From: Greg Kroah-Hartman Date: Thu, 23 Apr 2026 11:22:59 +0000 (+0200) Subject: 6.6-stable patches X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=ba252de468a5f33aa6e8c1105b8d242351d61723;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch ocfs2-validate-inline-data-i_size-during-inode-read.patch pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch scripts-generate_rust_analyzer.py-define-scripts.patch
---
diff --git a/queue-6.6/kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch b/queue-6.6/kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch
new file mode 100644
index 0000000000..761c60432e
--- /dev/null
+++ b/queue-6.6/kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch
@@ -0,0 +1,154 @@
+From stable+bounces-236129-greg=kroah.com@vger.kernel.org Mon Apr 13 17:05:40 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 10:58:35 -0400
+Subject: KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
+To: stable@vger.kernel.org
+Cc: David Woodhouse , Sean Christopherson , Sasha Levin
+Message-ID: <20260413145835.2969194-1-sashal@kernel.org>
+
+From: David Woodhouse
+
+[ Upstream commit 2619da73bb2f10d88f7e1087125c40144fdf0987 ]
+
+Commit 94dfc73e7cf4 ("treewide: uapi: Replace zero-length arrays with
+flexible-array members") broke the userspace API for C++.
+
+These structures ending in VLAs are typically a *header*, which can be
+followed by an arbitrary number of entries. Userspace typically creates
+a larger structure with some non-zero number of entries, for example in
+QEMU's kvm_arch_get_supported_msr_feature():
+
+ struct {
+ struct kvm_msrs info;
+ struct kvm_msr_entry entries[1];
+ } msr_data = {};
+
+While that works in C, it fails in C++ with an error like:
+ flexible array member 'kvm_msrs::entries' not at end of 'struct msr_data'
+
+Fix this by using __DECLARE_FLEX_ARRAY() for the VLA, which uses [0]
+for C++ compilation.
+
+Fixes: 94dfc73e7cf4 ("treewide: uapi: Replace zero-length arrays with flexible-array members")
+Cc: stable@vger.kernel.org
+Signed-off-by: David Woodhouse
+Link: https://patch.msgid.link/3abaf6aefd6e5efeff3b860ac38421d9dec908db.camel@infradead.org
+[sean: tag for stable@]
+Signed-off-by: Sean Christopherson
+[ applied `__DECLARE_FLEX_ARRAY(char, name)` change directly instead of inside missing `#ifdef __KERNEL__` else branch ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/uapi/asm/kvm.h | 12 ++++++------
+ include/uapi/linux/kvm.h | 11 ++++++-----
+ 2 files changed, 12 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/include/uapi/asm/kvm.h
++++ b/arch/x86/include/uapi/asm/kvm.h
+@@ -191,13 +191,13 @@ struct kvm_msrs {
+ __u32 nmsrs; /* number of msrs in entries */
+ __u32 pad;
+
+- struct kvm_msr_entry entries[];
++ __DECLARE_FLEX_ARRAY(struct kvm_msr_entry, entries);
+ };
+
+ /* for KVM_GET_MSR_INDEX_LIST */
+ struct kvm_msr_list {
+ __u32 nmsrs; /* number of msrs in entries */
+- __u32 indices[];
++ __DECLARE_FLEX_ARRAY(__u32, indices);
+ };
+
+ /* Maximum size of any access bitmap in bytes */
+@@ -239,7 +239,7 @@ struct kvm_cpuid_entry {
+ struct kvm_cpuid {
+ __u32 nent;
+ __u32 padding;
+- struct kvm_cpuid_entry entries[];
++ __DECLARE_FLEX_ARRAY(struct kvm_cpuid_entry, entries);
+ };
+
+ struct kvm_cpuid_entry2 {
+@@ -261,7 +261,7 @@ struct kvm_cpuid_entry2 {
+ struct kvm_cpuid2 {
+ __u32 nent;
+ __u32 padding;
+- struct kvm_cpuid_entry2 entries[];
++ __DECLARE_FLEX_ARRAY(struct kvm_cpuid_entry2, entries);
+ };
+
+ /* for KVM_GET_PIT and KVM_SET_PIT */
+@@ -392,7 +392,7 @@ struct kvm_xsave {
+ * the contents of CPUID leaf 0xD on the host.
+ */
+ __u32 region[1024];
+- __u32 extra[];
++ __DECLARE_FLEX_ARRAY(__u32, extra);
+ };
+
+ #define KVM_MAX_XCRS 16
+@@ -520,7 +520,7 @@ struct kvm_pmu_event_filter {
+ __u32 fixed_counter_bitmap;
+ __u32 flags;
+ __u32 pad[4];
+- __u64 events[];
++ __DECLARE_FLEX_ARRAY(__u64, events);
+ };
+
+ #define KVM_PMU_EVENT_ALLOW 0
+--- a/include/uapi/linux/kvm.h
++++ b/include/uapi/linux/kvm.h
+@@ -11,6 +11,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+
+@@ -556,7 +557,7 @@ struct kvm_coalesced_mmio {
+
+ struct kvm_coalesced_mmio_ring {
+ __u32 first, last;
+- struct kvm_coalesced_mmio coalesced_mmio[];
++ __DECLARE_FLEX_ARRAY(struct kvm_coalesced_mmio, coalesced_mmio);
+ };
+
+ #define KVM_COALESCED_MMIO_MAX \
+@@ -643,7 +644,7 @@ struct kvm_clear_dirty_log {
+ /* for KVM_SET_SIGNAL_MASK */
+ struct kvm_signal_mask {
+ __u32 len;
+- __u8 sigset[];
++ __DECLARE_FLEX_ARRAY(__u8, sigset);
+ };
+
+ /* for KVM_TPR_ACCESS_REPORTING */
+@@ -1256,7 +1257,7 @@ struct kvm_irq_routing_entry {
+ struct kvm_irq_routing {
+ __u32 nr;
+ __u32 flags;
+- struct kvm_irq_routing_entry entries[];
++ __DECLARE_FLEX_ARRAY(struct kvm_irq_routing_entry, entries);
+ };
+
+ #endif
+@@ -1377,7 +1378,7 @@ struct kvm_dirty_tlb {
+
+ struct kvm_reg_list {
+ __u64 n; /* number of regs */
+- __u64 reg[];
++ __DECLARE_FLEX_ARRAY(__u64, reg);
+ };
+
+ struct kvm_one_reg {
+@@ -2211,7 +2212,7 @@ struct kvm_stats_desc {
+ __u16 size;
+ __u32 offset;
+ __u32 bucket_size;
+- char name[];
++ __DECLARE_FLEX_ARRAY(char, name);
+ };
+
+ #define KVM_GET_STATS_FD _IO(KVMIO, 0xce)
diff --git a/queue-6.6/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch b/queue-6.6/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
new file mode 100644
index 0000000000..1eb1ace09a
--- /dev/null
+++ b/queue-6.6/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
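Review bot: The arch/x86/include/uapi/asm/kvm.h section switches six structures to `__DECLARE_FLEX_ARRAY()` but adds no include of its own; the only `#include` added by this patch is in include/uapi/linux/kvm.h. Userspace that includes the arch header directly therefore needs the macro's definition to be reachable from that header's existing includes on 6.6, which cannot be confirmed from these hunks. It is worth checking that before release, since a missing definition would surface as a build break in consumers rather than in the kernel build. A one-line comment at the first use in `struct kvm_msrs`, saying that the macro keeps the struct usable as a leading member in C++ and must not be turned back into a plain `[]`, would also guard against a later cleanup undoing the fix.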
@@ -0,0 +1,53 @@
+From stable+bounces-236144-greg=kroah.com@vger.kernel.org Mon Apr 13 17:35:38 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 11:35:28 -0400
+Subject: ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
+To: stable@vger.kernel.org
+Cc: Dmitry Antipov , syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com, Joseph Qi , Joseph Qi , Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin
+Message-ID: <20260413153531.3097531-1-sashal@kernel.org>
+
+From: Dmitry Antipov
+
+[ Upstream commit a2b1c419ff72ec62ff5831684e30cd1d4f0b09ee ]
+
+In 'ocfs2_validate_inode_block()', add an extra check whether an inode
+with inline data (i.e. self-contained) has no clusters, thus preventing
+an invalid inode from being passed to 'ocfs2_evict_inode()' and below.
+
+Link: https://lkml.kernel.org/r/20251023141650.417129-1-dmantipov@yandex.ru
+Signed-off-by: Dmitry Antipov
+Reported-by: syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c16daba279a1161acfb0
+Reviewed-by: Joseph Qi
+Cc: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc: Heming Zhao
+Signed-off-by: Andrew Morton
+Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/inode.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1419,6 +1419,14 @@ int ocfs2_validate_inode_block(struct su
+ goto bail;
+ }
+
++ if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
++ le32_to_cpu(di->i_clusters)) {
++ rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
++ (unsigned long long)bh->b_blocknr,
++ le32_to_cpu(di->i_clusters));
++ goto bail;
++ }
++
+ rc = 0;
+
+ bail:
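Review bot: The message in the added check, `"Invalid dinode %llu: %u clusters\n"`, does not say why a cluster count is invalid here (the inode carries OCFS2_INLINE_DATA_FL), and it omits the `#` before the block number that the other inline-data messages queued in this commit use (`"Invalid dinode #%llu: ..."`). Wording such as `"Invalid dinode #%llu: inline data inode has %u clusters\n"` would let someone triaging a corrupted volume tell this rejection apart from the i_size and id_count ones. The same string is carried unchanged into the restructured block in ocfs2-validate-inline-data-i_size-during-inode-read.patch, so the remark applies there too. ocfs2_validate_inode_block() begins and ends outside the hunk.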
diff --git a/queue-6.6/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch b/queue-6.6/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
new file mode 100644
index 0000000000..f6d3cb05ad
--- /dev/null
+++ b/queue-6.6/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
@@ -0,0 +1,77 @@
+From stable+bounces-236146-greg=kroah.com@vger.kernel.org Mon Apr 13 17:44:00 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 11:35:30 -0400
+Subject: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
+To: stable@vger.kernel.org
+Cc: Joseph Qi , syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com, Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin
+Message-ID: <20260413153531.3097531-3-sashal@kernel.org>
+
+From: Joseph Qi
+
+[ Upstream commit 7bc5da4842bed3252d26e742213741a4d0ac1b14 ]
+
+KASAN reports a use-after-free write of 4086 bytes in
+ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
+copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on
+a loop device. The actual bug is an out-of-bounds write past the inode
+block buffer, not a true use-after-free. The write overflows into an
+adjacent freed page, which KASAN reports as UAF.
+
+The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk
+id_count field to determine whether a write fits in inline data. On a
+corrupted filesystem, id_count can exceed the physical maximum inline data
+capacity, causing writes to overflow the inode block buffer.
+
+Call trace (crash path):
+
+ vfs_copy_file_range (fs/read_write.c:1634)
+ do_splice_direct
+ splice_direct_to_actor
+ iter_file_splice_write
+ ocfs2_file_write_iter
+ generic_perform_write
+ ocfs2_write_end
+ ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
+ ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
+ memcpy_from_folio <-- KASAN: write OOB
+
+So add id_count upper bound check in ocfs2_validate_inode_block() to
+alongside the existing i_size check to fix it.
+
+Link: https://lkml.kernel.org/r/20260403063830.3662739-1-joseph.qi@linux.alibaba.com
+Signed-off-by: Joseph Qi
+Reported-by: syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=62c1793956716ea8b28a
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc: Heming Zhao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/inode.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1430,6 +1430,16 @@ int ocfs2_validate_inode_block(struct su
+ goto bail;
+ }
+
++ if (le16_to_cpu(data->id_count) >
++ ocfs2_max_inline_data_with_xattr(sb, di)) {
++ rc = ocfs2_error(sb,
++ "Invalid dinode #%llu: inline data id_count %u exceeds max %d\n",
++ (unsigned long long)bh->b_blocknr,
++ le16_to_cpu(data->id_count),
++ ocfs2_max_inline_data_with_xattr(sb, di));
++ goto bail;
++ }
++
+ if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
+ rc = ocfs2_error(sb,
+ "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
diff --git a/queue-6.6/ocfs2-validate-inline-data-i_size-during-inode-read.patch b/queue-6.6/ocfs2-validate-inline-data-i_size-during-inode-read.patch
new file mode 100644
index 0000000000..27b2a50182
--- /dev/null
+++ b/queue-6.6/ocfs2-validate-inline-data-i_size-during-inode-read.patch
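Review bot: The added `id_count` bound carries no comment saying which code relies on it, although per the commit message the consumer is the inline write path (ocfs2_try_to_write_inline_data / ocfs2_write_end_inline), which still sizes its copy from `id_count` without a length check of its own. A why-comment above the `if` would keep the dependency visible, for example `/* id_count bounds the inline write copy; it must fit inside the inode block */`. Separately, `ocfs2_max_inline_data_with_xattr(sb, di)` is evaluated twice, once in the comparison and once for the message; holding it in a local, `int max_inline = ocfs2_max_inline_data_with_xattr(sb, di);`, guarantees the logged limit is the one that was tested. The enclosing inline-data block and the rest of ocfs2_validate_inode_block() lie outside the hunk.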
@@ -0,0 +1,88 @@
+From stable+bounces-236145-greg=kroah.com@vger.kernel.org Mon Apr 13 17:37:38 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 11:35:29 -0400
+Subject: ocfs2: validate inline data i_size during inode read
+To: stable@vger.kernel.org
+Cc: Deepanshu Kartikey , syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com, Joseph Qi , Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin
+Message-ID: <20260413153531.3097531-2-sashal@kernel.org>
+
+From: Deepanshu Kartikey
+
+[ Upstream commit 1524af3685b35feac76662cc551cbc37bd14775f ]
+
+When reading an inode from disk, ocfs2_validate_inode_block() performs
+various sanity checks but does not validate the size of inline data. If
+the filesystem is corrupted, an inode's i_size can exceed the actual
+inline data capacity (id_count).
+
+This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data
+buffer, triggering a use-after-free when accessing directory entries from
+freed memory.
+
+In the syzbot report:
+ - i_size was 1099511627576 bytes (~1TB)
+ - Actual inline data capacity (id_count) is typically <256 bytes
+ - A garbage rec_len (54648) caused ctx->pos to jump out of bounds
+ - This triggered a UAF in ocfs2_check_dir_entry()
+
+Fix by adding a validation check in ocfs2_validate_inode_block() to ensure
+inodes with inline data have i_size <= id_count. This catches the
+corruption early during inode read and prevents all downstream code from
+operating on invalid data.
+
+Link: https://lkml.kernel.org/r/20251212052132.16750-1-kartikey406@gmail.com
+Signed-off-by: Deepanshu Kartikey
+Reported-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c897823f699449cc3eb4
+Tested-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/all/20251211115231.3560028-1-kartikey406@gmail.com/T/ [v1]
+Link: https://lore.kernel.org/all/20251212040400.6377-1-kartikey406@gmail.com/T/ [v2]
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc: Heming Zhao
+Signed-off-by: Andrew Morton
+Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/inode.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1419,12 +1419,25 @@ int ocfs2_validate_inode_block(struct su
+ goto bail;
+ }
+
+- if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
+- le32_to_cpu(di->i_clusters)) {
+- rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
+- (unsigned long long)bh->b_blocknr,
+- le32_to_cpu(di->i_clusters));
+- goto bail;
++ if (le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) {
++ struct ocfs2_inline_data *data = &di->id2.i_data;
++
++ if (le32_to_cpu(di->i_clusters)) {
++ rc = ocfs2_error(sb,
++ "Invalid dinode %llu: %u clusters\n",
++ (unsigned long long)bh->b_blocknr,
++ le32_to_cpu(di->i_clusters));
++ goto bail;
++ }
++
++ if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
++ rc = ocfs2_error(sb,
++ "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
++ (unsigned long long)bh->b_blocknr,
++ (unsigned long long)le64_to_cpu(di->i_size),
++ le16_to_cpu(data->id_count));
++ goto bail;
++ }
+ }
+
+ rc = 0;
diff --git a/queue-6.6/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch b/queue-6.6/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch
new file mode 100644
index 0000000000..be4cb50f56
--- /dev/null
+++ b/queue-6.6/pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch
@@ -0,0 +1,49 @@
+From stable+bounces-239958-greg=kroah.com@vger.kernel.org Mon Apr 20 19:18:08 2026
+From: Sasha Levin
+Date: Mon, 20 Apr 2026 13:18:01 -0400
+Subject: PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
+To: stable@vger.kernel.org
+Cc: Koichiro Den , Manivannan Sadhasivam , Frank Li , Sasha Levin
+Message-ID: <20260420171801.1388436-1-sashal@kernel.org>
+
+From: Koichiro Den
+
+[ Upstream commit d799984233a50abd2667a7d17a9a710a3f10ebe2 ]
+
+Disable the delayed work before clearing BAR mappings and doorbells to
+avoid running the handler after resources have been torn down.
+
+ Unable to handle kernel paging request at virtual address ffff800083f46004
+ [...]
+ Internal error: Oops: 0000000096000007 [#1] SMP
+ [...]
+ Call trace:
+ epf_ntb_cmd_handler+0x54/0x200 [pci_epf_vntb] (P)
+ process_one_work+0x154/0x3b0
+ worker_thread+0x2c8/0x400
+ kthread+0x148/0x210
+ ret_from_fork+0x10/0x20
+
+Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP")
+Signed-off-by: Koichiro Den
+Signed-off-by: Manivannan Sadhasivam
+Reviewed-by: Frank Li
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260226084142.2226875-4-den@valinux.co.jp
+[ replaced disable_delayed_work_sync() with cancel_delayed_work_sync() ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/endpoint/functions/pci-epf-vntb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/endpoint/functions/pci-epf-vntb.c
++++ b/drivers/pci/endpoint/functions/pci-epf-vntb.c
+@@ -798,6 +798,7 @@ err_config_interrupt:
+ */
+ static void epf_ntb_epc_cleanup(struct epf_ntb *ntb)
+ {
++ cancel_delayed_work_sync(&ntb->cmd_handler);
+ epf_ntb_mw_bar_clear(ntb, ntb->num_mws);
+ epf_ntb_db_bar_clear(ntb);
+ epf_ntb_config_sspad_bar_clear(ntb);
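Review bot: `cancel_delayed_work_sync(&ntb->cmd_handler)` waits out a pending or running instance but, unlike the `disable_delayed_work_sync()` that the backport note says it replaces, does not prevent the work from being queued again afterwards. If any path can still queue `cmd_handler` once epf_ntb_epc_cleanup() has begun clearing the BARs (none is visible in this hunk), the handler could again run against torn-down mappings, which is the fault shown in the quoted oops. For the 6.6 backport it is worth confirming that nothing re-arms the work after this call and recording that assumption next to it, e.g. `/* cancel, not disable: nothing may queue cmd_handler after this point */`. The function body continues past the end of the hunk.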
diff --git a/queue-6.6/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch b/queue-6.6/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch
new file mode 100644
index 0000000000..240208c9e8
--- /dev/null
+++ b/queue-6.6/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch
@@ -0,0 +1,36 @@
+From stable+bounces-237706-greg=kroah.com@vger.kernel.org Tue Apr 14 04:47:26 2026
+From: guocai.he.cn@windriver.com
+Date: Tue, 14 Apr 2026 10:46:34 +0800
+Subject: Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave"
+To: gregkh@linuxfoundation.org
+Cc: stable@vger.kernel.org, johannes.berg@intel.com, netdev@vger.kernel.org, regressions@lists.linux.dev, miriam.rachel.korenblit@intel.com, linux-kernel@vger.kernel.org
+Message-ID: <20260414024634.2826229-1-guocai.he.cn@windriver.com>
+
+From: Guocai He
+
+This reverts commit 4d7a05da767e5cbcf4db511b9289d7ebd380dc56 which is commit
+e1696c8bd0056bc1a5f7766f58ac333adc203e8a upstream.
+
+The reverted patch introduced a deadlock. The locking situation in mainline is
+totally different, so it is incorrect to directly backport the commit from mainline.
+
+Signed-off-by: Guocai He
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/wireless/core.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -1332,10 +1332,8 @@ void __cfg80211_leave(struct cfg80211_re
+ __cfg80211_leave_ocb(rdev, dev);
+ break;
+ case NL80211_IFTYPE_P2P_DEVICE:
+- cfg80211_stop_p2p_device(rdev, wdev);
+- break;
+ case NL80211_IFTYPE_NAN:
+- cfg80211_stop_nan(rdev, wdev);
++ /* cannot happen, has no netdev */
+ break;
+ case NL80211_IFTYPE_AP_VLAN:
+ case NL80211_IFTYPE_MONITOR:
diff --git a/queue-6.6/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch b/queue-6.6/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
new file mode 100644
index 0000000000..130121a08d
--- /dev/null
+++ b/queue-6.6/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
@@ -0,0 +1,63 @@
+From stable+bounces-237669-greg=kroah.com@vger.kernel.org Tue Apr 14 00:27:30 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 18:27:13 -0400
+Subject: rxrpc: Fix key quota calculation for multitoken keys
+To: stable@vger.kernel.org
+Cc: David Howells , Marc Dionne , Jeffrey Altman , Simon Horman , linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski , Sasha Levin
+Message-ID: <20260413222713.3754983-1-sashal@kernel.org>
+
+From: David Howells
+
+[ Upstream commit bdbfead6d38979475df0c2f4bad2b19394fe9bdc ]
+
+In the rxrpc key preparsing, every token extracted sets the proposed quota
+value, but for multitoken keys, this will overwrite the previous proposed
+quota, losing it.
+
+Fix this by adding to the proposed quota instead.
+
+Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing")
+Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
+Signed-off-by: David Howells
+cc: Marc Dionne
+cc: Jeffrey Altman
+cc: Simon Horman
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260408121252.2249051-2-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski
+[ dropped hunk for rxrpc_preparse_xdr_yfs_rxgk() ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/key.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -72,7 +72,7 @@ static int rxrpc_preparse_xdr_rxkad(stru
+ return -EKEYREJECTED;
+
+ plen = sizeof(*token) + sizeof(*token->kad) + tktlen;
+- prep->quotalen = datalen + plen;
++ prep->quotalen += datalen + plen;
+
+ plen -= sizeof(*token);
+ token = kzalloc(sizeof(*token), GFP_KERNEL);
+@@ -303,6 +303,7 @@ static int rxrpc_preparse(struct key_pre
+ memcpy(&kver, prep->data, sizeof(kver));
+ prep->data += sizeof(kver);
+ prep->datalen -= sizeof(kver);
++ prep->quotalen = 0;
+
+ _debug("KEY I/F VERSION: %u", kver);
+
+@@ -340,7 +341,7 @@ static int rxrpc_preparse(struct key_pre
+ goto error;
+
+ plen = sizeof(*token->kad) + v1->ticket_length;
+- prep->quotalen = plen + sizeof(*token);
++ prep->quotalen += plen + sizeof(*token);
+
+ ret = -ENOMEM;
+ token = kzalloc(sizeof(*token), GFP_KERNEL);
diff --git a/queue-6.6/scripts-generate_rust_analyzer.py-define-scripts.patch b/queue-6.6/scripts-generate_rust_analyzer.py-define-scripts.patch
new file mode 100644
index 0000000000..26ef2929b9
--- /dev/null
+++ b/queue-6.6/scripts-generate_rust_analyzer.py-define-scripts.patch
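Review bot: With both token sites now using `+=`, the charged quota depends on what `prep->quotalen` holds before the first token is parsed, and the only reset visible is `prep->quotalen = 0;` in rxrpc_preparse() after the interface version has been consumed. Whether rxrpc_preparse_xdr_rxkad() is always reached after that reset cannot be told from these hunks; if the XDR path is entered earlier, its sum starts from whatever value the caller left in `quotalen`. Since this figure is what a key is charged against the owner's quota, the starting point deserves to be explicit: confirm the initial value on the XDR path for 6.6 and add a comment at the reset, e.g. `/* per-token quota is accumulated from zero below */`. All three functions touched extend beyond their hunks.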
@@ -0,0 +1,63 @@
+From stable+bounces-239942-greg=kroah.com@vger.kernel.org Mon Apr 20 19:02:26 2026
+From: Sasha Levin
+Date: Mon, 20 Apr 2026 12:25:12 -0400
+Subject: scripts: generate_rust_analyzer.py: define scripts
+To: stable@vger.kernel.org
+Cc: Tamir Duberstein , Daniel Almeida , Fiona Behrens , Trevor Gross , Sasha Levin
+Message-ID: <20260420162512.1267976-1-sashal@kernel.org>
+
+From: Tamir Duberstein
+
+[ Upstream commit 36c619f6bd793493294becb10a02fea370b67a91 ]
+
+Add IDE support for host-side scripts written in Rust. This support has
+been missing since these scripts were initially added in commit
+9a8ff24ce584 ("scripts: add `generate_rust_target.rs`"), thus add it.
+
+Change the existing instance of extension stripping to
+`pathlib.Path.stem` to maintain code consistency.
+
+Fixes: 9a8ff24ce584 ("scripts: add `generate_rust_target.rs`")
+Cc: stable@vger.kernel.org
+Reviewed-by: Daniel Almeida
+Reviewed-by: Fiona Behrens
+Reviewed-by: Trevor Gross
+Link: https://patch.msgid.link/20260122-rust-analyzer-scripts-v1-1-ff6ba278170e@kernel.org
+Signed-off-by: Tamir Duberstein
+[ changed `[std]` dep to `["std"]` and kept untyped `is_root_crate()` ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ scripts/generate_rust_analyzer.py | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/scripts/generate_rust_analyzer.py
++++ b/scripts/generate_rust_analyzer.py
+@@ -119,6 +119,18 @@ def generate_crates(srctree, objtree, sy
+ "exclude_dirs": [],
+ }
+
++ scripts = srctree / "scripts"
++ makefile = (scripts / "Makefile").read_text()
++ for path in scripts.glob("*.rs"):
++ name = path.stem
++ if f"{name}-rust" not in makefile:
++ continue
++ append_crate(
++ name,
++ path,
++ ["std"],
++ )
++
+ def is_root_crate(build_file, target):
+ try:
+ contents = build_file.read_text()
+@@ -135,7 +147,7 @@ def generate_crates(srctree, objtree, sy
+ for folder in extra_dirs:
+ for path in folder.rglob("*.rs"):
+ logging.info("Checking %s", path)
+- name = path.name.replace(".rs", "")
++ name = path.stem
+
+ # Skip those that are not crate roots.
+ if not is_root_crate(path.parent / "Makefile", name) and \
diff --git a/queue-6.6/series b/queue-6.6/series
index 06f10262c7..cd9d9d4c4b 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -131,3 +131,11 @@ wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
 net-ethernet-mtk_eth_soc-initialize-ppe-per-tag-laye.patch
 i40e-fix-preempt-count-leak-in-napi-poll-tracepoint.patch
 net-annotate-data-races-around-sk-sk_-data_ready-wri.patch
+pci-endpoint-pci-epf-vntb-stop-cmd_handler-work-in-epf_ntb_epc_cleanup.patch
+scripts-generate_rust_analyzer.py-define-scripts.patch
+kvm-x86-use-__declare_flex_array-for-uapi-structures-with-vlas.patch
+rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
+ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
+ocfs2-validate-inline-data-i_size-during-inode-read.patch
+ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
+revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch
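Review bot: In the added scripts block of generate_rust_analyzer.py, `if f"{name}-rust" not in makefile:` is a substring test over the whole Makefile text, so a script whose stem is the tail of another target's name, or which is mentioned only on a commented-out line, would still be registered as a crate. Matching the name as a complete token on a non-comment line would be stricter; the loop could go through the Makefile line by line and compare whole words instead of searching the raw text. The new `(scripts / "Makefile").read_text()` is also unguarded, while `is_root_crate()` directly below wraps its `read_text()` in a `try`; if that guard exists for a missing file, the same handling would fit here. generate_crates() starts and ends outside both hunks.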