From: Greg Kroah-Hartman Date: Sat, 6 Sep 2025 20:18:00 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.4.299~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2ae7b214d8d561f0baf1c1204252c330fcd65694;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: batman-adv-fix-oob-read-write-in-network-coding-decode.patch drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch --- diff --git a/queue-5.15/batman-adv-fix-oob-read-write-in-network-coding-decode.patch b/queue-5.15/batman-adv-fix-oob-read-write-in-network-coding-decode.patch new file mode 100644 index 0000000000..db58beb951 --- /dev/null +++ b/queue-5.15/batman-adv-fix-oob-read-write-in-network-coding-decode.patch @@ -0,0 +1,44 @@ +From d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 Mon Sep 17 00:00:00 2001 +From: Stanislav Fort +Date: Sun, 31 Aug 2025 16:56:23 +0200 +Subject: batman-adv: fix OOB read/write in network-coding decode + +From: Stanislav Fort + +commit d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 upstream. + +batadv_nc_skb_decode_packet() trusts coded_len and checks only against +skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing +payload headroom, and the source skb length is not verified, allowing an +out-of-bounds read and a small out-of-bounds write. + +Validate that coded_len fits within the payload area of both destination +and source sk_buffs before XORing. + +Fixes: 2df5278b0267 ("batman-adv: network coding - receive coded packets and decode them") +Cc: stable@vger.kernel.org +Reported-by: Stanislav Fort +Signed-off-by: Stanislav Fort +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/network-coding.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/network-coding.c ++++ b/net/batman-adv/network-coding.c +@@ -1691,7 +1691,12 @@ batadv_nc_skb_decode_packet(struct batad + + coding_len = ntohs(coded_packet_tmp.coded_len); + +- if (coding_len > skb->len) ++ /* ensure dst buffer is large enough (payload only) */ ++ if (coding_len + h_size > skb->len) ++ return NULL; ++ ++ /* ensure src buffer is large enough (payload only) */ ++ if (coding_len + h_size > nc_packet->skb->len) + return NULL; + + /* Here the magic is reversed: diff --git a/queue-5.15/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch b/queue-5.15/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch new file mode 100644 index 0000000000..1eeb0536d8 --- /dev/null +++ b/queue-5.15/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch @@ -0,0 +1,105 @@ +From 71403f58b4bb6c13b71c05505593a355f697fd94 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 6 Aug 2025 10:47:50 -0400 +Subject: drm/amdgpu: drop hw access in non-DC audio fini + +From: Alex Deucher + +commit 71403f58b4bb6c13b71c05505593a355f697fd94 upstream. + +We already disable the audio pins in hw_fini so +there is no need to do it again in sw_fini. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4481 +Cc: oushixiong +Signed-off-by: Alex Deucher +(cherry picked from commit 5eeb16ca727f11278b2917fd4311a7d7efb0bbd6) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 ----- + drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 ----- + drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 ----- + drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 ----- + 4 files changed, 20 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c +@@ -1464,17 +1464,12 @@ static int dce_v10_0_audio_init(struct a + + static void dce_v10_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v10_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c +@@ -1506,17 +1506,12 @@ static int dce_v11_0_audio_init(struct a + + static void dce_v11_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v11_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c +@@ -1375,17 +1375,12 @@ static int dce_v6_0_audio_init(struct am + + static void dce_v6_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v6_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c +@@ -1427,17 +1427,12 @@ static int dce_v8_0_audio_init(struct am + + static void dce_v8_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v8_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + diff --git a/queue-5.15/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch b/queue-5.15/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch new file mode 100644 index 0000000000..9218decb32 --- /dev/null +++ b/queue-5.15/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch @@ -0,0 +1,55 @@ +From 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 Mon Sep 17 00:00:00 2001 +From: Vitaly Lifshits +Date: Sun, 17 Aug 2025 12:25:47 +0300 +Subject: e1000e: fix heap overflow in e1000_set_eeprom + +From: Vitaly Lifshits + +commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 upstream. + +Fix a possible heap overflow in e1000_set_eeprom function by adding +input validation for the requested length of the change in the EEPROM. +In addition, change the variable type from int to size_t for better +code practices and rearrange declarations to RCT. + +Cc: stable@vger.kernel.org +Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)") +Co-developed-by: Mikael Wessel +Signed-off-by: Mikael Wessel +Signed-off-by: Vitaly Lifshits +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/intel/e1000e/ethtool.c ++++ b/drivers/net/ethernet/intel/e1000e/ethtool.c +@@ -559,12 +559,12 @@ static int e1000_set_eeprom(struct net_d + { + struct e1000_adapter *adapter = netdev_priv(netdev); + struct e1000_hw *hw = &adapter->hw; ++ size_t total_len, max_len; + u16 *eeprom_buff; +- void *ptr; +- int max_len; ++ int ret_val = 0; + int first_word; + int last_word; +- int ret_val = 0; ++ void *ptr; + u16 i; + + if (eeprom->len == 0) +@@ -579,6 +579,10 @@ static int e1000_set_eeprom(struct net_d + + max_len = hw->nvm.word_size * 2; + ++ if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) || ++ total_len > max_len) ++ return -EFBIG; ++ + first_word = eeprom->offset >> 1; + last_word = (eeprom->offset + eeprom->len - 1) >> 1; + eeprom_buff = kmalloc(max_len, GFP_KERNEL); diff --git a/queue-5.15/scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch b/queue-5.15/scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch new file mode 100644 index 0000000000..ccc5666ff8 --- /dev/null +++ b/queue-5.15/scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch @@ -0,0 +1,70 @@ +From 9dba9a45c348e8460da97c450cddf70b2056deb3 Mon Sep 17 00:00:00 2001 +From: John Evans +Date: Thu, 28 Aug 2025 12:40:08 +0800 +Subject: scsi: lpfc: Fix buffer free/clear order in deferred receive path + +From: John Evans + +commit 9dba9a45c348e8460da97c450cddf70b2056deb3 upstream. + +Fix a use-after-free window by correcting the buffer release sequence in +the deferred receive path. The code freed the RQ buffer first and only +then cleared the context pointer under the lock. Concurrent paths (e.g., +ABTS and the repost path) also inspect and release the same pointer under +the lock, so the old order could lead to double-free/UAF. + +Note that the repost path already uses the correct pattern: detach the +pointer under the lock, then free it after dropping the lock. The +deferred path should do the same. + +Fixes: 472e146d1cf3 ("scsi: lpfc: Correct upcalling nvmet_fc transport during io done downcall") +Cc: stable@vger.kernel.org +Signed-off-by: John Evans +Link: https://lore.kernel.org/r/20250828044008.743-1-evans1210144@gmail.com +Reviewed-by: Justin Tee +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_nvmet.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_nvmet.c ++++ b/drivers/scsi/lpfc/lpfc_nvmet.c +@@ -1244,7 +1244,7 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar + struct lpfc_nvmet_tgtport *tgtp; + struct lpfc_async_xchg_ctx *ctxp = + container_of(rsp, struct lpfc_async_xchg_ctx, hdlrctx.fcp_req); +- struct rqb_dmabuf *nvmebuf = ctxp->rqb_buffer; ++ struct rqb_dmabuf *nvmebuf; + struct lpfc_hba *phba = ctxp->phba; + unsigned long iflag; + +@@ -1252,13 +1252,18 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar + lpfc_nvmeio_data(phba, "NVMET DEFERRCV: xri x%x sz %d CPU %02x\n", + ctxp->oxid, ctxp->size, raw_smp_processor_id()); + ++ spin_lock_irqsave(&ctxp->ctxlock, iflag); ++ nvmebuf = ctxp->rqb_buffer; + if (!nvmebuf) { ++ spin_unlock_irqrestore(&ctxp->ctxlock, iflag); + lpfc_printf_log(phba, KERN_INFO, LOG_NVME_IOERR, + "6425 Defer rcv: no buffer oxid x%x: " + "flg %x ste %x\n", + ctxp->oxid, ctxp->flag, ctxp->state); + return; + } ++ ctxp->rqb_buffer = NULL; ++ spin_unlock_irqrestore(&ctxp->ctxlock, iflag); + + tgtp = phba->targetport->private; + if (tgtp) +@@ -1266,9 +1271,6 @@ lpfc_nvmet_defer_rcv(struct nvmet_fc_tar + + /* Free the nvmebuf since a new buffer already replaced it */ + nvmebuf->hrq->rqbp->rqb_free_buffer(phba, nvmebuf); +- spin_lock_irqsave(&ctxp->ctxlock, iflag); +- ctxp->rqb_buffer = NULL; +- spin_unlock_irqrestore(&ctxp->ctxlock, iflag); + } + + /** diff --git a/queue-5.15/series b/queue-5.15/series index 33a2f14ce4..d4e4b360be 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -30,3 +30,8 @@ alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch x86-mm-64-define-arch_page_table_sync_mask-and-arch_sync_kernel_mappings.patch mm-move-page-table-sync-declarations-to-linux-pgtable.h.patch +wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch +drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch +scsi-lpfc-fix-buffer-free-clear-order-in-deferred-receive-path.patch +batman-adv-fix-oob-read-write-in-network-coding-decode.patch +e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch diff --git a/queue-5.15/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch b/queue-5.15/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch new file mode 100644 index 0000000000..3a2f5c069c --- /dev/null +++ b/queue-5.15/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch @@ -0,0 +1,70 @@ +From 0e20450829ca3c1dbc2db536391537c57a40fe0b Mon Sep 17 00:00:00 2001 +From: Qianfeng Rong +Date: Fri, 15 Aug 2025 10:30:50 +0800 +Subject: wifi: mwifiex: Initialize the chan_stats array to zero + +From: Qianfeng Rong + +commit 0e20450829ca3c1dbc2db536391537c57a40fe0b upstream. + +The adapter->chan_stats[] array is initialized in +mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out +memory. The array is filled in mwifiex_update_chan_statistics() +and then the user can query the data in mwifiex_cfg80211_dump_survey(). + +There are two potential issues here. What if the user calls +mwifiex_cfg80211_dump_survey() before the data has been filled in. +Also the mwifiex_update_chan_statistics() function doesn't necessarily +initialize the whole array. Since the array was not initialized at +the start that could result in an information leak. + +Also this array is pretty small. It's a maximum of 900 bytes so it's +more appropriate to use kcalloc() instead vmalloc(). + +Cc: stable@vger.kernel.org +Fixes: bf35443314ac ("mwifiex: channel statistics support for mwifiex") +Suggested-by: Dan Carpenter +Signed-off-by: Qianfeng Rong +Reviewed-by: Dan Carpenter +Link: https://patch.msgid.link/20250815023055.477719-1-rongqianfeng@vivo.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +++-- + drivers/net/wireless/marvell/mwifiex/main.c | 4 ++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -4282,8 +4282,9 @@ int mwifiex_init_channel_scan_gap(struct + * additional active scan request for hidden SSIDs on passive channels. + */ + adapter->num_in_chan_stats = 2 * (n_channels_bg + n_channels_a); +- adapter->chan_stats = vmalloc(array_size(sizeof(*adapter->chan_stats), +- adapter->num_in_chan_stats)); ++ adapter->chan_stats = kcalloc(adapter->num_in_chan_stats, ++ sizeof(*adapter->chan_stats), ++ GFP_KERNEL); + + if (!adapter->chan_stats) + return -ENOMEM; +--- a/drivers/net/wireless/marvell/mwifiex/main.c ++++ b/drivers/net/wireless/marvell/mwifiex/main.c +@@ -640,7 +640,7 @@ static int _mwifiex_fw_dpc(const struct + goto done; + + err_add_intf: +- vfree(adapter->chan_stats); ++ kfree(adapter->chan_stats); + err_init_chan_scan: + wiphy_unregister(adapter->wiphy); + wiphy_free(adapter->wiphy); +@@ -1462,7 +1462,7 @@ static void mwifiex_uninit_sw(struct mwi + wiphy_free(adapter->wiphy); + adapter->wiphy = NULL; + +- vfree(adapter->chan_stats); ++ kfree(adapter->chan_stats); + mwifiex_free_cmd_buffers(adapter); + } +