From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 22 Aug 2025 12:44:31 +0000 (+0200)
Subject: 6.16-stable patches
X-Git-Tag: v6.16.3~48
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b9c29a362ac5f0fa2e9775684c00c129c4ef0e02;p=thirdparty%2Fkernel%2Fstable-queue.git

6.16-stable patches

added patches:
	crypto-acomp-fix-cfi-failure-due-to-type-punning.patch
---

diff --git a/queue-6.16/crypto-acomp-fix-cfi-failure-due-to-type-punning.patch b/queue-6.16/crypto-acomp-fix-cfi-failure-due-to-type-punning.patch
new file mode 100644
index 0000000000..c1b1a890e9
--- /dev/null
+++ b/queue-6.16/crypto-acomp-fix-cfi-failure-due-to-type-punning.patch
@@ -0,0 +1,60 @@
+From 962ddc5a7a4b04c007bba0f3e7298cda13c62efd Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Tue, 8 Jul 2025 17:59:54 -0700
+Subject: crypto: acomp - Fix CFI failure due to type punning
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit 962ddc5a7a4b04c007bba0f3e7298cda13c62efd upstream.
+
+To avoid a crash when control flow integrity is enabled, make the
+workspace ("stream") free function use a consistent type, and call it
+through a function pointer that has that same type.
+
+Fixes: 42d9f6c77479 ("crypto: acomp - Move scomp stream allocation code into acomp")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[Giovanni: Backport to 6.16.y. Removed logic in crypto/zstd.c as commit
+f5ad93ffb541 ("crypto: zstd - convert to acomp") is not going to be
+backported to stable.]
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/deflate.c                    |    7 ++++++-
+ include/crypto/internal/acompress.h |    5 +----
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/crypto/deflate.c
++++ b/crypto/deflate.c
+@@ -48,9 +48,14 @@ static void *deflate_alloc_stream(void)
+ 	return ctx;
+ }
+ 
++static void deflate_free_stream(void *ctx)
++{
++	kvfree(ctx);
++}
++
+ static struct crypto_acomp_streams deflate_streams = {
+ 	.alloc_ctx = deflate_alloc_stream,
+-	.cfree_ctx = kvfree,
++	.free_ctx = deflate_free_stream,
+ };
+ 
+ static int deflate_compress_one(struct acomp_req *req,
+--- a/include/crypto/internal/acompress.h
++++ b/include/crypto/internal/acompress.h
+@@ -63,10 +63,7 @@ struct crypto_acomp_stream {
+ struct crypto_acomp_streams {
+ 	/* These must come first because of struct scomp_alg. */
+ 	void *(*alloc_ctx)(void);
+-	union {
+-		void (*free_ctx)(void *);
+-		void (*cfree_ctx)(const void *);
+-	};
++	void (*free_ctx)(void *);
+ 
+ 	struct crypto_acomp_stream __percpu *streams;
+ 	struct work_struct stream_work;
diff --git a/queue-6.16/series b/queue-6.16/series
index 3f31d99f57..b15d6d0122 100644
--- a/queue-6.16/series
+++ b/queue-6.16/series
@@ -226,3 +226,4 @@ xfs-fully-decouple-xfs_ibulk-flags-from-xfs_iwalk-flags.patch
 xfs-remove-unused-label-in-xfs_dax_notify_dev_failure.patch
 erofs-fix-build-error-with-config_erofs_fs_zip_accel-y.patch
 erofs-do-not-select-tristate-symbols-from-bool-symbols.patch
+crypto-acomp-fix-cfi-failure-due-to-type-punning.patch