From: Greg Kroah-Hartman Date: Sun, 7 Sep 2025 15:23:57 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.299~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be3476ad337781b03c85ce1b7b95bf2b1fa4ae8d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: cifs-fix-integer-overflow-in-match_server.patch clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch
---
diff --git a/queue-5.10/cifs-fix-integer-overflow-in-match_server.patch b/queue-5.10/cifs-fix-integer-overflow-in-match_server.patch
new file mode 100644
index 0000000000..414eceaf6f
--- /dev/null
+++ b/queue-5.10/cifs-fix-integer-overflow-in-match_server.patch
@@ -0,0 +1,46 @@
+From stable+bounces-178045-greg=kroah.com@vger.kernel.org Sun Sep 7 16:58:22 2025
+From: Sasha Levin
+Date: Sun, 7 Sep 2025 10:58:14 -0400
+Subject: cifs: fix integer overflow in match_server()
+To: stable@vger.kernel.org
+Cc: Roman Smirnov , Steve French , Sasha Levin
+Message-ID: <20250907145814.636984-1-sashal@kernel.org>
+
+From: Roman Smirnov
+
+[ Upstream commit 2510859475d7f46ed7940db0853f3342bf1b65ee ]
+
+The echo_interval is not limited in any way during mounting,
+which makes it possible to write a large number to it. This can
+cause an overflow when multiplying ctx->echo_interval by HZ in
+match_server().
+
+Add constraints for echo_interval to smb3_fs_context_parse_param().
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: adfeb3e00e8e1 ("cifs: Make echo interval tunable")
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Smirnov
+Signed-off-by: Steve French
+[ Adapted to older CIFS filesystem structure and mount option parsing ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/connect.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -1915,6 +1915,11 @@ cifs_parse_mount_options(const char *mou
+ __func__);
+ goto cifs_parse_mount_err;
+ }
++ if (option < SMB_ECHO_INTERVAL_MIN ||
++ option > SMB_ECHO_INTERVAL_MAX) {
++ cifs_dbg(VFS, "echo interval is out of bounds\n");
++ goto cifs_parse_mount_err;
++ }
+ vol->echo_interval = option;
+ break;
+ case Opt_snapshot:
diff --git a/queue-5.10/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch b/queue-5.10/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch
new file mode 100644
index 0000000000..fb62f606fa
--- /dev/null
+++ b/queue-5.10/clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch
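Review bot: The new rejection message in cifs_parse_mount_options(), `cifs_dbg(VFS, "echo interval is out of bounds\n");`, names neither the rejected value nor the accepted range, and unlike the message just above it (which passes `__func__`) it carries no function prefix. Because the check turns an out-of-range echo_interval into a hard mount failure on a stable branch, this log line is the only hint an administrator gets; something like `cifs_dbg(VFS, "%s: echo interval %lu out of range [%d, %d]\n", __func__, option, SMB_ECHO_INTERVAL_MIN, SMB_ECHO_INTERVAL_MAX);` would make it actionable (the format specifiers assume `option` is an unsigned long and the limits are plain ints, neither of which is visible here). The check itself sits correctly before the assignment to `vol->echo_interval`, so only a bounded value reaches the multiplication by HZ that the commit message describes. The function body starts and ends outside the hunk.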
@@ -0,0 +1,84 @@
+From stable+bounces-178046-greg=kroah.com@vger.kernel.org Sun Sep 7 17:08:44 2025
+From: Sasha Levin
+Date: Sun, 7 Sep 2025 11:08:33 -0400
+Subject: clk: qcom: gdsc: Set retain_ff before moving to HW CTRL
+To: stable@vger.kernel.org
+Cc: Taniya Das , Imran Shaik , Bjorn Andersson , Sasha Levin
+Message-ID: <20250907150833.640151-1-sashal@kernel.org>
+
+From: Taniya Das
+
+[ Upstream commit 25708f73ff171bb4171950c9f4be5aa8504b8459 ]
+
+Enable the retain_ff_enable bit of GDSCR only if the GDSC is already ON.
+Once the GDSCR moves to HW control, SW no longer can determine the state
+of the GDSCR and setting the retain_ff bit could destroy all the register
+contents we intended to save.
+Therefore, move the retain_ff configuration before switching the GDSC to
+HW trigger mode.
+
+Cc: stable@vger.kernel.org
+Fixes: 173722995cdb ("clk: qcom: gdsc: Add support to enable retention of GSDCR")
+Signed-off-by: Taniya Das
+Reviewed-by: Imran Shaik
+Tested-by: Imran Shaik # on QCS8300
+Link: https://lore.kernel.org/r/20250214-gdsc_fixes-v1-1-73e56d68a80f@quicinc.com
+Signed-off-by: Bjorn Andersson
+[ Changed error path ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/qcom/gdsc.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -273,6 +273,9 @@ static int gdsc_enable(struct generic_pm
+ */
+ udelay(1);
+
++ if (sc->flags & RETAIN_FF_ENABLE)
++ gdsc_retain_ff_on(sc);
++
+ /* Turn on HW trigger mode if supported */
+ if (sc->flags & HW_CTRL) {
+ ret = gdsc_hwctrl(sc, true);
+@@ -289,9 +292,6 @@ static int gdsc_enable(struct generic_pm
+ udelay(1);
+ }
+
+- if (sc->flags & RETAIN_FF_ENABLE)
+- gdsc_retain_ff_on(sc);
+-
+ return 0;
+ }
+
+@@ -392,13 +392,6 @@ static int gdsc_init(struct gdsc *sc)
+ return ret;
+ }
+
+- /* Turn on HW trigger mode if supported */
+- if (sc->flags & HW_CTRL) {
+- ret = gdsc_hwctrl(sc, true);
+- if (ret < 0)
+- return ret;
+- }
+-
+ /*
+ * Make sure the retain bit is set if the GDSC is already on,
+ * otherwise we end up turning off the GDSC and destroying all
+@@ -406,6 +399,14 @@ static int gdsc_init(struct gdsc *sc)
+ */
+ if (sc->flags & RETAIN_FF_ENABLE)
+ gdsc_retain_ff_on(sc);
++
++ /* Turn on HW trigger mode if supported */
++ if (sc->flags & HW_CTRL) {
++ ret = gdsc_hwctrl(sc, true);
++ if (ret < 0)
++ return ret;
++ }
++
+ } else if (sc->flags & ALWAYS_ON) {
+ /* If ALWAYS_ON GDSCs are not ON, turn them ON */
+ gdsc_enable(&sc->pd);
diff --git a/queue-5.10/series b/queue-5.10/series
index 95935d3522..24db48e4c3 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -47,3 +47,5 @@ pcmcia-add-error-handling-for-add_interval-in-do_val.patch
 spi-spi-fsl-lpspi-fix-transmissions-when-using-cont.patch
 spi-spi-fsl-lpspi-set-correct-chip-select-polarity-b.patch
 spi-spi-fsl-lpspi-reset-fifo-and-disable-module-on-t.patch
+clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch
+cifs-fix-integer-overflow-in-match_server.patch
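Review bot: The two lines added to gdsc_enable() ahead of the HW_CTRL block, `if (sc->flags & RETAIN_FF_ENABLE)` and `gdsc_retain_ff_on(sc);`, carry no comment saying that their position matters, so a later cleanup could move them back below gdsc_hwctrl() and reintroduce the problem the commit message describes. I would add `/* Set RETAIN_FF while SW still controls the GDSC; after the switch to HW trigger mode its state can no longer be determined */` above them, in the same spirit as the comment gdsc_init() already has on its retain block. In gdsc_init() the moved HW_CTRL block also ends with an added blank line directly before `} else if (sc->flags & ALWAYS_ON) {`, which can be dropped. Both functions start and end outside their hunks.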