From: Greg Kroah-Hartman Date: Tue, 19 May 2026 10:23:30 +0000 (+0200) Subject: 7.0-stable patches X-Git-Tag: v6.6.141~61 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=c4805cb3c65948778762a4defd8af4972ffeae95;p=thirdparty%2Fkernel%2Fstable-queue.git 7.0-stable patches added patches: audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch audit-fix-incorrect-inheritable-capability-in-capset-records.patch cgroup-cpuset-reserve-dl-bandwidth-only-for-root-domain-moves.patch cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch cgroup-cpuset-return-only-actually-allocated-cpus-during-partition-invalidation.patch cgroup-dmem-return-enomem-on-failed-pool-preallocation.patch crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch i40e-cleanup-ptp-pins-on-probe-failure.patch idpf-fix-double-free-and-use-after-free-in-aux-device-error-paths.patch kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch kvm-x86-swap-the-dst-and-src-operand-for-movntdqa.patch net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch net-ena-phc-check-return-code-before-setting-timestamp-output.patch net-ena-phc-fix-potential-use-after-free-in-get_timestamp.patch netfilter-nf_conntrack_sip-get-helper-before-allocating-expectation.patch netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch revert-acpi-cppc-adjust-debug-messages-in-amd_set_max_freq_ratio-to-warn.patch workqueue-fix-wq-cpu_pwq-leak-in-alloc_and_link_pwqs-wq_unbound-path.patch --- diff --git a/queue-7.0/audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch b/queue-7.0/audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch new file mode 100644 index 0000000000..cb2abdf692 --- /dev/null +++ b/queue-7.0/audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch 
@@ -0,0 +1,47 @@ +From f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Tue, 12 May 2026 14:28:59 +0100 +Subject: audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV + +From: Sergio Correia + +commit f9e1c1324b4d98d591a6f7568fdebf5cf456dfc2 upstream. + +AUDIT_ADD_RULE and AUDIT_DEL_RULE correctly check for AUDIT_LOCKED +and return -EPERM, but AUDIT_TRIM and AUDIT_MAKE_EQUIV do not. This +allows a process with CAP_AUDIT_CONTROL to modify directory tree +watches and equivalence mappings even when the audit configuration +has been locked, undermining the purpose of the lock. + +Add AUDIT_LOCKED checks to both commands. + +Cc: stable@vger.kernel.org +Reviewed-by: Ricardo Robaina +Assisted-by: Claude:claude-opus-4-6 +Signed-off-by: Sergio Correia +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + kernel/audit.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -1466,6 +1466,8 @@ static int audit_receive_msg(struct sk_b + err = audit_list_rules_send(skb, seq); + break; + case AUDIT_TRIM: ++ if (audit_enabled == AUDIT_LOCKED) ++ return -EPERM; + audit_trim_trees(); + audit_log_common_recv_msg(audit_context(), &ab, + AUDIT_CONFIG_CHANGE); +@@ -1478,6 +1480,8 @@ static int audit_receive_msg(struct sk_b + size_t msglen = data_len; + char *old, *new; + ++ if (audit_enabled == AUDIT_LOCKED) ++ return -EPERM; + err = -EINVAL; + if (msglen < 2 * sizeof(u32)) + break; diff --git a/queue-7.0/audit-fix-incorrect-inheritable-capability-in-capset-records.patch b/queue-7.0/audit-fix-incorrect-inheritable-capability-in-capset-records.patch new file mode 100644 index 0000000000..706a27811b --- /dev/null +++ b/queue-7.0/audit-fix-incorrect-inheritable-capability-in-capset-records.patch 
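Review bot: The two new `if (audit_enabled == AUDIT_LOCKED) return -EPERM;` guards in audit_receive_msg() refuse silently, so an attempt to alter tree watches or equivalence mappings after the configuration was locked leaves nothing in the audit trail, which is exactly the event an auditor would want recorded. The description says the existing AUDIT_ADD_RULE/AUDIT_DEL_RULE locked path is the model; if that path emits a CONFIG_CHANGE record with `res=0` before returning (it is outside the hunk, so please confirm), the TRIM and MAKE_EQUIV refusals should do the same via audit_log_common_recv_msg() with AUDIT_CONFIG_CHANGE for parity and detection value. A short comment at each guard, `/* locked config: refuse and (like ADD/DEL_RULE) record the attempt */`, would also keep future commands consistent. audit_receive_msg() starts and ends outside the hunk.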
@@ -0,0 +1,44 @@ +From e4a640475e43f406fdfd56d370b1f34b0cbbc18d Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Tue, 12 May 2026 14:28:33 +0100 +Subject: audit: fix incorrect inheritable capability in CAPSET records + +From: Sergio Correia + +commit e4a640475e43f406fdfd56d370b1f34b0cbbc18d upstream. + +__audit_log_capset() records the effective capability set into the +inheritable field due to a copy-paste error. Every CAPSET audit +record therefore reports cap_pi (process inheritable) with the value +of cap_effective instead of cap_inheritable. + +This silently corrupts audit data used for compliance and forensic +analysis: an attacker who modifies inheritable capabilities to +prepare for a privilege-escalating exec would have the change masked +in the audit trail. + +The bug has been present since the original introduction of CAPSET +audit records in 2008. + +Cc: stable@vger.kernel.org +Fixes: e68b75a027bb ("When the capset syscall is used it is not possible for audit to record the actual capbilities being added/removed. This patch adds a new record type which emits the target pid and the eff, inh, and perm cap sets.") +Reviewed-by: Ricardo Robaina +Assisted-by: Claude:claude-opus-4-6 +Signed-off-by: Sergio Correia +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + kernel/auditsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -2786,7 +2786,7 @@ void __audit_log_capset(const struct cre + + context->capset.pid = task_tgid_nr(current); + context->capset.cap.effective = new->cap_effective; +- context->capset.cap.inheritable = new->cap_effective; ++ context->capset.cap.inheritable = new->cap_inheritable; + context->capset.cap.permitted = new->cap_permitted; + context->capset.cap.ambient = new->cap_ambient; + context->type = AUDIT_CAPSET; 
diff --git a/queue-7.0/cgroup-cpuset-reserve-dl-bandwidth-only-for-root-domain-moves.patch b/queue-7.0/cgroup-cpuset-reserve-dl-bandwidth-only-for-root-domain-moves.patch
new file mode 100644
index 0000000000..8fd5baa11a
--- /dev/null
+++ b/queue-7.0/cgroup-cpuset-reserve-dl-bandwidth-only-for-root-domain-moves.patch
@@ -0,0 +1,167 @@ +From 5dd74441cbf42c22e874450eb6a6bbb19390a216 Mon Sep 17 00:00:00 2001 +From: Guopeng Zhang +Date: Sat, 9 May 2026 18:20:31 +0800 +Subject: cgroup/cpuset: Reserve DL bandwidth only for root-domain moves + +From: Guopeng Zhang + +commit 5dd74441cbf42c22e874450eb6a6bbb19390a216 upstream. + +cpuset_can_attach() currently adds the bandwidth of all migrating +SCHED_DEADLINE tasks to sum_migrate_dl_bw. If the source and destination +cpuset effective CPU masks do not overlap, the whole sum is then +reserved in the destination root domain. + +set_cpus_allowed_dl(), however, subtracts bandwidth from the source +root domain only when the affinity change really moves the task between +root domains. A DL task can move between cpusets that are still in the +same root domain, so including that task in sum_migrate_dl_bw can reserve +destination bandwidth without a matching source-side subtraction. + +Share the root-domain move test with set_cpus_allowed_dl(). Keep +nr_migrate_dl_tasks counting all migrating deadline tasks for cpuset DL +task accounting, but add to sum_migrate_dl_bw only for tasks that need a +root-domain bandwidth move. Keep using the destination cpuset effective +CPU mask and leave the broader can_attach()/attach() transaction model +unchanged. 
+ +Fixes: 2ef269ef1ac0 ("cgroup/cpuset: Free DL BW in case can_attach() fails") +Cc: stable@vger.kernel.org # v6.10+ +Signed-off-by: Guopeng Zhang +Reviewed-by: Waiman Long +Acked-by: Juri Lelli +Tested-by: Juri Lelli +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched/deadline.h | 9 +++++++++ + kernel/cgroup/cpuset-internal.h | 1 + + kernel/cgroup/cpuset.c | 33 ++++++++++++++++++--------------- + kernel/sched/deadline.c | 13 ++++++++++--- + 4 files changed, 38 insertions(+), 18 deletions(-) + +--- a/include/linux/sched/deadline.h ++++ b/include/linux/sched/deadline.h +@@ -33,6 +33,15 @@ struct root_domain; + extern void dl_add_task_root_domain(struct task_struct *p); + extern void dl_clear_root_domain(struct root_domain *rd); + extern void dl_clear_root_domain_cpu(int cpu); ++/* ++ * Return whether moving DL task @p to @new_mask requires moving DL ++ * bandwidth accounting between root domains. This helper is specific to ++ * DL bandwidth move accounting semantics and is shared by ++ * cpuset_can_attach() and set_cpus_allowed_dl() so both paths use the ++ * same source root-domain test. ++ */ ++extern bool dl_task_needs_bw_move(struct task_struct *p, ++ const struct cpumask *new_mask); + + extern u64 dl_cookie; + extern bool dl_bw_visited(int cpu, u64 cookie); +--- a/kernel/cgroup/cpuset-internal.h ++++ b/kernel/cgroup/cpuset-internal.h +@@ -167,6 +167,7 @@ struct cpuset { + */ + int nr_deadline_tasks; + int nr_migrate_dl_tasks; ++ /* DL bandwidth that needs destination reservation for this attach. 
*/ + u64 sum_migrate_dl_bw; + /* + * CPU used for temporary DL bandwidth allocation during attach; +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -2993,7 +2993,7 @@ static int cpuset_can_attach(struct cgro + struct cpuset *cs, *oldcs; + struct task_struct *task; + bool setsched_check; +- int ret; ++ int cpu, ret; + + /* used later by cpuset_attach() */ + cpuset_attach_old_cs = task_cs(cgroup_taskset_first(tset, &css)); +@@ -3038,28 +3038,31 @@ static int cpuset_can_attach(struct cgro + } + + if (dl_task(task)) { ++ /* ++ * Count all migrating DL tasks for cpuset task accounting. ++ * Only tasks that need a root-domain bandwidth move ++ * contribute to sum_migrate_dl_bw. ++ */ + cs->nr_migrate_dl_tasks++; +- cs->sum_migrate_dl_bw += task->dl.dl_bw; ++ if (dl_task_needs_bw_move(task, cs->effective_cpus)) ++ cs->sum_migrate_dl_bw += task->dl.dl_bw; + } + } + +- if (!cs->nr_migrate_dl_tasks) ++ if (!cs->sum_migrate_dl_bw) + goto out_success; + +- if (!cpumask_intersects(oldcs->effective_cpus, cs->effective_cpus)) { +- int cpu = cpumask_any_and(cpu_active_mask, cs->effective_cpus); +- +- if (unlikely(cpu >= nr_cpu_ids)) { +- ret = -EINVAL; +- goto out_unlock; +- } ++ cpu = cpumask_any_and(cpu_active_mask, cs->effective_cpus); ++ if (unlikely(cpu >= nr_cpu_ids)) { ++ ret = -EINVAL; ++ goto out_unlock; ++ } + +- ret = dl_bw_alloc(cpu, cs->sum_migrate_dl_bw); +- if (ret) +- goto out_unlock; ++ ret = dl_bw_alloc(cpu, cs->sum_migrate_dl_bw); ++ if (ret) ++ goto out_unlock; + +- cs->dl_bw_cpu = cpu; +- } ++ cs->dl_bw_cpu = cpu; + + out_success: + /* +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -3106,20 +3106,18 @@ static void task_woken_dl(struct rq *rq, + static void set_cpus_allowed_dl(struct task_struct *p, + struct affinity_context *ctx) + { +- struct root_domain *src_rd; + struct rq *rq; + + WARN_ON_ONCE(!dl_task(p)); + + rq = task_rq(p); +- src_rd = rq->rd; + /* + * Migrating a SCHED_DEADLINE task between exclusive + * cpusets 
(different root_domains) entails a bandwidth + * update. We already made space for us in the destination + * domain (see cpuset_can_attach()). + */ +- if (!cpumask_intersects(src_rd->span, ctx->new_mask)) { ++ if (dl_task_needs_bw_move(p, ctx->new_mask)) { + struct dl_bw *src_dl_b; + + src_dl_b = dl_bw_of(cpu_of(rq)); +@@ -3136,6 +3134,15 @@ static void set_cpus_allowed_dl(struct t + set_cpus_allowed_common(p, ctx); + } + ++bool dl_task_needs_bw_move(struct task_struct *p, ++ const struct cpumask *new_mask) ++{ ++ if (!dl_task(p)) ++ return false; ++ ++ return !cpumask_intersects(task_rq(p)->rd->span, new_mask); ++} ++ + /* Assumes rq->lock is held */ + static void rq_online_dl(struct rq *rq) + { diff --git a/queue-7.0/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch b/queue-7.0/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch new file mode 100644 index 0000000000..ae0718f723 --- /dev/null +++ b/queue-7.0/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch 
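Review bot: The new dl_task_needs_bw_move() in kernel/sched/deadline.c reads `task_rq(p)->rd->span` without stating which lock keeps the task's rq and its root domain stable, and its two callers hold different locks: set_cpus_allowed_dl() presumably runs with the task's rq lock held (the pre-existing `rq = task_rq(p)` on that path relies on it), while cpuset_can_attach() holds cpuset_mutex but not the rq lock, so the task may still be migrating between CPUs when the helper samples its root domain. The test is likely safe there because root domains are only rebuilt under cpuset_mutex, but that reasoning should sit on the definition rather than in a reviewer's head; I would add above it a comment along the lines of `/* Callers: set_cpus_allowed_dl() under the rq lock, cpuset_can_attach() under cpuset_mutex; root domains are only rebuilt under the latter. */` (please confirm both locking facts). The header comment in deadline.h could also note that the result is deliberately independent of the source cpuset's effective mask, which is the behavioural change this patch makes in cpuset_can_attach(). cpuset_can_attach() and set_cpus_allowed_dl() both start outside the hunk.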
@@ -0,0 +1,65 @@ +From 4a39eda5fdd867fc39f3c039714dd432cee00268 Mon Sep 17 00:00:00 2001 +From: Guopeng Zhang +Date: Sat, 9 May 2026 18:20:30 +0800 +Subject: cgroup/cpuset: Reset DL migration state on can_attach() failure + +From: Guopeng Zhang + +commit 4a39eda5fdd867fc39f3c039714dd432cee00268 upstream. + +cpuset_can_attach() accumulates temporary SCHED_DEADLINE migration +state in the destination cpuset while walking the taskset. + +If a later task_can_attach() or security_task_setscheduler() check +fails, cgroup_migrate_execute() treats cpuset as the failing subsystem +and does not call cpuset_cancel_attach() for it. The partially +accumulated state is then left behind and can be consumed by a later +attach, corrupting cpuset DL task accounting and pending DL bandwidth +accounting. + +Reset the pending DL migration state from the common error exit when +ret is non-zero. Successful can_attach() keeps the state for +cpuset_attach() or cpuset_cancel_attach(). + +Fixes: 2ef269ef1ac0 ("cgroup/cpuset: Free DL BW in case can_attach() fails") +Cc: stable@vger.kernel.org # v6.10+ +Signed-off-by: Guopeng Zhang +Signed-off-by: Tejun Heo +Reviewed-by: Chen Ridong +Reviewed-by: Waiman Long +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cpuset.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -3050,16 +3050,13 @@ static int cpuset_can_attach(struct cgro + int cpu = cpumask_any_and(cpu_active_mask, cs->effective_cpus); + + if (unlikely(cpu >= nr_cpu_ids)) { +- reset_migrate_dl_data(cs); + ret = -EINVAL; + goto out_unlock; + } + + ret = dl_bw_alloc(cpu, cs->sum_migrate_dl_bw); +- if (ret) { +- reset_migrate_dl_data(cs); ++ if (ret) + goto out_unlock; +- } + + cs->dl_bw_cpu = cpu; + } +@@ -3070,7 +3067,10 @@ out_success: + * changes which zero cpus/mems_allowed. 
+ */ + cs->attach_in_progress++; ++ + out_unlock: ++ if (ret) ++ reset_migrate_dl_data(cs); + mutex_unlock(&cpuset_mutex); + return ret; + } diff --git a/queue-7.0/cgroup-cpuset-return-only-actually-allocated-cpus-during-partition-invalidation.patch b/queue-7.0/cgroup-cpuset-return-only-actually-allocated-cpus-during-partition-invalidation.patch new file mode 100644 index 0000000000..e6f24e64de --- /dev/null +++ b/queue-7.0/cgroup-cpuset-return-only-actually-allocated-cpus-during-partition-invalidation.patch 
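Review bot: The new `if (ret) reset_migrate_dl_data(cs);` at `out_unlock:` relies on every `goto out_unlock` having assigned ret and on ret being 0 on the fall-through success path; the start of cpuset_can_attach(), where ret is declared and first assigned, is outside the hunk, so it is worth confirming no early goto reaches the label with ret uninitialised. The hunk's context (no reset_migrate_dl_data() call left in the `cpu >= nr_cpu_ids` branch) also matches the base the reserve-dl-bandwidth patch in this same queue update expects, so the series must apply this patch first — presumably the series file already does. A one-line comment at the label, `/* failed can_attach: cgroup core will not call cancel_attach() for the failing css, so drop the DL state accumulated in this walk here */`, would record why the reset lives at the common exit rather than at each error site.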
@@ -0,0 +1,73 @@ +From 345f40166694e60db6d5cf02233814bb27ac5dec Mon Sep 17 00:00:00 2001 +From: sunshaojie +Date: Wed, 13 May 2026 18:37:38 +0800 +Subject: cgroup/cpuset: Return only actually allocated CPUs during partition invalidation + +From: sunshaojie + +commit 345f40166694e60db6d5cf02233814bb27ac5dec upstream. + +In update_parent_effective_cpumask() with partcmd_invalidate, the CPUs +to return to the parent are computed as: + + adding = cpumask_and(tmp->addmask, xcpus, parent->effective_xcpus); + +where xcpus = user_xcpus(cs) which returns cs->exclusive_cpus (if set) +or cs->cpus_allowed. When exclusive_cpus is not set, user_xcpus(cs) can +contain CPUs that were never actually granted to the partition due to +sibling exclusion in compute_excpus(). Consequently, the invalidation +may return CPUs to the parent that remain in use by sibling partitions, +causing overlapping effective_cpus and triggering the +WARN_ON_ONCE(1) in generate_sched_domains(). + +Use cs->effective_xcpus instead, which reflects the CPUs actually +granted to this partition. + +Reproducer (on a 4-CPU machine): + + cd /sys/fs/cgroup + mkdir a1 b1 + + # a1 becomes partition root with CPUs 0-1 + echo "0-1" > a1/cpuset.cpus + echo "root" > a1/cpuset.cpus.partition + + # b1 becomes partition root with CPUs 1-2, but sibling exclusion + # reduces its effective_xcpus to CPU 2 only + echo "1-2" > b1/cpuset.cpus + echo "root" > b1/cpuset.cpus.partition + + # b1 changes cpus_allowed to 0-1 -> partition invalidation + echo "0-1" > b1/cpuset.cpus + + # Expected: CPUs 2-3 (only CPU 2 returned from b1) + # Actual: CPUs 1-3 (CPU 0-1 returned, overlapping with a1) + cat cpuset.cpus.effective + +dmesg will also show a WARNING from generate_sched_domains() reporting +overlapping partition root effective_cpus. 
+ +Fixes: 2a3602030d80 ("cgroup/cpuset: Don't invalidate sibling partitions on cpuset.cpus conflict") +Cc: stable@vger.kernel.org # v7.0+ +Signed-off-by: sunshaojie +Tested-by: Chen Ridong +Reviewed-by: Chen Ridong +Reviewed-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/cpuset.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -1718,7 +1718,8 @@ static int update_parent_effective_cpuma + */ + if (is_partition_valid(parent)) + adding = cpumask_and(tmp->addmask, +- xcpus, parent->effective_xcpus); ++ cs->effective_xcpus, ++ parent->effective_xcpus); + if (old_prs > 0) + new_prs = -old_prs; + diff --git a/queue-7.0/cgroup-dmem-return-enomem-on-failed-pool-preallocation.patch b/queue-7.0/cgroup-dmem-return-enomem-on-failed-pool-preallocation.patch new file mode 100644 index 0000000000..73bd29bf18 --- /dev/null +++ b/queue-7.0/cgroup-dmem-return-enomem-on-failed-pool-preallocation.patch 
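Review bot: The switch from `xcpus` to `cs->effective_xcpus` in the partcmd_invalidate branch of update_parent_effective_cpumask() carries no comment, and the reason (user_xcpus() may contain CPUs that sibling exclusion in compute_excpus() never granted, so returning them makes sibling partitions' effective_cpus overlap) lives only in the commit message. I would add above the `if (is_partition_valid(parent))` line: `/* Return only CPUs actually granted to this partition; user_xcpus() can include CPUs withheld by sibling exclusion. */`. update_parent_effective_cpumask() starts and ends outside the hunk.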
@@ -0,0 +1,41 @@ +From 796ad622040f7f955ccc3973085e953415920496 Mon Sep 17 00:00:00 2001 +From: Guopeng Zhang +Date: Mon, 11 May 2026 09:31:50 +0800 +Subject: cgroup/dmem: Return -ENOMEM on failed pool preallocation + +From: Guopeng Zhang + +commit 796ad622040f7f955ccc3973085e953415920496 upstream. + +get_cg_pool_unlocked() handles allocation failures under dmemcg_lock by +dropping the lock, preallocating a pool with GFP_KERNEL, and retrying the +locked lookup and creation path. + +If the fallback allocation fails too, pool remains NULL. Since the loop +condition is while (!pool), the function can keep retrying instead of +propagating the allocation failure to the caller. + +Set pool to ERR_PTR(-ENOMEM) when the fallback allocation fails so the +loop exits through the existing common return path. The callers already +handle ERR_PTR() from get_cg_pool_unlocked(), so this restores the +expected error path. + +Fixes: b168ed458dde ("kernel/cgroup: Add "dmem" memory accounting cgroup") +Cc: stable@vger.kernel.org # v6.14+ +Signed-off-by: Guopeng Zhang +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup/dmem.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/cgroup/dmem.c ++++ b/kernel/cgroup/dmem.c +@@ -602,6 +602,7 @@ get_cg_pool_unlocked(struct dmemcg_state + pool = NULL; + continue; + } ++ pool = ERR_PTR(-ENOMEM); + } + } + diff --git a/queue-7.0/crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch b/queue-7.0/crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch new file mode 100644 index 0000000000..3290cc49fa --- /dev/null +++ b/queue-7.0/crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch 
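Review bot: The new `pool = ERR_PTR(-ENOMEM);` in get_cg_pool_unlocked() only makes sense against the `while (!pool)` loop condition and the callers' error-pointer handling, neither of which is in the hunk, so a reader of this branch sees an error pointer assigned at the tail of an allocation-failure path with no explanation. I would add `/* fallback allocation failed: a non-NULL error pointer ends the while (!pool) retry loop and is returned to the caller */` directly above the assignment. The loop head and the function's return are outside the hunk.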
@@ -0,0 +1,31 @@ +From e4c06479d7059888adf2f22bc1ebcf053bf691a2 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Tue, 5 May 2026 17:02:45 +0800 +Subject: crypto: af_alg - Cap AEAD AD length to 0x80000000 + +From: Herbert Xu + +commit e4c06479d7059888adf2f22bc1ebcf053bf691a2 upstream. + +In order to prevent arithmetic overflows when checking the TX +buffer size, cap the associated data length to 0x80000000. + +Reported-by: Yiming Qian +Fixes: 400c40cf78da ("crypto: algif - add AEAD support") +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + crypto/af_alg.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -586,6 +586,8 @@ static int af_alg_cmsg_send(struct msghd + if (cmsg->cmsg_len < CMSG_LEN(sizeof(u32))) + return -EINVAL; + con->aead_assoclen = *(u32 *)CMSG_DATA(cmsg); ++ if (con->aead_assoclen >= 0x80000000u) ++ return -EINVAL; + break; + + default: diff --git a/queue-7.0/i40e-cleanup-ptp-pins-on-probe-failure.patch b/queue-7.0/i40e-cleanup-ptp-pins-on-probe-failure.patch new file mode 100644 index 0000000000..5b7f1fa73c --- /dev/null +++ b/queue-7.0/i40e-cleanup-ptp-pins-on-probe-failure.patch 
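Review bot: The new `if (con->aead_assoclen >= 0x80000000u) return -EINVAL;` in af_alg_cmsg_send() uses a bare magic constant; its meaning (keep the user-supplied AD length small enough that the later TX-buffer size arithmetic cannot overflow, per the description) should be carried by a named constant with that explanation as a comment, rather than a literal a future reader has to reverse-engineer. The check also runs after the value has already been stored into `con->aead_assoclen`; reading into a local `u32`, validating, then assigning would keep the control structure free of rejected input, although the caller presumably discards it on -EINVAL. af_alg_cmsg_send() starts and ends outside the hunk.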
@@ -0,0 +1,73 @@ +From 678b713ece1e853f11e670a84cb887c35e1381b7 Mon Sep 17 00:00:00 2001 +From: Matt Vollrath +Date: Wed, 6 May 2026 14:48:11 -0700 +Subject: i40e: Cleanup PTP pins on probe failure + +From: Matt Vollrath + +commit 678b713ece1e853f11e670a84cb887c35e1381b7 upstream. + +PTP pin structs are allocated early in probe, but never cleaned up. + +Fix this by calling i40e_ptp_free_pins in the error path. + +To support this, i40e_ptp_free_pins is added to the header and +pin_config is correctly nullified after being freed. + +This has been an issue since i40e_ptp_alloc_pins was introduced. + +Fixes: 1050713026a08 ("i40e: add support for PTP external synchronization clock") +Reported-by: Kohei Enju +Cc: stable@vger.kernel.org +Signed-off-by: Matt Vollrath +Reviewed-by: Paul Menzel +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Kohei Enju +Tested-by: Sunitha Mekala +Signed-off-by: Jacob Keller +Link: https://patch.msgid.link/20260506-jk-iwl-net-2026-05-04-v2-2-a5ea4dc837a9@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40e/i40e.h | 1 + + drivers/net/ethernet/intel/i40e/i40e_main.c | 1 + + drivers/net/ethernet/intel/i40e/i40e_ptp.c | 3 ++- + 3 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e.h ++++ b/drivers/net/ethernet/intel/i40e/i40e.h +@@ -1318,6 +1318,7 @@ void i40e_ptp_restore_hw_time(struct i40 + void i40e_ptp_init(struct i40e_pf *pf); + void i40e_ptp_stop(struct i40e_pf *pf); + int i40e_ptp_alloc_pins(struct i40e_pf *pf); ++void i40e_ptp_free_pins(struct i40e_pf *pf); + int i40e_update_adq_vsi_queues(struct i40e_vsi *vsi, int vsi_offset); + int i40e_is_vsi_uplink_mode_veb(struct i40e_vsi *vsi); + int i40e_get_partition_bw_setting(struct i40e_pf *pf); +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -16111,6 +16111,7 @@ err_vsis: + i40e_clear_interrupt_scheme(pf); + kfree(pf->vsi); + 
err_switch_setup: ++ i40e_ptp_free_pins(pf); + i40e_reset_interrupt_capability(pf); + timer_shutdown_sync(&pf->service_timer); + err_mac_addr: +--- a/drivers/net/ethernet/intel/i40e/i40e_ptp.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ptp.c +@@ -940,12 +940,13 @@ int i40e_ptp_hwtstamp_get(struct net_dev + * + * Release memory allocated for PTP pins. + **/ +-static void i40e_ptp_free_pins(struct i40e_pf *pf) ++void i40e_ptp_free_pins(struct i40e_pf *pf) + { + if (i40e_is_ptp_pin_dev(&pf->hw)) { + kfree(pf->ptp_pins); + kfree(pf->ptp_caps.pin_config); + pf->ptp_pins = NULL; ++ pf->ptp_caps.pin_config = NULL; + } + } + diff --git a/queue-7.0/idpf-fix-double-free-and-use-after-free-in-aux-device-error-paths.patch b/queue-7.0/idpf-fix-double-free-and-use-after-free-in-aux-device-error-paths.patch new file mode 100644 index 0000000000..dafed10797 --- /dev/null +++ b/queue-7.0/idpf-fix-double-free-and-use-after-free-in-aux-device-error-paths.patch 
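Review bot: i40e_ptp_free_pins() becomes part of the driver-internal API (declared in i40e.h) and is now called from the probe unwind at `err_switch_setup:`, but its kernel-doc header, of which only the closing `**/` is in the hunk, still says only that it releases pin memory. The probe unwind can reach that label on devices or at points where the pins were never allocated, and the function tolerates this through kfree(NULL) and the `pf->ptp_pins = NULL` / `pf->ptp_caps.pin_config = NULL` resets, so the contract is worth stating: `Safe to call when the pins were never allocated or were already freed; both pointers are reset so repeated calls are harmless.` Whether every failure that jumps to err_switch_setup occurs after i40e_ptp_alloc_pins() is not visible here, but the NULL tolerance makes the question moot.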
@@ -0,0 +1,65 @@ +From 6c77b9510829a424d1b74409b7db9456e3522871 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Wed, 6 May 2026 14:48:13 -0700 +Subject: idpf: fix double free and use-after-free in aux device error paths + +From: Greg Kroah-Hartman + +commit 6c77b9510829a424d1b74409b7db9456e3522871 upstream. + +When auxiliary_device_add() fails in idpf_plug_vport_aux_dev() or +idpf_plug_core_aux_dev(), the err_aux_dev_add label calls +auxiliary_device_uninit() and falls through to err_aux_dev_init. The +uninit call will trigger put_device(), which invokes the release +callback (idpf_vport_adev_release / idpf_core_adev_release) that frees +iadev. The fall-through then reads adev->id from the freed iadev for +ida_free() and double-frees iadev with kfree(). + +Free the IDA slot and clear the back-pointer before uninit, while adev +is still valid, then return immediately. + +Commit 65637c3a1811 ("idpf: fix UAF in RDMA core aux dev deinitialization") +fixed the same use-after-free in the matching unplug path in this file but +missed both probe error paths. 
+ +Cc: Tony Nguyen +Cc: Przemek Kitszel +Cc: Andrew Lunn +Cc: stable@kernel.org +Fixes: be91128c579c ("idpf: implement RDMA vport auxiliary dev create, init, and destroy") +Fixes: f4312e6bfa2a ("idpf: implement core RDMA auxiliary dev create, init, and destroy") +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Aleksandr Loktionov +Reviewed-by: Paul Menzel +Signed-off-by: Jacob Keller +Link: https://patch.msgid.link/20260506-jk-iwl-net-2026-05-04-v2-4-a5ea4dc837a9@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/idpf/idpf_idc.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ethernet/intel/idpf/idpf_idc.c ++++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c +@@ -90,7 +90,10 @@ static int idpf_plug_vport_aux_dev(struc + return 0; + + err_aux_dev_add: ++ ida_free(&idpf_idc_ida, adev->id); ++ vdev_info->adev = NULL; + auxiliary_device_uninit(adev); ++ return ret; + err_aux_dev_init: + ida_free(&idpf_idc_ida, adev->id); + err_ida_alloc: +@@ -228,7 +231,10 @@ static int idpf_plug_core_aux_dev(struct + return 0; + + err_aux_dev_add: ++ ida_free(&idpf_idc_ida, adev->id); ++ cdev_info->adev = NULL; + auxiliary_device_uninit(adev); ++ return ret; + err_aux_dev_init: + ida_free(&idpf_idc_ida, adev->id); + err_ida_alloc: diff --git a/queue-7.0/kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch b/queue-7.0/kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch new file mode 100644 index 0000000000..2c0347723e --- /dev/null +++ b/queue-7.0/kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch 
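Review bot: Both new `err_aux_dev_add:` blocks, in idpf_plug_vport_aux_dev() and idpf_plug_core_aux_dev(), now end in a bare `return ret;` immediately before a label that other gotos still reach, which reads like an accidental early exit unless the reader already knows that auxiliary_device_uninit() frees the embedding object through its release callback. I would put that on the lines themselves: `auxiliary_device_uninit(adev); /* drops the last ref; the release callback frees the embedding struct, adev dangles from here */` and `return ret; /* must not fall through: err_aux_dev_init reads adev->id */`. Whether `ret` holds the auxiliary_device_add() error at this point is decided outside the hunk; please confirm. Both functions start outside the hunk.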
@@ -0,0 +1,75 @@ +From 577a8d3bae0531f0e5ccfac919cd8192f920a804 Mon Sep 17 00:00:00 2001 +From: Aaron Sacks +Date: Tue, 12 May 2026 02:07:42 -0400 +Subject: KVM: Reject wrapped offset in kvm_reset_dirty_gfn() + +From: Aaron Sacks + +commit 577a8d3bae0531f0e5ccfac919cd8192f920a804 upstream. + +kvm_reset_dirty_gfn() guards the gfn range with + + if (!memslot || (offset + __fls(mask)) >= memslot->npages) + return; + +but offset is u64 and the addition is unchecked. The check can be +silently bypassed by a u64 wrap. + +The dirty ring backing those entries is MAP_SHARED at +KVM_DIRTY_LOG_PAGE_OFFSET of the vcpu fd, so the VMM can rewrite the +slot and offset fields of any entry between when the kernel pushes +them and when KVM_RESET_DIRTY_RINGS consumes them. On reset, +kvm_dirty_ring_reset() re-reads the values via READ_ONCE() and feeds +them straight back into this check; only the flags handshake is +treated as the handover, the slot/offset payload is taken on trust. + +Crafting two entries + + entry[i].offset = 0xffffffffffffffc1 + entry[i+1].offset = 0 + +makes the coalescing loop in kvm_dirty_ring_reset() compute + + delta = (s64)(0 - 0xffffffffffffffc1) = 63 + +which falls in [0, BITS_PER_LONG), so it folds entry[i+1] into the +existing mask by setting bit 63. The trailing kvm_reset_dirty_gfn() +call then sees offset = 0xffffffffffffffc1 and __fls(mask) = 63; +the sum is 0 in u64 and the bounds check passes. + +That offset propagates into kvm_arch_mmu_enable_log_dirty_pt_masked() +unchanged. On the legacy MMU path -- kvm_memslots_have_rmaps() == +true, i.e. shadow paging, any VM that has allocated shadow roots, or +a write-tracked slot -- it reaches gfn_to_rmap(), which indexes +slot->arch.rmap[0][] with a near-U64_MAX gfn. That is an +out-of-bounds load of a kvm_rmap_head, followed by a conditional +clear of PT_WRITABLE_MASK in whatever the loaded pointer points at. +The path is reachable from any process holding /dev/kvm. 
+ +Range-check offset on its own first, so the addition cannot wrap. +memslot->npages is bounded well below U64_MAX, so once offset < +npages holds, offset + __fls(mask) (with __fls(mask) < BITS_PER_LONG) +stays in range. + +Fixes: fb04a1eddb1a ("KVM: X86: Implement ring-based dirty memory tracking") +Cc: stable@vger.kernel.org +Signed-off-by: Aaron Sacks +Link: https://patch.msgid.link/20260512060742.1628959-1-contact@xchglabs.com/ +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/dirty_ring.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/virt/kvm/dirty_ring.c ++++ b/virt/kvm/dirty_ring.c +@@ -63,7 +63,8 @@ static void kvm_reset_dirty_gfn(struct k + + memslot = id_to_memslot(__kvm_memslots(kvm, as_id), id); + +- if (!memslot || (offset + __fls(mask)) >= memslot->npages) ++ if (!memslot || offset >= memslot->npages || ++ offset + __fls(mask) >= memslot->npages) + return; + + KVM_MMU_LOCK(kvm); diff --git a/queue-7.0/kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch b/queue-7.0/kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch new file mode 100644 index 0000000000..3ec27e2aa4 --- /dev/null +++ b/queue-7.0/kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch 
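Review bot: The reordered condition in kvm_reset_dirty_gfn(), `offset >= memslot->npages || offset + __fls(mask) >= memslot->npages`, is only correct because of its evaluation order (offset is bounded before anything is added to it), and nothing at the site says that offset was re-read from a VMM-writable MAP_SHARED ring and is therefore untrusted here. I would add above the `if`: `/* offset is re-read from the user-shared ring and untrusted; bound it alone first so the addition below cannot wrap past npages. */`. Whether a zero mask can reach `__fls(mask)` here is decided by the caller, which is outside the hunk, as is the rest of kvm_reset_dirty_gfn().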
@@ -0,0 +1,70 @@ +From 16d990a15491cf76cd6eef0846e1b4100e63261a Mon Sep 17 00:00:00 2001 +From: Junrui Luo +Date: Wed, 15 Apr 2026 17:26:55 +0800 +Subject: KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic + +From: Junrui Luo + +commit 16d990a15491cf76cd6eef0846e1b4100e63261a upstream. + +kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and +aen_host_forward() index the GAIT by manually multiplying the index +with sizeof(struct zpci_gaite). + +Since aift->gait is already a struct zpci_gaite pointer, this +double-scales the offset, accessing element aisb*16 instead of aisb. + +This causes out-of-bounds accesses when aisb >= 32 (with +ZPCI_NR_DEVICES=512) + +Fix by removing the erroneous sizeof multiplication. + +Fixes: 3c5a1b6f0a18 ("KVM: s390: pci: provide routines for enabling/disabling interrupt forwarding") +Fixes: 73f91b004321 ("KVM: s390: pci: enable host forwarding of Adapter Event Notifications") +Reported-by: Yuhao Jiang +Cc: stable@vger.kernel.org +Signed-off-by: Junrui Luo +Reviewed-by: Christian Borntraeger +Reviewed-by: Matthew Rosato +Tested-by: Matthew Rosato +Signed-off-by: Christian Borntraeger +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kvm/interrupt.c | 3 +-- + arch/s390/kvm/pci.c | 6 ++---- + 2 files changed, 3 insertions(+), 6 deletions(-) + +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -3307,8 +3307,7 @@ static void aen_host_forward(unsigned lo + struct zpci_gaite *gaite; + struct kvm *kvm; + +- gaite = (struct zpci_gaite *)aift->gait + +- (si * sizeof(struct zpci_gaite)); ++ gaite = aift->gait + si; + if (gaite->count == 0) + return; + if (gaite->aisb != 0) +--- a/arch/s390/kvm/pci.c ++++ b/arch/s390/kvm/pci.c +@@ -290,8 +290,7 @@ static int kvm_s390_pci_aif_enable(struc + phys_to_virt(fib->fmt0.aibv)); + + spin_lock_irq(&aift->gait_lock); +- gaite = (struct zpci_gaite *)aift->gait + (zdev->aisb * +- sizeof(struct zpci_gaite)); ++ gaite = aift->gait + zdev->aisb; + + /* If 
assist not requested, host will get all alerts */ + if (assist) +@@ -357,8 +356,7 @@ static int kvm_s390_pci_aif_disable(stru + if (zdev->kzdev->fib.fmt0.aibv == 0) + goto out; + spin_lock_irq(&aift->gait_lock); +- gaite = (struct zpci_gaite *)aift->gait + (zdev->aisb * +- sizeof(struct zpci_gaite)); ++ gaite = aift->gait + zdev->aisb; + isc = gaite->gisc; + gaite->count--; + if (gaite->count == 0) { diff --git a/queue-7.0/kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch b/queue-7.0/kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch new file mode 100644 index 0000000000..8ea1dee6c4 --- /dev/null +++ b/queue-7.0/kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch @@ -0,0 +1,35 @@ +From 2b72f1674e427c56e3772c5ccf785fdda2138820 Mon Sep 17 00:00:00 2001 +From: Qiang Ma +Date: Tue, 12 May 2026 09:53:13 +0800 +Subject: KVM: x86: Fix Xen hypercall tracepoint argument assignment + +From: Qiang Ma + +commit 2b72f1674e427c56e3772c5ccf785fdda2138820 upstream. + +TRACE_EVENT(kvm_xen_hypercall) stores a5 in __entry->a4 instead of +__entry->a5. + +That overwrites the recorded a4 argument and leaves a5 unset in the +trace entry. Fix the typo so both arguments are captured correctly. + +Signed-off-by: Qiang Ma +Link: https://patch.msgid.link/20260512015313.1685784-1-maqianga@uniontech.com/ +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/trace.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/trace.h ++++ b/arch/x86/kvm/trace.h +@@ -154,7 +154,7 @@ TRACE_EVENT(kvm_xen_hypercall, + __entry->a2 = a2; + __entry->a3 = a3; + __entry->a4 = a4; +- __entry->a4 = a5; ++ __entry->a5 = a5; + ), + + TP_printk("cpl %d nr 0x%lx a0 0x%lx a1 0x%lx a2 0x%lx a3 0x%lx a4 0x%lx a5 %lx", 
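Review bot: The corrected `gaite = aift->gait + si;` in aen_host_forward() and the two `gaite = aift->gait + zdev->aisb;` sites in pci.c still index the GAIT with no range check visible in these hunks; the commit message ties the old out-of-bounds access to `aisb >= 32` against a ZPCI_NR_DEVICES-sized table, so whatever keeps aisb/si below the table size lives elsewhere. If that bound is enforced where aisb is allocated (I cannot see it from here), a one-line comment at the first site such as `/* aisb is allocated below ZPCI_NR_DEVICES, so the index is in range */` would make the dependency explicit — confirm against the allocator before adding it. All three enclosing functions start and end outside their hunks.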
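Review bot: The TP_printk format in the hunk's context, `"... a4 0x%lx a5 %lx"`, prints a5 without the `0x` prefix used for nr and a0–a4, so the now-correctly-recorded a5 renders inconsistently in trace output; `a5 0x%lx` would match the other fields. This is a point of style only; the `__entry->a5 = a5;` assignment fix is correct as far as the hunk shows.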
diff --git a/queue-7.0/kvm-x86-swap-the-dst-and-src-operand-for-movntdqa.patch b/queue-7.0/kvm-x86-swap-the-dst-and-src-operand-for-movntdqa.patch
new file mode 100644
index 0000000000..6409ebf132
--- /dev/null
+++ b/queue-7.0/kvm-x86-swap-the-dst-and-src-operand-for-movntdqa.patch
@@ -0,0 +1,43 @@
+From 3098c076c83ea2913245cb915cdcba98eb24214c Mon Sep 17 00:00:00 2001
+From: Sean Christopherson
+Date: Wed, 6 May 2026 14:35:14 -0700
+Subject: KVM: x86: Swap the dst and src operand for MOVNTDQA
+
+From: Sean Christopherson
+
+commit 3098c076c83ea2913245cb915cdcba98eb24214c upstream.
+
+Swap the MOVNTDQA operands, as MOVNTDQA does NOT in fact have "the same
+characteristics as 0F E7 (MOVNTDQ)"; MOVNTDQA loads from memory and stores
+to registers, while MOVNTDQ loads from registers and stores to memory.
+
+Per the SDM:
+
+ MOVNTDQ - Move packed integer values in xmm1 to m128 using non-temporal
+ hint.
+
+ MOVNTDQA - Move double quadword from m128 to xmm1 using non-temporal hint
+ if WC memory type.
+
+Reported-by: Josh Eads
+Fixes: c57d9bafbd0b ("KVM: x86: Add support for emulating MOVNTDQA")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson
+Message-ID: <20260506213514.2781948-1-seanjc@google.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/emulate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -4469,7 +4469,7 @@ static const struct opcode opcode_map_0f
+ X16(N), X16(N),
+ /* 0x20 - 0x2f */
+ X8(N),
+- X2(N), GP(SrcReg | DstMem | ModRM | Mov | Aligned, &pfx_0f_e7_0f_38_2a), N, N, N, N, N,
++ X2(N), GP(SrcMem | DstReg | ModRM | Mov | Aligned, &pfx_0f_e7_0f_38_2a), N, N, N, N, N,
+ /* 0x30 - 0x7f */
+ X16(N), X16(N), X16(N), X16(N), X16(N),
+ /* 0x80 - 0xef */
diff --git a/queue-7.0/net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch b/queue-7.0/net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch
new file mode 100644
index 0000000000..1d02e863ed
--- /dev/null
+++ b/queue-7.0/net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch
@@ -0,0 +1,50 @@
+From 2c308cf34284420963607d677d576a2b4124d8bd Mon Sep 17 00:00:00 2001
+From: Zoran Ilievski
+Date: Mon, 11 May 2026 08:40:02 +0200
+Subject: net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
+
+From: Zoran Ilievski
+
+commit 2c308cf34284420963607d677d576a2b4124d8bd upstream.
+
+The shutdown handler aq_pci_shutdown() unconditionally calls
+pci_wake_from_d3(pdev, false), clearing the PCI PME_En bit even when
+wake-on-LAN has been configured. While aq_nic_shutdown() correctly
+programs the NIC firmware via aq_nic_set_power() to listen for magic
+packets, the PCI subsystem will not propagate the resulting PME wake
+event from D3, so the system never wakes after poweroff.
+
+WOL from suspend (S3) is unaffected because aq_suspend_common() does
+not touch pci_wake_from_d3() and relies on the PM core's wake
+configuration via device_may_wakeup().
+
+This affects all atlantic-supported NICs (AQC107/108/111/112/113);
+users have reported that WOL works if the atlantic driver is never
+loaded, but breaks once it has run its shutdown path.
+
+Pass the configured WOL state to pci_wake_from_d3() instead of a
+literal false, so the PCI PME_En bit is preserved when the user has
+armed WOL via ethtool.
+
+Fixes: 90869ddfefeb ("net: aquantia: Implement pci shutdown callback")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zoran Ilievski
+Reviewed-by: Sukhdeep Singh
+Link: https://patch.msgid.link/20260511064002.1857-1-goodboy@rexbytes.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_pci_func.c
+@@ -371,7 +371,7 @@ static void aq_pci_shutdown(struct pci_d
+ pci_disable_device(pdev);
+ 
+ if (system_state == SYSTEM_POWER_OFF) {
+- pci_wake_from_d3(pdev, false);
++ pci_wake_from_d3(pdev, self->aq_hw->aq_nic_cfg->wol);
+ pci_set_power_state(pdev, PCI_D3hot);
+ }
+ }
diff --git a/queue-7.0/net-ena-phc-check-return-code-before-setting-timestamp-output.patch b/queue-7.0/net-ena-phc-check-return-code-before-setting-timestamp-output.patch
new file mode 100644
index 0000000000..2f42b7dbc6
--- /dev/null
+++ b/queue-7.0/net-ena-phc-check-return-code-before-setting-timestamp-output.patch
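Review bot: `pci_wake_from_d3(pdev, self->aq_hw->aq_nic_cfg->wol)` hands what the commit message calls the configured WOL state — by its name a wake-option mask rather than a bool — to a bool parameter, so any non-zero option set arms PME. That is the intended behaviour, but spelling it `pci_wake_from_d3(pdev, !!self->aq_hw->aq_nic_cfg->wol);` or adding `/* any armed WOL option keeps PME_En set across poweroff */` makes the mask-to-bool intent explicit for the next reader. I cannot see the type of `wol` from here, so treat the mask reading as an assumption. aq_pci_shutdown() begins outside the hunk.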
@@ -0,0 +1,48 @@
+From 24a08d7d6218d60c033015cf4870b6096446e734 Mon Sep 17 00:00:00 2001
+From: Arthur Kiyanovski
+Date: Thu, 7 May 2026 00:35:15 +0000
+Subject: net: ena: PHC: Check return code before setting timestamp output
+
+From: Arthur Kiyanovski
+
+commit 24a08d7d6218d60c033015cf4870b6096446e734 upstream.
+
+ena_phc_gettimex64() is setting the output parameter regardless
+of whether ena_com_phc_get_timestamp() succeeded or failed.
+
+When ena_com_phc_get_timestamp() returns an error, the timestamp
+parameter may contain uninitialized stack memory (e.g., when PHC is
+disabled or in blocked state) or invalid hardware values. Passing
+these to userspace via the PTP ioctl is both a security issue
+(information leak) and a correctness bug.
+
+Fix by checking the return code after releasing the lock and only
+setting the output timestamp on success.
+
+Fixes: e0ea34158ee8 ("net: ena: Add PHC support in the ENA driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Arthur Kiyanovski
+Reviewed-by: Vadim Fedorenko
+Link: https://patch.msgid.link/20260507003518.22554-1-akiyano@amazon.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/amazon/ena/ena_phc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/amazon/ena/ena_phc.c
++++ b/drivers/net/ethernet/amazon/ena/ena_phc.c
+@@ -46,9 +46,12 @@ static int ena_phc_gettimex64(struct ptp
+ 
+ spin_unlock_irqrestore(&phc_info->lock, flags);
+ 
++ if (rc)
++ return rc;
++
+ *ts = ns_to_timespec64(timestamp_nsec);
+ 
+- return rc;
++ return 0;
+ }
+ 
+ static int ena_phc_settime64(struct ptp_clock_info *clock_info,
diff --git a/queue-7.0/net-ena-phc-fix-potential-use-after-free-in-get_timestamp.patch b/queue-7.0/net-ena-phc-fix-potential-use-after-free-in-get_timestamp.patch
new file mode 100644
index 0000000000..48e7cc0000
--- /dev/null
+++ b/queue-7.0/net-ena-phc-fix-potential-use-after-free-in-get_timestamp.patch
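Review bot: Returning `rc` before `*ts = ns_to_timespec64(timestamp_nsec);` closes the copy of a possibly uninitialised `timestamp_nsec` to userspace, but the variable's declaration sits above the hunk and, per the commit message, carries no initialiser; a defensive `u64 timestamp_nsec = 0;` at the declaration (u64 presumed from the `u64 *timestamp` out-parameter of ena_com_phc_get_timestamp()) would keep a future error path that forgets this check from exposing stack contents again. Whether the declaration already has an initialiser cannot be seen from here. ena_phc_gettimex64() begins outside the hunk.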
@@ -0,0 +1,61 @@ +From e42c755582f0960e684298762f0ab927b3778376 Mon Sep 17 00:00:00 2001 +From: Arthur Kiyanovski +Date: Fri, 8 May 2026 06:21:21 +0000 +Subject: net: ena: PHC: Fix potential use-after-free in get_timestamp + +From: Arthur Kiyanovski + +commit e42c755582f0960e684298762f0ab927b3778376 upstream. + +Move the phc->active check and resp pointer assignment to after +acquiring the spinlock. Previously, phc->active was checked without +holding the lock, and resp was cached from ena_dev->phc.virt_addr +before the lock was acquired. + +If ena_com_phc_destroy() runs between the lockless active check and +the lock acquisition, it sets active=false, releases the lock, frees +the DMA memory, and sets virt_addr=NULL. The get_timestamp path would +then read a NULL virt_addr and dereference it. + +With both the active check and the pointer read under the lock, +destroy cannot free the memory while get_timestamp is using it. + +Fixes: e0ea34158ee8 ("net: ena: Add PHC support in the ENA driver") +Cc: stable@vger.kernel.org +Signed-off-by: Arthur Kiyanovski +Reviewed-by: Vadim Fedorenko +Link: https://patch.msgid.link/20260508062126.7273-1-akiyano@amazon.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_com.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_com.c ++++ b/drivers/net/ethernet/amazon/ena/ena_com.c +@@ -1782,20 +1782,23 @@ void ena_com_phc_destroy(struct ena_com_ + + int ena_com_phc_get_timestamp(struct ena_com_dev *ena_dev, u64 *timestamp) + { +- volatile struct ena_admin_phc_resp *resp = ena_dev->phc.virt_addr; + const ktime_t zero_system_time = ktime_set(0, 0); + struct ena_com_phc_info *phc = &ena_dev->phc; ++ volatile struct ena_admin_phc_resp *resp; + ktime_t expire_time; + ktime_t block_time; + unsigned long flags = 0; + int ret = 0; + ++ spin_lock_irqsave(&phc->lock, flags); ++ + if (!phc->active) { ++ 
spin_unlock_irqrestore(&phc->lock, flags); + netdev_err(ena_dev->net_device, "PHC feature is not active in the device\n"); + return -EOPNOTSUPP; + } + +- spin_lock_irqsave(&phc->lock, flags); ++ resp = ena_dev->phc.virt_addr; + + /* Check if PHC is in blocked state */ + if (unlikely(ktime_compare(phc->system_time, zero_system_time))) { diff --git a/queue-7.0/netfilter-nf_conntrack_sip-get-helper-before-allocating-expectation.patch b/queue-7.0/netfilter-nf_conntrack_sip-get-helper-before-allocating-expectation.patch new file mode 100644 index 0000000000..9bfded5acd --- /dev/null +++ b/queue-7.0/netfilter-nf_conntrack_sip-get-helper-before-allocating-expectation.patch 
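Review bot: After `resp = ena_dev->phc.virt_addr;` is taken under `phc->lock`, the protection the commit message describes holds only if every later use of `resp` also happens before the matching `spin_unlock_irqrestore()`; the remainder of ena_com_phc_get_timestamp() is outside the hunk, so that should be verified rather than assumed. A short comment at the assignment, `/* read under phc->lock: ena_com_phc_destroy() clears active and frees virt_addr under the same lock */`, would record why the read moved. Minor style point: the function already holds `phc = &ena_dev->phc`, so `resp = phc->virt_addr;` would match the surrounding code.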
@@ -0,0 +1,50 @@
+From eb6317739b1ea3ab28791e1f91b24781905fa815 Mon Sep 17 00:00:00 2001
+From: Li Xiasong
+Date: Thu, 7 May 2026 22:04:22 +0800
+Subject: netfilter: nf_conntrack_sip: get helper before allocating expectation
+
+From: Li Xiasong
+
+commit eb6317739b1ea3ab28791e1f91b24781905fa815 upstream.
+
+process_register_request() allocates an expectation and then checks
+whether a conntrack helper is available. If helper lookup fails, the
+function returns early and the allocated expectation is left behind.
+
+Reorder the code to fetch and validate helper before calling
+nf_ct_expect_alloc(). This keeps the logic simpler and removes the leak
+path while preserving existing behavior.
+
+Fixes: e14575fa7529 ("netfilter: nf_conntrack: use rcu accessors where needed")
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Xiasong
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_conntrack_sip.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_sip.c
++++ b/net/netfilter/nf_conntrack_sip.c
+@@ -1367,6 +1367,10 @@ static int process_register_request(stru
+ goto store_cseq;
+ }
+ 
++ helper = rcu_dereference(nfct_help(ct)->helper);
++ if (!helper)
++ return NF_DROP;
++
+ exp = nf_ct_expect_alloc(ct);
+ if (!exp) {
+ nf_ct_helper_log(skb, ct, "cannot alloc expectation");
+@@ -1377,10 +1381,6 @@ static int process_register_request(stru
+ if (sip_direct_signalling)
+ saddr = &ct->tuplehash[!dir].tuple.src.u3;
+ 
+- helper = rcu_dereference(nfct_help(ct)->helper);
+- if (!helper)
+- return NF_DROP;
+-
+ nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
+ saddr, &daddr, proto, NULL, &port);
+ exp->timeout.expires = sip_timeout * HZ;
diff --git a/queue-7.0/netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch b/queue-7.0/netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch
new file mode 100644
index 0000000000..9bcf6f1d1d
--- /dev/null
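Review bot: The relocated `if (!helper) return NF_DROP;` drops silently, whereas the adjacent `nf_ct_expect_alloc()` failure logs through `nf_ct_helper_log(skb, ct, "cannot alloc expectation")`; the reorder removes the leak but keeps that asymmetry, and a missing helper at this point is unusual enough that a matching log line (a constructed example: `nf_ct_helper_log(skb, ct, "no helper");`) would help when diagnosing dropped REGISTER requests. Existing behaviour is preserved either way, so this is optional. process_register_request() begins and ends outside both hunks.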
+++ b/queue-7.0/netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch
@@ -0,0 +1,34 @@
+From 19f94b6fee75b3ef7fbc06f3745b9a771a8a19a4 Mon Sep 17 00:00:00 2001
+From: Li Xiasong
+Date: Thu, 7 May 2026 22:04:23 +0800
+Subject: netfilter: nft_ct: fix missing expect put in obj eval
+
+From: Li Xiasong
+
+commit 19f94b6fee75b3ef7fbc06f3745b9a771a8a19a4 upstream.
+
+nft_ct_expect_obj_eval() allocates an expectation and may call
+nf_ct_expect_related(), but never drops its local reference.
+
+Add nf_ct_expect_put(exp) before return to balance allocation.
+
+Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Xiasong
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nft_ct.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -1381,6 +1381,8 @@ static void nft_ct_expect_obj_eval(struc
+ 
+ if (nf_ct_expect_related(exp, 0) != 0)
+ regs->verdict.code = NF_DROP;
++
++ nf_ct_expect_put(exp);
+ }
+ 
+ static const struct nla_policy nft_ct_expect_policy[NFTA_CT_EXPECT_MAX + 1] = {
diff --git a/queue-7.0/revert-acpi-cppc-adjust-debug-messages-in-amd_set_max_freq_ratio-to-warn.patch b/queue-7.0/revert-acpi-cppc-adjust-debug-messages-in-amd_set_max_freq_ratio-to-warn.patch
new file mode 100644
index 0000000000..dd6d1e6c8c
--- /dev/null
+++ b/queue-7.0/revert-acpi-cppc-adjust-debug-messages-in-amd_set_max_freq_ratio-to-warn.patch
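Review bot: The added `nf_ct_expect_put(exp);` is unconditional, which is correct only if `nf_ct_expect_related()` takes its own reference on success and does not consume the caller's on failure; the commit message says the put balances the allocation, so that appears to be the contract, but it deserves a why-comment such as `/* drop the allocation ref; nf_ct_expect_related() holds its own on success */` so nobody "fixes" it into a conditional later. The rest of nft_ct_expect_obj_eval(), including the allocation and its NULL check, is outside the hunk.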
@@ -0,0 +1,51 @@
+From db5dadb562cabb6da49959b473ed0d9645b6f2da Mon Sep 17 00:00:00 2001
+From: Mario Limonciello
+Date: Mon, 4 May 2026 18:01:37 -0500
+Subject: Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn"
+
+From: Mario Limonciello
+
+commit db5dadb562cabb6da49959b473ed0d9645b6f2da upstream.
+
+Some older systems don't support CPPC in the firmware and this just makes
+noise for them when booting. Drop back to debug.
+
+This reverts commit 21fb59ab4b9767085f4fe1edbdbe3177fbb9ec97.
+
+Fixes: 21fb59ab4b976 ("ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn")
+Suggested-by: Kim Phillips
+Signed-off-by: Mario Limonciello
+Tested-by: Kim Phillips
+Cc: All applicable
+Link: https://patch.msgid.link/20260504230141.484743-2-mario.limonciello@amd.com
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/acpi/cppc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/acpi/cppc.c
++++ b/arch/x86/kernel/acpi/cppc.c
+@@ -88,19 +88,19 @@ static void amd_set_max_freq_ratio(void)
+ 
+ rc = cppc_get_perf_caps(0, &perf_caps);
+ if (rc) {
+- pr_warn("Could not retrieve perf counters (%d)\n", rc);
++ pr_debug("Could not retrieve perf counters (%d)\n", rc);
+ return;
+ }
+ 
+ rc = amd_get_boost_ratio_numerator(0, &numerator);
+ if (rc) {
+- pr_warn("Could not retrieve highest performance (%d)\n", rc);
++ pr_debug("Could not retrieve highest performance (%d)\n", rc);
+ return;
+ }
+ nominal_perf = perf_caps.nominal_perf;
+ 
+ if (!nominal_perf) {
+- pr_warn("Could not retrieve nominal performance\n");
++ pr_debug("Could not retrieve nominal performance\n");
+ return;
+ }
+ 
diff --git a/queue-7.0/series b/queue-7.0/series
index a57726fc53..9a99923051 100644
--- a/queue-7.0/series
+++ b/queue-7.0/series
@@ -1038,3 +1038,23 @@ pci-initialize-temporary-device-in-new_id_store.patch
 workqueue-fix-devm_alloc_workqueue-va_list-misuse.patch
 net-sched-sch_pie-annotate-more-data-races-in-pie_du.patch
 sched-fair-fix-wakeup_preempt_fair-for-not-waking-up.patch
+crypto-af_alg-cap-aead-ad-length-to-0x80000000.patch
+i40e-cleanup-ptp-pins-on-probe-failure.patch
+workqueue-fix-wq-cpu_pwq-leak-in-alloc_and_link_pwqs-wq_unbound-path.patch
+net-ena-phc-fix-potential-use-after-free-in-get_timestamp.patch
+cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
+netfilter-nf_conntrack_sip-get-helper-before-allocating-expectation.patch
+audit-fix-incorrect-inheritable-capability-in-capset-records.patch
+net-ena-phc-check-return-code-before-setting-timestamp-output.patch
+cgroup-dmem-return-enomem-on-failed-pool-preallocation.patch
+idpf-fix-double-free-and-use-after-free-in-aux-device-error-paths.patch
+cgroup-cpuset-reserve-dl-bandwidth-only-for-root-domain-moves.patch
+revert-acpi-cppc-adjust-debug-messages-in-amd_set_max_freq_ratio-to-warn.patch
+netfilter-nft_ct-fix-missing-expect-put-in-obj-eval.patch
+net-atlantic-preserve-pci-wake-from-d3-on-shutdown-when-wol-enabled.patch
+audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch
+cgroup-cpuset-return-only-actually-allocated-cpus-during-partition-invalidation.patch
+kvm-x86-swap-the-dst-and-src-operand-for-movntdqa.patch
+kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch
+kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch
+kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch
diff --git a/queue-7.0/workqueue-fix-wq-cpu_pwq-leak-in-alloc_and_link_pwqs-wq_unbound-path.patch b/queue-7.0/workqueue-fix-wq-cpu_pwq-leak-in-alloc_and_link_pwqs-wq_unbound-path.patch
new file mode 100644
index 0000000000..062c9daeda
--- /dev/null
+++ b/queue-7.0/workqueue-fix-wq-cpu_pwq-leak-in-alloc_and_link_pwqs-wq_unbound-path.patch
@@ -0,0 +1,52 @@
+From 0143033dc22cdff912cfc13419f5db92fea3b4cb Mon Sep 17 00:00:00 2001
+From: Breno Leitao
+Date: Fri, 8 May 2026 09:22:03 -0700
+Subject: workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path
+
+From: Breno Leitao
+
+commit 0143033dc22cdff912cfc13419f5db92fea3b4cb upstream.
+
+For WQ_UNBOUND workqueues, alloc_and_link_pwqs() allocates wq->cpu_pwq
+via alloc_percpu() and then calls apply_workqueue_attrs_locked(). On
+failure it returns the error directly, bypassing the enomem: label
+which holds the only free_percpu(wq->cpu_pwq) in this function.
+
+The caller's error path kfree()s wq without touching wq->cpu_pwq,
+leaking one percpu pointer table (nr_cpu_ids * sizeof(void *) bytes) per
+failed call.
+
+If kmemleak is enabled, we can see:
+
+ unreferenced object (percpu) 0xc0fffa5b121048 (size 8):
+ comm "insmod", pid 776, jiffies 4294682844
+ backtrace (crc 0):
+ pcpu_alloc_noprof+0x665/0xac0
+ __alloc_workqueue+0x33f/0xa20
+ alloc_workqueue_noprof+0x60/0x100
+
+Route the error through the existing enomem: cleanup and any error
+before this one.
+
+Cc: stable@kernel.org
+Fixes: 636b927eba5b ("workqueue: Make unbound workqueues to use per-cpu pool_workqueues")
+Signed-off-by: Breno Leitao
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/workqueue.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/workqueue.c
++++ b/kernel/workqueue.c
+@@ -5629,7 +5629,9 @@ static int alloc_and_link_pwqs(struct wo
+ ret = apply_workqueue_attrs_locked(wq, unbound_std_wq_attrs[highpri]);
+ }
+ 
+- return ret;
++ if (ret)
++ goto enomem;
++ return 0;
+ 
+ enomem:
+ if (wq->cpu_pwq) {
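Review bot: `if (ret) goto enomem;` now routes every failure of apply_workqueue_attrs_locked(), not only -ENOMEM, through a label whose tail past `if (wq->cpu_pwq) {` is not visible; if that cleanup ends with a hard-coded `return -ENOMEM;` the caller sees the wrong error code, whereas a `return ret;` there would preserve it. Please confirm the label's exit value, and consider renaming the label now that it serves all error paths (a constructed example: `err_free_pwqs`), with a one-line comment noting that `ret` must already hold the error when jumping to it. alloc_and_link_pwqs() begins and ends outside the hunk.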