--- /dev/null
+From bf39286adc5e10ce3e32eb86ad316ae56f3b52a0 Mon Sep 17 00:00:00 2001
+From: Oliver Schramm <oliver.schramm97@gmail.com>
+Date: Sun, 22 Jun 2025 00:30:01 +0200
+Subject: ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15
+
+From: Oliver Schramm <oliver.schramm97@gmail.com>
+
+commit bf39286adc5e10ce3e32eb86ad316ae56f3b52a0 upstream.
+
+It's smaller brother has already received the patch to enable the microphone,
+now add it too to the DMI quirk table.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Oliver Schramm <oliver.schramm97@gmail.com>
+Link: https://patch.msgid.link/20250621223000.11817-2-oliver.schramm97@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -356,6 +356,13 @@ static const struct dmi_system_id yc_acp
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83J3"),
++ }
++ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "UM5302TA"),
+ }
--- /dev/null
+From a3ef3c2da675a8a564c8bea1a511cdd0a2a9aa49 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Thu, 5 Jun 2025 11:28:46 +0300
+Subject: drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit a3ef3c2da675a8a564c8bea1a511cdd0a2a9aa49 upstream.
+
+Reading DPCD registers has side-effects in general. In particular
+accessing registers outside of the link training register range
+(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly
+forbidden by the DP v2.1 Standard, see
+
+3.6.5.1 DPTX AUX Transaction Handling Mandates
+3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates
+
+Based on my tests, accessing the DPCD_REV register during the link
+training of an UHBR TBT DP tunnel sink leads to link training failures.
+
+Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the
+DPCD register access quirk.
+
+Cc: <stable@vger.kernel.org>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Acked-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com
+(cherry picked from commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/display/drm_dp_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/display/drm_dp_helper.c
++++ b/drivers/gpu/drm/display/drm_dp_helper.c
+@@ -663,7 +663,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a
+ * monitor doesn't power down exactly after the throw away read.
+ */
+ if (!aux->is_remote) {
+- ret = drm_dp_dpcd_probe(aux, DP_DPCD_REV);
++ ret = drm_dp_dpcd_probe(aux, DP_LANE0_1_STATUS);
+ if (ret < 0)
+ return ret;
+ }
--- /dev/null
+From 56ad91c1aa9c18064348edf69308080b03c9dc48 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Thu, 22 May 2025 08:42:35 +0200
+Subject: i2c: robotfuzz-osif: disable zero-length read messages
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit 56ad91c1aa9c18064348edf69308080b03c9dc48 upstream.
+
+This driver passes the length of an i2c_msg directly to
+usb_control_msg(). If the message is now a read and of length 0, it
+violates the USB protocol and a warning will be printed. Enable the
+I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
+read messages altogether.
+
+Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Cc: <stable@vger.kernel.org> # v3.14+
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250522064234.3721-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-robotfuzz-osif.c
++++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c
+@@ -111,6 +111,11 @@ static u32 osif_func(struct i2c_adapter
+ return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
+ }
+
++/* prevent invalid 0-length usb_control_msg */
++static const struct i2c_adapter_quirks osif_quirks = {
++ .flags = I2C_AQ_NO_ZERO_LEN_READ,
++};
++
+ static const struct i2c_algorithm osif_algorithm = {
+ .master_xfer = osif_xfer,
+ .functionality = osif_func,
+@@ -143,6 +148,7 @@ static int osif_probe(struct usb_interfa
+
+ priv->adapter.owner = THIS_MODULE;
+ priv->adapter.class = I2C_CLASS_HWMON;
++ priv->adapter.quirks = &osif_quirks;
+ priv->adapter.algo = &osif_algorithm;
+ priv->adapter.algo_data = priv;
+ snprintf(priv->adapter.name, sizeof(priv->adapter.name),
--- /dev/null
+From cbdb25ccf7566eee0c2b945e35cb98baf9ed0aa6 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Thu, 22 May 2025 08:43:49 +0200
+Subject: i2c: tiny-usb: disable zero-length read messages
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit cbdb25ccf7566eee0c2b945e35cb98baf9ed0aa6 upstream.
+
+This driver passes the length of an i2c_msg directly to
+usb_control_msg(). If the message is now a read and of length 0, it
+violates the USB protocol and a warning will be printed. Enable the
+I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
+read messages altogether.
+
+Fixes: e8c76eed2ecd ("i2c: New i2c-tiny-usb bus driver")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Cc: <stable@vger.kernel.org> # v2.6.22+
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250522064349.3823-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-tiny-usb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-tiny-usb.c
++++ b/drivers/i2c/busses/i2c-tiny-usb.c
+@@ -140,6 +140,11 @@ out:
+ return ret;
+ }
+
++/* prevent invalid 0-length usb_control_msg */
++static const struct i2c_adapter_quirks usb_quirks = {
++ .flags = I2C_AQ_NO_ZERO_LEN_READ,
++};
++
+ /* This is the actual algorithm we define */
+ static const struct i2c_algorithm usb_algorithm = {
+ .master_xfer = usb_xfer,
+@@ -248,6 +253,7 @@ static int i2c_tiny_usb_probe(struct usb
+ /* setup i2c adapter description */
+ dev->adapter.owner = THIS_MODULE;
+ dev->adapter.class = I2C_CLASS_HWMON;
++ dev->adapter.quirks = &usb_quirks;
+ dev->adapter.algo = &usb_algorithm;
+ dev->adapter.algo_data = dev;
+ snprintf(dev->adapter.name, sizeof(dev->adapter.name),
--- /dev/null
+From df831e97739405ecbaddb85516bc7d4d1c933d6b Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Thu, 19 Jun 2025 21:26:55 +0800
+Subject: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit df831e97739405ecbaddb85516bc7d4d1c933d6b upstream.
+
+While testing null_blk with configfs, echo 0 > poll_queues will trigger
+following panic:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000010
+Oops: Oops: 0000 [#1] SMP NOPTI
+CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
+RIP: 0010:__bitmap_or+0x48/0x70
+Call Trace:
+ <TASK>
+ __group_cpus_evenly+0x822/0x8c0
+ group_cpus_evenly+0x2d9/0x490
+ blk_mq_map_queues+0x1e/0x110
+ null_map_queues+0xc9/0x170 [null_blk]
+ blk_mq_update_queue_map+0xdb/0x160
+ blk_mq_update_nr_hw_queues+0x22b/0x560
+ nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
+ nullb_device_poll_queues_store+0xa4/0x130 [null_blk]
+ configfs_write_iter+0x109/0x1d0
+ vfs_write+0x26e/0x6f0
+ ksys_write+0x79/0x180
+ __x64_sys_write+0x1d/0x30
+ x64_sys_call+0x45c4/0x45f0
+ do_syscall_64+0xa5/0x240
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Root cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from
+kcalloc(), and later ZERO_SIZE_PTR will be deferenced.
+
+Fix the problem by checking numgrps first in group_cpus_evenly(), and
+return NULL directly if numgrps is zero.
+
+[yukuai3@huawei.com: also fix the non-SMP version]
+ Link: https://lkml.kernel.org/r/20250620010958.1265984-1-yukuai1@huaweicloud.com
+Link: https://lkml.kernel.org/r/20250619132655.3318883-1-yukuai1@huaweicloud.com
+Fixes: 6a6dcae8f486 ("blk-mq: Build default queue map via group_cpus_evenly()")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Jens Axboe <axboe@kernel.dk>
+Cc: ErKun Yang <yangerkun@huawei.com>
+Cc: John Garry <john.g.garry@oracle.com>
+Cc: Thomas Gleinxer <tglx@linutronix.de>
+Cc: "zhangyi (F)" <yi.zhang@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/group_cpus.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/group_cpus.c b/lib/group_cpus.c
+index ee272c4cefcc..18d43a406114 100644
+--- a/lib/group_cpus.c
++++ b/lib/group_cpus.c
+@@ -352,6 +352,9 @@ struct cpumask *group_cpus_evenly(unsigned int numgrps)
+ int ret = -ENOMEM;
+ struct cpumask *masks = NULL;
+
++ if (numgrps == 0)
++ return NULL;
++
+ if (!zalloc_cpumask_var(&nmsk, GFP_KERNEL))
+ return NULL;
+
+@@ -426,8 +429,12 @@ struct cpumask *group_cpus_evenly(unsigned int numgrps)
+ #else /* CONFIG_SMP */
+ struct cpumask *group_cpus_evenly(unsigned int numgrps)
+ {
+- struct cpumask *masks = kcalloc(numgrps, sizeof(*masks), GFP_KERNEL);
++ struct cpumask *masks;
+
++ if (numgrps == 0)
++ return NULL;
++
++ masks = kcalloc(numgrps, sizeof(*masks), GFP_KERNEL);
+ if (!masks)
+ return NULL;
+
+--
+2.50.0
+
--- /dev/null
+From 4f489fe6afb395dbc79840efa3c05440b760d883 Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Thu, 19 Jun 2025 11:36:07 -0700
+Subject: mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write
+
+From: SeongJae Park <sj@kernel.org>
+
+commit 4f489fe6afb395dbc79840efa3c05440b760d883 upstream.
+
+memcg_path_store() assigns a newly allocated memory buffer to
+filter->memcg_path, without deallocating the previously allocated and
+assigned memory buffer. As a result, users can leak kernel memory by
+continuously writing a data to memcg_path DAMOS sysfs file. Fix the leak
+by deallocating the previously set memory buffer.
+
+Link: https://lkml.kernel.org/r/20250619183608.6647-2-sj@kernel.org
+Fixes: 7ee161f18b5d ("mm/damon/sysfs-schemes: implement filter directory")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: <stable@vger.kernel.org> [6.3.x]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/sysfs-schemes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/damon/sysfs-schemes.c
++++ b/mm/damon/sysfs-schemes.c
+@@ -376,6 +376,7 @@ static ssize_t memcg_path_store(struct k
+ return -ENOMEM;
+
+ strscpy(path, buf, count + 1);
++ kfree(filter->memcg_path);
+ filter->memcg_path = path;
+ return count;
+ }
--- /dev/null
+From 7360ee47599af91a1d5f4e74d635d9408a54e489 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Wed, 11 Jun 2025 22:20:10 +0300
+Subject: s390/pkey: Prevent overflow in size calculation for memdup_user()
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit 7360ee47599af91a1d5f4e74d635d9408a54e489 upstream.
+
+Number of apqn target list entries contained in 'nr_apqns' variable is
+determined by userspace via an ioctl call so the result of the product in
+calculation of size passed to memdup_user() may overflow.
+
+In this case the actual size of the allocated area and the value
+describing it won't be in sync leading to various types of unpredictable
+behaviour later.
+
+Use a proper memdup_array_user() helper which returns an error if an
+overflow is detected. Note that it is different from when nr_apqns is
+initially zero - that case is considered valid and should be handled in
+subsequent pkey_handler implementations.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: f2bbc96e7cfa ("s390/pkey: add CCA AES cipher key support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250611192011.206057-1-pchelkin@ispras.ru
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/pkey_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/crypto/pkey_api.c
++++ b/drivers/s390/crypto/pkey_api.c
+@@ -1333,7 +1333,7 @@ static void *_copy_apqns_from_user(void
+ if (!uapqns || nr_apqns == 0)
+ return NULL;
+
+- return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn));
++ return memdup_array_user(uapqns, nr_apqns, sizeof(struct pkey_apqn));
+ }
+
+ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
af_unix-define-locking-order-for-u_recvq_lock_embryo.patch
af_unix-don-t-call-skb_get-for-oob-skb.patch
af_unix-don-t-leave-consecutive-consumed-oob-skbs.patch
+i2c-tiny-usb-disable-zero-length-read-messages.patch
+i2c-robotfuzz-osif-disable-zero-length-read-messages.patch
+mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch
+asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch
+s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch
+lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch
+drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
