From: Greg Kroah-Hartman Date: Sat, 6 Sep 2025 18:34:18 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v5.4.299~54 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6ce36ea7490b13029419a5e8dbde94ceddcff7ca;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: acpi-iort-fix-memory-leak-in-iort_rmr_alloc_sids.patch alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch arm64-ftrace-fix-unreachable-plt-for-ftrace_caller-in-init_module-with-config_dynamic_ftrace.patch pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch --- diff --git a/queue-6.6/acpi-iort-fix-memory-leak-in-iort_rmr_alloc_sids.patch b/queue-6.6/acpi-iort-fix-memory-leak-in-iort_rmr_alloc_sids.patch new file mode 100644 index 0000000000..4fffcc68fe --- /dev/null +++ b/queue-6.6/acpi-iort-fix-memory-leak-in-iort_rmr_alloc_sids.patch @@ -0,0 +1,39 @@ +From f3ef7110924b897f4b79db9f7ac75d319ec09c4a Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Thu, 28 Aug 2025 19:22:43 +0800 +Subject: ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids() + +From: Miaoqian Lin + +commit f3ef7110924b897f4b79db9f7ac75d319ec09c4a upstream. + +If krealloc_array() fails in iort_rmr_alloc_sids(), the function returns +NULL but does not free the original 'sids' allocation. This results in a +memory leak since the caller overwrites the original pointer with the +NULL return value. + +Fixes: 491cf4a6735a ("ACPI/IORT: Add support to retrieve IORT RMR reserved regions") +Cc: # 6.0.x +Signed-off-by: Miaoqian Lin +Reviewed-by: Hanjun Guo +Link: https://lore.kernel.org/r/20250828112243.61460-1-linmq006@gmail.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/arm64/iort.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/arm64/iort.c ++++ b/drivers/acpi/arm64/iort.c +@@ -937,8 +937,10 @@ static u32 *iort_rmr_alloc_sids(u32 *sid + + new_sids = krealloc_array(sids, count + new_count, + sizeof(*new_sids), GFP_KERNEL); +- if (!new_sids) ++ if (!new_sids) { ++ kfree(sids); + return NULL; ++ } + + for (i = count; i < total_count; i++) + new_sids[i] = id_start++; diff --git a/queue-6.6/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch b/queue-6.6/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch new file mode 100644 index 0000000000..787b21ed8a --- /dev/null +++ b/queue-6.6/alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch @@ -0,0 +1,37 @@ +From 9c6182843b0d02ca04cc1d946954a65a2286c7db Mon Sep 17 00:00:00 2001 +From: Cryolitia PukNgae +Date: Fri, 22 Aug 2025 20:58:08 +0800 +Subject: ALSA: usb-audio: Add mute TLV for playback volumes on some devices + +From: Cryolitia PukNgae + +commit 9c6182843b0d02ca04cc1d946954a65a2286c7db upstream. + +Applying the quirk of that, the lowest Playback mixer volume setting +mutes the audio output, on more devices. + +Link: https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/2514 +Cc: +Tested-by: Guoli An +Signed-off-by: Cryolitia PukNgae +Link: https://patch.msgid.link/20250822-mixer-quirk-v1-1-b19252239c1c@uniontech.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/mixer_quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -3631,9 +3631,11 @@ void snd_usb_mixer_fu_apply_quirk(struct + snd_dragonfly_quirk_db_scale(mixer, cval, kctl); + break; + /* lowest playback value is muted on some devices */ ++ case USB_ID(0x0572, 0x1b09): /* Conexant Systems (Rockwell), Inc. */ + case USB_ID(0x0d8c, 0x000c): /* C-Media */ + case USB_ID(0x0d8c, 0x0014): /* C-Media */ + case USB_ID(0x19f7, 0x0003): /* RODE NT-USB */ ++ case USB_ID(0x2d99, 0x0026): /* HECATE G2 GAMING HEADSET */ + if (strstr(kctl->id.name, "Playback")) + cval->min_mute = 1; + break; diff --git a/queue-6.6/arm64-ftrace-fix-unreachable-plt-for-ftrace_caller-in-init_module-with-config_dynamic_ftrace.patch b/queue-6.6/arm64-ftrace-fix-unreachable-plt-for-ftrace_caller-in-init_module-with-config_dynamic_ftrace.patch new file mode 100644 index 0000000000..19d54ad0f7 --- /dev/null +++ b/queue-6.6/arm64-ftrace-fix-unreachable-plt-for-ftrace_caller-in-init_module-with-config_dynamic_ftrace.patch @@ -0,0 +1,149 @@ +From a7ed7b9d0ebb038db9963d574da0311cab0b666a Mon Sep 17 00:00:00 2001 +From: panfan +Date: Thu, 4 Sep 2025 20:22:36 -0700 +Subject: arm64: ftrace: fix unreachable PLT for ftrace_caller in init_module with CONFIG_DYNAMIC_FTRACE + +From: panfan + +commit a7ed7b9d0ebb038db9963d574da0311cab0b666a upstream. + +On arm64, it has been possible for a module's sections to be placed more +than 128M away from each other since commit: + + commit 3e35d303ab7d ("arm64: module: rework module VA range selection") + +Due to this, an ftrace callsite in a module's .init.text section can be +out of branch range for the module's ftrace PLT entry (in the module's +.text section). Any attempt to enable tracing of that callsite will +result in a BRK being patched into the callsite, resulting in a fatal +exception when the callsite is later executed. + +Fix this by adding an additional trampoline for .init.text, which will +be within range. + +No additional trampolines are necessary due to the way a given +module's executable sections are packed together. Any executable +section beginning with ".init" will be placed in MOD_INIT_TEXT, +and any other executable section, including those beginning with ".exit", + will be placed in MOD_TEXT. + +Fixes: 3e35d303ab7d ("arm64: module: rework module VA range selection") +Cc: # 6.5.x +Signed-off-by: panfan +Acked-by: Mark Rutland +Link: https://lore.kernel.org/r/20250905032236.3220885-1-panfan@qti.qualcomm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/module.h | 1 + + arch/arm64/include/asm/module.lds.h | 1 + + arch/arm64/kernel/ftrace.c | 13 ++++++++++--- + arch/arm64/kernel/module-plts.c | 12 +++++++++++- + arch/arm64/kernel/module.c | 11 +++++++++++ + 5 files changed, 34 insertions(+), 4 deletions(-) + +--- a/arch/arm64/include/asm/module.h ++++ b/arch/arm64/include/asm/module.h +@@ -19,6 +19,7 @@ struct mod_arch_specific { + + /* for CONFIG_DYNAMIC_FTRACE */ + struct plt_entry *ftrace_trampolines; ++ struct plt_entry *init_ftrace_trampolines; + }; + + u64 module_emit_plt_entry(struct module *mod, Elf64_Shdr *sechdrs, +--- a/arch/arm64/include/asm/module.lds.h ++++ b/arch/arm64/include/asm/module.lds.h +@@ -2,6 +2,7 @@ SECTIONS { + .plt 0 : { BYTE(0) } + .init.plt 0 : { BYTE(0) } + .text.ftrace_trampoline 0 : { BYTE(0) } ++ .init.text.ftrace_trampoline 0 : { BYTE(0) } + + #ifdef CONFIG_KASAN_SW_TAGS + /* +--- a/arch/arm64/kernel/ftrace.c ++++ b/arch/arm64/kernel/ftrace.c +@@ -195,10 +195,17 @@ int ftrace_update_ftrace_func(ftrace_fun + return ftrace_modify_code(pc, 0, new, false); + } + +-static struct plt_entry *get_ftrace_plt(struct module *mod) ++static struct plt_entry *get_ftrace_plt(struct module *mod, unsigned long addr) + { + #ifdef CONFIG_MODULES +- struct plt_entry *plt = mod->arch.ftrace_trampolines; ++ struct plt_entry *plt = NULL; ++ ++ if (within_module_mem_type(addr, mod, MOD_INIT_TEXT)) ++ plt = mod->arch.init_ftrace_trampolines; ++ else if (within_module_mem_type(addr, mod, MOD_TEXT)) ++ plt = mod->arch.ftrace_trampolines; ++ else ++ return NULL; + + return &plt[FTRACE_PLT_IDX]; + #else +@@ -270,7 +277,7 @@ static bool ftrace_find_callable_addr(st + if (WARN_ON(!mod)) + return false; + +- plt = get_ftrace_plt(mod); ++ plt = get_ftrace_plt(mod, pc); + if (!plt) { + pr_err("ftrace: no module PLT for %ps\n", (void *)*addr); + return false; +--- a/arch/arm64/kernel/module-plts.c ++++ b/arch/arm64/kernel/module-plts.c +@@ -284,7 +284,7 @@ int module_frob_arch_sections(Elf_Ehdr * + unsigned long core_plts = 0; + unsigned long init_plts = 0; + Elf64_Sym *syms = NULL; +- Elf_Shdr *pltsec, *tramp = NULL; ++ Elf_Shdr *pltsec, *tramp = NULL, *init_tramp = NULL; + int i; + + /* +@@ -299,6 +299,9 @@ int module_frob_arch_sections(Elf_Ehdr * + else if (!strcmp(secstrings + sechdrs[i].sh_name, + ".text.ftrace_trampoline")) + tramp = sechdrs + i; ++ else if (!strcmp(secstrings + sechdrs[i].sh_name, ++ ".init.text.ftrace_trampoline")) ++ init_tramp = sechdrs + i; + else if (sechdrs[i].sh_type == SHT_SYMTAB) + syms = (Elf64_Sym *)sechdrs[i].sh_addr; + } +@@ -364,5 +367,12 @@ int module_frob_arch_sections(Elf_Ehdr * + tramp->sh_size = NR_FTRACE_PLTS * sizeof(struct plt_entry); + } + ++ if (init_tramp) { ++ init_tramp->sh_type = SHT_NOBITS; ++ init_tramp->sh_flags = SHF_EXECINSTR | SHF_ALLOC; ++ init_tramp->sh_addralign = __alignof__(struct plt_entry); ++ init_tramp->sh_size = NR_FTRACE_PLTS * sizeof(struct plt_entry); ++ } ++ + return 0; + } +--- a/arch/arm64/kernel/module.c ++++ b/arch/arm64/kernel/module.c +@@ -579,6 +579,17 @@ static int module_init_ftrace_plt(const + __init_plt(&plts[FTRACE_PLT_IDX], FTRACE_ADDR); + + mod->arch.ftrace_trampolines = plts; ++ ++ s = find_section(hdr, sechdrs, ".init.text.ftrace_trampoline"); ++ if (!s) ++ return -ENOEXEC; ++ ++ plts = (void *)s->sh_addr; ++ ++ __init_plt(&plts[FTRACE_PLT_IDX], FTRACE_ADDR); ++ ++ mod->arch.init_ftrace_trampolines = plts; ++ + #endif + return 0; + } diff --git a/queue-6.6/pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch b/queue-6.6/pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch new file mode 100644 index 0000000000..bef4d65120 --- /dev/null +++ b/queue-6.6/pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch @@ -0,0 +1,37 @@ +From 44822df89e8f3386871d9cad563ece8e2fd8f0e7 Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Tue, 12 Aug 2025 15:25:09 +0800 +Subject: pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() + +From: Ma Ke + +commit 44822df89e8f3386871d9cad563ece8e2fd8f0e7 upstream. + +In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to +res and used in pci_bus_alloc_resource(). There is a dereference of res +in pci_bus_alloc_resource(), which could lead to a NULL pointer +dereference on failure of pcmcia_make_resource(). + +Fix this bug by adding a check of res. + +Cc: stable@vger.kernel.org +Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module") +Signed-off-by: Ma Ke +Signed-off-by: Dominik Brodowski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pcmcia/rsrc_iodyn.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/pcmcia/rsrc_iodyn.c ++++ b/drivers/pcmcia/rsrc_iodyn.c +@@ -62,6 +62,9 @@ static struct resource *__iodyn_find_io_ + unsigned long min = base; + int ret; + ++ if (!res) ++ return NULL; ++ + data.mask = align - 1; + data.offset = base & data.mask; + diff --git a/queue-6.6/series b/queue-6.6/series index 96aed3a1a6..2b95e2025c 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -48,3 +48,7 @@ net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch ppp-fix-memory-leak-in-pad_compress_skb.patch selftest-net-fix-weird-setsockopt-in-bind_bhash.c.patch phy-mscc-stop-taking-ts_lock-for-tx_queue-and-use-it.patch +alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch +acpi-iort-fix-memory-leak-in-iort_rmr_alloc_sids.patch +arm64-ftrace-fix-unreachable-plt-for-ftrace_caller-in-init_module-with-config_dynamic_ftrace.patch +pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch