From: Greg Kroah-Hartman Date: Wed, 20 May 2026 15:01:09 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.6.141~47 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5faff8f07e609901339de184873142fe3a39090b;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: alsa-usb-audio-bound-midi-endpoint-descriptor-scans.patch ceph-fix-a-buffer-leak-in-__ceph_setxattr.patch drm-i915-dp-fix-vsc-dynamic-range-signaling-for-rgb-formats.patch drm-i915-skip-__i915_request_skip-for-already-signaled-requests.patch drm-panfrost-fix-wait_bo-ioctl-leaking-positive-return-from-dma_resv_wait_timeout.patch iommu-vt-d-disable-dmar-for-intel-q35-igfx.patch libceph-fix-potential-null-ptr-deref-in-decode_choose_args.patch libceph-fix-potential-out-of-bounds-access-in-crush_decode.patch libceph-fix-potential-out-of-bounds-access-in-osdmap_decode.patch libceph-handle-rbtree-insertion-error-in-decode_choose_args.patch powerpc-warp-fix-error-handling-in-pika_dtm_thread.patch smb-client-fix-possible-infinite-loop-and-oob-read-in-symlink_data.patch
---
diff --git a/queue-6.1/alsa-usb-audio-bound-midi-endpoint-descriptor-scans.patch b/queue-6.1/alsa-usb-audio-bound-midi-endpoint-descriptor-scans.patch
new file mode 100644
index 0000000000..ff386c9a1e
--- /dev/null
+++ b/queue-6.1/alsa-usb-audio-bound-midi-endpoint-descriptor-scans.patch
@@ -0,0 +1,58 @@
+From d6854daa67be623860f4e1873fd3d3c275aba4ed Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?=
+Date: Thu, 7 May 2026 00:40:51 -0300
+Subject: ALSA: usb-audio: Bound MIDI endpoint descriptor scans
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cássio Gabriel
+
+commit d6854daa67be623860f4e1873fd3d3c275aba4ed upstream.
+
+snd_usbmidi_get_ms_info() validates the internal MIDIStreaming endpoint
+descriptor size before using baAssocJackID[], but the descriptor walker can
+still return a class-specific endpoint descriptor whose bLength exceeds the
+remaining bytes in the endpoint-extra scan.
+
+That leaves later flexible-array reads bounded by bLength, but not by the
+remaining bytes in the endpoint-extra scan.
+
+Stop walking when bLength is zero or
+extends past the remaining endpoint-extra scan.
+
+Fixes: 5c6cd7021a05 ("ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Cássio Gabriel
+Link: https://patch.msgid.link/20260507-usb-midi-endpoint-scan-bounds-v1-1-329d7348160e@gmail.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/midi.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -1974,15 +1974,17 @@ static struct usb_ms_endpoint_descriptor
+ while (extralen > 3) {
+ struct usb_ms_endpoint_descriptor *ms_ep =
+ (struct usb_ms_endpoint_descriptor *)extra;
++ int length = ms_ep->bLength;
+
+- if (ms_ep->bLength > 3 &&
++ if (!length || length > extralen)
++ break;
++
++ if (length > 3 &&
+ ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT &&
+ ms_ep->bDescriptorSubtype == UAC_MS_GENERAL)
+ return ms_ep;
+- if (!extra[0])
+- break;
+- extralen -= extra[0];
+- extra += extra[0];
++ extralen -= length;
++ extra += length;
+ }
+ return NULL;
+ }
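Review bot: The new early `break` on a zero or oversized bLength carries no comment, and the reason the walker stops instead of skipping the descriptor is not obvious from the loop alone. A one-liner above `if (!length || length > extralen)`, such as `/* zero or oversized bLength is a malformed descriptor: stop rather than read past the extra[] scan */`, would record the contract for anyone later extending the walk. Because bLength is a byte-sized descriptor field and extralen is compared against 3 at the loop head, the `length > extralen` test also keeps bDescriptorSubtype at offset 2 in range, so the ordering of the checks is right. The enclosing function's signature and the start of the loop lie outside the hunk.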
diff --git a/queue-6.1/ceph-fix-a-buffer-leak-in-__ceph_setxattr.patch b/queue-6.1/ceph-fix-a-buffer-leak-in-__ceph_setxattr.patch
new file mode 100644
index 0000000000..108911dc35
--- /dev/null
+++ b/queue-6.1/ceph-fix-a-buffer-leak-in-__ceph_setxattr.patch
@@ -0,0 +1,34 @@
+From 5d3cc36b4e77a27ce7b686b7c59c7072bcb3fa8e Mon Sep 17 00:00:00 2001
+From: Viacheslav Dubeyko
+Date: Thu, 9 Apr 2026 12:26:02 -0700
+Subject: ceph: fix a buffer leak in __ceph_setxattr()
+
+From: Viacheslav Dubeyko
+
+commit 5d3cc36b4e77a27ce7b686b7c59c7072bcb3fa8e upstream.
+
+The old_blob in __ceph_setxattr() can store
+ci->i_xattrs.prealloc_blob value during the retry.
+However, it is never called the ceph_buffer_put()
+for the old_blob object. This patch fixes the issue of
+the buffer leak.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Viacheslav Dubeyko
+Reviewed-by: Alex Markuze
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ceph/xattr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -1246,6 +1246,7 @@ retry:
+
+ do_sync:
+ spin_unlock(&ci->i_ceph_lock);
++ ceph_buffer_put(old_blob);
+ do_sync_unlocked:
+ if (lock_snap_rwsem)
+ up_read(&mdsc->snap_rwsem);
diff --git a/queue-6.1/drm-i915-dp-fix-vsc-dynamic-range-signaling-for-rgb-formats.patch b/queue-6.1/drm-i915-dp-fix-vsc-dynamic-range-signaling-for-rgb-formats.patch
new file mode 100644
index 0000000000..fc09b4a0d7
--- /dev/null
+++ b/queue-6.1/drm-i915-dp-fix-vsc-dynamic-range-signaling-for-rgb-formats.patch
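Review bot: The new `ceph_buffer_put(old_blob)` under `do_sync:` is bypassed by every path that jumps straight to `do_sync_unlocked:`, so it is only complete if no such path can hold an old_blob reference; that is plausible if old_blob is only ever assigned under i_ceph_lock, but those assignments and the jumps are outside the hunk and worth confirming. It also depends on old_blob being initialised to NULL before the first `goto do_sync`, since the put now runs unconditionally on this path. A short comment at the call, `/* release the prealloc_blob swapped out during retry, if any */`, would record why the release lives here rather than at the function's exit.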
@@ -0,0 +1,55 @@
+From 1ae15b6c7965d137eef21f2cc7d367b29cb88369 Mon Sep 17 00:00:00 2001
+From: Chaitanya Kumar Borah
+Date: Tue, 5 May 2026 14:39:20 +0530
+Subject: drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
+
+From: Chaitanya Kumar Borah
+
+commit 1ae15b6c7965d137eef21f2cc7d367b29cb88369 upstream.
+
+For RGB, set dynamic_range to CTA or VESA based on
+crtc_state->limited_color_range so sinks apply correct
+quantization. YCbCr remains limited (CTA) range.
+(DP v1.4, Table 5-1)
+
+v2:
+- Added Reported-by and Tested-by tags
+
+v3:
+- Add back YCbCr comment(Suraj)
+
+Cc: stable@vger.kernel.org #v5.8+
+Reported-by: DeepChirp
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/15874
+Tested-by: DeepChirp
+Fixes: 9799c4c3b76e ("drm/i915/dp: Add compute routine for DP VSC SDP")
+Assisted-by: GitHub-Copilot:GPT-5.4
+Signed-off-by: Chaitanya Kumar Borah
+Reviewed-by: Suraj Kandpal
+Signed-off-by: Suraj Kandpal
+Link: https://patch.msgid.link/20260505090920.2479112-1-chaitanya.kumar.borah@intel.com
+(cherry picked from commit 38e10ddae6f8d42a2e8437fcd25a1cac51106c64)
+Signed-off-by: Tvrtko Ursulin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/display/intel_dp.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_dp.c
++++ b/drivers/gpu/drm/i915/display/intel_dp.c
+@@ -1810,8 +1810,13 @@ static void intel_dp_compute_vsc_colorim
+ drm_WARN_ON(&dev_priv->drm,
+ vsc->bpc == 6 && vsc->pixelformat != DP_PIXELFORMAT_RGB);
+
+- /* all YCbCr are always limited range */
+- vsc->dynamic_range = DP_DYNAMIC_RANGE_CTA;
++ /* All YCbCr formats are always limited range. */
++ if (vsc->pixelformat == DP_PIXELFORMAT_RGB)
++ vsc->dynamic_range = crtc_state->limited_color_range ?
++ DP_DYNAMIC_RANGE_CTA : DP_DYNAMIC_RANGE_VESA;
++ else
++ vsc->dynamic_range = DP_DYNAMIC_RANGE_CTA;
++
+ vsc->content_type = DP_CONTENT_TYPE_NOT_DEFINED;
+ }
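Review bot: The retained comment `/* All YCbCr formats are always limited range. */` now sits directly above an RGB-specific `if`, so it describes the else arm rather than the line it precedes. Rewording it to cover both arms, e.g. `/* RGB follows the CRTC's limited/full range selection (DP 1.4 Table 5-1); all YCbCr formats are always limited range. */`, keeps the note accurate next to the new conditional. The enclosing function starts outside the hunk.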
diff --git a/queue-6.1/drm-i915-skip-__i915_request_skip-for-already-signaled-requests.patch b/queue-6.1/drm-i915-skip-__i915_request_skip-for-already-signaled-requests.patch
new file mode 100644
index 0000000000..1a5d29d0e1
--- /dev/null
+++ b/queue-6.1/drm-i915-skip-__i915_request_skip-for-already-signaled-requests.patch
@@ -0,0 +1,61 @@
+From 4cfe4c0efbdcde742a47813180cc69b132d7598e Mon Sep 17 00:00:00 2001
+From: Sebastian Brzezinka
+Date: Thu, 16 Apr 2026 13:31:18 +0200
+Subject: drm/i915: skip __i915_request_skip() for already signaled requests
+
+From: Sebastian Brzezinka
+
+commit 4cfe4c0efbdcde742a47813180cc69b132d7598e upstream.
+
+After a GPU reset the HWSP is zeroed, so previously completed
+requests appear incomplete. If such a request is picked up during
+reset_rewind() and marked guilty, i915_request_set_error_once()
+returns early (fence already signaled), leaving fence.error without
+a fatal error code. The subsequent __i915_request_skip() then hits:
+```
+GEM_BUG_ON(!fatal_error(rq->fence.error))
+```
+
+Fixes a kernel BUG observed on Sandy Bridge (Gen6) during
+heartbeat-triggered engine resets.
+```
+kernel BUG at drivers/gpu/drm/i915/i915_request.c:556!
+RIP: __i915_request_skip+0x15e/0x1d0 [i915]
+...
+__i915_request_reset+0x212/0xa70 [i915]
+reset_rewind+0xe4/0x280 [i915]
+intel_gt_reset+0x30d/0x5b0 [i915]
+heartbeat+0x516/0x530 [i915]
+```
+
+Guard __i915_request_skip() with i915_request_signaled(), if the
+fence is already signaled, the ring content is committed and there
+is nothing left to skip.
+
+Fixes: 36e191f0644b ("drm/i915: Apply i915_request_skip() on submission")
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/work_items/13729
+Signed-off-by: Sebastian Brzezinka
+Cc: stable@vger.kernel.org # v5.7+
+Reviewed-by: Krzysztof Karas
+Reviewed-by: Andi Shyti
+Signed-off-by: Andi Shyti
+Link: https://lore.kernel.org/r/fe76921d35b6ae85aa651822726d0d9815aa5362.1776339012.git.sebastian.brzezinka@intel.com
+(cherry picked from commit 5ba54393dcd7adf75a9f39f5a933b1538349cad5)
+Signed-off-by: Tvrtko Ursulin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/i915/gt/intel_reset.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/gt/intel_reset.c
++++ b/drivers/gpu/drm/i915/gt/intel_reset.c
+@@ -144,7 +144,8 @@ void __i915_request_reset(struct i915_re
+ rcu_read_lock(); /* protect the GEM context */
+ if (guilty) {
+ i915_request_set_error_once(rq, -EIO);
+- __i915_request_skip(rq);
++ if (!i915_request_signaled(rq))
++ __i915_request_skip(rq);
+ banned = mark_guilty(rq);
+ } else {
+ i915_request_set_error_once(rq, -EAGAIN);
diff --git a/queue-6.1/drm-panfrost-fix-wait_bo-ioctl-leaking-positive-return-from-dma_resv_wait_timeout.patch b/queue-6.1/drm-panfrost-fix-wait_bo-ioctl-leaking-positive-return-from-dma_resv_wait_timeout.patch
new file mode 100644
index 0000000000..5ee0ba3ecb
--- /dev/null
+++ b/queue-6.1/drm-panfrost-fix-wait_bo-ioctl-leaking-positive-return-from-dma_resv_wait_timeout.patch
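Review bot: The new `if (!i915_request_signaled(rq))` guard has no comment, so the invariant it relies on (a signaled request's ring content is already committed and set_error_once() left fence.error non-fatal) lives only in the commit message. A comment above the guard such as `/* Already signaled: ring content is committed and fence.error was left untouched, so there is nothing to skip. */` keeps that reasoning next to the code. Whether a request can become signaled between this check and `__i915_request_skip()` cannot be judged from the hunk; if the reset path holds the engine quiescent here, a word to that effect in the same comment would help the next reader. The enclosing `__i915_request_reset()` continues outside the hunk.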
@@ -0,0 +1,43 @@
+From 459d75523b71c0ec254d153d8850d0b7008af396 Mon Sep 17 00:00:00 2001
+From: Gyeyoung Baek
+Date: Sun, 19 Apr 2026 16:17:16 +0900
+Subject: drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gyeyoung Baek
+
+commit 459d75523b71c0ec254d153d8850d0b7008af396 upstream.
+
+dma_resv_wait_timeout() returns a positive 'remaining jiffies' value
+on success, 0 on timeout, and -errno on failure.
+
+panfrost_ioctl_wait_bo() returns this 'long' result from an int-typed
+ioctl handler, so positive values reach userspace as bogus errors.
+Explicitly set ret to 0 on the success path.
+
+Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gyeyoung Baek
+Reviewed-by: Adrián Larumbe
+Reviewed-by: Boris Brezillon
+Reviewed-by: Steven Price
+Link: https://patch.msgid.link/fe33f82fded7be1c18e2e0eb2db451d5a738cf39.1776581974.git.gye976@gmail.com
+Signed-off-by: Steven Price
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/panfrost/panfrost_drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/panfrost/panfrost_drv.c
++++ b/drivers/gpu/drm/panfrost/panfrost_drv.c
+@@ -330,6 +330,8 @@ panfrost_ioctl_wait_bo(struct drm_device
+ true, timeout);
+ if (!ret)
+ ret = timeout ? -ETIMEDOUT : -EBUSY;
++ else if (ret > 0)
++ ret = 0;
+
+ drm_gem_object_put(gem_obj);
+
diff --git a/queue-6.1/iommu-vt-d-disable-dmar-for-intel-q35-igfx.patch b/queue-6.1/iommu-vt-d-disable-dmar-for-intel-q35-igfx.patch
new file mode 100644
index 0000000000..25890a5f8f
--- /dev/null
+++ b/queue-6.1/iommu-vt-d-disable-dmar-for-intel-q35-igfx.patch
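Review bot: The new `else if (ret > 0) ret = 0;` has no comment saying that a positive value is dma_resv_wait_timeout()'s remaining-jiffies count, which a reader of the ioctl alone will not know. A trailing `/* >0 is the remaining timeout on success, not an error */` on the `else if` line keeps that next to the clamp. The comparison also assumes `ret` is declared `long` (outside the hunk); if it were `int`, a large remaining-jiffies value would already be truncated before reaching this test, so the declaration is worth confirming. The enclosing panfrost_ioctl_wait_bo() starts and ends outside the hunk.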
@@ -0,0 +1,47 @@
+From 2cda2e10dc8343ae01eae9e999a876b7e7d37861 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Naval=20Alcal=C3=A1?=
+Date: Sat, 9 May 2026 10:43:44 +0800
+Subject: iommu/vt-d: Disable DMAR for Intel Q35 IGFX
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Naval Alcalá
+
+commit 2cda2e10dc8343ae01eae9e999a876b7e7d37861 upstream.
+
+Intel Q35 integrated graphics (8086:29b2) exhibits broken DMAR
+behaviour similar to other G4x/GM45 devices for which DMAR is
+already disabled via quirks.
+
+When DMAR is enabled, the system may hard lock up during boot or
+early device initialization, requiring a reset.
+
+Add the missing PCI ID to the existing quirk list to disable
+DMAR for this device.
+
+Fixes: 1f76249cc3be ("iommu/vt-d: Declare Broadwell igfx dmar support snafu")
+Cc: stable@vger.kernel.org
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=201185
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216064
+Signed-off-by: Naval Alcalá
+Link: https://lore.kernel.org/r/20260410161622.13549-1-ari@naval.cat
+Signed-off-by: Lu Baolu
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/intel/iommu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -4832,6 +4832,9 @@ static void quirk_iommu_igfx(struct pci_
+ dmar_map_gfx = 0;
+ }
+
++/* Q35 integrated gfx dmar support is totally busted. */
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x29b2, quirk_iommu_igfx);
++
+ /* G4x/GM45 integrated gfx dmar support is totally busted. */
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2a40, quirk_iommu_igfx);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e00, quirk_iommu_igfx);
diff --git a/queue-6.1/libceph-fix-potential-null-ptr-deref-in-decode_choose_args.patch b/queue-6.1/libceph-fix-potential-null-ptr-deref-in-decode_choose_args.patch
new file mode 100644
index 0000000000..7a64c772f7
--- /dev/null
+++ b/queue-6.1/libceph-fix-potential-null-ptr-deref-in-decode_choose_args.patch
@@ -0,0 +1,47 @@
+From 28b0a2ab8c82d0bbdeb8013029c67c978ce6e4bf Mon Sep 17 00:00:00 2001
+From: Raphael Zimmer
+Date: Tue, 12 May 2026 18:16:40 +0200
+Subject: libceph: Fix potential null-ptr-deref in decode_choose_args()
+
+From: Raphael Zimmer
+
+commit 28b0a2ab8c82d0bbdeb8013029c67c978ce6e4bf upstream.
+
+A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
+contains a CRUSH map. When decoding this CRUSH map in crush_decode(), an
+array of max_buckets CRUSH buckets is decoded, where some indices may
+not refer to actual buckets and are therefore set to NULL. The received
+CRUSH map may optionally contain choose_args that get decoded in
+decode_choose_args(). When decoding a crush_choose_arg_map, a series of
+choose_args for different buckets is decoded, with the bucket_index
+being read from the incoming message. It is only checked that the bucket
+index does not exceed max_buckets, but not that it doesn't point to an
+index with a NULL bucket. If a (potentially corrupted) message contains
+a crush_choose_arg_map including such a bucket_index, a null pointer
+dereference may occur in the subsequent processing when attempting to
+access the bucket with the given index.
+
+This patch fixes the issue by extending the affected check. Now, it is
+only attempted to access the bucket if it is not NULL.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Raphael Zimmer
+Reviewed-by: Ilya Dryomov
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/osdmap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -390,7 +390,8 @@ static int decode_choose_args(void **p,
+ goto fail;
+
+ if (arg->ids_size &&
+- arg->ids_size != c->buckets[bucket_index]->size)
++ (!c->buckets[bucket_index] ||
++ arg->ids_size != c->buckets[bucket_index]->size))
+ goto e_inval;
+ }
+
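Review bot: `c->buckets[bucket_index]` is now evaluated twice inside one condition, once for the NULL test and once for `->size`, and the whole check remains gated on `arg->ids_size` being non-zero. Hoisting the bucket into a local before the `if`, `struct crush_bucket *b = c->buckets[bucket_index];` and then `if (arg->ids_size && (!b || arg->ids_size != b->size))`, reads more directly and makes the NULL case explicit. If a NULL bucket paired with ids_size == 0 is intentionally accepted here because later lookups reach choose_args only through existing buckets, a one-line comment saying so would stop the next reader from re-raising it; the enclosing decode_choose_args() starts outside the hunk.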
diff --git a/queue-6.1/libceph-fix-potential-out-of-bounds-access-in-crush_decode.patch b/queue-6.1/libceph-fix-potential-out-of-bounds-access-in-crush_decode.patch
new file mode 100644
index 0000000000..d332361d16
--- /dev/null
+++ b/queue-6.1/libceph-fix-potential-out-of-bounds-access-in-crush_decode.patch
@@ -0,0 +1,98 @@
+From 4c79fc2d598694bda845b46229c9d48b65042970 Mon Sep 17 00:00:00 2001
+From: Raphael Zimmer
+Date: Wed, 22 Apr 2026 10:47:13 +0200
+Subject: libceph: Fix potential out-of-bounds access in crush_decode()
+
+From: Raphael Zimmer
+
+commit 4c79fc2d598694bda845b46229c9d48b65042970 upstream.
+
+A message of type CEPH_MSG_OSD_MAP containing a crush map with at least
+one bucket has two fields holding the bucket algorithm. If the values
+in these two fields differ, an out-of-bounds access can occur. This is
+the case because the first algorithm field (alg) is used to allocate
+the correct amount of memory for a bucket of this type, while the second
+algorithm field inside the bucket (b->alg) is used in the subsequent
+processing.
+
+This patch fixes the issue by adding a check that compares alg and
+b->alg and aborts the processing in case they differ. Furthermore,
+b->alg is set to 0 in this case, because the destruction of the crush
+map also uses this field to determine the bucket type, which can again
+result in an out-of-bounds access when trying to free the memory pointed
+to by the fields of the bucket. To correctly free the memory allocated
+for the bucket in such a case, the corresponding call to kfree is moved
+from the algorithm-specific crush_destroy_bucket functions to the
+generic crush_destroy_bucket().
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Raphael Zimmer
+Reviewed-by: Ilya Dryomov
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/crush/crush.c | 6 +-----
+ net/ceph/osdmap.c | 4 ++++
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ceph/crush/crush.c
++++ b/net/ceph/crush/crush.c
+@@ -47,7 +47,6 @@ int crush_get_bucket_item_weight(const s
+ void crush_destroy_bucket_uniform(struct crush_bucket_uniform *b)
+ {
+ kfree(b->h.items);
+- kfree(b);
+ }
+
+ void crush_destroy_bucket_list(struct crush_bucket_list *b)
+@@ -55,14 +54,12 @@ void crush_destroy_bucket_list(struct cr
+ kfree(b->item_weights);
+ kfree(b->sum_weights);
+ kfree(b->h.items);
+- kfree(b);
+ }
+
+ void crush_destroy_bucket_tree(struct crush_bucket_tree *b)
+ {
+ kfree(b->h.items);
+ kfree(b->node_weights);
+- kfree(b);
+ }
+
+ void crush_destroy_bucket_straw(struct crush_bucket_straw *b)
+@@ -70,14 +67,12 @@ void crush_destroy_bucket_straw(struct c
+ kfree(b->straws);
+ kfree(b->item_weights);
+ kfree(b->h.items);
+- kfree(b);
+ }
+
+ void crush_destroy_bucket_straw2(struct crush_bucket_straw2 *b)
+ {
+ kfree(b->item_weights);
+ kfree(b->h.items);
+- kfree(b);
+ }
+
+ void crush_destroy_bucket(struct crush_bucket *b)
+@@ -99,6 +94,7 @@ void crush_destroy_bucket(struct crush_b
+ crush_destroy_bucket_straw2((struct crush_bucket_straw2 *)b);
+ break;
+ }
++ kfree(b);
+ }
+
+ /**
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -518,6 +518,10 @@ static struct crush_map *crush_decode(vo
+ b->id = ceph_decode_32(p);
+ b->type = ceph_decode_16(p);
+ b->alg = ceph_decode_8(p);
++ if (b->alg != alg) {
++ b->alg = 0;
++ goto bad;
++ }
+ b->hash = ceph_decode_8(p);
+ b->weight = ceph_decode_32(p);
+ b->size = ceph_decode_32(p);
diff --git a/queue-6.1/libceph-fix-potential-out-of-bounds-access-in-osdmap_decode.patch b/queue-6.1/libceph-fix-potential-out-of-bounds-access-in-osdmap_decode.patch
new file mode 100644
index 0000000000..ceb90d1ac8
--- /dev/null
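Review bot: Dropping `kfree(b)` from the non-static crush_destroy_bucket_uniform/list/tree/straw/straw2() helpers changes their ownership contract: any caller that invokes one of them directly instead of going through crush_destroy_bucket() now leaks the bucket. The hunks show only the crush.c definitions, so the header prototypes and every other call site should be checked and the header comment updated to say the caller frees `b`. In the osdmap.c hunk, the `b->alg = 0;` before `goto bad` looks like a stray store on its own and deserves a comment, e.g. `/* memory was sized for 'alg'; clear b->alg so crush_destroy_bucket() only frees b */`. The enclosing crush_decode() starts and ends outside the hunk.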
+++ b/queue-6.1/libceph-fix-potential-out-of-bounds-access-in-osdmap_decode.patch
@@ -0,0 +1,41 @@
+From 35d0ed82d03e5ee77ea4f31f20e29562a7721649 Mon Sep 17 00:00:00 2001
+From: Raphael Zimmer
+Date: Tue, 5 May 2026 11:08:12 +0200
+Subject: libceph: Fix potential out-of-bounds access in osdmap_decode()
+
+From: Raphael Zimmer
+
+commit 35d0ed82d03e5ee77ea4f31f20e29562a7721649 upstream.
+
+When decoding osd_state and osd_weight from an incoming osdmap in
+osdmap_decode(), both are decoded for each osd, i.e., map->max_osd
+times. The ceph_decode_need() check only accounts for
+sizeof(*map->osd_weight) once. This can potentially result in an
+out-of-bounds memory access if the incoming message is corrupted such
+that the max_osd value exceeds the actual content of the osdmap message.
+
+This patch fixes the issue by changing the corresponding part in the
+ceph_decode_need() check to account for
+map->max_osd*sizeof(*map->osd_weight).
+
+Cc: stable@vger.kernel.org
+Fixes: dcbc919a5dc8 ("libceph: switch osdmap decoding to use ceph_decode_entity_addr")
+Signed-off-by: Raphael Zimmer
+Reviewed-by: Ilya Dryomov
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/osdmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -1703,7 +1703,7 @@ static int osdmap_decode(void **p, void
+ ceph_decode_need(p, end, 3*sizeof(u32) +
+ map->max_osd*(struct_v >= 5 ? sizeof(u32) :
+ sizeof(u8)) +
+- sizeof(*map->osd_weight), e_inval);
++ map->max_osd*sizeof(*map->osd_weight), e_inval);
+ if (ceph_decode_32(p) != map->max_osd)
+ goto e_inval;
+
diff --git a/queue-6.1/libceph-handle-rbtree-insertion-error-in-decode_choose_args.patch b/queue-6.1/libceph-handle-rbtree-insertion-error-in-decode_choose_args.patch
new file mode 100644
index 0000000000..da149f5706
--- /dev/null
+++ b/queue-6.1/libceph-handle-rbtree-insertion-error-in-decode_choose_args.patch
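Review bot: The size expression now repeats `map->max_osd*` on two separate lines, which is the shape that hid the original miscount; factoring the per-osd bytes once, `map->max_osd * ((struct_v >= 5 ? sizeof(u32) : sizeof(u8)) + sizeof(*map->osd_weight))`, makes it visible that both arrays are sized per osd. The product is computed in whatever type max_osd has (declared outside the hunk), so on 32-bit targets a very large max_osd could wrap before ceph_decode_need() sees it; it is worth confirming that max_osd has already been bounded earlier in osdmap_decode(), which starts and ends outside the hunk.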
@@ -0,0 +1,48 @@
+From d289478cfc0bcf81c7914200d6abdcb78bd04ded Mon Sep 17 00:00:00 2001
+From: Raphael Zimmer
+Date: Tue, 12 May 2026 09:29:30 +0200
+Subject: libceph: handle rbtree insertion error in decode_choose_args()
+
+From: Raphael Zimmer
+
+commit d289478cfc0bcf81c7914200d6abdcb78bd04ded upstream.
+
+A message of type CEPH_MSG_OSD_MAP contains an OSD map that itself
+contains a CRUSH map. The received CRUSH map may optionally contain
+choose_args that get decoded in decode_choose_args(). In this function,
+num_choose_arg_maps is read from the message, and a corresponding number
+of crush_choose_arg_maps gets decoded afterwards. Each
+crush_choose_arg_map has a choose_args_index, which serves as the key
+when inserting it into the choose_args rbtree of the decoded crush_map.
+If a (potentially corrupted) message contains two crush_choose_arg_maps
+with the same index, the assertion in insert_choose_arg_map() triggers a
+kernel BUG when trying to insert the second crush_choose_arg_map.
+
+This patch fixes the issue by switching to the non-asserting rbtree
+insertion function and rejecting the message if the insertion fails.
+
+[ idryomov: changelog ]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Raphael Zimmer
+Reviewed-by: Ilya Dryomov
+Signed-off-by: Ilya Dryomov
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ceph/osdmap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ceph/osdmap.c
++++ b/net/ceph/osdmap.c
+@@ -395,7 +395,10 @@ static int decode_choose_args(void **p,
+ goto e_inval;
+ }
+
+- insert_choose_arg_map(&c->choose_args, arg_map);
++ if (!__insert_choose_arg_map(&c->choose_args, arg_map)) {
++ ret = -EEXIST;
++ goto fail;
++ }
+ }
+
+ return 0;
diff --git a/queue-6.1/powerpc-warp-fix-error-handling-in-pika_dtm_thread.patch b/queue-6.1/powerpc-warp-fix-error-handling-in-pika_dtm_thread.patch
new file mode 100644
index 0000000000..6ed1d28eaa
--- /dev/null
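Review bot: The new failure branch sets `ret = -EEXIST` and jumps to `fail`, which relies on the `fail:` label (outside the hunk) releasing the not-yet-inserted `arg_map`; if that label only returns, a duplicate index leaks the map, so it is worth confirming. The other malformed-map cases in this function use `goto e_inval`, so a duplicate choose_args_index could equally be reported as -EINVAL for consistency; if -EEXIST is deliberate, a one-line comment such as `/* duplicate choose_args_index: reject the map instead of BUGing in the asserting insert */` would record that choice. The enclosing decode_choose_args() starts outside the hunk.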
+++ b/queue-6.1/powerpc-warp-fix-error-handling-in-pika_dtm_thread.patch
@@ -0,0 +1,39 @@
+From 108d7f951271cbd36ca36efc5e5d106966f5180c Mon Sep 17 00:00:00 2001
+From: Ma Ke
+Date: Sun, 16 Nov 2025 10:44:11 +0800
+Subject: powerpc/warp: Fix error handling in pika_dtm_thread
+
+From: Ma Ke
+
+commit 108d7f951271cbd36ca36efc5e5d106966f5180c upstream.
+
+pika_dtm_thread() acquires client through of_find_i2c_device_by_node()
+but fails to release it in error handling path. This could result in a
+reference count leak, preventing proper cleanup and potentially
+leading to resource exhaustion. Add put_device() to release the
+reference in the error handling path.
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: 3984114f0562 ("powerpc/warp: Platform fix for i2c change")
+Signed-off-by: Ma Ke
+Reviewed-by: Christophe Leroy
+Signed-off-by: Madhavan Srinivasan
+Link: https://patch.msgid.link/20251116024411.21968-1-make24@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/platforms/44x/warp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/powerpc/platforms/44x/warp.c
++++ b/arch/powerpc/platforms/44x/warp.c
+@@ -262,6 +262,8 @@ static int pika_dtm_thread(void __iomem
+ schedule_timeout(HZ);
+ }
+
++ put_device(&client->dev);
++
+ return 0;
+ }
+
diff --git a/queue-6.1/series b/queue-6.1/series
index 9acc0c7c9a..efea20eab8 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
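Review bot: The `put_device(&client->dev)` is added after the polling loop, i.e. on the thread's normal exit, whereas the commit message describes an error-handling path; the wording and the placement should agree so a later reader does not look for a release that is not there. If pika_dtm_thread() has any early `return` between `of_find_i2c_device_by_node()` and this loop (both outside the hunk), that path still leaks the reference and needs the same release. A comment on the new line, `/* drop the reference taken by of_find_i2c_device_by_node() */`, would make the pairing explicit.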
@@ -816,3 +816,15 @@ audit-enforce-audit_locked-for-audit_trim-and-audit_make_equiv.patch
 kvm-reject-wrapped-offset-in-kvm_reset_dirty_gfn.patch
 kvm-s390-pci-fix-gait-table-indexing-due-to-double-scaling-pointer-arithmetic.patch
 kvm-x86-fix-xen-hypercall-tracepoint-argument-assignment.patch
+smb-client-fix-possible-infinite-loop-and-oob-read-in-symlink_data.patch
+drm-i915-dp-fix-vsc-dynamic-range-signaling-for-rgb-formats.patch
+alsa-usb-audio-bound-midi-endpoint-descriptor-scans.patch
+ceph-fix-a-buffer-leak-in-__ceph_setxattr.patch
+powerpc-warp-fix-error-handling-in-pika_dtm_thread.patch
+libceph-fix-potential-out-of-bounds-access-in-osdmap_decode.patch
+libceph-fix-potential-null-ptr-deref-in-decode_choose_args.patch
+libceph-fix-potential-out-of-bounds-access-in-crush_decode.patch
+libceph-handle-rbtree-insertion-error-in-decode_choose_args.patch
+iommu-vt-d-disable-dmar-for-intel-q35-igfx.patch
+drm-i915-skip-__i915_request_skip-for-already-signaled-requests.patch
+drm-panfrost-fix-wait_bo-ioctl-leaking-positive-return-from-dma_resv_wait_timeout.patch
diff --git a/queue-6.1/smb-client-fix-possible-infinite-loop-and-oob-read-in-symlink_data.patch b/queue-6.1/smb-client-fix-possible-infinite-loop-and-oob-read-in-symlink_data.patch
new file mode 100644
index 0000000000..f62773e1bc
--- /dev/null
+++ b/queue-6.1/smb-client-fix-possible-infinite-loop-and-oob-read-in-symlink_data.patch
@@ -0,0 +1,44 @@
+From 7d9a7f1f96cd617ee9e75bb22217c709038e26b8 Mon Sep 17 00:00:00 2001
+From: Ye Bin
+Date: Thu, 14 May 2026 21:14:18 +0800
+Subject: smb/client: fix possible infinite loop and oob read in symlink_data()
+
+From: Ye Bin
+
+commit 7d9a7f1f96cd617ee9e75bb22217c709038e26b8 upstream.
+
+On 32-bit architectures, the infinite loop is as follows:
+
+ len = p->ErrorDataLength == 0xfffffff8
+ u8 *next = p->ErrorContextData + len
+ next == p
+
+On 32-bit architectures, the out-of-bounds read is as follows:
+
+ len = p->ErrorDataLength == 0xfffffff0
+ u8 *next = p->ErrorContextData + len
+ next == (u8 *)p - 8
+
+Reported-by: ChenXiaoSong
+Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ye Bin
+Reviewed-by: ChenXiaoSong
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/client/smb2file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/smb/client/smb2file.c
++++ b/fs/smb/client/smb2file.c
+@@ -48,6 +48,9 @@ static struct smb2_symlink_err_rsp *syml
+ __func__, le32_to_cpu(p->ErrorId));
+
+ len = ALIGN(le32_to_cpu(p->ErrorDataLength), 8);
++ if (len > end - ((u8 *)p + sizeof(*p)))
++ return ERR_PTR(-EINVAL);
++
+ p = (struct smb2_error_context_rsp *)(p->ErrorContextData + len);
+ }
+ } else if (le32_to_cpu(err->ByteCount) >= sizeof(*sym) &&
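Review bot: The bound is applied to `len` after `ALIGN(..., 8)`, so if the arithmetic is 32-bit an ErrorDataLength within 7 of U32_MAX wraps to 0 before the comparison and passes; `p` then lands just past the current header, which is only safe if the loop condition (outside the hunk) re-validates that a whole `struct smb2_error_context_rsp` fits before the next iteration reads it. Checking the raw value first, `if (le32_to_cpu(p->ErrorDataLength) > end - ((u8 *)p + sizeof(*p))) return ERR_PTR(-EINVAL);`, and aligning afterwards avoids the wrap altogether. The comparison also mixes `len` with a pointer difference; if `len` is an unsigned 32-bit type and the difference can ever be negative, the usual arithmetic conversions give different results on 32- and 64-bit targets, so the declarations of `len` and `end` (outside the hunk) are worth confirming. The enclosing symlink_data() starts and ends outside the hunk.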