From 52006bafc62e3aa23076da6f78eda4e542305d0c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 24 May 2025 18:01:26 +0200 Subject: [PATCH] 6.14-stable patches added patches: arm64-dts-marvell-udpu-define-pinctrl-state-for-alarm-leds.patch drm-edid-fixed-the-bug-that-hdr-metadata-was-not-reset.patch platform-x86-dell-wmi-sysman-avoid-buffer-overflow-in-current_password_store.patch smb-client-fix-use-after-free-in-cifs_fill_dirent.patch smb-client-reset-all-search-buffer-pointers-when-releasing-buffer.patch thermal-intel-x86_pkg_temp_thermal-fix-bogus-trip-temperature.patch --- ...-define-pinctrl-state-for-alarm-leds.patch | 76 ++++++++ ...-bug-that-hdr-metadata-was-not-reset.patch | 35 ++++ ...r-overflow-in-current_password_store.patch | 42 +++++ queue-6.14/series | 6 + ...x-use-after-free-in-cifs_fill_dirent.patch | 169 ++++++++++++++++++ ...uffer-pointers-when-releasing-buffer.patch | 41 +++++ ...p_thermal-fix-bogus-trip-temperature.patch | 39 ++++ 7 files changed, 408 insertions(+) create mode 100644 queue-6.14/arm64-dts-marvell-udpu-define-pinctrl-state-for-alarm-leds.patch create mode 100644 queue-6.14/drm-edid-fixed-the-bug-that-hdr-metadata-was-not-reset.patch create mode 100644 queue-6.14/platform-x86-dell-wmi-sysman-avoid-buffer-overflow-in-current_password_store.patch create mode 100644 queue-6.14/smb-client-fix-use-after-free-in-cifs_fill_dirent.patch create mode 100644 queue-6.14/smb-client-reset-all-search-buffer-pointers-when-releasing-buffer.patch create mode 100644 queue-6.14/thermal-intel-x86_pkg_temp_thermal-fix-bogus-trip-temperature.patch diff --git a/queue-6.14/arm64-dts-marvell-udpu-define-pinctrl-state-for-alarm-leds.patch b/queue-6.14/arm64-dts-marvell-udpu-define-pinctrl-state-for-alarm-leds.patch new file mode 100644 index 0000000000..8b73bebcd2 --- /dev/null +++ b/queue-6.14/arm64-dts-marvell-udpu-define-pinctrl-state-for-alarm-leds.patch @@ -0,0 +1,76 @@ +From b04f0d89e880bc2cca6a5c73cf287082c91878da Mon Sep 17 00:00:00 2001 +From: Gabor Juhos +Date: Fri, 9 May 2025 15:48:52 +0200 +Subject: arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs + +From: Gabor Juhos + +commit b04f0d89e880bc2cca6a5c73cf287082c91878da upstream. + +The two alarm LEDs of on the uDPU board are stopped working since +commit 78efa53e715e ("leds: Init leds class earlier"). + +The LEDs are driven by the GPIO{15,16} pins of the North Bridge +GPIO controller. These pins are part of the 'spi_quad' pin group +for which the 'spi' function is selected via the default pinctrl +state of the 'spi' node. This is wrong however, since in order to +allow controlling the LEDs, the pins should use the 'gpio' function. + +Before the commit mentined above, the 'spi' function is selected +first by the pinctrl core before probing the spi driver, but then +it gets overridden to 'gpio' implicitly via the +devm_gpiod_get_index_optional() call from the 'leds-gpio' driver. + +After the commit, the LED subsystem gets initialized before the +SPI subsystem, so the function of the pin group remains 'spi' +which in turn prevents controlling of the LEDs. + +Despite the change of the initialization order, the root cause is +that the pinctrl state definition is wrong since its initial commit +0d45062cfc89 ("arm64: dts: marvell: Add device tree for uDPU board"), + +To fix the problem, override the function in the 'spi_quad_pins' +node to 'gpio' and move the pinctrl state definition from the +'spi' node into the 'leds' node. + +Cc: stable@vger.kernel.org # needs adjustment for < 6.1 +Fixes: 0d45062cfc89 ("arm64: dts: marvell: Add device tree for uDPU board") +Signed-off-by: Gabor Juhos +Signed-off-by: Imre Kaloz +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi ++++ b/arch/arm64/boot/dts/marvell/armada-3720-uDPU.dtsi +@@ -26,6 +26,8 @@ + + leds { + compatible = "gpio-leds"; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&spi_quad_pins>; + + led-power1 { + label = "udpu:green:power"; +@@ -82,8 +84,6 @@ + + &spi0 { + status = "okay"; +- pinctrl-names = "default"; +- pinctrl-0 = <&spi_quad_pins>; + + flash@0 { + compatible = "jedec,spi-nor"; +@@ -108,6 +108,10 @@ + }; + }; + ++&spi_quad_pins { ++ function = "gpio"; ++}; ++ + &pinctrl_nb { + i2c2_recovery_pins: i2c2-recovery-pins { + groups = "i2c2"; diff --git a/queue-6.14/drm-edid-fixed-the-bug-that-hdr-metadata-was-not-reset.patch b/queue-6.14/drm-edid-fixed-the-bug-that-hdr-metadata-was-not-reset.patch new file mode 100644 index 0000000000..d6c97b229f --- /dev/null +++ b/queue-6.14/drm-edid-fixed-the-bug-that-hdr-metadata-was-not-reset.patch @@ -0,0 +1,35 @@ +From 6692dbc15e5ed40a3aa037aced65d7b8826c58cd Mon Sep 17 00:00:00 2001 +From: "feijuan.li" +Date: Wed, 14 May 2025 14:35:11 +0800 +Subject: drm/edid: fixed the bug that hdr metadata was not reset + +From: feijuan.li + +commit 6692dbc15e5ed40a3aa037aced65d7b8826c58cd upstream. + +When DP connected to a device with HDR capability, +the hdr structure was filled.Then connected to another +sink device without hdr capability, but the hdr info +still exist. + +Fixes: e85959d6cbe0 ("drm: Parse HDR metadata info from EDID") +Cc: # v5.3+ +Signed-off-by: "feijuan.li" +Reviewed-by: Jani Nikula +Link: https://lore.kernel.org/r/20250514063511.4151780-1-feijuan.li@samsung.com +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_edid.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -6596,6 +6596,7 @@ static void drm_reset_display_info(struc + info->has_hdmi_infoframe = false; + info->rgb_quant_range_selectable = false; + memset(&info->hdmi, 0, sizeof(info->hdmi)); ++ memset(&connector->hdr_sink_metadata, 0, sizeof(connector->hdr_sink_metadata)); + + info->edid_hdmi_rgb444_dc_modes = 0; + info->edid_hdmi_ycbcr444_dc_modes = 0; diff --git a/queue-6.14/platform-x86-dell-wmi-sysman-avoid-buffer-overflow-in-current_password_store.patch b/queue-6.14/platform-x86-dell-wmi-sysman-avoid-buffer-overflow-in-current_password_store.patch new file mode 100644 index 0000000000..e5ab806791 --- /dev/null +++ b/queue-6.14/platform-x86-dell-wmi-sysman-avoid-buffer-overflow-in-current_password_store.patch @@ -0,0 +1,42 @@ +From 4e89a4077490f52cde652d17e32519b666abf3a6 Mon Sep 17 00:00:00 2001 +From: Vladimir Moskovkin +Date: Wed, 14 May 2025 12:12:55 +0000 +Subject: platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vladimir Moskovkin + +commit 4e89a4077490f52cde652d17e32519b666abf3a6 upstream. + +If the 'buf' array received from the user contains an empty string, the +'length' variable will be zero. Accessing the 'buf' array element with +index 'length - 1' will result in a buffer overflow. + +Add a check for an empty string. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") +Cc: stable@vger.kernel.org +Signed-off-by: Vladimir Moskovkin +Link: https://lore.kernel.org/r/39973642a4f24295b4a8fad9109c5b08@kaspersky.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c ++++ b/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c +@@ -45,7 +45,7 @@ static ssize_t current_password_store(st + int length; + + length = strlen(buf); +- if (buf[length-1] == '\n') ++ if (length && buf[length - 1] == '\n') + length--; + + /* firmware does verifiation of min/max password length, diff --git a/queue-6.14/series b/queue-6.14/series index f23249b09c..789b5c573b 100644 --- a/queue-6.14/series +++ b/queue-6.14/series @@ -746,3 +746,9 @@ mmc-sdhci_am654-add-sdhci_quirk2_suppress_v1p8_ena-quirk-to-am62-compatible.patc mmc-sdhci-of-dwcmshc-add-pd-workaround-on-rk3576.patch pmdomain-renesas-rcar-remove-obsolete-nullify-checks.patch pmdomain-core-fix-error-checking-in-genpd_dev_pm_attach_by_id.patch +platform-x86-dell-wmi-sysman-avoid-buffer-overflow-in-current_password_store.patch +thermal-intel-x86_pkg_temp_thermal-fix-bogus-trip-temperature.patch +drm-edid-fixed-the-bug-that-hdr-metadata-was-not-reset.patch +smb-client-fix-use-after-free-in-cifs_fill_dirent.patch +arm64-dts-marvell-udpu-define-pinctrl-state-for-alarm-leds.patch +smb-client-reset-all-search-buffer-pointers-when-releasing-buffer.patch diff --git a/queue-6.14/smb-client-fix-use-after-free-in-cifs_fill_dirent.patch b/queue-6.14/smb-client-fix-use-after-free-in-cifs_fill_dirent.patch new file mode 100644 index 0000000000..5d18322ec5 --- /dev/null +++ b/queue-6.14/smb-client-fix-use-after-free-in-cifs_fill_dirent.patch @@ -0,0 +1,169 @@ +From a7a8fe56e932a36f43e031b398aef92341bf5ea0 Mon Sep 17 00:00:00 2001 +From: Wang Zhaolong +Date: Fri, 16 May 2025 17:12:55 +0800 +Subject: smb: client: Fix use-after-free in cifs_fill_dirent + +From: Wang Zhaolong + +commit a7a8fe56e932a36f43e031b398aef92341bf5ea0 upstream. + +There is a race condition in the readdir concurrency process, which may +access the rsp buffer after it has been released, triggering the +following KASAN warning. + + ================================================================== + BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs] + Read of size 4 at addr ffff8880099b819c by task a.out/342975 + + CPU: 2 UID: 0 PID: 342975 Comm: a.out Not tainted 6.15.0-rc6+ #240 PREEMPT(full) + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 + Call Trace: + + dump_stack_lvl+0x53/0x70 + print_report+0xce/0x640 + kasan_report+0xb8/0xf0 + cifs_fill_dirent+0xb03/0xb60 [cifs] + cifs_readdir+0x12cb/0x3190 [cifs] + iterate_dir+0x1a1/0x520 + __x64_sys_getdents+0x134/0x220 + do_syscall_64+0x4b/0x110 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + RIP: 0033:0x7f996f64b9f9 + Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 + f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 + f0 ff ff 0d f7 c3 0c 00 f7 d8 64 89 8 + RSP: 002b:00007f996f53de78 EFLAGS: 00000207 ORIG_RAX: 000000000000004e + RAX: ffffffffffffffda RBX: 00007f996f53ecdc RCX: 00007f996f64b9f9 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 + RBP: 00007f996f53dea0 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000207 R12: ffffffffffffff88 + R13: 0000000000000000 R14: 00007ffc8cd9a500 R15: 00007f996f51e000 + + + Allocated by task 408: + kasan_save_stack+0x20/0x40 + kasan_save_track+0x14/0x30 + __kasan_slab_alloc+0x6e/0x70 + kmem_cache_alloc_noprof+0x117/0x3d0 + mempool_alloc_noprof+0xf2/0x2c0 + cifs_buf_get+0x36/0x80 [cifs] + allocate_buffers+0x1d2/0x330 [cifs] + cifs_demultiplex_thread+0x22b/0x2690 [cifs] + kthread+0x394/0x720 + ret_from_fork+0x34/0x70 + ret_from_fork_asm+0x1a/0x30 + + Freed by task 342979: + kasan_save_stack+0x20/0x40 + kasan_save_track+0x14/0x30 + kasan_save_free_info+0x3b/0x60 + __kasan_slab_free+0x37/0x50 + kmem_cache_free+0x2b8/0x500 + cifs_buf_release+0x3c/0x70 [cifs] + cifs_readdir+0x1c97/0x3190 [cifs] + iterate_dir+0x1a1/0x520 + __x64_sys_getdents64+0x134/0x220 + do_syscall_64+0x4b/0x110 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + + The buggy address belongs to the object at ffff8880099b8000 + which belongs to the cache cifs_request of size 16588 + The buggy address is located 412 bytes inside of + freed 16588-byte region [ffff8880099b8000, ffff8880099bc0cc) + + The buggy address belongs to the physical page: + page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x99b8 + head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 + anon flags: 0x80000000000040(head|node=0|zone=1) + page_type: f5(slab) + raw: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 + raw: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 + head: 0080000000000040 ffff888001e03400 0000000000000000 dead000000000001 + head: 0000000000000000 0000000000010001 00000000f5000000 0000000000000000 + head: 0080000000000003 ffffea0000266e01 00000000ffffffff 00000000ffffffff + head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff8880099b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880099b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + >ffff8880099b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8880099b8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880099b8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ================================================================== + +POC is available in the link [1]. + +The problem triggering process is as follows: + +Process 1 Process 2 +----------------------------------------------------------------- +cifs_readdir + /* file->private_data == NULL */ + initiate_cifs_search + cifsFile = kzalloc(sizeof(struct cifsFileInfo), GFP_KERNEL); + smb2_query_dir_first ->query_dir_first() + SMB2_query_directory + SMB2_query_directory_init + cifs_send_recv + smb2_parse_query_directory + srch_inf->ntwrk_buf_start = (char *)rsp; + srch_inf->srch_entries_start = (char *)rsp + ... + srch_inf->last_entry = (char *)rsp + ... + srch_inf->smallBuf = true; + find_cifs_entry + /* if (cfile->srch_inf.ntwrk_buf_start) */ + cifs_small_buf_release(cfile->srch_inf // free + + cifs_readdir ->iterate_shared() + /* file->private_data != NULL */ + find_cifs_entry + /* in while (...) loop */ + smb2_query_dir_next ->query_dir_next() + SMB2_query_directory + SMB2_query_directory_init + cifs_send_recv + compound_send_recv + smb_send_rqst + __smb_send_rqst + rc = -ERESTARTSYS; + /* if (fatal_signal_pending()) */ + goto out; + return rc + /* if (cfile->srch_inf.last_entry) */ + cifs_save_resume_key() + cifs_fill_dirent // UAF + /* if (rc) */ + return -ENOENT; + +Fix this by ensuring the return code is checked before using pointers +from the srch_inf. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=220131 [1] +Fixes: a364bc0b37f1 ("[CIFS] fix saving of resume key before CIFSFindNext") +Cc: stable@vger.kernel.org +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Wang Zhaolong +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/readdir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/smb/client/readdir.c ++++ b/fs/smb/client/readdir.c +@@ -756,11 +756,11 @@ find_cifs_entry(const unsigned int xid, + rc = server->ops->query_dir_next(xid, tcon, &cfile->fid, + search_flags, + &cfile->srch_inf); ++ if (rc) ++ return -ENOENT; + /* FindFirst/Next set last_entry to NULL on malformed reply */ + if (cfile->srch_inf.last_entry) + cifs_save_resume_key(cfile->srch_inf.last_entry, cfile); +- if (rc) +- return -ENOENT; + } + if (index_to_find < cfile->srch_inf.index_of_last_entry) { + /* we found the buffer that contains the entry */ diff --git a/queue-6.14/smb-client-reset-all-search-buffer-pointers-when-releasing-buffer.patch b/queue-6.14/smb-client-reset-all-search-buffer-pointers-when-releasing-buffer.patch new file mode 100644 index 0000000000..636f462d00 --- /dev/null +++ b/queue-6.14/smb-client-reset-all-search-buffer-pointers-when-releasing-buffer.patch @@ -0,0 +1,41 @@ +From e48f9d849bfdec276eebf782a84fd4dfbe1c14c0 Mon Sep 17 00:00:00 2001 +From: Wang Zhaolong +Date: Fri, 16 May 2025 17:12:56 +0800 +Subject: smb: client: Reset all search buffer pointers when releasing buffer + +From: Wang Zhaolong + +commit e48f9d849bfdec276eebf782a84fd4dfbe1c14c0 upstream. + +Multiple pointers in struct cifs_search_info (ntwrk_buf_start, +srch_entries_start, and last_entry) point to the same allocated buffer. +However, when freeing this buffer, only ntwrk_buf_start was set to NULL, +while the other pointers remained pointing to freed memory. + +This is defensive programming to prevent potential issues with stale +pointers. While the active UAF vulnerability is fixed by the previous +patch, this change ensures consistent pointer state and more robust error +handling. + +Signed-off-by: Wang Zhaolong +Cc: stable@vger.kernel.org +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/readdir.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/smb/client/readdir.c ++++ b/fs/smb/client/readdir.c +@@ -733,7 +733,10 @@ find_cifs_entry(const unsigned int xid, + else + cifs_buf_release(cfile->srch_inf. + ntwrk_buf_start); ++ /* Reset all pointers to the network buffer to prevent stale references */ + cfile->srch_inf.ntwrk_buf_start = NULL; ++ cfile->srch_inf.srch_entries_start = NULL; ++ cfile->srch_inf.last_entry = NULL; + } + rc = initiate_cifs_search(xid, file, full_path); + if (rc) { diff --git a/queue-6.14/thermal-intel-x86_pkg_temp_thermal-fix-bogus-trip-temperature.patch b/queue-6.14/thermal-intel-x86_pkg_temp_thermal-fix-bogus-trip-temperature.patch new file mode 100644 index 0000000000..84e252d1af --- /dev/null +++ b/queue-6.14/thermal-intel-x86_pkg_temp_thermal-fix-bogus-trip-temperature.patch @@ -0,0 +1,39 @@ +From cf948c8e274e8b406e846cdf6cc48fe47f98cf57 Mon Sep 17 00:00:00 2001 +From: Zhang Rui +Date: Mon, 19 May 2025 15:09:01 +0800 +Subject: thermal: intel: x86_pkg_temp_thermal: Fix bogus trip temperature + +From: Zhang Rui + +commit cf948c8e274e8b406e846cdf6cc48fe47f98cf57 upstream. + +The tj_max value obtained from the Intel TCC library are in Celsius, +whereas the thermal subsystem operates in milli-Celsius. + +This discrepancy leads to incorrect trip temperature calculations. + +Fix bogus trip temperature by converting tj_max to milli-Celsius Unit. + +Fixes: 8ef0ca4a177d ("Merge back other thermal control material for 6.3.") +Signed-off-by: Zhang Rui +Reported-by: zhang ning +Closes: https://lore.kernel.org/all/TY2PR01MB3786EF0FE24353026293F5ACCD97A@TY2PR01MB3786.jpnprd01.prod.outlook.com/ +Tested-by: zhang ning +Cc: 6.3+ # 6.3+ +Link: https://patch.msgid.link/20250519070901.1031233-1-rui.zhang@intel.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/intel/x86_pkg_temp_thermal.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/thermal/intel/x86_pkg_temp_thermal.c ++++ b/drivers/thermal/intel/x86_pkg_temp_thermal.c +@@ -329,6 +329,7 @@ static int pkg_temp_thermal_device_add(u + tj_max = intel_tcc_get_tjmax(cpu); + if (tj_max < 0) + return tj_max; ++ tj_max *= 1000; + + zonedev = kzalloc(sizeof(*zonedev), GFP_KERNEL); + if (!zonedev) -- 2.47.2