From: Greg Kroah-Hartman Date: Tue, 12 May 2026 13:52:58 +0000 (+0200) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bf9f9da75c02deb5744a11b63bfd2f4da76e3bad;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: af_unix-reject-siocatmark-on-non-stream-sockets.patch cpuidle-powerpc-avoid-double-clear-when-breaking-snooze.patch extcon-ptn5150-handle-pending-irq-events-during-system-resume.patch hv_sock-fix-arm64-support.patch hwmon-corsair-psu-close-hid-device-on-probe-errors.patch hwmon-ltc2992-clamp-threshold-writes-to-hardware-range.patch hwmon-ltc2992-fix-u32-overflow-in-power-read-path.patch ibmveth-disable-gso-for-packets-with-small-mss.patch ip6_gre-use-cached-t-net-in-ip6erspan_changelink.patch net-rds-handle-zerocopy-send-cleanup-before-the-message-is-queued.patch parisc-fix-irq-leak-in-lasi-driver.patch sound-ua101-fix-division-by-zero-at-probe.patch spi-topcliff-pch-fix-use-after-free-on-unbind.patch thermal-drivers-sprd-fix-raw-temperature-clamping-in-sprd_thm_rawdata_to_temp.patch thermal-drivers-sprd-fix-temperature-clamping-in-sprd_thm_temp_to_rawdata.patch udf-reject-descriptors-with-oversized-crc-length.patch --- diff --git a/queue-5.15/af_unix-reject-siocatmark-on-non-stream-sockets.patch b/queue-5.15/af_unix-reject-siocatmark-on-non-stream-sockets.patch new file mode 100644 index 0000000000..9da776d477 --- /dev/null +++ b/queue-5.15/af_unix-reject-siocatmark-on-non-stream-sockets.patch @@ -0,0 +1,48 @@ +From d119775f2bad827edc28071c061fdd4a91f889a5 Mon Sep 17 00:00:00 2001 +From: Jiexun Wang +Date: Wed, 6 May 2026 22:08:23 +0800 +Subject: af_unix: Reject SIOCATMARK on non-stream sockets + +From: Jiexun Wang + +commit d119775f2bad827edc28071c061fdd4a91f889a5 upstream. + +SIOCATMARK reports whether the receive queue is at the urgent mark for +MSG_OOB. + +In AF_UNIX, MSG_OOB is supported only for SOCK_STREAM sockets. +SOCK_DGRAM and SOCK_SEQPACKET reject MSG_OOB in sendmsg() and recvmsg(), +so they should not support SIOCATMARK either. + +Return -EOPNOTSUPP for non-stream sockets before checking the receive +queue. + +Fixes: 314001f0bf92 ("af_unix: Add OOB support") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Suggested-by: Kuniyuki Iwashima +Signed-off-by: Jiexun Wang +Signed-off-by: Ren Wei +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260506140825.2987635-1-n05ec@lzu.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/unix/af_unix.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -2706,6 +2706,9 @@ again: + goto out; + } + ++ if (sk->sk_type != SOCK_STREAM) ++ return -EOPNOTSUPP; ++ + mutex_lock(&u->iolock); + goto redo; + unlock: diff --git a/queue-5.15/cpuidle-powerpc-avoid-double-clear-when-breaking-snooze.patch b/queue-5.15/cpuidle-powerpc-avoid-double-clear-when-breaking-snooze.patch new file mode 100644 index 0000000000..8e911814f5 --- /dev/null +++ b/queue-5.15/cpuidle-powerpc-avoid-double-clear-when-breaking-snooze.patch @@ -0,0 +1,59 @@ +From 64ed1e3e728afb57ba9acb59e69de930ead847d9 Mon Sep 17 00:00:00 2001 +From: Shrikanth Hegde +Date: Wed, 11 Mar 2026 11:47:09 +0530 +Subject: cpuidle: powerpc: avoid double clear when breaking snooze + +From: Shrikanth Hegde + +commit 64ed1e3e728afb57ba9acb59e69de930ead847d9 upstream. + +snooze_loop is done often in any system which has fair bit of +idle time. So it qualifies for even micro-optimizations. + +When breaking the snooze due to timeout, TIF_POLLING_NRFLAG is cleared +twice. Clearing the bit invokes atomics. Avoid double clear and thereby +avoid one atomic write. + +dev->poll_time_limit indicates whether the loop was broken due to +timeout. Use that instead of defining a new variable. + +Fixes: 7ded429152e8 ("cpuidle: powerpc: no memory barrier after break from idle") +Cc: stable@vger.kernel.org +Reviewed-by: Mukesh Kumar Chaurasiya (IBM) +Signed-off-by: Shrikanth Hegde +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20260311061709.1230440-1-sshegde@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpuidle/cpuidle-powernv.c | 5 ++++- + drivers/cpuidle/cpuidle-pseries.c | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/cpuidle/cpuidle-powernv.c ++++ b/drivers/cpuidle/cpuidle-powernv.c +@@ -93,7 +93,10 @@ static int snooze_loop(struct cpuidle_de + + HMT_medium(); + ppc64_runlatch_on(); +- clear_thread_flag(TIF_POLLING_NRFLAG); ++ ++ /* Avoid double clear when breaking */ ++ if (!dev->poll_time_limit) ++ clear_thread_flag(TIF_POLLING_NRFLAG); + + local_irq_disable(); + +--- a/drivers/cpuidle/cpuidle-pseries.c ++++ b/drivers/cpuidle/cpuidle-pseries.c +@@ -61,7 +61,10 @@ static int snooze_loop(struct cpuidle_de + } + + HMT_medium(); +- clear_thread_flag(TIF_POLLING_NRFLAG); ++ ++ /* Avoid double clear when breaking */ ++ if (!dev->poll_time_limit) ++ clear_thread_flag(TIF_POLLING_NRFLAG); + + local_irq_disable(); + diff --git a/queue-5.15/extcon-ptn5150-handle-pending-irq-events-during-system-resume.patch b/queue-5.15/extcon-ptn5150-handle-pending-irq-events-during-system-resume.patch new file mode 100644 index 0000000000..1abd18c3f4 --- /dev/null +++ b/queue-5.15/extcon-ptn5150-handle-pending-irq-events-during-system-resume.patch @@ -0,0 +1,58 @@ +From 4652fefcda3c604c83d1ae28ede94544e2142f06 Mon Sep 17 00:00:00 2001 +From: Xu Yang +Date: Sat, 15 Nov 2025 10:59:05 +0800 +Subject: extcon: ptn5150: handle pending IRQ events during system resume + +From: Xu Yang + +commit 4652fefcda3c604c83d1ae28ede94544e2142f06 upstream. + +When the system is suspended and ptn5150 wakeup interrupt is disabled, +any changes on ptn5150 will only be record in interrupt status +registers and won't fire an IRQ since its trigger type is falling +edge. So the HW interrupt line will keep at low state and any further +changes won't trigger IRQ anymore. To fix it, this will schedule a +work to check whether any IRQ are pending and handle it accordingly. + +Fixes: 4ed754de2d66 ("extcon: Add support for ptn5150 extcon driver") +Cc: stable@vger.kernel.org +Reviewed-by: Krzysztof Kozlowski +Acked-by: MyungJoo Ham +Signed-off-by: Xu Yang +Signed-off-by: Chanwoo Choi +Link: https://lore.kernel.org/lkml/20251115025905.1395347-1-xu.yang_2@nxp.com/ +Signed-off-by: Greg Kroah-Hartman +--- + drivers/extcon/extcon-ptn5150.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/extcon/extcon-ptn5150.c ++++ b/drivers/extcon/extcon-ptn5150.c +@@ -306,6 +306,19 @@ static int ptn5150_i2c_probe(struct i2c_ + return 0; + } + ++static int ptn5150_resume(struct device *dev) ++{ ++ struct i2c_client *i2c = to_i2c_client(dev); ++ struct ptn5150_info *info = i2c_get_clientdata(i2c); ++ ++ /* Need to check possible pending interrupt events */ ++ schedule_work(&info->irq_work); ++ ++ return 0; ++} ++ ++static DEFINE_SIMPLE_DEV_PM_OPS(ptn5150_pm_ops, NULL, ptn5150_resume); ++ + static const struct of_device_id ptn5150_dt_match[] = { + { .compatible = "nxp,ptn5150" }, + { }, +@@ -321,6 +334,7 @@ MODULE_DEVICE_TABLE(i2c, ptn5150_i2c_id) + static struct i2c_driver ptn5150_i2c_driver = { + .driver = { + .name = "ptn5150", ++ .pm = pm_sleep_ptr(&ptn5150_pm_ops), + .of_match_table = ptn5150_dt_match, + }, + .probe_new = ptn5150_i2c_probe, diff --git a/queue-5.15/hv_sock-fix-arm64-support.patch b/queue-5.15/hv_sock-fix-arm64-support.patch new file mode 100644 index 0000000000..f9ee89690e --- /dev/null +++ b/queue-5.15/hv_sock-fix-arm64-support.patch @@ -0,0 +1,42 @@ +From b31681206e3f527970a7c7ed807fbf6a028fc25b Mon Sep 17 00:00:00 2001 +From: Hamza Mahfooz +Date: Tue, 28 Apr 2026 08:53:39 -0400 +Subject: hv_sock: fix ARM64 support + +From: Hamza Mahfooz + +commit b31681206e3f527970a7c7ed807fbf6a028fc25b upstream. + +VMBUS ring buffers must be page aligned. Therefore, the current value of +24K presents a challenge on ARM64 kernels (with 64K pages). So, use +VMBUS_RING_SIZE() to ensure they are always aligned and large enough to +hold all of the relevant data. + +Cc: stable@vger.kernel.org +Fixes: 77ffe33363c0 ("hv_sock: use HV_HYP_PAGE_SIZE for Hyper-V communication") +Tested-by: Dexuan Cui +Reviewed-by: Dexuan Cui +Signed-off-by: Hamza Mahfooz +Acked-by: Stefano Garzarella +Link: https://patch.msgid.link/20260428125339.13963-1-hamzamahfooz@linux.microsoft.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/vmw_vsock/hyperv_transport.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/vmw_vsock/hyperv_transport.c ++++ b/net/vmw_vsock/hyperv_transport.c +@@ -366,10 +366,10 @@ static void hvs_open_connection(struct v + } else { + sndbuf = max_t(int, sk->sk_sndbuf, RINGBUFFER_HVS_SND_SIZE); + sndbuf = min_t(int, sndbuf, RINGBUFFER_HVS_MAX_SIZE); +- sndbuf = ALIGN(sndbuf, HV_HYP_PAGE_SIZE); ++ sndbuf = VMBUS_RING_SIZE(sndbuf); + rcvbuf = max_t(int, sk->sk_rcvbuf, RINGBUFFER_HVS_RCV_SIZE); + rcvbuf = min_t(int, rcvbuf, RINGBUFFER_HVS_MAX_SIZE); +- rcvbuf = ALIGN(rcvbuf, HV_HYP_PAGE_SIZE); ++ rcvbuf = VMBUS_RING_SIZE(rcvbuf); + } + + ret = vmbus_open(chan, sndbuf, rcvbuf, NULL, 0, hvs_channel_cb, diff --git a/queue-5.15/hwmon-corsair-psu-close-hid-device-on-probe-errors.patch b/queue-5.15/hwmon-corsair-psu-close-hid-device-on-probe-errors.patch new file mode 100644 index 0000000000..0953f369c3 --- /dev/null +++ b/queue-5.15/hwmon-corsair-psu-close-hid-device-on-probe-errors.patch @@ -0,0 +1,45 @@ +From 174606451fbb17db506ebaacdd5e203e57773d5f Mon Sep 17 00:00:00 2001 +From: Myeonghun Pak +Date: Fri, 24 Apr 2026 22:50:51 +0900 +Subject: hwmon: (corsair-psu) Close HID device on probe errors + +From: Myeonghun Pak + +commit 174606451fbb17db506ebaacdd5e203e57773d5f upstream. + +corsairpsu_probe() opens the HID device before sending the device init +and firmware-info commands. If either command fails, the error path jumps +directly to fail_and_stop and skips hid_hw_close(). + +Use the existing fail_and_close label for those post-open failures so the +open count and low-level close callback are balanced before hid_hw_stop(). + +Fixes: d115b51e0e56 ("hwmon: add Corsair PSU HID controller driver") +Cc: stable@vger.kernel.org +Signed-off-by: Myeonghun Pak +Reviewed-by: Wilken Gottwalt +Link: https://lore.kernel.org/r/20260424135107.13720-1-mhun512@gmail.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/corsair-psu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hwmon/corsair-psu.c ++++ b/drivers/hwmon/corsair-psu.c +@@ -716,13 +716,13 @@ static int corsairpsu_probe(struct hid_d + ret = corsairpsu_init(priv); + if (ret < 0) { + dev_err(&hdev->dev, "unable to initialize device (%d)\n", ret); +- goto fail_and_stop; ++ goto fail_and_close; + } + + ret = corsairpsu_fwinfo(priv); + if (ret < 0) { + dev_err(&hdev->dev, "unable to query firmware (%d)\n", ret); +- goto fail_and_stop; ++ goto fail_and_close; + } + + corsairpsu_get_criticals(priv); diff --git a/queue-5.15/hwmon-ltc2992-clamp-threshold-writes-to-hardware-range.patch b/queue-5.15/hwmon-ltc2992-clamp-threshold-writes-to-hardware-range.patch new file mode 100644 index 0000000000..e85a5a10be --- /dev/null +++ b/queue-5.15/hwmon-ltc2992-clamp-threshold-writes-to-hardware-range.patch @@ -0,0 +1,115 @@ +From d6cc7c99bf1f73eda7d565d224d791d16239bb41 Mon Sep 17 00:00:00 2001 +From: Sanman Pradhan +Date: Thu, 16 Apr 2026 21:59:30 +0000 +Subject: hwmon: (ltc2992) Clamp threshold writes to hardware range + +From: Sanman Pradhan + +commit d6cc7c99bf1f73eda7d565d224d791d16239bb41 upstream. + +ltc2992_set_voltage(), ltc2992_set_current(), and ltc2992_set_power() +do not validate the user-supplied value before converting it to a +register value. This can result in: + +1. Negative input values wrapping to large positive register values. + For power, the negative long is implicitly cast to u64 in + mul_u64_u32_div(), producing an incorrect value. For voltage and + current, the negative converted value wraps when passed to + ltc2992_write_reg() as a u32. + +2. Intermediate arithmetic exceeding the range representable in u64 on + 64-bit platforms. In ltc2992_set_voltage(), (u64)val * 1000 can + exceed U64_MAX when val is a large positive long. In + ltc2992_set_current(), (u64)val * r_sense_uohm can overflow + similarly. In ltc2992_set_power(), the computed value may not fit + in u64. + +3. Register values exceeding the hardware field width. Voltage and + current threshold registers are 12-bit (stored left-justified in + 16 bits), and power threshold registers are 24-bit. Without + clamping, bits above the field width are truncated in + ltc2992_write_reg(). + +Fix by clamping negative values to zero, clamping positive values to +the rounded hardware-representable maximum (the value returned by the +read path for a full-scale register) to prevent intermediate overflow, +and clamping the converted register value to the hardware field width +before writing. The existing conversion formula and rounding behavior +are preserved. + +In the power write path, cancel the factor of 1000 from both the +numerator (r_sense_uohm * 1000) and the denominator +(VADC_UV_LSB * IADC_NANOV_LSB) to also eliminate a u32 overflow of +r_sense_uohm * 1000 when r_sense_uohm exceeds about 4.29 ohms. + +Fixes: b0bd407e94b03 ("hwmon: (ltc2992) Add support") +Cc: stable@vger.kernel.org +Signed-off-by: Sanman Pradhan +Link: https://lore.kernel.org/r/20260416215904.101969-2-sanman.pradhan@hpe.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/ltc2992.c | 35 ++++++++++++++++++++++++++++------- + 1 file changed, 28 insertions(+), 7 deletions(-) + +--- a/drivers/hwmon/ltc2992.c ++++ b/drivers/hwmon/ltc2992.c +@@ -422,10 +422,16 @@ static int ltc2992_get_voltage(struct lt + + static int ltc2992_set_voltage(struct ltc2992_state *st, u32 reg, u32 scale, long val) + { +- val = DIV_ROUND_CLOSEST(val * 1000, scale); +- val = val << 4; ++ u32 reg_val; ++ long vmax; ++ ++ vmax = DIV_ROUND_CLOSEST_ULL(0xFFFULL * scale, 1000); ++ val = max(val, 0L); ++ val = min(val, vmax); ++ reg_val = min(DIV_ROUND_CLOSEST_ULL((u64)val * 1000, scale), ++ 0xFFFULL) << 4; + +- return ltc2992_write_reg(st, reg, 2, val); ++ return ltc2992_write_reg(st, reg, 2, reg_val); + } + + static int ltc2992_read_gpio_alarm(struct ltc2992_state *st, int nr_gpio, u32 attr, long *val) +@@ -550,9 +556,15 @@ static int ltc2992_get_current(struct lt + static int ltc2992_set_current(struct ltc2992_state *st, u32 reg, u32 channel, long val) + { + u32 reg_val; ++ long cmax; + +- reg_val = DIV_ROUND_CLOSEST(val * st->r_sense_uohm[channel], LTC2992_IADC_NANOV_LSB); +- reg_val = reg_val << 4; ++ cmax = DIV_ROUND_CLOSEST_ULL(0xFFFULL * LTC2992_IADC_NANOV_LSB, ++ st->r_sense_uohm[channel]); ++ val = max(val, 0L); ++ val = min(val, cmax); ++ reg_val = min(DIV_ROUND_CLOSEST_ULL((u64)val * st->r_sense_uohm[channel], ++ LTC2992_IADC_NANOV_LSB), ++ 0xFFFULL) << 4; + + return ltc2992_write_reg(st, reg, 2, reg_val); + } +@@ -625,9 +637,18 @@ static int ltc2992_get_power(struct ltc2 + static int ltc2992_set_power(struct ltc2992_state *st, u32 reg, u32 channel, long val) + { + u32 reg_val; ++ u64 pmax, uval; + +- reg_val = mul_u64_u32_div(val, st->r_sense_uohm[channel] * 1000, +- LTC2992_VADC_UV_LSB * LTC2992_IADC_NANOV_LSB); ++ uval = max(val, 0L); ++ pmax = mul_u64_u32_div(0xFFFFFFULL, ++ LTC2992_VADC_UV_LSB / 1000 * ++ LTC2992_IADC_NANOV_LSB, ++ st->r_sense_uohm[channel]); ++ uval = min(uval, pmax); ++ reg_val = min(mul_u64_u32_div(uval, st->r_sense_uohm[channel], ++ LTC2992_VADC_UV_LSB / 1000 * ++ LTC2992_IADC_NANOV_LSB), ++ 0xFFFFFFULL); + + return ltc2992_write_reg(st, reg, 3, reg_val); + } diff --git a/queue-5.15/hwmon-ltc2992-fix-u32-overflow-in-power-read-path.patch b/queue-5.15/hwmon-ltc2992-fix-u32-overflow-in-power-read-path.patch new file mode 100644 index 0000000000..0fc77abd01 --- /dev/null +++ b/queue-5.15/hwmon-ltc2992-fix-u32-overflow-in-power-read-path.patch @@ -0,0 +1,49 @@ +From 2da0c1fd01dbd6b22844e8676585153dfc660cbe Mon Sep 17 00:00:00 2001 +From: Sanman Pradhan +Date: Thu, 16 Apr 2026 21:59:40 +0000 +Subject: hwmon: (ltc2992) Fix u32 overflow in power read path + +From: Sanman Pradhan + +commit 2da0c1fd01dbd6b22844e8676585153dfc660cbe upstream. + +ltc2992_get_power() computes the divisor for mul_u64_u32_div() as +r_sense_uohm * 1000. This multiplication overflows u32 when +r_sense_uohm exceeds about 4.29 ohms (4294967 micro-ohms), producing +a truncated divisor and an incorrect power reading. + +Cancel the factor of 1000 from both the numerator +(VADC_UV_LSB * IADC_NANOV_LSB = 312500000) and the divisor +(r_sense_uohm * 1000), giving (VADC_UV_LSB / 1000) * IADC_NANOV_LSB += 312500 as the numerator and plain r_sense_uohm as the divisor. +The cancellation is exact because LTC2992_VADC_UV_LSB (25000) is +divisible by 1000. + +This is the read-path counterpart of the write-path fix applied in +the preceding patch. + +Fixes: b0bd407e94b03 ("hwmon: (ltc2992) Add support") +Cc: stable@vger.kernel.org +Signed-off-by: Sanman Pradhan +Link: https://lore.kernel.org/r/20260416215904.101969-3-sanman.pradhan@hpe.com +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/ltc2992.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/hwmon/ltc2992.c ++++ b/drivers/hwmon/ltc2992.c +@@ -628,8 +628,10 @@ static int ltc2992_get_power(struct ltc2 + if (reg_val < 0) + return reg_val; + +- *val = mul_u64_u32_div(reg_val, LTC2992_VADC_UV_LSB * LTC2992_IADC_NANOV_LSB, +- st->r_sense_uohm[channel] * 1000); ++ *val = mul_u64_u32_div(reg_val, ++ LTC2992_VADC_UV_LSB / 1000 * ++ LTC2992_IADC_NANOV_LSB, ++ st->r_sense_uohm[channel]); + + return 0; + } diff --git a/queue-5.15/ibmveth-disable-gso-for-packets-with-small-mss.patch b/queue-5.15/ibmveth-disable-gso-for-packets-with-small-mss.patch new file mode 100644 index 0000000000..e9fe8065fa --- /dev/null +++ b/queue-5.15/ibmveth-disable-gso-for-packets-with-small-mss.patch @@ -0,0 +1,99 @@ +From cc427d24ac6442ffdeafd157a63c7c5b73ed4de4 Mon Sep 17 00:00:00 2001 +From: Mingming Cao +Date: Fri, 24 Apr 2026 09:29:17 -0700 +Subject: ibmveth: Disable GSO for packets with small MSS + +From: Mingming Cao + +commit cc427d24ac6442ffdeafd157a63c7c5b73ed4de4 upstream. + +Some physical adapters on Power systems do not support segmentation +offload when the MSS is less than 224 bytes. Attempting to send such +packets causes the adapter to freeze, stopping all traffic until +manually reset. + +Implement ndo_features_check to disable GSO for packets with small MSS +values. The network stack will perform software segmentation instead. + +The 224-byte minimum matches ibmvnic +commit ("ibmvnic: Enforce stronger sanity checks +on GSO packets") +which uses the same physical adapters in SEA configurations. + +The issue occurs specifically when the hardware attempts to perform +segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets +(gso_segs == 1) do not trigger the problematic LSO code path and are +transmitted normally without segmentation. + +Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. +Also call vlan_features_check() to ensure proper handling of VLAN packets, +particularly QinQ (802.1ad) configurations where the hardware parser may +not support certain offload features. + +Validated using iptables to force small MSS values. Without the fix, +the adapter freezes. With the fix, packets are segmented in software +and transmission succeeds. Comprehensive regression testing completedd +(MSS tests, performance, stability). + +Fixes: 8641dd85799f ("ibmveth: Add support for TSO") +Cc: stable@vger.kernel.org +Reviewed-by: Brian King +Tested-by: Shaik Abdulla +Tested-by: Naveed Ahmed +Signed-off-by: Mingming Cao +Link: https://patch.msgid.link/20260424162917.65725-1-mmc@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmveth.c | 22 ++++++++++++++++++++++ + drivers/net/ethernet/ibm/ibmveth.h | 1 + + 2 files changed, 23 insertions(+) + +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1624,6 +1624,27 @@ static int ibmveth_set_mac_addr(struct n + return 0; + } + ++static netdev_features_t ibmveth_features_check(struct sk_buff *skb, ++ struct net_device *dev, ++ netdev_features_t features) ++{ ++ /* Some physical adapters do not support segmentation offload with ++ * MSS < 224. Disable GSO for such packets to avoid adapter freeze. ++ * Note: Single-segment packets (gso_segs == 1) don't need this check ++ * as they bypass the LSO path and are transmitted without segmentation. ++ */ ++ if (skb_is_gso(skb)) { ++ if (skb_shinfo(skb)->gso_size < IBMVETH_MIN_LSO_MSS) { ++ netdev_warn_once(dev, ++ "MSS %u too small for LSO, disabling GSO\n", ++ skb_shinfo(skb)->gso_size); ++ features &= ~NETIF_F_GSO_MASK; ++ } ++ } ++ ++ return vlan_features_check(skb, features); ++} ++ + static const struct net_device_ops ibmveth_netdev_ops = { + .ndo_open = ibmveth_open, + .ndo_stop = ibmveth_close, +@@ -1635,6 +1656,7 @@ static const struct net_device_ops ibmve + .ndo_set_features = ibmveth_set_features, + .ndo_validate_addr = eth_validate_addr, + .ndo_set_mac_address = ibmveth_set_mac_addr, ++ .ndo_features_check = ibmveth_features_check, + #ifdef CONFIG_NET_POLL_CONTROLLER + .ndo_poll_controller = ibmveth_poll_controller, + #endif +--- a/drivers/net/ethernet/ibm/ibmveth.h ++++ b/drivers/net/ethernet/ibm/ibmveth.h +@@ -36,6 +36,7 @@ + #define IBMVETH_ILLAN_IPV4_TCP_CSUM 0x0000000000000002UL + #define IBMVETH_ILLAN_ACTIVE_TRUNK 0x0000000000000001UL + ++#define IBMVETH_MIN_LSO_MSS 224 /* Minimum MSS for LSO */ + /* hcall macros */ + #define h_register_logical_lan(ua, buflst, rxq, fltlst, mac) \ + plpar_hcall_norets(H_REGISTER_LOGICAL_LAN, ua, buflst, rxq, fltlst, mac) diff --git a/queue-5.15/ip6_gre-use-cached-t-net-in-ip6erspan_changelink.patch b/queue-5.15/ip6_gre-use-cached-t-net-in-ip6erspan_changelink.patch new file mode 100644 index 0000000000..89ebeb3533 --- /dev/null +++ b/queue-5.15/ip6_gre-use-cached-t-net-in-ip6erspan_changelink.patch @@ -0,0 +1,55 @@ +From 1d324c2f43f70c965f25c58cc3611c779adbe47e Mon Sep 17 00:00:00 2001 +From: Maoyi Xie +Date: Thu, 30 Apr 2026 18:33:18 +0800 +Subject: ip6_gre: Use cached t->net in ip6erspan_changelink(). + +From: Maoyi Xie + +commit 1d324c2f43f70c965f25c58cc3611c779adbe47e upstream. + +After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of +rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns +ip6gre hash via link_net. ip6erspan_changelink() was not converted in +that series and still uses dev_net(dev), which diverges from the +device's creation netns after IFLA_NET_NS_FD migration. + +This re-inserts the tunnel into the wrong per-netns hash. The +original netns keeps a stale entry. When that netns is later +destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a +slab-use-after-free reported by KASAN, followed by a kernel BUG at +net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify(). + +Reachable from an unprivileged user namespace (unshare --user +--map-root-user --net). + +ip6gre_changelink() earlier in the same file already uses the cached +t->net; only ip6erspan_changelink() has the wrong shape. + +Fixes: 2d665034f239 ("net: ip6_gre: Fix ip6erspan hlen calculation") +Cc: stable@vger.kernel.org # v5.15+ +Signed-off-by: Maoyi Xie +Reviewed-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://patch.msgid.link/20260430103318.3206018-1-maoyi.xie@ntu.edu.sg +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_gre.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -2301,10 +2301,11 @@ static int ip6erspan_changelink(struct n + struct nlattr *data[], + struct netlink_ext_ack *extack) + { +- struct ip6gre_net *ign = net_generic(dev_net(dev), ip6gre_net_id); ++ struct ip6_tnl *t = netdev_priv(dev); + struct __ip6_tnl_parm p; +- struct ip6_tnl *t; ++ struct ip6gre_net *ign; + ++ ign = net_generic(t->net, ip6gre_net_id); + t = ip6gre_changelink_common(dev, tb, data, &p, extack); + if (IS_ERR(t)) + return PTR_ERR(t); diff --git a/queue-5.15/net-rds-handle-zerocopy-send-cleanup-before-the-message-is-queued.patch b/queue-5.15/net-rds-handle-zerocopy-send-cleanup-before-the-message-is-queued.patch new file mode 100644 index 0000000000..31872be5f0 --- /dev/null +++ b/queue-5.15/net-rds-handle-zerocopy-send-cleanup-before-the-message-is-queued.patch @@ -0,0 +1,87 @@ +From 44b550d88b267320459d518c0743a241ab2108fa Mon Sep 17 00:00:00 2001 +From: Nan Li +Date: Fri, 1 May 2026 09:08:44 +0800 +Subject: net/rds: handle zerocopy send cleanup before the message is queued + +From: Nan Li + +commit 44b550d88b267320459d518c0743a241ab2108fa upstream. + +A zerocopy send can fail after user pages have been pinned but before +the message is attached to the sending socket. + +The purge path currently infers zerocopy state from rm->m_rs, so an +unqueued message can be cleaned up as if it owned normal payload pages. +However, zerocopy ownership is really determined by the presence of +op_mmp_znotifier, regardless of whether the message has reached the +socket queue. + +Capture op_mmp_znotifier up front in rds_message_purge() and use it as +the cleanup discriminator. If the message is already associated with a +socket, keep the existing completion path. Otherwise, drop the pinned +page accounting directly and release the notifier before putting the +payload pages. + +This keeps early send failure cleanup consistent with the zerocopy +lifetime rules without changing the normal queued completion path. + +Fixes: 0cebaccef3ac ("rds: zerocopy Tx support.") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Co-developed-by: Xiao Liu +Signed-off-by: Xiao Liu +Signed-off-by: Nan Li +Signed-off-by: Ren Wei +Reviewed-by: Allison Henderson +Link: https://patch.msgid.link/d2ea98a6313d5467bac00f7c9fef8c7acddb9258.1777550074.git.tonanli66@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/message.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/net/rds/message.c ++++ b/net/rds/message.c +@@ -129,24 +129,34 @@ static void rds_rm_zerocopy_callback(str + */ + static void rds_message_purge(struct rds_message *rm) + { ++ struct rds_znotifier *znotifier; + unsigned long i, flags; +- bool zcopy = false; ++ bool zcopy; + + if (unlikely(test_bit(RDS_MSG_PAGEVEC, &rm->m_flags))) + return; + + spin_lock_irqsave(&rm->m_rs_lock, flags); ++ znotifier = rm->data.op_mmp_znotifier; ++ rm->data.op_mmp_znotifier = NULL; ++ zcopy = !!znotifier; ++ + if (rm->m_rs) { + struct rds_sock *rs = rm->m_rs; + +- if (rm->data.op_mmp_znotifier) { +- zcopy = true; +- rds_rm_zerocopy_callback(rs, rm->data.op_mmp_znotifier); ++ if (znotifier) { ++ rds_rm_zerocopy_callback(rs, znotifier); + rds_wake_sk_sleep(rs); +- rm->data.op_mmp_znotifier = NULL; + } + sock_put(rds_rs_to_sk(rs)); + rm->m_rs = NULL; ++ } else if (znotifier) { ++ /* ++ * Zerocopy can fail before the message is queued on the ++ * socket, so there is no rs to carry the notification. ++ */ ++ mm_unaccount_pinned_pages(&znotifier->z_mmp); ++ kfree(rds_info_from_znotifier(znotifier)); + } + spin_unlock_irqrestore(&rm->m_rs_lock, flags); + diff --git a/queue-5.15/parisc-fix-irq-leak-in-lasi-driver.patch b/queue-5.15/parisc-fix-irq-leak-in-lasi-driver.patch new file mode 100644 index 0000000000..1721a8cf05 --- /dev/null +++ b/queue-5.15/parisc-fix-irq-leak-in-lasi-driver.patch @@ -0,0 +1,63 @@ +From 37b0dc5e279f35036fb638d1e187197b6c05a76d Mon Sep 17 00:00:00 2001 +From: Hongling Zeng +Date: Sun, 3 May 2026 12:17:44 +0800 +Subject: parisc: Fix IRQ leak in LASI driver + +From: Hongling Zeng + +commit 37b0dc5e279f35036fb638d1e187197b6c05a76d upstream. + +When request_irq() succeeds but gsc_common_setup() fails later, +the IRQ is never released. Fix this by adding proper error handling +with goto labels to ensure resources are released in LIFO order. + +Detected by Smatch: + drivers/parisc/lasi.c:216 lasi_init_chip() warn: 'lasi->gsc_irq.irq' +from request_irq() not released on lines: 207. + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/r/202604180957.4QdAIxP6-lkp@intel.com/ +Signed-off-by: Hongling Zeng +Cc: stable@vger.kernel.org +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parisc/lasi.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/parisc/lasi.c ++++ b/drivers/parisc/lasi.c +@@ -196,8 +196,7 @@ static int __init lasi_init_chip(struct + + ret = request_irq(lasi->gsc_irq.irq, gsc_asic_intr, 0, "lasi", lasi); + if (ret < 0) { +- kfree(lasi); +- return ret; ++ goto err_free; + } + + /* enable IRQ's for devices below LASI */ +@@ -206,8 +205,7 @@ static int __init lasi_init_chip(struct + /* Done init'ing, register this driver */ + ret = gsc_common_setup(dev, lasi); + if (ret) { +- kfree(lasi); +- return ret; ++ goto err_irq; + } + + gsc_fixup_irqs(dev, lasi, lasi_choose_irq); +@@ -220,6 +218,12 @@ static int __init lasi_init_chip(struct + chassis_power_off = lasi_power_off; + + return ret; ++ ++err_irq: ++ free_irq(lasi->gsc_irq.irq, lasi); ++err_free: ++ kfree(lasi); ++ return ret; + } + + static struct parisc_device_id lasi_tbl[] __initdata = { diff --git a/queue-5.15/series b/queue-5.15/series index 7a351799ce..5b2d563bb0 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -315,3 +315,19 @@ bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_state_change_cb.patch spi-zynqmp-gqspi-fix-controller-deregistration.patch fanotify-fix-false-positive-on-permission-events.patch net-rtnetlink-zero-ifla_vf_broadcast-to-avoid-stack-infoleak-in-rtnl_fill_vfinfo.patch +sound-ua101-fix-division-by-zero-at-probe.patch +ip6_gre-use-cached-t-net-in-ip6erspan_changelink.patch +net-rds-handle-zerocopy-send-cleanup-before-the-message-is-queued.patch +parisc-fix-irq-leak-in-lasi-driver.patch +hwmon-ltc2992-clamp-threshold-writes-to-hardware-range.patch +hwmon-ltc2992-fix-u32-overflow-in-power-read-path.patch +hwmon-corsair-psu-close-hid-device-on-probe-errors.patch +af_unix-reject-siocatmark-on-non-stream-sockets.patch +extcon-ptn5150-handle-pending-irq-events-during-system-resume.patch +hv_sock-fix-arm64-support.patch +ibmveth-disable-gso-for-packets-with-small-mss.patch +udf-reject-descriptors-with-oversized-crc-length.patch +thermal-drivers-sprd-fix-temperature-clamping-in-sprd_thm_temp_to_rawdata.patch +thermal-drivers-sprd-fix-raw-temperature-clamping-in-sprd_thm_rawdata_to_temp.patch +spi-topcliff-pch-fix-use-after-free-on-unbind.patch +cpuidle-powerpc-avoid-double-clear-when-breaking-snooze.patch diff --git a/queue-5.15/sound-ua101-fix-division-by-zero-at-probe.patch b/queue-5.15/sound-ua101-fix-division-by-zero-at-probe.patch new file mode 100644 index 0000000000..9c247f100f --- /dev/null +++ b/queue-5.15/sound-ua101-fix-division-by-zero-at-probe.patch @@ -0,0 +1,45 @@ +From d1f73f169c1014463b5060e3f60813e13ddc7b87 Mon Sep 17 00:00:00 2001 +From: SeungJu Cheon +Date: Sun, 26 Apr 2026 20:12:39 +0900 +Subject: sound: ua101: fix division by zero at probe + +From: SeungJu Cheon + +commit d1f73f169c1014463b5060e3f60813e13ddc7b87 upstream. + +Add a missing sanity check for bNrChannels in detect_usb_format() +to prevent a division by zero in playback_urb_complete() and +capture_urb_complete(). + +USB core does not validate class-specific descriptor fields such +as bNrChannels, so drivers must verify them before use. If a +device provides bNrChannels = 0, frame_bytes becomes zero and is +later used as a divisor in the URB completion handlers, leading +to a kernel crash. + +Fixes: 63978ab3e3e9 ("sound: add Edirol UA-101 support") +Cc: stable@vger.kernel.org +Signed-off-by: SeungJu Cheon +Link: https://patch.msgid.link/20260426111239.103296-1-suunj1331@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/misc/ua101.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/usb/misc/ua101.c ++++ b/sound/usb/misc/ua101.c +@@ -994,6 +994,13 @@ static int detect_usb_format(struct ua10 + + ua->capture.channels = fmt_capture->bNrChannels; + ua->playback.channels = fmt_playback->bNrChannels; ++ if (!ua->capture.channels || !ua->playback.channels) { ++ dev_err(&ua->dev->dev, ++ "invalid channel count: capture %u, playback %u\n", ++ ua->capture.channels, ua->playback.channels); ++ return -EINVAL; ++ } ++ + ua->capture.frame_bytes = + fmt_capture->bSubframeSize * ua->capture.channels; + ua->playback.frame_bytes = diff --git a/queue-5.15/spi-topcliff-pch-fix-use-after-free-on-unbind.patch b/queue-5.15/spi-topcliff-pch-fix-use-after-free-on-unbind.patch new file mode 100644 index 0000000000..5417a200f0 --- /dev/null +++ b/queue-5.15/spi-topcliff-pch-fix-use-after-free-on-unbind.patch @@ -0,0 +1,45 @@ +From 9d72732fe70c11424bc90ed466c7ccfa58b42a9a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 14 Apr 2026 15:43:19 +0200 +Subject: spi: topcliff-pch: fix use-after-free on unbind + +From: Johan Hovold + +commit 9d72732fe70c11424bc90ed466c7ccfa58b42a9a upstream. + +Give the driver a chance to flush its queue before releasing the DMA +buffers on driver unbind + +Fixes: c37f3c2749b5 ("spi/topcliff_pch: DMA support") +Cc: stable@vger.kernel.org # 3.1 +Cc: Tomoya MORINAGA +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260414134319.978196-9-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-topcliff-pch.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/spi/spi-topcliff-pch.c ++++ b/drivers/spi/spi-topcliff-pch.c +@@ -1427,9 +1427,6 @@ static int pch_spi_pd_remove(struct plat + dev_dbg(&plat_dev->dev, "%s:[ch%d] irq=%d\n", + __func__, plat_dev->id, board_dat->pdev->irq); + +- if (use_dma) +- pch_free_dma_buf(board_dat, data); +- + /* check for any pending messages; no action is taken if the queue + * is still full; but at least we tried. Unload anyway */ + count = 500; +@@ -1453,6 +1450,9 @@ static int pch_spi_pd_remove(struct plat + free_irq(board_dat->pdev->irq, data); + } + ++ if (use_dma) ++ pch_free_dma_buf(board_dat, data); ++ + pci_iounmap(board_dat->pdev, data->io_remap_addr); + spi_unregister_master(data->master); + diff --git a/queue-5.15/thermal-drivers-sprd-fix-raw-temperature-clamping-in-sprd_thm_rawdata_to_temp.patch b/queue-5.15/thermal-drivers-sprd-fix-raw-temperature-clamping-in-sprd_thm_rawdata_to_temp.patch new file mode 100644 index 0000000000..84710b7a48 --- /dev/null +++ b/queue-5.15/thermal-drivers-sprd-fix-raw-temperature-clamping-in-sprd_thm_rawdata_to_temp.patch @@ -0,0 +1,38 @@ +From b3414148bbc1f9cd56217e58a558c6ac4fd1b4a6 Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Sat, 7 Mar 2026 11:24:21 +0100 +Subject: thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp + +From: Thorsten Blum + +commit b3414148bbc1f9cd56217e58a558c6ac4fd1b4a6 upstream. + +The raw temperature data was never clamped to SPRD_THM_RAW_DATA_LOW or +SPRD_THM_RAW_DATA_HIGH because the return value of clamp() was not used. +Fix this by assigning the clamped value to 'rawdata'. + +Casting SPRD_THM_RAW_DATA_LOW and SPRD_THM_RAW_DATA_HIGH to u32 is also +redundant and can be removed. + +Fixes: 554fdbaf19b1 ("thermal: sprd: Add Spreadtrum thermal driver support") +Signed-off-by: Thorsten Blum +Signed-off-by: Daniel Lezcano +Reviewed-by: Baolin Wang +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260307102422.306055-2-thorsten.blum@linux.dev +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/sprd_thermal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/thermal/sprd_thermal.c ++++ b/drivers/thermal/sprd_thermal.c +@@ -178,7 +178,7 @@ static int sprd_thm_sensor_calibration(s + static int sprd_thm_rawdata_to_temp(struct sprd_thermal_sensor *sen, + u32 rawdata) + { +- clamp(rawdata, (u32)SPRD_THM_RAW_DATA_LOW, (u32)SPRD_THM_RAW_DATA_HIGH); ++ rawdata = clamp(rawdata, SPRD_THM_RAW_DATA_LOW, SPRD_THM_RAW_DATA_HIGH); + + /* + * According to the thermal datasheet, the formula of converting diff --git a/queue-5.15/thermal-drivers-sprd-fix-temperature-clamping-in-sprd_thm_temp_to_rawdata.patch b/queue-5.15/thermal-drivers-sprd-fix-temperature-clamping-in-sprd_thm_temp_to_rawdata.patch new file mode 100644 index 0000000000..f6a868ccb3 --- /dev/null +++ b/queue-5.15/thermal-drivers-sprd-fix-temperature-clamping-in-sprd_thm_temp_to_rawdata.patch @@ -0,0 +1,38 @@ +From 83c0f9a5d679a6f8d84fc49b2f62ea434ccab4b6 Mon Sep 17 00:00:00 2001 +From: Thorsten Blum +Date: Sat, 7 Mar 2026 11:24:20 +0100 +Subject: thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata + +From: Thorsten Blum + +commit 83c0f9a5d679a6f8d84fc49b2f62ea434ccab4b6 upstream. + +The temperature was never clamped to SPRD_THM_TEMP_LOW or +SPRD_THM_TEMP_HIGH because the return value of clamp() was not used. Fix +this by assigning the clamped value to 'temp'. + +Casting SPRD_THM_TEMP_LOW and SPRD_THM_TEMP_HIGH to int is also +redundant and can be removed. + +Fixes: 554fdbaf19b1 ("thermal: sprd: Add Spreadtrum thermal driver support") +Signed-off-by: Thorsten Blum +Signed-off-by: Daniel Lezcano +Reviewed-by: Baolin Wang +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260307102422.306055-1-thorsten.blum@linux.dev +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/sprd_thermal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/thermal/sprd_thermal.c ++++ b/drivers/thermal/sprd_thermal.c +@@ -192,7 +192,7 @@ static int sprd_thm_temp_to_rawdata(int + { + u32 val; + +- clamp(temp, (int)SPRD_THM_TEMP_LOW, (int)SPRD_THM_TEMP_HIGH); ++ temp = clamp(temp, SPRD_THM_TEMP_LOW, SPRD_THM_TEMP_HIGH); + + /* + * According to the thermal datasheet, the formula of converting diff --git a/queue-5.15/udf-reject-descriptors-with-oversized-crc-length.patch b/queue-5.15/udf-reject-descriptors-with-oversized-crc-length.patch new file mode 100644 index 0000000000..fae5f68659 --- /dev/null +++ b/queue-5.15/udf-reject-descriptors-with-oversized-crc-length.patch @@ -0,0 +1,48 @@ +From 55d41b0a20128e86b9e960dd2e3f0a2d69a18df7 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Mon, 13 Apr 2026 17:12:40 -0400 +Subject: udf: reject descriptors with oversized CRC length + +From: Michael Bommarito + +commit 55d41b0a20128e86b9e960dd2e3f0a2d69a18df7 upstream. + +udf_read_tagged() skips CRC verification when descCRCLength + +sizeof(struct tag) exceeds the block size. A crafted UDF image can +set descCRCLength to an oversized value to bypass CRC validation +entirely; the descriptor is then accepted based solely on the 8-bit +tag checksum, which is trivially recomputable. + +Reject such descriptors instead of silently accepting them. A +legitimate single-block descriptor should never have a CRC length that +exceeds the block. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-6 +Assisted-by: Codex:gpt-5-4 +Signed-off-by: Michael Bommarito +Link: https://patch.msgid.link/20260413211240.853662-1-michael.bommarito@gmail.com +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/misc.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/udf/misc.c ++++ b/fs/udf/misc.c +@@ -250,8 +250,12 @@ struct buffer_head *udf_read_tagged(stru + } + + /* Verify the descriptor CRC */ +- if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize || +- le16_to_cpu(tag_p->descCRC) == crc_itu_t(0, ++ if (le16_to_cpu(tag_p->descCRCLength) + sizeof(struct tag) > sb->s_blocksize) { ++ udf_err(sb, "block %u: CRC length %u exceeds block size\n", ++ block, le16_to_cpu(tag_p->descCRCLength)); ++ goto error_out; ++ } ++ if (le16_to_cpu(tag_p->descCRC) == crc_itu_t(0, + bh->b_data + sizeof(struct tag), + le16_to_cpu(tag_p->descCRCLength))) + return bh;