From: Greg Kroah-Hartman Date: Thu, 21 Aug 2025 14:22:56 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.16.3~80 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3134d14426bbd10bb966a60e6841b9e8f685bcc3;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch media-gspca-add-bounds-checking-to-firmware-parser.patch media-hi556-correct-the-test-pattern-configuration.patch media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch media-ov2659-fix-memory-leaks-in-ov2659_probe.patch media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch media-usbtv-lock-resolution-while-streaming.patch media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch media-verisilicon-fix-av1-decoder-clock-frequency.patch media-vivid-fix-wrong-pixel_array-control-size.patch mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch mtd-rawnand-renesas-add-missing-check-after-dma-map.patch mtd-spi-nor-fix-spi_nor_try_unlock_all.patch mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch parisc-define-and-use-set_pte_at.patch parisc-drop-warn_on_once-from-flush_cache_vmap.patch parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch parisc-revise-__get_user-to-probe-user-read-access.patch parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch parisc-update-comments-in-make_insert_tlb.patch pci-endpoint-fix-configfs-group-list-head-handling.patch pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch vsock-virtio-validate-length-in-packet-header-before-skb_put.patch --- diff --git a/queue-6.6/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch b/queue-6.6/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch new file mode 100644 index 0000000000..50b652acfc --- /dev/null +++ b/queue-6.6/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch @@ -0,0 +1,71 @@ +From 77de19b6867f2740cdcb6c9c7e50d522b47847a4 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Thu, 17 Jul 2025 21:26:33 +0800 +Subject: f2fs: fix to avoid out-of-boundary access in dnode page + +From: Chao Yu + +commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4 upstream. + +As Jiaming Zhang reported: + + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0x17e/0x800 mm/kasan/report.c:480 + kasan_report+0x147/0x180 mm/kasan/report.c:593 + data_blkaddr fs/f2fs/f2fs.h:3053 [inline] + f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline] + f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855 + f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195 + prepare_write_begin fs/f2fs/data.c:3395 [inline] + f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594 + generic_perform_write+0x2c7/0x910 mm/filemap.c:4112 + f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline] + f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x546/0xa90 fs/read_write.c:686 + ksys_write+0x149/0x250 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The root cause is in the corrupted image, there is a dnode has the same +node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to +access block address in dnode at offset 934, however it parses the dnode +as inode node, so that get_dnode_addr() returns 360, then it tries to +access page address from 360 + 934 * 4 = 4096 w/ 4 bytes. + +To fix this issue, let's add sanity check for node id of all direct nodes +during f2fs_get_dnode_of_data(). + +Cc: stable@kernel.org +Reported-by: Jiaming Zhang +Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/node.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -799,6 +799,16 @@ int f2fs_get_dnode_of_data(struct dnode_ + for (i = 1; i <= level; i++) { + bool done = false; + ++ if (nids[i] && nids[i] == dn->inode->i_ino) { ++ err = -EFSCORRUPTED; ++ f2fs_err_ratelimited(sbi, ++ "inode mapping table is corrupted, run fsck to fix it, " ++ "ino:%lu, nid:%u, level:%d, offset:%d", ++ dn->inode->i_ino, nids[i], level, offset[level]); ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ goto release_pages; ++ } ++ + if (!nids[i] && mode == ALLOC_NODE) { + /* alloc new node */ + if (!f2fs_alloc_nid(sbi, &(nids[i]))) { diff --git a/queue-6.6/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch b/queue-6.6/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch new file mode 100644 index 0000000000..02c25c1a82 --- /dev/null +++ b/queue-6.6/jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch @@ -0,0 +1,73 @@ +From 9d98cf4632258720f18265a058e62fde120c0151 Mon Sep 17 00:00:00 2001 +From: Baokun Li +Date: Tue, 12 Aug 2025 14:37:52 +0800 +Subject: jbd2: prevent softlockup in jbd2_log_do_checkpoint() + +From: Baokun Li + +commit 9d98cf4632258720f18265a058e62fde120c0151 upstream. + +Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() +periodically release j_list_lock after processing a batch of buffers to +avoid long hold times on the j_list_lock. However, since both functions +contend for j_list_lock, the combined time spent waiting and processing +can be significant. + +jbd2_journal_shrink_checkpoint_list() explicitly calls cond_resched() when +need_resched() is true to avoid softlockups during prolonged operations. +But jbd2_log_do_checkpoint() only exits its loop when need_resched() is +true, relying on potentially sleeping functions like __flush_batch() or +wait_on_buffer() to trigger rescheduling. If those functions do not sleep, +the kernel may hit a softlockup. + +watchdog: BUG: soft lockup - CPU#3 stuck for 156s! [kworker/u129:2:373] +CPU: 3 PID: 373 Comm: kworker/u129:2 Kdump: loaded Not tainted 6.6.0+ #10 +Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.27 06/13/2017 +Workqueue: writeback wb_workfn (flush-7:2) +pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : native_queued_spin_lock_slowpath+0x358/0x418 +lr : jbd2_log_do_checkpoint+0x31c/0x438 [jbd2] +Call trace: + native_queued_spin_lock_slowpath+0x358/0x418 + jbd2_log_do_checkpoint+0x31c/0x438 [jbd2] + __jbd2_log_wait_for_space+0xfc/0x2f8 [jbd2] + add_transaction_credits+0x3bc/0x418 [jbd2] + start_this_handle+0xf8/0x560 [jbd2] + jbd2__journal_start+0x118/0x228 [jbd2] + __ext4_journal_start_sb+0x110/0x188 [ext4] + ext4_do_writepages+0x3dc/0x740 [ext4] + ext4_writepages+0xa4/0x190 [ext4] + do_writepages+0x94/0x228 + __writeback_single_inode+0x48/0x318 + writeback_sb_inodes+0x204/0x590 + __writeback_inodes_wb+0x54/0xf8 + wb_writeback+0x2cc/0x3d8 + wb_do_writeback+0x2e0/0x2f8 + wb_workfn+0x80/0x2a8 + process_one_work+0x178/0x3e8 + worker_thread+0x234/0x3b8 + kthread+0xf0/0x108 + ret_from_fork+0x10/0x20 + +So explicitly call cond_resched() in jbd2_log_do_checkpoint() to avoid +softlockup. + +Cc: stable@kernel.org +Signed-off-by: Baokun Li +Link: https://patch.msgid.link/20250812063752.912130-1-libaokun@huaweicloud.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/checkpoint.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/jbd2/checkpoint.c ++++ b/fs/jbd2/checkpoint.c +@@ -285,6 +285,7 @@ restart: + retry: + if (batch_count) + __flush_batch(journal, &batch_count); ++ cond_resched(); + spin_lock(&journal->j_list_lock); + goto restart; + } diff --git a/queue-6.6/media-gspca-add-bounds-checking-to-firmware-parser.patch b/queue-6.6/media-gspca-add-bounds-checking-to-firmware-parser.patch new file mode 100644 index 0000000000..8939ed836f --- /dev/null +++ b/queue-6.6/media-gspca-add-bounds-checking-to-firmware-parser.patch @@ -0,0 +1,56 @@ +From aef89c0b2417da79cb2062a95476288f9f203ab0 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 28 May 2025 23:22:14 +0300 +Subject: media: gspca: Add bounds checking to firmware parser + +From: Dan Carpenter + +commit aef89c0b2417da79cb2062a95476288f9f203ab0 upstream. + +This sd_init() function reads the firmware. The firmware data holds a +series of records and the function reads each record and sends the data +to the device. The request_ihex_firmware() function +calls ihex_validate_fw() which ensures that the total length of all the +records won't read out of bounds of the fw->data[]. + +However, a potential issue is if there is a single very large +record (larger than PAGE_SIZE) and that would result in memory +corruption. Generally we trust the firmware, but it's always better to +double check. + +Fixes: 49b61ec9b5af ("[media] gspca: Add new vicam subdriver") +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/gspca/vicam.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/gspca/vicam.c ++++ b/drivers/media/usb/gspca/vicam.c +@@ -227,6 +227,7 @@ static int sd_init(struct gspca_dev *gsp + const struct ihex_binrec *rec; + const struct firmware *fw; + u8 *firmware_buf; ++ int len; + + ret = request_ihex_firmware(&fw, VICAM_FIRMWARE, + &gspca_dev->dev->dev); +@@ -241,9 +242,14 @@ static int sd_init(struct gspca_dev *gsp + goto exit; + } + for (rec = (void *)fw->data; rec; rec = ihex_next_binrec(rec)) { +- memcpy(firmware_buf, rec->data, be16_to_cpu(rec->len)); ++ len = be16_to_cpu(rec->len); ++ if (len > PAGE_SIZE) { ++ ret = -EINVAL; ++ break; ++ } ++ memcpy(firmware_buf, rec->data, len); + ret = vicam_control_msg(gspca_dev, 0xff, 0, 0, firmware_buf, +- be16_to_cpu(rec->len)); ++ len); + if (ret < 0) + break; + } diff --git a/queue-6.6/media-hi556-correct-the-test-pattern-configuration.patch b/queue-6.6/media-hi556-correct-the-test-pattern-configuration.patch new file mode 100644 index 0000000000..64e737830e --- /dev/null +++ b/queue-6.6/media-hi556-correct-the-test-pattern-configuration.patch @@ -0,0 +1,95 @@ +From 020f602b068c9ce18d5056d02c8302199377d98d Mon Sep 17 00:00:00 2001 +From: Bingbu Cao +Date: Mon, 30 Jun 2025 17:04:20 +0800 +Subject: media: hi556: correct the test pattern configuration + +From: Bingbu Cao + +commit 020f602b068c9ce18d5056d02c8302199377d98d upstream. + +Hynix hi556 support 8 test pattern modes: +hi556_test_pattern_menu[] = { +{ + "Disabled", + "Solid Colour", + "100% Colour Bars", + "Fade To Grey Colour Bars", + "PN9", + "Gradient Horizontal", + "Gradient Vertical", + "Check Board", + "Slant Pattern", +} + +The test pattern is set by a 8-bit register according to the +specification. ++--------+-------------------------------+ +| BIT[0] | Solid color | ++--------+-------------------------------+ +| BIT[1] | Color bar | ++--------+-------------------------------+ +| BIT[2] | Fade to grey color bar | ++--------+-------------------------------+ +| BIT[3] | PN9 | ++--------+-------------------------------+ +| BIT[4] | Gradient horizontal | ++--------+-------------------------------+ +| BIT[5] | Gradient vertical | ++--------+-------------------------------+ +| BIT[6] | Check board | ++--------+-------------------------------+ +| BIT[7] | Slant pattern | ++--------+-------------------------------+ +Based on function above, current test pattern programming is wrong. +This patch fixes it by 'BIT(pattern - 1)'. If pattern is 0, driver +will disable the test pattern generation and set the pattern to 0. + +Fixes: e62138403a84 ("media: hi556: Add support for Hi-556 sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Bingbu Cao +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/hi556.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +--- a/drivers/media/i2c/hi556.c ++++ b/drivers/media/i2c/hi556.c +@@ -689,21 +689,23 @@ static int hi556_test_pattern(struct hi5 + int ret; + u32 val; + +- if (pattern) { +- ret = hi556_read_reg(hi556, HI556_REG_ISP, +- HI556_REG_VALUE_08BIT, &val); +- if (ret) +- return ret; +- +- ret = hi556_write_reg(hi556, HI556_REG_ISP, +- HI556_REG_VALUE_08BIT, +- val | HI556_REG_ISP_TPG_EN); +- if (ret) +- return ret; +- } ++ ret = hi556_read_reg(hi556, HI556_REG_ISP, ++ HI556_REG_VALUE_08BIT, &val); ++ if (ret) ++ return ret; ++ ++ val = pattern ? (val | HI556_REG_ISP_TPG_EN) : ++ (val & ~HI556_REG_ISP_TPG_EN); ++ ++ ret = hi556_write_reg(hi556, HI556_REG_ISP, ++ HI556_REG_VALUE_08BIT, val); ++ if (ret) ++ return ret; ++ ++ val = pattern ? BIT(pattern - 1) : 0; + + return hi556_write_reg(hi556, HI556_REG_TEST_PATTERN, +- HI556_REG_VALUE_08BIT, pattern); ++ HI556_REG_VALUE_08BIT, val); + } + + static int hi556_set_ctrl(struct v4l2_ctrl *ctrl) diff --git a/queue-6.6/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch b/queue-6.6/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch new file mode 100644 index 0000000000..a3745d5087 --- /dev/null +++ b/queue-6.6/media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch @@ -0,0 +1,35 @@ +From fc5f8aec77704373ee804b5dba0e0e5029c0f180 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Thu, 27 Feb 2025 15:44:51 +0800 +Subject: media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() + +From: Haoxiang Li + +commit fc5f8aec77704373ee804b5dba0e0e5029c0f180 upstream. + +Add video_device_release() in label 'err_m2m' to release the memory +allocated by video_device_alloc() and prevent potential memory leaks. +Remove the reduntant code in label 'err_m2m'. + +Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device") +Cc: stable@vger.kernel.org +Signed-off-by: Haoxiang Li +Reviewed-by: Dan Carpenter +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/imx/imx-media-csc-scaler.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/media/imx/imx-media-csc-scaler.c ++++ b/drivers/staging/media/imx/imx-media-csc-scaler.c +@@ -914,7 +914,7 @@ imx_media_csc_scaler_device_init(struct + return &priv->vdev; + + err_m2m: +- video_set_drvdata(vfd, NULL); ++ video_device_release(vfd); + err_vfd: + kfree(priv); + return ERR_PTR(ret); diff --git a/queue-6.6/media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch b/queue-6.6/media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch new file mode 100644 index 0000000000..c43041249c --- /dev/null +++ b/queue-6.6/media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch @@ -0,0 +1,82 @@ +From 0c92c49fc688cfadacc47ae99b06a31237702e9e Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 21 Jun 2025 16:00:52 +0200 +Subject: media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls + +From: Hans de Goede + +commit 0c92c49fc688cfadacc47ae99b06a31237702e9e upstream. + +Both the ACE and CSI driver are missing a mei_cldev_disable() call in +their remove() function. + +This causes the mei_cl client to stay part of the mei_device->file_list +list even though its memory is freed by mei_cl_bus_dev_release() calling +kfree(cldev->cl). + +This leads to a use-after-free when mei_vsc_remove() runs mei_stop() +which first removes all mei bus devices calling mei_ace_remove() and +mei_csi_remove() followed by mei_cl_bus_dev_release() and then calls +mei_cl_all_disconnect() which walks over mei_device->file_list dereferecing +the just freed cldev->cl. + +And mei_vsc_remove() it self is run at shutdown because of the +platform_device_unregister(tp->pdev) in vsc_tp_shutdown() + +When building a kernel with KASAN this leads to the following KASAN report: + +[ 106.634504] ================================================================== +[ 106.634623] BUG: KASAN: slab-use-after-free in mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei +[ 106.634683] Read of size 4 at addr ffff88819cb62018 by task systemd-shutdow/1 +[ 106.634729] +[ 106.634767] Tainted: [E]=UNSIGNED_MODULE +[ 106.634770] Hardware name: Dell Inc. XPS 16 9640/09CK4V, BIOS 1.12.0 02/10/2025 +[ 106.634773] Call Trace: +[ 106.634777] +... +[ 106.634871] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636) +[ 106.634901] mei_cl_set_disconnected (drivers/misc/mei/client.c:783) mei +[ 106.634921] mei_cl_all_disconnect (drivers/misc/mei/client.c:2165 (discriminator 4)) mei +[ 106.634941] mei_reset (drivers/misc/mei/init.c:163) mei +... +[ 106.635042] mei_stop (drivers/misc/mei/init.c:348) mei +[ 106.635062] mei_vsc_remove (drivers/misc/mei/mei_dev.h:784 drivers/misc/mei/platform-vsc.c:393) mei_vsc +[ 106.635066] platform_remove (drivers/base/platform.c:1424) + +Add the missing mei_cldev_disable() calls so that the mei_cl gets removed +from mei_device->file_list before it is freed to fix this. + +Fixes: 78876f71b3e9 ("media: pci: intel: ivsc: Add ACE submodule") +Fixes: 29006e196a56 ("media: pci: intel: ivsc: Add CSI submodule") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/intel/ivsc/mei_ace.c | 2 ++ + drivers/media/pci/intel/ivsc/mei_csi.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/drivers/media/pci/intel/ivsc/mei_ace.c ++++ b/drivers/media/pci/intel/ivsc/mei_ace.c +@@ -528,6 +528,8 @@ static void mei_ace_remove(struct mei_cl + + ace_set_camera_owner(ace, ACE_CAMERA_IVSC); + ++ mei_cldev_disable(cldev); ++ + mutex_destroy(&ace->lock); + } + +--- a/drivers/media/pci/intel/ivsc/mei_csi.c ++++ b/drivers/media/pci/intel/ivsc/mei_csi.c +@@ -807,6 +807,8 @@ static void mei_csi_remove(struct mei_cl + + pm_runtime_disable(&cldev->dev); + ++ mei_cldev_disable(cldev); ++ + mutex_destroy(&csi->lock); + } + diff --git a/queue-6.6/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch b/queue-6.6/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch new file mode 100644 index 0000000000..8d1893ef5e --- /dev/null +++ b/queue-6.6/media-ov2659-fix-memory-leaks-in-ov2659_probe.patch @@ -0,0 +1,42 @@ +From 76142b137b968d47b35cdd8d1dc924677d319c8b Mon Sep 17 00:00:00 2001 +From: Zhang Shurong +Date: Sun, 6 Jul 2025 00:31:09 +0800 +Subject: media: ov2659: Fix memory leaks in ov2659_probe() + +From: Zhang Shurong + +commit 76142b137b968d47b35cdd8d1dc924677d319c8b upstream. + +ov2659_probe() doesn't properly free control handler resources in failure +paths, causing memory leaks. Add v4l2_ctrl_handler_free() to prevent these +memory leaks and reorder the ctrl_handler assignment for better code flow. + +Fixes: c4c0283ab3cd ("[media] media: i2c: add support for omnivision's ov2659 sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Zhang Shurong +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov2659.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/i2c/ov2659.c ++++ b/drivers/media/i2c/ov2659.c +@@ -1479,14 +1479,15 @@ static int ov2659_probe(struct i2c_clien + V4L2_CID_TEST_PATTERN, + ARRAY_SIZE(ov2659_test_pattern_menu) - 1, + 0, 0, ov2659_test_pattern_menu); +- ov2659->sd.ctrl_handler = &ov2659->ctrls; + + if (ov2659->ctrls.error) { + dev_err(&client->dev, "%s: control initialization error %d\n", + __func__, ov2659->ctrls.error); ++ v4l2_ctrl_handler_free(&ov2659->ctrls); + return ov2659->ctrls.error; + } + ++ ov2659->sd.ctrl_handler = &ov2659->ctrls; + sd = &ov2659->sd; + client->flags |= I2C_CLIENT_SCCB; + #ifdef CONFIG_VIDEO_V4L2_SUBDEV_API diff --git a/queue-6.6/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch b/queue-6.6/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch new file mode 100644 index 0000000000..860bc54f4b --- /dev/null +++ b/queue-6.6/media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch @@ -0,0 +1,54 @@ +From 7af160aea26c7dc9e6734d19306128cce156ec40 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Fri, 6 Jun 2025 03:04:59 +0000 +Subject: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() + +From: Gui-Dong Han + +commit 7af160aea26c7dc9e6734d19306128cce156ec40 upstream. + +In the interrupt handler rain_interrupt(), the buffer full check on +rain->buf_len is performed before acquiring rain->buf_lock. This +creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as +rain->buf_len is concurrently accessed and modified in the work +handler rain_irq_work_handler() under the same lock. + +Multiple interrupt invocations can race, with each reading buf_len +before it becomes full and then proceeding. This can lead to both +interrupts attempting to write to the buffer, incrementing buf_len +beyond its capacity (DATA_SIZE) and causing a buffer overflow. + +Fix this bug by moving the spin_lock() to before the buffer full +check. This ensures that the check and the subsequent buffer modification +are performed atomically, preventing the race condition. An corresponding +spin_unlock() is added to the overflow path to correctly release the +lock. + +This possible bug was found by an experimental static analysis tool +developed by our team. + +Fixes: 0f314f6c2e77 ("[media] rainshadow-cec: new RainShadow Tech HDMI CEC driver") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/cec/usb/rainshadow/rainshadow-cec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/cec/usb/rainshadow/rainshadow-cec.c ++++ b/drivers/media/cec/usb/rainshadow/rainshadow-cec.c +@@ -171,11 +171,12 @@ static irqreturn_t rain_interrupt(struct + { + struct rain *rain = serio_get_drvdata(serio); + ++ spin_lock(&rain->buf_lock); + if (rain->buf_len == DATA_SIZE) { ++ spin_unlock(&rain->buf_lock); + dev_warn_once(rain->dev, "buffer overflow\n"); + return IRQ_HANDLED; + } +- spin_lock(&rain->buf_lock); + rain->buf_len++; + rain->buf[rain->buf_wr_idx] = data; + rain->buf_wr_idx = (rain->buf_wr_idx + 1) & 0xff; diff --git a/queue-6.6/media-usbtv-lock-resolution-while-streaming.patch b/queue-6.6/media-usbtv-lock-resolution-while-streaming.patch new file mode 100644 index 0000000000..841ca89499 --- /dev/null +++ b/queue-6.6/media-usbtv-lock-resolution-while-streaming.patch @@ -0,0 +1,39 @@ +From 7e40e0bb778907b2441bff68d73c3eb6b6cd319f Mon Sep 17 00:00:00 2001 +From: Ludwig Disterhof +Date: Mon, 28 Apr 2025 20:16:50 +0200 +Subject: media: usbtv: Lock resolution while streaming + +From: Ludwig Disterhof + +commit 7e40e0bb778907b2441bff68d73c3eb6b6cd319f upstream. + +When an program is streaming (ffplay) and another program (qv4l2) +changes the TV standard from NTSC to PAL, the kernel crashes due to trying +to copy to unmapped memory. + +Changing from NTSC to PAL increases the resolution in the usbtv struct, +but the video plane buffer isn't adjusted, so it overflows. + +Fixes: 0e0fe3958fdd13d ("[media] usbtv: Add support for PAL video source") +Cc: stable@vger.kernel.org +Signed-off-by: Ludwig Disterhof +Signed-off-by: Hans Verkuil +[hverkuil: call vb2_is_busy instead of vb2_is_streaming] +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/usbtv/usbtv-video.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/usb/usbtv/usbtv-video.c ++++ b/drivers/media/usb/usbtv/usbtv-video.c +@@ -73,6 +73,10 @@ static int usbtv_configure_for_norm(stru + } + + if (params) { ++ if (vb2_is_busy(&usbtv->vb2q) && ++ (usbtv->width != params->cap_width || ++ usbtv->height != params->cap_height)) ++ return -EBUSY; + usbtv->width = params->cap_width; + usbtv->height = params->cap_height; + usbtv->n_chunks = usbtv->width * usbtv->height diff --git a/queue-6.6/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch b/queue-6.6/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch new file mode 100644 index 0000000000..d3a71396e2 --- /dev/null +++ b/queue-6.6/media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch @@ -0,0 +1,44 @@ +From 5a0400aca5fa7c6b8ba456c311a460e733571c88 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Thu, 8 May 2025 18:55:38 +0300 +Subject: media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free() + +From: Sakari Ailus + +commit 5a0400aca5fa7c6b8ba456c311a460e733571c88 upstream. + +It's a common pattern in drivers to free the control handler's resources +and then return the handler's error code on drivers' error handling paths. +Alas, the v4l2_ctrl_handler_free() function also zeroes the error field, +effectively indicating successful return to the caller. + +There's no apparent need to touch the error field while releasing the +control handler's resources and cleaning up stale pointers. Not touching +the handler's error field is a more certain way to address this problem +than changing all the users, in which case the pattern would be likely to +re-emerge in new drivers. + +Do just that, don't touch the control handler's error field in +v4l2_ctrl_handler_free(). + +Fixes: 0996517cf8ea ("V4L/DVB: v4l2: Add new control handling framework") +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Reviewed-by: Hans Verkuil +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ctrls-core.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c +@@ -1578,7 +1578,6 @@ void v4l2_ctrl_handler_free(struct v4l2_ + kvfree(hdl->buckets); + hdl->buckets = NULL; + hdl->cached = NULL; +- hdl->error = 0; + mutex_unlock(hdl->lock); + mutex_destroy(&hdl->_lock); + } diff --git a/queue-6.6/media-verisilicon-fix-av1-decoder-clock-frequency.patch b/queue-6.6/media-verisilicon-fix-av1-decoder-clock-frequency.patch new file mode 100644 index 0000000000..e0741bea61 --- /dev/null +++ b/queue-6.6/media-verisilicon-fix-av1-decoder-clock-frequency.patch @@ -0,0 +1,57 @@ +From 01350185fe02ae3ea2c12d578e06af0d5186f33e Mon Sep 17 00:00:00 2001 +From: Nicolas Dufresne +Date: Mon, 17 Feb 2025 16:46:54 -0500 +Subject: media: verisilicon: Fix AV1 decoder clock frequency + +From: Nicolas Dufresne + +commit 01350185fe02ae3ea2c12d578e06af0d5186f33e upstream. + +The desired clock frequency was correctly set to 400MHz in the device tree +but was lowered by the driver to 300MHz breaking 4K 60Hz content playback. +Fix the issue by removing the driver call to clk_set_rate(), which reduce +the amount of board specific code. + +Fixes: 003afda97c65 ("media: verisilicon: Enable AV1 decoder on rk3588") +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Gaignard +Reviewed-by: Philipp Zabel +Signed-off-by: Nicolas Dufresne +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/verisilicon/rockchip_vpu_hw.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/media/platform/verisilicon/rockchip_vpu_hw.c ++++ b/drivers/media/platform/verisilicon/rockchip_vpu_hw.c +@@ -17,7 +17,6 @@ + + #define RK3066_ACLK_MAX_FREQ (300 * 1000 * 1000) + #define RK3288_ACLK_MAX_FREQ (400 * 1000 * 1000) +-#define RK3588_ACLK_MAX_FREQ (300 * 1000 * 1000) + + #define ROCKCHIP_VPU981_MIN_SIZE 64 + +@@ -441,13 +440,6 @@ static int rk3066_vpu_hw_init(struct han + return 0; + } + +-static int rk3588_vpu981_hw_init(struct hantro_dev *vpu) +-{ +- /* Bump ACLKs to max. possible freq. to improve performance. */ +- clk_set_rate(vpu->clocks[0].clk, RK3588_ACLK_MAX_FREQ); +- return 0; +-} +- + static int rockchip_vpu_hw_init(struct hantro_dev *vpu) + { + /* Bump ACLK to max. possible freq. to improve performance. */ +@@ -808,7 +800,6 @@ const struct hantro_variant rk3588_vpu98 + .codec_ops = rk3588_vpu981_codec_ops, + .irqs = rk3588_vpu981_irqs, + .num_irqs = ARRAY_SIZE(rk3588_vpu981_irqs), +- .init = rk3588_vpu981_hw_init, + .clk_names = rk3588_vpu981_vpu_clk_names, + .num_clocks = ARRAY_SIZE(rk3588_vpu981_vpu_clk_names) + }; diff --git a/queue-6.6/media-vivid-fix-wrong-pixel_array-control-size.patch b/queue-6.6/media-vivid-fix-wrong-pixel_array-control-size.patch new file mode 100644 index 0000000000..b1d5c67b75 --- /dev/null +++ b/queue-6.6/media-vivid-fix-wrong-pixel_array-control-size.patch @@ -0,0 +1,52 @@ +From 3e43442d4994c9e1e202c98129a87e330f7faaed Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Sun, 6 Jul 2025 12:55:40 +0200 +Subject: media: vivid: fix wrong pixel_array control size + +From: Hans Verkuil + +commit 3e43442d4994c9e1e202c98129a87e330f7faaed upstream. + +The pixel_array control size was calculated incorrectly: +the dimensions were swapped (dims[0] should be the height), and the +values should be the width or height divided by PIXEL_ARRAY_DIV +and rounded up. So don't use roundup, but use DIV_ROUND_UP instead. + +This bug is harmless in the sense that nothing will break, except that +it consumes way too much memory for this control. + +Fixes: 6bc7643d1b9c ("media: vivid: add pixel_array test control") +Cc: +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/test-drivers/vivid/vivid-ctrls.c | 3 ++- + drivers/media/test-drivers/vivid/vivid-vid-cap.c | 4 ++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/media/test-drivers/vivid/vivid-ctrls.c ++++ b/drivers/media/test-drivers/vivid/vivid-ctrls.c +@@ -240,7 +240,8 @@ static const struct v4l2_ctrl_config viv + .min = 0x00, + .max = 0xff, + .step = 1, +- .dims = { 640 / PIXEL_ARRAY_DIV, 360 / PIXEL_ARRAY_DIV }, ++ .dims = { DIV_ROUND_UP(360, PIXEL_ARRAY_DIV), ++ DIV_ROUND_UP(640, PIXEL_ARRAY_DIV) }, + }; + + static const struct v4l2_ctrl_config vivid_ctrl_s32_array = { +--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c ++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c +@@ -460,8 +460,8 @@ void vivid_update_format_cap(struct vivi + if (keep_controls) + return; + +- dims[0] = roundup(dev->src_rect.width, PIXEL_ARRAY_DIV); +- dims[1] = roundup(dev->src_rect.height, PIXEL_ARRAY_DIV); ++ dims[0] = DIV_ROUND_UP(dev->src_rect.height, PIXEL_ARRAY_DIV); ++ dims[1] = DIV_ROUND_UP(dev->src_rect.width, PIXEL_ARRAY_DIV); + v4l2_ctrl_modify_dimensions(dev->pixel_array, dims); + } + diff --git a/queue-6.6/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch b/queue-6.6/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..84c2bdd651 --- /dev/null +++ b/queue-6.6/mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch @@ -0,0 +1,33 @@ +From 6c4dab38431fee3d39a841d66ba6f2890b31b005 Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Mon, 7 Jul 2025 09:39:37 +0200 +Subject: mtd: rawnand: fsmc: Add missing check after DMA map + +From: Thomas Fourier + +commit 6c4dab38431fee3d39a841d66ba6f2890b31b005 upstream. + +The DMA map functions can fail and should be tested for errors. + +Fixes: 4774fb0a48aa ("mtd: nand/fsmc: Add DMA support") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Fourier +Rule: add +Link: https://lore.kernel.org/stable/20250702065806.20983-2-fourier.thomas%40gmail.com +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/fsmc_nand.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/nand/raw/fsmc_nand.c ++++ b/drivers/mtd/nand/raw/fsmc_nand.c +@@ -503,6 +503,8 @@ static int dma_xfer(struct fsmc_nand_dat + + dma_dev = chan->device; + dma_addr = dma_map_single(dma_dev->dev, buffer, len, direction); ++ if (dma_mapping_error(dma_dev->dev, dma_addr)) ++ return -EINVAL; + + if (direction == DMA_TO_DEVICE) { + dma_src = dma_addr; diff --git a/queue-6.6/mtd-rawnand-renesas-add-missing-check-after-dma-map.patch b/queue-6.6/mtd-rawnand-renesas-add-missing-check-after-dma-map.patch new file mode 100644 index 0000000000..bae2a91751 --- /dev/null +++ b/queue-6.6/mtd-rawnand-renesas-add-missing-check-after-dma-map.patch @@ -0,0 +1,42 @@ +From 79e441ee47949376e3bc20f085cf017b70523d0f Mon Sep 17 00:00:00 2001 +From: Thomas Fourier +Date: Wed, 2 Jul 2025 10:01:06 +0200 +Subject: mtd: rawnand: renesas: Add missing check after DMA map + +From: Thomas Fourier + +commit 79e441ee47949376e3bc20f085cf017b70523d0f upstream. + +The DMA map functions can fail and should be tested for errors. + +Fixes: d8701fe890ec ("mtd: rawnand: renesas: Add new NAND controller driver") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Fourier +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/renesas-nand-controller.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/mtd/nand/raw/renesas-nand-controller.c ++++ b/drivers/mtd/nand/raw/renesas-nand-controller.c +@@ -426,6 +426,9 @@ static int rnandc_read_page_hw_ecc(struc + /* Configure DMA */ + dma_addr = dma_map_single(rnandc->dev, rnandc->buf, mtd->writesize, + DMA_FROM_DEVICE); ++ if (dma_mapping_error(rnandc->dev, dma_addr)) ++ return -ENOMEM; ++ + writel(dma_addr, rnandc->regs + DMA_ADDR_LOW_REG); + writel(mtd->writesize, rnandc->regs + DMA_CNT_REG); + writel(DMA_TLVL_MAX, rnandc->regs + DMA_TLVL_REG); +@@ -606,6 +609,9 @@ static int rnandc_write_page_hw_ecc(stru + /* Configure DMA */ + dma_addr = dma_map_single(rnandc->dev, (void *)rnandc->buf, mtd->writesize, + DMA_TO_DEVICE); ++ if (dma_mapping_error(rnandc->dev, dma_addr)) ++ return -ENOMEM; ++ + writel(dma_addr, rnandc->regs + DMA_ADDR_LOW_REG); + writel(mtd->writesize, rnandc->regs + DMA_CNT_REG); + writel(DMA_TLVL_MAX, rnandc->regs + DMA_TLVL_REG); diff --git a/queue-6.6/mtd-spi-nor-fix-spi_nor_try_unlock_all.patch b/queue-6.6/mtd-spi-nor-fix-spi_nor_try_unlock_all.patch new file mode 100644 index 0000000000..f60797712a --- /dev/null +++ b/queue-6.6/mtd-spi-nor-fix-spi_nor_try_unlock_all.patch @@ -0,0 +1,115 @@ +From 2e3a7476ec3989e77270b9481e76e137824b17c0 Mon Sep 17 00:00:00 2001 +From: Michael Walle +Date: Tue, 1 Jul 2025 16:04:26 +0200 +Subject: mtd: spi-nor: Fix spi_nor_try_unlock_all() + +From: Michael Walle + +commit 2e3a7476ec3989e77270b9481e76e137824b17c0 upstream. + +Commit ff67592cbdfc ("mtd: spi-nor: Introduce spi_nor_set_mtd_info()") +moved all initialization of the mtd fields at the end of spi_nor_scan(). +Normally, the mtd info is only needed for the mtd ops on the device, +with one exception: spi_nor_try_unlock_all(), which will also make use +of the mtd->size parameter. With that commit, the size will always be +zero because it is not initialized. Fix that by not using the size of +the mtd_info struct, but use the size from struct spi_nor_flash_parameter. + +Fixes: ff67592cbdfc ("mtd: spi-nor: Introduce spi_nor_set_mtd_info()") +Cc: stable@vger.kernel.org +Reported-by: Jean-Marc Ranger +Closes: https://lore.kernel.org/all/DM6PR06MB561177323DC5207E34AF2A06C547A@DM6PR06MB5611.namprd06.prod.outlook.com/ +Tested-by: Jean-Marc Ranger +Signed-off-by: Michael Walle +Reviewed-by: Pratyush Yadav +Signed-off-by: Pratyush Yadav +Link: https://lore.kernel.org/r/20250701140426.2355182-1-mwalle@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/swp.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +--- a/drivers/mtd/spi-nor/swp.c ++++ b/drivers/mtd/spi-nor/swp.c +@@ -50,7 +50,6 @@ static u64 spi_nor_get_min_prot_length_s + static void spi_nor_get_locked_range_sr(struct spi_nor *nor, u8 sr, loff_t *ofs, + uint64_t *len) + { +- struct mtd_info *mtd = &nor->mtd; + u64 min_prot_len; + u8 mask = spi_nor_get_sr_bp_mask(nor); + u8 tb_mask = spi_nor_get_sr_tb_mask(nor); +@@ -71,13 +70,13 @@ static void spi_nor_get_locked_range_sr( + min_prot_len = spi_nor_get_min_prot_length_sr(nor); + *len = min_prot_len << (bp - 1); + +- if (*len > mtd->size) +- *len = mtd->size; ++ if (*len > nor->params->size) ++ *len = nor->params->size; + + if (nor->flags & SNOR_F_HAS_SR_TB && sr & tb_mask) + *ofs = 0; + else +- *ofs = mtd->size - *len; ++ *ofs = nor->params->size - *len; + } + + /* +@@ -153,7 +152,6 @@ static bool spi_nor_is_unlocked_sr(struc + */ + static int spi_nor_sr_lock(struct spi_nor *nor, loff_t ofs, uint64_t len) + { +- struct mtd_info *mtd = &nor->mtd; + u64 min_prot_len; + int ret, status_old, status_new; + u8 mask = spi_nor_get_sr_bp_mask(nor); +@@ -178,7 +176,7 @@ static int spi_nor_sr_lock(struct spi_no + can_be_bottom = false; + + /* If anything above us is unlocked, we can't use 'top' protection */ +- if (!spi_nor_is_locked_sr(nor, ofs + len, mtd->size - (ofs + len), ++ if (!spi_nor_is_locked_sr(nor, ofs + len, nor->params->size - (ofs + len), + status_old)) + can_be_top = false; + +@@ -190,11 +188,11 @@ static int spi_nor_sr_lock(struct spi_no + + /* lock_len: length of region that should end up locked */ + if (use_top) +- lock_len = mtd->size - ofs; ++ lock_len = nor->params->size - ofs; + else + lock_len = ofs + len; + +- if (lock_len == mtd->size) { ++ if (lock_len == nor->params->size) { + val = mask; + } else { + min_prot_len = spi_nor_get_min_prot_length_sr(nor); +@@ -243,7 +241,6 @@ static int spi_nor_sr_lock(struct spi_no + */ + static int spi_nor_sr_unlock(struct spi_nor *nor, loff_t ofs, uint64_t len) + { +- struct mtd_info *mtd = &nor->mtd; + u64 min_prot_len; + int ret, status_old, status_new; + u8 mask = spi_nor_get_sr_bp_mask(nor); +@@ -268,7 +265,7 @@ static int spi_nor_sr_unlock(struct spi_ + can_be_top = false; + + /* If anything above us is locked, we can't use 'bottom' protection */ +- if (!spi_nor_is_unlocked_sr(nor, ofs + len, mtd->size - (ofs + len), ++ if (!spi_nor_is_unlocked_sr(nor, ofs + len, nor->params->size - (ofs + len), + status_old)) + can_be_bottom = false; + +@@ -280,7 +277,7 @@ static int spi_nor_sr_unlock(struct spi_ + + /* lock_len: length of region that should remain locked */ + if (use_top) +- lock_len = mtd->size - (ofs + len); ++ lock_len = nor->params->size - (ofs + len); + else + lock_len = ofs; + diff --git a/queue-6.6/mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch b/queue-6.6/mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch new file mode 100644 index 0000000000..111366f69f --- /dev/null +++ b/queue-6.6/mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch @@ -0,0 +1,37 @@ +From 091d9e35b85b0f8f7e1c73535299f91364a5c73a Mon Sep 17 00:00:00 2001 +From: Gabor Juhos +Date: Tue, 8 Jul 2025 15:11:00 +0200 +Subject: mtd: spinand: propagate spinand_wait() errors from spinand_write_page() + +From: Gabor Juhos + +commit 091d9e35b85b0f8f7e1c73535299f91364a5c73a upstream. + +Since commit 3d1f08b032dc ("mtd: spinand: Use the external ECC engine +logic") the spinand_write_page() function ignores the errors returned +by spinand_wait(). Change the code to propagate those up to the stack +as it was done before the offending change. + +Cc: stable@vger.kernel.org +Fixes: 3d1f08b032dc ("mtd: spinand: Use the external ECC engine logic") +Signed-off-by: Gabor Juhos +Signed-off-by: Miquel Raynal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/spi/core.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/spi/core.c ++++ b/drivers/mtd/nand/spi/core.c +@@ -624,7 +624,10 @@ static int spinand_write_page(struct spi + SPINAND_WRITE_INITIAL_DELAY_US, + SPINAND_WRITE_POLL_DELAY_US, + &status); +- if (!ret && (status & STATUS_PROG_FAILED)) ++ if (ret) ++ return ret; ++ ++ if (status & STATUS_PROG_FAILED) + return -EIO; + + return nand_ecc_finish_io_req(nand, (struct nand_page_io_req *)req); diff --git a/queue-6.6/parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch b/queue-6.6/parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch new file mode 100644 index 0000000000..28a9ebdcd2 --- /dev/null +++ b/queue-6.6/parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch @@ -0,0 +1,103 @@ +From 91428ca9320edbab1211851d82429d33b9cd73ef Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Mon, 21 Jul 2025 15:39:26 -0400 +Subject: parisc: Check region is readable by user in raw_copy_from_user() + +From: John David Anglin + +commit 91428ca9320edbab1211851d82429d33b9cd73ef upstream. + +Because of the way the _PAGE_READ is handled in the parisc PTE, an +access interruption is not generated when the kernel reads from a +region where the _PAGE_READ is zero. The current code was written +assuming read access faults would also occur in the kernel. + +This change adds user access checks to raw_copy_from_user(). The +prober_user() define checks whether user code has read access to +a virtual address. Note that page faults are not handled in the +exception support for the probe instruction. For this reason, we +precede the probe by a ldb access check. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/special_insns.h | 28 ++++++++++++++++++++++++++++ + arch/parisc/lib/memcpy.c | 19 ++++++++++++++++++- + 2 files changed, 46 insertions(+), 1 deletion(-) + +--- a/arch/parisc/include/asm/special_insns.h ++++ b/arch/parisc/include/asm/special_insns.h +@@ -32,6 +32,34 @@ + pa; \ + }) + ++/** ++ * prober_user() - Probe user read access ++ * @sr: Space regster. ++ * @va: Virtual address. ++ * ++ * Return: Non-zero if address is accessible. ++ * ++ * Due to the way _PAGE_READ is handled in TLB entries, we need ++ * a special check to determine whether a user address is accessible. ++ * The ldb instruction does the initial access check. If it is ++ * successful, the probe instruction checks user access rights. ++ */ ++#define prober_user(sr, va) ({ \ ++ unsigned long read_allowed; \ ++ __asm__ __volatile__( \ ++ "copy %%r0,%0\n" \ ++ "8:\tldb 0(%%sr%1,%2),%%r0\n" \ ++ "\tproberi (%%sr%1,%2),%3,%0\n" \ ++ "9:\n" \ ++ ASM_EXCEPTIONTABLE_ENTRY(8b, 9b, \ ++ "or %%r0,%%r0,%%r0") \ ++ : "=&r" (read_allowed) \ ++ : "i" (sr), "r" (va), "i" (PRIV_USER) \ ++ : "memory" \ ++ ); \ ++ read_allowed; \ ++}) ++ + #define CR_EIEM 15 /* External Interrupt Enable Mask */ + #define CR_CR16 16 /* CR16 Interval Timer */ + #define CR_EIRR 23 /* External Interrupt Request Register */ +--- a/arch/parisc/lib/memcpy.c ++++ b/arch/parisc/lib/memcpy.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + + #define get_user_space() mfsp(SR_USER) + #define get_kernel_space() SR_KERNEL +@@ -32,9 +33,25 @@ EXPORT_SYMBOL(raw_copy_to_user); + unsigned long raw_copy_from_user(void *dst, const void __user *src, + unsigned long len) + { ++ unsigned long start = (unsigned long) src; ++ unsigned long end = start + len; ++ unsigned long newlen = len; ++ + mtsp(get_user_space(), SR_TEMP1); + mtsp(get_kernel_space(), SR_TEMP2); +- return pa_memcpy(dst, (void __force *)src, len); ++ ++ /* Check region is user accessible */ ++ if (start) ++ while (start < end) { ++ if (!prober_user(SR_TEMP1, start)) { ++ newlen = (start - (unsigned long) src); ++ break; ++ } ++ start += PAGE_SIZE; ++ /* align to page boundry which may have different permission */ ++ start = PAGE_ALIGN_DOWN(start); ++ } ++ return len - newlen + pa_memcpy(dst, (void __force *)src, newlen); + } + EXPORT_SYMBOL(raw_copy_from_user); + diff --git a/queue-6.6/parisc-define-and-use-set_pte_at.patch b/queue-6.6/parisc-define-and-use-set_pte_at.patch new file mode 100644 index 0000000000..1aea30886d --- /dev/null +++ b/queue-6.6/parisc-define-and-use-set_pte_at.patch @@ -0,0 +1,58 @@ +From 802e55488bc2cc1ab6423b720255a785ccac42ce Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Mon, 21 Jul 2025 16:06:21 -0400 +Subject: parisc: Define and use set_pte_at() + +From: John David Anglin + +commit 802e55488bc2cc1ab6423b720255a785ccac42ce upstream. + +When a PTE is changed, we need to flush the PTE. set_pte_at() +was lost in the folio update. PA-RISC version is the same as +the generic version. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/pgtable.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/parisc/include/asm/pgtable.h ++++ b/arch/parisc/include/asm/pgtable.h +@@ -276,7 +276,7 @@ extern unsigned long *empty_zero_page; + #define pte_none(x) (pte_val(x) == 0) + #define pte_present(x) (pte_val(x) & _PAGE_PRESENT) + #define pte_user(x) (pte_val(x) & _PAGE_USER) +-#define pte_clear(mm, addr, xp) set_pte(xp, __pte(0)) ++#define pte_clear(mm, addr, xp) set_pte_at((mm), (addr), (xp), __pte(0)) + + #define pmd_flag(x) (pmd_val(x) & PxD_FLAG_MASK) + #define pmd_address(x) ((unsigned long)(pmd_val(x) &~ PxD_FLAG_MASK) << PxD_VALUE_SHIFT) +@@ -398,6 +398,7 @@ static inline void set_ptes(struct mm_st + } + } + #define set_ptes set_ptes ++#define set_pte_at(mm, addr, ptep, pte) set_ptes(mm, addr, ptep, pte, 1) + + /* Used for deferring calls to flush_dcache_page() */ + +@@ -462,7 +463,7 @@ static inline int ptep_test_and_clear_yo + if (!pte_young(pte)) { + return 0; + } +- set_pte(ptep, pte_mkold(pte)); ++ set_pte_at(vma->vm_mm, addr, ptep, pte_mkold(pte)); + return 1; + } + +@@ -472,7 +473,7 @@ pte_t ptep_clear_flush(struct vm_area_st + struct mm_struct; + static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long addr, pte_t *ptep) + { +- set_pte(ptep, pte_wrprotect(*ptep)); ++ set_pte_at(mm, addr, ptep, pte_wrprotect(*ptep)); + } + + #define pte_same(A,B) (pte_val(A) == pte_val(B)) diff --git a/queue-6.6/parisc-drop-warn_on_once-from-flush_cache_vmap.patch b/queue-6.6/parisc-drop-warn_on_once-from-flush_cache_vmap.patch new file mode 100644 index 0000000000..8d172384be --- /dev/null +++ b/queue-6.6/parisc-drop-warn_on_once-from-flush_cache_vmap.patch @@ -0,0 +1,30 @@ +From 4eab1c27ce1f0e89ab67b01bf1e4e4c75215708a Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Mon, 21 Jul 2025 16:18:41 -0400 +Subject: parisc: Drop WARN_ON_ONCE() from flush_cache_vmap + +From: John David Anglin + +commit 4eab1c27ce1f0e89ab67b01bf1e4e4c75215708a upstream. + +I have observed warning to occassionally trigger. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/kernel/cache.c ++++ b/arch/parisc/kernel/cache.c +@@ -841,7 +841,7 @@ void flush_cache_vmap(unsigned long star + } + + vm = find_vm_area((void *)start); +- if (WARN_ON_ONCE(!vm)) { ++ if (!vm) { + flush_cache_all(); + return; + } diff --git a/queue-6.6/parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch b/queue-6.6/parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch new file mode 100644 index 0000000000..30ff9fb46f --- /dev/null +++ b/queue-6.6/parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch @@ -0,0 +1,37 @@ +From 305ab0a748c52eeaeb01d8cff6408842d19e5cb5 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Wed, 25 Jun 2025 00:30:54 -0700 +Subject: parisc: Makefile: explain that 64BIT requires both 32-bit and 64-bit compilers + +From: Randy Dunlap + +commit 305ab0a748c52eeaeb01d8cff6408842d19e5cb5 upstream. + +For building a 64-bit kernel, both 32-bit and 64-bit VDSO binaries +are built, so both 32-bit and 64-bit compilers (and tools) should be +in the PATH environment variable. + +Signed-off-by: Randy Dunlap +Cc: "James E.J. Bottomley" +Cc: Helge Deller +Cc: linux-parisc@vger.kernel.org +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/Makefile | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/parisc/Makefile ++++ b/arch/parisc/Makefile +@@ -39,7 +39,9 @@ endif + + export LD_BFD + +-# Set default 32 bits cross compilers for vdso ++# Set default 32 bits cross compilers for vdso. ++# This means that for 64BIT, both the 64-bit tools and the 32-bit tools ++# need to be in the path. + CC_ARCHES_32 = hppa hppa2.0 hppa1.1 + CC_SUFFIXES = linux linux-gnu unknown-linux-gnu suse-linux + CROSS32_COMPILE := $(call cc-cross-prefix, \ diff --git a/queue-6.6/parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch b/queue-6.6/parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch new file mode 100644 index 0000000000..b4252ff9a8 --- /dev/null +++ b/queue-6.6/parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch @@ -0,0 +1,40 @@ +From 52ce9406a9625c4498c4eaa51e7a7ed9dcb9db16 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Mon, 21 Jul 2025 15:56:04 -0400 +Subject: parisc: Rename pte_needs_flush() to pte_needs_cache_flush() in cache.c + +From: John David Anglin + +commit 52ce9406a9625c4498c4eaa51e7a7ed9dcb9db16 upstream. + +The local name used in cache.c conflicts the declaration in +include/asm-generic/tlb.h. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/parisc/kernel/cache.c ++++ b/arch/parisc/kernel/cache.c +@@ -425,7 +425,7 @@ static inline pte_t *get_ptep(struct mm_ + return ptep; + } + +-static inline bool pte_needs_flush(pte_t pte) ++static inline bool pte_needs_cache_flush(pte_t pte) + { + return (pte_val(pte) & (_PAGE_PRESENT | _PAGE_ACCESSED | _PAGE_NO_CACHE)) + == (_PAGE_PRESENT | _PAGE_ACCESSED); +@@ -630,7 +630,7 @@ static void flush_cache_page_if_present( + ptep = get_ptep(vma->vm_mm, vmaddr); + if (ptep) { + pte = ptep_get(ptep); +- needs_flush = pte_needs_flush(pte); ++ needs_flush = pte_needs_cache_flush(pte); + pte_unmap(ptep); + } + if (needs_flush) diff --git a/queue-6.6/parisc-revise-__get_user-to-probe-user-read-access.patch b/queue-6.6/parisc-revise-__get_user-to-probe-user-read-access.patch new file mode 100644 index 0000000000..8bcb269e1e --- /dev/null +++ b/queue-6.6/parisc-revise-__get_user-to-probe-user-read-access.patch @@ -0,0 +1,59 @@ +From 89f686a0fb6e473a876a9a60a13aec67a62b9a7e Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Fri, 25 Jul 2025 13:51:32 -0400 +Subject: parisc: Revise __get_user() to probe user read access + +From: John David Anglin + +commit 89f686a0fb6e473a876a9a60a13aec67a62b9a7e upstream. + +Because of the way read access support is implemented, read access +interruptions are only triggered at privilege levels 2 and 3. The +kernel executes at privilege level 0, so __get_user() never triggers +a read access interruption (code 26). Thus, it is currently possible +for user code to access a read protected address via a system call. + +Fix this by probing read access rights at privilege level 3 (PRIV_USER) +and setting __gu_err to -EFAULT (-14) if access isn't allowed. + +Note the cmpiclr instruction does a 32-bit compare because COND macro +doesn't work inside asm. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/include/asm/uaccess.h | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/arch/parisc/include/asm/uaccess.h ++++ b/arch/parisc/include/asm/uaccess.h +@@ -42,9 +42,24 @@ + __gu_err; \ + }) + +-#define __get_user(val, ptr) \ +-({ \ +- __get_user_internal(SR_USER, val, ptr); \ ++#define __probe_user_internal(sr, error, ptr) \ ++({ \ ++ __asm__("\tproberi (%%sr%1,%2),%3,%0\n" \ ++ "\tcmpiclr,= 1,%0,%0\n" \ ++ "\tldi %4,%0\n" \ ++ : "=r"(error) \ ++ : "i"(sr), "r"(ptr), "i"(PRIV_USER), \ ++ "i"(-EFAULT)); \ ++}) ++ ++#define __get_user(val, ptr) \ ++({ \ ++ register long __gu_err; \ ++ \ ++ __gu_err = __get_user_internal(SR_USER, val, ptr); \ ++ if (likely(!__gu_err)) \ ++ __probe_user_internal(SR_USER, __gu_err, ptr); \ ++ __gu_err; \ + }) + + #define __get_user_asm(sr, val, ldx, ptr) \ diff --git a/queue-6.6/parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch b/queue-6.6/parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch new file mode 100644 index 0000000000..98caceeccb --- /dev/null +++ b/queue-6.6/parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch @@ -0,0 +1,108 @@ +From f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Fri, 25 Jul 2025 12:12:14 -0400 +Subject: parisc: Revise gateway LWS calls to probe user read access + +From: John David Anglin + +commit f6334f4ae9a4e962ba74b026e1d965dfdf8cbef8 upstream. + +We use load and stbys,e instructions to trigger memory reference +interruptions without writing to memory. Because of the way read +access support is implemented, read access interruptions are only +triggered at privilege levels 2 and 3. The kernel and gateway +page execute at privilege level 0, so this code never triggers +a read access interruption. Thus, it is currently possible for +user code to execute a LWS compare and swap operation at an +address that is read protected at privilege level 3 (PRIV_USER). + +Fix this by probing read access rights at privilege level 3 and +branching to lws_fault if access isn't allowed. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/syscall.S | 30 +++++++++++++++++++++--------- + 1 file changed, 21 insertions(+), 9 deletions(-) + +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -613,6 +613,9 @@ lws_compare_and_swap32: + lws_compare_and_swap: + /* Trigger memory reference interruptions without writing to memory */ + 1: ldw 0(%r26), %r28 ++ proberi (%r26), PRIV_USER, %r28 ++ comb,=,n %r28, %r0, lws_fault /* backwards, likely not taken */ ++ nop + 2: stbys,e %r0, 0(%r26) + + /* Calculate 8-bit hash index from virtual address */ +@@ -767,6 +770,9 @@ cas2_lock_start: + copy %r26, %r28 + depi_safe 0, 31, 2, %r28 + 10: ldw 0(%r28), %r1 ++ proberi (%r28), PRIV_USER, %r1 ++ comb,=,n %r1, %r0, lws_fault /* backwards, likely not taken */ ++ nop + 11: stbys,e %r0, 0(%r28) + + /* Calculate 8-bit hash index from virtual address */ +@@ -951,41 +957,47 @@ atomic_xchg_begin: + + /* 8-bit exchange */ + 1: ldb 0(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + copy %r23, %r20 + depi_safe 0, 31, 2, %r20 + b atomic_xchg_start + 2: stbys,e %r0, 0(%r20) +- nop +- nop +- nop + + /* 16-bit exchange */ + 3: ldh 0(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + copy %r23, %r20 + depi_safe 0, 31, 2, %r20 + b atomic_xchg_start + 4: stbys,e %r0, 0(%r20) +- nop +- nop +- nop + + /* 32-bit exchange */ + 5: ldw 0(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + b atomic_xchg_start + 6: stbys,e %r0, 0(%r23) + nop + nop +- nop +- nop +- nop + + /* 64-bit exchange */ + #ifdef CONFIG_64BIT + 7: ldd 0(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + 8: stdby,e %r0, 0(%r23) + #else + 7: ldw 0(%r24), %r20 + 8: ldw 4(%r24), %r20 ++ proberi (%r24), PRIV_USER, %r20 ++ comb,=,n %r20, %r0, lws_fault /* backwards, likely not taken */ ++ nop + copy %r23, %r20 + depi_safe 0, 31, 2, %r20 + 9: stbys,e %r0, 0(%r20) diff --git a/queue-6.6/parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch b/queue-6.6/parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch new file mode 100644 index 0000000000..e0f9474e21 --- /dev/null +++ b/queue-6.6/parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch @@ -0,0 +1,30 @@ +From f92a5e36b0c45cd12ac0d1bc44680c0dfae34543 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Mon, 21 Jul 2025 16:13:13 -0400 +Subject: parisc: Try to fixup kernel exception in bad_area_nosemaphore path of do_page_fault() + +From: John David Anglin + +commit f92a5e36b0c45cd12ac0d1bc44680c0dfae34543 upstream. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/mm/fault.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/parisc/mm/fault.c ++++ b/arch/parisc/mm/fault.c +@@ -363,6 +363,10 @@ bad_area: + mmap_read_unlock(mm); + + bad_area_nosemaphore: ++ if (!user_mode(regs) && fixup_exception(regs)) { ++ return; ++ } ++ + if (user_mode(regs)) { + int signo, si_code; + diff --git a/queue-6.6/parisc-update-comments-in-make_insert_tlb.patch b/queue-6.6/parisc-update-comments-in-make_insert_tlb.patch new file mode 100644 index 0000000000..b2349b01ec --- /dev/null +++ b/queue-6.6/parisc-update-comments-in-make_insert_tlb.patch @@ -0,0 +1,98 @@ +From cb22f247f371bd206a88cf0e0c05d80b8b62fb26 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Mon, 21 Jul 2025 15:13:42 -0400 +Subject: parisc: Update comments in make_insert_tlb + +From: John David Anglin + +commit cb22f247f371bd206a88cf0e0c05d80b8b62fb26 upstream. + +The following testcase exposed a problem with our read access checks +in get_user() and raw_copy_from_user(): + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char **argv) +{ + unsigned long page_size = sysconf(_SC_PAGESIZE); + char *p = malloc(3 * page_size); + char *p_aligned; + + /* initialize memory region. If not initialized, write syscall below will correctly return EFAULT. */ + if (1) + memset(p, 'X', 3 * page_size); + + p_aligned = (char *) ((((uintptr_t) p) + (2*page_size - 1)) & ~(page_size - 1)); + /* Drop PROT_READ protection. Kernel and userspace should fault when accessing that memory region */ + mprotect(p_aligned, page_size, PROT_NONE); + + /* the following write() should return EFAULT, since PROT_READ was dropped by previous mprotect() */ + int ret = write(2, p_aligned, 1); + if (!ret || errno != EFAULT) + printf("\n FAILURE: write() did not returned expected EFAULT value\n"); + + return 0; +} + +Because of the way _PAGE_READ is handled, kernel code never generates +a read access fault when it access a page as the kernel privilege level +is always less than PL1 in the PTE. + +This patch reworks the comments in the make_insert_tlb macro to try +to make this clearer. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/entry.S | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -499,6 +499,12 @@ + * this happens is quite subtle, read below */ + .macro make_insert_tlb spc,pte,prot,tmp + space_to_prot \spc \prot /* create prot id from space */ ++ ++#if _PAGE_SPECIAL_BIT == _PAGE_DMB_BIT ++ /* need to drop DMB bit, as it's used as SPECIAL flag */ ++ depi 0,_PAGE_SPECIAL_BIT,1,\pte ++#endif ++ + /* The following is the real subtlety. This is depositing + * T <-> _PAGE_REFTRAP + * D <-> _PAGE_DIRTY +@@ -511,17 +517,18 @@ + * Finally, _PAGE_READ goes in the top bit of PL1 (so we + * trigger an access rights trap in user space if the user + * tries to read an unreadable page */ +-#if _PAGE_SPECIAL_BIT == _PAGE_DMB_BIT +- /* need to drop DMB bit, as it's used as SPECIAL flag */ +- depi 0,_PAGE_SPECIAL_BIT,1,\pte +-#endif + depd \pte,8,7,\prot + + /* PAGE_USER indicates the page can be read with user privileges, + * so deposit X1|11 to PL1|PL2 (remember the upper bit of PL1 +- * contains _PAGE_READ) */ ++ * contains _PAGE_READ). While the kernel can't directly write ++ * user pages which have _PAGE_WRITE zero, it can read pages ++ * which have _PAGE_READ zero (PL <= PL1). Thus, the kernel ++ * exception fault handler doesn't trigger when reading pages ++ * that aren't user read accessible */ + extrd,u,*= \pte,_PAGE_USER_BIT+32,1,%r0 + depdi 7,11,3,\prot ++ + /* If we're a gateway page, drop PL2 back to zero for promotion + * to kernel privilege (so we can execute the page as kernel). + * Any privilege promotion page always denys read and write */ diff --git a/queue-6.6/pci-endpoint-fix-configfs-group-list-head-handling.patch b/queue-6.6/pci-endpoint-fix-configfs-group-list-head-handling.patch new file mode 100644 index 0000000000..7b06be92b9 --- /dev/null +++ b/queue-6.6/pci-endpoint-fix-configfs-group-list-head-handling.patch @@ -0,0 +1,62 @@ +From d79123d79a8154b4318529b7b2ff7e15806f480b Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 24 Jun 2025 20:45:43 +0900 +Subject: PCI: endpoint: Fix configfs group list head handling + +From: Damien Le Moal + +commit d79123d79a8154b4318529b7b2ff7e15806f480b upstream. + +Doing a list_del() on the epf_group field of struct pci_epf_driver in +pci_epf_remove_cfs() is not correct as this field is a list head, not +a list entry. This list_del() call triggers a KASAN warning when an +endpoint function driver which has a configfs attribute group is torn +down: + +================================================================== +BUG: KASAN: slab-use-after-free in pci_epf_remove_cfs+0x17c/0x198 +Write of size 8 at addr ffff00010f4a0d80 by task rmmod/319 + +CPU: 3 UID: 0 PID: 319 Comm: rmmod Not tainted 6.16.0-rc2 #1 NONE +Hardware name: Radxa ROCK 5B (DT) +Call trace: +show_stack+0x2c/0x84 (C) +dump_stack_lvl+0x70/0x98 +print_report+0x17c/0x538 +kasan_report+0xb8/0x190 +__asan_report_store8_noabort+0x20/0x2c +pci_epf_remove_cfs+0x17c/0x198 +pci_epf_unregister_driver+0x18/0x30 +nvmet_pci_epf_cleanup_module+0x24/0x30 [nvmet_pci_epf] +__arm64_sys_delete_module+0x264/0x424 +invoke_syscall+0x70/0x260 +el0_svc_common.constprop.0+0xac/0x230 +do_el0_svc+0x40/0x58 +el0_svc+0x48/0xdc +el0t_64_sync_handler+0x10c/0x138 +el0t_64_sync+0x198/0x19c +... + +Remove this incorrect list_del() call from pci_epf_remove_cfs(). + +Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry") +Signed-off-by: Damien Le Moal +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Niklas Cassel +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250624114544.342159-2-dlemoal@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/endpoint/pci-epf-core.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/pci/endpoint/pci-epf-core.c ++++ b/drivers/pci/endpoint/pci-epf-core.c +@@ -311,7 +311,6 @@ static void pci_epf_remove_cfs(struct pc + mutex_lock(&pci_epf_mutex); + list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry) + pci_ep_cfs_remove_epf_group(group); +- list_del(&driver->epf_group); + mutex_unlock(&pci_epf_mutex); + } + diff --git a/queue-6.6/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch b/queue-6.6/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch new file mode 100644 index 0000000000..c1488b7e49 --- /dev/null +++ b/queue-6.6/pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch @@ -0,0 +1,53 @@ +From 910bdb8197f9322790c738bb32feaa11dba26909 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Tue, 24 Jun 2025 20:45:44 +0900 +Subject: PCI: endpoint: Fix configfs group removal on driver teardown + +From: Damien Le Moal + +commit 910bdb8197f9322790c738bb32feaa11dba26909 upstream. + +An endpoint driver configfs attributes group is added to the +epf_group list of struct pci_epf_driver by pci_epf_add_cfs() but an +added group is not removed from this list when the attribute group is +unregistered with pci_ep_cfs_remove_epf_group(). + +Add the missing list_del() call in pci_ep_cfs_remove_epf_group() +to correctly remove the attribute group from the driver list. + +With this change, once the loop over all attribute groups in +pci_epf_remove_cfs() completes, the driver epf_group list should be +empty. Add a WARN_ON() to make sure of that. + +Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry") +Signed-off-by: Damien Le Moal +Signed-off-by: Manivannan Sadhasivam +Reviewed-by: Niklas Cassel +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20250624114544.342159-3-dlemoal@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/endpoint/pci-ep-cfs.c | 1 + + drivers/pci/endpoint/pci-epf-core.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/pci/endpoint/pci-ep-cfs.c ++++ b/drivers/pci/endpoint/pci-ep-cfs.c +@@ -683,6 +683,7 @@ void pci_ep_cfs_remove_epf_group(struct + if (IS_ERR_OR_NULL(group)) + return; + ++ list_del(&group->group_entry); + configfs_unregister_default_group(group); + } + EXPORT_SYMBOL(pci_ep_cfs_remove_epf_group); +--- a/drivers/pci/endpoint/pci-epf-core.c ++++ b/drivers/pci/endpoint/pci-epf-core.c +@@ -311,6 +311,7 @@ static void pci_epf_remove_cfs(struct pc + mutex_lock(&pci_epf_mutex); + list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry) + pci_ep_cfs_remove_epf_group(group); ++ WARN_ON(!list_empty(&driver->epf_group)); + mutex_unlock(&pci_epf_mutex); + } + diff --git a/queue-6.6/phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch b/queue-6.6/phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch new file mode 100644 index 0000000000..3e326d7f80 --- /dev/null +++ b/queue-6.6/phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch @@ -0,0 +1,71 @@ +From 4a3556b81b99f0c8c0358f7cc6801a62b4538fe2 Mon Sep 17 00:00:00 2001 +From: Kathiravan Thirumoorthy +Date: Mon, 30 Jun 2025 13:48:13 +0530 +Subject: phy: qcom: phy-qcom-m31: Update IPQ5332 M31 USB phy initialization sequence + +From: Kathiravan Thirumoorthy + +commit 4a3556b81b99f0c8c0358f7cc6801a62b4538fe2 upstream. + +The current configuration used for the IPQ5332 M31 USB PHY fails the +Near End High Speed Signal Quality compliance test. To resolve this, +update the initialization sequence as specified in the Hardware Design +Document. + +Fixes: 08e49af50701 ("phy: qcom: Introduce M31 USB PHY driver") +Cc: stable@kernel.org +Signed-off-by: Kathiravan Thirumoorthy +Reviewed-by: Konrad Dybcio +Link: https://lore.kernel.org/r/20250630-ipq5332_hsphy_complaince-v2-1-63621439ebdb@oss.qualcomm.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/qualcomm/phy-qcom-m31.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/phy/qualcomm/phy-qcom-m31.c ++++ b/drivers/phy/qualcomm/phy-qcom-m31.c +@@ -58,14 +58,16 @@ + #define USB2_0_TX_ENABLE BIT(2) + + #define USB2PHY_USB_PHY_M31_XCFGI_4 0xc8 +- #define HSTX_SLEW_RATE_565PS GENMASK(1, 0) ++ #define HSTX_SLEW_RATE_400PS GENMASK(2, 0) + #define PLL_CHARGING_PUMP_CURRENT_35UA GENMASK(4, 3) + #define ODT_VALUE_38_02_OHM GENMASK(7, 6) + + #define USB2PHY_USB_PHY_M31_XCFGI_5 0xcc +- #define ODT_VALUE_45_02_OHM BIT(2) + #define HSTX_PRE_EMPHASIS_LEVEL_0_55MA BIT(0) + ++#define USB2PHY_USB_PHY_M31_XCFGI_9 0xdc ++ #define HSTX_CURRENT_17_1MA_385MV BIT(1) ++ + #define USB2PHY_USB_PHY_M31_XCFGI_11 0xe4 + #define XCFG_COARSE_TUNE_NUM BIT(1) + #define XCFG_FINE_TUNE_NUM BIT(3) +@@ -120,7 +122,7 @@ static struct m31_phy_regs m31_ipq5332_r + }, + { + USB2PHY_USB_PHY_M31_XCFGI_4, +- HSTX_SLEW_RATE_565PS | PLL_CHARGING_PUMP_CURRENT_35UA | ODT_VALUE_38_02_OHM, ++ HSTX_SLEW_RATE_400PS | PLL_CHARGING_PUMP_CURRENT_35UA | ODT_VALUE_38_02_OHM, + 0 + }, + { +@@ -130,10 +132,14 @@ static struct m31_phy_regs m31_ipq5332_r + }, + { + USB2PHY_USB_PHY_M31_XCFGI_5, +- ODT_VALUE_45_02_OHM | HSTX_PRE_EMPHASIS_LEVEL_0_55MA, ++ HSTX_PRE_EMPHASIS_LEVEL_0_55MA, + 4 + }, + { ++ USB2PHY_USB_PHY_M31_XCFGI_9, ++ HSTX_CURRENT_17_1MA_385MV, ++ }, ++ { + USB_PHY_UTMI_CTRL5, + 0x0, + 0 diff --git a/queue-6.6/series b/queue-6.6/series index 901c4ffbdc..2be9d97774 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -378,3 +378,34 @@ pwm-imx-tpm-reset-counter-if-cmod-is-0.patch pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch pwm-mediatek-fix-duty-and-period-setting.patch hwmon-gsc-hwmon-fix-fan-pwm-setpoint-show-functions.patch +mtd-spi-nor-fix-spi_nor_try_unlock_all.patch +mtd-spinand-propagate-spinand_wait-errors-from-spinand_write_page.patch +mtd-rawnand-fsmc-add-missing-check-after-dma-map.patch +mtd-rawnand-renesas-add-missing-check-after-dma-map.patch +pci-endpoint-fix-configfs-group-list-head-handling.patch +pci-endpoint-fix-configfs-group-removal-on-driver-teardown.patch +vsock-virtio-validate-length-in-packet-header-before-skb_put.patch +vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch +phy-qcom-phy-qcom-m31-update-ipq5332-m31-usb-phy-initialization-sequence.patch +f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch +jbd2-prevent-softlockup-in-jbd2_log_do_checkpoint.patch +soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch +parisc-check-region-is-readable-by-user-in-raw_copy_from_user.patch +parisc-define-and-use-set_pte_at.patch +parisc-drop-warn_on_once-from-flush_cache_vmap.patch +parisc-makefile-explain-that-64bit-requires-both-32-bit-and-64-bit-compilers.patch +parisc-rename-pte_needs_flush-to-pte_needs_cache_flush-in-cache.c.patch +parisc-revise-__get_user-to-probe-user-read-access.patch +parisc-revise-gateway-lws-calls-to-probe-user-read-access.patch +parisc-try-to-fixup-kernel-exception-in-bad_area_nosemaphore-path-of-do_page_fault.patch +parisc-update-comments-in-make_insert_tlb.patch +media-gspca-add-bounds-checking-to-firmware-parser.patch +media-hi556-correct-the-test-pattern-configuration.patch +media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch +media-vivid-fix-wrong-pixel_array-control-size.patch +media-verisilicon-fix-av1-decoder-clock-frequency.patch +media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch +media-usbtv-lock-resolution-while-streaming.patch +media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch +media-ov2659-fix-memory-leaks-in-ov2659_probe.patch +media-ivsc-fix-crash-at-shutdown-due-to-missing-mei_cldev_disable-calls.patch diff --git a/queue-6.6/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch b/queue-6.6/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch new file mode 100644 index 0000000000..0793031ee0 --- /dev/null +++ b/queue-6.6/soc-tegra-pmc-ensure-power-domains-are-in-a-known-state.patch @@ -0,0 +1,137 @@ +From b6bcbce3359619d05bf387d4f5cc3af63668dbaa Mon Sep 17 00:00:00 2001 +From: Jon Hunter +Date: Thu, 31 Jul 2025 13:18:32 +0100 +Subject: soc/tegra: pmc: Ensure power-domains are in a known state + +From: Jon Hunter + +commit b6bcbce3359619d05bf387d4f5cc3af63668dbaa upstream. + +After commit 13a4b7fb6260 ("pmdomain: core: Leave powered-on genpds on +until late_initcall_sync") was applied, the Tegra210 Jetson TX1 board +failed to boot. Looking into this issue, before this commit was applied, +if any of the Tegra power-domains were in 'on' state when the kernel +booted, they were being turned off by the genpd core before any driver +had chance to request them. This was purely by luck and a consequence of +the power-domains being turned off earlier during boot. After this +commit was applied, any power-domains in the 'on' state are kept on for +longer during boot and therefore, may never transitioned to the off +state before they are requested/used. The hang on the Tegra210 Jetson +TX1 is caused because devices in some power-domains are accessed without +the power-domain being turned off and on, indicating that the +power-domain is not in a completely on state. + +>From reviewing the Tegra PMC driver code, if a power-domain is in the +'on' state there is no guarantee that all the necessary clocks +associated with the power-domain are on and even if they are they would +not have been requested via the clock framework and so could be turned +off later. Some power-domains also have a 'clamping' register that needs +to be configured as well. In short, if a power-domain is already 'on' it +is difficult to know if it has been configured correctly. Given that the +power-domains happened to be switched off during boot previously, to +ensure that they are in a good known state on boot, fix this by +switching off any power-domains that are on initially when registering +the power-domains with the genpd framework. + +Note that commit 05cfb988a4d0 ("soc/tegra: pmc: Initialise resets +associated with a power partition") updated the +tegra_powergate_of_get_resets() function to pass the 'off' to ensure +that the resets for the power-domain are in the correct state on boot. +However, now that we may power off a domain on boot, if it is on, it is +better to move this logic into the tegra_powergate_add() function so +that there is a single place where we are handling the initial state of +the power-domain. + +Fixes: a38045121bf4 ("soc/tegra: pmc: Add generic PM domain support") +Signed-off-by: Jon Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250731121832.213671-1-jonathanh@nvidia.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/tegra/pmc.c | 51 +++++++++++++++++++++++++++--------------------- + 1 file changed, 29 insertions(+), 22 deletions(-) + +--- a/drivers/soc/tegra/pmc.c ++++ b/drivers/soc/tegra/pmc.c +@@ -1232,7 +1232,7 @@ err: + } + + static int tegra_powergate_of_get_resets(struct tegra_powergate *pg, +- struct device_node *np, bool off) ++ struct device_node *np) + { + struct device *dev = pg->pmc->dev; + int err; +@@ -1247,22 +1247,6 @@ static int tegra_powergate_of_get_resets + err = reset_control_acquire(pg->reset); + if (err < 0) { + pr_err("failed to acquire resets: %d\n", err); +- goto out; +- } +- +- if (off) { +- err = reset_control_assert(pg->reset); +- } else { +- err = reset_control_deassert(pg->reset); +- if (err < 0) +- goto out; +- +- reset_control_release(pg->reset); +- } +- +-out: +- if (err) { +- reset_control_release(pg->reset); + reset_control_put(pg->reset); + } + +@@ -1307,20 +1291,43 @@ static int tegra_powergate_add(struct te + goto set_available; + } + +- err = tegra_powergate_of_get_resets(pg, np, off); ++ err = tegra_powergate_of_get_resets(pg, np); + if (err < 0) { + dev_err(dev, "failed to get resets for %pOFn: %d\n", np, err); + goto remove_clks; + } + +- if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) { +- if (off) +- WARN_ON(tegra_powergate_power_up(pg, true)); ++ /* ++ * If the power-domain is off, then ensure the resets are asserted. ++ * If the power-domain is on, then power down to ensure that when is ++ * it turned on the power-domain, clocks and resets are all in the ++ * expected state. ++ */ ++ if (off) { ++ err = reset_control_assert(pg->reset); ++ if (err) { ++ pr_err("failed to assert resets: %d\n", err); ++ goto remove_resets; ++ } ++ } else { ++ err = tegra_powergate_power_down(pg); ++ if (err) { ++ dev_err(dev, "failed to turn off PM domain %s: %d\n", ++ pg->genpd.name, err); ++ goto remove_resets; ++ } ++ } + ++ /* ++ * If PM_GENERIC_DOMAINS is not enabled, power-on ++ * the domain and skip the genpd registration. ++ */ ++ if (!IS_ENABLED(CONFIG_PM_GENERIC_DOMAINS)) { ++ WARN_ON(tegra_powergate_power_up(pg, true)); + goto remove_resets; + } + +- err = pm_genpd_init(&pg->genpd, NULL, off); ++ err = pm_genpd_init(&pg->genpd, NULL, true); + if (err < 0) { + dev_err(dev, "failed to initialise PM domain %pOFn: %d\n", np, + err); diff --git a/queue-6.6/vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch b/queue-6.6/vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch new file mode 100644 index 0000000000..78fa45108e --- /dev/null +++ b/queue-6.6/vhost-vsock-avoid-allocating-arbitrarily-sized-skbs.patch @@ -0,0 +1,53 @@ +From 10a886aaed293c4db3417951f396827216299e3d Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 17 Jul 2025 10:01:08 +0100 +Subject: vhost/vsock: Avoid allocating arbitrarily-sized SKBs + +From: Will Deacon + +commit 10a886aaed293c4db3417951f396827216299e3d upstream. + +vhost_vsock_alloc_skb() returns NULL for packets advertising a length +larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE in the packet header. However, +this is only checked once the SKB has been allocated and, if the length +in the packet header is zero, the SKB may not be freed immediately. + +Hoist the size check before the SKB allocation so that an iovec larger +than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + the header size is rejected +outright. The subsequent check on the length field in the header can +then simply check that the allocated SKB is indeed large enough to hold +the packet. + +Cc: +Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") +Reviewed-by: Stefano Garzarella +Signed-off-by: Will Deacon +Message-Id: <20250717090116.11987-2-will@kernel.org> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/vsock.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -340,6 +340,9 @@ vhost_vsock_alloc_skb(struct vhost_virtq + + len = iov_length(vq->iov, out); + ++ if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM) ++ return NULL; ++ + /* len contains both payload and hdr */ + skb = virtio_vsock_alloc_skb(len, GFP_KERNEL); + if (!skb) +@@ -363,8 +366,7 @@ vhost_vsock_alloc_skb(struct vhost_virtq + return skb; + + /* The pkt is too big or the length in the header is invalid */ +- if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE || +- payload_len + sizeof(*hdr) > len) { ++ if (payload_len + sizeof(*hdr) > len) { + kfree_skb(skb); + return NULL; + } diff --git a/queue-6.6/vsock-virtio-validate-length-in-packet-header-before-skb_put.patch b/queue-6.6/vsock-virtio-validate-length-in-packet-header-before-skb_put.patch new file mode 100644 index 0000000000..72f9781ed8 --- /dev/null +++ b/queue-6.6/vsock-virtio-validate-length-in-packet-header-before-skb_put.patch @@ -0,0 +1,62 @@ +From 0dab92484474587b82e8e0455839eaf5ac7bf894 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 17 Jul 2025 10:01:09 +0100 +Subject: vsock/virtio: Validate length in packet header before skb_put() + +From: Will Deacon + +commit 0dab92484474587b82e8e0455839eaf5ac7bf894 upstream. + +When receiving a vsock packet in the guest, only the virtqueue buffer +size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, +virtio_vsock_skb_rx_put() uses the length from the packet header as the +length argument to skb_put(), potentially resulting in SKB overflow if +the host has gone wonky. + +Validate the length as advertised by the packet header before calling +virtio_vsock_skb_rx_put(). + +Cc: +Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") +Signed-off-by: Will Deacon +Message-Id: <20250717090116.11987-3-will@kernel.org> +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Stefano Garzarella +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/virtio_transport.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/net/vmw_vsock/virtio_transport.c ++++ b/net/vmw_vsock/virtio_transport.c +@@ -497,8 +497,9 @@ static void virtio_transport_rx_work(str + do { + virtqueue_disable_cb(vq); + for (;;) { ++ unsigned int len, payload_len; ++ struct virtio_vsock_hdr *hdr; + struct sk_buff *skb; +- unsigned int len; + + if (!virtio_transport_more_replies(vsock)) { + /* Stop rx until the device processes already +@@ -515,11 +516,18 @@ static void virtio_transport_rx_work(str + vsock->rx_buf_nr--; + + /* Drop short/long packets */ +- if (unlikely(len < sizeof(struct virtio_vsock_hdr) || ++ if (unlikely(len < sizeof(*hdr) || + len > virtio_vsock_skb_len(skb))) { + kfree_skb(skb); + continue; + } ++ ++ hdr = virtio_vsock_hdr(skb); ++ payload_len = le32_to_cpu(hdr->len); ++ if (unlikely(payload_len > len - sizeof(*hdr))) { ++ kfree_skb(skb); ++ continue; ++ } + + virtio_vsock_skb_rx_put(skb); + virtio_transport_deliver_tap_pkt(skb);