git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
fix up duplicates master
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Jun 2026 17:38:51 +0000 (19:38 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Jun 2026 17:38:51 +0000 (19:38 +0200)
23 files changed:
queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch [deleted file]
queue-5.10/series
queue-5.15/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch [deleted file]
queue-5.15/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch [deleted file]
queue-5.15/series
queue-6.1/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch [deleted file]
queue-6.1/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch [deleted file]
queue-6.1/series
queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch [deleted file]
queue-6.12/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch [deleted file]
queue-6.12/series
queue-6.18/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch [deleted file]
queue-6.18/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch [deleted file]
queue-6.18/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch [deleted file]
queue-6.18/series
queue-6.6/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch [deleted file]
queue-6.6/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch [deleted file]
queue-6.6/series
queue-7.0/bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-p.patch [deleted file]
queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch [deleted file]
queue-7.0/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch [deleted file]
queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch [deleted file]
queue-7.0/series

diff --git a/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644 (file)
index a411d4a..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-From e19e48d6663d064c2ef53e206b125981164876db Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index f0bd4ae19df67f..25438ba6bdfb72 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -477,12 +477,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-               client->adapter->retries = arg;
-               break;
-       case I2C_TIMEOUT:
--              if (arg > INT_MAX)
-+              /*
-+               * For historical reasons, user-space sets the timeout value in
-+               * units of 10 ms.
-+               */
-+              if (arg > INT_MAX / 10)
-                       return -EINVAL;
--              /* For historical reasons, user-space sets the timeout
--               * value in units of 10 ms.
--               */
-               client->adapter->timeout = msecs_to_jiffies(arg * 10);
-               break;
-       default:
--- 
-2.53.0
-
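--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -147,7 +147,6 @@ ipv4-restrict-ipopt_ssrr-and-ipopt_lsrr-options.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
 time-fix-off-by-one-in-settimeofday-usec-validation.patch
 alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch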
diff --git a/queue-5.15/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-5.15/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644 (file)
index e9d0c7f..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-From f14b9824b6fb9b3f6e2a94de10b36ea7fe1a64a4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index 9fefceb3a95d46..e18d14bf94a9be 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-               client->adapter->retries = arg;
-               break;
-       case I2C_TIMEOUT:
--              if (arg > INT_MAX)
-+              /*
-+               * For historical reasons, user-space sets the timeout value in
-+               * units of 10 ms.
-+               */
-+              if (arg > INT_MAX / 10)
-                       return -EINVAL;
--              /* For historical reasons, user-space sets the timeout
--               * value in units of 10 ms.
--               */
-               client->adapter->timeout = msecs_to_jiffies(arg * 10);
-               break;
-       default:
--- 
-2.53.0
-
diff --git a/queue-5.15/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch b/queue-5.15/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
deleted file mode 100644 (file)
index 57ee14e..0000000
+++ /dev/null
@@ -1,107 +0,0 @@
-From b9869d1ed6d30a63dc017f9a20f9b54491a7754e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel <idosch@nvidia.com>
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-<TASK>
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-</TASK>
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin <leo@depthfirst.com>
-Reviewed-by: David Ahern <dahern@nvidia.com>
-Signed-off-by: Ido Schimmel <idosch@nvidia.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index 77a9f17c816b5d..18a3516abb586e 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1392,9 +1392,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
-       struct mld2_query *mlh2 = NULL;
--      const struct in6_addr *group;
-       unsigned long max_delay;
-       struct inet6_dev *idev;
-+      struct in6_addr group;
-       struct ifmcaddr6 *ma;
-       struct mld_msg *mld;
-       int group_type;
-@@ -1426,8 +1426,8 @@ static void __mld_query_work(struct sk_buff *skb)
-               goto kfree_skb;
-       mld = (struct mld_msg *)icmp6_hdr(skb);
--      group = &mld->mld_mca;
--      group_type = ipv6_addr_type(group);
-+      group = mld->mld_mca;
-+      group_type = ipv6_addr_type(&group);
-       if (group_type != IPV6_ADDR_ANY &&
-           !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1477,7 +1477,7 @@ static void __mld_query_work(struct sk_buff *skb)
-               }
-       } else {
-               for_each_mc_mclock(idev, ma) {
--                      if (!ipv6_addr_equal(group, &ma->mca_addr))
-+                      if (!ipv6_addr_equal(&group, &ma->mca_addr))
-                               continue;
-                       if (ma->mca_flags & MAF_TIMER_RUNNING) {
-                               /* gsquery <- gsquery && mark */
--- 
-2.53.0
-
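--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -166,11 +166,9 @@ bluetooth-bnep-fix-incorrect-length-parsing-in-bnep_.patch
 bluetooth-bnep-reject-short-frames-before-parsing.patch
 bluetooth-fix-memory-leak-in-error-path-of-hci_alloc.patch
 ipv4-restrict-ipopt_ssrr-and-ipopt_lsrr-options.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
 time-fix-off-by-one-in-settimeofday-usec-validation.patch
 ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch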
diff --git a/queue-6.1/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-6.1/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644 (file)
index 85258e7..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-From 2af63b4f342848bc4201b9020bbea401c09cd2da Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index dd35f341b16fd3..d10d8fe29a73b9 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-               client->adapter->retries = arg;
-               break;
-       case I2C_TIMEOUT:
--              if (arg > INT_MAX)
-+              /*
-+               * For historical reasons, user-space sets the timeout value in
-+               * units of 10 ms.
-+               */
-+              if (arg > INT_MAX / 10)
-                       return -EINVAL;
--              /* For historical reasons, user-space sets the timeout
--               * value in units of 10 ms.
--               */
-               client->adapter->timeout = msecs_to_jiffies(arg * 10);
-               break;
-       default:
--- 
-2.53.0
-
diff --git a/queue-6.1/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch b/queue-6.1/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
deleted file mode 100644 (file)
index 5a809fd..0000000
+++ /dev/null
@@ -1,107 +0,0 @@
-From 069404dfdfb6001db5fc68846b408ca92c65ec83 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel <idosch@nvidia.com>
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-<TASK>
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-</TASK>
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin <leo@depthfirst.com>
-Reviewed-by: David Ahern <dahern@nvidia.com>
-Signed-off-by: Ido Schimmel <idosch@nvidia.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index e7f569875e7186..f6af19b873a41d 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1392,9 +1392,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
-       struct mld2_query *mlh2 = NULL;
--      const struct in6_addr *group;
-       unsigned long max_delay;
-       struct inet6_dev *idev;
-+      struct in6_addr group;
-       struct ifmcaddr6 *ma;
-       struct mld_msg *mld;
-       int group_type;
-@@ -1426,8 +1426,8 @@ static void __mld_query_work(struct sk_buff *skb)
-               goto kfree_skb;
-       mld = (struct mld_msg *)icmp6_hdr(skb);
--      group = &mld->mld_mca;
--      group_type = ipv6_addr_type(group);
-+      group = mld->mld_mca;
-+      group_type = ipv6_addr_type(&group);
-       if (group_type != IPV6_ADDR_ANY &&
-           !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1477,7 +1477,7 @@ static void __mld_query_work(struct sk_buff *skb)
-               }
-       } else {
-               for_each_mc_mclock(idev, ma) {
--                      if (!ipv6_addr_equal(group, &ma->mca_addr))
-+                      if (!ipv6_addr_equal(&group, &ma->mca_addr))
-                               continue;
-                       if (ma->mca_flags & MAF_TIMER_RUNNING) {
-                               /* gsquery <- gsquery && mark */
--- 
-2.53.0
-
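--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -221,11 +221,9 @@ ptp-vclock-switch-from-rcu-to-srcu.patch
 octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
 vxlan-vnifilter-send-notification-on-vni-add.patch
 vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
 signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
 time-fix-off-by-one-in-settimeofday-usec-validation.patch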
diff --git a/queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644 (file)
index 2822b77..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-From ba552ad18875cc90f6b8a704c8b3539f7634ab30 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index e9577f920286d0..c8715df8b08b1d 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-               client->adapter->retries = arg;
-               break;
-       case I2C_TIMEOUT:
--              if (arg > INT_MAX)
-+              /*
-+               * For historical reasons, user-space sets the timeout value in
-+               * units of 10 ms.
-+               */
-+              if (arg > INT_MAX / 10)
-                       return -EINVAL;
--              /* For historical reasons, user-space sets the timeout
--               * value in units of 10 ms.
--               */
-               client->adapter->timeout = msecs_to_jiffies(arg * 10);
-               break;
-       default:
--- 
-2.53.0
-
diff --git a/queue-6.12/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch b/queue-6.12/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
deleted file mode 100644 (file)
index e3796f9..0000000
+++ /dev/null
@@ -1,107 +0,0 @@
-From f9ac9192b424b7eab8e2819013c2d9a82cb473d5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel <idosch@nvidia.com>
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-<TASK>
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-</TASK>
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin <leo@depthfirst.com>
-Reviewed-by: David Ahern <dahern@nvidia.com>
-Signed-off-by: Ido Schimmel <idosch@nvidia.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index e2a11a2f3b255d..b769e856a068d2 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1393,9 +1393,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
-       struct mld2_query *mlh2 = NULL;
--      const struct in6_addr *group;
-       unsigned long max_delay;
-       struct inet6_dev *idev;
-+      struct in6_addr group;
-       struct ifmcaddr6 *ma;
-       struct mld_msg *mld;
-       int group_type;
-@@ -1427,8 +1427,8 @@ static void __mld_query_work(struct sk_buff *skb)
-               goto kfree_skb;
-       mld = (struct mld_msg *)icmp6_hdr(skb);
--      group = &mld->mld_mca;
--      group_type = ipv6_addr_type(group);
-+      group = mld->mld_mca;
-+      group_type = ipv6_addr_type(&group);
-       if (group_type != IPV6_ADDR_ANY &&
-           !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1478,7 +1478,7 @@ static void __mld_query_work(struct sk_buff *skb)
-               }
-       } else {
-               for_each_mc_mclock(idev, ma) {
--                      if (!ipv6_addr_equal(group, &ma->mca_addr))
-+                      if (!ipv6_addr_equal(&group, &ma->mca_addr))
-                               continue;
-                       if (ma->mca_flags & MAF_TIMER_RUNNING) {
-                               /* gsquery <- gsquery && mark */
--- 
-2.53.0
-
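--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -54,11 +54,9 @@ net-sched-fix-pedit-partial-cow-leading-to-page-cach.patch
 octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
 vxlan-vnifilter-send-notification-on-vni-add.patch
 vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
 signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
 time-fix-off-by-one-in-settimeofday-usec-validation.patch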
diff --git a/queue-6.18/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-6.18/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644 (file)
index 0bd6147..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-From ce65f2949f6432822977613ca7101d6a86254f9a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index e9577f920286d0..c8715df8b08b1d 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-               client->adapter->retries = arg;
-               break;
-       case I2C_TIMEOUT:
--              if (arg > INT_MAX)
-+              /*
-+               * For historical reasons, user-space sets the timeout value in
-+               * units of 10 ms.
-+               */
-+              if (arg > INT_MAX / 10)
-                       return -EINVAL;
--              /* For historical reasons, user-space sets the timeout
--               * value in units of 10 ms.
--               */
-               client->adapter->timeout = msecs_to_jiffies(arg * 10);
-               break;
-       default:
--- 
-2.53.0
-
diff --git a/queue-6.18/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch b/queue-6.18/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
deleted file mode 100644 (file)
index f39b33b..0000000
+++ /dev/null
@@ -1,107 +0,0 @@
-From 5a688c86061ed594756a1c02aa894a2400dbad73 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel <idosch@nvidia.com>
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-<TASK>
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-</TASK>
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin <leo@depthfirst.com>
-Reviewed-by: David Ahern <dahern@nvidia.com>
-Signed-off-by: Ido Schimmel <idosch@nvidia.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index 016b572e7d6f02..f4b3cb48387096 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1424,9 +1424,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
-       struct mld2_query *mlh2 = NULL;
--      const struct in6_addr *group;
-       unsigned long max_delay;
-       struct inet6_dev *idev;
-+      struct in6_addr group;
-       struct ifmcaddr6 *ma;
-       struct mld_msg *mld;
-       int group_type;
-@@ -1458,8 +1458,8 @@ static void __mld_query_work(struct sk_buff *skb)
-               goto kfree_skb;
-       mld = (struct mld_msg *)icmp6_hdr(skb);
--      group = &mld->mld_mca;
--      group_type = ipv6_addr_type(group);
-+      group = mld->mld_mca;
-+      group_type = ipv6_addr_type(&group);
-       if (group_type != IPV6_ADDR_ANY &&
-           !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1509,7 +1509,7 @@ static void __mld_query_work(struct sk_buff *skb)
-               }
-       } else {
-               for_each_mc_mclock(idev, ma) {
--                      if (!ipv6_addr_equal(group, &ma->mca_addr))
-+                      if (!ipv6_addr_equal(&group, &ma->mca_addr))
-                               continue;
-                       if (ma->mca_flags & MAF_TIMER_RUNNING) {
-                               /* gsquery <- gsquery && mark */
--- 
-2.53.0
-
diff --git a/queue-6.18/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch b/queue-6.18/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
deleted file mode 100644 (file)
index 72f42f8..0000000
+++ /dev/null
@@ -1,61 +0,0 @@
-From cac4acb1b336b27232ae740be39eaa1034ecb0dd Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 9 Jun 2026 18:48:08 +0900
-Subject: KVM: arm64: Take the SRCU lock for page table walks in fault
- injection and AT emulation
-
-From: Hyunwoo Kim <imv4bel@gmail.com>
-
-[ Upstream commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 ]
-
-walk_s1() and kvm_walk_nested_s2() expect to be called while holding
-kvm->srcu to guard against memslot changes. While this is generally
-the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
-respective walkers without taking kvm->srcu.
-
-Fix by acquiring kvm->srcu prior to the table walk in both instances.
-
-Cc: stable@vger.kernel.org
-Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection")
-Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
-Suggested-by: Oliver Upton <oupton@kernel.org>
-Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
-Reviewed-by: Oliver Upton <oupton@kernel.org>
-Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
-Signed-off-by: Marc Zyngier <maz@kernel.org>
-[ Hyunwoo Kim: __kvm_at_s12() still returns void in 6.18.y, so the
-  surrounding context differs from upstream (return; instead of
-  return ret;); the added scoped_guard() is unchanged. ]
-Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm64/kvm/at.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/arch/arm64/kvm/at.c b/arch/arm64/kvm/at.c
-index be26d5aa668c39..e6de6aac6ede20 100644
---- a/arch/arm64/kvm/at.c
-+++ b/arch/arm64/kvm/at.c
-@@ -1528,7 +1528,8 @@ void __kvm_at_s12(struct kvm_vcpu *vcpu, u32 op, u64 vaddr)
-       /* Do the stage-2 translation */
-       ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0));
-       out.esr = 0;
--      ret = kvm_walk_nested_s2(vcpu, ipa, &out);
-+      scoped_guard(srcu, &vcpu->kvm->srcu)
-+              ret = kvm_walk_nested_s2(vcpu, ipa, &out);
-       if (ret < 0)
-               return;
-@@ -1623,7 +1624,8 @@ int __kvm_find_s1_desc_level(struct kvm_vcpu *vcpu, u64 va, u64 ipa, int *level)
-       }
-       /* Walk the guest's PT, looking for a match along the way */
--      ret = walk_s1(vcpu, &wi, &wr, va);
-+      scoped_guard(srcu, &vcpu->kvm->srcu)
-+              ret = walk_s1(vcpu, &wi, &wr, va);
-       switch (ret) {
-       case -EINTR:
-               /* We interrupted the walk on a match, return the level */
--- 
-2.53.0
-
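--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -62,12 +62,9 @@ sctp-validate-cached-peer-init-chunk-length-in-cooki.patch
 octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
 vxlan-vnifilter-send-notification-on-vni-add.patch
 vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
-kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
 drivers-hv-vmbus-protocol-version-6.0.patch
 drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch
 drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch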
diff --git a/queue-6.6/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-6.6/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644 (file)
index d3e8ecd..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-From a0c0fa10ee209567b685a35881676d4e0fadfa14 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index 7d337380a05d99..2ee07fc675d63a 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-               client->adapter->retries = arg;
-               break;
-       case I2C_TIMEOUT:
--              if (arg > INT_MAX)
-+              /*
-+               * For historical reasons, user-space sets the timeout value in
-+               * units of 10 ms.
-+               */
-+              if (arg > INT_MAX / 10)
-                       return -EINVAL;
--              /* For historical reasons, user-space sets the timeout
--               * value in units of 10 ms.
--               */
-               client->adapter->timeout = msecs_to_jiffies(arg * 10);
-               break;
-       default:
--- 
-2.53.0
-
diff --git a/queue-6.6/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch b/queue-6.6/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
deleted file mode 100644 (file)
index a4d7443..0000000
+++ /dev/null
@@ -1,107 +0,0 @@
-From 1bb28a2c0b24a60a2a573a9a1664c70a7b819c84 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel <idosch@nvidia.com>
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-<TASK>
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-</TASK>
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin <leo@depthfirst.com>
-Reviewed-by: David Ahern <dahern@nvidia.com>
-Signed-off-by: Ido Schimmel <idosch@nvidia.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index 160b452f75e7d2..c52865e20a4114 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1392,9 +1392,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
-       struct mld2_query *mlh2 = NULL;
--      const struct in6_addr *group;
-       unsigned long max_delay;
-       struct inet6_dev *idev;
-+      struct in6_addr group;
-       struct ifmcaddr6 *ma;
-       struct mld_msg *mld;
-       int group_type;
-@@ -1426,8 +1426,8 @@ static void __mld_query_work(struct sk_buff *skb)
-               goto kfree_skb;
-       mld = (struct mld_msg *)icmp6_hdr(skb);
--      group = &mld->mld_mca;
--      group_type = ipv6_addr_type(group);
-+      group = mld->mld_mca;
-+      group_type = ipv6_addr_type(&group);
-       if (group_type != IPV6_ADDR_ANY &&
-           !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1477,7 +1477,7 @@ static void __mld_query_work(struct sk_buff *skb)
-               }
-       } else {
-               for_each_mc_mclock(idev, ma) {
--                      if (!ipv6_addr_equal(group, &ma->mca_addr))
-+                      if (!ipv6_addr_equal(&group, &ma->mca_addr))
-                               continue;
-                       if (ma->mca_flags & MAF_TIMER_RUNNING) {
-                               /* gsquery <- gsquery && mark */
--- 
-2.53.0
-
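--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -241,11 +241,9 @@ net-ethernet-mtk_eth_soc-fix-use-after-free-in-metad.patch
 octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
 vxlan-vnifilter-send-notification-on-vni-add.patch
 vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
 signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
 time-fix-off-by-one-in-settimeofday-usec-validation.patch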
diff --git a/queue-7.0/bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-p.patch b/queue-7.0/bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-p.patch
deleted file mode 100644 (file)
index 50d9cd2..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-From a7e58d3d636a0a157ef84216335f4832960d0d10 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 1 Jun 2026 14:52:09 -0400
-Subject: Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer
-
-From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-
-[ Upstream commit f50331f2a1441ec49988832c3a95f2edacc47322 ]
-
-In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is
-dropped:
-       bis = iso_pi(sk)->conn->hcon;
-       /* Release the socket before lookups since that requires hci_dev_lock
-        * which shall not be acquired while holding sock_lock for proper
-        * ordering.
-        */
-       release_sock(sk);
-       hci_dev_lock(bis->hdev);
-
-During the unlocked window, could a concurrent close() destroy the connection
-and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory
-after it is freed, fix this by using the hdev reference which was safely
-acquired via iso_conn_get_hdev().
-
-Fixes: d3413703d5f8 ("Bluetooth: ISO: Add support to bind to trigger PAST")
-Reported-by: Sashiko <sashiko-bot@kernel.org>
-Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/bluetooth/iso.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
-index 2363b6135c6f1b..05a3f1e554fe67 100644
---- a/net/bluetooth/iso.c
-+++ b/net/bluetooth/iso.c
-@@ -1090,7 +1090,7 @@ static int iso_sock_rebind_bc(struct sock *sk, struct sockaddr_iso *sa,
-        * ordering.
-        */
-       release_sock(sk);
--      hci_dev_lock(bis->hdev);
-+      hci_dev_lock(hdev);
-       lock_sock(sk);
-       if (!iso_pi(sk)->conn || iso_pi(sk)->conn->hcon != bis) {
--- 
-2.53.0
-
diff --git a/queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644 (file)
index 8f15c2e..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-From d4d49d7d68259828c44eb97566b49cfcc45b2d80 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index 7bbe0263411eb7..ccaac5e29f906b 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
-               client->adapter->retries = arg;
-               break;
-       case I2C_TIMEOUT:
--              if (arg > INT_MAX)
-+              /*
-+               * For historical reasons, user-space sets the timeout value in
-+               * units of 10 ms.
-+               */
-+              if (arg > INT_MAX / 10)
-                       return -EINVAL;
--              /* For historical reasons, user-space sets the timeout
--               * value in units of 10 ms.
--               */
-               client->adapter->timeout = msecs_to_jiffies(arg * 10);
-               break;
-       default:
--- 
-2.53.0
-
diff --git a/queue-7.0/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch b/queue-7.0/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
deleted file mode 100644 (file)
index c57410b..0000000
+++ /dev/null
@@ -1,107 +0,0 @@
-From c9d11fe24aba67d9adbd03e528b6adc93bb27b39 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel <idosch@nvidia.com>
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-<TASK>
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-</TASK>
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin <leo@depthfirst.com>
-Reviewed-by: David Ahern <dahern@nvidia.com>
-Signed-off-by: Ido Schimmel <idosch@nvidia.com>
-Reviewed-by: Eric Dumazet <edumazet@google.com>
-Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index 3330adcf26db24..d9b855d5191bf6 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1424,9 +1424,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
-       struct mld2_query *mlh2 = NULL;
--      const struct in6_addr *group;
-       unsigned long max_delay;
-       struct inet6_dev *idev;
-+      struct in6_addr group;
-       struct ifmcaddr6 *ma;
-       struct mld_msg *mld;
-       int group_type;
-@@ -1458,8 +1458,8 @@ static void __mld_query_work(struct sk_buff *skb)
-               goto kfree_skb;
-       mld = (struct mld_msg *)icmp6_hdr(skb);
--      group = &mld->mld_mca;
--      group_type = ipv6_addr_type(group);
-+      group = mld->mld_mca;
-+      group_type = ipv6_addr_type(&group);
-       if (group_type != IPV6_ADDR_ANY &&
-           !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1509,7 +1509,7 @@ static void __mld_query_work(struct sk_buff *skb)
-               }
-       } else {
-               for_each_mc_mclock(idev, ma) {
--                      if (!ipv6_addr_equal(group, &ma->mca_addr))
-+                      if (!ipv6_addr_equal(&group, &ma->mca_addr))
-                               continue;
-                       if (ma->mca_flags & MAF_TIMER_RUNNING) {
-                               /* gsquery <- gsquery && mark */
--- 
-2.53.0
-
diff --git a/queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch b/queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
deleted file mode 100644 (file)
index 1ef9964..0000000
+++ /dev/null
@@ -1,57 +0,0 @@
-From 971c15264302a47c87e42cb68fba5033109d2522 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Jun 2026 21:09:33 +0900
-Subject: KVM: arm64: Take the SRCU lock for page table walks in fault
- injection and AT emulation
-
-From: Hyunwoo Kim <imv4bel@gmail.com>
-
-[ Upstream commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 ]
-
-walk_s1() and kvm_walk_nested_s2() expect to be called while holding
-kvm->srcu to guard against memslot changes. While this is generally
-the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
-respective walkers without taking kvm->srcu.
-
-Fix by acquiring kvm->srcu prior to the table walk in both instances.
-
-Cc: stable@vger.kernel.org
-Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection")
-Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
-Suggested-by: Oliver Upton <oupton@kernel.org>
-Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
-Reviewed-by: Oliver Upton <oupton@kernel.org>
-Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
-Signed-off-by: Marc Zyngier <maz@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm64/kvm/at.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/arch/arm64/kvm/at.c b/arch/arm64/kvm/at.c
-index a024d9a770dc74..1d563070526c4d 100644
---- a/arch/arm64/kvm/at.c
-+++ b/arch/arm64/kvm/at.c
-@@ -1568,7 +1568,8 @@ int __kvm_at_s12(struct kvm_vcpu *vcpu, u32 op, u64 vaddr)
-       /* Do the stage-2 translation */
-       ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0));
-       out.esr = 0;
--      ret = kvm_walk_nested_s2(vcpu, ipa, &out);
-+      scoped_guard(srcu, &vcpu->kvm->srcu)
-+              ret = kvm_walk_nested_s2(vcpu, ipa, &out);
-       if (ret < 0)
-               return ret;
-@@ -1664,7 +1665,8 @@ int __kvm_find_s1_desc_level(struct kvm_vcpu *vcpu, u64 va, u64 ipa, int *level)
-       }
-       /* Walk the guest's PT, looking for a match along the way */
--      ret = walk_s1(vcpu, &wi, &wr, va);
-+      scoped_guard(srcu, &vcpu->kvm->srcu)
-+              ret = walk_s1(vcpu, &wi, &wr, va);
-       switch (ret) {
-       case -EINTR:
-               /* We interrupted the walk on a match, return the level */
--- 
-2.53.0
-
index 8fe7de11a120d4201b1d48c775d4e93a54b5b48c..4032117909874f1f5a86f8dc6ef4dcfcbff4ac55 100644 (file)
@@ -48,7 +48,6 @@ bluetooth-bnep-fix-incorrect-length-parsing-in-bnep_.patch
 bluetooth-bnep-reject-short-frames-before-parsing.patch
 bluetooth-fix-memory-leak-in-error-path-of-hci_alloc.patch
 bluetooth-iso-fix-not-releasing-hdev-reference-on-is.patch
 bluetooth-bnep-reject-short-frames-before-parsing.patch
 bluetooth-fix-memory-leak-in-error-path-of-hci_alloc.patch
 bluetooth-iso-fix-not-releasing-hdev-reference-on-is.patch
-bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-p.patch
 bluetooth-iso-fix-data-race-on-iso_pi-fields-in-hci_.patch
 bluetooth-sco-fix-data-race-on-sco_pi-fields-in-sco_.patch
 bluetooth-mgmt-fix-backward-compatibility-with-users.patch
 bluetooth-iso-fix-data-race-on-iso_pi-fields-in-hci_.patch
 bluetooth-sco-fix-data-race-on-sco_pi-fields-in-sco_.patch
 bluetooth-mgmt-fix-backward-compatibility-with-users.patch
@@ -66,7 +65,6 @@ sctp-validate-cached-peer-init-chunk-length-in-cooki.patch
 octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
 vxlan-vnifilter-send-notification-on-vni-add.patch
 vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
 octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
 vxlan-vnifilter-send-notification-on-vni-add.patch
 vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 bonding-annotate-data-races-arcound-churn-variables.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 bonding-annotate-data-races-arcound-churn-variables.patch
@@ -74,8 +72,6 @@ sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
 fwctl-bnxt_en-move-common-definitions-to-include-lin.patch
 fwctl-bnxt_en-refactor-aux-bus-functions-to-be-more-.patch
 reapply-bnxt_en-bring-back-rtnl_lock-in-the-bnxt_ope.patch
 fwctl-bnxt_en-move-common-definitions-to-include-lin.patch
 fwctl-bnxt_en-refactor-aux-bus-functions-to-be-more-.patch
 reapply-bnxt_en-bring-back-rtnl_lock-in-the-bnxt_ope.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
-kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
 drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch
 drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch
 selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch
 drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch
 drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch
 selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch