From: Greg Kroah-Hartman Date: Mon, 29 Dec 2025 11:43:24 +0000 (+0100) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7fad732aeea57eb60de2c772592ba0c27f64aa88;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: block-rate-limit-capacity-change-info-log.patch efi-add-missing-static-initializer-for-efi_mm-cpus_allowed_lock.patch floppy-fix-for-page_size-4kb.patch fs-ntfs3-fix-mount-failure-for-sparse-runs-in-run_unpack.patch keys-trusted-fix-a-memory-leak-in-tpm2_load_cmd.patch ktest.pl-fix-uninitialized-var-in-config-bisect.pl.patch lib-crypto-x86-blake2s-fix-32-bit-arg-treated-as-64-bit.patch mmc-sdhci-msm-avoid-early-clock-doubling-during-hs400-transition.patch --- diff --git a/queue-5.15/block-rate-limit-capacity-change-info-log.patch b/queue-5.15/block-rate-limit-capacity-change-info-log.patch new file mode 100644 index 0000000000..b62d50410f --- /dev/null +++ b/queue-5.15/block-rate-limit-capacity-change-info-log.patch @@ -0,0 +1,39 @@ +From 3179a5f7f86bcc3acd5d6fb2a29f891ef5615852 Mon Sep 17 00:00:00 2001 +From: Li Chen +Date: Mon, 17 Nov 2025 13:34:07 +0800 +Subject: block: rate-limit capacity change info log + +From: Li Chen + +commit 3179a5f7f86bcc3acd5d6fb2a29f891ef5615852 upstream. + +loop devices under heavy stress-ng loop streessor can trigger many +capacity change events in a short time. Each event prints an info +message from set_capacity_and_notify(), flooding the console and +contributing to soft lockups on slow consoles. + +Switch the printk in set_capacity_and_notify() to +pr_info_ratelimited() so frequent capacity changes do not spam +the log while still reporting occasional changes. + +Cc: stable@vger.kernel.org +Signed-off-by: Li Chen +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Bart Van Assche +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/genhd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -83,7 +83,7 @@ bool set_capacity_and_notify(struct gend + (disk->flags & GENHD_FL_HIDDEN)) + return false; + +- pr_info("%s: detected capacity change from %lld to %lld\n", ++ pr_info_ratelimited("%s: detected capacity change from %lld to %lld\n", + disk->disk_name, capacity, size); + + /* diff --git a/queue-5.15/efi-add-missing-static-initializer-for-efi_mm-cpus_allowed_lock.patch b/queue-5.15/efi-add-missing-static-initializer-for-efi_mm-cpus_allowed_lock.patch new file mode 100644 index 0000000000..476b3bb1d8 --- /dev/null +++ b/queue-5.15/efi-add-missing-static-initializer-for-efi_mm-cpus_allowed_lock.patch @@ -0,0 +1,32 @@ +From 40374d308e4e456048d83991e937f13fc8bda8bf Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 15 Oct 2025 22:56:36 +0200 +Subject: efi: Add missing static initializer for efi_mm::cpus_allowed_lock + +From: Ard Biesheuvel + +commit 40374d308e4e456048d83991e937f13fc8bda8bf upstream. + +Initialize the cpus_allowed_lock struct member of efi_mm. + +Cc: stable@vger.kernel.org +Signed-off-by: Ard Biesheuvel +Acked-by: Catalin Marinas +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/efi.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -62,6 +62,9 @@ struct mm_struct efi_mm = { + .page_table_lock = __SPIN_LOCK_UNLOCKED(efi_mm.page_table_lock), + .mmlist = LIST_HEAD_INIT(efi_mm.mmlist), + .cpu_bitmap = { [BITS_TO_LONGS(NR_CPUS)] = 0}, ++#ifdef CONFIG_SCHED_MM_CID ++ .cpus_allowed_lock = __RAW_SPIN_LOCK_UNLOCKED(efi_mm.cpus_allowed_lock), ++#endif + }; + + struct workqueue_struct *efi_rts_wq; diff --git a/queue-5.15/floppy-fix-for-page_size-4kb.patch b/queue-5.15/floppy-fix-for-page_size-4kb.patch new file mode 100644 index 0000000000..865720477e --- /dev/null +++ b/queue-5.15/floppy-fix-for-page_size-4kb.patch @@ -0,0 +1,46 @@ +From 82d20481024cbae2ea87fe8b86d12961bfda7169 Mon Sep 17 00:00:00 2001 +From: Rene Rebe +Date: Fri, 14 Nov 2025 14:41:27 +0100 +Subject: floppy: fix for PAGE_SIZE != 4KB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rene Rebe + +commit 82d20481024cbae2ea87fe8b86d12961bfda7169 upstream. + +For years I wondered why the floppy driver does not just work on +sparc64, e.g: + +root@SUNW_375_0066:# disktype /dev/fd0 +disktype: Can't open /dev/fd0: No such device or address + +[ 525.341906] disktype: attempt to access beyond end of device +fd0: rw=0, sector=0, nr_sectors = 16 limit=8 +[ 525.341991] floppy: error 10 while reading block 0 + +Turns out floppy.c __floppy_read_block_0 tries to read one page for +the first test read to determine the disk size and thus fails if that +is greater than 4k. Adjust minimum MAX_DISK_SIZE to PAGE_SIZE to fix +floppy on sparc64 and likely all other PAGE_SIZE != 4KB configs. + +Cc: stable@vger.kernel.org +Signed-off-by: René Rebe +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/floppy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -331,7 +331,7 @@ static bool initialized; + * This default is used whenever the current disk size is unknown. + * [Now it is rather a minimum] + */ +-#define MAX_DISK_SIZE 4 /* 3984 */ ++#define MAX_DISK_SIZE (PAGE_SIZE / 1024) + + /* + * globals used by 'result()' diff --git a/queue-5.15/fs-ntfs3-fix-mount-failure-for-sparse-runs-in-run_unpack.patch b/queue-5.15/fs-ntfs3-fix-mount-failure-for-sparse-runs-in-run_unpack.patch new file mode 100644 index 0000000000..79c28e3e45 --- /dev/null +++ b/queue-5.15/fs-ntfs3-fix-mount-failure-for-sparse-runs-in-run_unpack.patch @@ -0,0 +1,41 @@ +From 801f614ba263cb37624982b27b4c82f3c3c597a9 Mon Sep 17 00:00:00 2001 +From: Konstantin Komarov +Date: Thu, 18 Sep 2025 13:35:24 +0300 +Subject: fs/ntfs3: fix mount failure for sparse runs in run_unpack() + +From: Konstantin Komarov + +commit 801f614ba263cb37624982b27b4c82f3c3c597a9 upstream. + +Some NTFS volumes failed to mount because sparse data runs were not +handled correctly during runlist unpacking. The code performed arithmetic +on the special SPARSE_LCN64 marker, leading to invalid LCN values and +mount errors. + +Add an explicit check for the case described above, marking the run as +sparse without applying arithmetic. + +Fixes: 736fc7bf5f68 ("fs: ntfs3: Fix integer overflow in run_unpack()") +Cc: stable@vger.kernel.org +Signed-off-by: Konstantin Komarov +Signed-off-by: Greg Kroah-Hartman +--- + fs/ntfs3/run.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/ntfs3/run.c ++++ b/fs/ntfs3/run.c +@@ -937,8 +937,12 @@ int run_unpack(struct runs_tree *run, st + if (!dlcn) + return -EINVAL; + +- if (check_add_overflow(prev_lcn, dlcn, &lcn)) ++ /* Check special combination: 0 + SPARSE_LCN64. */ ++ if (!prev_lcn && dlcn == SPARSE_LCN64) { ++ lcn = SPARSE_LCN64; ++ } else if (check_add_overflow(prev_lcn, dlcn, &lcn)) { + return -EINVAL; ++ } + prev_lcn = lcn; + } else + return -EINVAL; diff --git a/queue-5.15/keys-trusted-fix-a-memory-leak-in-tpm2_load_cmd.patch b/queue-5.15/keys-trusted-fix-a-memory-leak-in-tpm2_load_cmd.patch new file mode 100644 index 0000000000..d6114a1a2d --- /dev/null +++ b/queue-5.15/keys-trusted-fix-a-memory-leak-in-tpm2_load_cmd.patch @@ -0,0 +1,50 @@ +From 62cd5d480b9762ce70d720a81fa5b373052ae05f Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Sat, 18 Oct 2025 13:30:36 +0300 +Subject: KEYS: trusted: Fix a memory leak in tpm2_load_cmd + +From: Jarkko Sakkinen + +commit 62cd5d480b9762ce70d720a81fa5b373052ae05f upstream. + +'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode' +but it is not freed in the failure paths. Address this by wrapping the blob +into with a cleanup helper. + +Cc: stable@vger.kernel.org # v5.13+ +Fixes: f2219745250f ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs") +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/trusted-keys/trusted_tpm2.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/security/keys/trusted-keys/trusted_tpm2.c ++++ b/security/keys/trusted-keys/trusted_tpm2.c +@@ -375,6 +375,7 @@ static int tpm2_load_cmd(struct tpm_chip + struct trusted_key_options *options, + u32 *blob_handle) + { ++ u8 *blob_ref __free(kfree) = NULL; + struct tpm_buf buf; + unsigned int private_len; + unsigned int public_len; +@@ -388,6 +389,9 @@ static int tpm2_load_cmd(struct tpm_chip + /* old form */ + blob = payload->blob; + payload->old_format = 1; ++ } else { ++ /* Bind for cleanup: */ ++ blob_ref = blob; + } + + /* new format carries keyhandle but old format doesn't */ +@@ -446,8 +450,6 @@ static int tpm2_load_cmd(struct tpm_chip + (__be32 *) &buf.data[TPM_HEADER_SIZE]); + + out: +- if (blob != payload->blob) +- kfree(blob); + tpm_buf_destroy(&buf); + + if (rc > 0) diff --git a/queue-5.15/ktest.pl-fix-uninitialized-var-in-config-bisect.pl.patch b/queue-5.15/ktest.pl-fix-uninitialized-var-in-config-bisect.pl.patch new file mode 100644 index 0000000000..183bfa1414 --- /dev/null +++ b/queue-5.15/ktest.pl-fix-uninitialized-var-in-config-bisect.pl.patch @@ -0,0 +1,49 @@ +From d3042cbe84a060b4df764eb6c5300bbe20d125ca Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 3 Dec 2025 18:09:24 -0500 +Subject: ktest.pl: Fix uninitialized var in config-bisect.pl + +From: Steven Rostedt + +commit d3042cbe84a060b4df764eb6c5300bbe20d125ca upstream. + +The error path of copying the old config used the wrong variable in the +error message: + + $ mkdir /tmp/build + $ ./tools/testing/ktest/config-bisect.pl -b /tmp/build config-good /tmp/config-bad + $ chmod 0 /tmp/build + $ ./tools/testing/ktest/config-bisect.pl -b /tmp/build config-good /tmp/config-bad good + cp /tmp/build//.config config-good.tmp ... [0 seconds] FAILED! + Use of uninitialized value $config in concatenation (.) or string at ./tools/testing/ktest/config-bisect.pl line 744. + failed to copy to config-good.tmp + +When it should have shown: + + failed to copy /tmp/build//.config to config-good.tmp + +Cc: stable@vger.kernel.org +Cc: John 'Warthog9' Hawley +Fixes: 0f0db065999cf ("ktest: Add standalone config-bisect.pl program") +Link: https://patch.msgid.link/20251203180924.6862bd26@gandalf.local.home +Reported-by: "John W. Krahn" +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/ktest/config-bisect.pl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/testing/ktest/config-bisect.pl ++++ b/tools/testing/ktest/config-bisect.pl +@@ -741,9 +741,9 @@ if ($start) { + die "Can not find file $bad\n"; + } + if ($val eq "good") { +- run_command "cp $output_config $good" or die "failed to copy $config to $good\n"; ++ run_command "cp $output_config $good" or die "failed to copy $output_config to $good\n"; + } elsif ($val eq "bad") { +- run_command "cp $output_config $bad" or die "failed to copy $config to $bad\n"; ++ run_command "cp $output_config $bad" or die "failed to copy $output_config to $bad\n"; + } + } + diff --git a/queue-5.15/lib-crypto-x86-blake2s-fix-32-bit-arg-treated-as-64-bit.patch b/queue-5.15/lib-crypto-x86-blake2s-fix-32-bit-arg-treated-as-64-bit.patch new file mode 100644 index 0000000000..267d8a45aa --- /dev/null +++ b/queue-5.15/lib-crypto-x86-blake2s-fix-32-bit-arg-treated-as-64-bit.patch @@ -0,0 +1,57 @@ +From 2f22115709fc7ebcfa40af3367a508fbbd2f71e9 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sun, 2 Nov 2025 15:42:04 -0800 +Subject: lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit + +From: Eric Biggers + +commit 2f22115709fc7ebcfa40af3367a508fbbd2f71e9 upstream. + +In the C code, the 'inc' argument to the assembly functions +blake2s_compress_ssse3() and blake2s_compress_avx512() is declared with +type u32, matching blake2s_compress(). The assembly code then reads it +from the 64-bit %rcx. However, the ABI doesn't guarantee zero-extension +to 64 bits, nor do gcc or clang guarantee it. Therefore, fix these +functions to read this argument from the 32-bit %ecx. + +In theory, this bug could have caused the wrong 'inc' value to be used, +causing incorrect BLAKE2s hashes. In practice, probably not: I've fixed +essentially this same bug in many other assembly files too, but there's +never been a real report of it having caused a problem. In x86_64, all +writes to 32-bit registers are zero-extended to 64 bits. That results +in zero-extension in nearly all situations. I've only been able to +demonstrate a lack of zero-extension with a somewhat contrived example +involving truncation, e.g. when the C code has a u64 variable holding +0x1234567800000040 and passes it as a u32 expecting it to be truncated +to 0x40 (64). But that's not what the real code does, of course. + +Fixes: ed0356eda153 ("crypto: blake2s - x86_64 SIMD implementation") +Cc: stable@vger.kernel.org +Reviewed-by: Ard Biesheuvel +Link: https://lore.kernel.org/r/20251102234209.62133-2-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/crypto/blake2s-core.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/crypto/blake2s-core.S ++++ b/arch/x86/crypto/blake2s-core.S +@@ -54,7 +54,7 @@ SYM_FUNC_START(blake2s_compress_ssse3) + movdqa ROT16(%rip),%xmm12 + movdqa ROR328(%rip),%xmm13 + movdqu 0x20(%rdi),%xmm14 +- movq %rcx,%xmm15 ++ movd %ecx,%xmm15 + leaq SIGMA+0xa0(%rip),%r8 + jmp .Lbeginofloop + .align 32 +@@ -179,7 +179,7 @@ SYM_FUNC_START(blake2s_compress_avx512) + vmovdqu (%rdi),%xmm0 + vmovdqu 0x10(%rdi),%xmm1 + vmovdqu 0x20(%rdi),%xmm4 +- vmovq %rcx,%xmm5 ++ vmovd %ecx,%xmm5 + vmovdqa IV(%rip),%xmm14 + vmovdqa IV+16(%rip),%xmm15 + jmp .Lblake2s_compress_avx512_mainloop diff --git a/queue-5.15/mmc-sdhci-msm-avoid-early-clock-doubling-during-hs400-transition.patch b/queue-5.15/mmc-sdhci-msm-avoid-early-clock-doubling-during-hs400-transition.patch new file mode 100644 index 0000000000..e3a9ba3e56 --- /dev/null +++ b/queue-5.15/mmc-sdhci-msm-avoid-early-clock-doubling-during-hs400-transition.patch @@ -0,0 +1,121 @@ +From b1f856b1727c2eaa4be2c6d7cd7a8ed052bbeb87 Mon Sep 17 00:00:00 2001 +From: Sarthak Garg +Date: Fri, 14 Nov 2025 13:58:24 +0530 +Subject: mmc: sdhci-msm: Avoid early clock doubling during HS400 transition + +From: Sarthak Garg + +commit b1f856b1727c2eaa4be2c6d7cd7a8ed052bbeb87 upstream. + +According to the hardware programming guide, the clock frequency must +remain below 52MHz during the transition to HS400 mode. + +However,in the current implementation, the timing is set to HS400 (a +DDR mode) before adjusting the clock. This causes the clock to double +prematurely to 104MHz during the transition phase, violating the +specification and potentially resulting in CRC errors or CMD timeouts. + +This change ensures that clock doubling is avoided during intermediate +transitions and is applied only when the card requires a 200MHz clock +for HS400 operation. + +Signed-off-by: Sarthak Garg +Reviewed-by: Bjorn Andersson +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-msm.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -340,41 +340,43 @@ static void sdhci_msm_v5_variant_writel_ + writel_relaxed(val, host->ioaddr + offset); + } + +-static unsigned int msm_get_clock_mult_for_bus_mode(struct sdhci_host *host) ++static unsigned int msm_get_clock_mult_for_bus_mode(struct sdhci_host *host, ++ unsigned int clock, ++ unsigned int timing) + { +- struct mmc_ios ios = host->mmc->ios; + /* + * The SDHC requires internal clock frequency to be double the + * actual clock that will be set for DDR mode. The controller + * uses the faster clock(100/400MHz) for some of its parts and + * send the actual required clock (50/200MHz) to the card. + */ +- if (ios.timing == MMC_TIMING_UHS_DDR50 || +- ios.timing == MMC_TIMING_MMC_DDR52 || +- ios.timing == MMC_TIMING_MMC_HS400 || ++ if (timing == MMC_TIMING_UHS_DDR50 || ++ timing == MMC_TIMING_MMC_DDR52 || ++ (timing == MMC_TIMING_MMC_HS400 && ++ clock == MMC_HS200_MAX_DTR) || + host->flags & SDHCI_HS400_TUNING) + return 2; + return 1; + } + + static void msm_set_clock_rate_for_bus_mode(struct sdhci_host *host, +- unsigned int clock) ++ unsigned int clock, ++ unsigned int timing) + { + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host); +- struct mmc_ios curr_ios = host->mmc->ios; + struct clk *core_clk = msm_host->bulk_clks[0].clk; + unsigned long achieved_rate; + unsigned int desired_rate; + unsigned int mult; + int rc; + +- mult = msm_get_clock_mult_for_bus_mode(host); ++ mult = msm_get_clock_mult_for_bus_mode(host, clock, timing); + desired_rate = clock * mult; + rc = dev_pm_opp_set_rate(mmc_dev(host->mmc), desired_rate); + if (rc) { + pr_err("%s: Failed to set clock at rate %u at timing %d\n", +- mmc_hostname(host->mmc), desired_rate, curr_ios.timing); ++ mmc_hostname(host->mmc), desired_rate, timing); + return; + } + +@@ -393,7 +395,7 @@ static void msm_set_clock_rate_for_bus_m + msm_host->clk_rate = desired_rate; + + pr_debug("%s: Setting clock at rate %lu at timing %d\n", +- mmc_hostname(host->mmc), achieved_rate, curr_ios.timing); ++ mmc_hostname(host->mmc), achieved_rate, timing); + } + + /* Platform specific tuning */ +@@ -1235,7 +1237,7 @@ static int sdhci_msm_execute_tuning(stru + */ + if (host->flags & SDHCI_HS400_TUNING) { + sdhci_msm_hc_select_mode(host); +- msm_set_clock_rate_for_bus_mode(host, ios.clock); ++ msm_set_clock_rate_for_bus_mode(host, ios.clock, ios.timing); + host->flags &= ~SDHCI_HS400_TUNING; + } + +@@ -1860,6 +1862,7 @@ static void sdhci_msm_set_clock(struct s + { + struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); + struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host); ++ struct mmc_ios ios = host->mmc->ios; + + if (!clock) { + host->mmc->actual_clock = msm_host->clk_rate = 0; +@@ -1868,7 +1871,7 @@ static void sdhci_msm_set_clock(struct s + + sdhci_msm_hc_select_mode(host); + +- msm_set_clock_rate_for_bus_mode(host, clock); ++ msm_set_clock_rate_for_bus_mode(host, ios.clock, ios.timing); + out: + __sdhci_msm_set_clock(host, clock); + } diff --git a/queue-5.15/series b/queue-5.15/series index 9f1fb255fd..deda36aa3e 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -273,3 +273,11 @@ serial-sprd-return-eprobe_defer-when-uart-clock-is-n.patch nvme-fc-don-t-hold-rport-lock-when-putting-ctrl.patch platform-x86-intel-hid-add-dell-pro-rugged-10-12-tab.patch vhost-vsock-improve-rcu-read-sections-around-vhost_v.patch +keys-trusted-fix-a-memory-leak-in-tpm2_load_cmd.patch +mmc-sdhci-msm-avoid-early-clock-doubling-during-hs400-transition.patch +efi-add-missing-static-initializer-for-efi_mm-cpus_allowed_lock.patch +lib-crypto-x86-blake2s-fix-32-bit-arg-treated-as-64-bit.patch +block-rate-limit-capacity-change-info-log.patch +floppy-fix-for-page_size-4kb.patch +fs-ntfs3-fix-mount-failure-for-sparse-runs-in-run_unpack.patch +ktest.pl-fix-uninitialized-var-in-config-bisect.pl.patch