- Kernel - mailweb.openeuler.org

[PATCH OLK-6.6] dmaengine: idxd: Fix memory leak when a wq is reset
by Yin Tirui 12 May '26

12 May '26

From: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> stable inclusion from stable-v6.6.131 commit 54d77cc0c40ca2f894859dc7b3c52997574f1a2a category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14184 CVE: CVE-2026-31441 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit d9cfb5193a047a92a4d3c0e91ea4cc87c8f7c478 ] idxd_wq_disable_cleanup() which is called from the reset path for a workqueue, sets the wq type to NONE, which for other parts of the driver mean that the wq is empty (all its resources were released). Only set the wq type to NONE after its resources are released. Fixes: da32b28c95a7 ("dmaengine: idxd: cleanup workqueue config after disabling") Reviewed-by: Dave Jiang <dave.jiang(a)intel.com> Signed-off-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-8-7ed… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/dma/idxd/device.c [context conflicts.] Signed-off-by: Yin Tirui <yintirui(a)huawei.com> --- drivers/dma/idxd/device.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c index c41ef195eeb9f..d8e0a12f62ace 100644 --- a/drivers/dma/idxd/device.c +++ b/drivers/dma/idxd/device.c @@ -174,6 +174,7 @@ void idxd_wq_free_resources(struct idxd_wq *wq) free_descs(wq); dma_free_coherent(dev, wq->compls_size, wq->compls, wq->compls_addr); sbitmap_queue_free(&wq->sbq); + wq->type = IDXD_WQT_NONE; } EXPORT_SYMBOL_NS_GPL(idxd_wq_free_resources, IDXD); @@ -367,7 +368,6 @@ static void idxd_wq_disable_cleanup(struct idxd_wq *wq) lockdep_assert_held(&wq->wq_lock); wq->state = IDXD_WQ_DISABLED; memset(wq->wqcfg, 0, idxd->wqcfg_size); - wq->type = IDXD_WQT_NONE; wq->threshold = 0; wq->priority = 0; wq->enqcmds_retries = IDXD_ENQCMDS_RETRIES; @@ -1513,7 +1513,6 @@ void idxd_drv_disable_wq(struct idxd_wq *wq) idxd_wq_reset(wq); idxd_wq_free_resources(wq); percpu_ref_exit(&wq->wq_active); - wq->type = IDXD_WQT_NONE; wq->client_count = 0; } EXPORT_SYMBOL_NS_GPL(idxd_drv_disable_wq, IDXD); -- 2.43.0

2 1

[PATCH OLK-6.6 0/5] 5 CVE fix patches
by Xia Fukun 12 May '26

12 May '26

CVE-2026-31522 CVE-2026-31520 CVE-2026-31667 CVE-2026-31625 CVE-2026-31624 Greg Kroah-Hartman (2): HID: alps: fix NULL pointer dereference in alps_raw_event() HID: core: clamp report_size in s32ton() to avoid undefined shift Günther Noack (2): HID: magicmouse: avoid memory leak in magicmouse_report_fixup() HID: apple: avoid memory leak in apple_report_fixup() Mikhail Gavrilov (1): Input: uinput - fix circular locking dependency with ff-core drivers/hid/hid-alps.c | 3 +++ drivers/hid/hid-apple.c | 4 +--- drivers/hid/hid-core.c | 3 +++ drivers/hid/hid-magicmouse.c | 4 +--- drivers/input/misc/uinput.c | 28 +++++++++++++++++++++------- 5 files changed, 29 insertions(+), 13 deletions(-) -- 2.34.1

2 6

[PATCH OLK-5.10] Bluetooth: SMP: derive legacy responder STK authentication from MITM state
by Chen Jinghuang 12 May '26

12 May '26

From: Oleh Konko <security(a)1seal.org> stable inclusion from stable-v5.10.253 commit 9a38659a3d06080715691bd3139f9c4b61f688e3 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14523 CVE: CVE-2026-31773 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------------------------- commit 20756fec2f0108cb88e815941f1ffff88dc286fe upstream. The legacy responder path in smp_random() currently labels the stored STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH. That reflects what the local service requested, not what the pairing flow actually achieved. For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear and the resulting STK should remain unauthenticated even if the local side requested HIGH security. Use the established MITM state when storing the responder STK so the key metadata matches the pairing result. This also keeps the legacy path aligned with the Secure Connections code, which already treats JUST_WORKS/JUST_CFM as unauthenticated. Fixes: fff3490f4781 ("Bluetooth: Fix setting correct authentication information for SMP STK") Cc: stable(a)vger.kernel.org Signed-off-by: Oleh Konko <security(a)1seal.org> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Chen Jinghuang <chenjinghuang2(a)huawei.com> --- net/bluetooth/smp.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index d9a378d12be6..d3bc89bbbeb9 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c @@ -1017,10 +1017,7 @@ static u8 smp_random(struct smp_chan *smp) smp_s1(smp->tk, smp->prnd, smp->rrnd, stk); - if (hcon->pending_sec_level == BT_SECURITY_HIGH) - auth = 1; - else - auth = 0; + auth = test_bit(SMP_FLAG_MITM_AUTH, &smp->flags) ? 1 : 0; /* Even though there's no _RESPONDER suffix this is the * responder STK we're adding for later lookup (the initiator -- 2.34.1

2 1

[PATCH OLK-6.6] Bluetooth: SMP: derive legacy responder STK authentication from MITM state
by Chen Jinghuang 12 May '26

12 May '26

From: Oleh Konko <security(a)1seal.org> stable inclusion from stable-v6.6.134 commit b1c6a8e554a39b222c0879a288ea98e338fc4d77 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14523 CVE: CVE-2026-31773 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------------------------- commit 20756fec2f0108cb88e815941f1ffff88dc286fe upstream. The legacy responder path in smp_random() currently labels the stored STK as authenticated whenever pending_sec_level is BT_SECURITY_HIGH. That reflects what the local service requested, not what the pairing flow actually achieved. For Just Works/Confirm legacy pairing, SMP_FLAG_MITM_AUTH stays clear and the resulting STK should remain unauthenticated even if the local side requested HIGH security. Use the established MITM state when storing the responder STK so the key metadata matches the pairing result. This also keeps the legacy path aligned with the Secure Connections code, which already treats JUST_WORKS/JUST_CFM as unauthenticated. Fixes: fff3490f4781 ("Bluetooth: Fix setting correct authentication information for SMP STK") Cc: stable(a)vger.kernel.org Signed-off-by: Oleh Konko <security(a)1seal.org> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Chen Jinghuang <chenjinghuang2(a)huawei.com> --- net/bluetooth/smp.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index e7ee13fe83a7..101cc9007cf0 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c @@ -1019,10 +1019,7 @@ static u8 smp_random(struct smp_chan *smp) smp_s1(smp->tk, smp->prnd, smp->rrnd, stk); - if (hcon->pending_sec_level == BT_SECURITY_HIGH) - auth = 1; - else - auth = 0; + auth = test_bit(SMP_FLAG_MITM_AUTH, &smp->flags) ? 1 : 0; /* Even though there's no _RESPONDER suffix this is the * responder STK we're adding for later lookup (the initiator -- 2.34.1

2 1

[PATCH OLK-6.6 v4 00/32] ext4 hardware atomic write support
by Long Li 12 May '26

12 May '26

This patch set support ext4 hardware atomic write. Alan Adamson (1): nvme: Atomic write support John Garry (12): block: Pass blk_queue_get_max_sectors() a request pointer block: Generalize chunk_sectors support as boundary support block: Add core atomic write support block: Call blkdev_dio_unaligned() from blkdev_direct_IO() block: Add fops atomic write support block/fs: Pass an iocb to generic_atomic_write_valid() fs/block: Check for IOCB_DIRECT in generic_atomic_write_valid() block: Add bdev atomic write limits helpers fs: Export generic_atomic_write_valid() fs: iomap: Atomic write support block: Fix blk_validate_atomic_write_limits() build for arm32 nvme: stop using AWUPF Long Li (3): block: fix kabi broken in struct queue_limits fs: fix kabi broken in struct kstat block: fix kabi broken in enum req_flag_bits Prasad Singamsetty (2): fs: Initial atomic write support fs: Add initial atomic write support info to statx Ritesh Harjani (IBM) (14): ext4: Add statx support for atomic writes ext4: Check for atomic writes support in write iter ext4: Support setting FMODE_CAN_ATOMIC_WRITE ext4: Do not fallback to buffered-io for DIO atomic write ext4: Document an edge case for overwrites ext4: Check if inode uses extents in ext4_inode_can_atomic_write() ext4: Make ext4_meta_trans_blocks() non-static for later use ext4: Add support for EXT4_GET_BLOCKS_QUERY_LEAF_BLOCKS ext4: Add multi-fsblock atomic write support with bigalloc ext4: Enable support for ext4 multi-fsblock atomic write using bigalloc ext4: Add atomic block write documentation iomap: Lift blocksize restriction on atomic writes ext4: Unwritten to written conversion requires EXT4_EX_NOCACHE ext4: Simplify last in leaf check in ext4_map_query_blocks Documentation/ABI/stable/sysfs-block | 53 +++ .../filesystems/ext4/atomic_writes.rst | 225 ++++++++++++ Documentation/filesystems/ext4/overview.rst | 1 + block/blk-core.c | 19 + block/blk-merge.c | 67 +++- block/blk-mq.c | 2 +- block/blk-settings.c | 86 +++++ block/blk-sysfs.c | 33 ++ block/blk.h | 9 +- block/fops.c | 51 ++- drivers/md/dm.c | 2 +- drivers/nvme/host/core.c | 64 +++- fs/aio.c | 8 +- fs/btrfs/ioctl.c | 2 +- fs/ext4/ext4.h | 35 +- fs/ext4/extents.c | 99 +++++ fs/ext4/file.c | 31 +- fs/ext4/inode.c | 345 ++++++++++++++++-- fs/ext4/super.c | 34 ++ fs/iomap/direct-io.c | 38 +- fs/iomap/trace.h | 3 +- fs/read_write.c | 22 +- fs/stat.c | 34 ++ include/linux/blk_types.h | 8 +- include/linux/blkdev.h | 84 ++++- include/linux/fs.h | 18 +- include/linux/iomap.h | 1 + include/linux/stat.h | 5 +- include/uapi/linux/fs.h | 5 +- include/uapi/linux/stat.h | 11 +- io_uring/rw.c | 8 +- 31 files changed, 1313 insertions(+), 90 deletions(-) create mode 100644 Documentation/filesystems/ext4/atomic_writes.rst -- 2.52.0

2 33

[PATCH OLK-6.6] ixgbevf: add missing negotiate_features op to Hyper-V ops table
by Pu Lehui 12 May '26

12 May '26

From: Michal Schmidt <mschmidt(a)redhat.com> stable inclusion from stable-v6.6.136 commit d8a747057a17ffc79e31df1abb11d05e1669d8e5 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14640 CVE: CVE-2026-43094 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4821d563cd7f251ae728be1a6d04af82a294a5b9 ] Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") added the .negotiate_features callback to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL on Hyper-V VMs. During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), which unconditionally dereferences hw->mac.ops.negotiate_features(). On Hyper-V this results in a NULL pointer dereference: BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] Workqueue: events work_for_cpu_fn RIP: 0010:0x0 [...] Call Trace: ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] ixgbevf_probe+0x20f/0x4a0 [ixgbevf] local_pci_probe+0x50/0xa0 work_for_cpu_fn+0x1a/0x30 [...] Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP gracefully. Fixes: a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") Reported-by: Xiaoqiang Xiong <xxiong(a)redhat.com> Closes: https://issues.redhat.com/browse/RHEL-155455 Assisted-by: Claude:claude-4.6-opus-high Cursor Tested-by: Xiaoqiang Xiong <xxiong(a)redhat.com> Signed-off-by: Michal Schmidt <mschmidt(a)redhat.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/net/ethernet/intel/ixgbevf/vf.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c b/drivers/net/ethernet/intel/ixgbevf/vf.c index 65257107dfc8..92e5b0ec5c7d 100644 --- a/drivers/net/ethernet/intel/ixgbevf/vf.c +++ b/drivers/net/ethernet/intel/ixgbevf/vf.c @@ -709,6 +709,12 @@ static int ixgbevf_negotiate_features_vf(struct ixgbe_hw *hw, u32 *pf_features) return err; } +static int ixgbevf_hv_negotiate_features_vf(struct ixgbe_hw *hw, + u32 *pf_features) +{ + return -EOPNOTSUPP; +} + /** * ixgbevf_set_vfta_vf - Set/Unset VLAN filter table address * @hw: pointer to the HW structure @@ -1141,6 +1147,7 @@ static const struct ixgbe_mac_operations ixgbevf_hv_mac_ops = { .setup_link = ixgbevf_setup_mac_link_vf, .check_link = ixgbevf_hv_check_mac_link_vf, .negotiate_api_version = ixgbevf_hv_negotiate_api_version_vf, + .negotiate_features = ixgbevf_hv_negotiate_features_vf, .set_rar = ixgbevf_hv_set_rar_vf, .update_mc_addr_list = ixgbevf_hv_update_mc_addr_list_vf, .update_xcast_mode = ixgbevf_hv_update_xcast_mode, -- 2.34.1

2 1

[PATCH OLK-6.6 1/2] hwmon: (pmbus/core) Declare regulator notification function as void
by Yin Tirui 12 May '26

12 May '26

From: Guenter Roeck <linux(a)roeck-us.net> mainline inclusion from mainline-v7.0-rc6 commit 510db88a1c56abfbdb82c976f29bb3dc85a71c13 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14223 CVE: CVE-2026-31486 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- The regulator notification function never returns an error. Declare it as void. While at it, fix its indentation. No functional change. Reviewed-by: Tzung-Bi Shih <tzungbi(a)kernel.org> Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Yin Tirui <yintirui(a)huawei.com> --- drivers/hwmon/pmbus/pmbus_core.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c index 019c5982ba564..772c1b3c46ec4 100644 --- a/drivers/hwmon/pmbus/pmbus_core.c +++ b/drivers/hwmon/pmbus/pmbus_core.c @@ -3173,17 +3173,16 @@ static int pmbus_regulator_register(struct pmbus_data *data) return 0; } -static int pmbus_regulator_notify(struct pmbus_data *data, int page, int event) +static void pmbus_regulator_notify(struct pmbus_data *data, int page, int event) { - int j; + int j; - for (j = 0; j < data->info->num_regulators; j++) { - if (page == rdev_get_id(data->rdevs[j])) { - regulator_notifier_call_chain(data->rdevs[j], event, NULL); - break; - } + for (j = 0; j < data->info->num_regulators; j++) { + if (page == rdev_get_id(data->rdevs[j])) { + regulator_notifier_call_chain(data->rdevs[j], event, NULL); + break; } - return 0; + } } #else static int pmbus_regulator_register(struct pmbus_data *data) @@ -3191,9 +3190,8 @@ static int pmbus_regulator_register(struct pmbus_data *data) return 0; } -static int pmbus_regulator_notify(struct pmbus_data *data, int page, int event) +static void pmbus_regulator_notify(struct pmbus_data *data, int page, int event) { - return 0; } #endif -- 2.43.0

2 2

[PATCH openEuler-1.0-LTS] rxrpc: proc: size address buffers for %pISpc output
by Zhao Yipeng 12 May '26

12 May '26

From: Pengpeng Hou <pengpeng(a)iscas.ac.cn> mainline inclusion from mainline-v7.0 commit a44ce6aa2efb61fe44f2cfab72bb01544bbca272 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14372 CVE: CVE-2026-31630 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- The AF_RXRPC procfs helpers format local and remote socket addresses into fixed 50-byte stack buffers with "%pISpc". That is too small for the longest current-tree IPv6-with-port form the formatter can produce. In lib/vsprintf.c, the compressed IPv6 path uses a dotted-quad tail not only for v4mapped addresses, but also for ISATAP addresses via ipv6_addr_is_isatap(). As a result, a case such as [ffff:ffff:ffff:ffff:0:5efe:255.255.255.255]:65535 is possible with the current formatter. That is 50 visible characters, so 51 bytes including the trailing NUL, which does not fit in the existing char[50] buffers used by net/rxrpc/proc.c. Size the buffers from the formatter's maximum textual form and switch the call sites to scnprintf(). Changes since v1: - correct the changelog to cite the actual maximum current-tree case explicitly - frame the proof around the ISATAP formatting path instead of the earlier mapped-v4 example Fixes: 75b54cb57ca3 ("rxrpc: Add IPv6 support") Signed-off-by: Pengpeng Hou <pengpeng(a)iscas.ac.cn> Signed-off-by: David Howells <dhowells(a)redhat.com> cc: Marc Dionne <marc.dionne(a)auristor.com> cc: Anderson Nascimento <anderson(a)allelesecurity.com> cc: Simon Horman <horms(a)kernel.org> cc: linux-afs(a)lists.infradead.org cc: stable(a)kernel.org Link: https://patch.msgid.link/20260408121252.2249051-22-dhowells@redhat.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/rxrpc/proc.c [Context conflicts.] Signed-off-by: Zhao Yipeng <zhaoyipeng5(a)huawei.com> --- net/rxrpc/proc.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/net/rxrpc/proc.c b/net/rxrpc/proc.c index 9805e3b85c36..5b90d925a667 100644 --- a/net/rxrpc/proc.c +++ b/net/rxrpc/proc.c @@ -14,6 +14,10 @@ #include <net/af_rxrpc.h> #include "ar-internal.h" +#define RXRPC_PROC_ADDRBUF_SIZE \ + (sizeof("[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255]") + \ + sizeof(":12345")) + static const char *const rxrpc_conn_states[RXRPC_CONN__NR_STATES] = { [RXRPC_CONN_UNUSED] = "Unused ", [RXRPC_CONN_CLIENT] = "Client ", @@ -65,7 +69,7 @@ static int rxrpc_call_seq_show(struct seq_file *seq, void *v) struct rxrpc_net *rxnet = rxrpc_net(seq_file_net(seq)); unsigned long timeout = 0; rxrpc_seq_t tx_hard_ack, rx_hard_ack; - char lbuff[50], rbuff[50]; + char lbuff[RXRPC_PROC_ADDRBUF_SIZE], rbuff[RXRPC_PROC_ADDRBUF_SIZE]; if (v == &rxnet->calls) { seq_puts(seq, @@ -82,7 +86,7 @@ static int rxrpc_call_seq_show(struct seq_file *seq, void *v) if (rx) { local = READ_ONCE(rx->local); if (local) - sprintf(lbuff, "%pISpc", &local->srx.transport); + scnprintf(lbuff, sizeof(lbuff), "%pISpc", &local->srx.transport); else strcpy(lbuff, "no_local"); } else { @@ -91,7 +95,7 @@ static int rxrpc_call_seq_show(struct seq_file *seq, void *v) peer = call->peer; if (peer) - sprintf(rbuff, "%pISpc", &peer->srx.transport); + scnprintf(lbuff, sizeof(lbuff), "%pISpc", &peer->srx.transport); else strcpy(rbuff, "no_connection"); @@ -162,7 +166,7 @@ static int rxrpc_connection_seq_show(struct seq_file *seq, void *v) { struct rxrpc_connection *conn; struct rxrpc_net *rxnet = rxrpc_net(seq_file_net(seq)); - char lbuff[50], rbuff[50]; + char lbuff[RXRPC_PROC_ADDRBUF_SIZE], rbuff[RXRPC_PROC_ADDRBUF_SIZE]; if (v == &rxnet->conn_proc_list) { seq_puts(seq, @@ -181,9 +185,9 @@ static int rxrpc_connection_seq_show(struct seq_file *seq, void *v) goto print; } - sprintf(lbuff, "%pISpc", &conn->params.local->srx.transport); + scnprintf(lbuff, sizeof(lbuff), "%pISpc", &conn->params.local->srx.transport); - sprintf(rbuff, "%pISpc", &conn->params.peer->srx.transport); + scnprintf(lbuff, sizeof(lbuff), "%pISpc", &conn->params.peer->srx.transport); print: seq_printf(seq, "UDP %-47.47s %-47.47s %4x %08x %s %3u" -- 2.34.1

2 2

[PATCH OLK-6.6] Bluetooth: MGMT: validate mesh send advertising payload length
by Chen Jinghuang 12 May '26

12 May '26

From: Keenan Dong <keenanat2000(a)gmail.com> stable inclusion from stable-v6.6.134 commit 244b639e6a3a8e26241e201004a3a9f764476631 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14549 CVE: CVE-2026-43017 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… ---------------------------------------------------------------------- [ Upstream commit bda93eec78cdbfe5cda00785cefebd443e56b88b ] mesh_send() currently bounds MGMT_OP_MESH_SEND by total command length, but it never verifies that the bytes supplied for the flexible adv_data[] array actually match the embedded adv_data_len field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a truncated command can still pass the existing 20..50 byte range check and later drive the async mesh send path past the end of the queued command buffer. Keep rejecting zero-length and oversized advertising payloads, but validate adv_data_len explicitly and require the command length to exactly match the flexible array size before queueing the request. Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh") Reported-by: Keenan Dong <keenanat2000(a)gmail.com> Signed-off-by: Keenan Dong <keenanat2000(a)gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Chen Jinghuang <chenjinghuang2(a)huawei.com> --- net/bluetooth/mgmt.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c index fdb18cf27e9d..3a9d9b6662cd 100644 --- a/net/bluetooth/mgmt.c +++ b/net/bluetooth/mgmt.c @@ -2451,6 +2451,7 @@ static int mesh_send(struct sock *sk, struct hci_dev *hdev, void *data, u16 len) struct mgmt_mesh_tx *mesh_tx; struct mgmt_cp_mesh_send *send = data; struct mgmt_rp_mesh_read_features rp; + u16 expected_len; bool sending; int err = 0; @@ -2458,12 +2459,19 @@ static int mesh_send(struct sock *sk, struct hci_dev *hdev, void *data, u16 len) !hci_dev_test_flag(hdev, HCI_MESH_EXPERIMENTAL)) return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND, MGMT_STATUS_NOT_SUPPORTED); - if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) || - len <= MGMT_MESH_SEND_SIZE || - len > (MGMT_MESH_SEND_SIZE + 31)) + if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) + return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND, + MGMT_STATUS_REJECTED); + + if (!send->adv_data_len || send->adv_data_len > 31) return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND, MGMT_STATUS_REJECTED); + expected_len = struct_size(send, adv_data, send->adv_data_len); + if (expected_len != len) + return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND, + MGMT_STATUS_INVALID_PARAMS); + hci_dev_lock(hdev); memset(&rp, 0, sizeof(rp)); -- 2.34.1

2 1

[PATCH OLK-6.6] Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt
by Chen Jinghuang 12 May '26

12 May '26

From: Pauli Virtanen <pav(a)iki.fi> mainline inclusion from mainline-v7.0-rc7 commit b255531b27da336571411248c2a72a350662bd09 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14550 CVE: CVE-2026-43018 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ---------------------------------------------------------------------- hci_conn lookup and field access must be covered by hdev lock in hci_le_remote_conn_param_req_evt, otherwise it's possible it is freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage. Fixes: 95118dd4edfec ("Bluetooth: hci_event: Use of a function table to handle LE subevents") Signed-off-by: Pauli Virtanen <pav(a)iki.fi> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Signed-off-by: Chen Jinghuang <chenjinghuang2(a)huawei.com> --- net/bluetooth/hci_event.c | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 92e28e6794dd..3922f8429af1 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -6569,25 +6569,31 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data, latency = le16_to_cpu(ev->latency); timeout = le16_to_cpu(ev->timeout); + hci_dev_lock(hdev); + hcon = hci_conn_hash_lookup_handle(hdev, handle); - if (!hcon || hcon->state != BT_CONNECTED) - return send_conn_param_neg_reply(hdev, handle, - HCI_ERROR_UNKNOWN_CONN_ID); + if (!hcon || hcon->state != BT_CONNECTED) { + send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_UNKNOWN_CONN_ID); + goto unlock; + } - if (max > hcon->le_conn_max_interval) - return send_conn_param_neg_reply(hdev, handle, - HCI_ERROR_INVALID_LL_PARAMS); + if (max > hcon->le_conn_max_interval) { + send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_INVALID_LL_PARAMS); + goto unlock; + } - if (hci_check_conn_params(min, max, latency, timeout)) - return send_conn_param_neg_reply(hdev, handle, - HCI_ERROR_INVALID_LL_PARAMS); + if (hci_check_conn_params(min, max, latency, timeout)) { + send_conn_param_neg_reply(hdev, handle, + HCI_ERROR_INVALID_LL_PARAMS); + goto unlock; + } if (hcon->role == HCI_ROLE_MASTER) { struct hci_conn_params *params; u8 store_hint; - hci_dev_lock(hdev); - params = hci_conn_params_lookup(hdev, &hcon->dst, hcon->dst_type); if (params) { @@ -6600,8 +6606,6 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data, store_hint = 0x00; } - hci_dev_unlock(hdev); - mgmt_new_conn_param(hdev, &hcon->dst, hcon->dst_type, store_hint, min, max, latency, timeout); } @@ -6615,6 +6619,9 @@ static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev, void *data, cp.max_ce_len = 0; hci_send_cmd(hdev, HCI_OP_LE_CONN_PARAM_REQ_REPLY, sizeof(cp), &cp); + +unlock: + hci_dev_unlock(hdev); } static void hci_le_direct_adv_report_evt(struct hci_dev *hdev, void *data, -- 2.34.1

2 1