret; - ret = HYPERVISOR_xen_version(XENVER_build_id, buildid); -- if (ret > 0) -- ret = sprintf(buffer, "%s", buildid->buf); -+ if (ret > 0) { -+ /* Build id is binary, not a string. */ -+ memcpy(buffer, buildid->buf, ret); -+ } - kfree(buildid); - - return ret; diff --git a/queue-6.6/series b/queue-6.6/series index 1e2ece573f..6366d05db4 100644 --- a/queue-6.6/series 
+++ b/queue-6.6/series
@@ -21,5 +21,3 @@ device-property-make-modifications-of-fwnode-flags-thread-safe.patch
 ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
 driver-core-don-t-let-a-device-probe-until-it-s-read.patch
 loongarch-add-spectre-boundry-for-syscall-dispatch-t.patch
-buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
-xen-privcmd-fix-double-free-via-vma-splitting.patch
diff --git a/queue-6.6/xen-privcmd-fix-double-free-via-vma-splitting.patch b/queue-6.6/xen-privcmd-fix-double-free-via-vma-splitting.patch
deleted file mode 100644
index 8314bc1b33..0000000000
--- a/queue-6.6/xen-privcmd-fix-double-free-via-vma-splitting.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -From 02c742b226a483d487a851ead1759b8529292c64 Mon Sep 17 00:00:00 2001 -From: Juergen Gross -Date: Fri, 10 Apr 2026 09:20:04 +0200 -Subject: xen/privcmd: fix double free via VMA splitting - -From: Juergen Gross - -commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream. - -privcmd_vm_ops defines .close (privcmd_close), but neither .may_split -nor .open. When userspace does a partial munmap() on a privcmd mapping, -the kernel splits the VMA via __split_vma(). Since may_split is NULL, -the split is allowed. vm_area_dup() copies vm_private_data (a pages -array allocated in alloc_empty_pages()) into the new VMA without any -fixup, because there is no .open callback. - -Both VMAs now point to the same pages array. When the unmapped portion -is closed, privcmd_close() calls: - - xen_unmap_domain_gfn_range() - - xen_free_unpopulated_pages() - - kvfree(pages) - -The surviving VMA still holds the dangling pointer. When it is later -destroyed, the same sequence runs again, which leads to a double free. - -Fix this issue by adding a .may_split callback denying the VMA split. - -This is XSA-487 / CVE-2026-31787 - -Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.") -Reported-by: Atharva Vartak -Suggested-by: Atharva Vartak -Signed-off-by: Juergen Gross -Reviewed-by: Jan Beulich -Signed-off-by: Greg Kroah-Hartman ---- - drivers/xen/privcmd.c | 7 +++++++ - 1 file changed, 7 insertions(+) - ---- a/drivers/xen/privcmd.c -+++ b/drivers/xen/privcmd.c -@@ -1213,6 +1213,12 @@ static void privcmd_close(struct vm_area - kvfree(pages); - } - -+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr) -+{ -+ /* Forbid splitting, avoids double free via privcmd_close(). 
*/ -+ return -EINVAL; -+} -+ - static vm_fault_t privcmd_fault(struct vm_fault *vmf) - { - printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n", -@@ -1224,6 +1230,7 @@ static vm_fault_t privcmd_fault(struct v - - static const struct vm_operations_struct privcmd_vm_ops = { - .close = privcmd_close, -+ .may_split = privcmd_may_split, - .fault = privcmd_fault - }; - diff --git a/queue-7.0/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch b/queue-7.0/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch deleted file mode 100644 index 289eb654cb..0000000000 --- a/queue-7.0/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch +++ /dev/null 
@@ -1,63 +0,0 @@
-From 2605bd8aa92807c3047545a639680c545aeb61a7 Mon Sep 17 00:00:00 2001
-From: Juergen Gross
-Date: Fri, 27 Mar 2026 14:13:38 +0100
-Subject: Buffer overflow in drivers/xen/sys-hypervisor.c
-
-From: Juergen Gross
-
-commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream.
-
-The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
-neither NUL terminated nor a string.
-
-The first causes a buffer overflow as sprintf in buildid_show will
-read and copy till it finds a NUL.
-
-00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
-00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
-00000017
-
-So use a memcpy instead of sprintf to have the correct value:
-
-00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
-00000010 b9 a8 01 42 |...B|
-00000014
-
-(the above have a hack to embed a zero inside and check it's
-returned correctly).
-
-This is XSA-485 / CVE-2026-31786
-
-Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id")
-Signed-off-by: Frediano Ziglio
-Reviewed-by: Juergen Gross
-Signed-off-by: Juergen Gross
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/xen/sys-hypervisor.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/drivers/xen/sys-hypervisor.c
-+++ b/drivers/xen/sys-hypervisor.c
-@@ -366,6 +366,8 @@ static ssize_t buildid_show(struct hyp_s
- ret = sprintf(buffer, "");
- return ret;
- }
-+ if (ret > PAGE_SIZE)
-+ return -ENOSPC;
-+
- buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL);
- if (!buildid)
-@@ -373,8 +375,10 @@ static ssize_t buildid_show(struct hyp_s
-
- buildid->len = ret;
- ret = HYPERVISOR_xen_version(XENVER_build_id, buildid);
-- if (ret > 0)
-- ret = sprintf(buffer, "%s", buildid->buf);
-+ if (ret > 0) {
-+ /* Build id is binary, not a string. */
-+ memcpy(buffer, buildid->buf, ret);
-+ }
- kfree(buildid);
-
- return ret;
diff --git a/queue-7.0/series b/queue-7.0/series
index 308279a10f..947d320c52 100644
--- a/queue-7.0/series
+++ b/queue-7.0/series
@@ -28,5 +28,3 @@ mm-migrate-requeue-destination-folio-on-deferred-split-queue.patch
 mm-prevent-droppable-mappings-from-being-locked.patch
 mm-fix-deferred-split-queue-races-during-migration.patch
 ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
-buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
-xen-privcmd-fix-double-free-via-vma-splitting.patch
diff --git a/queue-7.0/xen-privcmd-fix-double-free-via-vma-splitting.patch b/queue-7.0/xen-privcmd-fix-double-free-via-vma-splitting.patch
deleted file mode 100644
index 166477f01d..0000000000
--- a/queue-7.0/xen-privcmd-fix-double-free-via-vma-splitting.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From e8787a0c1618a1a4d594eaaf907c36d372bdb5a1 Mon Sep 17 00:00:00 2001
-From: Juergen Gross
-Date: Fri, 10 Apr 2026 09:20:04 +0200
-Subject: xen/privcmd: fix double free via VMA splitting
-
-From: Juergen Gross
-
-commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream.
-
-privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
-nor .open. When userspace does a partial munmap() on a privcmd mapping,
-the kernel splits the VMA via __split_vma(). Since may_split is NULL,
-the split is allowed. vm_area_dup() copies vm_private_data (a pages
-array allocated in alloc_empty_pages()) into the new VMA without any
-fixup, because there is no .open callback.
-
-Both VMAs now point to the same pages array. When the unmapped portion
-is closed, privcmd_close() calls:
- - xen_unmap_domain_gfn_range()
- - xen_free_unpopulated_pages()
- - kvfree(pages)
-
-The surviving VMA still holds the dangling pointer. When it is later
-destroyed, the same sequence runs again, which leads to a double free.
-
-Fix this issue by adding a .may_split callback denying the VMA split.
-
-This is XSA-487 / CVE-2026-31787
-
-Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.")
-Reported-by: Atharva Vartak
-Suggested-by: Atharva Vartak
-Signed-off-by: Juergen Gross
-Reviewed-by: Jan Beulich
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/xen/privcmd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/xen/privcmd.c
-+++ b/drivers/xen/privcmd.c
-@@ -1620,6 +1620,12 @@ static void privcmd_close(struct vm_area
- kvfree(pages);
- }
-
-+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr)
-+{
-+ /* Forbid splitting, avoids double free via privcmd_close(). 
*/
-+ return -EINVAL;
-+}
-+
- static vm_fault_t privcmd_fault(struct vm_fault *vmf)
- {
- printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
-@@ -1631,6 +1637,7 @@ static vm_fault_t privcmd_fault(struct v
-
- static const struct vm_operations_struct privcmd_vm_ops = {
- .close = privcmd_close,
-+ .may_split = privcmd_may_split,
- .fault = privcmd_fault
- };
-