From: Greg Kroah-Hartman Date: Tue, 9 Jun 2026 10:45:22 +0000 (+0200) Subject: 6.12-stable patches X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=9736f39c0280aebcbcc327690cbaee0bdca9fc06;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: arm-allow-__do_kernel_fault-to-report-execution-of-m.patch arm-fix-branch-predictor-hardening.patch arm-fix-hash_name-fault.patch arm-group-is_permission_fault-with-is_translation_fa.patch bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch net-phy-micrel-fix-lan8814-qsgmii-soft-reset.patch series usb-serial-mct_u232-fix-memory-corruption-with-small.patch wifi-remove-zero-length-arrays.patch --- diff --git a/queue-6.12/arm-allow-__do_kernel_fault-to-report-execution-of-m.patch b/queue-6.12/arm-allow-__do_kernel_fault-to-report-execution-of-m.patch new file mode 100644 index 0000000000..b6e2274036 --- /dev/null +++ b/queue-6.12/arm-allow-__do_kernel_fault-to-report-execution-of-m.patch @@ -0,0 +1,39 @@ +From 118999c3ea67ee7a625d7b705a84a2c5d4544d45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2026 15:53:55 +0200 +Subject: ARM: allow __do_kernel_fault() to report execution of memory faults + +From: Russell King (Oracle) + +commit 40b466db1dffb41f0529035c59c5739636d0e5b8 upstream. + +Allow __do_kernel_fault() to detect the execution of memory, so we can +provide the same fault message as do_page_fault() would do. This is +required when we split the kernel address fault handling from the +main do_page_fault() code path. + +Reviewed-by: Xie Yuanbin +Tested-by: Xie Yuanbin +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Sasha Levin +--- + arch/arm/mm/fault.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c +index 4dca7b75ae5e43..1d052d3c767d96 100644 +--- a/arch/arm/mm/fault.c ++++ b/arch/arm/mm/fault.c +@@ -176,6 +176,8 @@ __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr, + */ + if (addr < PAGE_SIZE) { + msg = "NULL pointer dereference"; ++ } else if (is_permission_fault(fsr) && fsr & FSR_LNX_PF) { ++ msg = "execution of memory"; + } else { + if (is_translation_fault(fsr) && + kfence_handle_page_fault(addr, is_write_fault(fsr), regs)) +-- +2.53.0 + diff --git a/queue-6.12/arm-fix-branch-predictor-hardening.patch b/queue-6.12/arm-fix-branch-predictor-hardening.patch new file mode 100644 index 0000000000..19d35aa26a --- /dev/null +++ b/queue-6.12/arm-fix-branch-predictor-hardening.patch @@ -0,0 +1,159 @@ +From 3d00acaa8e5ba357b1706dd0002cc5aa941b2be0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2026 15:53:57 +0200 +Subject: ARM: fix branch predictor hardening + +From: Russell King (Oracle) + +commit fd2dee1c6e2256f726ba33fd3083a7be0efc80d3 upstream. + +__do_user_fault() may be called with indeterminent interrupt enable +state, which means we may be preemptive at this point. This causes +problems when calling harden_branch_predictor(). For example, when +called from a data abort, do_alignment_fault()->do_bad_area(). + +Move harden_branch_predictor() out of __do_user_fault() and into the +calling contexts. + +Moving it into do_kernel_address_page_fault(), we can be sure that +interrupts will be disabled here. + +Converting do_translation_fault() to use do_kernel_address_page_fault() +rather than do_bad_area() means that we keep branch predictor handling +for translation faults. Interrupts will also be disabled at this call +site. + +do_sect_fault() needs special handling, so detect user mode accesses +to kernel-addresses, and add an explicit call to branch predictor +hardening. + +Finally, add branch predictor hardening to do_alignment() for the +faulting case (user mode accessing kernel addresses) before interrupts +are enabled. + +This should cover all cases where harden_branch_predictor() is called, +ensuring that it is always has interrupts disabled, also ensuring that +it is called early in each call path. + +Reviewed-by: Xie Yuanbin +Tested-by: Xie Yuanbin +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Sasha Levin +--- + arch/arm/mm/alignment.c | 6 +++++- + arch/arm/mm/fault.c | 39 ++++++++++++++++++++++++++------------- + 2 files changed, 31 insertions(+), 14 deletions(-) + +diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c +index 3c6ddb1afdc463..812380f30ae36a 100644 +--- a/arch/arm/mm/alignment.c ++++ b/arch/arm/mm/alignment.c +@@ -19,10 +19,11 @@ + #include + #include + #include ++#include + + #include + #include +-#include ++#include + #include + + #include "fault.h" +@@ -809,6 +810,9 @@ do_alignment(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + int thumb2_32b = 0; + int fault; + ++ if (addr >= TASK_SIZE && user_mode(regs)) ++ harden_branch_predictor(); ++ + if (interrupts_enabled(regs)) + local_irq_enable(); + +diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c +index 8768c70fd885bc..16b5a7d214808f 100644 +--- a/arch/arm/mm/fault.c ++++ b/arch/arm/mm/fault.c +@@ -199,9 +199,6 @@ __do_user_fault(unsigned long addr, unsigned int fsr, unsigned int sig, + { + struct task_struct *tsk = current; + +- if (addr > TASK_SIZE) +- harden_branch_predictor(); +- + #ifdef CONFIG_DEBUG_USER + if (((user_debug & UDBG_SEGV) && (sig == SIGSEGV)) || + ((user_debug & UDBG_BUS) && (sig == SIGBUS))) { +@@ -270,8 +267,10 @@ do_kernel_address_page_fault(struct mm_struct *mm, unsigned long addr, + /* + * Fault from user mode for a kernel space address. User mode + * should not be faulting in kernel space, which includes the +- * vector/khelper page. Send a SIGSEGV. ++ * vector/khelper page. Handle the branch predictor hardening ++ * while interrupts are still disabled, then send a SIGSEGV. + */ ++ harden_branch_predictor(); + __do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs); + } else { + /* +@@ -486,16 +485,20 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + * We enter here because the first level page table doesn't contain + * a valid entry for the address. + * +- * If the address is in kernel space (>= TASK_SIZE), then we are +- * probably faulting in the vmalloc() area. ++ * If this is a user address (addr < TASK_SIZE), we handle this as a ++ * normal page fault. This leaves the remainder of the function to handle ++ * kernel address translation faults. + * +- * If the init_task's first level page tables contains the relevant +- * entry, we copy the it to this task. If not, we send the process +- * a signal, fixup the exception, or oops the kernel. ++ * Since user mode is not permitted to access kernel addresses, pass these ++ * directly to do_kernel_address_page_fault() to handle. + * +- * NOTE! We MUST NOT take any locks for this case. We may be in an +- * interrupt or a critical region, and should only copy the information +- * from the master page table, nothing more. ++ * Otherwise, we're probably faulting in the vmalloc() area, so try to fix ++ * that up. Note that we must not take any locks or enable interrupts in ++ * this case. ++ * ++ * If vmalloc() fixup fails, that means the non-leaf page tables did not ++ * contain an entry for this address, so handle this via ++ * do_kernel_address_page_fault(). + */ + #ifdef CONFIG_MMU + static int __kprobes +@@ -561,7 +564,8 @@ do_translation_fault(unsigned long addr, unsigned int fsr, + return 0; + + bad_area: +- do_bad_area(addr, fsr, regs); ++ do_kernel_address_page_fault(current->mm, addr, fsr, regs); ++ + return 0; + } + #else /* CONFIG_MMU */ +@@ -581,7 +585,16 @@ do_translation_fault(unsigned long addr, unsigned int fsr, + static int + do_sect_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + { ++ /* ++ * If this is a kernel address, but from user mode, then userspace ++ * is trying bad stuff. Invoke the branch predictor handling. ++ * Interrupts are disabled here. ++ */ ++ if (addr >= TASK_SIZE && user_mode(regs)) ++ harden_branch_predictor(); ++ + do_bad_area(addr, fsr, regs); ++ + return 0; + } + #endif /* CONFIG_ARM_LPAE */ +-- +2.53.0 + diff --git a/queue-6.12/arm-fix-hash_name-fault.patch b/queue-6.12/arm-fix-hash_name-fault.patch new file mode 100644 index 0000000000..eede28286e --- /dev/null +++ b/queue-6.12/arm-fix-hash_name-fault.patch @@ -0,0 +1,109 @@ +From 926b0d9847aa8d9515741af254b988ed3722f936 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2026 15:53:56 +0200 +Subject: ARM: fix hash_name() fault + +From: Russell King (Oracle) + +commit 7733bc7d299d682f2723dc38fc7f370b9bf973e9 upstream. + +Zizhi Wo reports: + +"During the execution of hash_name()->load_unaligned_zeropad(), a + potential memory access beyond the PAGE boundary may occur. For + example, when the filename length is near the PAGE_SIZE boundary. + This triggers a page fault, which leads to a call to + do_page_fault()->mmap_read_trylock(). If we can't acquire the lock, + we have to fall back to the mmap_read_lock() path, which calls + might_sleep(). This breaks RCU semantics because path lookup occurs + under an RCU read-side critical section." + +This is seen with CONFIG_DEBUG_ATOMIC_SLEEP=y and CONFIG_KFENCE=y. + +Kernel addresses (with the exception of the vectors/kuser helper +page) do not have VMAs associated with them. If the vectors/kuser +helper page faults, then there are two possibilities: + +1. if the fault happened while in kernel mode, then we're basically + dead, because the CPU won't be able to vector through this page + to handle the fault. +2. if the fault happened while in user mode, that means the page was + protected from user access, and we want to fault anyway. + +Thus, we can handle kernel addresses from any context entirely +separately without going anywhere near the mmap lock. This gives us +an entirely non-sleeping path for all kernel mode kernel address +faults. + +As we handle the kernel address faults before interrupts are enabled, +this change has the side effect of improving the branch predictor +hardening, but does not completely solve the issue. + +Reported-by: Zizhi Wo +Reported-by: Xie Yuanbin +Link: https://lore.kernel.org/r/20251126090505.3057219-1-wozizhi@huaweicloud.com +Reviewed-by: Xie Yuanbin +Tested-by: Xie Yuanbin +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Sasha Levin +--- + arch/arm/mm/fault.c | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c +index 1d052d3c767d96..8768c70fd885bc 100644 +--- a/arch/arm/mm/fault.c ++++ b/arch/arm/mm/fault.c +@@ -262,6 +262,35 @@ static inline bool ttbr0_usermode_access_allowed(struct pt_regs *regs) + } + #endif + ++static int __kprobes ++do_kernel_address_page_fault(struct mm_struct *mm, unsigned long addr, ++ unsigned int fsr, struct pt_regs *regs) ++{ ++ if (user_mode(regs)) { ++ /* ++ * Fault from user mode for a kernel space address. User mode ++ * should not be faulting in kernel space, which includes the ++ * vector/khelper page. Send a SIGSEGV. ++ */ ++ __do_user_fault(addr, fsr, SIGSEGV, SEGV_MAPERR, regs); ++ } else { ++ /* ++ * Fault from kernel mode. Enable interrupts if they were ++ * enabled in the parent context. Section (upper page table) ++ * translation faults are handled via do_translation_fault(), ++ * so we will only get here for a non-present kernel space ++ * PTE or PTE permission fault. This may happen in exceptional ++ * circumstances and need the fixup tables to be walked. ++ */ ++ if (interrupts_enabled(regs)) ++ local_irq_enable(); ++ ++ __do_kernel_fault(mm, addr, fsr, regs); ++ } ++ ++ return 0; ++} ++ + static int __kprobes + do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + { +@@ -275,6 +304,12 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + if (kprobe_page_fault(regs, fsr)) + return 0; + ++ /* ++ * Handle kernel addresses faults separately, which avoids touching ++ * the mmap lock from contexts that are not able to sleep. ++ */ ++ if (addr >= TASK_SIZE) ++ return do_kernel_address_page_fault(mm, addr, fsr, regs); + + /* Enable interrupts if they were enabled in the parent context. */ + if (interrupts_enabled(regs)) +-- +2.53.0 + diff --git a/queue-6.12/arm-group-is_permission_fault-with-is_translation_fa.patch b/queue-6.12/arm-group-is_permission_fault-with-is_translation_fa.patch new file mode 100644 index 0000000000..e7989d15f8 --- /dev/null +++ b/queue-6.12/arm-group-is_permission_fault-with-is_translation_fa.patch @@ -0,0 +1,68 @@ +From d99ba41af61fbe7af8709d9ccc26f1c0c31a4ab4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 May 2026 15:53:54 +0200 +Subject: ARM: group is_permission_fault() with is_translation_fault() + +From: Russell King (Oracle) + +commit dea20281ac88226615761c570c8ff7adc18e6ac2 upstream. + +Group is_permission_fault() with is_translation_fault(), which is +needed to use is_permission_fault() in __do_kernel_fault(). As +this is static inline, there is no need for this to be under +CONFIG_MMU. + +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Sasha Levin +--- + arch/arm/mm/fault.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c +index ab01b51de5590b..4dca7b75ae5e43 100644 +--- a/arch/arm/mm/fault.c ++++ b/arch/arm/mm/fault.c +@@ -128,6 +128,19 @@ static inline bool is_translation_fault(unsigned int fsr) + return false; + } + ++static inline bool is_permission_fault(unsigned int fsr) ++{ ++ int fs = fsr_fs(fsr); ++#ifdef CONFIG_ARM_LPAE ++ if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL) ++ return true; ++#else ++ if (fs == FS_L1_PERM || fs == FS_L2_PERM) ++ return true; ++#endif ++ return false; ++} ++ + static void die_kernel_fault(const char *msg, struct mm_struct *mm, + unsigned long addr, unsigned int fsr, + struct pt_regs *regs) +@@ -226,19 +239,6 @@ void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs) + } + + #ifdef CONFIG_MMU +-static inline bool is_permission_fault(unsigned int fsr) +-{ +- int fs = fsr_fs(fsr); +-#ifdef CONFIG_ARM_LPAE +- if ((fs & FS_MMU_NOLL_MASK) == FS_PERM_NOLL) +- return true; +-#else +- if (fs == FS_L1_PERM || fs == FS_L2_PERM) +- return true; +-#endif +- return false; +-} +- + #ifdef CONFIG_CPU_TTBR0_PAN + static inline bool ttbr0_usermode_access_allowed(struct pt_regs *regs) + { +-- +2.53.0 + diff --git a/queue-6.12/bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch b/queue-6.12/bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch new file mode 100644 index 0000000000..e50b427755 --- /dev/null +++ b/queue-6.12/bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch @@ -0,0 +1,139 @@ +From 8d4ccdc3a532a9a74ef0eba9c36c455b3417e6b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Apr 2026 01:26:43 +0000 +Subject: bpf: Free reuseport cBPF prog after RCU grace period. + +From: Kuniyuki Iwashima + +[ Upstream commit 18fc650ccd7fe3376eca89203668cfb8268f60df ] + +Eulgyu Kim reported the splat below with a repro. [0] + +The repro sets up a UDP reuseport group with a cBPF prog and +replaces it with a new one while another thread is sending +a UDP packet to the group. + +The reuseport prog is freed by sk_reuseport_prog_free(). +bpf_prog_put() is called for "e"BPF prog to destruct through +multiple stages while cBPF prog is freed immediately by +bpf_release_orig_filter() and bpf_prog_free(). + +If a reuseport prog is detached from the setsockopt() path +(reuseport_attach_prog() or reuseport_detach_prog()), +sk_reuseport_prog_free() is called without waiting for RCU +readers to complete, resulting in various bugs. + +Let's defer freeing the reuseport cBPF prog after one RCU +grace period. + +Note "e"BPF prog is safe as is unless the fast path starts +to touch fields destroyed in bpf_prog_put_deferred() and +__bpf_prog_put_noref(). + +[0]: +BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596 +Read of size 4 at addr ffffc9000051e004 by task slowme/10208 +CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full) +Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +Call Trace: + + dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596 + udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495 + __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723 + __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752 + __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752 + ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207 + ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241 + NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 + NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 + __netif_receive_skb_one_core net/core/dev.c:6181 [inline] + __netif_receive_skb net/core/dev.c:6294 [inline] + process_backlog+0xaa4/0x1960 net/core/dev.c:6645 + __napi_poll+0xae/0x340 net/core/dev.c:7709 + napi_poll net/core/dev.c:7772 [inline] + net_rx_action+0x5d7/0xf50 net/core/dev.c:7929 + handle_softirqs+0x22b/0x870 kernel/softirq.c:622 + do_softirq+0x76/0xd0 kernel/softirq.c:523 + + + __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450 + local_bh_enable include/linux/bottom_half.h:33 [inline] + rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline] + __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890 + neigh_output include/net/neighbour.h:556 [inline] + ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237 + NF_HOOK_COND include/linux/netfilter.h:307 [inline] + ip_output+0x29f/0x450 net/ipv4/ip_output.c:438 + ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508 + udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195 + udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg net/socket.c:742 [inline] + __sys_sendto+0x554/0x680 net/socket.c:2206 + __do_sys_sendto net/socket.c:2213 [inline] + __se_sys_sendto net/socket.c:2209 [inline] + __x64_sys_sendto+0xde/0x100 net/socket.c:2209 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x415a2d +Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c +RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d +RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003 +RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010 +R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0 +R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0 + + +Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF") +Reported-by: Eulgyu Kim +Reported-by: Taeyang Lee <0wn@theori.io> +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: Daniel Borkmann +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 193ecaa7425ea2..3d71a59072533d 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -1651,15 +1651,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk) + return err; + } + ++static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu) ++{ ++ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu); ++ struct bpf_prog *prog = aux->prog; ++ ++ bpf_release_orig_filter(prog); ++ bpf_prog_free(prog); ++} ++ + void sk_reuseport_prog_free(struct bpf_prog *prog) + { + if (!prog) + return; + +- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT) +- bpf_prog_put(prog); ++ if (bpf_prog_was_classic(prog)) ++ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu); + else +- bpf_prog_destroy(prog); ++ bpf_prog_put(prog); + } + + struct bpf_scratchpad { +-- +2.53.0 + diff --git a/queue-6.12/net-phy-micrel-fix-lan8814-qsgmii-soft-reset.patch b/queue-6.12/net-phy-micrel-fix-lan8814-qsgmii-soft-reset.patch new file mode 100644 index 0000000000..6e4aa38683 --- /dev/null +++ b/queue-6.12/net-phy-micrel-fix-lan8814-qsgmii-soft-reset.patch @@ -0,0 +1,72 @@ +From 5b4e8d854b6d27bd7353caf435de8c0972ef82a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2026 15:41:01 +0200 +Subject: net: phy: micrel: fix LAN8814 QSGMII soft reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Robert Marko + +[ Upstream commit e027c218c482c6a0ae1948129ccda3b0a2033368 ] + +LAN8814 QSGMII soft reset was moved into the probe function to avoid +triggering it for each of 4 PHY-s in the package. + +However, that broke QSGMII link between the MAC and PHY on most LAN8814 +PHY-s, specificaly for us on the Microchip LAN969x switch. +Reading the QSGMII status registers it was visible that lanes were only +partially synced. + +It looks like the reset timing is crucial, so lets move the reset back +into the .config_init function but guard it with phy_package_init_once() +to avoid it being triggered on each of 4 PHY-s in the package. +Change the probe function to use phy_package_probe_once() for coma and PtP +setup. + +Fixes: 347bf638d39f ("net: phy: micrel: lan8814 fix reset of the QSGMII interface") +Signed-off-by: Robert Marko +Link: https://patch.msgid.link/20260428134138.1741253-1-robert.marko@sartura.hr +Signed-off-by: Jakub Kicinski +Signed-off-by: Joël Esponde +Signed-off-by: Sasha Levin +--- + drivers/net/phy/micrel.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index f0c068075322f9..2dca6e8a5fce5c 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -4093,6 +4093,13 @@ static int lan8814_config_init(struct phy_device *phydev) + { + struct kszphy_priv *lan8814 = phydev->priv; + ++ if (phy_package_init_once(phydev)) ++ /* Reset the PHY */ ++ lanphy_modify_page_reg(phydev, LAN8814_PAGE_COMMON_REGS, ++ LAN8814_QSGMII_SOFT_RESET, ++ LAN8814_QSGMII_SOFT_RESET_BIT, ++ LAN8814_QSGMII_SOFT_RESET_BIT); ++ + /* Disable ANEG with QSGMII PCS Host side */ + lanphy_modify_page_reg(phydev, LAN8814_PAGE_PORT_REGS, + LAN8814_QSGMII_PCS1G_ANEG_CONFIG, +@@ -4177,13 +4184,7 @@ static int lan8814_probe(struct phy_device *phydev) + devm_phy_package_join(&phydev->mdio.dev, phydev, + addr, sizeof(struct lan8814_shared_priv)); + +- if (phy_package_init_once(phydev)) { +- /* Reset the PHY */ +- lanphy_modify_page_reg(phydev, LAN8814_PAGE_COMMON_REGS, +- LAN8814_QSGMII_SOFT_RESET, +- LAN8814_QSGMII_SOFT_RESET_BIT, +- LAN8814_QSGMII_SOFT_RESET_BIT); +- ++ if (phy_package_probe_once(phydev)) { + err = lan8814_release_coma_mode(phydev); + if (err) + return err; +-- +2.53.0 + diff --git a/queue-6.12/series b/queue-6.12/series new file mode 100644 index 0000000000..10876eb595 --- /dev/null +++ b/queue-6.12/series @@ -0,0 +1,8 @@ +bpf-free-reuseport-cbpf-prog-after-rcu-grace-period.patch +usb-serial-mct_u232-fix-memory-corruption-with-small.patch +arm-group-is_permission_fault-with-is_translation_fa.patch +arm-allow-__do_kernel_fault-to-report-execution-of-m.patch +arm-fix-hash_name-fault.patch +arm-fix-branch-predictor-hardening.patch +net-phy-micrel-fix-lan8814-qsgmii-soft-reset.patch +wifi-remove-zero-length-arrays.patch diff --git a/queue-6.12/usb-serial-mct_u232-fix-memory-corruption-with-small.patch b/queue-6.12/usb-serial-mct_u232-fix-memory-corruption-with-small.patch new file mode 100644 index 0000000000..faf3bf1888 --- /dev/null +++ b/queue-6.12/usb-serial-mct_u232-fix-memory-corruption-with-small.patch @@ -0,0 +1,81 @@ +From 8d0fd8b9a42dd7c07484915459a5efe6e3f1ab2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Jun 2026 14:11:33 +0200 +Subject: USB: serial: mct_u232: fix memory corruption with small endpoint + +From: Johan Hovold + +commit 915b36d701950503c4ea0f6e314b10868e59fce3 upstream. + +The driver overrides the maximum transfer size for a specific device +which only accepts 16 byte packets for its 32 byte bulk-out endpoint. + +Make sure to never increase the maximum transfer size to prevent slab +corruption should a malicious device report a smaller endpoint max +packet size than expected. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +--- + drivers/usb/serial/mct_u232.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c +index d225d7c1455f4f..33d4bbc461be6a 100644 +--- a/drivers/usb/serial/mct_u232.c ++++ b/drivers/usb/serial/mct_u232.c +@@ -378,6 +378,7 @@ static int mct_u232_port_probe(struct usb_serial_port *port) + { + struct usb_serial *serial = port->serial; + struct mct_u232_private *priv; ++ u16 pid; + + /* check first to simplify error handling */ + if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) { +@@ -385,6 +386,16 @@ static int mct_u232_port_probe(struct usb_serial_port *port) + return -ENODEV; + } + ++ /* ++ * Compensate for a hardware bug: although the Sitecom U232-P25 ++ * device reports a maximum output packet size of 32 bytes, ++ * it seems to be able to accept only 16 bytes (and that's what ++ * SniffUSB says too...) ++ */ ++ pid = le16_to_cpu(serial->dev->descriptor.idProduct); ++ if (pid == MCT_U232_SITECOM_PID) ++ port->bulk_out_size = min(16, port->bulk_out_size); ++ + priv = kzalloc(sizeof(*priv), GFP_KERNEL); + if (!priv) + return -ENOMEM; +@@ -410,7 +421,6 @@ static void mct_u232_port_remove(struct usb_serial_port *port) + + static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port) + { +- struct usb_serial *serial = port->serial; + struct mct_u232_private *priv = usb_get_serial_port_data(port); + int retval = 0; + unsigned int control_state; +@@ -418,15 +428,6 @@ static int mct_u232_open(struct tty_struct *tty, struct usb_serial_port *port) + unsigned char last_lcr; + unsigned char last_msr; + +- /* Compensate for a hardware bug: although the Sitecom U232-P25 +- * device reports a maximum output packet size of 32 bytes, +- * it seems to be able to accept only 16 bytes (and that's what +- * SniffUSB says too...) +- */ +- if (le16_to_cpu(serial->dev->descriptor.idProduct) +- == MCT_U232_SITECOM_PID) +- port->bulk_out_size = 16; +- + /* Do a defined restart: the normal serial device seems to + * always turn on DTR and RTS here, so do the same. I'm not + * sure if this is really necessary. But it should not harm +-- +2.53.0 + diff --git a/queue-6.12/wifi-remove-zero-length-arrays.patch b/queue-6.12/wifi-remove-zero-length-arrays.patch new file mode 100644 index 0000000000..afecde3b25 --- /dev/null +++ b/queue-6.12/wifi-remove-zero-length-arrays.patch @@ -0,0 +1,92 @@ +From 9624cc1827c137d1d56189e8662b15d37d4a710d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Jun 2026 13:32:16 +0000 +Subject: wifi: remove zero-length arrays + +From: Johannes Berg + +commit a85b8544d46390469b6ca72d6bfd3ecb7be985ff upstream. + +All of these are really meant to be variable-length, and +in the case of s1g_beacon it's actually accessed. Make that +one in particular, and a couple of others (that aren't used +as arrays now), actually variable. + +Reported-by: syzbot+fd222bb38e916df26fa4@syzkaller.appspotmail.com +Fixes: 1e1f706fc2ce ("wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements") +Link: https://patch.msgid.link/20250614003037.a3e82e882251.I2e8b58e56ff2a9f8b06c66f036578b7c1d4e4685@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Carlos Llamas +Signed-off-by: Sasha Levin +--- + include/linux/ieee80211.h | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h +index abb069aa5fa54f..85bf3ac6db570b 100644 +--- a/include/linux/ieee80211.h ++++ b/include/linux/ieee80211.h +@@ -1266,7 +1266,7 @@ struct ieee80211_ext { + u8 sa[ETH_ALEN]; + __le32 timestamp; + u8 change_seq; +- u8 variable[0]; ++ u8 variable[]; + } __packed s1g_beacon; + } u; + } __packed __aligned(2); +@@ -1522,7 +1522,7 @@ struct ieee80211_mgmt { + u8 action_code; + u8 dialog_token; + __le16 capability; +- u8 variable[0]; ++ u8 variable[]; + } __packed tdls_discover_resp; + struct { + u8 action_code; +@@ -1690,35 +1690,35 @@ struct ieee80211_tdls_data { + struct { + u8 dialog_token; + __le16 capability; +- u8 variable[0]; ++ u8 variable[]; + } __packed setup_req; + struct { + __le16 status_code; + u8 dialog_token; + __le16 capability; +- u8 variable[0]; ++ u8 variable[]; + } __packed setup_resp; + struct { + __le16 status_code; + u8 dialog_token; +- u8 variable[0]; ++ u8 variable[]; + } __packed setup_cfm; + struct { + __le16 reason_code; +- u8 variable[0]; ++ u8 variable[]; + } __packed teardown; + struct { + u8 dialog_token; +- u8 variable[0]; ++ u8 variable[]; + } __packed discover_req; + struct { + u8 target_channel; + u8 oper_class; +- u8 variable[0]; ++ u8 variable[]; + } __packed chan_switch_req; + struct { + __le16 status_code; +- u8 variable[0]; ++ u8 variable[]; + } __packed chan_switch_resp; + } u; + } __packed; +-- +2.53.0 +