6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Apr 2026 15:21:26 +0000 (17:21 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Apr 2026 15:21:26 +0000 (17:21 +0200)
added patches:
ipv6-add-null-checks-for-idev-in-srv6-paths.patch
ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
ocfs2-validate-inline-data-i_size-during-inode-read.patch
pci-fix-placement-of-pci_save_state-in-pci_bus_add_device.patch
rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch

queue-6.12/ipv6-add-null-checks-for-idev-in-srv6-paths.patch [new file with mode: 0644]
queue-6.12/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch [new file with mode: 0644]
queue-6.12/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch [new file with mode: 0644]
queue-6.12/ocfs2-validate-inline-data-i_size-during-inode-read.patch [new file with mode: 0644]
queue-6.12/pci-fix-placement-of-pci_save_state-in-pci_bus_add_device.patch [new file with mode: 0644]
queue-6.12/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch [new file with mode: 0644]
queue-6.12/series

diff --git a/queue-6.12/ipv6-add-null-checks-for-idev-in-srv6-paths.patch b/queue-6.12/ipv6-add-null-checks-for-idev-in-srv6-paths.patch
new file mode 100644 (file)
index 0000000..ca195dd
--- /dev/null
@@ -0,0 +1,56 @@
+From stable+bounces-238692-greg=kroah.com@vger.kernel.org Mon Apr 20 07:43:16 2026
+From: Li hongliang <1468888505@139.com>
+Date: Mon, 20 Apr 2026 13:42:41 +0800
+Subject: ipv6: add NULL checks for idev in SRv6 paths
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org, heminhong@kylinos.cn
+Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, david.lebrun@uclouvain.be, netdev@vger.kernel.org, andrea.mayer@uniroma2.it
+Message-ID: <20260420054241.3043646-1-1468888505@139.com>
+
+From: Minhong He <heminhong@kylinos.cn>
+
+[ Upstream commit 06413793526251870e20402c39930804f14d59c0 ]
+
+__in6_dev_get() can return NULL when the device has no IPv6 configuration
+(e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER).
+
+Add NULL checks for idev returned by __in6_dev_get() in both
+seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL
+pointer dereferences.
+
+Fixes: 1ababeba4a21 ("ipv6: implement dataplane support for rthdr type 4 (Segment Routing Header)")
+Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
+Signed-off-by: Minhong He <heminhong@kylinos.cn>
+Reviewed-by: Andrea Mayer <andrea.mayer@uniroma2.it>
+Link: https://patch.msgid.link/20260316073301.106643-1-heminhong@kylinos.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Li hongliang <1468888505@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/exthdrs.c   |    4 ++++
+ net/ipv6/seg6_hmac.c |    2 ++
+ 2 files changed, 6 insertions(+)
+
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -379,6 +379,10 @@ static int ipv6_srh_rcv(struct sk_buff *
+       hdr = (struct ipv6_sr_hdr *)skb_transport_header(skb);
+       idev = __in6_dev_get(skb->dev);
++      if (!idev) {
++              kfree_skb(skb);
++              return -1;
++      }
+       accept_seg6 = min(READ_ONCE(net->ipv6.devconf_all->seg6_enabled),
+                         READ_ONCE(idev->cnf.seg6_enabled));
+--- a/net/ipv6/seg6_hmac.c
++++ b/net/ipv6/seg6_hmac.c
+@@ -245,6 +245,8 @@ bool seg6_hmac_validate_skb(struct sk_bu
+       int require_hmac;
+       idev = __in6_dev_get(skb->dev);
++      if (!idev)
++              return false;
+       srh = (struct ipv6_sr_hdr *)skb_transport_header(skb);
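Review bot: The new `!idev` branch in ipv6_srh_rcv() frees the skb and returns -1 with no drop accounting and no comment, so SRv6 packets discarded on a device without IPv6 configuration leave no trace for whoever is diagnosing the loss. A one-line comment such as `/* no inet6_dev on ingress device (e.g. MTU < IPV6_MIN_MTU): drop */` would record why the branch exists, and if the function's other error exits bump an input-error counter, the same should probably happen here. In seg6_hmac_validate_skb() the added `return false` presumably makes callers treat the packet as failing HMAC validation, which is the fail-closed choice. Both functions start and end outside the quoted hunks, so neither the other exits nor the callers are visible here.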
diff --git a/queue-6.12/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch b/queue-6.12/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
new file mode 100644 (file)
index 0000000..ce922b5
--- /dev/null
@@ -0,0 +1,53 @@
+From stable+bounces-236138-greg=kroah.com@vger.kernel.org Mon Apr 13 17:31:42 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 11:25:40 -0400
+Subject: ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
+To: stable@vger.kernel.org
+Cc: Dmitry Antipov <dmantipov@yandex.ru>, syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com, Joseph Qi <joseph.qi@linux.alibaba.com>, Joseph Qi <jiangqi903@gmail.com>, Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>, Junxiao Bi <junxiao.bi@oracle.com>, Changwei Ge <gechangwei@live.cn>, Jun Piao <piaojun@huawei.com>, Heming Zhao <heming.zhao@suse.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413152542.3042780-1-sashal@kernel.org>
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit a2b1c419ff72ec62ff5831684e30cd1d4f0b09ee ]
+
+In 'ocfs2_validate_inode_block()', add an extra check whether an inode
+with inline data (i.e.  self-contained) has no clusters, thus preventing
+an invalid inode from being passed to 'ocfs2_evict_inode()' and below.
+
+Link: https://lkml.kernel.org/r/20251023141650.417129-1-dmantipov@yandex.ru
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reported-by: syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c16daba279a1161acfb0
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Heming Zhao <heming.zhao@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/inode.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1419,6 +1419,14 @@ int ocfs2_validate_inode_block(struct su
+               goto bail;
+       }
++      if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
++          le32_to_cpu(di->i_clusters)) {
++              rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
++                               (unsigned long long)bh->b_blocknr,
++                               le32_to_cpu(di->i_clusters));
++              goto bail;
++      }
++
+       rc = 0;
+ bail:
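Review bot: The added check in ocfs2_validate_inode_block() carries no comment stating the invariant it enforces, and the message `Invalid dinode %llu: %u clusters` does not mention inline data, so someone reading the log cannot tell why a non-zero cluster count is invalid. I would add above the `if`: `/* An inline-data inode is self-contained and must not own any clusters. */`. The function body starts before and continues after the hunk.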
diff --git a/queue-6.12/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch b/queue-6.12/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
new file mode 100644 (file)
index 0000000..fa3330a
--- /dev/null
@@ -0,0 +1,77 @@
+From stable+bounces-236141-greg=kroah.com@vger.kernel.org Mon Apr 13 17:26:06 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 11:25:42 -0400
+Subject: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
+To: stable@vger.kernel.org
+Cc: Joseph Qi <joseph.qi@linux.alibaba.com>, syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com, Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>, Junxiao Bi <junxiao.bi@oracle.com>, Changwei Ge <gechangwei@live.cn>, Jun Piao <piaojun@huawei.com>, Heming Zhao <heming.zhao@suse.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413152542.3042780-3-sashal@kernel.org>
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+[ Upstream commit 7bc5da4842bed3252d26e742213741a4d0ac1b14 ]
+
+KASAN reports a use-after-free write of 4086 bytes in
+ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
+copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on
+a loop device.  The actual bug is an out-of-bounds write past the inode
+block buffer, not a true use-after-free.  The write overflows into an
+adjacent freed page, which KASAN reports as UAF.
+
+The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk
+id_count field to determine whether a write fits in inline data.  On a
+corrupted filesystem, id_count can exceed the physical maximum inline data
+capacity, causing writes to overflow the inode block buffer.
+
+Call trace (crash path):
+
+   vfs_copy_file_range (fs/read_write.c:1634)
+     do_splice_direct
+       splice_direct_to_actor
+         iter_file_splice_write
+           ocfs2_file_write_iter
+             generic_perform_write
+               ocfs2_write_end
+                 ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
+                   ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
+                     memcpy_from_folio     <-- KASAN: write OOB
+
+So add id_count upper bound check in ocfs2_validate_inode_block() to
+alongside the existing i_size check to fix it.
+
+Link: https://lkml.kernel.org/r/20260403063830.3662739-1-joseph.qi@linux.alibaba.com
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Reported-by: syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=62c1793956716ea8b28a
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Heming Zhao <heming.zhao@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/inode.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1430,6 +1430,16 @@ int ocfs2_validate_inode_block(struct su
+                       goto bail;
+               }
++              if (le16_to_cpu(data->id_count) >
++                  ocfs2_max_inline_data_with_xattr(sb, di)) {
++                      rc = ocfs2_error(sb,
++                                       "Invalid dinode #%llu: inline data id_count %u exceeds max %d\n",
++                                       (unsigned long long)bh->b_blocknr,
++                                       le16_to_cpu(data->id_count),
++                                       ocfs2_max_inline_data_with_xattr(sb, di));
++                      goto bail;
++              }
++
+               if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
+                       rc = ocfs2_error(sb,
+                                        "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
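Review bot: `ocfs2_max_inline_data_with_xattr(sb, di)` is evaluated twice in the added block, once for the comparison and once for the error message. Taking it once, `int max_inline = ocfs2_max_inline_data_with_xattr(sb, di);` declared next to `data`, and using `max_inline` in both places keeps the reported bound and the enforced bound from drifting apart. The bound is itself computed from the on-disk `di`, and the `%d` suggests a signed result, so it is worth confirming that a corrupted inline-xattr size can only make the check stricter (the helper is not visible here). A short comment that this check must stay ahead of the `i_size > id_count` test, because that test trusts `id_count`, would also help. The enclosing `if` block begins outside the hunk.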
diff --git a/queue-6.12/ocfs2-validate-inline-data-i_size-during-inode-read.patch b/queue-6.12/ocfs2-validate-inline-data-i_size-during-inode-read.patch
new file mode 100644 (file)
index 0000000..de27a64
--- /dev/null
@@ -0,0 +1,88 @@
+From stable+bounces-236139-greg=kroah.com@vger.kernel.org Mon Apr 13 17:31:50 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 11:25:41 -0400
+Subject: ocfs2: validate inline data i_size during inode read
+To: stable@vger.kernel.org
+Cc: Deepanshu Kartikey <kartikey406@gmail.com>, syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com, Joseph Qi <joseph.qi@linux.alibaba.com>, Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>, Junxiao Bi <junxiao.bi@oracle.com>, Changwei Ge <gechangwei@live.cn>, Jun Piao <piaojun@huawei.com>, Heming Zhao <heming.zhao@suse.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413152542.3042780-2-sashal@kernel.org>
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+[ Upstream commit 1524af3685b35feac76662cc551cbc37bd14775f ]
+
+When reading an inode from disk, ocfs2_validate_inode_block() performs
+various sanity checks but does not validate the size of inline data.  If
+the filesystem is corrupted, an inode's i_size can exceed the actual
+inline data capacity (id_count).
+
+This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data
+buffer, triggering a use-after-free when accessing directory entries from
+freed memory.
+
+In the syzbot report:
+  - i_size was 1099511627576 bytes (~1TB)
+  - Actual inline data capacity (id_count) is typically <256 bytes
+  - A garbage rec_len (54648) caused ctx->pos to jump out of bounds
+  - This triggered a UAF in ocfs2_check_dir_entry()
+
+Fix by adding a validation check in ocfs2_validate_inode_block() to ensure
+inodes with inline data have i_size <= id_count.  This catches the
+corruption early during inode read and prevents all downstream code from
+operating on invalid data.
+
+Link: https://lkml.kernel.org/r/20251212052132.16750-1-kartikey406@gmail.com
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Reported-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c897823f699449cc3eb4
+Tested-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/all/20251211115231.3560028-1-kartikey406@gmail.com/T/ [v1]
+Link: https://lore.kernel.org/all/20251212040400.6377-1-kartikey406@gmail.com/T/ [v2]
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Heming Zhao <heming.zhao@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/inode.c |   25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1419,12 +1419,25 @@ int ocfs2_validate_inode_block(struct su
+               goto bail;
+       }
+-      if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
+-          le32_to_cpu(di->i_clusters)) {
+-              rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
+-                               (unsigned long long)bh->b_blocknr,
+-                               le32_to_cpu(di->i_clusters));
+-              goto bail;
++      if (le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) {
++              struct ocfs2_inline_data *data = &di->id2.i_data;
++
++              if (le32_to_cpu(di->i_clusters)) {
++                      rc = ocfs2_error(sb,
++                                       "Invalid dinode %llu: %u clusters\n",
++                                       (unsigned long long)bh->b_blocknr,
++                                       le32_to_cpu(di->i_clusters));
++                      goto bail;
++              }
++
++              if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
++                      rc = ocfs2_error(sb,
++                                       "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
++                                       (unsigned long long)bh->b_blocknr,
++                                       (unsigned long long)le64_to_cpu(di->i_size),
++                                       le16_to_cpu(data->id_count));
++                      goto bail;
++              }
+       }
+       rc = 0;
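Review bot: The two ocfs2_error() messages in the new inline-data block use different prefixes, `Invalid dinode %llu:` for the cluster check and `Invalid dinode #%llu:` for the i_size check, so a log filter written for one form will miss the other. Using one form in both, matching whatever the rest of ocfs2_validate_inode_block() uses (not visible in this hunk), would keep on-disk corruption reports uniformly searchable. If the strings must stay identical to upstream for the backport, the alignment belongs upstream first. The function starts before the hunk and continues past `rc = 0;`.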
diff --git a/queue-6.12/pci-fix-placement-of-pci_save_state-in-pci_bus_add_device.patch b/queue-6.12/pci-fix-placement-of-pci_save_state-in-pci_bus_add_device.patch
new file mode 100644 (file)
index 0000000..e873569
--- /dev/null
@@ -0,0 +1,48 @@
+From lukas@wunner.de Mon Apr 20 07:11:09 2026
+From: Lukas Wunner <lukas@wunner.de>
+Date: Mon, 20 Apr 2026 07:11:07 +0200
+Subject: PCI: Fix placement of pci_save_state() in pci_bus_add_device()
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Cc: stable@vger.kernel.org
+Message-ID: <06ca9feb332381c7809d4734ae087273cd8a3d31.1776661622.git.lukas@wunner.de>
+
+From: Lukas Wunner <lukas@wunner.de>
+
+Commit 58130e7ce6cb ("PCI/ERR: Ensure error recoverability at all
+times") sought to backport upstream commit a2f1e22390ac, but misplaced
+the call to pci_save_state() in pci_bus_add_device():
+
+It put the call at the top of the function even though the upstream
+commit deliberately put it in the middle to capture config space changes
+caused by pci_fixup_final().
+
+Fix the placement.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/bus.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/bus.c
++++ b/drivers/pci/bus.c
+@@ -331,9 +331,6 @@ void pci_bus_add_device(struct pci_dev *
+       struct device_node *dn = dev->dev.of_node;
+       int retval;
+-      /* Save config space for error recoverability */
+-      pci_save_state(dev);
+-
+       /*
+        * Can not put in pci_device_add yet because resources
+        * are not assigned yet for some devices.
+@@ -346,6 +343,9 @@ void pci_bus_add_device(struct pci_dev *
+       pci_proc_attach_device(dev);
+       pci_bridge_d3_update(dev);
++      /* Save config space for error recoverability */
++      pci_save_state(dev);
++
+       dev->match_driver = !dn || of_device_is_available(dn);
+       retval = device_attach(&dev->dev);
+       if (retval < 0 && retval != -EPROBE_DEFER)
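Review bot: The relocated comment `/* Save config space for error recoverability */` does not say why the call has to sit at this point, which is exactly what the earlier backport got wrong. Per the commit message the call must follow pci_fixup_final() so that config space changes made by the fixups are captured. I would extend the comment to `/* Save config space for error recoverability; must run after the final fixups so their config space changes are captured */`. The fixup call lies in the context between the two hunks and is not visible here, and pci_bus_add_device() continues past the hunk.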
diff --git a/queue-6.12/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch b/queue-6.12/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
new file mode 100644 (file)
index 0000000..e16f5c1
--- /dev/null
@@ -0,0 +1,63 @@
+From stable+bounces-237668-greg=kroah.com@vger.kernel.org Tue Apr 14 00:19:06 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Apr 2026 18:18:59 -0400
+Subject: rxrpc: Fix key quota calculation for multitoken keys
+To: stable@vger.kernel.org
+Cc: David Howells <dhowells@redhat.com>, Marc Dionne <marc.dionne@auristor.com>, Jeffrey Altman <jaltman@auristor.com>, Simon Horman <horms@kernel.org>, linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260413221859.3749467-1-sashal@kernel.org>
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit bdbfead6d38979475df0c2f4bad2b19394fe9bdc ]
+
+In the rxrpc key preparsing, every token extracted sets the proposed quota
+value, but for multitoken keys, this will overwrite the previous proposed
+quota, losing it.
+
+Fix this by adding to the proposed quota instead.
+
+Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing")
+Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Jeffrey Altman <jaltman@auristor.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260408121252.2249051-2-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ dropped hunk for rxrpc_preparse_xdr_yfs_rxgk() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rxrpc/key.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -72,7 +72,7 @@ static int rxrpc_preparse_xdr_rxkad(stru
+               return -EKEYREJECTED;
+       plen = sizeof(*token) + sizeof(*token->kad) + tktlen;
+-      prep->quotalen = datalen + plen;
++      prep->quotalen += datalen + plen;
+       plen -= sizeof(*token);
+       token = kzalloc(sizeof(*token), GFP_KERNEL);
+@@ -303,6 +303,7 @@ static int rxrpc_preparse(struct key_pre
+       memcpy(&kver, prep->data, sizeof(kver));
+       prep->data += sizeof(kver);
+       prep->datalen -= sizeof(kver);
++      prep->quotalen = 0;
+       _debug("KEY I/F VERSION: %u", kver);
+@@ -340,7 +341,7 @@ static int rxrpc_preparse(struct key_pre
+               goto error;
+       plen = sizeof(*token->kad) + v1->ticket_length;
+-      prep->quotalen = plen + sizeof(*token);
++      prep->quotalen += plen + sizeof(*token);
+       ret = -ENOMEM;
+       token = kzalloc(sizeof(*token), GFP_KERNEL);
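Review bot: With both assignments changed to `+=`, the only visible initialisation of the running total is the bare `prep->quotalen = 0;` after the key interface version is read in rxrpc_preparse(). Nothing states what that reset guards against or what value rxrpc_preparse_xdr_rxkad() starts from. If the reset is there to discard quota counted by an XDR parse attempt that was abandoned, a comment such as `/* drop any quota counted by a failed XDR parse */` would make that explicit; the XDR caller is outside the hunks, so this needs confirming. It is also worth checking that the number and size of tokens are bounded before the additions, since `quotalen` now sums lengths taken from the key payload. All three functions start and end outside the hunks.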
index e65bac3ddd1b28e9d6c10dd61746a5fa68cac6c8..9b92a8385aae070ea03470ce4aafd0ebb2f5e0ef 100644 (file)
@@ -153,3 +153,9 @@ media-as102-fix-to-not-free-memory-after-the-device-is-registered-in-as102_usb_p
 nilfs2-fix-null-i_assoc_inode-dereference-in-nilfs_mdt_save_to_shadow_map.patch
 media-vidtv-fix-pass-by-value-structs-causing-msan-warnings.patch
 media-hackrf-fix-to-not-free-memory-after-the-device-is-registered-in-hackrf_probe.patch
+ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
+ocfs2-validate-inline-data-i_size-during-inode-read.patch
+ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
+rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
+pci-fix-placement-of-pci_save_state-in-pci_bus_add_device.patch
+ipv6-add-null-checks-for-idev-in-srv6-paths.patch