5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 28 May 2026 11:37:11 +0000 (13:37 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 28 May 2026 11:37:11 +0000 (13:37 +0200)
added patches:
ipv4-raw-reject-ip_hdrincl-packets-with-ihl-5.patch
ixgbevf-fix-use-after-free-in-vepa-multicast-source-pruning.patch
ring-buffer-fix-reporting-of-missed-events-in-iterator.patch
vsock-vmci-fix-uaf-when-peer-resets-connection-during-handshake.patch
wifi-ath11k-clear-shared-srng-pointer-state-on-restart.patch
wifi-cfg80211-advance-loop-vars-in-cfg80211_merge_profile.patch

queue-5.15/ipv4-raw-reject-ip_hdrincl-packets-with-ihl-5.patch [new file with mode: 0644]
queue-5.15/ixgbevf-fix-use-after-free-in-vepa-multicast-source-pruning.patch [new file with mode: 0644]
queue-5.15/ring-buffer-fix-reporting-of-missed-events-in-iterator.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/vsock-vmci-fix-uaf-when-peer-resets-connection-during-handshake.patch [new file with mode: 0644]
queue-5.15/wifi-ath11k-clear-shared-srng-pointer-state-on-restart.patch [new file with mode: 0644]
queue-5.15/wifi-cfg80211-advance-loop-vars-in-cfg80211_merge_profile.patch [new file with mode: 0644]

diff --git a/queue-5.15/ipv4-raw-reject-ip_hdrincl-packets-with-ihl-5.patch b/queue-5.15/ipv4-raw-reject-ip_hdrincl-packets-with-ihl-5.patch
new file mode 100644 (file)
index 0000000..38d0cf9
--- /dev/null
@@ -0,0 +1,86 @@
+From 915fab69823a14c170dbaa3b41978768e0fe62fc Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Tue, 12 May 2026 16:51:14 -0400
+Subject: ipv4: raw: reject IP_HDRINCL packets with ihl < 5
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 915fab69823a14c170dbaa3b41978768e0fe62fc upstream.
+
+raw_send_hdrinc() validates that the caller-supplied IPv4 header
+fits within the message length:
+
+    iphlen = iph->ihl * 4;
+    err = -EINVAL;
+    if (iphlen > length)
+        goto error_free;
+
+    if (iphlen >= sizeof(*iph)) {
+        /* fix up saddr, tot_len, id, csum, transport_header */
+    }
+
+It does not, however, reject ihl < 5.  For such a packet the
+"if (iphlen >= sizeof(*iph))" branch is skipped, leaving the
+crafted iphdr untouched, but the packet is still handed to
+__ip_local_out() and onward.  Downstream consumers that read
+iph->ihl assume a sane value: net/ipv4/ah4.c:ah_output() in
+particular subtracts sizeof(struct iphdr) from top_iph->ihl * 4
+and passes the (signed-int-negative, then cast to size_t)
+result to memcpy(), producing an OOB access of length close to
+SIZE_MAX and a host kernel panic.
+
+An IPv4 header with ihl < 5 is malformed by definition (RFC 791:
+"Internet Header Length is the length of the internet header in
+32 bit words ... Note that the minimum value for a correct header
+is 5.").  The kernel should not be willing to inject such a
+packet into its own output path.
+
+Reject "iphlen < sizeof(*iph)" alongside the existing
+"iphlen > length" check.  This matches the principle that locally
+constructed packets that re-enter the IP stack must pass the same
+basic sanity tests that a foreign packet would be subjected to.
+
+Once this lands, the "if (iphlen >= sizeof(*iph))" wrapper around
+the fixup branch becomes redundant; left in place to keep the
+patch minimal and backport-friendly.  A follow-up can unwrap it.
+
+Note that commit 86f4c90a1c5c ("ipv4, ipv6: ensure raw socket
+message is big enough to hold an IP header") ensures the message
+buffer is large enough to hold an iphdr, but does not constrain
+the self-reported iph->ihl.
+
+Reachability: the malformed packet source is any caller with
+CAP_NET_RAW, including an unprivileged process in a user+net
+namespace on a kernel with CONFIG_USER_NS=y.  The reproduced AH
+crash also requires a matching xfrm AH policy on the outgoing
+route; a container granted CAP_NET_ADMIN can install that state
+and policy in its netns.  Loopback bypasses xfrm_output, so the
+trigger uses a real netdev.
+
+Reproduced on UML + KASAN: kernel-mode fault at addr 0x0 with
+memcpy_orig at the crash site.  Same shape reproduces inside a
+rootless Docker container with --cap-add NET_ADMIN on a stock
+distro kernel.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Suggested-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Link: https://patch.msgid.link/77ec2b5e8111961c2c39883c92e8aa2709039c17.1778614451.git.michael.bommarito@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/raw.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -407,7 +407,7 @@ static int raw_send_hdrinc(struct sock *
+        * in, reject the frame as invalid
+        */
+       err = -EINVAL;
+-      if (iphlen > length)
++      if (iphlen > length || iphlen < sizeof(*iph))
+               goto error_free;
+       if (iphlen >= sizeof(*iph)) {
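Review bot: The new rejection at `if (iphlen > length || iphlen < sizeof(*iph))` has no comment explaining why a header shorter than 20 bytes is refused, and the existing comment ending just above it ("... reject the frame as invalid") still describes only the length check, so a reader of raw_send_hdrinc() will not know that consumers further down the output path trust iph->ihl. I would extend that comment with `/* ihl < 5 is malformed per RFC 791; later consumers such as ah_output() trust ihl, so refuse it here rather than downstream. */`. Note that iphlen is derived entirely from the caller-supplied iph->ihl, and that iph itself is read from the message before this check; the commit cites 86f4c90a1c5c as guaranteeing the message already holds a full iphdr, which is plausible but not visible in this hunk. raw_send_hdrinc() begins and ends outside this hunk.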
diff --git a/queue-5.15/ixgbevf-fix-use-after-free-in-vepa-multicast-source-pruning.patch b/queue-5.15/ixgbevf-fix-use-after-free-in-vepa-multicast-source-pruning.patch
new file mode 100644 (file)
index 0000000..a52f48e
--- /dev/null
@@ -0,0 +1,62 @@
+From 5d49b568c188dc77199d8d2b959c91da8cc27cf1 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Fri, 15 May 2026 11:24:14 -0700
+Subject: ixgbevf: fix use-after-free in VEPA multicast source pruning
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 5d49b568c188dc77199d8d2b959c91da8cc27cf1 upstream.
+
+ixgbevf_clean_rx_irq() prunes frames whose source MAC matches the VF's
+own address (VEPA multicast workaround) by freeing the skb and
+continuing to the next descriptor:
+
+    dev_kfree_skb_irq(skb);
+    continue;
+
+The skb pointer is declared outside the while loop and persists across
+iterations.  Because the continue skips the "skb = NULL" reset at the
+bottom of the loop, the next iteration enters the "else if (skb)" path
+and calls ixgbevf_add_rx_frag() on the freed skb, dereferencing
+skb_shinfo(skb)->nr_frags - a use-after-free in NAPI softirq context.
+
+The sibling driver iavf already handles this correctly by nulling the
+pointer before continuing.  Apply the same pattern here.
+
+I do not have ixgbevf hardware; the bug was found by static analysis
+(scan_drop_continue_loops.py + semgrep drop_continue_in_loop, multi-tool
+corroboration with the highest score in the scan).  The UAF was confirmed
+under KASAN by loading a test module that reproduces the exact code
+pattern (alloc skb, kfree_skb, then read skb_shinfo(skb)->nr_frags):
+
+  BUG: KASAN: slab-use-after-free in ixgbevf_uaf_test_init+0x100/0x1000
+  Read of size 8 at addr 000000006163ae78 by task insmod/30
+  freed 208-byte region [000000006163adc0, 000000006163ae90)
+
+QEMU emulates igb (82576) but not ixgbe (82599), and the igbvf VF
+driver does not include the VEPA source pruning path, so a full
+end-to-end reproduction with emulated hardware was not possible.
+
+Fixes: bad17234ba70 ("ixgbevf: Change receive model to use double buffered page based receives")
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://patch.msgid.link/20260515182419.1597859-8-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+@@ -1220,6 +1220,7 @@ static int ixgbevf_clean_rx_irq(struct i
+                   ether_addr_equal(rx_ring->netdev->dev_addr,
+                                    eth_hdr(skb)->h_source)) {
+                       dev_kfree_skb_irq(skb);
++                      skb = NULL;
+                       continue;
+               }
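Review bot: The added `skb = NULL;` before `continue` carries no explanation, and the reset at the bottom of the loop that it duplicates is outside this hunk, so the next reader sees two resets with no link between them; I would annotate it `/* freed above: clear so the next iteration does not append to this skb */`. The pruning path still bypasses everything that follows in the loop body, and if the per-packet accounting and the budget check sit after this point (as the commit's sibling iavf loop suggests), a burst of frames carrying the VF's own source MAC could keep ixgbevf_clean_rx_irq() polling past its NAPI budget; that is inferred from the shape of the loop, not shown here, and is worth confirming. ixgbevf_clean_rx_irq() starts and ends outside this hunk.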
diff --git a/queue-5.15/ring-buffer-fix-reporting-of-missed-events-in-iterator.patch b/queue-5.15/ring-buffer-fix-reporting-of-missed-events-in-iterator.patch
new file mode 100644 (file)
index 0000000..bbfe5d4
--- /dev/null
@@ -0,0 +1,72 @@
+From a254b6d13b0edd6272926674d2afc46d46e496b7 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Wed, 20 May 2026 22:08:01 -0400
+Subject: ring-buffer: Fix reporting of missed events in iterator
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit a254b6d13b0edd6272926674d2afc46d46e496b7 upstream.
+
+When tracing is active while reading the trace file, if the iterator
+reading the buffer detects that the writer has passed the iterator head,
+it will reset and set a "missed events" flag. This flag is passed to the
+output processing to show the user that events were missed:
+
+  CPU:4 [LOST EVENTS]
+
+The problem is that the flag is reset after it is checked in
+ring_buffer_iter_dropped(). But the "trace" file iterates over all the CPU
+ring buffers and it will check if they are dropped when figuring out which
+buffer to print next. This prematurely clears the missed_events flag if
+the CPU buffer with the missed events is not the one that is printed next.
+
+On the iteration where the CPU buffer with the missed events is printed,
+the check if it had missed events would return false and the output does
+not show that events were missed.
+
+Do not reset the missed_events flag when checking if there were missed
+events, but instead clear it when moving the iterator head to the next
+event.
+
+Cc: stable@vger.kernel.org
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Link: https://patch.msgid.link/20260520220801.4fd09d13@fedora
+Fixes: c9b7a4a72ff64 ("ring-buffer/tracing: Have iterator acknowledge dropped events")
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ring_buffer.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -4346,6 +4346,7 @@ static void rb_iter_reset(struct ring_bu
+       iter->head_page = cpu_buffer->reader_page;
+       iter->head = cpu_buffer->reader_page->read;
+       iter->next_event = iter->head;
++      iter->missed_events = 0;
+       iter->cache_reader_page = iter->head_page;
+       iter->cache_read = cpu_buffer->read;
+@@ -4955,10 +4956,7 @@ ring_buffer_peek(struct trace_buffer *bu
+  */
+ bool ring_buffer_iter_dropped(struct ring_buffer_iter *iter)
+ {
+-      bool ret = iter->missed_events != 0;
+-
+-      iter->missed_events = 0;
+-      return ret;
++      return iter->missed_events != 0;
+ }
+ EXPORT_SYMBOL_GPL(ring_buffer_iter_dropped);
+@@ -5175,7 +5173,7 @@ void ring_buffer_iter_advance(struct rin
+       unsigned long flags;
+       raw_spin_lock_irqsave(&cpu_buffer->reader_lock, flags);
+-
++      iter->missed_events = 0;
+       rb_advance_iter(iter);
+       raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags);
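Review bot: `ring_buffer_iter_dropped()` changes from read-and-clear to a pure read, but its kernel-doc block, whose closing `*/` is the first context line of that hunk, is not touched; if it still says the flag is reset by this call it is now wrong and should state that the flag is cleared by `ring_buffer_iter_advance()` and `rb_iter_reset()` instead (the comment text itself is not visible in this diff). The new `iter->missed_events = 0;` in rb_iter_reset() also assumes every caller marks the drop after the reset rather than before; if any path sets missed_events and then calls rb_iter_reset(), the mark is lost, so the ordering in the callers (outside this hunk) is worth confirming. ring_buffer_iter_advance() ends outside the hunk.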
index fae555b220f7261ef34edd0c177a4b37e938d6fc..550576aa776580fff87187bf72246deb03909f01 100644 (file)
@@ -693,3 +693,9 @@ net-bcmgenet-keep-rbuf-eee-pm-disabled.patch
 netfilter-ip6t_hbh-reject-oversized-option-lists.patch
 netfilter-nf_queue-hold-bridge-skb-dev-while-queued.patch
 netfilter-ipset-stop-hash-range-iteration-at-end.patch
+ring-buffer-fix-reporting-of-missed-events-in-iterator.patch
+vsock-vmci-fix-uaf-when-peer-resets-connection-during-handshake.patch
+wifi-ath11k-clear-shared-srng-pointer-state-on-restart.patch
+ipv4-raw-reject-ip_hdrincl-packets-with-ihl-5.patch
+ixgbevf-fix-use-after-free-in-vepa-multicast-source-pruning.patch
+wifi-cfg80211-advance-loop-vars-in-cfg80211_merge_profile.patch
diff --git a/queue-5.15/vsock-vmci-fix-uaf-when-peer-resets-connection-during-handshake.patch b/queue-5.15/vsock-vmci-fix-uaf-when-peer-resets-connection-during-handshake.patch
new file mode 100644 (file)
index 0000000..ea1c32a
--- /dev/null
@@ -0,0 +1,64 @@
+From 99e22ddf4edb63dc8382bc028af928056d3450cf Mon Sep 17 00:00:00 2001
+From: Minh Nguyen <minhnguyen.080505@gmail.com>
+Date: Tue, 19 May 2026 17:23:10 +0700
+Subject: vsock/vmci: fix UAF when peer resets connection during handshake
+
+From: Minh Nguyen <minhnguyen.080505@gmail.com>
+
+commit 99e22ddf4edb63dc8382bc028af928056d3450cf upstream.
+
+vmci_transport_recv_connecting_server() returned err = 0 for a peer
+RST in its default switch arm:
+
+       err = pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST ? 0 : -EINVAL;
+
+That made vmci_transport_recv_listen() skip vsock_remove_pending(),
+leaving the pending socket on the listener's pending_links with
+sk_state = TCP_CLOSE while destroy: still dropped the explicit
+reference taken before schedule_delayed_work().
+
+One second later vsock_pending_work() observed is_pending=true and
+performed full cleanup: vsock_remove_pending() then the two trailing
+sock_put(sk) calls -- the first reached refcount 0 and __sk_freed
+the socket, and the second wrote into the freed object:
+
+  BUG: KASAN: slab-use-after-free in refcount_warn_saturate
+  Write of size 4 at addr ffff88800b1cac80 by task kworker
+  Workqueue: events vsock_pending_work
+
+Treat peer RST like any other unexpected packet type (err = -EINVAL).
+All destroy: arms now return err < 0, so vmci_transport_recv_listen()
+removes pending from pending_links synchronously and
+vsock_pending_work() takes the is_pending=false / !rejected branch,
+dropping only its own work reference.  This also closes the
+multi-packet race Sashiko reported on v2: pending is removed from
+the list before any subsequent packet can find it.
+
+The pre-existing sk_acceptq_removed() gap on the err < 0 path of
+vmci_transport_recv_listen() that Sashiko also noted is not
+introduced or changed by this patch.
+
+Tested on lts-6.12.79 with KASAN: 52/100 unpatched -> 0/100 patched.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Cc: stable@vger.kernel.org
+Signed-off-by: Minh Nguyen <minhnguyen.080505@gmail.com>
+Acked-by: Bryan Tan <bryan-bt.tan@broadcom.com>
+Link: https://patch.msgid.link/20260519102310.237181-1-minhnguyen.080505@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/vmci_transport.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -1156,7 +1156,7 @@ vmci_transport_recv_connecting_server(st
+               /* Close and cleanup the connection. */
+               vmci_transport_send_reset(pending, pkt);
+               skerr = EPROTO;
+-              err = pkt->type == VMCI_TRANSPORT_PACKET_TYPE_RST ? 0 : -EINVAL;
++              err = -EINVAL;
+               goto destroy;
+       }
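Review bot: The constant `err = -EINVAL;` erases the only hint that a peer RST used to be treated as a non-error, so nothing stops a later cleanup from restoring that special case and reintroducing the use-after-free; a comment on that line is warranted, e.g. `/* A peer RST must also return an error: the caller then removes the pending socket from pending_links synchronously, which vsock_pending_work() relies on. */`. The `vmci_transport_send_reset(pending, pkt)` two lines above runs for an incoming RST as it did before this change; whether it suppresses answering a reset with a reset is decided inside that helper and not visible here, so it is worth a glance. The enclosing switch and vmci_transport_recv_connecting_server() extend outside this hunk.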
diff --git a/queue-5.15/wifi-ath11k-clear-shared-srng-pointer-state-on-restart.patch b/queue-5.15/wifi-ath11k-clear-shared-srng-pointer-state-on-restart.patch
new file mode 100644 (file)
index 0000000..58e919b
--- /dev/null
@@ -0,0 +1,60 @@
+From f51e4b3b5574ad8cb5b16b11f8a1452147ece87a Mon Sep 17 00:00:00 2001
+From: Kyle Farnung <kfarnung@gmail.com>
+Date: Wed, 13 May 2026 21:52:12 -0700
+Subject: wifi: ath11k: clear shared SRNG pointer state on restart
+
+From: Kyle Farnung <kfarnung@gmail.com>
+
+commit f51e4b3b5574ad8cb5b16b11f8a1452147ece87a upstream.
+
+LMAC rings reuse the shared rdp/wrp pointer buffers without going
+through the normal SRNG hw-init path that zeros non-LMAC ring
+pointers. After restart, ath11k_hal_srng_clear() can therefore hand
+stale hp/tp state from the previous firmware instance back to the new
+one.
+
+Clear the shared pointer buffers while keeping the allocations in
+place so restart still avoids reallocating SRNG DMA memory, but starts
+with fresh ring-pointer state.
+
+Fixes: 32be3ca4cf78b ("wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again")
+Cc: stable@vger.kernel.org
+Closes: https://lore.kernel.org/all/CAOPSVF04q6uvVdq8GTRLHBrVMdpt9=o9wVcFMc6f-yhmSBcZqQ@mail.gmail.com/
+Signed-off-by: Kyle Farnung <kfarnung@gmail.com>
+Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
+Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
+Link: https://patch.msgid.link/20260513-kfarnung-ath11k-srng-clear-pointer-state-v1-1-bc700dd8b333@gmail.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/hal.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -1315,14 +1315,22 @@ EXPORT_SYMBOL(ath11k_hal_srng_deinit);
+ void ath11k_hal_srng_clear(struct ath11k_base *ab)
+ {
+-      /* No need to memset rdp and wrp memory since each individual
+-       * segment would get cleared in ath11k_hal_srng_src_hw_init()
+-       * and ath11k_hal_srng_dst_hw_init().
++      /*
++       * Preserve the shared pointer buffers, but clear the previous
++       * firmware instance's hp/tp state before handing them back to FW.
++       * LMAC rings reuse this shared memory without going through the
++       * normal SRNG hw-init path that zeros non-LMAC ring pointers.
+        */
+       memset(ab->hal.srng_list, 0,
+              sizeof(ab->hal.srng_list));
+       memset(ab->hal.shadow_reg_addr, 0,
+              sizeof(ab->hal.shadow_reg_addr));
++      if (ab->hal.rdp.vaddr)
++              memset(ab->hal.rdp.vaddr, 0,
++                     sizeof(*ab->hal.rdp.vaddr) * HAL_SRNG_RING_ID_MAX);
++      if (ab->hal.wrp.vaddr)
++              memset(ab->hal.wrp.vaddr, 0,
++                     sizeof(*ab->hal.wrp.vaddr) * HAL_SRNG_NUM_LMAC_RINGS);
+       ab->hal.avail_blk_resource = 0;
+       ab->hal.current_blk_index = 0;
+       ab->hal.num_shadow_reg_configured = 0;
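Review bot: The two memset() sizes at `sizeof(*ab->hal.rdp.vaddr) * HAL_SRNG_RING_ID_MAX` and `sizeof(*ab->hal.wrp.vaddr) * HAL_SRNG_NUM_LMAC_RINGS` restate the lengths chosen where rdp/wrp are allocated (outside this hunk); if either allocation is ever resized, this clear silently overruns or under-clears DMA-coherent memory, so I would have the allocation record its size (or share one macro) and clear by that instead of repeating the arithmetic here. Zeroing these buffers is only safe once the previous firmware instance can no longer write them, which the new comment should state, e.g. `/* Caller must have halted the previous firmware instance so nothing is still updating hp/tp. */` — that precondition is inferred from the restart context, not shown in this diff. ath11k_hal_srng_clear() ends outside the hunk.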
diff --git a/queue-5.15/wifi-cfg80211-advance-loop-vars-in-cfg80211_merge_profile.patch b/queue-5.15/wifi-cfg80211-advance-loop-vars-in-cfg80211_merge_profile.patch
new file mode 100644 (file)
index 0000000..458d05d
--- /dev/null
@@ -0,0 +1,52 @@
+From 7666dbb1bacc4ba522b96740cba7283d243d16e1 Mon Sep 17 00:00:00 2001
+From: John Walker <johnwalker0@gmail.com>
+Date: Thu, 7 May 2026 17:07:20 -0600
+Subject: wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
+
+From: John Walker <johnwalker0@gmail.com>
+
+commit 7666dbb1bacc4ba522b96740cba7283d243d16e1 upstream.
+
+cfg80211_merge_profile() reassembles a Multi-BSSID non-transmitted BSS
+profile that has been split across multiple consecutive MBSSID elements.
+Its while-loop calls
+
+       cfg80211_get_profile_continuation(ie, ielen, mbssid_elem, sub_elem)
+
+but never advances mbssid_elem or sub_elem inside the body.  Each
+iteration therefore searches for a continuation that follows the same
+fixed pair; the helper returns the same next_mbssid; and the same
+next_sub bytes are memcpy()'d into merged_ie at a growing offset until
+the buffer fills.
+
+Advance both mbssid_elem and sub_elem to the just-consumed continuation
+so the next call to cfg80211_get_profile_continuation() searches for a
+further continuation beyond it (or returns NULL when none exists).
+
+A specially-crafted malicious beacon can take advantage of this bug
+to cause the kernel to spend an excessive amount of time in
+cfg80211_merge_profile (up to as much as 2ms per beacon received),
+which could theoretically be abused in some way.
+
+Cc: stable@vger.kernel.org
+Fixes: fe806e4992c9 ("cfg80211: support profile split between elements")
+Signed-off-by: John Walker <johnwalker0@gmail.com>
+Link: https://patch.msgid.link/20260507230720.64783-1-johnwalker0@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/scan.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -2180,6 +2180,9 @@ size_t cfg80211_merge_profile(const u8 *
+               memcpy(merged_ie + copied_len, next_sub->data,
+                      next_sub->datalen);
+               copied_len += next_sub->datalen;
++
++              mbssid_elem = next_mbssid;
++              sub_elem = next_sub;
+       }
+       return copied_len;
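Review bot: The two added assignments `mbssid_elem = next_mbssid; sub_elem = next_sub;` are the whole fix yet carry no comment, and the loop's termination now rests entirely on cfg80211_get_profile_continuation() eventually returning NULL once the search moves forward; a short comment would keep the next refactor from dropping them: `/* Advance past the consumed continuation; the next lookup must search beyond it or the same bytes would be copied again. */`. Since this function parses beacon contents from the air, a cheap progress guard before the memcpy, `if (next_mbssid == mbssid_elem) break;`, would make the loop bound obvious to a reader regardless of the helper's behaviour — a defensive extra, not something the visible code proves necessary. cfg80211_merge_profile() starts before this hunk, so whatever bounds the memcpy against the destination buffer is not visible here.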