7.1-stable patches

added patches:
	agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch

diff --git a/queue-7.1/agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch b/queue-7.1/agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch
new file mode 100644 (file)
index 0000000..acbd322
--- /dev/null
+++ b/queue-7.1/agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch
@@ -0,0 +1,52 @@
+From b08472db93b1ccff84a7adec5779d47f0e9d3a30 Mon Sep 17 00:00:00 2001
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+Date: Mon, 4 May 2026 15:48:23 +0800
+Subject: agp/amd64: Fix broken error propagation in agp_amd64_probe()
+
+From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+
+commit b08472db93b1ccff84a7adec5779d47f0e9d3a30 upstream.
+
+A NULL pointer dereference was observed in the AMD64 AGP driver when
+running in a virtualized environment (e.g. qemu/kvm) without a physical
+AMD northbridge. The crash occurs in amd64_fetch_size() when attempting
+to dereference the pointer returned by node_to_amd_nb(0).
+
+The root cause of this crash is broken error propagation in
+agp_amd64_probe(): When no AMD northbridges are found, cache_nbs()
+correctly returns -ENODEV. However, the probe function erroneously
+checks the return value against exactly -1, rather than < 0.
+
+As a result, the hardware absence error is masked, allowing the driver
+to improperly proceed with initialization. It eventually calls
+agp_add_bridge(), which invokes amd64_fetch_size(). Since the hardware
+does not exist, node_to_amd_nb(0) returns NULL, leading to a General
+Protection Fault (GPF) when accessing its ->misc member.
+
+Fix the issue by correcting the error check in agp_amd64_probe() to
+abort properly when cache_nbs() returns any negative error code. This
+prevents the driver from erroneously proceeding without hardware, thereby
+avoiding the subsequent NULL pointer dereference at its source.
+
+Fixes: a32073bffc65 ("[PATCH] x86_64: Clean and enhance up K8 northbridge access code")
+Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Reviewed-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org # v2.6.18+
+Link: https://patch.msgid.link/20260504074823.99377-1-w15303746062@163.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/agp/amd64-agp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/agp/amd64-agp.c
++++ b/drivers/char/agp/amd64-agp.c
+@@ -546,7 +546,7 @@ static int agp_amd64_probe(struct pci_de
+       /* Fill in the mode register */
+       pci_read_config_dword(pdev, bridge->capndx+PCI_AGP_STATUS, &bridge->mode);
+ 
+-      if (cache_nbs(pdev, cap_ptr) == -1) {
++      if (cache_nbs(pdev, cap_ptr) < 0) {
+               agp_put_bridge(bridge);
+               return -ENODEV;
+       }

diff --git a/queue-7.1/series b/queue-7.1/series
index 5ead36476c309b8e3ead5164864fd7ff7eb60f3d..51ef577c1004cff03cfc25a7847256b71071cdb0 100644 (file)
--- a/queue-7.1/series
+++ b/queue-7.1/series
@@ -1,3 +1,4 @@
 io_uring-net-avoid-msghdr-on-op_connect-op_bind-asyn.patch
 fuse-re-lock-request-before-replacing-page-cache-folio.patch
 revert-nfsd-defer-sub-object-cleanup-in-export-put-callbacks.patch
+agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch