From: Sasha Levin Date: Thu, 11 Jun 2026 00:44:57 +0000 (-0400) Subject: Fixes for all trees X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=6dbf11cff67cce300dc74d608f57a4a71b42fa79;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch b/queue-5.10/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch
new file mode 100644
index 0000000000..7f58b083fa
--- /dev/null
+++ b/queue-5.10/bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch
@@ -0,0 +1,95 @@
+From 8175fa7af4104238631b64b5c73101e557f1dbee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Jun 2026 19:48:35 +0300
+Subject: bonding: limit BOND_MODE_8023AD to Ethernet devices
+
+From: Eric Dumazet
+
+commit c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 upstream.
+
+BOND_MODE_8023AD makes sense for ARPHRD_ETHER only.
+
+syzbot reported:
+
+ BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497
+
+CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full)
+Tainted: [L]=SOFTLOCKUP
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
+Call Trace:
+
+ dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ check_region_inline mm/kasan/generic.c:-1 [inline]
+ kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200
+ __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
+ __hw_addr_create net/core/dev_addr_lists.c:63 [inline]
+ __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118
+ __dev_mc_add net/core/dev_addr_lists.c:868 [inline]
+ dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886
+ bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180
+ do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963
+ do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165
+ rtnl_changelink net/core/rtnetlink.c:3776 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3935 [inline]
+ rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072
+ rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
+ netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
+ netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
+ netlink_unicast+0x82f/0x9e0
net/netlink/af_netlink.c:1344
+ netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg+0x21c/0x270 net/socket.c:742
+ ____sys_sendmsg+0x505/0x820 net/socket.c:2592
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
+ __sys_sendmsg+0x164/0x220 net/socket.c:2678
+ do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
+ __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307
+ do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332
+ entry_SYSENTER_compat_after_hwframe+0x84/0x8e
+
+
+The buggy address belongs to the variable:
+ lacpdu_mcast_addr+0x0/0x40
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot+9c081b17773615f24672@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/6966946b.a70a0220.245e30.0002.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet
+Cc: Andrew Lunn
+Acked-by: Jay Vosburgh
+Link: https://patch.msgid.link/20260113191201.3970737-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski
+[ Alexey: Replace SLAVE_NL_ERR() with NL_SET_ERR_MSG() and slave_err()
+ because SLAVE_NL_ERR() is not present in linux-5.10.y.
]
+Signed-off-by: Alexey Panov
+Signed-off-by: Sasha Levin
+---
+ drivers/net/bonding/bond_main.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 812e1792c232e1..86f0f155e9862c 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1763,6 +1763,13 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+ */
+ if (!bond_has_slaves(bond)) {
+ if (bond_dev->type != slave_dev->type) {
++ if (slave_dev->type != ARPHRD_ETHER &&
++ BOND_MODE(bond) == BOND_MODE_8023AD) {
++ NL_SET_ERR_MSG(extack, "8023AD mode requires Ethernet devices");
++ slave_err(bond_dev, slave_dev,
++ "Error: 8023AD mode requires Ethernet devices\n");
++ return -EINVAL;
++ }
+ slave_dbg(bond_dev, slave_dev, "change device type from %d to %d\n",
+ bond_dev->type, slave_dev->type);
+
+-- 
+2.53.0
+
diff --git a/queue-5.10/ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch b/queue-5.10/ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch
new file mode 100644
index 0000000000..24caea8d6e
--- /dev/null
+++ b/queue-5.10/ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch
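Review bot: The new rejection in bond_enslave() sits inside `if (bond_dev->type != slave_dev->type)`, so a non-Ethernet slave is refused only when its type differs from the bond's; the guard therefore relies on an empty bond always carrying ARPHRD_ETHER, which is true only if the type is reset when the last slave leaves and is worth confirming for 5.10 rather than assuming. A comment above the added `if`, `/* an empty bond is ARPHRD_ETHER, so a type mismatch here means a non-Ethernet slave */`, would make that dependency visible to the next reader. The backport also reports the same condition with two different strings (NL_SET_ERR_MSG without the "Error: " prefix, slave_err with it); keeping the two texts identical keeps extack and log output greppable as one event. bond_enslave() begins and continues outside the hunk.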
@@ -0,0 +1,75 @@
+From ec4978746d021110566cee95bfb7ae759b96c746 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Jun 2026 19:44:30 +0300
+Subject: ext4: validate p_idx bounds in ext4_ext_correct_indexes
+
+From: Tejas Bharambe
+
+commit 2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8 upstream.
+
+ext4_ext_correct_indexes() walks up the extent tree correcting
+index entries when the first extent in a leaf is modified. Before
+accessing path[k].p_idx->ei_block, there is no validation that
+p_idx falls within the valid range of index entries for that
+level.
+
+If the on-disk extent header contains a corrupted or crafted
+eh_entries value, p_idx can point past the end of the allocated
+buffer, causing a slab-out-of-bounds read.
+
+Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at
+both access sites: before the while loop and inside it. Return
+-EFSCORRUPTED if the index pointer is out of range, consistent
+with how other bounds violations are handled in the ext4 extent
+tree code.
+
+Reported-by: syzbot+04c4e65cab786a2e5b7e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=04c4e65cab786a2e5b7e
+Signed-off-by: Tejas Bharambe
+Link: https://patch.msgid.link/JH0PR06MB66326016F9B6AD24097D232B897CA@JH0PR06MB6632.apcprd06.prod.outlook.com
+Signed-off-by: Theodore Ts'o
+Cc: stable@kernel.org
+[ Alexey: Adapt goto clean to break because the clean error path is not
+ present in linux-5.10.y and linux-5.15.y.
]
+Signed-off-by: Alexey Panov
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/extents.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 6d37805d315507..388e47dfb7aa18 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1731,6 +1731,13 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
+ err = ext4_ext_get_access(handle, inode, path + k);
+ if (err)
+ return err;
++ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
++ EXT4_ERROR_INODE(inode,
++ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
++ k, path[k].p_idx,
++ EXT_LAST_INDEX(path[k].p_hdr));
++ return -EFSCORRUPTED;
++ }
+ path[k].p_idx->ei_block = border;
+ err = ext4_ext_dirty(handle, inode, path + k);
+ if (err)
+@@ -1743,6 +1750,14 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
+ err = ext4_ext_get_access(handle, inode, path + k);
+ if (err)
+ break;
++ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
++ EXT4_ERROR_INODE(inode,
++ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
++ k, path[k].p_idx,
++ EXT_LAST_INDEX(path[k].p_hdr));
++ err = -EFSCORRUPTED;
++ break;
++ }
+ path[k].p_idx->ei_block = border;
+ err = ext4_ext_dirty(handle, inode, path + k);
+ if (err)
+-- 
+2.53.0
+
diff --git a/queue-5.10/nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch b/queue-5.10/nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch
new file mode 100644
index 0000000000..cacdf3955b
--- /dev/null
+++ b/queue-5.10/nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch
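Review bot: Both added checks in ext4_ext_correct_indexes() print `%p` for p_idx and EXT_LAST_INDEX, which the kernel hashes by default, so the EXT4_ERROR_INODE report shows two opaque tokens and never says how far out of range the index was; printing the position instead, e.g. `"path[%d].p_idx offset %ld > eh_entries %u"` with `(long)(path[k].p_idx - EXT_FIRST_INDEX(path[k].p_hdr))` and `le16_to_cpu(path[k].p_hdr->eh_entries)`, would make a corruption report actionable. The in-loop copy sets err and breaks rather than the upstream goto; the code after the while loop is outside the hunk, so it is worth confirming that err is returned from there unchanged and not overwritten by a later call. The queue-5.15 copy of this patch carries the same two checks verbatim, and both points apply there as well.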
@@ -0,0 +1,98 @@
+From 832f045982ddf99a925fd86d481f63ec73e5d468 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Jun 2026 20:23:54 +0300
+Subject: nfsd: don't ignore the return code of svc_proc_register()
+
+From: Jeff Layton
+
+commit 930b64ca0c511521f0abdd1d57ce52b2a6e3476b upstream.
+
+Currently, nfsd_proc_stat_init() ignores the return value of
+svc_proc_register(). If the procfile creation fails, then the kernel
+will WARN when it tries to remove the entry later.
+
+Fix nfsd_proc_stat_init() to return the same type of pointer as
+svc_proc_register(), and fix up nfsd_net_init() to check that and fail
+the nfsd_net construction if it occurs.
+
+svc_proc_register() can fail if the dentry can't be allocated, or if an
+identical dentry already exists. The second case is pretty unlikely in
+the nfsd_net construction codepath, so if this happens, return -ENOMEM.
+
+Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.com/
+Cc: stable@vger.kernel.org # v6.9
+Signed-off-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Signed-off-by: Vladislav Nikolaev
+Signed-off-by: Sasha Levin
+---
+ fs/nfsd/nfsctl.c | 9 ++++++++-
+ fs/nfsd/stats.c | 4 ++--
+ fs/nfsd/stats.h | 2 +-
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
+index 8178d7d016487a..5cd264171daeee 100644
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1471,17 +1471,24 @@ static __net_init int nfsd_init_net(struct net *net)
+ retval = nfsd_stat_counters_init(nn);
+ if (retval)
+ goto out_repcache_error;
++
+ memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats));
+ nn->nfsd_svcstats.program = &nfsd_program;
++ if (!nfsd_proc_stat_init(net)) {
++ retval = -ENOMEM;
++ goto out_proc_error;
++ }
++
+ nn->nfsd_versions = NULL;
+ nn->nfsd4_minorversions = NULL;
+ nfsd4_init_leases_net(nn);
+ get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key));
+
seqlock_init(&nn->writeverf_lock);
+- nfsd_proc_stat_init(net);
+
+ return 0;
+
++out_proc_error:
++ nfsd_stat_counters_destroy(nn);
+ out_repcache_error:
+ nfsd_idmap_shutdown(net);
+ out_idmap_error:
+diff --git a/fs/nfsd/stats.c b/fs/nfsd/stats.c
+index 7a58dba0045c3b..6d1c6067c80e3b 100644
+--- a/fs/nfsd/stats.c
++++ b/fs/nfsd/stats.c
+@@ -113,11 +113,11 @@ void nfsd_stat_counters_destroy(struct nfsd_net *nn)
+ nfsd_percpu_counters_destroy(nn->counter, NFSD_STATS_COUNTERS_NUM);
+ }
+
+-void nfsd_proc_stat_init(struct net *net)
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net)
+ {
+ struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+
+- svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
++ return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
+ }
+
+ void nfsd_proc_stat_shutdown(struct net *net)
+diff --git a/fs/nfsd/stats.h b/fs/nfsd/stats.h
+index 14525e854cbac3..b9329285bc1d79 100644
+--- a/fs/nfsd/stats.h
++++ b/fs/nfsd/stats.h
+@@ -15,7 +15,7 @@ void nfsd_percpu_counters_reset(struct percpu_counter *counters, int num);
+ void nfsd_percpu_counters_destroy(struct percpu_counter *counters, int num);
+ int nfsd_stat_counters_init(struct nfsd_net *nn);
+ void nfsd_stat_counters_destroy(struct nfsd_net *nn);
+-void nfsd_proc_stat_init(struct net *net);
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net);
+ void nfsd_proc_stat_shutdown(struct net *net);
+
+ static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn)
+-- 
+2.53.0
+
diff --git a/queue-5.10/series b/queue-5.10/series
index f28961038e..d186b74b33 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
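Review bot: The new `out_proc_error` unwind in nfsd_init_net() only runs `nfsd_stat_counters_destroy(nn)` before falling into the existing labels, and because nfsd_proc_stat_init() has been moved ahead of the nfsd_versions/leases/siphash setup, the proc entry now exists while the rest of the constructor runs; any error path added after it in future must also call `nfsd_proc_stat_shutdown(net)`, which none of the labels here does. A comment at the label, `/* the proc entry was not created; only the counters need undoing */`, would stop a later error path from reusing it by mistake. Mapping a NULL from svc_proc_register() to -ENOMEM also folds the already-exists case the description mentions into an allocation failure; a one-line comment at `retval = -ENOMEM;` noting that trade-off would help whoever debugs it. nfsd_init_net() begins and ends outside the hunk, and the queue-5.15 copy of this patch carries identical hunks with the same points.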
@@ -150,3 +150,9 @@ i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
 time-fix-off-by-one-in-settimeofday-usec-validation.patch
 alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch
+ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch
+bonding-limit-bond_mode_8023ad-to-ethernet-devices.patch
+usbnet-fix-using-smp_processor_id-in-preemptible-cod.patch
+nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch
+wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch
+spi-meson-spicc-fix-double-put-in-remove-path.patch
diff --git a/queue-5.10/spi-meson-spicc-fix-double-put-in-remove-path.patch b/queue-5.10/spi-meson-spicc-fix-double-put-in-remove-path.patch
new file mode 100644
index 0000000000..36dcff2d47
--- /dev/null
+++ b/queue-5.10/spi-meson-spicc-fix-double-put-in-remove-path.patch
@@ -0,0 +1,45 @@
+From 2b73cb8983b7e0f9a86e47087182ec91c663799d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Jun 2026 19:11:29 +0300
+Subject: spi: meson-spicc: Fix double-put in remove path
+
+From: Felix Gu
+
+commit 63542bb402b7013171c9f621c28b609eda4dbf1f upstream.
+
+meson_spicc_probe() registers the controller with
+devm_spi_register_controller(), so teardown already drops the
+controller reference via devm cleanup.
+
+Calling spi_controller_put() again in meson_spicc_remove()
+causes a double-put.
+
+Fixes: 8311ee2164c5 ("spi: meson-spicc: fix memory leak in meson_spicc_remove")
+Signed-off-by: Felix Gu
+Reviewed-by: Johan Hovold
+Link: https://patch.msgid.link/20260322-rockchip-v1-1-fac3f0c6dad8@gmail.com
+Signed-off-by: Mark Brown
+[ Alexey: Remove the equivalent legacy spi_master_put() call used in
+ linux-5.10.y. ]
+Signed-off-by: Alexey Panov
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-meson-spicc.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/spi/spi-meson-spicc.c b/drivers/spi/spi-meson-spicc.c
+index 6974a1c947aad6..ae818e7df79198 100644
+--- a/drivers/spi/spi-meson-spicc.c
++++ b/drivers/spi/spi-meson-spicc.c
+@@ -863,8 +863,6 @@ static int meson_spicc_remove(struct platform_device *pdev)
+ clk_disable_unprepare(spicc->core);
+ clk_disable_unprepare(spicc->pclk);
+
+- spi_master_put(spicc->master);
+-
+ return 0;
+ }
+
+-- 
+2.53.0
+
diff --git a/queue-5.10/usbnet-fix-using-smp_processor_id-in-preemptible-cod.patch b/queue-5.10/usbnet-fix-using-smp_processor_id-in-preemptible-cod.patch
new file mode 100644
index 0000000000..62a130d443
--- /dev/null
+++ b/queue-5.10/usbnet-fix-using-smp_processor_id-in-preemptible-cod.patch
@@ -0,0 +1,80 @@
+From 73b4cc7a7d68a2c8d5df6ea3897da01f48b9c370 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Jun 2026 19:46:44 +0300
+Subject: usbnet: Fix using smp_processor_id() in preemptible code warnings
+
+From: Zqiang
+
+commit 327cd4b68b4398b6c24f10eb2b2533ffbfc10185 upstream.
+
+Syzbot reported the following warning:
+
+BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879
+caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
+CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
+ check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49
+ usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
+ usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708
+ usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417
+ __dev_set_mtu net/core/dev.c:9443 [inline]
+ netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496
+ netif_set_mtu+0xb0/0x160 net/core/dev.c:9520
+ dev_set_mtu+0xae/0x170 net/core/dev_api.c:247
+ dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572
+ dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821
+ sock_do_ioctl+0x19d/0x280 net/socket.c:1204
+ sock_ioctl+0x42f/0x6a0 net/socket.c:1311
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:906 [inline]
+ __se_sys_ioctl fs/ioctl.c:892 [inline]
+ __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+For historical and portability reasons, the netif_rx() is usually
+run in the softirq or interrupt context, this commit therefore add
+local_bh_disable/enable() protection in the usbnet_resume_rx().
+
+Fixes: 43daa96b166c ("usbnet: Stop RX Q on MTU change")
+Link: https://syzkaller.appspot.com/bug?id=81f55dfa587ee544baaaa5a359a060512228c1e1
+Suggested-by: Jakub Kicinski
+Signed-off-by: Zqiang
+Link: https://patch.msgid.link/20251011070518.7095-1-qiang.zhang@linux.dev
+Signed-off-by: Paolo Abeni
+[ Alexey: Keep tasklet_schedule() because commit 2c04d279e857 ("net: usb:
+ Convert tasklet API to new bottom half workqueue mechanism") is not present
+ in linux-5.10.y. ]
+Signed-off-by: Alexey Panov
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/usbnet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 4a83228a2db578..4b34544d88aa86 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -684,6 +684,7 @@ void usbnet_resume_rx(struct usbnet *dev)
+ struct sk_buff *skb;
+ int num = 0;
+
++ local_bh_disable();
+ clear_bit(EVENT_RX_PAUSED, &dev->flags);
+
+ while ((skb = skb_dequeue(&dev->rxq_pause)) != NULL) {
+@@ -692,6 +693,7 @@ void usbnet_resume_rx(struct usbnet *dev)
+ }
+
+ tasklet_schedule(&dev->bh);
++ local_bh_enable();
+
+ netif_dbg(dev, rx_status, dev->net,
+ "paused rx queue disabled, %d skbs requeued\n", num);
+-- 
+2.53.0
+
diff --git a/queue-5.10/wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch b/queue-5.10/wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch
new file mode 100644
index 0000000000..990f359570
--- /dev/null
+++ b/queue-5.10/wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch
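Review bot: The local_bh_disable()/local_bh_enable() pair added around the requeue loop in usbnet_resume_rx() has no comment, so a reader of the function sees an unexplained critical section and must dig up this commit to learn why a process-context caller needs bottom halves off. Suggest `/* usbnet_skb_return() -> netif_rx() expects BH/IRQ context; usbnet_change_mtu() reaches here from process context */` above the `local_bh_disable();` line. It is also worth noting in that comment that the backport deliberately keeps tasklet_schedule() inside the protected region, since the adaptation note explains the why only in the patch header. usbnet_resume_rx() begins before and ends after the hunk.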
@@ -0,0 +1,49 @@
+From b99bdcc6ed86411c6d34428016f74a8e90c680a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Jun 2026 21:11:08 +0300
+Subject: wifi: mac80211: check tdls flag in ieee80211_tdls_oper
+
+From: Deepanshu Kartikey
+
+commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b upstream.
+
+When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the
+station exists but not whether it is actually a TDLS station. This
+allows the operation to proceed for non-TDLS stations, causing
+unintended side effects like modifying channel context and HT
+protection before failing.
+
+Add a check for sta->sta.tdls early in the ENABLE_LINK case, before
+any side effects occur, to ensure the operation is only allowed for
+actual TDLS peers.
+
+Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b
+Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
+Suggested-by: Johannes Berg
+Signed-off-by: Deepanshu Kartikey
+Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com
+Signed-off-by: Johannes Berg
+[ Alexey: Adapted to the older sta_mtx locking and error-handling flow. ]
+Signed-off-by: Alexey Panov
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/tdls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
+index e01e4daeb8cd31..66e32f1d0a989a 100644
+--- a/net/mac80211/tdls.c
++++ b/net/mac80211/tdls.c
+@@ -1380,7 +1380,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
+
+ mutex_lock(&local->sta_mtx);
+ sta = sta_info_get(sdata, peer);
+- if (!sta) {
++ if (!sta || !sta->sta.tdls) {
+ mutex_unlock(&local->sta_mtx);
+ ret = -ENOLINK;
+ break;
+-- 
+2.53.0
+
diff --git a/queue-5.15/ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch b/queue-5.15/ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch
new file mode 100644
index 0000000000..ee29e1e5ac
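Review bot: The widened condition `if (!sta || !sta->sta.tdls)` in ieee80211_tdls_oper() now returns -ENOLINK for both a missing station and an existing non-TDLS station, and nothing next to it says why a non-TDLS peer must be rejected at this point; the reason (the chanctx and HT-protection changes that follow in the ENABLE_LINK case) lives only in the commit message. A comment above the check, `/* reject non-TDLS peers before the chanctx/HT protection changes below take effect */`, would keep that rationale with the code. The ENABLE_LINK case and the surrounding function continue outside the hunk.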
--- /dev/null
+++ b/queue-5.15/ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch
@@ -0,0 +1,75 @@
+From bae3a2fa291d838c800804771fca282d1b94e2d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Jun 2026 19:44:30 +0300
+Subject: ext4: validate p_idx bounds in ext4_ext_correct_indexes
+
+From: Tejas Bharambe
+
+commit 2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8 upstream.
+
+ext4_ext_correct_indexes() walks up the extent tree correcting
+index entries when the first extent in a leaf is modified. Before
+accessing path[k].p_idx->ei_block, there is no validation that
+p_idx falls within the valid range of index entries for that
+level.
+
+If the on-disk extent header contains a corrupted or crafted
+eh_entries value, p_idx can point past the end of the allocated
+buffer, causing a slab-out-of-bounds read.
+
+Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at
+both access sites: before the while loop and inside it. Return
+-EFSCORRUPTED if the index pointer is out of range, consistent
+with how other bounds violations are handled in the ext4 extent
+tree code.
+
+Reported-by: syzbot+04c4e65cab786a2e5b7e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=04c4e65cab786a2e5b7e
+Signed-off-by: Tejas Bharambe
+Link: https://patch.msgid.link/JH0PR06MB66326016F9B6AD24097D232B897CA@JH0PR06MB6632.apcprd06.prod.outlook.com
+Signed-off-by: Theodore Ts'o
+Cc: stable@kernel.org
+[ Alexey: Adapt goto clean to break because the clean error path is not
+ present in linux-5.10.y and linux-5.15.y.
]
+Signed-off-by: Alexey Panov
+Signed-off-by: Sasha Levin
+---
+ fs/ext4/extents.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 80b7783c65b41e..e6dbb2dfb3318f 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1736,6 +1736,13 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
+ err = ext4_ext_get_access(handle, inode, path + k);
+ if (err)
+ return err;
++ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
++ EXT4_ERROR_INODE(inode,
++ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
++ k, path[k].p_idx,
++ EXT_LAST_INDEX(path[k].p_hdr));
++ return -EFSCORRUPTED;
++ }
+ path[k].p_idx->ei_block = border;
+ err = ext4_ext_dirty(handle, inode, path + k);
+ if (err)
+@@ -1748,6 +1755,14 @@ static int ext4_ext_correct_indexes(handle_t *handle, struct inode *inode,
+ err = ext4_ext_get_access(handle, inode, path + k);
+ if (err)
+ break;
++ if (unlikely(path[k].p_idx > EXT_LAST_INDEX(path[k].p_hdr))) {
++ EXT4_ERROR_INODE(inode,
++ "path[%d].p_idx %p > EXT_LAST_INDEX %p",
++ k, path[k].p_idx,
++ EXT_LAST_INDEX(path[k].p_hdr));
++ err = -EFSCORRUPTED;
++ break;
++ }
+ path[k].p_idx->ei_block = border;
+ err = ext4_ext_dirty(handle, inode, path + k);
+ if (err)
+-- 
+2.53.0
+
diff --git a/queue-5.15/fs-ntfs3-return-error-for-inconsistent-extended-attr.patch b/queue-5.15/fs-ntfs3-return-error-for-inconsistent-extended-attr.patch
new file mode 100644
index 0000000000..0a7cb61a51
--- /dev/null
+++ b/queue-5.15/fs-ntfs3-return-error-for-inconsistent-extended-attr.patch
@@ -0,0 +1,107 @@
+From 6b1aec5765e2306339d1ad6ac2246e5e5ba06c32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Mar 2023 18:23:03 +0800
+Subject: fs/ntfs3: Return error for inconsistent extended attributes
+
+From: Edward Lo
+
+[ Upstream commit c9db0ff04649aa0b45f497183c957fe260f229f6 ]
+
+ntfs_read_ea is called when we want to read extended attributes. There
+are some sanity checks for the validity of the EAs. However, it fails to
+return a proper error code for the inconsistent attributes, which might
+lead to unpredicted memory accesses after return.
+
+[ 138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0
+[ 138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199
+[ 138.931132]
+[ 138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4
+[ 138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+[ 138.947327] Call Trace:
+[ 138.949557]
+[ 138.951539] dump_stack_lvl+0x4d/0x67
+[ 138.956834] print_report+0x16f/0x4a6
+[ 138.960798] ? ntfs_set_ea+0x453/0xbf0
+[ 138.964437] ? kasan_complete_mode_report_info+0x7d/0x200
+[ 138.969793] ? ntfs_set_ea+0x453/0xbf0
+[ 138.973523] kasan_report+0xb8/0x140
+[ 138.976740] ? ntfs_set_ea+0x453/0xbf0
+[ 138.980578] __asan_store4+0x76/0xa0
+[ 138.984669] ntfs_set_ea+0x453/0xbf0
+[ 138.988115] ? __pfx_ntfs_set_ea+0x10/0x10
+[ 138.993390] ? kernel_text_address+0xd3/0xe0
+[ 138.998270] ? __kernel_text_address+0x16/0x50
+[ 139.002121] ? unwind_get_return_address+0x3e/0x60
+[ 139.005659] ? __pfx_stack_trace_consume_entry+0x10/0x10
+[ 139.010177] ? arch_stack_walk+0xa2/0x100
+[ 139.013657] ? filter_irq_stacks+0x27/0x80
+[ 139.017018] ntfs_setxattr+0x405/0x440
+[ 139.022151] ? __pfx_ntfs_setxattr+0x10/0x10
+[ 139.026569] ? kvmalloc_node+0x2d/0x120
+[ 139.030329] ? kasan_save_stack+0x41/0x60
+[ 139.033883] ? kasan_save_stack+0x2a/0x60
+[ 139.037338] ? kasan_set_track+0x29/0x40
+[ 139.040163] ?
kasan_save_alloc_info+0x1f/0x30
+[ 139.043588] ? __kasan_kmalloc+0x8b/0xa0
+[ 139.047255] ? __kmalloc_node+0x68/0x150
+[ 139.051264] ? kvmalloc_node+0x2d/0x120
+[ 139.055301] ? vmemdup_user+0x2b/0xa0
+[ 139.058584] __vfs_setxattr+0x121/0x170
+[ 139.062617] ? __pfx___vfs_setxattr+0x10/0x10
+[ 139.066282] __vfs_setxattr_noperm+0x97/0x300
+[ 139.070061] __vfs_setxattr_locked+0x145/0x170
+[ 139.073580] vfs_setxattr+0x137/0x2a0
+[ 139.076641] ? __pfx_vfs_setxattr+0x10/0x10
+[ 139.080223] ? __kasan_check_write+0x18/0x20
+[ 139.084234] do_setxattr+0xce/0x150
+[ 139.087768] setxattr+0x126/0x140
+[ 139.091250] ? __pfx_setxattr+0x10/0x10
+[ 139.094948] ? __virt_addr_valid+0xcb/0x140
+[ 139.097838] ? __call_rcu_common.constprop.0+0x1c7/0x330
+[ 139.102688] ? debug_smp_processor_id+0x1b/0x30
+[ 139.105985] ? kasan_quarantine_put+0x5b/0x190
+[ 139.109980] ? putname+0x84/0xa0
+[ 139.113886] ? __kasan_slab_free+0x11e/0x1b0
+[ 139.117961] ? putname+0x84/0xa0
+[ 139.121316] ? preempt_count_sub+0x1c/0xd0
+[ 139.124427] ? __mnt_want_write+0xae/0x100
+[ 139.127836] ? mnt_want_write+0x8f/0x150
+[ 139.130954] path_setxattr+0x164/0x180
+[ 139.133998] ? __pfx_path_setxattr+0x10/0x10
+[ 139.137853] ? __pfx_ksys_pwrite64+0x10/0x10
+[ 139.141299] ? debug_smp_processor_id+0x1b/0x30
+[ 139.145714] ?
fpregs_assert_state_consistent+0x6b/0x80
+[ 139.150796] __x64_sys_setxattr+0x71/0x90
+[ 139.155407] do_syscall_64+0x3f/0x90
+[ 139.159035] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+[ 139.163843] RIP: 0033:0x7f108cae4469
+[ 139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088
+[ 139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc
+[ 139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469
+[ 139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6
+[ 139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618
+[ 139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0
+[ 139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15: 0000000000000000
+
+Signed-off-by: Edward Lo
+Signed-off-by: Konstantin Komarov
+Signed-off-by: Sasha Levin
+---
+ fs/ntfs3/xattr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c
+index 4a7753384b0e93..5016f0ef75d529 100644
+--- a/fs/ntfs3/xattr.c
++++ b/fs/ntfs3/xattr.c
+@@ -140,6 +140,7 @@ static int ntfs_read_ea(struct ntfs_inode *ni, struct EA_FULL **ea,
+
+ memset(Add2Ptr(ea_p, size), 0, add_bytes);
+
++ err = -EINVAL;
+ /* Check all attributes for consistency. */
+ for (off = 0; off < size; off += ea_size) {
+ const struct EA_FULL *ef = Add2Ptr(ea_p, off);
+-- 
+2.53.0
+
diff --git a/queue-5.15/nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch b/queue-5.15/nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch
new file mode 100644
index 0000000000..02c8127942
--- /dev/null
+++ b/queue-5.15/nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch
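Review bot: The added `err = -EINVAL;` before the consistency loop in ntfs_read_ea() makes the returned error implicit: it depends on every check inside the loop jumping out without touching err, and on the success path resetting err to 0 afterwards, both of which lie outside the hunk and should be confirmed for this tree. A comment on the new line, `/* Any consistency failure below bails out with -EINVAL; the success path resets err */`, would record that contract, and setting err at each failing check would be the more robust form if the loop body has several exits. The queue-6.1 copy of this patch adds the same line and the same point applies there.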
@@ -0,0 +1,98 @@
+From 63c6338d6606ac2541aa575a86726846fc25fb92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Jun 2026 20:23:54 +0300
+Subject: nfsd: don't ignore the return code of svc_proc_register()
+
+From: Jeff Layton
+
+commit 930b64ca0c511521f0abdd1d57ce52b2a6e3476b upstream.
+
+Currently, nfsd_proc_stat_init() ignores the return value of
+svc_proc_register(). If the procfile creation fails, then the kernel
+will WARN when it tries to remove the entry later.
+
+Fix nfsd_proc_stat_init() to return the same type of pointer as
+svc_proc_register(), and fix up nfsd_net_init() to check that and fail
+the nfsd_net construction if it occurs.
+
+svc_proc_register() can fail if the dentry can't be allocated, or if an
+identical dentry already exists. The second case is pretty unlikely in
+the nfsd_net construction codepath, so if this happens, return -ENOMEM.
+
+Reported-by: syzbot+e34ad04f27991521104c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-nfs/67a47501.050a0220.19061f.05f9.GAE@google.com/
+Cc: stable@vger.kernel.org # v6.9
+Signed-off-by: Jeff Layton
+Signed-off-by: Chuck Lever
+Signed-off-by: Vladislav Nikolaev
+Signed-off-by: Sasha Levin
+---
+ fs/nfsd/nfsctl.c | 9 ++++++++-
+ fs/nfsd/stats.c | 4 ++--
+ fs/nfsd/stats.h | 2 +-
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
+index ba2eaf3744efa4..cc0dea883fbdb2 100644
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -1460,17 +1460,24 @@ static __net_init int nfsd_init_net(struct net *net)
+ retval = nfsd_stat_counters_init(nn);
+ if (retval)
+ goto out_repcache_error;
++
+ memset(&nn->nfsd_svcstats, 0, sizeof(nn->nfsd_svcstats));
+ nn->nfsd_svcstats.program = &nfsd_program;
++ if (!nfsd_proc_stat_init(net)) {
++ retval = -ENOMEM;
++ goto out_proc_error;
++ }
++
+ nn->nfsd_versions = NULL;
+ nn->nfsd4_minorversions = NULL;
+ nfsd4_init_leases_net(nn);
+ get_random_bytes(&nn->siphash_key, sizeof(nn->siphash_key));
+
seqlock_init(&nn->writeverf_lock);
+- nfsd_proc_stat_init(net);
+
+ return 0;
+
++out_proc_error:
++ nfsd_stat_counters_destroy(nn);
+ out_repcache_error:
+ nfsd_idmap_shutdown(net);
+ out_idmap_error:
+diff --git a/fs/nfsd/stats.c b/fs/nfsd/stats.c
+index 7a58dba0045c3b..6d1c6067c80e3b 100644
+--- a/fs/nfsd/stats.c
++++ b/fs/nfsd/stats.c
+@@ -113,11 +113,11 @@ void nfsd_stat_counters_destroy(struct nfsd_net *nn)
+ nfsd_percpu_counters_destroy(nn->counter, NFSD_STATS_COUNTERS_NUM);
+ }
+
+-void nfsd_proc_stat_init(struct net *net)
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net)
+ {
+ struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+
+- svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
++ return svc_proc_register(net, &nn->nfsd_svcstats, &nfsd_proc_ops);
+ }
+
+ void nfsd_proc_stat_shutdown(struct net *net)
+diff --git a/fs/nfsd/stats.h b/fs/nfsd/stats.h
+index 14525e854cbac3..b9329285bc1d79 100644
+--- a/fs/nfsd/stats.h
++++ b/fs/nfsd/stats.h
+@@ -15,7 +15,7 @@ void nfsd_percpu_counters_reset(struct percpu_counter *counters, int num);
+ void nfsd_percpu_counters_destroy(struct percpu_counter *counters, int num);
+ int nfsd_stat_counters_init(struct nfsd_net *nn);
+ void nfsd_stat_counters_destroy(struct nfsd_net *nn);
+-void nfsd_proc_stat_init(struct net *net);
++struct proc_dir_entry *nfsd_proc_stat_init(struct net *net);
+ void nfsd_proc_stat_shutdown(struct net *net);
+
+ static inline void nfsd_stats_rc_hits_inc(struct nfsd_net *nn)
+-- 
+2.53.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 26ca9e23a6..c438df797b 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -171,3 +171,6 @@ sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
 i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
 time-fix-off-by-one-in-settimeofday-usec-validation.patch
+ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch
+fs-ntfs3-return-error-for-inconsistent-extended-attr.patch
+nfsd-don-t-ignore-the-return-code-of-svc_proc_regist.patch
diff --git a/queue-6.1/fs-ntfs3-return-error-for-inconsistent-extended-attr.patch b/queue-6.1/fs-ntfs3-return-error-for-inconsistent-extended-attr.patch
new file mode 100644
index 0000000000..cd1d917d90
--- /dev/null
+++ b/queue-6.1/fs-ntfs3-return-error-for-inconsistent-extended-attr.patch
@@ -0,0 +1,107 @@ +From 687b9b40eb75da397c90c7a83c3f70e6552a7e17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Mar 2023 18:23:03 +0800 +Subject: fs/ntfs3: Return error for inconsistent extended attributes + +From: Edward Lo + +[ Upstream commit c9db0ff04649aa0b45f497183c957fe260f229f6 ] + +ntfs_read_ea is called when we want to read extended attributes. There +are some sanity checks for the validity of the EAs. However, it fails to +return a proper error code for the inconsistent attributes, which might +lead to unpredicted memory accesses after return. + +[ 138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0 +[ 138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199 +[ 138.931132] +[ 138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4 +[ 138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +[ 138.947327] Call Trace: +[ 138.949557] +[ 138.951539] dump_stack_lvl+0x4d/0x67 +[ 138.956834] print_report+0x16f/0x4a6 +[ 138.960798] ? ntfs_set_ea+0x453/0xbf0 +[ 138.964437] ? kasan_complete_mode_report_info+0x7d/0x200 +[ 138.969793] ? ntfs_set_ea+0x453/0xbf0 +[ 138.973523] kasan_report+0xb8/0x140 +[ 138.976740] ? ntfs_set_ea+0x453/0xbf0 +[ 138.980578] __asan_store4+0x76/0xa0 +[ 138.984669] ntfs_set_ea+0x453/0xbf0 +[ 138.988115] ? __pfx_ntfs_set_ea+0x10/0x10 +[ 138.993390] ? kernel_text_address+0xd3/0xe0 +[ 138.998270] ? __kernel_text_address+0x16/0x50 +[ 139.002121] ? unwind_get_return_address+0x3e/0x60 +[ 139.005659] ? __pfx_stack_trace_consume_entry+0x10/0x10 +[ 139.010177] ? arch_stack_walk+0xa2/0x100 +[ 139.013657] ? filter_irq_stacks+0x27/0x80 +[ 139.017018] ntfs_setxattr+0x405/0x440 +[ 139.022151] ? __pfx_ntfs_setxattr+0x10/0x10 +[ 139.026569] ? kvmalloc_node+0x2d/0x120 +[ 139.030329] ? kasan_save_stack+0x41/0x60 +[ 139.033883] ? kasan_save_stack+0x2a/0x60 +[ 139.037338] ? kasan_set_track+0x29/0x40 +[ 139.040163] ? 
kasan_save_alloc_info+0x1f/0x30 +[ 139.043588] ? __kasan_kmalloc+0x8b/0xa0 +[ 139.047255] ? __kmalloc_node+0x68/0x150 +[ 139.051264] ? kvmalloc_node+0x2d/0x120 +[ 139.055301] ? vmemdup_user+0x2b/0xa0 +[ 139.058584] __vfs_setxattr+0x121/0x170 +[ 139.062617] ? __pfx___vfs_setxattr+0x10/0x10 +[ 139.066282] __vfs_setxattr_noperm+0x97/0x300 +[ 139.070061] __vfs_setxattr_locked+0x145/0x170 +[ 139.073580] vfs_setxattr+0x137/0x2a0 +[ 139.076641] ? __pfx_vfs_setxattr+0x10/0x10 +[ 139.080223] ? __kasan_check_write+0x18/0x20 +[ 139.084234] do_setxattr+0xce/0x150 +[ 139.087768] setxattr+0x126/0x140 +[ 139.091250] ? __pfx_setxattr+0x10/0x10 +[ 139.094948] ? __virt_addr_valid+0xcb/0x140 +[ 139.097838] ? __call_rcu_common.constprop.0+0x1c7/0x330 +[ 139.102688] ? debug_smp_processor_id+0x1b/0x30 +[ 139.105985] ? kasan_quarantine_put+0x5b/0x190 +[ 139.109980] ? putname+0x84/0xa0 +[ 139.113886] ? __kasan_slab_free+0x11e/0x1b0 +[ 139.117961] ? putname+0x84/0xa0 +[ 139.121316] ? preempt_count_sub+0x1c/0xd0 +[ 139.124427] ? __mnt_want_write+0xae/0x100 +[ 139.127836] ? mnt_want_write+0x8f/0x150 +[ 139.130954] path_setxattr+0x164/0x180 +[ 139.133998] ? __pfx_path_setxattr+0x10/0x10 +[ 139.137853] ? __pfx_ksys_pwrite64+0x10/0x10 +[ 139.141299] ? debug_smp_processor_id+0x1b/0x30 +[ 139.145714] ? 
fpregs_assert_state_consistent+0x6b/0x80 +[ 139.150796] __x64_sys_setxattr+0x71/0x90 +[ 139.155407] do_syscall_64+0x3f/0x90 +[ 139.159035] entry_SYSCALL_64_after_hwframe+0x72/0xdc +[ 139.163843] RIP: 0033:0x7f108cae4469 +[ 139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 +[ 139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc +[ 139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469 +[ 139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6 +[ 139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618 +[ 139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0 +[ 139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15: 0000000000000000 + +Signed-off-by: Edward Lo +Signed-off-by: Konstantin Komarov +Signed-off-by: Sasha Levin +--- + fs/ntfs3/xattr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c +index 2e4eea854bda59..7dc650b0b832c2 100644 +--- a/fs/ntfs3/xattr.c ++++ b/fs/ntfs3/xattr.c +@@ -140,6 +140,7 @@ static int ntfs_read_ea(struct ntfs_inode *ni, struct EA_FULL **ea, + + memset(Add2Ptr(ea_p, size), 0, add_bytes); + ++ err = -EINVAL; + /* Check all attributes for consistency. */ + for (off = 0; off < size; off += ea_size) { + const struct EA_FULL *ef = Add2Ptr(ea_p, off); +-- +2.53.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 2ca0d63c5e..f89387be72 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -227,3 +227,4 @@ ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch time-fix-off-by-one-in-settimeofday-usec-validation.patch alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch +fs-ntfs3-return-error-for-inconsistent-extended-attr.patch 
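Review bot: The single added line `err = -EINVAL;` in ntfs_read_ea silently changes the meaning of every `goto out` in the consistency loop that follows it (the loop's bail-outs, the `out:` label and the rest of ntfs_read_ea are all outside the hunk), and nothing at the site explains why the assignment sits there rather than at each bail-out. Per the description, the previous behaviour was to fall out of those checks with the stale success value from the earlier read, which is how ntfs_set_ea ended up touching memory it should not have; a future "tidy-up" that moves or drops this line would quietly reintroduce that. Suggest a why-comment directly above it, e.g. `/* Every bail-out from the checks below means a malformed EA list: fail with -EINVAL, never return 0 without a valid *ea. */`. It would also be worth a sentence in the backport header noting whether any caller in this tree still tolerates `err == 0` with `*ea == NULL`, since that contract is what the KASAN report in the description exercised; I cannot confirm that from the hunk.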
diff --git a/queue-6.12/ima-kexec-move-ima-log-copy-from-kexec-load-to-execu.patch b/queue-6.12/ima-kexec-move-ima-log-copy-from-kexec-load-to-execu.patch
new file mode 100644
index 0000000000..c0e1dbc0bf
--- /dev/null
+++ b/queue-6.12/ima-kexec-move-ima-log-copy-from-kexec-load-to-execu.patch
@@ -0,0 +1,164 @@ +From 5cc0896a673f5e7b1d9fe587be5ba6edae2d45bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jun 2026 14:58:44 -0700 +Subject: ima: kexec: move IMA log copy from kexec load to execute + +From: Steven Chen + +[ Upstream commit 9f0ec4b16f2b41d663f688a8012e9e52b2657eba ] + +The IMA log is currently copied to the new kernel during kexec 'load' using +ima_dump_measurement_list(). However, the IMA measurement list copied at +kexec 'load' may result in loss of IMA measurements records that only +occurred after the kexec 'load'. Move the IMA measurement list log copy +from kexec 'load' to 'execute' + +Make the kexec_segment_size variable a local static variable within the +file, so it can be accessed during both kexec 'load' and 'execute'. + +Define kexec_post_load() as a wrapper for calling ima_kexec_post_load() and +machine_kexec_post_load(). Replace the existing direct call to +machine_kexec_post_load() with kexec_post_load(). + +When there is insufficient memory to copy all the measurement logs, copy as +much of the measurement list as possible. 
+ +Co-developed-by: Tushar Sugandhi +Signed-off-by: Tushar Sugandhi +Cc: Eric Biederman +Cc: Baoquan He +Cc: Vivek Goyal +Cc: Dave Young +Signed-off-by: Steven Chen +Tested-by: Stefan Berger # ppc64/kvm +Signed-off-by: Mimi Zohar +(cherry picked from commit 9f0ec4b16f2b41d663f688a8012e9e52b2657eba) +Signed-off-by: Sherry Yang +Signed-off-by: Sasha Levin +--- + kernel/kexec_file.c | 11 +++++++- + security/integrity/ima/ima_kexec.c | 43 ++++++++++++++++++++---------- + 2 files changed, 39 insertions(+), 15 deletions(-) + +diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c +index a20ceb4d27ccce..909432e804be16 100644 +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -201,6 +201,15 @@ kimage_validate_signature(struct kimage *image) + } + #endif + ++static int kexec_post_load(struct kimage *image, unsigned long flags) ++{ ++#ifdef CONFIG_IMA_KEXEC ++ if (!(flags & KEXEC_FILE_ON_CRASH)) ++ ima_kexec_post_load(image); ++#endif ++ return machine_kexec_post_load(image); ++} ++ + /* + * In file mode list of segments is prepared by kernel. 
Copy relevant + * data from user space, do error checking, prepare segment list +@@ -428,7 +437,7 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, + + kimage_terminate(image); + +- ret = machine_kexec_post_load(image); ++ ret = kexec_post_load(image, flags); + if (ret) + goto out; + +diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c +index 4de9834c3e1335..48fe9a7e1f456e 100644 +--- a/security/integrity/ima/ima_kexec.c ++++ b/security/integrity/ima/ima_kexec.c +@@ -21,6 +21,7 @@ + #ifdef CONFIG_IMA_KEXEC + static bool ima_kexec_update_registered; + static struct seq_file ima_kexec_file; ++static size_t kexec_segment_size; + static void *ima_kexec_buffer; + + static void ima_free_kexec_file_buf(struct seq_file *sf) +@@ -84,9 +85,6 @@ static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer, + } + } + +- if (ret < 0) +- goto out; +- + /* + * fill in reserved space with some buffer details + * (eg. version, buffer size, number of measurements) +@@ -106,7 +104,7 @@ static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer, + + *buffer_size = ima_kexec_file.count; + *buffer = ima_kexec_file.buf; +-out: ++ + return ret; + } + +@@ -124,9 +122,8 @@ void ima_add_kexec_buffer(struct kimage *image) + unsigned long binary_runtime_size; + + /* use more understandable variable names than defined in kbuf */ ++ size_t kexec_buffer_size = 0; + void *kexec_buffer = NULL; +- size_t kexec_buffer_size; +- size_t kexec_segment_size; + int ret; + + if (image->type == KEXEC_TYPE_CRASH) +@@ -154,13 +151,6 @@ void ima_add_kexec_buffer(struct kimage *image) + return; + } + +- ima_dump_measurement_list(&kexec_buffer_size, &kexec_buffer, +- kexec_segment_size); +- if (!kexec_buffer) { +- pr_err("Not enough memory for the kexec measurement buffer.\n"); +- return; +- } +- + kbuf.buffer = kexec_buffer; + kbuf.bufsz = kexec_buffer_size; + kbuf.memsz = kexec_segment_size; +@@ -188,7 +178,32 @@ void 
ima_add_kexec_buffer(struct kimage *image) + static int ima_update_kexec_buffer(struct notifier_block *self, + unsigned long action, void *data) + { +- return NOTIFY_OK; ++ size_t buf_size = 0; ++ int ret = NOTIFY_OK; ++ void *buf = NULL; ++ ++ if (!kexec_in_progress) { ++ pr_info("No kexec in progress.\n"); ++ return ret; ++ } ++ ++ if (!ima_kexec_buffer) { ++ pr_err("Kexec buffer not set.\n"); ++ return ret; ++ } ++ ++ ret = ima_dump_measurement_list(&buf_size, &buf, kexec_segment_size); ++ ++ if (ret) ++ pr_err("Dump measurements failed. Error:%d\n", ret); ++ ++ if (buf_size != 0) ++ memcpy(ima_kexec_buffer, buf, buf_size); ++ ++ kimage_unmap_segment(ima_kexec_buffer); ++ ima_kexec_buffer = NULL; ++ ++ return ret; + } + + static struct notifier_block update_buffer_nb = { +-- +2.53.0 + diff --git a/queue-6.12/ima-kexec-skip-ima-segment-validation-after-kexec-so.patch b/queue-6.12/ima-kexec-skip-ima-segment-validation-after-kexec-so.patch new file mode 100644 index 0000000000..fe2fb3c145 --- /dev/null +++ b/queue-6.12/ima-kexec-skip-ima-segment-validation-after-kexec-so.patch 
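Review bot: In the new body of ima_update_kexec_buffer, `ret` starts as `NOTIFY_OK` but is then overwritten with the errno from `ima_dump_measurement_list()` and returned as the notifier result; a negative errno has `NOTIFY_STOP_MASK` (0x8000) set, so as far as I can tell from the notifier API a failed dump would stop every later callback on the chain that `update_buffer_nb` is registered on (the registration is outside the hunk, presumably the reboot chain). The callback cannot recover at that point anyway, so after the `pr_err()` it should always `return NOTIFY_OK;` and keep the errno in a separate local. Separately, `memcpy(ima_kexec_buffer, buf, buf_size)` trusts that the dump honoured `kexec_segment_size`: now that the `if (ret < 0) goto out;` early exit has been removed from ima_dump_measurement_list and `*buffer_size` is published even after a partial failure, a cheap `if (WARN_ON(buf_size > kexec_segment_size)) buf_size = kexec_segment_size;` before the copy would bound the write into the mapped segment rather than rely on the invariant implicitly. ima_dump_measurement_list itself begins and ends outside the hunk.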
@@ -0,0 +1,127 @@ +From 820a804a08847459af2c7f9e6b90c8080f9b7197 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Jun 2026 14:58:43 -0700 +Subject: ima: kexec: skip IMA segment validation after kexec soft reboot + +From: Steven Chen + +[ Upstream commit 9ee8888a80fe2bd20ce929ffbc1dedd57607a778 ] + +Currently, the function kexec_calculate_store_digests() calculates and +stores the digest of the segment during the kexec_file_load syscall, +where the IMA segment is also allocated. + +Later, the IMA segment will be updated with the measurement log at the +kexec execute stage when a kexec reboot is initiated. Therefore, the +digests should be updated for the IMA segment in the normal case. The +problem is that the content of memory segments carried over to the new +kernel during the kexec systemcall can be changed at kexec 'execute' +stage, but the size and the location of the memory segments cannot be +changed at kexec 'execute' stage. + +To address this, skip the calculation and storage of the digest for the +IMA segment in kexec_calculate_store_digests() so that it is not added +to the purgatory_sha_regions. + +With this change, the IMA segment is not included in the digest +calculation, storage, and verification. 
+ +Cc: Eric Biederman +Cc: Baoquan He +Cc: Vivek Goyal +Cc: Dave Young +Co-developed-by: Tushar Sugandhi +Signed-off-by: Tushar Sugandhi +Signed-off-by: Steven Chen +Reviewed-by: Stefan Berger +Acked-by: Baoquan He +Tested-by: Stefan Berger # ppc64/kvm +[zohar@linux.ibm.com: Fixed Signed-off-by tag to match author's email ] +Signed-off-by: Mimi Zohar +(cherry picked from commit 9ee8888a80fe2bd20ce929ffbc1dedd57607a778) +Signed-off-by: Sherry Yang +Signed-off-by: Sasha Levin +--- + include/linux/kexec.h | 3 +++ + kernel/kexec_file.c | 22 ++++++++++++++++++++++ + security/integrity/ima/ima_kexec.c | 3 +++ + 3 files changed, 28 insertions(+) + +diff --git a/include/linux/kexec.h b/include/linux/kexec.h +index 7d6b12f8b8d058..107e726f2ef3f1 100644 +--- a/include/linux/kexec.h ++++ b/include/linux/kexec.h +@@ -362,6 +362,9 @@ struct kimage { + + phys_addr_t ima_buffer_addr; + size_t ima_buffer_size; ++ ++ unsigned long ima_segment_index; ++ bool is_ima_segment_index_set; + #endif + + /* Core ELF header buffer */ +diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c +index f852528bdc246a..a20ceb4d27ccce 100644 +--- a/kernel/kexec_file.c ++++ b/kernel/kexec_file.c +@@ -38,6 +38,21 @@ void set_kexec_sig_enforced(void) + } + #endif + ++#ifdef CONFIG_IMA_KEXEC ++static bool check_ima_segment_index(struct kimage *image, int i) ++{ ++ if (image->is_ima_segment_index_set && i == image->ima_segment_index) ++ return true; ++ else ++ return false; ++} ++#else ++static bool check_ima_segment_index(struct kimage *image, int i) ++{ ++ return false; ++} ++#endif ++ + static int kexec_calculate_store_digests(struct kimage *image); + + /* Maximum size in bytes for kernel/initrd files. 
*/ +@@ -764,6 +779,13 @@ static int kexec_calculate_store_digests(struct kimage *image) + if (ksegment->kbuf == pi->purgatory_buf) + continue; + ++ /* ++ * Skip the segment if ima_segment_index is set and matches ++ * the current index ++ */ ++ if (check_ima_segment_index(image, i)) ++ continue; ++ + ret = crypto_shash_update(desc, ksegment->kbuf, + ksegment->bufsz); + if (ret) +diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c +index 501b952b36981f..4de9834c3e1335 100644 +--- a/security/integrity/ima/ima_kexec.c ++++ b/security/integrity/ima/ima_kexec.c +@@ -164,6 +164,7 @@ void ima_add_kexec_buffer(struct kimage *image) + kbuf.buffer = kexec_buffer; + kbuf.bufsz = kexec_buffer_size; + kbuf.memsz = kexec_segment_size; ++ image->is_ima_segment_index_set = false; + ret = kexec_add_buffer(&kbuf); + if (ret) { + pr_err("Error passing over kexec measurement buffer.\n"); +@@ -174,6 +175,8 @@ void ima_add_kexec_buffer(struct kimage *image) + image->ima_buffer_addr = kbuf.mem; + image->ima_buffer_size = kexec_segment_size; + image->ima_buffer = kexec_buffer; ++ image->ima_segment_index = image->nr_segments - 1; ++ image->is_ima_segment_index_set = true; + + kexec_dprintk("kexec measurement buffer for the loaded kernel at 0x%lx.\n", + kbuf.mem); +-- +2.53.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 180328093b..1f9d1e7526 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -61,3 +61,5 @@ signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch time-fix-off-by-one-in-settimeofday-usec-validation.patch alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch alsa-seq-dummy-fix-ump-event-stack-overread.patch +ima-kexec-skip-ima-segment-validation-after-kexec-so.patch +ima-kexec-move-ima-log-copy-from-kexec-load-to-execu.patch
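Review bot: The two fields added to `struct kimage` in include/linux/kexec.h carry no comment, yet they change what purgatory verifies: a segment whose index matches is skipped by kexec_calculate_store_digests(), so its contents are not covered by the SHA regions checked at boot, and a reader of the header cannot see why that is acceptable. Suggest documenting it at the declaration, e.g. `/* Index of the IMA measurement-list segment; its contents are rewritten at kexec 'execute', so it is deliberately excluded from the purgatory digest. */`. In kernel/kexec_file.c, `check_ima_segment_index()` compares an `int i` against an `unsigned long ima_segment_index`; `return image->is_ima_segment_index_set && i == image->ima_segment_index;` says the same thing in one line, and giving `i` the type of the loop index it is compared with would avoid the mixed-sign comparison. Recording `image->nr_segments - 1` as the index in ima_add_kexec_buffer assumes kexec_add_buffer() appends to the segment array, which is not visible in this hunk and deserves a one-line comment at that assignment.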