--- /dev/null
+From b04f0d89e880bc2cca6a5c73cf287082c91878da Mon Sep 17 00:00:00 2001
+From: Gabor Juhos <j4g8y7@gmail.com>
+Date: Fri, 9 May 2025 15:48:52 +0200
+Subject: arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs
+
+From: Gabor Juhos <j4g8y7@gmail.com>
+
+commit b04f0d89e880bc2cca6a5c73cf287082c91878da upstream.
+
+The two alarm LEDs of on the uDPU board are stopped working since
+commit 78efa53e715e ("leds: Init leds class earlier").
+
+The LEDs are driven by the GPIO{15,16} pins of the North Bridge
+GPIO controller. These pins are part of the 'spi_quad' pin group
+for which the 'spi' function is selected via the default pinctrl
+state of the 'spi' node. This is wrong however, since in order to
+allow controlling the LEDs, the pins should use the 'gpio' function.
+
+Before the commit mentined above, the 'spi' function is selected
+first by the pinctrl core before probing the spi driver, but then
+it gets overridden to 'gpio' implicitly via the
+devm_gpiod_get_index_optional() call from the 'leds-gpio' driver.
+
+After the commit, the LED subsystem gets initialized before the
+SPI subsystem, so the function of the pin group remains 'spi'
+which in turn prevents controlling of the LEDs.
+
+Despite the change of the initialization order, the root cause is
+that the pinctrl state definition is wrong since its initial commit
+0d45062cfc89 ("arm64: dts: marvell: Add device tree for uDPU board"),
+
+To fix the problem, override the function in the 'spi_quad_pins'
+node to 'gpio' and move the pinctrl state definition from the
+'spi' node into the 'leds' node.
+
+Cc: stable@vger.kernel.org # needs adjustment for < 6.1
+Fixes: 0d45062cfc89 ("arm64: dts: marvell: Add device tree for uDPU board")
+Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
+Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi
++++ b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi
+@@ -26,6 +26,8 @@
+
+ leds {
+ compatible = "gpio-leds";
++ pinctrl-names = "default";
++ pinctrl-0 = <&spi_quad_pins>;
+
+ led-power1 {
+ label = "udpu:green:power";
+@@ -82,8 +84,6 @@
+
+ &spi0 {
+ status = "okay";
+- pinctrl-names = "default";
+- pinctrl-0 = <&spi_quad_pins>;
+
+ flash@0 {
+ compatible = "jedec,spi-nor";
+@@ -108,6 +108,10 @@
+ };
+ };
+
++&spi_quad_pins {
++ function = "gpio";
++};
++
+ &pinctrl_nb {
+ i2c2_recovery_pins: i2c2-recovery-pins {
+ groups = "i2c2";
--- /dev/null
+From 6692dbc15e5ed40a3aa037aced65d7b8826c58cd Mon Sep 17 00:00:00 2001
+From: "feijuan.li" <feijuan.li@samsung.com>
+Date: Wed, 14 May 2025 14:35:11 +0800
+Subject: drm/edid: fixed the bug that hdr metadata was not reset
+
+From: feijuan.li <feijuan.li@samsung.com>
+
+commit 6692dbc15e5ed40a3aa037aced65d7b8826c58cd upstream.
+
+When DP connected to a device with HDR capability,
+the hdr structure was filled.Then connected to another
+sink device without hdr capability, but the hdr info
+still exist.
+
+Fixes: e85959d6cbe0 ("drm: Parse HDR metadata info from EDID")
+Cc: <stable@vger.kernel.org> # v5.3+
+Signed-off-by: "feijuan.li" <feijuan.li@samsung.com>
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://lore.kernel.org/r/20250514063511.4151780-1-feijuan.li@samsung.com
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_edid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -6596,6 +6596,7 @@ static void drm_reset_display_info(struc
+ info->has_hdmi_infoframe = false;
+ info->rgb_quant_range_selectable = false;
+ memset(&info->hdmi, 0, sizeof(info->hdmi));
++ memset(&connector->hdr_sink_metadata, 0, sizeof(connector->hdr_sink_metadata));
+
+ info->edid_hdmi_rgb444_dc_modes = 0;
+ info->edid_hdmi_ycbcr444_dc_modes = 0;
--- /dev/null
+From 4e89a4077490f52cde652d17e32519b666abf3a6 Mon Sep 17 00:00:00 2001
+From: Vladimir Moskovkin <Vladimir.Moskovkin@kaspersky.com>
+Date: Wed, 14 May 2025 12:12:55 +0000
+Subject: platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vladimir Moskovkin <Vladimir.Moskovkin@kaspersky.com>
+
+commit 4e89a4077490f52cde652d17e32519b666abf3a6 upstream.
+
+If the 'buf' array received from the user contains an empty string, the
+'length' variable will be zero. Accessing the 'buf' array element with
+index 'length - 1' will result in a buffer overflow.
+
+Add a check for an empty string.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vladimir Moskovkin <Vladimir.Moskovkin@kaspersky.com>
+Link: https://lore.kernel.org/r/39973642a4f24295b4a8fad9109c5b08@kaspersky.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c
+@@ -45,7 +45,7 @@ static ssize_t current_password_store(st
+ int length;
+
+ length = strlen(buf);
+- if (buf[length-1] == '\n')
++ if (length && buf[length - 1] == '\n')
+ length--;
+
+ /* firmware does verifiation of min/max password length,
mmc-sdhci-of-dwcmshc-add-pd-workaround-on-rk3576.patch
pmdomain-renesas-rcar-remove-obsolete-nullify-checks.patch
pmdomain-core-fix-error-checking-in-genpd_dev_pm_attach_by_id.patch
+platform-x86-dell-wmi-sysman-avoid-buffer-overflow-in-current_password_store.patch
+thermal-intel-x86_pkg_temp_thermal-fix-bogus-trip-temperature.patch
+drm-edid-fixed-the-bug-that-hdr-metadata-was-not-reset.patch
+smb-client-fix-use-after-free-in-cifs_fill_dirent.patch
+arm64-dts-marvell-udpu-define-pinctrl-state-for-alarm-leds.patch
+smb-client-reset-all-search-buffer-pointers-when-releasing-buffer.patch
--- /dev/null
+From a7a8fe56e932a36f43e031b398aef92341bf5ea0 Mon Sep 17 00:00:00 2001
+From: Wang Zhaolong <wangzhaolong1@huawei.com>
+Date: Fri, 16 May 2025 17:12:55 +0800
+Subject: smb: client: Fix use-after-free in cifs_fill_dirent
+
+From: Wang Zhaolong <wangzhaolong1@huawei.com>
+
+commit a7a8fe56e932a36f43e031b398aef92341bf5ea0 upstream.
+
+There is a race condition in the readdir concurrency process, which may
+access the rsp buffer after it has been released, triggering the
+following KASAN warning.
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs]
+ Read of size 4 at addr ffff8880099b819c by task a.out/342975
+
+ CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full)
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x53/0x70
+ print_report+0xce/0x640
+ kasan_report+0xb8/0xf0
+ cifs_fill_dirent+0xb03/0xb60 [cifs]
+ cifs_readdir+0x12cb/0x3190 [cifs]
+ iterate_dir+0x1a1/0x520
+ __x64_sys_getdents+0x134/0x220
+ do_syscall_64+0x4b/0x110
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f996f64b9f9
+ Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89
+ f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
+ f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8
+ RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e
+ RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
+ RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88
+ R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000
+ </TASK>
+
+ Allocated by task 408:
+ kasan_save_stack+0x20/0x40
+ kasan_save_track+0x14/0x30
+ __kasan_slab_alloc+0x6e/0x70
+ kmem_cache_alloc_noprof+0x117/0x3d0
+ mempool_alloc_noprof+0xf2/0x2c0
+ cifs_buf_get+0x36/0x80 [cifs]
+ allocate_buffers+0x1d2/0x330 [cifs]
+ cifs_demultiplex_thread+0x22b/0x2690 [cifs]
+ kthread+0x394/0x720
+ ret_from_fork+0x34/0x70
+ ret_from_fork_asm+0x1a/0x30
+
+ Freed by task 342979:
+ kasan_save_stack+0x20/0x40
+ kasan_save_track+0x14/0x30
+ kasan_save_free_info+0x3b/0x60
+ __kasan_slab_free+0x37/0x50
+ kmem_cache_free+0x2b8/0x500
+ cifs_buf_release+0x3c/0x70 [cifs]
+ cifs_readdir+0x1c97/0x3190 [cifs]
+ iterate_dir+0x1a1/0x520
+ __x64_sys_getdents64+0x134/0x220
+ do_syscall_64+0x4b/0x110
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+ The buggy address belongs to the object at ffff8880099b8000
+ which belongs to the cache cifs_request of size 16588
+ The buggy address is located 412 bytes inside of
+ freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc)
+
+ The buggy address belongs to the physical page:
+ page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8
+ head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+ anon flags: 0x80000000000040(head|node=0|zone=1)
+ page_type: f5(slab)
+ raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
+ raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
+ head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001
+ head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000
+ head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff
+ head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ==================================================================
+
+POC is available in the link [1].
+
+The problem triggering process is as follows:
+
+Process 1 Process 2
+-----------------------------------------------------------------
+cifs_readdir
+ /* file->private_data == NULL */
+ initiate_cifs_search
+ cifsFile = kzalloc(sizeof(struct cifsFileInfo), GFP_KERNEL);
+ smb2_query_dir_first ->query_dir_first()
+ SMB2_query_directory
+ SMB2_query_directory_init
+ cifs_send_recv
+ smb2_parse_query_directory
+ srch_inf->ntwrk_buf_start = (char *)rsp;
+ srch_inf->srch_entries_start = (char *)rsp + ...
+ srch_inf->last_entry = (char *)rsp + ...
+ srch_inf->smallBuf = true;
+ find_cifs_entry
+ /* if (cfile->srch_inf.ntwrk_buf_start) */
+ cifs_small_buf_release(cfile->srch_inf // free
+
+ cifs_readdir ->iterate_shared()
+ /* file->private_data != NULL */
+ find_cifs_entry
+ /* in while (...) loop */
+ smb2_query_dir_next ->query_dir_next()
+ SMB2_query_directory
+ SMB2_query_directory_init
+ cifs_send_recv
+ compound_send_recv
+ smb_send_rqst
+ __smb_send_rqst
+ rc = -ERESTARTSYS;
+ /* if (fatal_signal_pending()) */
+ goto out;
+ return rc
+ /* if (cfile->srch_inf.last_entry) */
+ cifs_save_resume_key()
+ cifs_fill_dirent // UAF
+ /* if (rc) */
+ return -ENOENT;
+
+Fix this by ensuring the return code is checked before using pointers
+from the srch_inf.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220131 [1]
+Fixes: a364bc0b37f1 ("[CIFS] fix saving of resume key before CIFSFindNext")
+Cc: stable@vger.kernel.org
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/readdir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/client/readdir.c
++++ b/fs/smb/client/readdir.c
+@@ -756,11 +756,11 @@ find_cifs_entry(const unsigned int xid,
+ rc = server->ops->query_dir_next(xid, tcon, &cfile->fid,
+ search_flags,
+ &cfile->srch_inf);
++ if (rc)
++ return -ENOENT;
+ /* FindFirst/Next set last_entry to NULL on malformed reply */
+ if (cfile->srch_inf.last_entry)
+ cifs_save_resume_key(cfile->srch_inf.last_entry, cfile);
+- if (rc)
+- return -ENOENT;
+ }
+ if (index_to_find < cfile->srch_inf.index_of_last_entry) {
+ /* we found the buffer that contains the entry */
--- /dev/null
+From e48f9d849bfdec276eebf782a84fd4dfbe1c14c0 Mon Sep 17 00:00:00 2001
+From: Wang Zhaolong <wangzhaolong1@huawei.com>
+Date: Fri, 16 May 2025 17:12:56 +0800
+Subject: smb: client: Reset all search buffer pointers when releasing buffer
+
+From: Wang Zhaolong <wangzhaolong1@huawei.com>
+
+commit e48f9d849bfdec276eebf782a84fd4dfbe1c14c0 upstream.
+
+Multiple pointers in struct cifs_search_info (ntwrk_buf_start,
+srch_entries_start, and last_entry) point to the same allocated buffer.
+However, when freeing this buffer, only ntwrk_buf_start was set to NULL,
+while the other pointers remained pointing to freed memory.
+
+This is defensive programming to prevent potential issues with stale
+pointers. While the active UAF vulnerability is fixed by the previous
+patch, this change ensures consistent pointer state and more robust error
+handling.
+
+Signed-off-by: Wang Zhaolong <wangzhaolong1@huawei.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/readdir.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/smb/client/readdir.c
++++ b/fs/smb/client/readdir.c
+@@ -733,7 +733,10 @@ find_cifs_entry(const unsigned int xid,
+ else
+ cifs_buf_release(cfile->srch_inf.
+ ntwrk_buf_start);
++ /* Reset all pointers to the network buffer to prevent stale references */
+ cfile->srch_inf.ntwrk_buf_start = NULL;
++ cfile->srch_inf.srch_entries_start = NULL;
++ cfile->srch_inf.last_entry = NULL;
+ }
+ rc = initiate_cifs_search(xid, file, full_path);
+ if (rc) {
--- /dev/null
+From cf948c8e274e8b406e846cdf6cc48fe47f98cf57 Mon Sep 17 00:00:00 2001
+From: Zhang Rui <rui.zhang@intel.com>
+Date: Mon, 19 May 2025 15:09:01 +0800
+Subject: thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature
+
+From: Zhang Rui <rui.zhang@intel.com>
+
+commit cf948c8e274e8b406e846cdf6cc48fe47f98cf57 upstream.
+
+The tj_max value obtained from the Intel TCC library are in Celsius,
+whereas the thermal subsystem operates in milli-Celsius.
+
+This discrepancy leads to incorrect trip temperature calculations.
+
+Fix bogus trip temperature by converting tj_max to milli-Celsius Unit.
+
+Fixes: 8ef0ca4a177d ("Merge back other thermal control material for 6.3.")
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Reported-by: zhang ning <zhangn1985@outlook.com>
+Closes: https://lore.kernel.org/all/TY2PR01MB3786EF0FE24353026293F5ACCD97A@TY2PR01MB3786.jpnprd01.prod.outlook.com/
+Tested-by: zhang ning <zhangn1985@outlook.com>
+Cc: 6.3+ <stable@vger.kernel.org> # 6.3+
+Link: https://patch.msgid.link/20250519070901.1031233-1-rui.zhang@intel.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/intel/x86_pkg_temp_thermal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/thermal/intel/x86_pkg_temp_thermal.c
++++ b/drivers/thermal/intel/x86_pkg_temp_thermal.c
+@@ -329,6 +329,7 @@ static int pkg_temp_thermal_device_add(u
+ tj_max = intel_tcc_get_tjmax(cpu);
+ if (tj_max < 0)
+ return tj_max;
++ tj_max *= 1000;
+
+ zonedev = kzalloc(sizeof(*zonedev), GFP_KERNEL);
+ if (!zonedev)
projects / thirdparty / kernel / stable-queue.git / commitdiff
