From: Greg Kroah-Hartman Date: Thu, 25 Jun 2026 10:21:09 +0000 (+0100) Subject: 7.1-stable patches X-Git-Tag: v6.18.37~27 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a73563f40aaace2bd66b1df1d365e1550e512a9;p=thirdparty%2Fkernel%2Fstable-queue.git 7.1-stable patches added patches: agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch --- diff --git a/queue-7.1/agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch b/queue-7.1/agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch new file mode 100644 index 0000000000..acbd322172 --- /dev/null +++ b/queue-7.1/agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch 
@@ -0,0 +1,52 @@ +From b08472db93b1ccff84a7adec5779d47f0e9d3a30 Mon Sep 17 00:00:00 2001 +From: Mingyu Wang <25181214217@stu.xidian.edu.cn> +Date: Mon, 4 May 2026 15:48:23 +0800 +Subject: agp/amd64: Fix broken error propagation in agp_amd64_probe() + +From: Mingyu Wang <25181214217@stu.xidian.edu.cn> + +commit b08472db93b1ccff84a7adec5779d47f0e9d3a30 upstream. + +A NULL pointer dereference was observed in the AMD64 AGP driver when +running in a virtualized environment (e.g. qemu/kvm) without a physical +AMD northbridge. The crash occurs in amd64_fetch_size() when attempting +to dereference the pointer returned by node_to_amd_nb(0). + +The root cause of this crash is broken error propagation in +agp_amd64_probe(): When no AMD northbridges are found, cache_nbs() +correctly returns -ENODEV. However, the probe function erroneously +checks the return value against exactly -1, rather than < 0. + +As a result, the hardware absence error is masked, allowing the driver +to improperly proceed with initialization. It eventually calls +agp_add_bridge(), which invokes amd64_fetch_size(). Since the hardware +does not exist, node_to_amd_nb(0) returns NULL, leading to a General +Protection Fault (GPF) when accessing its ->misc member. + +Fix the issue by correcting the error check in agp_amd64_probe() to +abort properly when cache_nbs() returns any negative error code. This +prevents the driver from erroneously proceeding without hardware, thereby +avoiding the subsequent NULL pointer dereference at its source. 
+ +Fixes: a32073bffc65 ("[PATCH] x86_64: Clean and enhance up K8 northbridge access code") +Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn> +Signed-off-by: Lukas Wunner +Reviewed-by: Lukas Wunner +Cc: stable@vger.kernel.org # v2.6.18+ +Link: https://patch.msgid.link/20260504074823.99377-1-w15303746062@163.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/agp/amd64-agp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/agp/amd64-agp.c ++++ b/drivers/char/agp/amd64-agp.c +@@ -546,7 +546,7 @@ static int agp_amd64_probe(struct pci_de + /* Fill in the mode register */ + pci_read_config_dword(pdev, bridge->capndx+PCI_AGP_STATUS, &bridge->mode); + +- if (cache_nbs(pdev, cap_ptr) == -1) { ++ if (cache_nbs(pdev, cap_ptr) < 0) { + agp_put_bridge(bridge); + return -ENODEV; + } diff --git a/queue-7.1/series b/queue-7.1/series index 5ead36476c..51ef577c10 100644 --- a/queue-7.1/series +++ b/queue-7.1/series @@ -1,3 +1,4 @@ io_uring-net-avoid-msghdr-on-op_connect-op_bind-asyn.patch fuse-re-lock-request-before-replacing-page-cache-folio.patch revert-nfsd-defer-sub-object-cleanup-in-export-put-callbacks.patch +agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch
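Review bot: In the agp_amd64_probe() hunk, the corrected check `if (cache_nbs(pdev, cap_ptr) < 0)` still discards the value cache_nbs() returned and falls through to the hard-coded `return -ENODEV;`. That matches the -ENODEV case described in the commit message, but if cache_nbs() can fail with any other negative code, the probe will report the wrong cause. Consider keeping the result in a local and returning it after agp_put_bridge(bridge). Also note that the diffstat shows one line changed in amd64-agp.c, so amd64_fetch_size() still dereferences the result of node_to_amd_nb(0) without a NULL check and relies entirely on this probe-time test. A NULL guard there would be cheap defense in depth if another path ever reaches it.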
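Review bot: In the queue-7.1/series hunk, the new entry is added only to the 7.1 queue, while the patch carries `Cc: stable@vger.kernel.org # v2.6.18+` and a Fixes: tag pointing at a32073bffc65. This commit touches nothing outside queue-7.1/, so it is worth confirming that the other maintained stable queues pick up the same one-line fix, or recording why they do not (for example, a context conflict in the `@@ -546,7 +546,7 @@` hunk on older trees).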