From: Greg Kroah-Hartman Date: Sat, 6 Sep 2025 18:34:31 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v5.4.299~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=18cc9a3eb0560030c7d45b40fd5002a0d9f40257;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: accel-ivpu-prevent-recovery-work-from-being-queued-during-device-removal.patch acpi-iort-fix-memory-leak-in-iort_rmr_alloc_sids.patch alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch arm64-ftrace-fix-unreachable-plt-for-ftrace_caller-in-init_module-with-config_dynamic_ftrace.patch pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch --- diff --git a/queue-6.12/accel-ivpu-prevent-recovery-work-from-being-queued-during-device-removal.patch b/queue-6.12/accel-ivpu-prevent-recovery-work-from-being-queued-during-device-removal.patch new file mode 100644 index 0000000000..714df4e342 --- /dev/null +++ b/queue-6.12/accel-ivpu-prevent-recovery-work-from-being-queued-during-device-removal.patch @@ -0,0 +1,68 @@ +From 69a79ada8eb034ce016b5b78fb7d08d8687223de Mon Sep 17 00:00:00 2001 +From: Karol Wachowski +Date: Fri, 8 Aug 2025 13:09:39 +0200 +Subject: accel/ivpu: Prevent recovery work from being queued during device removal + +From: Karol Wachowski + +commit 69a79ada8eb034ce016b5b78fb7d08d8687223de upstream. + +Use disable_work_sync() instead of cancel_work_sync() in ivpu_dev_fini() +to ensure that no new recovery work items can be queued after device +removal has started. Previously, recovery work could be scheduled even +after canceling existing work, potentially leading to use-after-free +bugs if recovery accessed freed resources. + +Rename ivpu_pm_cancel_recovery() to ivpu_pm_disable_recovery() to better +reflect its new behavior. + +Fixes: 58cde80f45a2 ("accel/ivpu: Use dedicated work for job timeout detection") +Cc: stable@vger.kernel.org # v6.8+ +Signed-off-by: Karol Wachowski +Reviewed-by: Lizhi Hou +Signed-off-by: Jacek Lawrynowicz +Link: https://lore.kernel.org/r/20250808110939.328366-1-jacek.lawrynowicz@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accel/ivpu/ivpu_drv.c | 2 +- + drivers/accel/ivpu/ivpu_pm.c | 4 ++-- + drivers/accel/ivpu/ivpu_pm.h | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/accel/ivpu/ivpu_drv.c ++++ b/drivers/accel/ivpu/ivpu_drv.c +@@ -689,7 +689,7 @@ static void ivpu_bo_unbind_all_user_cont + static void ivpu_dev_fini(struct ivpu_device *vdev) + { + ivpu_jobs_abort_all(vdev); +- ivpu_pm_cancel_recovery(vdev); ++ ivpu_pm_disable_recovery(vdev); + ivpu_pm_disable(vdev); + ivpu_prepare_for_reset(vdev); + ivpu_shutdown(vdev); +--- a/drivers/accel/ivpu/ivpu_pm.c ++++ b/drivers/accel/ivpu/ivpu_pm.c +@@ -382,10 +382,10 @@ void ivpu_pm_init(struct ivpu_device *vd + ivpu_dbg(vdev, PM, "Autosuspend delay = %d\n", delay); + } + +-void ivpu_pm_cancel_recovery(struct ivpu_device *vdev) ++void ivpu_pm_disable_recovery(struct ivpu_device *vdev) + { + drm_WARN_ON(&vdev->drm, delayed_work_pending(&vdev->pm->job_timeout_work)); +- cancel_work_sync(&vdev->pm->recovery_work); ++ disable_work_sync(&vdev->pm->recovery_work); + } + + void ivpu_pm_enable(struct ivpu_device *vdev) +--- a/drivers/accel/ivpu/ivpu_pm.h ++++ b/drivers/accel/ivpu/ivpu_pm.h +@@ -25,7 +25,7 @@ struct ivpu_pm_info { + void ivpu_pm_init(struct ivpu_device *vdev); + void ivpu_pm_enable(struct ivpu_device *vdev); + void ivpu_pm_disable(struct ivpu_device *vdev); +-void ivpu_pm_cancel_recovery(struct ivpu_device *vdev); ++void ivpu_pm_disable_recovery(struct ivpu_device *vdev); + + int ivpu_pm_suspend_cb(struct device *dev); + int ivpu_pm_resume_cb(struct device *dev); diff --git a/queue-6.12/acpi-iort-fix-memory-leak-in-iort_rmr_alloc_sids.patch b/queue-6.12/acpi-iort-fix-memory-leak-in-iort_rmr_alloc_sids.patch new file mode 100644 index 0000000000..4fffcc68fe --- /dev/null +++ b/queue-6.12/acpi-iort-fix-memory-leak-in-iort_rmr_alloc_sids.patch @@ -0,0 +1,39 @@ +From f3ef7110924b897f4b79db9f7ac75d319ec09c4a Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Thu, 28 Aug 2025 19:22:43 +0800 +Subject: ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() + +From: Miaoqian Lin + +commit f3ef7110924b897f4b79db9f7ac75d319ec09c4a upstream. + +If krealloc_array() fails in iort_rmr_alloc_sids(), the function returns +NULL but does not free the original 'sids' allocation. This results in a +memory leak since the caller overwrites the original pointer with the +NULL return value. + +Fixes: 491cf4a6735a ("ACPI/IORT: Add support to retrieve IORT RMR reserved regions") +Cc: # 6.0.x +Signed-off-by: Miaoqian Lin +Reviewed-by: Hanjun Guo +Link: https://lore.kernel.org/r/20250828112243.61460-1-linmq006@gmail.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/arm64/iort.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/arm64/iort.c ++++ b/drivers/acpi/arm64/iort.c +@@ -937,8 +937,10 @@ static u32 *iort_rmr_alloc_sids(u32 *sid + + new_sids = krealloc_array(sids, count + new_count, + sizeof(*new_sids), GFP_KERNEL); +- if (!new_sids) ++ if (!new_sids) { ++ kfree(sids); + return NULL; ++ } + + for (i = count; i < total_count; i++) + new_sids[i] = id_start++; diff --git a/queue-6.12/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch b/queue-6.12/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch new file mode 100644 index 0000000000..76d7cc04d6 --- /dev/null +++ b/queue-6.12/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch @@ -0,0 +1,37 @@ +From 9c6182843b0d02ca04cc1d946954a65a2286c7db Mon Sep 17 00:00:00 2001 +From: Cryolitia PukNgae +Date: Fri, 22 Aug 2025 20:58:08 +0800 +Subject: ALSA: usb-audio: Add mute TLV for playback volumes on some devices + +From: Cryolitia PukNgae + +commit 9c6182843b0d02ca04cc1d946954a65a2286c7db upstream. + +Applying the quirk of that, the lowest Playback mixer volume setting +mutes the audio output, on more devices. + +Link: https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/2514 +Cc: +Tested-by: Guoli An +Signed-off-by: Cryolitia PukNgae +Link: https://patch.msgid.link/20250822-mixer-quirk-v1-1-b19252239c1c@uniontech.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -4212,9 +4212,11 @@ void snd_usb_mixer_fu_apply_quirk(struct + snd_dragonfly_quirk_db_scale(mixer, cval, kctl); + break; + /* lowest playback value is muted on some devices */ ++ case USB_ID(0x0572, 0x1b09): /* Conexant Systems (Rockwell), Inc. */ + case USB_ID(0x0d8c, 0x000c): /* C-Media */ + case USB_ID(0x0d8c, 0x0014): /* C-Media */ + case USB_ID(0x19f7, 0x0003): /* RODE NT-USB */ ++ case USB_ID(0x2d99, 0x0026): /* HECATE G2 GAMING HEADSET */ + if (strstr(kctl->id.name, "Playback")) + cval->min_mute = 1; + break; diff --git a/queue-6.12/arm64-ftrace-fix-unreachable-plt-for-ftrace_caller-in-init_module-with-config_dynamic_ftrace.patch b/queue-6.12/arm64-ftrace-fix-unreachable-plt-for-ftrace_caller-in-init_module-with-config_dynamic_ftrace.patch new file mode 100644 index 0000000000..28f59e4b29 --- /dev/null +++ b/queue-6.12/arm64-ftrace-fix-unreachable-plt-for-ftrace_caller-in-init_module-with-config_dynamic_ftrace.patch @@ -0,0 +1,149 @@ +From a7ed7b9d0ebb038db9963d574da0311cab0b666a Mon Sep 17 00:00:00 2001 +From: panfan +Date: Thu, 4 Sep 2025 20:22:36 -0700 +Subject: arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module with CONFIG_DYNAMIC_FTRACE + +From: panfan + +commit a7ed7b9d0ebb038db9963d574da0311cab0b666a upstream. + +On arm64, it has been possible for a module's sections to be placed more +than 128M away from each other since commit: + + commit 3e35d303ab7d ("arm64: module: rework module VA range selection") + +Due to this, an ftrace callsite in a module's .init.text section can be +out of branch range for the module's ftrace PLT entry (in the module's +.text section). Any attempt to enable tracing of that callsite will +result in a BRK being patched into the callsite, resulting in a fatal +exception when the callsite is later executed. + +Fix this by adding an additional trampoline for .init.text, which will +be within range. + +No additional trampolines are necessary due to the way a given +module's executable sections are packed together. Any executable +section beginning with ".init" will be placed in MOD_INIT_TEXT, +and any other executable section, including those beginning with ".exit", + will be placed in MOD_TEXT. + +Fixes: 3e35d303ab7d ("arm64: module: rework module VA range selection") +Cc: # 6.5.x +Signed-off-by: panfan +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20250905032236.3220885-1-panfan@qti.qualcomm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/module.h | 1 + + arch/arm64/include/asm/module.lds.h | 1 + + arch/arm64/kernel/ftrace.c | 13 ++++++++++--- + arch/arm64/kernel/module-plts.c | 12 +++++++++++- + arch/arm64/kernel/module.c | 11 +++++++++++ + 5 files changed, 34 insertions(+), 4 deletions(-) + +--- a/arch/arm64/include/asm/module.h ++++ b/arch/arm64/include/asm/module.h +@@ -19,6 +19,7 @@ struct mod_arch_specific { + + /* for CONFIG_DYNAMIC_FTRACE */ + struct plt_entry *ftrace_trampolines; ++ struct plt_entry *init_ftrace_trampolines; + }; + + u64 module_emit_plt_entry(struct module *mod, Elf64_Shdr *sechdrs, +--- a/arch/arm64/include/asm/module.lds.h ++++ b/arch/arm64/include/asm/module.lds.h +@@ -2,6 +2,7 @@ SECTIONS { + .plt 0 : { BYTE(0) } + .init.plt 0 : { BYTE(0) } + .text.ftrace_trampoline 0 : { BYTE(0) } ++ .init.text.ftrace_trampoline 0 : { BYTE(0) } + + #ifdef CONFIG_KASAN_SW_TAGS + /* +--- a/arch/arm64/kernel/ftrace.c ++++ b/arch/arm64/kernel/ftrace.c +@@ -195,10 +195,17 @@ int ftrace_update_ftrace_func(ftrace_fun + return ftrace_modify_code(pc, 0, new, false); + } + +-static struct plt_entry *get_ftrace_plt(struct module *mod) ++static struct plt_entry *get_ftrace_plt(struct module *mod, unsigned long addr) + { + #ifdef CONFIG_MODULES +- struct plt_entry *plt = mod->arch.ftrace_trampolines; ++ struct plt_entry *plt = NULL; ++ ++ if (within_module_mem_type(addr, mod, MOD_INIT_TEXT)) ++ plt = mod->arch.init_ftrace_trampolines; ++ else if (within_module_mem_type(addr, mod, MOD_TEXT)) ++ plt = mod->arch.ftrace_trampolines; ++ else ++ return NULL; + + return &plt[FTRACE_PLT_IDX]; + #else +@@ -270,7 +277,7 @@ static bool ftrace_find_callable_addr(st + if (WARN_ON(!mod)) + return false; + +- plt = get_ftrace_plt(mod); ++ plt = get_ftrace_plt(mod, pc); + if (!plt) { + pr_err("ftrace: no module PLT for %ps\n", (void *)*addr); + return false; +--- a/arch/arm64/kernel/module-plts.c ++++ b/arch/arm64/kernel/module-plts.c +@@ -283,7 +283,7 @@ int module_frob_arch_sections(Elf_Ehdr * + unsigned long core_plts = 0; + unsigned long init_plts = 0; + Elf64_Sym *syms = NULL; +- Elf_Shdr *pltsec, *tramp = NULL; ++ Elf_Shdr *pltsec, *tramp = NULL, *init_tramp = NULL; + int i; + + /* +@@ -298,6 +298,9 @@ int module_frob_arch_sections(Elf_Ehdr * + else if (!strcmp(secstrings + sechdrs[i].sh_name, + ".text.ftrace_trampoline")) + tramp = sechdrs + i; ++ else if (!strcmp(secstrings + sechdrs[i].sh_name, ++ ".init.text.ftrace_trampoline")) ++ init_tramp = sechdrs + i; + else if (sechdrs[i].sh_type == SHT_SYMTAB) + syms = (Elf64_Sym *)sechdrs[i].sh_addr; + } +@@ -363,5 +366,12 @@ int module_frob_arch_sections(Elf_Ehdr * + tramp->sh_size = NR_FTRACE_PLTS * sizeof(struct plt_entry); + } + ++ if (init_tramp) { ++ init_tramp->sh_type = SHT_NOBITS; ++ init_tramp->sh_flags = SHF_EXECINSTR | SHF_ALLOC; ++ init_tramp->sh_addralign = __alignof__(struct plt_entry); ++ init_tramp->sh_size = NR_FTRACE_PLTS * sizeof(struct plt_entry); ++ } ++ + return 0; + } +--- a/arch/arm64/kernel/module.c ++++ b/arch/arm64/kernel/module.c +@@ -453,6 +453,17 @@ static int module_init_ftrace_plt(const + __init_plt(&plts[FTRACE_PLT_IDX], FTRACE_ADDR); + + mod->arch.ftrace_trampolines = plts; ++ ++ s = find_section(hdr, sechdrs, ".init.text.ftrace_trampoline"); ++ if (!s) ++ return -ENOEXEC; ++ ++ plts = (void *)s->sh_addr; ++ ++ __init_plt(&plts[FTRACE_PLT_IDX], FTRACE_ADDR); ++ ++ mod->arch.init_ftrace_trampolines = plts; ++ + #endif + return 0; + } diff --git a/queue-6.12/pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch b/queue-6.12/pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch new file mode 100644 index 0000000000..bef4d65120 --- /dev/null +++ b/queue-6.12/pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch @@ -0,0 +1,37 @@ +From 44822df89e8f3386871d9cad563ece8e2fd8f0e7 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 12 Aug 2025 15:25:09 +0800 +Subject: pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() + +From: Ma Ke + +commit 44822df89e8f3386871d9cad563ece8e2fd8f0e7 upstream. + +In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to +res and used in pci_bus_alloc_resource(). There is a dereference of res +in pci_bus_alloc_resource(), which could lead to a NULL pointer +dereference on failure of pcmcia_make_resource(). + +Fix this bug by adding a check of res. + +Cc: stable@vger.kernel.org +Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module") +Signed-off-by: Ma Ke +Signed-off-by: Dominik Brodowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pcmcia/rsrc_iodyn.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/pcmcia/rsrc_iodyn.c ++++ b/drivers/pcmcia/rsrc_iodyn.c +@@ -62,6 +62,9 @@ static struct resource *__iodyn_find_io_ + unsigned long min = base; + int ret; + ++ if (!res) ++ return NULL; ++ + data.mask = align - 1; + data.offset = base & data.mask; + diff --git a/queue-6.12/series b/queue-6.12/series index e2d8e7e092..9be7293951 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -88,3 +88,8 @@ net-xilinx-axienet-add-error-handling-for-rx-metadat.patch ppp-fix-memory-leak-in-pad_compress_skb.patch selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch +alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch +accel-ivpu-prevent-recovery-work-from-being-queued-during-device-removal.patch +acpi-iort-fix-memory-leak-in-iort_rmr_alloc_sids.patch +arm64-ftrace-fix-unreachable-plt-for-ftrace_caller-in-init_module-with-config_dynamic_ftrace.patch +pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch