From: Greg Kroah-Hartman
Date: Mon, 18 Aug 2025 11:21:57 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v6.12.43~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=12822b8a605b6201fe2dbd8619125a6c828040bc;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch
media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch
media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch
mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch
mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch
parisc-makefile-fix-a-typo-in-palo.conf.patch
---
diff --git a/queue-5.15/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch b/queue-5.15/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch
new file mode 100644
index 0000000000..f02a8a65b7
--- /dev/null
+++ b/queue-5.15/fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch
@@ -0,0 +1,69 @@
+From af0db3c1f898144846d4c172531a199bb3ca375d Mon Sep 17 00:00:00 2001
+From: Sravan Kumar Gundu
+Date: Thu, 31 Jul 2025 15:36:18 -0500
+Subject: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
+
+From: Sravan Kumar Gundu
+
+commit af0db3c1f898144846d4c172531a199bb3ca375d upstream.
+
+This issue triggers when a userspace program does an ioctl
+FBIOPUT_CON2FBMAP by passing console number and frame buffer number.
+Ideally this maps console to frame buffer and updates the screen if
+console is visible.
+
+As part of mapping it has to do resize of console according to frame
+buffer info. if this resize fails and returns from vc_do_resize() and
+continues further. At this point console and new frame buffer are mapped
+and sets display vars. Despite failure still it continue to proceed
+updating the screen at later stages where vc_data is related to previous
+frame buffer and frame buffer info and display vars are mapped to new
+frame buffer and eventully leading to out-of-bounds write in
+fast_imageblit(). This bheviour is excepted only when fg_console is
+equal to requested console which is a visible console and updates screen
+with invalid struct references in fbcon_putcs().
+
+Reported-and-tested-by: syzbot+c4b7aa0513823e2ea880@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c4b7aa0513823e2ea880
+Signed-off-by: Sravan Kumar Gundu
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/core/fbcon.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/fbdev/core/fbcon.c
++++ b/drivers/video/fbdev/core/fbcon.c
+@@ -804,7 +804,8 @@ static void con2fb_init_display(struct v
+ fg_vc->vc_rows);
+ }
+
+- update_screen(vc_cons[fg_console].d);
++ if (fg_console != unit)
++ update_screen(vc_cons[fg_console].d);
+ }
+
+ /**
+@@ -1342,6 +1343,7 @@ static void fbcon_set_disp(struct fb_inf
+ struct vc_data *svc;
+ struct fbcon_ops *ops = info->fbcon_par;
+ int rows, cols;
++ unsigned long ret = 0;
+
+ p = &fb_display[unit];
+
+@@ -1392,11 +1394,10 @@ static void fbcon_set_disp(struct fb_inf
+ rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres);
+ cols /= vc->vc_font.width;
+ rows /= vc->vc_font.height;
+- vc_resize(vc, cols, rows);
++ ret = vc_resize(vc, cols, rows);
+
+- if (con_is_visible(vc)) {
++ if (con_is_visible(vc) && !ret)
+ update_screen(vc);
+- }
+ }
+
+ static __inline__ void ywrap_up(struct vc_data *vc, int count)
diff --git a/queue-5.15/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch b/queue-5.15/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch
new file mode 100644
index 0000000000..f2a8895951
--- /dev/null
+++ b/queue-5.15/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch
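Review bot: `unsigned long ret = 0;` in fbcon_set_disp() holds the return value of vc_resize(), which in the vt core is an int (0 or a negative errno); the negative value survives the conversion as a large non-zero number, so `!ret` still behaves, but the type hides the sign and disagrees with the callee. Declaring it as `int ret = 0;` matches vc_resize() and keeps any later `if (ret < 0)` style check from silently never firing. The companion change in con2fb_init_display(), `if (fg_console != unit)`, reads consistently with the goal of not redrawing a console whose resize was not completed, as far as this hunk shows. fbcon_set_disp() itself starts and ends outside the hunk.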
@@ -0,0 +1,58 @@
+From bda2859bff0b9596a19648f3740c697ce4c71496 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda
+Date: Mon, 7 Jul 2025 18:34:01 +0000
+Subject: media: uvcvideo: Do not mark valid metadata as invalid
+
+From: Ricardo Ribalda
+
+commit bda2859bff0b9596a19648f3740c697ce4c71496 upstream.
+
+Currently, the driver performs a length check of the metadata buffer
+before the actual metadata size is known and before the metadata is
+decided to be copied. This results in valid metadata buffers being
+incorrectly marked as invalid.
+
+Move the length check to occur after the metadata size is determined and
+is decided to be copied.
+
+Cc: stable@vger.kernel.org
+Fixes: 088ead255245 ("media: uvcvideo: Add a metadata device node")
+Reviewed-by: Laurent Pinchart
+Reviewed-by: Hans de Goede
+Signed-off-by: Ricardo Ribalda
+Link: https://lore.kernel.org/r/20250707-uvc-meta-v8-1-ed17f8b1218b@chromium.org
+Signed-off-by: Hans de Goede
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/uvc/uvc_video.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -1335,12 +1335,6 @@ static void uvc_video_decode_meta(struct
+ if (!meta_buf || length == 2)
+ return;
+
+- if (meta_buf->length - meta_buf->bytesused <
+- length + sizeof(meta->ns) + sizeof(meta->sof)) {
+- meta_buf->error = 1;
+- return;
+- }
+-
+ has_pts = mem[1] & UVC_STREAM_PTS;
+ has_scr = mem[1] & UVC_STREAM_SCR;
+
+@@ -1361,6 +1355,12 @@ static void uvc_video_decode_meta(struct
+ !memcmp(scr, stream->clock.last_scr, 6)))
+ return;
+
++ if (meta_buf->length - meta_buf->bytesused <
++ length + sizeof(meta->ns) + sizeof(meta->sof)) {
++ meta_buf->error = 1;
++ return;
++ }
++
+ meta = (struct uvc_meta_buf *)((u8 *)meta_buf->mem + meta_buf->bytesused);
+ local_irq_save(flags);
+ time = uvc_video_get_time();
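Review bot: The relocated space check in uvc_video_decode_meta() now sits after the early return for a repeated SCR, but nothing at the new site says why it must come after that return rather than before the header is parsed, which is the whole point of the change. A short comment such as `/* Check for space only once we know this metadata will be copied. */` above the `if (meta_buf->length - meta_buf->bytesused <` line would stop a later cleanup from hoisting it back up and reintroducing the spurious error marking. The function starts and ends outside the hunk.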
diff --git a/queue-5.15/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch b/queue-5.15/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch
new file mode 100644
index 0000000000..c22c8a49e8
--- /dev/null
+++ b/queue-5.15/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch
@@ -0,0 +1,43 @@
+From 782b6a718651eda3478b1824b37a8b3185d2740c Mon Sep 17 00:00:00 2001
+From: Youngjun Lee
+Date: Tue, 10 Jun 2025 21:41:07 +0900
+Subject: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
+
+From: Youngjun Lee
+
+commit 782b6a718651eda3478b1824b37a8b3185d2740c upstream.
+
+The buffer length check before calling uvc_parse_format() only ensured
+that the buffer has at least 3 bytes (buflen > 2), buf the function
+accesses buffer[3], requiring at least 4 bytes.
+
+This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
+
+Fix it by checking that the buffer has at least 4 bytes in
+uvc_parse_format().
+
+Signed-off-by: Youngjun Lee
+Reviewed-by: Laurent Pinchart
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ricardo Ribalda
+Link: https://lore.kernel.org/r/20250610124107.37360-1-yjjuny.lee@samsung.com
+Signed-off-by: Laurent Pinchart
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/uvc/uvc_driver.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -512,6 +512,9 @@ static int uvc_parse_format(struct uvc_d
+ unsigned int i, n;
+ u8 ftype;
+
++ if (buflen < 4)
++ return -EINVAL;
++
+ format->type = buffer[2];
+ format->index = buffer[3];
+
diff --git a/queue-5.15/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch b/queue-5.15/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch
new file mode 100644
index 0000000000..d6c8fab45f
--- /dev/null
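Review bot: `if (buflen < 4) return -EINVAL;` uses a bare 4 whose meaning is only recoverable from the two reads that follow it; a comment tying the bound to those reads, e.g. `/* format->type and format->index read buffer[2] and buffer[3] below */`, would make the check self-explaining and harder to break when fields are added. The rest of uvc_parse_format() lies outside the hunk, so whether the later per-type reads beyond buffer[3] are covered by their own length checks cannot be confirmed here. As far as the hunk shows the guard is a minimal fix for the 3-byte case described in the log.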
+++ b/queue-5.15/mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch 
@@ -0,0 +1,64 @@
+From 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 Mon Sep 17 00:00:00 2001
+From: Breno Leitao
+Date: Thu, 31 Jul 2025 02:57:18 -0700
+Subject: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock
+
+From: Breno Leitao
+
+commit 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 upstream.
+
+When netpoll is enabled, calling pr_warn_once() while holding
+kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock
+inversion with the netconsole subsystem. This occurs because
+pr_warn_once() may trigger netpoll, which eventually leads to
+__alloc_skb() and back into kmemleak code, attempting to reacquire
+kmemleak_lock.
+
+This is the path for the deadlock.
+
+mem_pool_alloc()
+ -> raw_spin_lock_irqsave(&kmemleak_lock, flags);
+ -> pr_warn_once()
+ -> netconsole subsystem
+ -> netpoll
+ -> __alloc_skb
+ -> __create_object
+ -> raw_spin_lock_irqsave(&kmemleak_lock, flags);
+
+Fix this by setting a flag and issuing the pr_warn_once() after
+kmemleak_lock is released.
+
+Link: https://lkml.kernel.org/r/20250731-kmemleak_lock-v1-1-728fd470198f@debian.org
+Fixes: c5665868183f ("mm: kmemleak: use the memory pool for early allocations")
+Signed-off-by: Breno Leitao
+Reported-by: Jakub Kicinski
+Acked-by: Catalin Marinas
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/kmemleak.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -419,6 +419,7 @@ static struct kmemleak_object *mem_pool_
+ {
+ unsigned long flags;
+ struct kmemleak_object *object;
++ bool warn = false;
+
+ /* try the slab allocator first */
+ if (object_cache) {
+@@ -436,8 +437,10 @@ static struct kmemleak_object *mem_pool_
+ else if (mem_pool_free_count)
+ object = &mem_pool[--mem_pool_free_count];
+ else
+- pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
++ warn = true;
+ raw_spin_unlock_irqrestore(&kmemleak_lock, flags);
++ if (warn)
++ pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
+
+ return object;
+ }
diff --git a/queue-5.15/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch b/queue-5.15/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch
new file mode 100644
index 0000000000..03436414b5
--- /dev/null
+++ b/queue-5.15/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch
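Review bot: `bool warn = false;` and the deferred `if (warn) pr_warn_once(...)` in mem_pool_alloc() carry no comment explaining why the message is not printed at the point where the empty pool is detected; the reason (pr_warn_once() can reach netpoll, which allocates and re-enters kmemleak under kmemleak_lock) lives only in the commit message and will not be visible to the next person who tidies the else branch. Suggest `/* Print after dropping kmemleak_lock: the console path may allocate and re-enter kmemleak. */` directly above the `if (warn)` line. The beginning of mem_pool_alloc() is outside the hunk.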
@@ -0,0 +1,66 @@
+From d1534ae23c2b6be350c8ab060803fbf6e9682adc Mon Sep 17 00:00:00 2001
+From: Waiman Long
+Date: Mon, 28 Jul 2025 15:02:48 -0400
+Subject: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()
+
+From: Waiman Long
+
+commit d1534ae23c2b6be350c8ab060803fbf6e9682adc upstream.
+
+A soft lockup warning was observed on a relative small system x86-64
+system with 16 GB of memory when running a debug kernel with kmemleak
+enabled.
+
+ watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]
+
+The test system was running a workload with hot unplug happening in
+parallel. Then kemleak decided to disable itself due to its inability to
+allocate more kmemleak objects. The debug kernel has its
+CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.
+
+The soft lockup happened in kmemleak_do_cleanup() when the existing
+kmemleak objects were being removed and deleted one-by-one in a loop via a
+workqueue. In this particular case, there are at least 40,000 objects
+that need to be processed and given the slowness of a debug kernel and the
+fact that a raw_spinlock has to be acquired and released in
+__delete_object(), it could take a while to properly handle all these
+objects.
+
+As kmemleak has been disabled in this case, the object removal and
+deletion process can be further optimized as locking isn't really needed.
+However, it is probably not worth the effort to optimize for such an edge
+case that should rarely happen. So the simple solution is to call
+cond_resched() at periodic interval in the iteration loop to avoid soft
+lockup.
+
+Link: https://lkml.kernel.org/r/20250728190248.605750-1-longman@redhat.com
+Signed-off-by: Waiman Long
+Acked-by: Catalin Marinas
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/kmemleak.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -1859,6 +1859,7 @@ static const struct file_operations kmem
+ static void __kmemleak_do_cleanup(void)
+ {
+ struct kmemleak_object *object, *tmp;
++ unsigned int cnt = 0;
+
+ /*
+ * Kmemleak has already been disabled, no need for RCU list traversal
+@@ -1867,6 +1868,10 @@ static void __kmemleak_do_cleanup(void)
+ list_for_each_entry_safe(object, tmp, &object_list, object_list) {
+ __remove_object(object);
+ __delete_object(object);
++
++ /* Call cond_resched() once per 64 iterations to avoid soft lockup */
++ if (!(++cnt & 0x3f))
++ cond_resched();
+ }
+ }
+
diff --git a/queue-5.15/parisc-makefile-fix-a-typo-in-palo.conf.patch b/queue-5.15/parisc-makefile-fix-a-typo-in-palo.conf.patch
new file mode 100644
index 0000000000..1dcca4b9a8
--- /dev/null
+++ b/queue-5.15/parisc-makefile-fix-a-typo-in-palo.conf.patch
@@ -0,0 +1,35 @@
+From 963f1b20a8d2a098954606b9725cd54336a2a86c Mon Sep 17 00:00:00 2001
+From: Randy Dunlap
+Date: Wed, 25 Jun 2025 00:39:33 -0700
+Subject: parisc: Makefile: fix a typo in palo.conf
+
+From: Randy Dunlap
+
+commit 963f1b20a8d2a098954606b9725cd54336a2a86c upstream.
+
+Correct "objree" to "objtree". "objree" is not defined.
+
+Fixes: 75dd47472b92 ("kbuild: remove src and obj from the top Makefile")
+Signed-off-by: Randy Dunlap
+Cc: Masahiro Yamada
+Cc: "James E.J. Bottomley"
+Cc: Helge Deller
+Cc: linux-parisc@vger.kernel.org
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org # v5.3+
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/Makefile
++++ b/arch/parisc/Makefile
+@@ -136,7 +136,7 @@ palo lifimage: vmlinuz
+ fi
+ @if test ! -f "$(PALOCONF)"; then \
+ cp $(srctree)/arch/parisc/defpalo.conf $(objtree)/palo.conf; \
+- echo 'A generic palo config file ($(objree)/palo.conf) has been created for you.'; \
++ echo 'A generic palo config file ($(objtree)/palo.conf) has been created for you.'; \
+ echo 'You should check it and re-run "make palo".'; \
+ echo 'WARNING: the "lifimage" file is now placed in this directory by default!'; \
+ false; \
diff --git a/queue-5.15/series b/queue-5.15/series
index d104fd17ea..a66b4f4c9c 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -447,3 +447,9 @@ thunderbolt-fix-copy-paste-error-in-match_service_id.patch
 cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch
 btrfs-fix-log-tree-replay-failure-due-to-file-with-0-links-and-extents.patch
 btrfs-do-not-allow-relocation-of-partially-dropped-subvolumes.patch
+fbdev-fix-vmalloc-out-of-bounds-write-in-fast_imageblit.patch
+parisc-makefile-fix-a-typo-in-palo.conf.patch
+mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch
+mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch
+media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch
+media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch