From 956c0e0ce67e79b43911d187e1d2417f136a4b02 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Sun, 14 Jun 2026 19:38:51 +0200
Subject: [PATCH] fix up duplicates
---
 ...integer-overflow-in-i2c_timeout-ioct.patch | 65 -----------
 queue-5.10/series | 1 -
 ...integer-overflow-in-i2c_timeout-ioct.patch | 65 -----------
 ...se-after-free-when-processing-mld-qu.patch | 107 ------------------
 queue-5.15/series | 2 -
 ...integer-overflow-in-i2c_timeout-ioct.patch | 65 -----------
 ...se-after-free-when-processing-mld-qu.patch | 107 ------------------
 queue-6.1/series | 2 -
 ...integer-overflow-in-i2c_timeout-ioct.patch | 65 -----------
 ...se-after-free-when-processing-mld-qu.patch | 107 ------------------
 queue-6.12/series | 2 -
 ...integer-overflow-in-i2c_timeout-ioct.patch | 65 -----------
 ...se-after-free-when-processing-mld-qu.patch | 107 ------------------
 ...he-srcu-lock-for-page-table-walks-in.patch | 61 ----------
 queue-6.18/series | 3 -
 ...integer-overflow-in-i2c_timeout-ioct.patch | 65 -----------
 ...se-after-free-when-processing-mld-qu.patch | 107 ------------------
 queue-6.6/series | 2 -
 ...x-a-use-after-free-of-the-hci_conn-p.patch | 48 --------
 ...integer-overflow-in-i2c_timeout-ioct.patch | 65 -----------
 ...se-after-free-when-processing-mld-qu.patch | 107 ------------------
 ...he-srcu-lock-for-page-table-walks-in.patch | 57 ----------
 queue-7.0/series | 4 -
 23 files changed, 1279 deletions(-)
 delete mode 100644 queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 delete mode 100644 queue-5.15/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 delete mode 100644 queue-5.15/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 delete mode 100644 queue-6.1/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 delete mode 100644 queue-6.1/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 delete mode 100644 queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 delete mode 100644 queue-6.12/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 delete mode 100644 queue-6.18/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 delete mode 100644 queue-6.18/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 delete mode 100644 queue-6.18/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
 delete mode 100644 queue-6.6/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 delete mode 100644 queue-6.6/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 delete mode 100644 queue-7.0/bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-p.patch
 delete mode 100644 queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 delete mode 100644 queue-7.0/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 delete mode 100644 queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
diff --git a/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644
index a411d4a179..0000000000
--- a/queue-5.10/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From e19e48d6663d064c2ef53e206b125981164876db Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang
-Signed-off-by: Sasha Levin
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index f0bd4ae19df67f..25438ba6bdfb72 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -477,12 +477,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
diff --git a/queue-5.10/series b/queue-5.10/series
index 9c7b0d9ead..bc48984b39 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -147,7 +147,6 @@ ipv4-restrict-ipopt_ssrr-and-ipopt_lsrr-options.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
 time-fix-off-by-one-in-settimeofday-usec-validation.patch
 alsa-pcm-fix-wait-queue-list-corruption-in-snd_pcm_d.patch
diff --git a/queue-5.15/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-5.15/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644
index e9d0c7f3c2..0000000000
--- a/queue-5.15/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From f14b9824b6fb9b3f6e2a94de10b36ea7fe1a64a4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang
-Signed-off-by: Sasha Levin
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index 9fefceb3a95d46..e18d14bf94a9be 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
diff --git a/queue-5.15/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch b/queue-5.15/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
deleted file mode 100644
index 57ee14e2fb..0000000000
--- a/queue-5.15/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From b9869d1ed6d30a63dc017f9a20f9b54491a7754e Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin
-Reviewed-by: David Ahern
-Signed-off-by: Ido Schimmel
-Reviewed-by: Eric Dumazet
-Reviewed-by: Jiayuan Chen
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski
-Signed-off-by: Sasha Levin
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index 77a9f17c816b5d..18a3516abb586e 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1392,9 +1392,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
- struct mld2_query *mlh2 = NULL;
-- const struct in6_addr *group;
- unsigned long max_delay;
- struct inet6_dev *idev;
-+ struct in6_addr group;
- struct ifmcaddr6 *ma;
- struct mld_msg *mld;
- int group_type;
-@@ -1426,8 +1426,8 @@ static void __mld_query_work(struct sk_buff *skb)
- goto kfree_skb;
-
- mld = (struct mld_msg *)icmp6_hdr(skb);
-- group = &mld->mld_mca;
-- group_type = ipv6_addr_type(group);
-+ group = mld->mld_mca;
-+ group_type = ipv6_addr_type(&group);
-
- if (group_type != IPV6_ADDR_ANY &&
- !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1477,7 +1477,7 @@ static void __mld_query_work(struct sk_buff *skb)
- }
- } else {
- for_each_mc_mclock(idev, ma) {
-- if (!ipv6_addr_equal(group, &ma->mca_addr))
-+ if (!ipv6_addr_equal(&group, &ma->mca_addr))
- continue;
- if (ma->mca_flags & MAF_TIMER_RUNNING) {
- /* gsquery <- gsquery && mark */
---
-2.53.0
-
diff --git a/queue-5.15/series b/queue-5.15/series
index a0d78c6c99..c8e5e0acd5 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -166,11 +166,9 @@ bluetooth-bnep-fix-incorrect-length-parsing-in-bnep_.patch
 bluetooth-bnep-reject-short-frames-before-parsing.patch
 bluetooth-fix-memory-leak-in-error-path-of-hci_alloc.patch
 ipv4-restrict-ipopt_ssrr-and-ipopt_lsrr-options.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
 time-fix-off-by-one-in-settimeofday-usec-validation.patch
 ext4-validate-p_idx-bounds-in-ext4_ext_correct_index.patch
diff --git a/queue-6.1/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-6.1/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644
index 85258e7b3e..0000000000
--- a/queue-6.1/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 2af63b4f342848bc4201b9020bbea401c09cd2da Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang
-Signed-off-by: Sasha Levin
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index dd35f341b16fd3..d10d8fe29a73b9 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
diff --git a/queue-6.1/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch b/queue-6.1/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
deleted file mode 100644
index 5a809fde02..0000000000
--- a/queue-6.1/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 069404dfdfb6001db5fc68846b408ca92c65ec83 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin
-Reviewed-by: David Ahern
-Signed-off-by: Ido Schimmel
-Reviewed-by: Eric Dumazet
-Reviewed-by: Jiayuan Chen
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski
-Signed-off-by: Sasha Levin
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index e7f569875e7186..f6af19b873a41d 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1392,9 +1392,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
- struct mld2_query *mlh2 = NULL;
-- const struct in6_addr *group;
- unsigned long max_delay;
- struct inet6_dev *idev;
-+ struct in6_addr group;
- struct ifmcaddr6 *ma;
- struct mld_msg *mld;
- int group_type;
-@@ -1426,8 +1426,8 @@ static void __mld_query_work(struct sk_buff *skb)
- goto kfree_skb;
-
- mld = (struct mld_msg *)icmp6_hdr(skb);
-- group = &mld->mld_mca;
-- group_type = ipv6_addr_type(group);
-+ group = mld->mld_mca;
-+ group_type = ipv6_addr_type(&group);
-
- if (group_type != IPV6_ADDR_ANY &&
- !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1477,7 +1477,7 @@ static void __mld_query_work(struct sk_buff *skb)
- }
- } else {
- for_each_mc_mclock(idev, ma) {
-- if (!ipv6_addr_equal(group, &ma->mca_addr))
-+ if (!ipv6_addr_equal(&group, &ma->mca_addr))
- continue;
- if (ma->mca_flags & MAF_TIMER_RUNNING) {
- /* gsquery <- gsquery && mark */
---
-2.53.0
-
diff --git a/queue-6.1/series b/queue-6.1/series
index 693ba82b3b..ecad61d2e8 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -221,11 +221,9 @@ ptp-vclock-switch-from-rcu-to-srcu.patch
 octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
 vxlan-vnifilter-send-notification-on-vni-add.patch
 vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
 signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
 time-fix-off-by-one-in-settimeofday-usec-validation.patch
diff --git a/queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644
index 2822b771f7..0000000000
--- a/queue-6.12/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From ba552ad18875cc90f6b8a704c8b3539f7634ab30 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang
-Signed-off-by: Sasha Levin
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index e9577f920286d0..c8715df8b08b1d 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
diff --git a/queue-6.12/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch b/queue-6.12/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
deleted file mode 100644
index e3796f91d9..0000000000
--- a/queue-6.12/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From f9ac9192b424b7eab8e2819013c2d9a82cb473d5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin
-Reviewed-by: David Ahern
-Signed-off-by: Ido Schimmel
-Reviewed-by: Eric Dumazet
-Reviewed-by: Jiayuan Chen
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski
-Signed-off-by: Sasha Levin
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index e2a11a2f3b255d..b769e856a068d2 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1393,9 +1393,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
- struct mld2_query *mlh2 = NULL;
-- const struct in6_addr *group;
- unsigned long max_delay;
- struct inet6_dev *idev;
-+ struct in6_addr group;
- struct ifmcaddr6 *ma;
- struct mld_msg *mld;
- int group_type;
-@@ -1427,8 +1427,8 @@ static void __mld_query_work(struct sk_buff *skb)
- goto kfree_skb;
-
- mld = (struct mld_msg *)icmp6_hdr(skb);
-- group = &mld->mld_mca;
-- group_type = ipv6_addr_type(group);
-+ group = mld->mld_mca;
-+ group_type = ipv6_addr_type(&group);
-
- if (group_type != IPV6_ADDR_ANY &&
- !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1478,7 +1478,7 @@ static void __mld_query_work(struct sk_buff *skb)
- }
- } else {
- for_each_mc_mclock(idev, ma) {
-- if (!ipv6_addr_equal(group, &ma->mca_addr))
-+ if (!ipv6_addr_equal(&group, &ma->mca_addr))
- continue;
- if (ma->mca_flags & MAF_TIMER_RUNNING) {
- /* gsquery <- gsquery && mark */
---
-2.53.0
-
diff --git a/queue-6.12/series b/queue-6.12/series
index f255d28d3b..96b7290a6a 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -54,11 +54,9 @@ net-sched-fix-pedit-partial-cow-leading-to-page-cach.patch
 octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
 vxlan-vnifilter-send-notification-on-vni-add.patch
 vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
 signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
 time-fix-off-by-one-in-settimeofday-usec-validation.patch
diff --git a/queue-6.18/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-6.18/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644
index 0bd6147745..0000000000
--- a/queue-6.18/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From ce65f2949f6432822977613ca7101d6a86254f9a Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang
-Signed-off-by: Sasha Levin
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index e9577f920286d0..c8715df8b08b1d 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
diff --git a/queue-6.18/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch b/queue-6.18/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
deleted file mode 100644
index f39b33b114..0000000000
--- a/queue-6.18/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 5a688c86061ed594756a1c02aa894a2400dbad73 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin
-Reviewed-by: David Ahern
-Signed-off-by: Ido Schimmel
-Reviewed-by: Eric Dumazet
-Reviewed-by: Jiayuan Chen
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski
-Signed-off-by: Sasha Levin
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index 016b572e7d6f02..f4b3cb48387096 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1424,9 +1424,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
- struct mld2_query *mlh2 = NULL;
-- const struct in6_addr *group;
- unsigned long max_delay;
- struct inet6_dev *idev;
-+ struct in6_addr group;
- struct ifmcaddr6 *ma;
- struct mld_msg *mld;
- int group_type;
-@@ -1458,8 +1458,8 @@ static void __mld_query_work(struct sk_buff *skb)
- goto kfree_skb;
-
- mld = (struct mld_msg *)icmp6_hdr(skb);
-- group = &mld->mld_mca;
-- group_type = ipv6_addr_type(group);
-+ group = mld->mld_mca;
-+ group_type = ipv6_addr_type(&group);
-
- if (group_type != IPV6_ADDR_ANY &&
- !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1509,7 +1509,7 @@ static void __mld_query_work(struct sk_buff *skb)
- }
- } else {
- for_each_mc_mclock(idev, ma) {
-- if (!ipv6_addr_equal(group, &ma->mca_addr))
-+ if (!ipv6_addr_equal(&group, &ma->mca_addr))
- continue;
- if (ma->mca_flags & MAF_TIMER_RUNNING) {
- /* gsquery <- gsquery && mark */
---
-2.53.0
-
diff --git a/queue-6.18/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch b/queue-6.18/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
deleted file mode 100644
index 72f42f8a7d..0000000000
--- a/queue-6.18/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From cac4acb1b336b27232ae740be39eaa1034ecb0dd Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Tue, 9 Jun 2026 18:48:08 +0900
-Subject: KVM: arm64: Take the SRCU lock for page table walks in fault
- injection and AT emulation
-
-From: Hyunwoo Kim
-
-[ Upstream commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 ]
-
-walk_s1() and kvm_walk_nested_s2() expect to be called while holding
-kvm->srcu to guard against memslot changes. While this is generally
-the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
-respective walkers without taking kvm->srcu.
-
-Fix by acquiring kvm->srcu prior to the table walk in both instances.
-
-Cc: stable@vger.kernel.org
-Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection")
-Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
-Suggested-by: Oliver Upton
-Signed-off-by: Hyunwoo Kim
-Reviewed-by: Oliver Upton
-Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
-Signed-off-by: Marc Zyngier
-[ Hyunwoo Kim: __kvm_at_s12() still returns void in 6.18.y, so the
- surrounding context differs from upstream (return; instead of
- return ret;); the added scoped_guard() is unchanged. ]
-Signed-off-by: Hyunwoo Kim
-Signed-off-by: Sasha Levin
----
- arch/arm64/kvm/at.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/arch/arm64/kvm/at.c b/arch/arm64/kvm/at.c
-index be26d5aa668c39..e6de6aac6ede20 100644
---- a/arch/arm64/kvm/at.c
-+++ b/arch/arm64/kvm/at.c
-@@ -1528,7 +1528,8 @@ void __kvm_at_s12(struct kvm_vcpu *vcpu, u32 op, u64 vaddr)
- /* Do the stage-2 translation */
- ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0));
- out.esr = 0;
-- ret = kvm_walk_nested_s2(vcpu, ipa, &out);
-+ scoped_guard(srcu, &vcpu->kvm->srcu)
-+ ret = kvm_walk_nested_s2(vcpu, ipa, &out);
- if (ret < 0)
- return;
-
-@@ -1623,7 +1624,8 @@ int __kvm_find_s1_desc_level(struct kvm_vcpu *vcpu, u64 va, u64 ipa, int *level)
- }
-
- /* Walk the guest's PT, looking for a match along the way */
-- ret = walk_s1(vcpu, &wi, &wr, va);
-+ scoped_guard(srcu, &vcpu->kvm->srcu)
-+ ret = walk_s1(vcpu, &wi, &wr, va);
- switch (ret) {
- case -EINTR:
- /* We interrupted the walk on a match, return the level */
---
-2.53.0
-
diff --git a/queue-6.18/series b/queue-6.18/series
index 364dbbdc3c..fa432a9868 100644
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -62,12 +62,9 @@ sctp-validate-cached-peer-init-chunk-length-in-cooki.patch
 octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
 vxlan-vnifilter-send-notification-on-vni-add.patch
 vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
-kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
 drivers-hv-vmbus-protocol-version-6.0.patch
 drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch
 drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch
diff --git a/queue-6.6/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-6.6/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644
index d3e8ecd6cf..0000000000
--- a/queue-6.6/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From a0c0fa10ee209567b685a35881676d4e0fadfa14 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang
-Signed-off-by: Sasha Levin
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index 7d337380a05d99..2ee07fc675d63a 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -476,12 +476,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
diff --git a/queue-6.6/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch b/queue-6.6/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
deleted file mode 100644
index a4d74437de..0000000000
--- a/queue-6.6/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 1bb28a2c0b24a60a2a573a9a1664c70a7b819c84 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin
-Reviewed-by: David Ahern
-Signed-off-by: Ido Schimmel
-Reviewed-by: Eric Dumazet
-Reviewed-by: Jiayuan Chen
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski
-Signed-off-by: Sasha Levin
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index 160b452f75e7d2..c52865e20a4114 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1392,9 +1392,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
- struct mld2_query *mlh2 = NULL;
-- const struct in6_addr *group;
- unsigned long max_delay;
- struct inet6_dev *idev;
-+ struct in6_addr group;
- struct ifmcaddr6 *ma;
- struct mld_msg *mld;
- int group_type;
-@@ -1426,8 +1426,8 @@ static void __mld_query_work(struct sk_buff *skb)
- goto kfree_skb;
-
- mld = (struct mld_msg *)icmp6_hdr(skb);
-- group = &mld->mld_mca;
-- group_type = ipv6_addr_type(group);
-+ group = mld->mld_mca;
-+ group_type = ipv6_addr_type(&group);
-
- if (group_type != IPV6_ADDR_ANY &&
- !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1477,7 +1477,7 @@ static void __mld_query_work(struct sk_buff *skb)
- }
- } else {
- for_each_mc_mclock(idev, ma) {
-- if (!ipv6_addr_equal(group, &ma->mca_addr))
-+ if (!ipv6_addr_equal(&group, &ma->mca_addr))
- continue;
- if (ma->mca_flags & MAF_TIMER_RUNNING) {
- /* gsquery <- gsquery && mark */
---
-2.53.0
-
diff --git a/queue-6.6/series b/queue-6.6/series
index 47bfd088db..e4abe2fc91 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -241,11 +241,9 @@ net-ethernet-mtk_eth_soc-fix-use-after-free-in-metad.patch
 octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
 vxlan-vnifilter-send-notification-on-vni-add.patch
 vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
 ipmi-fix-rcu_read_unlock-to-srcu_read_unlock-in-hand.patch
 signal-clear-jobctl_pending_mask-for-caller-in-zap_o.patch
 time-fix-off-by-one-in-settimeofday-usec-validation.patch
diff --git a/queue-7.0/bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-p.patch b/queue-7.0/bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-p.patch
deleted file mode 100644
index 50d9cd2286..0000000000
--- a/queue-7.0/bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-p.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From a7e58d3d636a0a157ef84216335f4832960d0d10 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 1 Jun 2026 14:52:09 -0400
-Subject: Bluetooth: ISO: Fix a use-after-free of the hci_conn pointer
-
-From: Luiz Augusto von Dentz
-
-[ Upstream commit f50331f2a1441ec49988832c3a95f2edacc47322 ]
-
-In iso_sock_rebind_bc(), the bis pointer is cached, then the socket lock is
-dropped:
- bis = iso_pi(sk)->conn->hcon;
- /* Release the socket before lookups since that requires hci_dev_lock
- * which shall not be acquired while holding sock_lock for proper
- * ordering.
- */
- release_sock(sk);
- hci_dev_lock(bis->hdev);
-
-During the unlocked window, could a concurrent close() destroy the connection
-and free the bis structure, causing hci_dev_lock(bis->hdev) to access memory
-after it is freed, fix this by using the hdev reference which was safely
-acquired via iso_conn_get_hdev().
-
-Fixes: d3413703d5f8 ("Bluetooth: ISO: Add support to bind to trigger PAST")
-Reported-by: Sashiko
-Signed-off-by: Luiz Augusto von Dentz
-Signed-off-by: Sasha Levin
----
- net/bluetooth/iso.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
-index 2363b6135c6f1b..05a3f1e554fe67 100644
---- a/net/bluetooth/iso.c
-+++ b/net/bluetooth/iso.c
-@@ -1090,7 +1090,7 @@ static int iso_sock_rebind_bc(struct sock *sk, struct sockaddr_iso *sa,
- * ordering.
- */
- release_sock(sk);
-- hci_dev_lock(bis->hdev);
-+ hci_dev_lock(hdev);
- lock_sock(sk);
-
- if (!iso_pi(sk)->conn || iso_pi(sk)->conn->hcon != bis) {
---
-2.53.0
-
diff --git a/queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch b/queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
deleted file mode 100644
index 8f15c2e2c3..0000000000
--- a/queue-7.0/i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From d4d49d7d68259828c44eb97566b49cfcc45b2d80 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Mon, 27 Apr 2026 10:57:45 +0800
-Subject: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
-
-From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-
-[ Upstream commit 617eb7c0961a8dfcfc811844a6396e406b2923ea ]
-
-While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong
-timeout value` warning was observed, accompanied by SMBus controller
-state machine corruption.
-
-The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of
-10 ms. The user argument is checked against INT_MAX, but it is
-subsequently multiplied by 10 before being passed to msecs_to_jiffies().
-
-A malicious user can pass a large value (e.g., 429496729) that passes
-the `arg > INT_MAX` check but overflows when multiplied by 10. This
-results in a truncated 32-bit unsigned value that bypasses the
-internal `(int)m < 0` check in `msecs_to_jiffies()`.
-
-The truncated value is then assigned to `client->adapter->timeout`
-(a signed 32-bit int), which is reinterpreted as a negative number.
-When passed to wait_for_completion_timeout(), this negative value
-undergoes sign extension to a 64-bit unsigned long, triggering the
-`schedule_timeout` warning and causing premature returns. This leaves
-the SMBus state machine in an unrecoverable state, constituting a
-local Denial of Service (DoS).
-
-Fix this by bounding the user argument to `INT_MAX / 10`.
-
-Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
-[wsa: move the comment as well]
-Signed-off-by: Wolfram Sang
-Signed-off-by: Sasha Levin
----
- drivers/i2c/i2c-dev.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
-index 7bbe0263411eb7..ccaac5e29f906b 100644
---- a/drivers/i2c/i2c-dev.c
-+++ b/drivers/i2c/i2c-dev.c
-@@ -487,12 +487,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- client->adapter->retries = arg;
- break;
- case I2C_TIMEOUT:
-- if (arg > INT_MAX)
-+ /*
-+ * For historical reasons, user-space sets the timeout value in
-+ * units of 10 ms.
-+ */
-+ if (arg > INT_MAX / 10)
- return -EINVAL;
-
-- /* For historical reasons, user-space sets the timeout
-- * value in units of 10 ms.
-- */
- client->adapter->timeout = msecs_to_jiffies(arg * 10);
- break;
- default:
---
-2.53.0
-
diff --git a/queue-7.0/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch b/queue-7.0/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
deleted file mode 100644
index c57410b605..0000000000
--- a/queue-7.0/ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From c9d11fe24aba67d9adbd03e528b6adc93bb27b39 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 3 Jun 2026 13:18:11 +0300
-Subject: ipv6: mcast: Fix use-after-free when processing MLD queries
-
-From: Ido Schimmel
-
-[ Upstream commit 791c91dc7a9dfb2457d5e29b8216a6484b9c4b40 ]
-
-When processing an MLD query, a pointer to the multicast group address
-is retrieved when initially parsing the packet. This pointer is later
-dereferenced without being reloaded despite the fact that the skb header
-might have been reallocated following the pskb_may_pull() calls, leading
-to a use-after-free [1].
-
-Fix by copying the multicast group address when the packet is initially
-parsed.
-
-[1]
-BUG: KASAN: slab-use-after-free in __mld_query_work (net/ipv6/mcast.c:1512)
-Read of size 8 at addr ffff8881154b8e90 by task kworker/4:1/118
-
-Workqueue: mld mld_query_work
-Call Trace:
-
-dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
-print_address_description.constprop.0 (mm/kasan/report.c:378)
-print_report (mm/kasan/report.c:482)
-kasan_report (mm/kasan/report.c:595)
-__mld_query_work (net/ipv6/mcast.c:1512)
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-
-[...]
-
-Freed by task 118:
-kasan_save_stack (mm/kasan/common.c:57)
-kasan_save_track (mm/kasan/common.c:78)
-kasan_save_free_info (mm/kasan/generic.c:584)
-__kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
-kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
-pskb_expand_head (net/core/skbuff.c:2335)
-__pskb_pull_tail (net/core/skbuff.c:2878 (discriminator 4))
-__mld_query_work (net/ipv6/mcast.c:1495 (discriminator 1))
-mld_query_work (net/ipv6/mcast.c:1563)
-process_one_work (kernel/workqueue.c:3314)
-worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
-kthread (kernel/kthread.c:436)
-ret_from_fork (arch/x86/kernel/process.c:158)
-ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
-
-Fixes: 97300b5fdfe2 ("[MCAST] IPv6: Check packet size when process Multicast")
-Reported-by: Leo Lin
-Reviewed-by: David Ahern
-Signed-off-by: Ido Schimmel
-Reviewed-by: Eric Dumazet
-Reviewed-by: Jiayuan Chen
-Link: https://patch.msgid.link/20260603101811.612594-1-idosch@nvidia.com
-Signed-off-by: Jakub Kicinski
-Signed-off-by: Sasha Levin
----
- net/ipv6/mcast.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
-index 3330adcf26db24..d9b855d5191bf6 100644
---- a/net/ipv6/mcast.c
-+++ b/net/ipv6/mcast.c
-@@ -1424,9 +1424,9 @@ void igmp6_event_query(struct sk_buff *skb)
- static void __mld_query_work(struct sk_buff *skb)
- {
- struct mld2_query *mlh2 = NULL;
-- const struct in6_addr *group;
- unsigned long max_delay;
- struct inet6_dev *idev;
-+ struct in6_addr group;
- struct ifmcaddr6 *ma;
- struct mld_msg *mld;
- int group_type;
-@@ -1458,8 +1458,8 @@ static void __mld_query_work(struct sk_buff *skb)
- goto kfree_skb;
-
- mld = (struct mld_msg *)icmp6_hdr(skb);
-- group = &mld->mld_mca;
-- group_type = ipv6_addr_type(group);
-+ group = mld->mld_mca;
-+ group_type = ipv6_addr_type(&group);
-
- if (group_type != IPV6_ADDR_ANY &&
- !(group_type&IPV6_ADDR_MULTICAST))
-@@ -1509,7 +1509,7 @@ static void __mld_query_work(struct sk_buff *skb)
- }
- } else {
- for_each_mc_mclock(idev, ma) {
-- if (!ipv6_addr_equal(group, &ma->mca_addr))
-+ if (!ipv6_addr_equal(&group, &ma->mca_addr))
- continue;
- if (ma->mca_flags & MAF_TIMER_RUNNING) {
- /* gsquery <- gsquery && mark */
---
-2.53.0
-
diff --git a/queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch b/queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
deleted file mode 100644
index 1ef9964e44..0000000000
--- a/queue-7.0/kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 971c15264302a47c87e42cb68fba5033109d2522 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Wed, 3 Jun 2026 21:09:33 +0900
-Subject: KVM: arm64: Take the SRCU lock for page table walks in fault
- injection and AT emulation
-
-From: Hyunwoo Kim
-
-[ Upstream commit f2ca45b50d4216c9cc7ffabf50d9ad1932209251 ]
-
-walk_s1() and kvm_walk_nested_s2() expect to be called while holding
-kvm->srcu to guard against memslot changes. While this is generally
-the case, __kvm_at_s12() and __kvm_find_s1_desc_level() call into the
-respective walkers without taking kvm->srcu.
-
-Fix by acquiring kvm->srcu prior to the table walk in both instances.
-
-Cc: stable@vger.kernel.org
-Fixes: 50f77dc87f13 ("KVM: arm64: Populate level on S1PTW SEA injection")
-Fixes: be04cebf3e78 ("KVM: arm64: nv: Add emulation of AT S12E{0,1}{R,W}")
-Suggested-by: Oliver Upton
-Signed-off-by: Hyunwoo Kim
-Reviewed-by: Oliver Upton
-Link: https://patch.msgid.link/aiAZfdeyanIvP8SD@v4bel
-Signed-off-by: Marc Zyngier
-Signed-off-by: Sasha Levin
----
- arch/arm64/kvm/at.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/arch/arm64/kvm/at.c b/arch/arm64/kvm/at.c
-index a024d9a770dc74..1d563070526c4d 100644
---- a/arch/arm64/kvm/at.c
-+++ b/arch/arm64/kvm/at.c
-@@ -1568,7 +1568,8 @@ int __kvm_at_s12(struct kvm_vcpu *vcpu, u32 op, u64 vaddr)
- /* Do the stage-2 translation */
- ipa = (par & GENMASK_ULL(47, 12)) | (vaddr & GENMASK_ULL(11, 0));
- out.esr = 0;
-- ret = kvm_walk_nested_s2(vcpu, ipa, &out);
-+ scoped_guard(srcu, &vcpu->kvm->srcu)
-+ ret = kvm_walk_nested_s2(vcpu, ipa, &out);
- if (ret < 0)
- return ret;
-
-@@ -1664,7 +1665,8 @@ int __kvm_find_s1_desc_level(struct kvm_vcpu *vcpu, u64 va, u64 ipa, int *level)
- }
-
- /* Walk the guest's PT, looking for a match along the way */
-- ret = walk_s1(vcpu, &wi, &wr, va);
-+ scoped_guard(srcu, &vcpu->kvm->srcu)
-+ ret = walk_s1(vcpu, &wi, &wr, va);
- switch (ret) {
- case -EINTR:
- /* We interrupted the walk on a match, return the level */
---
-2.53.0
-
diff --git a/queue-7.0/series b/queue-7.0/series
index 8fe7de11a1..4032117909 100644
--- a/queue-7.0/series
+++ b/queue-7.0/series
@@ -48,7 +48,6 @@ bluetooth-bnep-fix-incorrect-length-parsing-in-bnep_.patch
 bluetooth-bnep-reject-short-frames-before-parsing.patch
 bluetooth-fix-memory-leak-in-error-path-of-hci_alloc.patch
 bluetooth-iso-fix-not-releasing-hdev-reference-on-is.patch
-bluetooth-iso-fix-a-use-after-free-of-the-hci_conn-p.patch
 bluetooth-iso-fix-data-race-on-iso_pi-fields-in-hci_.patch
 bluetooth-sco-fix-data-race-on-sco_pi-fields-in-sco_.patch
 bluetooth-mgmt-fix-backward-compatibility-with-users.patch
@@ -66,7 +65,6 @@ sctp-validate-cached-peer-init-chunk-length-in-cooki.patch
 octeontx2-af-npc-fix-cpt-channel-mask-in-npc_install.patch
 vxlan-vnifilter-send-notification-on-vni-add.patch
 vxlan-vnifilter-fix-spurious-notification-on-vni-upd.patch
-ipv6-mcast-fix-use-after-free-when-processing-mld-qu.patch
 ieee802154-6lowpan-only-accept-ipv6-packets-in-lowpa.patch
 net-802-mrp-fix-vector-attribute-parsing-in-mrp_pdu_.patch
 bonding-annotate-data-races-arcound-churn-variables.patch
@@ -74,8 +72,6 @@ sctp-purge-outqueue-on-stale-cookie-echo-handling.patch
 fwctl-bnxt_en-move-common-definitions-to-include-lin.patch
 fwctl-bnxt_en-refactor-aux-bus-functions-to-be-more-.patch
 reapply-bnxt_en-bring-back-rtnl_lock-in-the-bnxt_ope.patch
-i2c-dev-prevent-integer-overflow-in-i2c_timeout-ioct.patch
-kvm-arm64-take-the-srcu-lock-for-page-table-walks-in.patch
 drivers-hv-vmbus-provide-option-to-skip-vmbus-unload.patch
 drm-hyperv-during-panic-do-vmbus-unload-after-frame-.patch
 selftests-harness-fix-pidfd-leak-in-__wait_for_test.patch
-- 
2.47.3