From: Greg Kroah-Hartman Date: Thu, 21 Aug 2025 13:41:39 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.16.3~81 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c1807619621a8521a6094d532de38655bcd5b80;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch media-gspca-add-bounds-checking-to-firmware-parser.patch media-hi556-correct-the-test-pattern-configuration.patch media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch media-ov2659-fix-memory-leaks-in-ov2659_probe.patch media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch media-usbtv-lock-resolution-while-streaming.patch media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch media-vivid-fix-wrong-pixel_array-control-size.patch mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch mtd-rawnand-renesas-add-missing-check-after-dma-map.patch mtd-spi-nor-fix-spi_nor_try_unlock_all.patch mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch parisc-revise-__get_user-to-probe-user-read-access.patch parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch parisc-update-comments-in-make_insert_tlb.patch pci-endpoint-fix-configfs-group-list-head-handling.patch pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch vsock-virtio-validate-length-in-packet-header-before-skb_put.patch --- diff --git a/queue-6.1/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch b/queue-6.1/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch new file mode 100644 index 0000000000..27bc392928 --- /dev/null +++ b/queue-6.1/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch @@ -0,0 +1,73 @@ +From 9d98cf4632258720f18265a058e62fde120c0151 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Tue, 12 Aug 2025 14:37:52 +0800 +Subject: jbd2: prevent softlockup in jbd2_log_do_checkpoint() + +From: Baokun Li + +commit 9d98cf4632258720f18265a058e62fde120c0151 upstream. + +Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() +periodically release j_list_lock after processing a batch of buffers to +avoid long hold times on the j_list_lock. However, since both functions +contend for j_list_lock, the combined time spent waiting and processing +can be significant. + +jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when +need_resched() is true to avoid softlockups during prolonged operations. +But jbd2_log_do_checkpoint() only exits its loop when need_resched() is +true, relying on potentially sleeping functions like __flush_batch() or +wait_on_buffer() to trigger rescheduling. If those functions do not sleep, +the kernel may hit a softlockup. + +watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373] +CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10 +Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017 +Workqueue: writeback wb_workfn (flush-7:2) +pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : native_queued_spin_lock_slowpath+0x358/0x418 +lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2] +Call trace: + native_queued_spin_lock_slowpath+0x358/0x418 + jbd2_log_do_checkpoint+0x31c/0x438 [jbd2] + __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2] + add_transaction_credits+0x3bc/0x418 [jbd2] + start_this_handle+0xf8/0x560 [jbd2] + jbd2__journal_start+0x118/0x228 [jbd2] + __ext4_journal_start_sb+0x110/0x188 [ext4] + ext4_do_writepages+0x3dc/0x740 [ext4] + ext4_writepages+0xa4/0x190 [ext4] + do_writepages+0x94/0x228 + __writeback_single_inode+0x48/0x318 + writeback_sb_inodes+0x204/0x590 + __writeback_inodes_wb+0x54/0xf8 + wb_writeback+0x2cc/0x3d8 + wb_do_writeback+0x2e0/0x2f8 + wb_workfn+0x80/0x2a8 + process_one_work+0x178/0x3e8 + worker_thread+0x234/0x3b8 + kthread+0xf0/0x108 + ret_from_fork+0x10/0x20 + +So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid +softlockup. + +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Link: https://patch.msgid.link/20250812063752.912130-1-libaokun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/checkpoint.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -297,6 +297,7 @@ restart: + retry: + if (batch_count) + __flush_batch(journal, &batch_count); ++ cond_resched(); + spin_lock(&journal->j_list_lock); + goto restart; + } diff --git a/queue-6.1/media-gspca-add-bounds-checking-to-firmware-parser.patch b/queue-6.1/media-gspca-add-bounds-checking-to-firmware-parser.patch new file mode 100644 index 0000000000..8939ed836f --- /dev/null +++ b/queue-6.1/media-gspca-add-bounds-checking-to-firmware-parser.patch @@ -0,0 +1,56 @@ +From aef89c0b2417da79cb2062a95476288f9f203ab0 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 28 May 2025 23:22:14 +0300 +Subject: media: gspca: Add bounds checking to firmware parser + +From: Dan Carpenter + +commit aef89c0b2417da79cb2062a95476288f9f203ab0 upstream. + +This sd_init() function reads the firmware. The firmware data holds a +series of records and the function reads each record and sends the data +to the device. The request_ihex_firmware() function +calls ihex_validate_fw() which ensures that the total length of all the +records won't read out of bounds of the fw->data[]. + +However, a potential issue is if there is a single very large +record (larger than PAGE_SIZE) and that would result in memory +corruption. Generally we trust the firmware, but it's always better to +double check. + +Fixes: 49b61ec9b5af ("[media] gspca: Add new vicam subdriver") +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/gspca/vicam.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/gspca/vicam.c ++++ b/drivers/media/usb/gspca/vicam.c +@@ -227,6 +227,7 @@ static int sd_init(struct gspca_dev *gsp + const struct ihex_binrec *rec; + const struct firmware *fw; + u8 *firmware_buf; ++ int len; + + ret = request_ihex_firmware(&fw, VICAM_FIRMWARE, + &gspca_dev->dev->dev); +@@ -241,9 +242,14 @@ static int sd_init(struct gspca_dev *gsp + goto exit; + } + for (rec = (void *)fw->data; rec; rec = ihex_next_binrec(rec)) { +- memcpy(firmware_buf, rec->data, be16_to_cpu(rec->len)); ++ len = be16_to_cpu(rec->len); ++ if (len > PAGE_SIZE) { ++ ret = -EINVAL; ++ break; ++ } ++ memcpy(firmware_buf, rec->data, len); + ret = vicam_control_msg(gspca_dev, 0xff, 0, 0, firmware_buf, +- be16_to_cpu(rec->len)); ++ len); + if (ret < 0) + break; + } diff --git a/queue-6.1/media-hi556-correct-the-test-pattern-configuration.patch b/queue-6.1/media-hi556-correct-the-test-pattern-configuration.patch new file mode 100644 index 0000000000..aa688f87f2 --- /dev/null +++ b/queue-6.1/media-hi556-correct-the-test-pattern-configuration.patch @@ -0,0 +1,95 @@ +From 020f602b068c9ce18d5056d02c8302199377d98d Mon Sep 17 00:00:00 2001 +From: Bingbu Cao +Date: Mon, 30 Jun 2025 17:04:20 +0800 +Subject: media: hi556: correct the test pattern configuration + +From: Bingbu Cao + +commit 020f602b068c9ce18d5056d02c8302199377d98d upstream. + +Hynix hi556 support 8 test pattern modes: +hi556_test_pattern_menu[] = { +{ + "Disabled", + "Solid Colour", + "100% Colour Bars", + "Fade To Grey Colour Bars", + "PN9", + "Gradient Horizontal", + "Gradient Vertical", + "Check Board", + "Slant Pattern", +} + +The test pattern is set by a 8-bit register according to the +specification. ++--------+-------------------------------+ +| BIT[0] | Solid color | ++--------+-------------------------------+ +| BIT[1] | Color bar | ++--------+-------------------------------+ +| BIT[2] | Fade to grey color bar | ++--------+-------------------------------+ +| BIT[3] | PN9 | ++--------+-------------------------------+ +| BIT[4] | Gradient horizontal | ++--------+-------------------------------+ +| BIT[5] | Gradient vertical | ++--------+-------------------------------+ +| BIT[6] | Check board | ++--------+-------------------------------+ +| BIT[7] | Slant pattern | ++--------+-------------------------------+ +Based on function above, current test pattern programming is wrong. +This patch fixes it by 'BIT(pattern - 1)'. If pattern is 0, driver +will disable the test pattern generation and set the pattern to 0. + +Fixes: e62138403a84 ("media: hi556: Add support for Hi-556 sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Bingbu Cao +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/hi556.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +--- a/drivers/media/i2c/hi556.c ++++ b/drivers/media/i2c/hi556.c +@@ -605,21 +605,23 @@ static int hi556_test_pattern(struct hi5 + int ret; + u32 val; + +- if (pattern) { +- ret = hi556_read_reg(hi556, HI556_REG_ISP, +- HI556_REG_VALUE_08BIT, &val); +- if (ret) +- return ret; +- +- ret = hi556_write_reg(hi556, HI556_REG_ISP, +- HI556_REG_VALUE_08BIT, +- val | HI556_REG_ISP_TPG_EN); +- if (ret) +- return ret; +- } ++ ret = hi556_read_reg(hi556, HI556_REG_ISP, ++ HI556_REG_VALUE_08BIT, &val); ++ if (ret) ++ return ret; ++ ++ val = pattern ? (val | HI556_REG_ISP_TPG_EN) : ++ (val & ~HI556_REG_ISP_TPG_EN); ++ ++ ret = hi556_write_reg(hi556, HI556_REG_ISP, ++ HI556_REG_VALUE_08BIT, val); ++ if (ret) ++ return ret; ++ ++ val = pattern ? BIT(pattern - 1) : 0; + + return hi556_write_reg(hi556, HI556_REG_TEST_PATTERN, +- HI556_REG_VALUE_08BIT, pattern); ++ HI556_REG_VALUE_08BIT, val); + } + + static int hi556_set_ctrl(struct v4l2_ctrl *ctrl) diff --git a/queue-6.1/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch b/queue-6.1/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch new file mode 100644 index 0000000000..a3745d5087 --- /dev/null +++ b/queue-6.1/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch @@ -0,0 +1,35 @@ +From fc5f8aec77704373ee804b5dba0e0e5029c0f180 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Thu, 27 Feb 2025 15:44:51 +0800 +Subject: media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() + +From: Haoxiang Li + +commit fc5f8aec77704373ee804b5dba0e0e5029c0f180 upstream. + +Add video_device_release() in label 'err_m2m' to release the memory +allocated by video_device_alloc() and prevent potential memory leaks. +Remove the reduntant code in label 'err_m2m'. + +Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Reviewed-by: Dan Carpenter +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/imx/imx-media-csc-scaler.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/media/imx/imx-media-csc-scaler.c ++++ b/drivers/staging/media/imx/imx-media-csc-scaler.c +@@ -914,7 +914,7 @@ imx_media_csc_scaler_device_init(struct + return &priv->vdev; + + err_m2m: +- video_set_drvdata(vfd, NULL); ++ video_device_release(vfd); + err_vfd: + kfree(priv); + return ERR_PTR(ret); diff --git a/queue-6.1/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch b/queue-6.1/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch new file mode 100644 index 0000000000..8d1893ef5e --- /dev/null +++ b/queue-6.1/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch @@ -0,0 +1,42 @@ +From 76142b137b968d47b35cdd8d1dc924677d319c8b Mon Sep 17 00:00:00 2001 +From: Zhang Shurong +Date: Sun, 6 Jul 2025 00:31:09 +0800 +Subject: media: ov2659: Fix memory leaks in ov2659_probe() + +From: Zhang Shurong + +commit 76142b137b968d47b35cdd8d1dc924677d319c8b upstream. + +ov2659_probe() doesn't properly free control handler resources in failure +paths, causing memory leaks. Add v4l2_ctrl_handler_free() to prevent these +memory leaks and reorder the ctrl_handler assignment for better code flow. + +Fixes: c4c0283ab3cd ("[media] media: i2c: add support for omnivision's ov2659 sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Shurong +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov2659.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/i2c/ov2659.c ++++ b/drivers/media/i2c/ov2659.c +@@ -1479,14 +1479,15 @@ static int ov2659_probe(struct i2c_clien + V4L2_CID_TEST_PATTERN, + ARRAY_SIZE(ov2659_test_pattern_menu) - 1, + 0, 0, ov2659_test_pattern_menu); +- ov2659->sd.ctrl_handler = &ov2659->ctrls; + + if (ov2659->ctrls.error) { + dev_err(&client->dev, "%s: control initialization error %d\n", + __func__, ov2659->ctrls.error); ++ v4l2_ctrl_handler_free(&ov2659->ctrls); + return ov2659->ctrls.error; + } + ++ ov2659->sd.ctrl_handler = &ov2659->ctrls; + sd = &ov2659->sd; + client->flags |= I2C_CLIENT_SCCB; + #ifdef CONFIG_VIDEO_V4L2_SUBDEV_API diff --git a/queue-6.1/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch b/queue-6.1/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch new file mode 100644 index 0000000000..860bc54f4b --- /dev/null +++ b/queue-6.1/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch @@ -0,0 +1,54 @@ +From 7af160aea26c7dc9e6734d19306128cce156ec40 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Fri, 6 Jun 2025 03:04:59 +0000 +Subject: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() + +From: Gui-Dong Han + +commit 7af160aea26c7dc9e6734d19306128cce156ec40 upstream. + +In the interrupt handler rain_interrupt(), the buffer full check on +rain->buf_len is performed before acquiring rain->buf_lock. This +creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as +rain->buf_len is concurrently accessed and modified in the work +handler rain_irq_work_handler() under the same lock. + +Multiple interrupt invocations can race, with each reading buf_len +before it becomes full and then proceeding. This can lead to both +interrupts attempting to write to the buffer, incrementing buf_len +beyond its capacity (DATA_SIZE) and causing a buffer overflow. + +Fix this bug by moving the spin_lock() to before the buffer full +check. This ensures that the check and the subsequent buffer modification +are performed atomically, preventing the race condition. An corresponding +spin_unlock() is added to the overflow path to correctly release the +lock. + +This possible bug was found by an experimental static analysis tool +developed by our team. + +Fixes: 0f314f6c2e77 ("[media] rainshadow-cec: new RainShadow Tech HDMI CEC driver") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/cec/usb/rainshadow/rainshadow-cec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/cec/usb/rainshadow/rainshadow-cec.c ++++ b/drivers/media/cec/usb/rainshadow/rainshadow-cec.c +@@ -171,11 +171,12 @@ static irqreturn_t rain_interrupt(struct + { + struct rain *rain = serio_get_drvdata(serio); + ++ spin_lock(&rain->buf_lock); + if (rain->buf_len == DATA_SIZE) { ++ spin_unlock(&rain->buf_lock); + dev_warn_once(rain->dev, "buffer overflow\n"); + return IRQ_HANDLED; + } +- spin_lock(&rain->buf_lock); + rain->buf_len++; + rain->buf[rain->buf_wr_idx] = data; + rain->buf_wr_idx = (rain->buf_wr_idx + 1) & 0xff; diff --git a/queue-6.1/media-usbtv-lock-resolution-while-streaming.patch b/queue-6.1/media-usbtv-lock-resolution-while-streaming.patch new file mode 100644 index 0000000000..841ca89499 --- /dev/null +++ b/queue-6.1/media-usbtv-lock-resolution-while-streaming.patch @@ -0,0 +1,39 @@ +From 7e40e0bb778907b2441bff68d73c3eb6b6cd319f Mon Sep 17 00:00:00 2001 +From: Ludwig Disterhof +Date: Mon, 28 Apr 2025 20:16:50 +0200 +Subject: media: usbtv: Lock resolution while streaming + +From: Ludwig Disterhof + +commit 7e40e0bb778907b2441bff68d73c3eb6b6cd319f upstream. + +When an program is streaming (ffplay) and another program (qv4l2) +changes the TV standard from NTSC to PAL, the kernel crashes due to trying +to copy to unmapped memory. + +Changing from NTSC to PAL increases the resolution in the usbtv struct, +but the video plane buffer isn't adjusted, so it overflows. + +Fixes: 0e0fe3958fdd13d ("[media] usbtv: Add support for PAL video source") +Cc: stable@vger.kernel.org +Signed-off-by: Ludwig Disterhof +Signed-off-by: Hans Verkuil +[hverkuil: call vb2_is_busy instead of vb2_is_streaming] +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/usbtv/usbtv-video.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/usb/usbtv/usbtv-video.c ++++ b/drivers/media/usb/usbtv/usbtv-video.c +@@ -73,6 +73,10 @@ static int usbtv_configure_for_norm(stru + } + + if (params) { ++ if (vb2_is_busy(&usbtv->vb2q) && ++ (usbtv->width != params->cap_width || ++ usbtv->height != params->cap_height)) ++ return -EBUSY; + usbtv->width = params->cap_width; + usbtv->height = params->cap_height; + usbtv->n_chunks = usbtv->width * usbtv->height diff --git a/queue-6.1/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch b/queue-6.1/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch new file mode 100644 index 0000000000..349532b803 --- /dev/null +++ b/queue-6.1/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch @@ -0,0 +1,44 @@ +From 5a0400aca5fa7c6b8ba456c311a460e733571c88 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Thu, 8 May 2025 18:55:38 +0300 +Subject: media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free() + +From: Sakari Ailus + +commit 5a0400aca5fa7c6b8ba456c311a460e733571c88 upstream. + +It's a common pattern in drivers to free the control handler's resources +and then return the handler's error code on drivers' error handling paths. +Alas, the v4l2_ctrl_handler_free() function also zeroes the error field, +effectively indicating successful return to the caller. + +There's no apparent need to touch the error field while releasing the +control handler's resources and cleaning up stale pointers. Not touching +the handler's error field is a more certain way to address this problem +than changing all the users, in which case the pattern would be likely to +re-emerge in new drivers. + +Do just that, don't touch the control handler's error field in +v4l2_ctrl_handler_free(). + +Fixes: 0996517cf8ea ("V4L/DVB: v4l2: Add new control handling framework") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Reviewed-by: Hans Verkuil +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ctrls-core.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c +@@ -1327,7 +1327,6 @@ void v4l2_ctrl_handler_free(struct v4l2_ + kvfree(hdl->buckets); + hdl->buckets = NULL; + hdl->cached = NULL; +- hdl->error = 0; + mutex_unlock(hdl->lock); + mutex_destroy(&hdl->_lock); + } diff --git a/queue-6.1/media-vivid-fix-wrong-pixel_array-control-size.patch b/queue-6.1/media-vivid-fix-wrong-pixel_array-control-size.patch new file mode 100644 index 0000000000..4e3e12ec02 --- /dev/null +++ b/queue-6.1/media-vivid-fix-wrong-pixel_array-control-size.patch @@ -0,0 +1,52 @@ +From 3e43442d4994c9e1e202c98129a87e330f7faaed Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Sun, 6 Jul 2025 12:55:40 +0200 +Subject: media: vivid: fix wrong pixel_array control size + +From: Hans Verkuil + +commit 3e43442d4994c9e1e202c98129a87e330f7faaed upstream. + +The pixel_array control size was calculated incorrectly: +the dimensions were swapped (dims[0] should be the height), and the +values should be the width or height divided by PIXEL_ARRAY_DIV +and rounded up. So don't use roundup, but use DIV_ROUND_UP instead. + +This bug is harmless in the sense that nothing will break, except that +it consumes way too much memory for this control. + +Fixes: 6bc7643d1b9c ("media: vivid: add pixel_array test control") +Cc: +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/test-drivers/vivid/vivid-ctrls.c | 3 ++- + drivers/media/test-drivers/vivid/vivid-vid-cap.c | 4 ++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/media/test-drivers/vivid/vivid-ctrls.c ++++ b/drivers/media/test-drivers/vivid/vivid-ctrls.c +@@ -238,7 +238,8 @@ static const struct v4l2_ctrl_config viv + .min = 0x00, + .max = 0xff, + .step = 1, +- .dims = { 640 / PIXEL_ARRAY_DIV, 360 / PIXEL_ARRAY_DIV }, ++ .dims = { DIV_ROUND_UP(360, PIXEL_ARRAY_DIV), ++ DIV_ROUND_UP(640, PIXEL_ARRAY_DIV) }, + }; + + static const char * const vivid_ctrl_menu_strings[] = { +--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c ++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c +@@ -475,8 +475,8 @@ void vivid_update_format_cap(struct vivi + if (keep_controls) + return; + +- dims[0] = roundup(dev->src_rect.width, PIXEL_ARRAY_DIV); +- dims[1] = roundup(dev->src_rect.height, PIXEL_ARRAY_DIV); ++ dims[0] = DIV_ROUND_UP(dev->src_rect.height, PIXEL_ARRAY_DIV); ++ dims[1] = DIV_ROUND_UP(dev->src_rect.width, PIXEL_ARRAY_DIV); + v4l2_ctrl_modify_dimensions(dev->pixel_array, dims); + } + diff --git a/queue-6.1/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch b/queue-6.1/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..84c2bdd651 --- /dev/null +++ b/queue-6.1/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch @@ -0,0 +1,33 @@ +From 6c4dab38431fee3d39a841d66ba6f2890b31b005 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Mon, 7 Jul 2025 09:39:37 +0200 +Subject: mtd: rawnand: fsmc: Add missing check after DMA map + +From: Thomas Fourier + +commit 6c4dab38431fee3d39a841d66ba6f2890b31b005 upstream. + +The DMA map functions can fail and should be tested for errors. + +Fixes: 4774fb0a48aa ("mtd: nand/fsmc: Add DMA support") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Fourier +Rule: add +Link: https://lore.kernel.org/stable/20250702065806.20983-2-fourier.thomas%40gmail.com +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/fsmc_nand.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/nand/raw/fsmc_nand.c ++++ b/drivers/mtd/nand/raw/fsmc_nand.c +@@ -503,6 +503,8 @@ static int dma_xfer(struct fsmc_nand_dat + + dma_dev = chan->device; + dma_addr = dma_map_single(dma_dev->dev, buffer, len, direction); ++ if (dma_mapping_error(dma_dev->dev, dma_addr)) ++ return -EINVAL; + + if (direction == DMA_TO_DEVICE) { + dma_src = dma_addr; diff --git a/queue-6.1/mtd-rawnand-renesas-add-missing-check-after-dma-map.patch b/queue-6.1/mtd-rawnand-renesas-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..bae2a91751 --- /dev/null +++ b/queue-6.1/mtd-rawnand-renesas-add-missing-check-after-dma-map.patch @@ -0,0 +1,42 @@ +From 79e441ee47949376e3bc20f085cf017b70523d0f Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Wed, 2 Jul 2025 10:01:06 +0200 +Subject: mtd: rawnand: renesas: Add missing check after DMA map + +From: Thomas Fourier + +commit 79e441ee47949376e3bc20f085cf017b70523d0f upstream. + +The DMA map functions can fail and should be tested for errors. + +Fixes: d8701fe890ec ("mtd: rawnand: renesas: Add new NAND controller driver") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Fourier +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/renesas-nand-controller.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/mtd/nand/raw/renesas-nand-controller.c ++++ b/drivers/mtd/nand/raw/renesas-nand-controller.c +@@ -426,6 +426,9 @@ static int rnandc_read_page_hw_ecc(struc + /* Configure DMA */ + dma_addr = dma_map_single(rnandc->dev, rnandc->buf, mtd->writesize, + DMA_FROM_DEVICE); ++ if (dma_mapping_error(rnandc->dev, dma_addr)) ++ return -ENOMEM; ++ + writel(dma_addr, rnandc->regs + DMA_ADDR_LOW_REG); + writel(mtd->writesize, rnandc->regs + DMA_CNT_REG); + writel(DMA_TLVL_MAX, rnandc->regs + DMA_TLVL_REG); +@@ -606,6 +609,9 @@ static int rnandc_write_page_hw_ecc(stru + /* Configure DMA */ + dma_addr = dma_map_single(rnandc->dev, (void *)rnandc->buf, mtd->writesize, + DMA_TO_DEVICE); ++ if (dma_mapping_error(rnandc->dev, dma_addr)) ++ return -ENOMEM; ++ + writel(dma_addr, rnandc->regs + DMA_ADDR_LOW_REG); + writel(mtd->writesize, rnandc->regs + DMA_CNT_REG); + writel(DMA_TLVL_MAX, rnandc->regs + DMA_TLVL_REG); diff --git a/queue-6.1/mtd-spi-nor-fix-spi_nor_try_unlock_all.patch b/queue-6.1/mtd-spi-nor-fix-spi_nor_try_unlock_all.patch new file mode 100644 index 0000000000..64a494cedb --- /dev/null +++ b/queue-6.1/mtd-spi-nor-fix-spi_nor_try_unlock_all.patch @@ -0,0 +1,115 @@ +From 2e3a7476ec3989e77270b9481e76e137824b17c0 Mon Sep 17 00:00:00 2001 +From: Michael Walle +Date: Tue, 1 Jul 2025 16:04:26 +0200 +Subject: mtd: spi-nor: Fix spi_nor_try_unlock_all() + +From: Michael Walle + +commit 2e3a7476ec3989e77270b9481e76e137824b17c0 upstream. + +Commit ff67592cbdfc ("mtd: spi-nor: Introduce spi_nor_set_mtd_info()") +moved all initialization of the mtd fields at the end of spi_nor_scan(). +Normally, the mtd info is only needed for the mtd ops on the device, +with one exception: spi_nor_try_unlock_all(), which will also make use +of the mtd->size parameter. With that commit, the size will always be +zero because it is not initialized. Fix that by not using the size of +the mtd_info struct, but use the size from struct spi_nor_flash_parameter. + +Fixes: ff67592cbdfc ("mtd: spi-nor: Introduce spi_nor_set_mtd_info()") +Cc: stable@vger.kernel.org +Reported-by: Jean-Marc Ranger +Closes: https://lore.kernel.org/all/DM6PR06MB561177323DC5207E34AF2A06C547A@DM6PR06MB5611.namprd06.prod.outlook.com/ +Tested-by: Jean-Marc Ranger +Signed-off-by: Michael Walle +Reviewed-by: Pratyush Yadav +Signed-off-by: Pratyush Yadav +Link: https://lore.kernel.org/r/20250701140426.2355182-1-mwalle@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/swp.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +--- a/drivers/mtd/spi-nor/swp.c ++++ b/drivers/mtd/spi-nor/swp.c +@@ -50,7 +50,6 @@ static u64 spi_nor_get_min_prot_length_s + static void spi_nor_get_locked_range_sr(struct spi_nor *nor, u8 sr, loff_t *ofs, + uint64_t *len) + { +- struct mtd_info *mtd = &nor->mtd; + u64 min_prot_len; + u8 mask = spi_nor_get_sr_bp_mask(nor); + u8 tb_mask = spi_nor_get_sr_tb_mask(nor); +@@ -71,13 +70,13 @@ static void spi_nor_get_locked_range_sr( + min_prot_len = spi_nor_get_min_prot_length_sr(nor); + *len = min_prot_len << (bp - 1); + +- if (*len > mtd->size) +- *len = mtd->size; ++ if (*len > nor->params->size) ++ *len = nor->params->size; + + if (nor->flags & SNOR_F_HAS_SR_TB && sr & tb_mask) + *ofs = 0; + else +- *ofs = mtd->size - *len; ++ *ofs = nor->params->size - *len; + } + + /* +@@ -153,7 +152,6 @@ static bool spi_nor_is_unlocked_sr(struc + */ + static int spi_nor_sr_lock(struct spi_nor *nor, loff_t ofs, uint64_t len) + { +- struct mtd_info *mtd = &nor->mtd; + u64 min_prot_len; + int ret, status_old, status_new; + u8 mask = spi_nor_get_sr_bp_mask(nor); +@@ -178,7 +176,7 @@ static int spi_nor_sr_lock(struct spi_no + can_be_bottom = false; + + /* If anything above us is unlocked, we can't use 'top' protection */ +- if (!spi_nor_is_locked_sr(nor, ofs + len, mtd->size - (ofs + len), ++ if (!spi_nor_is_locked_sr(nor, ofs + len, nor->params->size - (ofs + len), + status_old)) + can_be_top = false; + +@@ -190,11 +188,11 @@ static int spi_nor_sr_lock(struct spi_no + + /* lock_len: length of region that should end up locked */ + if (use_top) +- lock_len = mtd->size - ofs; ++ lock_len = nor->params->size - ofs; + else + lock_len = ofs + len; + +- if (lock_len == mtd->size) { ++ if (lock_len == nor->params->size) { + val = mask; + } else { + min_prot_len = spi_nor_get_min_prot_length_sr(nor); +@@ -238,7 +236,6 @@ static int spi_nor_sr_lock(struct spi_no + */ + static int spi_nor_sr_unlock(struct spi_nor *nor, loff_t ofs, uint64_t len) + { +- struct mtd_info *mtd = &nor->mtd; + u64 min_prot_len; + int ret, status_old, status_new; + u8 mask = spi_nor_get_sr_bp_mask(nor); +@@ -263,7 +260,7 @@ static int spi_nor_sr_unlock(struct spi_ + can_be_top = false; + + /* If anything above us is locked, we can't use 'bottom' protection */ +- if (!spi_nor_is_unlocked_sr(nor, ofs + len, mtd->size - (ofs + len), ++ if (!spi_nor_is_unlocked_sr(nor, ofs + len, nor->params->size - (ofs + len), + status_old)) + can_be_bottom = false; + +@@ -275,7 +272,7 @@ static int spi_nor_sr_unlock(struct spi_ + + /* lock_len: length of region that should remain locked */ + if (use_top) +- lock_len = mtd->size - (ofs + len); ++ lock_len = nor->params->size - (ofs + len); + else + lock_len = ofs; + diff --git a/queue-6.1/mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch b/queue-6.1/mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch new file mode 100644 index 0000000000..111366f69f --- /dev/null +++ b/queue-6.1/mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch @@ -0,0 +1,37 @@ +From 091d9e35b85b0f8f7e1c73535299f91364a5c73a Mon Sep 17 00:00:00 2001 +From: Gabor Juhos +Date: Tue, 8 Jul 2025 15:11:00 +0200 +Subject: mtd: spinand: propagate spinand_wait() errors from spinand_write_page() + +From: Gabor Juhos + +commit 091d9e35b85b0f8f7e1c73535299f91364a5c73a upstream. + +Since commit 3d1f08b032dc ("mtd: spinand: Use the external ECC engine +logic") the spinand_write_page() function ignores the errors returned +by spinand_wait(). Change the code to propagate those up to the stack +as it was done before the offending change. + +Cc: stable@vger.kernel.org +Fixes: 3d1f08b032dc ("mtd: spinand: Use the external ECC engine logic") +Signed-off-by: Gabor Juhos +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/spi/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/spi/core.c ++++ b/drivers/mtd/nand/spi/core.c +@@ -624,7 +624,10 @@ static int spinand_write_page(struct spi + SPINAND_WRITE_INITIAL_DELAY_US, + SPINAND_WRITE_POLL_DELAY_US, + &status); +- if (!ret && (status & STATUS_PROG_FAILED)) ++ if (ret) ++ return ret; ++ ++ if (status & STATUS_PROG_FAILED) + return -EIO; + + return nand_ecc_finish_io_req(nand, (struct nand_page_io_req *)req); diff --git a/queue-6.1/parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch b/queue-6.1/parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch new file mode 100644 index 0000000000..28a9ebdcd2 --- /dev/null +++ b/queue-6.1/parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch @@ -0,0 +1,103 @@ +From 91428ca9320edbab1211851d82429d33b9cd73ef Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Mon, 21 Jul 2025 15:39:26 -0400 +Subject: parisc: Check region is readable by user in raw_copy_from_user() + +From: John David Anglin + +commit 91428ca9320edbab1211851d82429d33b9cd73ef upstream. + +Because of the way the _PAGE_READ is handled in the parisc PTE, an +access interruption is not generated when the kernel reads from a +region where the _PAGE_READ is zero. The current code was written +assuming read access faults would also occur in the kernel. + +This change adds user access checks to raw_copy_from_user(). The +prober_user() define checks whether user code has read access to +a virtual address. Note that page faults are not handled in the +exception support for the probe instruction. For this reason, we +precede the probe by a ldb access check. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/special_insns.h | 28 ++++++++++++++++++++++++++++ + arch/parisc/lib/memcpy.c | 19 ++++++++++++++++++- + 2 files changed, 46 insertions(+), 1 deletion(-) + +--- a/arch/parisc/include/asm/special_insns.h ++++ b/arch/parisc/include/asm/special_insns.h +@@ -32,6 +32,34 @@ + pa; \ + }) + ++/** ++ * prober_user() - Probe user read access ++ * @sr: Space regster. ++ * @va: Virtual address. ++ * ++ * Return: Non-zero if address is accessible. ++ * ++ * Due to the way _PAGE_READ is handled in TLB entries, we need ++ * a special check to determine whether a user address is accessible. ++ * The ldb instruction does the initial access check. If it is ++ * successful, the probe instruction checks user access rights. ++ */ ++#define prober_user(sr, va) ({ \ ++ unsigned long read_allowed; \ ++ __asm__ __volatile__( \ ++ "copy %%r0,%0\n" \ ++ "8:\tldb 0(%%sr%1,%2),%%r0\n" \ ++ "\tproberi (%%sr%1,%2),%3,%0\n" \ ++ "9:\n" \ ++ ASM_EXCEPTIONTABLE_ENTRY(8b, 9b, \ ++ "or %%r0,%%r0,%%r0") \ ++ : "=&r" (read_allowed) \ ++ : "i" (sr), "r" (va), "i" (PRIV_USER) \ ++ : "memory" \ ++ ); \ ++ read_allowed; \ ++}) ++ + #define CR_EIEM 15 /* External Interrupt Enable Mask */ + #define CR_CR16 16 /* CR16 Interval Timer */ + #define CR_EIRR 23 /* External Interrupt Request Register */ +--- a/arch/parisc/lib/memcpy.c ++++ b/arch/parisc/lib/memcpy.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + + #define get_user_space() mfsp(SR_USER) + #define get_kernel_space() SR_KERNEL +@@ -32,9 +33,25 @@ EXPORT_SYMBOL(raw_copy_to_user); + unsigned long raw_copy_from_user(void *dst, const void __user *src, + unsigned long len) + { ++ unsigned long start = (unsigned long) src; ++ unsigned long end = start + len; ++ unsigned long newlen = len; ++ + mtsp(get_user_space(), SR_TEMP1); + mtsp(get_kernel_space(), SR_TEMP2); +- return pa_memcpy(dst, (void __force *)src, len); ++ ++ /* Check region is user accessible */ ++ if (start) ++ while (start < end) { ++ if (!prober_user(SR_TEMP1, start)) { ++ newlen = (start - (unsigned long) src); ++ break; ++ } ++ start += PAGE_SIZE; ++ /* align to page boundry which may have different permission */ ++ start = PAGE_ALIGN_DOWN(start); ++ } ++ return len - newlen + pa_memcpy(dst, (void __force *)src, newlen); + } + EXPORT_SYMBOL(raw_copy_from_user); + diff --git a/queue-6.1/parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch b/queue-6.1/parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch new file mode 100644 index 0000000000..30ff9fb46f --- /dev/null +++ b/queue-6.1/parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch @@ -0,0 +1,37 @@ +From 305ab0a748c52eeaeb01d8cff6408842d19e5cb5 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Wed, 25 Jun 2025 00:30:54 -0700 +Subject: parisc: Makefile: explain that 64BIT requires both 32-bit and 64-bit compilers + +From: Randy Dunlap + +commit 305ab0a748c52eeaeb01d8cff6408842d19e5cb5 upstream. + +For building a 64-bit kernel, both 32-bit and 64-bit VDSO binaries +are built, so both 32-bit and 64-bit compilers (and tools) should be +in the PATH environment variable. + +Signed-off-by: Randy Dunlap +Cc: "James E.J. Bottomley" +Cc: Helge Deller +Cc: linux-parisc@vger.kernel.org +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/Makefile | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/parisc/Makefile ++++ b/arch/parisc/Makefile +@@ -39,7 +39,9 @@ endif + + export LD_BFD + +-# Set default 32 bits cross compilers for vdso ++# Set default 32 bits cross compilers for vdso. ++# This means that for 64BIT, both the 64-bit tools and the 32-bit tools ++# need to be in the path. + CC_ARCHES_32 = hppa hppa2.0 hppa1.1 + CC_SUFFIXES = linux linux-gnu unknown-linux-gnu suse-linux + CROSS32_COMPILE := $(call cc-cross-prefix, \ diff --git a/queue-6.1/parisc-revise-__get_user-to-probe-user-read-access.patch b/queue-6.1/parisc-revise-__get_user-to-probe-user-read-access.patch new file mode 100644 index 0000000000..8bcb269e1e --- /dev/null +++ b/queue-6.1/parisc-revise-__get_user-to-probe-user-read-access.patch @@ -0,0 +1,59 @@ +From 89f686a0fb6e473a876a9a60a13aec67a62b9a7e Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Fri, 25 Jul 2025 13:51:32 -0400 +Subject: parisc: Revise __get_user() to probe user read access + +From: John David Anglin + +commit 89f686a0fb6e473a876a9a60a13aec67a62b9a7e upstream. + +Because of the way read access support is implemented, read access +interruptions are only triggered at privilege levels 2 and 3. The +kernel executes at privilege level 0, so __get_user() never triggers +a read access interruption (code 26). Thus, it is currently possible +for user code to access a read protected address via a system call. + +Fix this by probing read access rights at privilege level 3 (PRIV_USER) +and setting __gu_err to -EFAULT (-14) if access isn't allowed. + +Note the cmpiclr instruction does a 32-bit compare because COND macro +doesn't work inside asm. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/uaccess.h | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/arch/parisc/include/asm/uaccess.h ++++ b/arch/parisc/include/asm/uaccess.h +@@ -42,9 +42,24 @@ + __gu_err; \ + }) + +-#define __get_user(val, ptr) \ +-({ \ +- __get_user_internal(SR_USER, val, ptr); \ ++#define __probe_user_internal(sr, error, ptr) \ ++({ \ ++ __asm__("\tproberi (%%sr%1,%2),%3,%0\n" \ ++ "\tcmpiclr,= 1,%0,%0\n" \ ++ "\tldi %4,%0\n" \ ++ : "=r"(error) \ ++ : "i"(sr), "r"(ptr), "i"(PRIV_USER), \ ++ "i"(-EFAULT)); \ ++}) ++ ++#define __get_user(val, ptr) \ ++({ \ ++ register long __gu_err; \ ++ \ ++ __gu_err = __get_user_internal(SR_USER, val, ptr); \ ++ if (likely(!__gu_err)) \ ++ __probe_user_internal(SR_USER, __gu_err, ptr); \ ++ __gu_err; \ + }) + + #define __get_user_asm(sr, val, ldx, ptr) \ diff --git a/queue-6.1/parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch b/queue-6.1/parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch new file mode 100644 index 0000000000..59272703c4 --- /dev/null +++ b/queue-6.1/parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch @@ -0,0 +1,108 @@ +From f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Fri, 25 Jul 2025 12:12:14 -0400 +Subject: parisc: Revise gateway LWS calls to probe user read access + +From: John David Anglin + +commit f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8 upstream. + +We use load and stbys,e instructions to trigger memory reference +interruptions without writing to memory. Because of the way read +access support is implemented, read access interruptions are only +triggered at privilege levels 2 and 3. The kernel and gateway +page execute at privilege level 0, so this code never triggers +a read access interruption. Thus, it is currently possible for +user code to execute a LWS compare and swap operation at an +address that is read protected at privilege level 3 (PRIV_USER). + +Fix this by probing read access rights at privilege level 3 and +branching to lws_fault if access isn't allowed. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/syscall.S | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -600,6 +600,9 @@ lws_compare_and_swap32: + lws_compare_and_swap: + /* Trigger memory reference interruptions without writing to memory */ + 1: ldw 0(%r26), %r28 ++ proberi (%r26), PRIV_USER, %r28 ++ comb,=,n %r28, %r0, lws_fault /* backwards, likely not taken */ ++ nop + 2: stbys,e %r0, 0(%r26) + + /* Calculate 8-bit hash index from virtual address */ +@@ -753,6 +756,9 @@ cas2_lock_start: + copy %r26, %r28 + depi_safe 0, 31, 2, %r28 + 10: ldw 0(%r28), %r1 ++ proberi (%r28), PRIV_USER, %r1 ++ comb,=,n %r1, %r0, lws_fault /* backwards, likely not taken */ ++ nop + 11: stbys,e %r0, 0(%r28) + + /* Calculate 8-bit hash index from virtual address */ +@@ -936,41 +942,47 @@ atomic_xchg_begin: + + /* 8-bit exchange */ + 1: ldb 0(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + copy %r23, %r20 + depi_safe 0, 31, 2, %r20 + b atomic_xchg_start + 2: stbys,e %r0, 0(%r20) +- nop +- nop +- nop + + /* 16-bit exchange */ + 3: ldh 0(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + copy %r23, %r20 + depi_safe 0, 31, 2, %r20 + b atomic_xchg_start + 4: stbys,e %r0, 0(%r20) +- nop +- nop +- nop + + /* 32-bit exchange */ + 5: ldw 0(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + b atomic_xchg_start + 6: stbys,e %r0, 0(%r23) + nop + nop +- nop +- nop +- nop + + /* 64-bit exchange */ + #ifdef CONFIG_64BIT + 7: ldd 0(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + 8: stdby,e %r0, 0(%r23) + #else + 7: ldw 0(%r24), %r20 + 8: ldw 4(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + copy %r23, %r20 + depi_safe 0, 31, 2, %r20 + 9: stbys,e %r0, 0(%r20) diff --git a/queue-6.1/parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch b/queue-6.1/parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch new file mode 100644 index 0000000000..19942106b4 --- /dev/null +++ b/queue-6.1/parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch @@ -0,0 +1,30 @@ +From f92a5e36b0c45cd12ac0d1bc44680c0dfae34543 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Mon, 21 Jul 2025 16:13:13 -0400 +Subject: parisc: Try to fixup kernel exception in bad_area_nosemaphore path of do_page_fault() + +From: John David Anglin + +commit f92a5e36b0c45cd12ac0d1bc44680c0dfae34543 upstream. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/mm/fault.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/parisc/mm/fault.c ++++ b/arch/parisc/mm/fault.c +@@ -358,6 +358,10 @@ bad_area: + mmap_read_unlock(mm); + + bad_area_nosemaphore: ++ if (!user_mode(regs) && fixup_exception(regs)) { ++ return; ++ } ++ + if (user_mode(regs)) { + int signo, si_code; + diff --git a/queue-6.1/parisc-update-comments-in-make_insert_tlb.patch b/queue-6.1/parisc-update-comments-in-make_insert_tlb.patch new file mode 100644 index 0000000000..bcde05a164 --- /dev/null +++ b/queue-6.1/parisc-update-comments-in-make_insert_tlb.patch @@ -0,0 +1,98 @@ +From cb22f247f371bd206a88cf0e0c05d80b8b62fb26 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Mon, 21 Jul 2025 15:13:42 -0400 +Subject: parisc: Update comments in make_insert_tlb + +From: John David Anglin + +commit cb22f247f371bd206a88cf0e0c05d80b8b62fb26 upstream. + +The following testcase exposed a problem with our read access checks +in get_user() and raw_copy_from_user(): + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char **argv) +{ + unsigned long page_size = sysconf(_SC_PAGESIZE); + char *p = malloc(3 * page_size); + char *p_aligned; + + /* initialize memory region. If not initialized, write syscall below will correctly return EFAULT. */ + if (1) + memset(p, 'X', 3 * page_size); + + p_aligned = (char *) ((((uintptr_t) p) + (2*page_size - 1)) & ~(page_size - 1)); + /* Drop PROT_READ protection. Kernel and userspace should fault when accessing that memory region */ + mprotect(p_aligned, page_size, PROT_NONE); + + /* the following write() should return EFAULT, since PROT_READ was dropped by previous mprotect() */ + int ret = write(2, p_aligned, 1); + if (!ret || errno != EFAULT) + printf("\n FAILURE: write() did not returned expected EFAULT value\n"); + + return 0; +} + +Because of the way _PAGE_READ is handled, kernel code never generates +a read access fault when it access a page as the kernel privilege level +is always less than PL1 in the PTE. + +This patch reworks the comments in the make_insert_tlb macro to try +to make this clearer. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/entry.S | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -486,6 +486,12 @@ + * this happens is quite subtle, read below */ + .macro make_insert_tlb spc,pte,prot,tmp + space_to_prot \spc \prot /* create prot id from space */ ++ ++#if _PAGE_SPECIAL_BIT == _PAGE_DMB_BIT ++ /* need to drop DMB bit, as it's used as SPECIAL flag */ ++ depi 0,_PAGE_SPECIAL_BIT,1,\pte ++#endif ++ + /* The following is the real subtlety. This is depositing + * T <-> _PAGE_REFTRAP + * D <-> _PAGE_DIRTY +@@ -498,17 +504,18 @@ + * Finally, _PAGE_READ goes in the top bit of PL1 (so we + * trigger an access rights trap in user space if the user + * tries to read an unreadable page */ +-#if _PAGE_SPECIAL_BIT == _PAGE_DMB_BIT +- /* need to drop DMB bit, as it's used as SPECIAL flag */ +- depi 0,_PAGE_SPECIAL_BIT,1,\pte +-#endif + depd \pte,8,7,\prot + + /* PAGE_USER indicates the page can be read with user privileges, + * so deposit X1|11 to PL1|PL2 (remember the upper bit of PL1 +- * contains _PAGE_READ) */ ++ * contains _PAGE_READ). While the kernel can't directly write ++ * user pages which have _PAGE_WRITE zero, it can read pages ++ * which have _PAGE_READ zero (PL <= PL1). Thus, the kernel ++ * exception fault handler doesn't trigger when reading pages ++ * that aren't user read accessible */ + extrd,u,*= \pte,_PAGE_USER_BIT+32,1,%r0 + depdi 7,11,3,\prot ++ + /* If we're a gateway page, drop PL2 back to zero for promotion + * to kernel privilege (so we can execute the page as kernel). + * Any privilege promotion page always denys read and write */ diff --git a/queue-6.1/pci-endpoint-fix-configfs-group-list-head-handling.patch b/queue-6.1/pci-endpoint-fix-configfs-group-list-head-handling.patch new file mode 100644 index 0000000000..a2b49daf21 --- /dev/null +++ b/queue-6.1/pci-endpoint-fix-configfs-group-list-head-handling.patch @@ -0,0 +1,62 @@ +From d79123d79a8154b4318529b7b2ff7e15806f480b Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 24 Jun 2025 20:45:43 +0900 +Subject: PCI: endpoint: Fix configfs group list head handling + +From: Damien Le Moal + +commit d79123d79a8154b4318529b7b2ff7e15806f480b upstream. + +Doing a list_del() on the epf_group field of struct pci_epf_driver in +pci_epf_remove_cfs() is not correct as this field is a list head, not +a list entry. This list_del() call triggers a KASAN warning when an +endpoint function driver which has a configfs attribute group is torn +down: + +================================================================== +BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198 +Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319 + +CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE +Hardware name: Radxa ROCK 5B (DT) +Call trace: +show_stack+0x2c/0x84 (C) +dump_stack_lvl+0x70/0x98 +print_report+0x17c/0x538 +kasan_report+0xb8/0x190 +__asan_report_store8_noabort+0x20/0x2c +pci_epf_remove_cfs+0x17c/0x198 +pci_epf_unregister_driver+0x18/0x30 +nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf] +__arm64_sys_delete_module+0x264/0x424 +invoke_syscall+0x70/0x260 +el0_svc_common.constprop.0+0xac/0x230 +do_el0_svc+0x40/0x58 +el0_svc+0x48/0xdc +el0t_64_sync_handler+0x10c/0x138 +el0t_64_sync+0x198/0x19c +... + +Remove this incorrect list_del() call from pci_epf_remove_cfs(). + +Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry") +Signed-off-by: Damien Le Moal +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Niklas Cassel +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250624114544.342159-2-dlemoal@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/endpoint/pci-epf-core.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/pci/endpoint/pci-epf-core.c ++++ b/drivers/pci/endpoint/pci-epf-core.c +@@ -343,7 +343,6 @@ static void pci_epf_remove_cfs(struct pc + mutex_lock(&pci_epf_mutex); + list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry) + pci_ep_cfs_remove_epf_group(group); +- list_del(&driver->epf_group); + mutex_unlock(&pci_epf_mutex); + } + diff --git a/queue-6.1/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch b/queue-6.1/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch new file mode 100644 index 0000000000..be60c2c9d2 --- /dev/null +++ b/queue-6.1/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch @@ -0,0 +1,53 @@ +From 910bdb8197f9322790c738bb32feaa11dba26909 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 24 Jun 2025 20:45:44 +0900 +Subject: PCI: endpoint: Fix configfs group removal on driver teardown + +From: Damien Le Moal + +commit 910bdb8197f9322790c738bb32feaa11dba26909 upstream. + +An endpoint driver configfs attributes group is added to the +epf_group list of struct pci_epf_driver by pci_epf_add_cfs() but an +added group is not removed from this list when the attribute group is +unregistered with pci_ep_cfs_remove_epf_group(). + +Add the missing list_del() call in pci_ep_cfs_remove_epf_group() +to correctly remove the attribute group from the driver list. + +With this change, once the loop over all attribute groups in +pci_epf_remove_cfs() completes, the driver epf_group list should be +empty. Add a WARN_ON() to make sure of that. + +Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry") +Signed-off-by: Damien Le Moal +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Niklas Cassel +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250624114544.342159-3-dlemoal@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/endpoint/pci-ep-cfs.c | 1 + + drivers/pci/endpoint/pci-epf-core.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/pci/endpoint/pci-ep-cfs.c ++++ b/drivers/pci/endpoint/pci-ep-cfs.c +@@ -646,6 +646,7 @@ void pci_ep_cfs_remove_epf_group(struct + if (IS_ERR_OR_NULL(group)) + return; + ++ list_del(&group->group_entry); + configfs_unregister_default_group(group); + } + EXPORT_SYMBOL(pci_ep_cfs_remove_epf_group); +--- a/drivers/pci/endpoint/pci-epf-core.c ++++ b/drivers/pci/endpoint/pci-epf-core.c +@@ -343,6 +343,7 @@ static void pci_epf_remove_cfs(struct pc + mutex_lock(&pci_epf_mutex); + list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry) + pci_ep_cfs_remove_epf_group(group); ++ WARN_ON(!list_empty(&driver->epf_group)); + mutex_unlock(&pci_epf_mutex); + } + diff --git a/queue-6.1/series b/queue-6.1/series index 484cf863e8..ac33d66ed5 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -301,3 +301,27 @@ pwm-imx-tpm-reset-counter-if-cmod-is-0.patch pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch pwm-mediatek-fix-duty-and-period-setting.patch hwmon-gsc-hwmon-fix-fan-pwm-setpoint-show-functions.patch +mtd-spi-nor-fix-spi_nor_try_unlock_all.patch +mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch +mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch +mtd-rawnand-renesas-add-missing-check-after-dma-map.patch +pci-endpoint-fix-configfs-group-list-head-handling.patch +pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch +vsock-virtio-validate-length-in-packet-header-before-skb_put.patch +vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch +jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch +soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch +parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch +parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch +parisc-revise-__get_user-to-probe-user-read-access.patch +parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch +parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch +parisc-update-comments-in-make_insert_tlb.patch +media-gspca-add-bounds-checking-to-firmware-parser.patch +media-hi556-correct-the-test-pattern-configuration.patch +media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch +media-vivid-fix-wrong-pixel_array-control-size.patch +media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch +media-usbtv-lock-resolution-while-streaming.patch +media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch +media-ov2659-fix-memory-leaks-in-ov2659_probe.patch diff --git a/queue-6.1/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch b/queue-6.1/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch new file mode 100644 index 0000000000..eb7afcf87e --- /dev/null +++ b/queue-6.1/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch @@ -0,0 +1,137 @@ +From b6bcbce3359619d05bf387d4f5cc3af63668dbaa Mon Sep 17 00:00:00 2001 +From: Jon Hunter +Date: Thu, 31 Jul 2025 13:18:32 +0100 +Subject: soc/tegra: pmc: Ensure power-domains are in a known state + +From: Jon Hunter + +commit b6bcbce3359619d05bf387d4f5cc3af63668dbaa upstream. + +After commit 13a4b7fb6260 ("pmdomain: core: Leave powered-on genpds on +until late_initcall_sync") was applied, the Tegra210 Jetson TX1 board +failed to boot. Looking into this issue, before this commit was applied, +if any of the Tegra power-domains were in 'on' state when the kernel +booted, they were being turned off by the genpd core before any driver +had chance to request them. This was purely by luck and a consequence of +the power-domains being turned off earlier during boot. After this +commit was applied, any power-domains in the 'on' state are kept on for +longer during boot and therefore, may never transitioned to the off +state before they are requested/used. The hang on the Tegra210 Jetson +TX1 is caused because devices in some power-domains are accessed without +the power-domain being turned off and on, indicating that the +power-domain is not in a completely on state. + +>From reviewing the Tegra PMC driver code, if a power-domain is in the +'on' state there is no guarantee that all the necessary clocks +associated with the power-domain are on and even if they are they would +not have been requested via the clock framework and so could be turned +off later. Some power-domains also have a 'clamping' register that needs +to be configured as well. In short, if a power-domain is already 'on' it +is difficult to know if it has been configured correctly. Given that the +power-domains happened to be switched off during boot previously, to +ensure that they are in a good known state on boot, fix this by +switching off any power-domains that are on initially when registering +the power-domains with the genpd framework. + +Note that commit 05cfb988a4d0 ("soc/tegra: pmc: Initialise resets +associated with a power partition") updated the +tegra_powergate_of_get_resets() function to pass the 'off' to ensure +that the resets for the power-domain are in the correct state on boot. +However, now that we may power off a domain on boot, if it is on, it is +better to move this logic into the tegra_powergate_add() function so +that there is a single place where we are handling the initial state of +the power-domain. + +Fixes: a38045121bf4 ("soc/tegra: pmc: Add generic PM domain support") +Signed-off-by: Jon Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250731121832.213671-1-jonathanh@nvidia.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/tegra/pmc.c | 51 +++++++++++++++++++++++++++--------------------- + 1 file changed, 29 insertions(+), 22 deletions(-) + +--- a/drivers/soc/tegra/pmc.c ++++ b/drivers/soc/tegra/pmc.c +@@ -1224,7 +1224,7 @@ err: + } + + static int tegra_powergate_of_get_resets(struct tegra_powergate *pg, +- struct device_node *np, bool off) ++ struct device_node *np) + { + struct device *dev = pg->pmc->dev; + int err; +@@ -1239,22 +1239,6 @@ static int tegra_powergate_of_get_resets + err = reset_control_acquire(pg->reset); + if (err < 0) { + pr_err("failed to acquire resets: %d\n", err); +- goto out; +- } +- +- if (off) { +- err = reset_control_assert(pg->reset); +- } else { +- err = reset_control_deassert(pg->reset); +- if (err < 0) +- goto out; +- +- reset_control_release(pg->reset); +- } +- +-out: +- if (err) { +- reset_control_release(pg->reset); + reset_control_put(pg->reset); + } + +@@ -1299,20 +1283,43 @@ static int tegra_powergate_add(struct te + goto set_available; + } + +- err = tegra_powergate_of_get_resets(pg, np, off); ++ err = tegra_powergate_of_get_resets(pg, np); + if (err < 0) { + dev_err(dev, "failed to get resets for %pOFn: %d\n", np, err); + goto remove_clks; + } + +- if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) { +- if (off) +- WARN_ON(tegra_powergate_power_up(pg, true)); ++ /* ++ * If the power-domain is off, then ensure the resets are asserted. ++ * If the power-domain is on, then power down to ensure that when is ++ * it turned on the power-domain, clocks and resets are all in the ++ * expected state. ++ */ ++ if (off) { ++ err = reset_control_assert(pg->reset); ++ if (err) { ++ pr_err("failed to assert resets: %d\n", err); ++ goto remove_resets; ++ } ++ } else { ++ err = tegra_powergate_power_down(pg); ++ if (err) { ++ dev_err(dev, "failed to turn off PM domain %s: %d\n", ++ pg->genpd.name, err); ++ goto remove_resets; ++ } ++ } + ++ /* ++ * If PM_GENERIC_DOMAINS is not enabled, power-on ++ * the domain and skip the genpd registration. ++ */ ++ if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) { ++ WARN_ON(tegra_powergate_power_up(pg, true)); + goto remove_resets; + } + +- err = pm_genpd_init(&pg->genpd, NULL, off); ++ err = pm_genpd_init(&pg->genpd, NULL, true); + if (err < 0) { + dev_err(dev, "failed to initialise PM domain %pOFn: %d\n", np, + err); diff --git a/queue-6.1/vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch b/queue-6.1/vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch new file mode 100644 index 0000000000..78fa45108e --- /dev/null +++ b/queue-6.1/vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch @@ -0,0 +1,53 @@ +From 10a886aaed293c4db3417951f396827216299e3d Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 17 Jul 2025 10:01:08 +0100 +Subject: vhost/vsock: Avoid allocating arbitrarily-sized SKBs + +From: Will Deacon + +commit 10a886aaed293c4db3417951f396827216299e3d upstream. + +vhost_vsock_alloc_skb() returns NULL for packets advertising a length +larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE in the packet header. However, +this is only checked once the SKB has been allocated and, if the length +in the packet header is zero, the SKB may not be freed immediately. + +Hoist the size check before the SKB allocation so that an iovec larger +than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + the header size is rejected +outright. The subsequent check on the length field in the header can +then simply check that the allocated SKB is indeed large enough to hold +the packet. + +Cc: +Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") +Reviewed-by: Stefano Garzarella +Signed-off-by: Will Deacon +Message-Id: <20250717090116.11987-2-will@kernel.org> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vsock.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -340,6 +340,9 @@ vhost_vsock_alloc_skb(struct vhost_virtq + + len = iov_length(vq->iov, out); + ++ if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM) ++ return NULL; ++ + /* len contains both payload and hdr */ + skb = virtio_vsock_alloc_skb(len, GFP_KERNEL); + if (!skb) +@@ -363,8 +366,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq + return skb; + + /* The pkt is too big or the length in the header is invalid */ +- if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE || +- payload_len + sizeof(*hdr) > len) { ++ if (payload_len + sizeof(*hdr) > len) { + kfree_skb(skb); + return NULL; + } diff --git a/queue-6.1/vsock-virtio-validate-length-in-packet-header-before-skb_put.patch b/queue-6.1/vsock-virtio-validate-length-in-packet-header-before-skb_put.patch new file mode 100644 index 0000000000..817223d199 --- /dev/null +++ b/queue-6.1/vsock-virtio-validate-length-in-packet-header-before-skb_put.patch @@ -0,0 +1,62 @@ +From 0dab92484474587b82e8e0455839eaf5ac7bf894 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 17 Jul 2025 10:01:09 +0100 +Subject: vsock/virtio: Validate length in packet header before skb_put() + +From: Will Deacon + +commit 0dab92484474587b82e8e0455839eaf5ac7bf894 upstream. + +When receiving a vsock packet in the guest, only the virtqueue buffer +size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, +virtio_vsock_skb_rx_put() uses the length from the packet header as the +length argument to skb_put(), potentially resulting in SKB overflow if +the host has gone wonky. + +Validate the length as advertised by the packet header before calling +virtio_vsock_skb_rx_put(). + +Cc: +Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") +Signed-off-by: Will Deacon +Message-Id: <20250717090116.11987-3-will@kernel.org> +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Stefano Garzarella +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/net/vmw_vsock/virtio_transport.c ++++ b/net/vmw_vsock/virtio_transport.c +@@ -494,8 +494,9 @@ static void virtio_transport_rx_work(str + do { + virtqueue_disable_cb(vq); + for (;;) { ++ unsigned int len, payload_len; ++ struct virtio_vsock_hdr *hdr; + struct sk_buff *skb; +- unsigned int len; + + if (!virtio_transport_more_replies(vsock)) { + /* Stop rx until the device processes already +@@ -512,11 +513,18 @@ static void virtio_transport_rx_work(str + vsock->rx_buf_nr--; + + /* Drop short/long packets */ +- if (unlikely(len < sizeof(struct virtio_vsock_hdr) || ++ if (unlikely(len < sizeof(*hdr) || + len > virtio_vsock_skb_len(skb))) { + kfree_skb(skb); + continue; + } ++ ++ hdr = virtio_vsock_hdr(skb); ++ payload_len = le32_to_cpu(hdr->len); ++ if (unlikely(payload_len > len - sizeof(*hdr))) { ++ kfree_skb(skb); ++ continue; ++ } + + virtio_vsock_skb_rx_put(skb); + virtio_transport_deliver_tap_pkt(skb);