From cc07638424795ca1972ee32e041710d6b61c6039 Mon Sep 17 00:00:00 2001
From: Stefan Catargiu <13122921+5kt@users.noreply.github.com>
Date: Sun, 7 Jun 2026 21:18:17 +0200
Subject: [PATCH 1/4] Bump version
---
 prepare_source | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/prepare_source b/prepare_source
index c144eaa..6354475 100755
--- a/prepare_source
+++ b/prepare_source
@@ -1,5 +1,5 @@
 pkg=linux
-version_orig=6.18.33
+version_orig=6.18.34
 version="$version_orig-1"
 (
From 2ef6fe25acadc79a142046f72906e9681285f46f Mon Sep 17 00:00:00 2001
From: Stefan Catargiu <13122921+5kt@users.noreply.github.com>
Date: Sun, 7 Jun 2026 21:18:41 +0200
Subject: [PATCH 2/4] CVE fixes
---
 upstream_patches/CVE-2026-31688.patch | 48 +++++++
 upstream_patches/CVE-2026-31709.patch | 185 ++++++++++++++++++++++++++
 upstream_patches/CVE-2026-43009.patch | 45 +++++++
 upstream_patches/series | 3 +
 4 files changed, 281 insertions(+)
 create mode 100644 upstream_patches/CVE-2026-31688.patch
 create mode 100644 upstream_patches/CVE-2026-31709.patch
 create mode 100644 upstream_patches/CVE-2026-43009.patch
diff --git a/upstream_patches/CVE-2026-31688.patch b/upstream_patches/CVE-2026-31688.patch
new file mode 100644
index 0000000..7e7f5ba
--- /dev/null
+++ b/upstream_patches/CVE-2026-31688.patch
@@ -0,0 +1,48 @@
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=dc23806a7c47ec5f1293aba407fb69519f976ee0
+--- a/drivers/base/base.h
++++ b/drivers/base/base.h
+@@ -166,9 +166,18 @@ void device_set_deferred_probe_reason(const struct device *dev, struct va_format
+ static inline int driver_match_device(const struct device_driver *drv,
+ struct device *dev)
+ {
++ device_lock_assert(dev);
++
+ return drv->bus->match ? drv->bus->match(dev, drv) : 1;
+ }
++
++static inline int driver_match_device_locked(const struct device_driver *drv,
++ struct device *dev)
++{
++ guard(device)(dev);
++ return driver_match_device(drv, dev);
++}
++
+ static inline void dev_sync_state(struct device *dev)
+ {
+ if (dev->bus->sync_state)
+diff --git a/drivers/base/bus.c b/drivers/base/bus.c
+index 2653670f962f..2b039aa2da74 100644
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -263,7 +263,7 @@ static ssize_t bind_store(struct device_driver *drv, const char *buf,
+ int err = -ENODEV;
+
+ dev = bus_find_device_by_name(bus, NULL, buf);
+- if (dev && driver_match_device(drv, dev)) {
++ if (dev && driver_match_device_locked(drv, dev)) {
+ err = device_driver_attach(drv, dev);
+ if (!err) {
+ /* success */
+diff --git a/drivers/base/dd.c b/drivers/base/dd.c
+index 2c3a610f52a7..04087a4961ef 100644
+--- a/drivers/base/dd.c
++++ b/drivers/base/dd.c
+@@ -1250,7 +1250,7 @@ static int __driver_attach(struct device *dev, void *data)
+ * is an error.
+ */
+
+- ret = driver_match_device(drv, dev);
++ ret = driver_match_device_locked(drv, dev);
+ if (ret == 0) {
+ /* no match */
+ return 0;
diff --git a/upstream_patches/CVE-2026-31709.patch b/upstream_patches/CVE-2026-31709.patch
new file mode 100644
index 0000000..404ae10
--- /dev/null
+++ b/upstream_patches/CVE-2026-31709.patch
@@ -0,0 +1,185 @@
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b78db9bddc84136f6a0bb49e8883cf200dfb87a8
+--- a/fs/smb/client/cifsacl.c
++++ b/fs/smb/client/cifsacl.c
+@@ -757,6 +757,77 @@ static void dump_ace(struct smb_ace *pace, char *end_of_acl)
+ }
+ #endif
+
++static int validate_dacl(struct smb_acl *pdacl, char *end_of_acl)
++{
++ int i, ace_hdr_size, ace_size, min_ace_size;
++ u16 dacl_size, num_aces;
++ char *acl_base, *end_of_dacl;
++ struct smb_ace *pace;
++
++ if (!pdacl)
++ return 0;
++
++ if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl)) {
++ cifs_dbg(VFS, "ACL too small to parse DACL\n");
++ return -EINVAL;
++ }
++
++ dacl_size = le16_to_cpu(pdacl->size);
++ if (dacl_size < sizeof(struct smb_acl) ||
++ end_of_acl < (char *)pdacl + dacl_size) {
++ cifs_dbg(VFS, "ACL too small to parse DACL\n");
++ return -EINVAL;
++ }
++
++ num_aces = le16_to_cpu(pdacl->num_aces);
++ if (!num_aces)
++ return 0;
++
++ ace_hdr_size = offsetof(struct smb_ace, sid) +
++ offsetof(struct smb_sid, sub_auth);
++ min_ace_size = ace_hdr_size + sizeof(__le32);
++ if (num_aces > (dacl_size - sizeof(struct smb_acl)) / min_ace_size) {
++ cifs_dbg(VFS, "ACL too small to parse DACL\n");
++ return -EINVAL;
++ }
++
++ end_of_dacl = (char *)pdacl + dacl_size;
++ acl_base = (char *)pdacl;
++ ace_size = sizeof(struct smb_acl);
++
++ for (i = 0; i < num_aces; ++i) {
++ if (end_of_dacl - acl_base < ace_size) {
++ cifs_dbg(VFS, "ACL too small to parse ACE\n");
++ return -EINVAL;
++ }
++
++ pace = (struct smb_ace *)(acl_base + ace_size);
++ acl_base = (char *)pace;
++
++ if (end_of_dacl - acl_base < ace_hdr_size ||
++ pace->sid.num_subauth == 0 ||
++ pace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES) {
++ cifs_dbg(VFS, "ACL too small to parse ACE\n");
++ return -EINVAL;
++ }
++
++ ace_size = ace_hdr_size + sizeof(__le32) * pace->sid.num_subauth;
++ if (end_of_dacl - acl_base < ace_size ||
++ le16_to_cpu(pace->size) < ace_size) {
++ cifs_dbg(VFS, "ACL too small to parse ACE\n");
++ return -EINVAL;
++ }
++
++ ace_size = le16_to_cpu(pace->size);
++ if (end_of_dacl - acl_base < ace_size) {
++ cifs_dbg(VFS, "ACL too small to parse ACE\n");
++ return -EINVAL;
++ }
++ }
++
++ return 0;
++}
++
+ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
+ struct smb_sid *pownersid, struct smb_sid *pgrpsid,
+ struct cifs_fattr *fattr, bool mode_from_special_sid)
+@@ -764,7 +835,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
+ int i;
+ u16 num_aces = 0;
+ int acl_size;
+- char *acl_base;
++ char *acl_base, *end_of_dacl;
+ struct smb_ace **ppace;
+
+ /* BB need to add parm so we can store the SID BB */
+@@ -776,12 +847,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
+ return;
+ }
+
+- /* validate that we do not go past end of acl */
+- if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) ||
+- end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
+- cifs_dbg(VFS, "ACL too small to parse DACL\n");
++ if (validate_dacl(pdacl, end_of_acl))
+ return;
+- }
+
+ cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n",
+ le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
+@@ -792,6 +859,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
+ user/group/other have no permissions */
+ fattr->cf_mode &= ~(0777);
+
++ end_of_dacl = (char *)pdacl + le16_to_cpu(pdacl->size);
+ acl_base = (char *)pdacl;
+ acl_size = sizeof(struct smb_acl);
+
+@@ -799,36 +867,16 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
+ if (num_aces > 0) {
+ umode_t denied_mode = 0;
+
+- if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /
+- (offsetof(struct smb_ace, sid) +
+- offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))
+- return;
+-
+ ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *),
+ GFP_KERNEL);
+ if (!ppace)
+ return;
+
+ for (i = 0; i < num_aces; ++i) {
+- if (end_of_acl - acl_base < acl_size)
+- break;
+-
+ ppace[i] = (struct smb_ace *) (acl_base + acl_size);
+- acl_base = (char *)ppace[i];
+- acl_size = offsetof(struct smb_ace, sid) +
+- offsetof(struct smb_sid, sub_auth);
+-
+- if (end_of_acl - acl_base < acl_size ||
+- ppace[i]->sid.num_subauth == 0 ||
+- ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
+- (end_of_acl - acl_base <
+- acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
+- (le16_to_cpu(ppace[i]->size) <
+- acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth))
+- break;
+
+ #ifdef CONFIG_CIFS_DEBUG2
+- dump_ace(ppace[i], end_of_acl);
++ dump_ace(ppace[i], end_of_dacl);
+ #endif
+ if (mode_from_special_sid &&
+ ppace[i]->sid.num_subauth >= 3 &&
+@@ -871,6 +919,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
+ (void *)ppace[i],
+ sizeof(struct smb_ace)); */
+
++ acl_base = (char *)ppace[i];
+ acl_size = le16_to_cpu(ppace[i]->size);
+ }
+
+@@ -1316,10 +1365,9 @@ static int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *pnntsd,
+ }
+
+ dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
+- if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {
+- cifs_dbg(VFS, "Server returned illegal ACL size\n");
+- return -EINVAL;
+- }
++ rc = validate_dacl(dacl_ptr, end_of_acl);
++ if (rc)
++ return rc;
+ }
+
+ owner_sid_ptr = (struct smb_sid *)((char *)pntsd +
+@@ -1698,6 +1746,12 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
+ }
+
+ dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
++ rc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen);
++ if (rc) {
++ kfree(pntsd);
++ cifs_put_tlink(tlink);
++ return rc;
++ }
+ if (mode_from_sid)
+ nsecdesclen +=
+ le16_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace);
diff --git a/upstream_patches/CVE-2026-43009.patch b/upstream_patches/CVE-2026-43009.patch
new file mode 100644
index 0000000..c1ed38d
--- /dev/null
+++ b/upstream_patches/CVE-2026-43009.patch
@@ -0,0 +1,45 @@
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7ffbe45b1d227e24659998a91cfd4c27af457e71
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -610,6 +610,13 @@ static bool is_atomic_load_insn(const struct bpf_insn *insn)
+ insn->imm == BPF_LOAD_ACQ;
+ }
+
++static bool is_atomic_fetch_insn(const struct bpf_insn *insn)
++{
++ return BPF_CLASS(insn->code) == BPF_STX &&
++ BPF_MODE(insn->code) == BPF_ATOMIC &&
++ (insn->imm & BPF_FETCH);
++}
++
+ static int __get_spi(s32 off)
+ {
+ return (-off - 1) / BPF_REG_SIZE;
+@@ -4322,10 +4329,24 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
+ * dreg still needs precision before this insn
+ */
+ }
+- } else if (class == BPF_LDX || is_atomic_load_insn(insn)) {
+- if (!bt_is_reg_set(bt, dreg))
++ } else if (class == BPF_LDX ||
++ is_atomic_load_insn(insn) ||
++ is_atomic_fetch_insn(insn)) {
++ u32 load_reg = dreg;
++
++ /*
++ * Atomic fetch operation writes the old value into
++ * a register (sreg or r0) and if it was tracked for
++ * precision, propagate to the stack slot like we do
++ * in regular ldx.
++ */
++ if (is_atomic_fetch_insn(insn))
++ load_reg = insn->imm == BPF_CMPXCHG ?
++ BPF_REG_0 : sreg;
++
++ if (!bt_is_reg_set(bt, load_reg))
+ return 0;
+- bt_clear_reg(bt, dreg);
++ bt_clear_reg(bt, load_reg);
+
+ /* scalars can only be spilled into stack w/o losing precision.
+ * Load from any other memory can be zero extended.
diff --git a/upstream_patches/series b/upstream_patches/series
index 0c1b65a..ab9c5d5 100644
--- a/upstream_patches/series
+++ b/upstream_patches/series
@@ -3,3 +3,6 @@
 0003-implement-FIPS-PCT-for-ECDH.patch
 0004-flag-instantiations-as-FIPS_compliant.patch
 0005-disable-xxhash64.patch
+CVE-2026-31688.patch
+CVE-2026-31709.patch
+CVE-2026-43009.patch
From 6d7d345ad44b900a74ea94538f5e0fa90f65cf04 Mon Sep 17 00:00:00 2001
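Review bot: The series gains `CVE-2026-31709.patch` here, but PATCH 3/4 (6d7d345) deletes that file while leaving this entry in place, so at that intermediate commit the series references a patch that no longer exists and applying it would presumably fail; the entry is only dropped in PATCH 4/4 (d59eb96). Folding the file deletion, the series edit and the 6.18.35 bump into one commit keeps every commit in the range buildable. PATCH 3/4's message also gives no reason for dropping the fix — if it is because 6.18.35 already carries the upstream commit, stating that (e.g. `del: CVE-2026-31709 fix is included in 6.18.35`) makes the history auditable. The three vendored patch files carry only an `Origin:` line; adding the upstream commit subject beneath it would let a reviewer match each file to its CVE without following the URL.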
From: Denis Brdjanin
Date: Wed, 17 Jun 2026 14:49:10 +0200
Subject: [PATCH 3/4] del: remove patch for CVE-2026-31709
---
 upstream_patches/CVE-2026-31709.patch | 185 --------------------------
 1 file changed, 185 deletions(-)
 delete mode 100644 upstream_patches/CVE-2026-31709.patch
diff --git a/upstream_patches/CVE-2026-31709.patch b/upstream_patches/CVE-2026-31709.patch
deleted file mode 100644
index 404ae10..0000000
--- a/upstream_patches/CVE-2026-31709.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b78db9bddc84136f6a0bb49e8883cf200dfb87a8
---- a/fs/smb/client/cifsacl.c
-+++ b/fs/smb/client/cifsacl.c
-@@ -757,6 +757,77 @@ static void dump_ace(struct smb_ace *pace, char *end_of_acl)
- }
- #endif
-
-+static int validate_dacl(struct smb_acl *pdacl, char *end_of_acl)
-+{
-+ int i, ace_hdr_size, ace_size, min_ace_size;
-+ u16 dacl_size, num_aces;
-+ char *acl_base, *end_of_dacl;
-+ struct smb_ace *pace;
-+
-+ if (!pdacl)
-+ return 0;
-+
-+ if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl)) {
-+ cifs_dbg(VFS, "ACL too small to parse DACL\n");
-+ return -EINVAL;
-+ }
-+
-+ dacl_size = le16_to_cpu(pdacl->size);
-+ if (dacl_size < sizeof(struct smb_acl) ||
-+ end_of_acl < (char *)pdacl + dacl_size) {
-+ cifs_dbg(VFS, "ACL too small to parse DACL\n");
-+ return -EINVAL;
-+ }
-+
-+ num_aces = le16_to_cpu(pdacl->num_aces);
-+ if (!num_aces)
-+ return 0;
-+
-+ ace_hdr_size = offsetof(struct smb_ace, sid) +
-+ offsetof(struct smb_sid, sub_auth);
-+ min_ace_size = ace_hdr_size + sizeof(__le32);
-+ if (num_aces > (dacl_size - sizeof(struct smb_acl)) / min_ace_size) {
-+ cifs_dbg(VFS, "ACL too small to parse DACL\n");
-+ return -EINVAL;
-+ }
-+
-+ end_of_dacl = (char *)pdacl + dacl_size;
-+ acl_base = (char *)pdacl;
-+ ace_size = sizeof(struct smb_acl);
-+
-+ for (i = 0; i < num_aces; ++i) {
-+ if (end_of_dacl - acl_base < ace_size) {
-+ cifs_dbg(VFS, "ACL too small to parse ACE\n");
-+ return -EINVAL;
-+ }
-+
-+ pace = (struct smb_ace *)(acl_base + ace_size);
-+ acl_base = (char *)pace;
-+
-+ if (end_of_dacl - acl_base < ace_hdr_size ||
-+ pace->sid.num_subauth == 0 ||
-+ pace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES) {
-+ cifs_dbg(VFS, "ACL too small to parse ACE\n");
-+ return -EINVAL;
-+ }
-+
-+ ace_size = ace_hdr_size + sizeof(__le32) * pace->sid.num_subauth;
-+ if (end_of_dacl - acl_base < ace_size ||
-+ le16_to_cpu(pace->size) < ace_size) {
-+ cifs_dbg(VFS, "ACL too small to parse ACE\n");
-+ return -EINVAL;
-+ }
-+
-+ ace_size = le16_to_cpu(pace->size);
-+ if (end_of_dacl - acl_base < ace_size) {
-+ cifs_dbg(VFS, "ACL too small to parse ACE\n");
-+ return -EINVAL;
-+ }
-+ }
-+
-+ return 0;
-+}
-+
- static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
- struct smb_sid *pownersid, struct smb_sid *pgrpsid,
- struct cifs_fattr *fattr, bool mode_from_special_sid)
-@@ -764,7 +835,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
- int i;
- u16 num_aces = 0;
- int acl_size;
-- char *acl_base;
-+ char *acl_base, *end_of_dacl;
- struct smb_ace **ppace;
-
- /* BB need to add parm so we can store the SID BB */
-@@ -776,12 +847,8 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
- return;
- }
-
-- /* validate that we do not go past end of acl */
-- if (end_of_acl < (char *)pdacl + sizeof(struct smb_acl) ||
-- end_of_acl < (char *)pdacl + le16_to_cpu(pdacl->size)) {
-- cifs_dbg(VFS, "ACL too small to parse DACL\n");
-+ if (validate_dacl(pdacl, end_of_acl))
- return;
-- }
-
- cifs_dbg(NOISY, "DACL revision %d size %d num aces %d\n",
- le16_to_cpu(pdacl->revision), le16_to_cpu(pdacl->size),
-@@ -792,6 +859,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
- user/group/other have no permissions */
- fattr->cf_mode &= ~(0777);
-
-+ end_of_dacl = (char *)pdacl + le16_to_cpu(pdacl->size);
- acl_base = (char *)pdacl;
- acl_size = sizeof(struct smb_acl);
-
-@@ -799,36 +867,16 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
- if (num_aces > 0) {
- umode_t denied_mode = 0;
-
-- if (num_aces > (le16_to_cpu(pdacl->size) - sizeof(struct smb_acl)) /
-- (offsetof(struct smb_ace, sid) +
-- offsetof(struct smb_sid, sub_auth) + sizeof(__le16)))
-- return;
--
- ppace = kmalloc_array(num_aces, sizeof(struct smb_ace *),
- GFP_KERNEL);
- if (!ppace)
- return;
-
- for (i = 0; i < num_aces; ++i) {
-- if (end_of_acl - acl_base < acl_size)
-- break;
--
- ppace[i] = (struct smb_ace *) (acl_base + acl_size);
-- acl_base = (char *)ppace[i];
-- acl_size = offsetof(struct smb_ace, sid) +
-- offsetof(struct smb_sid, sub_auth);
--
-- if (end_of_acl - acl_base < acl_size ||
-- ppace[i]->sid.num_subauth == 0 ||
-- ppace[i]->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
-- (end_of_acl - acl_base <
-- acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth) ||
-- (le16_to_cpu(ppace[i]->size) <
-- acl_size + sizeof(__le32) * ppace[i]->sid.num_subauth))
-- break;
-
- #ifdef CONFIG_CIFS_DEBUG2
-- dump_ace(ppace[i], end_of_acl);
-+ dump_ace(ppace[i], end_of_dacl);
- #endif
- if (mode_from_special_sid &&
- ppace[i]->sid.num_subauth >= 3 &&
-@@ -871,6 +919,7 @@ static void parse_dacl(struct smb_acl *pdacl, char *end_of_acl,
- (void *)ppace[i],
- sizeof(struct smb_ace)); */
-
-+ acl_base = (char *)ppace[i];
- acl_size = le16_to_cpu(ppace[i]->size);
- }
-
-@@ -1316,10 +1365,9 @@ static int build_sec_desc(struct smb_ntsd *pntsd, struct smb_ntsd *pnntsd,
- }
-
- dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
-- if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) {
-- cifs_dbg(VFS, "Server returned illegal ACL size\n");
-- return -EINVAL;
-- }
-+ rc = validate_dacl(dacl_ptr, end_of_acl);
-+ if (rc)
-+ return rc;
- }
-
- owner_sid_ptr = (struct smb_sid *)((char *)pntsd +
-@@ -1698,6 +1746,12 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
- }
-
- dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset);
-+ rc = validate_dacl(dacl_ptr, (char *)pntsd + secdesclen);
-+ if (rc) {
-+ kfree(pntsd);
-+ cifs_put_tlink(tlink);
-+ return rc;
-+ }
- if (mode_from_sid)
- nsecdesclen +=
- le16_to_cpu(dacl_ptr->num_aces) * sizeof(struct smb_ace);
From d59eb960867be574eaa38c26df27f05e409ad0be Mon Sep 17 00:00:00 2001
From: Denis Brdjanin
Date: Wed, 17 Jun 2026 14:50:38 +0200
Subject: [PATCH 4/4] feat: update version + delete patch from series
---
 prepare_source | 2 +-
 upstream_patches/series | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/prepare_source b/prepare_source
index 6354475..0d27f27 100755
--- a/prepare_source
+++ b/prepare_source
@@ -1,5 +1,5 @@
 pkg=linux
-version_orig=6.18.34
+version_orig=6.18.35
 version="$version_orig-1"
 (
diff --git a/upstream_patches/series b/upstream_patches/series
index ab9c5d5..bb2bf16 100644
--- a/upstream_patches/series
+++ b/upstream_patches/series
@@ -4,5 +4,4 @@
 0004-flag-instantiations-as-FIPS_compliant.patch
 0005-disable-xxhash64.patch
 CVE-2026-31688.patch
-CVE-2026-31709.patch
 CVE-2026-43009.patch