From: Greg Kroah-Hartman
Date: Mon, 20 Apr 2026 15:21:26 +0000 (+0200)
Subject: 6.12-stable patches
X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=73b9671b7e5cc2e0bd8a2f19a356379d22d12c58;p=thirdparty%2Fkernel%2Fstable-queue.git

6.12-stable patches

added patches:
ipv6-add-null-checks-for-idev-in-srv6-paths.patch
ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
ocfs2-validate-inline-data-i_size-during-inode-read.patch
pci-fix-placement-of-pci_save_state-in-pci_bus_add_device.patch
rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
---

diff --git a/queue-6.12/ipv6-add-null-checks-for-idev-in-srv6-paths.patch b/queue-6.12/ipv6-add-null-checks-for-idev-in-srv6-paths.patch
new file mode 100644
index 0000000000..ca195ddbc5
--- /dev/null
+++ b/queue-6.12/ipv6-add-null-checks-for-idev-in-srv6-paths.patch
@@ -0,0 +1,56 @@
+From stable+bounces-238692-greg=kroah.com@vger.kernel.org Mon Apr 20 07:43:16 2026
+From: Li hongliang <1468888505@139.com>
+Date: Mon, 20 Apr 2026 13:42:41 +0800
+Subject: ipv6: add NULL checks for idev in SRv6 paths
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org, heminhong@kylinos.cn
+Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, davem@davemloft.net, dsahern@kernel.org, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, david.lebrun@uclouvain.be, netdev@vger.kernel.org, andrea.mayer@uniroma2.it
+Message-ID: <20260420054241.3043646-1-1468888505@139.com>
+
+From: Minhong He
+
+[ Upstream commit 06413793526251870e20402c39930804f14d59c0 ]
+
+__in6_dev_get() can return NULL when the device has no IPv6 configuration
+(e.g. MTU < IPV6_MIN_MTU or after NETDEV_UNREGISTER).
+
+Add NULL checks for idev returned by __in6_dev_get() in both
+seg6_hmac_validate_skb() and ipv6_srh_rcv() to prevent potential NULL
+pointer dereferences.
+
+Fixes: 1ababeba4a21 ("ipv6: implement dataplane support for rthdr type 4 (Segment Routing Header)")
+Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
+Signed-off-by: Minhong He
+Reviewed-by: Andrea Mayer
+Link: https://patch.msgid.link/20260316073301.106643-1-heminhong@kylinos.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Li hongliang <1468888505@139.com>
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/exthdrs.c | 4 ++++
+ net/ipv6/seg6_hmac.c | 2 ++
+ 2 files changed, 6 insertions(+)
+
+--- a/net/ipv6/exthdrs.c
++++ b/net/ipv6/exthdrs.c
+@@ -379,6 +379,10 @@ static int ipv6_srh_rcv(struct sk_buff *
+ hdr = (struct ipv6_sr_hdr *)skb_transport_header(skb);
+
+ idev = __in6_dev_get(skb->dev);
++ if (!idev) {
++ kfree_skb(skb);
++ return -1;
++ }
+
+ accept_seg6 = min(READ_ONCE(net->ipv6.devconf_all->seg6_enabled),
+ READ_ONCE(idev->cnf.seg6_enabled));
+--- a/net/ipv6/seg6_hmac.c
++++ b/net/ipv6/seg6_hmac.c
+@@ -245,6 +245,8 @@ bool seg6_hmac_validate_skb(struct sk_bu
+ int require_hmac;
+
+ idev = __in6_dev_get(skb->dev);
++ if (!idev)
++ return false;
+
+ srh = (struct ipv6_sr_hdr *)skb_transport_header(skb);
+
diff --git a/queue-6.12/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch b/queue-6.12/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
new file mode 100644
index 0000000000..ce922b516a
--- /dev/null
+++ b/queue-6.12/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
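Review bot: The new drop in ipv6_srh_rcv() uses plain kfree_skb(), so a packet rejected because skb->dev has no inet6_dev is indistinguishable in drop tracing from every other unexplained drop, and if the function's later error paths (outside this hunk) bump per-device IPSTATS_MIB counters, this path cannot, because idev is exactly what is missing. A one-line comment above the check would make that trade-off visible: `/* no inet6_dev: nothing to account the drop against */`. If net/ipv6/exthdrs.c in 6.12 already uses kfree_skb_reason() elsewhere, a matching SKB_DROP_REASON_* value would be preferable to plain kfree_skb() here. The seg6_hmac_validate_skb() hunk has the same shape but just returns false to its caller, which is fine; both enclosing functions start and end outside their hunks.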
@@ -0,0 +1,53 @@
+From stable+bounces-236138-greg=kroah.com@vger.kernel.org Mon Apr 13 17:31:42 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 11:25:40 -0400
+Subject: ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
+To: stable@vger.kernel.org
+Cc: Dmitry Antipov , syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com, Joseph Qi , Joseph Qi , Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin
+Message-ID: <20260413152542.3042780-1-sashal@kernel.org>
+
+From: Dmitry Antipov
+
+[ Upstream commit a2b1c419ff72ec62ff5831684e30cd1d4f0b09ee ]
+
+In 'ocfs2_validate_inode_block()', add an extra check whether an inode
+with inline data (i.e. self-contained) has no clusters, thus preventing
+an invalid inode from being passed to 'ocfs2_evict_inode()' and below.
+
+Link: https://lkml.kernel.org/r/20251023141650.417129-1-dmantipov@yandex.ru
+Signed-off-by: Dmitry Antipov
+Reported-by: syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c16daba279a1161acfb0
+Reviewed-by: Joseph Qi
+Cc: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc: Heming Zhao
+Signed-off-by: Andrew Morton
+Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/inode.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1419,6 +1419,14 @@ int ocfs2_validate_inode_block(struct su
+ goto bail;
+ }
+
++ if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
++ le32_to_cpu(di->i_clusters)) {
++ rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
++ (unsigned long long)bh->b_blocknr,
++ le32_to_cpu(di->i_clusters));
++ goto bail;
++ }
++
+ rc = 0;
+
+ bail:
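Review bot: The new error string `"Invalid dinode %llu: %u clusters\n"` omits the `#` before the block number that the other inline-data messages added later in this same series use (`Invalid dinode #%llu: inline data ...`), so anyone filtering logs on the usual prefix will miss this rejection. Suggest `rc = ocfs2_error(sb, "Invalid dinode #%llu: %u clusters\n",`; the follow-up i_size patch carries the same string into its restructured block, so it would want the same change there. The enclosing function starts and ends outside the hunk.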
diff --git a/queue-6.12/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch b/queue-6.12/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
new file mode 100644
index 0000000000..fa3330a5dd
--- /dev/null
+++ b/queue-6.12/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
@@ -0,0 +1,77 @@
+From stable+bounces-236141-greg=kroah.com@vger.kernel.org Mon Apr 13 17:26:06 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 11:25:42 -0400
+Subject: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
+To: stable@vger.kernel.org
+Cc: Joseph Qi , syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com, Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin
+Message-ID: <20260413152542.3042780-3-sashal@kernel.org>
+
+From: Joseph Qi
+
+[ Upstream commit 7bc5da4842bed3252d26e742213741a4d0ac1b14 ]
+
+KASAN reports a use-after-free write of 4086 bytes in
+ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
+copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on
+a loop device. The actual bug is an out-of-bounds write past the inode
+block buffer, not a true use-after-free. The write overflows into an
+adjacent freed page, which KASAN reports as UAF.
+
+The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk
+id_count field to determine whether a write fits in inline data. On a
+corrupted filesystem, id_count can exceed the physical maximum inline data
+capacity, causing writes to overflow the inode block buffer.
+
+Call trace (crash path):
+
+ vfs_copy_file_range (fs/read_write.c:1634)
+ do_splice_direct
+ splice_direct_to_actor
+ iter_file_splice_write
+ ocfs2_file_write_iter
+ generic_perform_write
+ ocfs2_write_end
+ ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
+ ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
+ memcpy_from_folio <-- KASAN: write OOB
+
+So add id_count upper bound check in ocfs2_validate_inode_block() to
+alongside the existing i_size check to fix it.
+
+Link: https://lkml.kernel.org/r/20260403063830.3662739-1-joseph.qi@linux.alibaba.com
+Signed-off-by: Joseph Qi
+Reported-by: syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=62c1793956716ea8b28a
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc: Heming Zhao
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/inode.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1430,6 +1430,16 @@ int ocfs2_validate_inode_block(struct su
+ goto bail;
+ }
+
++ if (le16_to_cpu(data->id_count) >
++ ocfs2_max_inline_data_with_xattr(sb, di)) {
++ rc = ocfs2_error(sb,
++ "Invalid dinode #%llu: inline data id_count %u exceeds max %d\n",
++ (unsigned long long)bh->b_blocknr,
++ le16_to_cpu(data->id_count),
++ ocfs2_max_inline_data_with_xattr(sb, di));
++ goto bail;
++ }
++
+ if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
+ rc = ocfs2_error(sb,
+ "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
diff --git a/queue-6.12/ocfs2-validate-inline-data-i_size-during-inode-read.patch b/queue-6.12/ocfs2-validate-inline-data-i_size-during-inode-read.patch
new file mode 100644
index 0000000000..de27a64033
--- /dev/null
+++ b/queue-6.12/ocfs2-validate-inline-data-i_size-during-inode-read.patch
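Review bot: `ocfs2_max_inline_data_with_xattr(sb, di)` is evaluated twice in the new block, once in the condition and again as the last ocfs2_error() argument, which makes the check harder to read and lets the two values drift apart if the helper is ever changed. Hoist it into a local before the test, `int max_inline = ocfs2_max_inline_data_with_xattr(sb, di);`, then `if (le16_to_cpu(data->id_count) > max_inline) {` and pass `max_inline` to ocfs2_error(). The `%d` format suggests the helper returns a signed int; because le16_to_cpu() promotes to int, a negative result from a corrupted i_xattr_inline_size is still rejected by the `>`, which is the right outcome but deserves a short comment so nobody "fixes" the comparison to unsigned later. `data` and the enclosing inline-data block are declared outside this hunk.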
@@ -0,0 +1,88 @@
+From stable+bounces-236139-greg=kroah.com@vger.kernel.org Mon Apr 13 17:31:50 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 11:25:41 -0400
+Subject: ocfs2: validate inline data i_size during inode read
+To: stable@vger.kernel.org
+Cc: Deepanshu Kartikey , syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com, Joseph Qi , Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin
+Message-ID: <20260413152542.3042780-2-sashal@kernel.org>
+
+From: Deepanshu Kartikey
+
+[ Upstream commit 1524af3685b35feac76662cc551cbc37bd14775f ]
+
+When reading an inode from disk, ocfs2_validate_inode_block() performs
+various sanity checks but does not validate the size of inline data. If
+the filesystem is corrupted, an inode's i_size can exceed the actual
+inline data capacity (id_count).
+
+This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data
+buffer, triggering a use-after-free when accessing directory entries from
+freed memory.
+
+In the syzbot report:
+ - i_size was 1099511627576 bytes (~1TB)
+ - Actual inline data capacity (id_count) is typically <256 bytes
+ - A garbage rec_len (54648) caused ctx->pos to jump out of bounds
+ - This triggered a UAF in ocfs2_check_dir_entry()
+
+Fix by adding a validation check in ocfs2_validate_inode_block() to ensure
+inodes with inline data have i_size <= id_count. This catches the
+corruption early during inode read and prevents all downstream code from
+operating on invalid data.
+
+Link: https://lkml.kernel.org/r/20251212052132.16750-1-kartikey406@gmail.com
+Signed-off-by: Deepanshu Kartikey
+Reported-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c897823f699449cc3eb4
+Tested-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/all/20251211115231.3560028-1-kartikey406@gmail.com/T/ [v1]
+Link: https://lore.kernel.org/all/20251212040400.6377-1-kartikey406@gmail.com/T/ [v2]
+Reviewed-by: Joseph Qi
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Junxiao Bi
+Cc: Changwei Ge
+Cc: Jun Piao
+Cc: Heming Zhao
+Signed-off-by: Andrew Morton
+Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/inode.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/fs/ocfs2/inode.c
++++ b/fs/ocfs2/inode.c
+@@ -1419,12 +1419,25 @@ int ocfs2_validate_inode_block(struct su
+ goto bail;
+ }
+
+- if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) &&
+- le32_to_cpu(di->i_clusters)) {
+- rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n",
+- (unsigned long long)bh->b_blocknr,
+- le32_to_cpu(di->i_clusters));
+- goto bail;
++ if (le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) {
++ struct ocfs2_inline_data *data = &di->id2.i_data;
++
++ if (le32_to_cpu(di->i_clusters)) {
++ rc = ocfs2_error(sb,
++ "Invalid dinode %llu: %u clusters\n",
++ (unsigned long long)bh->b_blocknr,
++ le32_to_cpu(di->i_clusters));
++ goto bail;
++ }
++
++ if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) {
++ rc = ocfs2_error(sb,
++ "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n",
++ (unsigned long long)bh->b_blocknr,
++ (unsigned long long)le64_to_cpu(di->i_size),
++ le16_to_cpu(data->id_count));
++ goto bail;
++ }
+ }
+
+ rc = 0;
diff --git a/queue-6.12/pci-fix-placement-of-pci_save_state-in-pci_bus_add_device.patch b/queue-6.12/pci-fix-placement-of-pci_save_state-in-pci_bus_add_device.patch
new file mode 100644
index 0000000000..e87356921d
--- /dev/null
+++ b/queue-6.12/pci-fix-placement-of-pci_save_state-in-pci_bus_add_device.patch
@@ -0,0 +1,48 @@
+From lukas@wunner.de Mon Apr 20 07:11:09 2026
+From: Lukas Wunner
+Date: Mon, 20 Apr 2026 07:11:07 +0200
+Subject: PCI: Fix placement of pci_save_state() in pci_bus_add_device()
+To: Greg Kroah-Hartman , Sasha Levin
+Cc: stable@vger.kernel.org
+Message-ID: <06ca9feb332381c7809d4734ae087273cd8a3d31.1776661622.git.lukas@wunner.de>
+
+From: Lukas Wunner
+
+Commit 58130e7ce6cb ("PCI/ERR: Ensure error recoverability at all
+times") sought to backport upstream commit a2f1e22390ac, but misplaced
+the call to pci_save_state() in pci_bus_add_device():
+
+It put the call at the top of the function even though the upstream
+commit deliberately put it in the middle to capture config space changes
+caused by pci_fixup_final().
+
+Fix the placement.
+
+Signed-off-by: Lukas Wunner
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/bus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/bus.c
++++ b/drivers/pci/bus.c
+@@ -331,9 +331,6 @@ void pci_bus_add_device(struct pci_dev *
+ struct device_node *dn = dev->dev.of_node;
+ int retval;
+
+- /* Save config space for error recoverability */
+- pci_save_state(dev);
+-
+ /*
+ * Can not put in pci_device_add yet because resources
+ * are not assigned yet for some devices.
+@@ -346,6 +343,9 @@ void pci_bus_add_device(struct pci_dev *
+ pci_proc_attach_device(dev);
+ pci_bridge_d3_update(dev);
+
++ /* Save config space for error recoverability */
++ pci_save_state(dev);
++
+ dev->match_driver = !dn || of_device_is_available(dn);
+ retval = device_attach(&dev->dev);
+ if (retval < 0 && retval != -EPROBE_DEFER)
diff --git a/queue-6.12/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch b/queue-6.12/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
new file mode 100644
index 0000000000..e16f5c17a6
--- /dev/null
+++ b/queue-6.12/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
@@ -0,0 +1,63 @@
+From stable+bounces-237668-greg=kroah.com@vger.kernel.org Tue Apr 14 00:19:06 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 18:18:59 -0400
+Subject: rxrpc: Fix key quota calculation for multitoken keys
+To: stable@vger.kernel.org
+Cc: David Howells , Marc Dionne , Jeffrey Altman , Simon Horman , linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski , Sasha Levin
+Message-ID: <20260413221859.3749467-1-sashal@kernel.org>
+
+From: David Howells
+
+[ Upstream commit bdbfead6d38979475df0c2f4bad2b19394fe9bdc ]
+
+In the rxrpc key preparsing, every token extracted sets the proposed quota
+value, but for multitoken keys, this will overwrite the previous proposed
+quota, losing it.
+
+Fix this by adding to the proposed quota instead.
+
+Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing")
+Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
+Signed-off-by: David Howells
+cc: Marc Dionne
+cc: Jeffrey Altman
+cc: Simon Horman
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260408121252.2249051-2-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski
+[ dropped hunk for rxrpc_preparse_xdr_yfs_rxgk() ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/key.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/key.c
++++ b/net/rxrpc/key.c
+@@ -72,7 +72,7 @@ static int rxrpc_preparse_xdr_rxkad(stru
+ return -EKEYREJECTED;
+
+ plen = sizeof(*token) + sizeof(*token->kad) + tktlen;
+- prep->quotalen = datalen + plen;
++ prep->quotalen += datalen + plen;
+
+ plen -= sizeof(*token);
+ token = kzalloc(sizeof(*token), GFP_KERNEL);
+@@ -303,6 +303,7 @@ static int rxrpc_preparse(struct key_pre
+ memcpy(&kver, prep->data, sizeof(kver));
+ prep->data += sizeof(kver);
+ prep->datalen -= sizeof(kver);
++ prep->quotalen = 0;
+
+ _debug("KEY I/F VERSION: %u", kver);
+
+@@ -340,7 +341,7 @@ static int rxrpc_preparse(struct key_pre
+ goto error;
+
+ plen = sizeof(*token->kad) + v1->ticket_length;
+- prep->quotalen = plen + sizeof(*token);
++ prep->quotalen += plen + sizeof(*token);
+
+ ret = -ENOMEM;
+ token = kzalloc(sizeof(*token), GFP_KERNEL);
diff --git a/queue-6.12/series b/queue-6.12/series
index e65bac3ddd..9b92a8385a 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -153,3 +153,9 @@ media-as102-fix-to-not-free-memory-after-the-device-is-registered-in-as102_usb_p
 nilfs2-fix-null-i_assoc_inode-dereference-in-nilfs_mdt_save_to_shadow_map.patch
 media-vidtv-fix-pass-by-value-structs-causing-msan-warnings.patch
 media-hackrf-fix-to-not-free-memory-after-the-device-is-registered-in-hackrf_probe.patch
+ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
+ocfs2-validate-inline-data-i_size-during-inode-read.patch
+ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
+rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
+pci-fix-placement-of-pci_save_state-in-pci_bus_add_device.patch
+ipv6-add-null-checks-for-idev-in-srv6-paths.patch
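Review bot: With the rxrpc_preparse_xdr_yfs_rxgk() hunk dropped from this backport, the fix depends on every remaining token parser in net/rxrpc/key.c accumulating into prep->quotalen rather than assigning it; only rxrpc_preparse_xdr_rxkad() and the v1 path in rxrpc_preparse() are visible here, so it is worth confirming that no other `prep->quotalen =` assignment survives in the 6.12 file, or a multi-token key would again lose the earlier tokens' contribution. The new `prep->quotalen = 0;` in rxrpc_preparse() also discards whatever the key core seeded before preparse (as I recall, the key type's default data length), which is intended now that each token adds its own size, but a one-line comment would spare the next reader the question: `/* each token parsed below adds its own size to the quota */`. Both enclosing functions start and end outside their hunks.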