From: Greg Kroah-Hartman Date: Tue, 23 Dec 2025 16:53:52 +0000 (+0100) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88aca339c91306edb160273c33fcbae63c3e8f3e;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch input-lkkbd-disable-pending-work-before-freeing-device.patch input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch --- diff --git a/queue-6.1/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch b/queue-6.1/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch new file mode 100644 index 0000000000..54c0ffeb4b --- /dev/null +++ b/queue-6.1/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch 
@@ -0,0 +1,40 @@ +From 6ea3a44cef28add2d93b1ef119d84886cb1e3c9b Mon Sep 17 00:00:00 2001 +From: Pengjie Zhang +Date: Wed, 10 Dec 2025 21:22:27 +0800 +Subject: ACPI: CPPC: Fix missing PCC check for guaranteed_perf + +From: Pengjie Zhang + +commit 6ea3a44cef28add2d93b1ef119d84886cb1e3c9b upstream. + +The current implementation overlooks the 'guaranteed_perf' +register in this check. + +If the Guaranteed Performance register is located in the PCC +subspace, the function currently attempts to read it without +acquiring the lock and without sending the CMD_READ doorbell +to the firmware. This can result in reading stale data. + +Fixes: 29523f095397 ("ACPI / CPPC: Add support for guaranteed performance") +Signed-off-by: Pengjie Zhang +Cc: 4.20+ # 4.20+ +[ rjw: Subject and changelog edits ] +Link: https://patch.msgid.link/20251210132227.1988380-1-zhangpengjie2@huawei.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/cppc_acpi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/cppc_acpi.c ++++ b/drivers/acpi/cppc_acpi.c +@@ -1267,7 +1267,8 @@ int cppc_get_perf_caps(int cpunum, struc + /* Are any of the regs PCC ?*/ + if (CPC_IN_PCC(highest_reg) || CPC_IN_PCC(lowest_reg) || + CPC_IN_PCC(lowest_non_linear_reg) || CPC_IN_PCC(nominal_reg) || +- CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg)) { ++ CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg) || ++ CPC_IN_PCC(guaranteed_reg)) { + if (pcc_ss_id < 0) { + pr_debug("Invalid pcc_ss_id\n"); + return -ENODEV; diff --git a/queue-6.1/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch b/queue-6.1/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch new file mode 100644 index 0000000000..6b285f9c9c --- /dev/null +++ b/queue-6.1/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch 
@@ -0,0 +1,70 @@ +From 7953794f741e94d30df9dafaaa4c031c85b891d6 Mon Sep 17 00:00:00 2001 +From: Ping Cheng +Date: Mon, 27 Oct 2025 13:37:42 -0700 +Subject: HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen + +From: Ping Cheng + +commit 7953794f741e94d30df9dafaaa4c031c85b891d6 upstream. + +HID_GD_Z is mapped to ABS_Z for stylus and pen in hid-input.c. But HID_GD_Z +should be used to report ABS_DISTANCE for stylus and pen as described at: +Documentation/input/event-codes.rst#n226 + +* ABS_DISTANCE: + + - Used to describe the distance of a tool from an interaction surface. This + event should only be emitted while the tool is hovering, meaning in close + proximity of the device and while the value of the BTN_TOUCH code is 0. If + the input device may be used freely in three dimensions, consider ABS_Z + instead. + - BTN_TOOL_ should be set to 1 when the tool comes into detectable + proximity and set to 0 when the tool leaves detectable proximity. + BTN_TOOL_ signals the type of tool that is currently detected by the + hardware and is otherwise independent of ABS_DISTANCE and/or BTN_TOUCH. + +This patch makes the correct mapping. The ABS_DISTANCE is currently not mapped +by any HID usage in hid-generic driver. + +Signed-off-by: Ping Cheng +Cc: stable@kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-input.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -871,7 +871,7 @@ static void hidinput_configure_usage(str + + switch (usage->hid) { + /* These usage IDs map directly to the usage codes. 
*/ +- case HID_GD_X: case HID_GD_Y: case HID_GD_Z: ++ case HID_GD_X: case HID_GD_Y: + case HID_GD_RX: case HID_GD_RY: case HID_GD_RZ: + if (field->flags & HID_MAIN_ITEM_RELATIVE) + map_rel(usage->hid & 0xf); +@@ -879,6 +879,22 @@ static void hidinput_configure_usage(str + map_abs_clear(usage->hid & 0xf); + break; + ++ case HID_GD_Z: ++ /* HID_GD_Z is mapped to ABS_DISTANCE for stylus/pen */ ++ if (field->flags & HID_MAIN_ITEM_RELATIVE) { ++ map_rel(usage->hid & 0xf); ++ } else { ++ if (field->application == HID_DG_PEN || ++ field->physical == HID_DG_PEN || ++ field->logical == HID_DG_STYLUS || ++ field->physical == HID_DG_STYLUS || ++ field->application == HID_DG_DIGITIZER) ++ map_abs_clear(ABS_DISTANCE); ++ else ++ map_abs_clear(usage->hid & 0xf); ++ } ++ break; ++ + case HID_GD_WHEEL: + if (field->flags & HID_MAIN_ITEM_RELATIVE) { + set_bit(REL_WHEEL, input->relbit); diff --git a/queue-6.1/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch b/queue-6.1/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch new file mode 100644 index 0000000000..4f1b4a4bec --- /dev/null +++ b/queue-6.1/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch 
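Review bot: The new `case HID_GD_Z:` nests a second if/else inside the `else` branch where an `else if` chain would read flatter and match the surrounding cases, i.e. `} else if (field->application == HID_DG_PEN || field->physical == HID_DG_PEN || field->logical == HID_DG_STYLUS || field->physical == HID_DG_STYLUS || field->application == HID_DG_DIGITIZER) {` followed by `map_abs_clear(ABS_DISTANCE);` and a plain `} else {` for the `usage->hid & 0xf` fallback. The one-line comment could also say what changes for userspace, since devices whose application usage is HID_DG_DIGITIZER previously reported this axis as ABS_Z and will now report ABS_DISTANCE; something like `/* Pen/stylus/digitizer applications report Z as hover distance (ABS_DISTANCE), not ABS_Z */`. hidinput_configure_usage() continues outside the hunk, so I cannot see whether any other case already special-cases the digitizer application the same way.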
@@ -0,0 +1,39 @@ +From aed3716db7fff74919cc5775ca3a80c8bb246489 Mon Sep 17 00:00:00 2001 +From: Christoffer Sandberg +Date: Mon, 24 Nov 2025 21:31:34 +0100 +Subject: Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table + +From: Christoffer Sandberg + +commit aed3716db7fff74919cc5775ca3a80c8bb246489 upstream. + +The device occasionally wakes up from suspend with missing input on the +internal keyboard and the following suspend attempt results in an instant +wake-up. The quirks fix both issues for this device. + +Signed-off-by: Christoffer Sandberg +Signed-off-by: Werner Sembach +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251124203336.64072-1-wse@tuxedocomputers.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/serio/i8042-acpipnpio.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-acpipnpio.h ++++ b/drivers/input/serio/i8042-acpipnpio.h +@@ -1169,6 +1169,13 @@ static const struct dmi_system_id i8042_ + .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | + SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) + }, ++ { ++ .matches = { ++ DMI_MATCH(DMI_BOARD_NAME, "X5KK45xS_X5SP45xS"), ++ }, ++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS | ++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP) ++ }, + /* + * A lot of modern Clevo barebones have touchpad and/or keyboard issues + * after suspend fixable with the forcenorestore quirk. diff --git a/queue-6.1/input-lkkbd-disable-pending-work-before-freeing-device.patch b/queue-6.1/input-lkkbd-disable-pending-work-before-freeing-device.patch new file mode 100644 index 0000000000..4237777936 --- /dev/null +++ b/queue-6.1/input-lkkbd-disable-pending-work-before-freeing-device.patch 
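Review bot: The new dmi_system_id entry matches only on the opaque board name `"X5KK45xS_X5SP45xS"` and carries no comment tying it to the product, so a maintainer auditing this table later has to go back to the commit title to learn which machine it is for. A one-line comment above the entry, `/* TUXEDO InfinityBook Max Gen10 AMD */`, would keep that link in the source; I cannot see from the hunk whether the neighbouring entries follow that convention, so match whatever they do. The i8042_dmi_quirk_table initializer continues on both sides of the hunk.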
@@ -0,0 +1,52 @@ +From e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c Mon Sep 17 00:00:00 2001 +From: Minseong Kim +Date: Fri, 12 Dec 2025 00:29:23 -0800 +Subject: Input: lkkbd - disable pending work before freeing device + +From: Minseong Kim + +commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream. + +lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work +handler lkkbd_reinit() dereferences the lkkbd structure and its +serio/input_dev fields. + +lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd +structure without preventing the reinit work from being queued again +until serio_close() returns. This can allow the work handler to run +after the structure has been freed, leading to a potential use-after-free. + +Use disable_work_sync() instead of cancel_work_sync() to ensure the +reinit work cannot be re-queued, and call it both in lkkbd_disconnect() +and in lkkbd_connect() error paths after serio_open(). + +Signed-off-by: Minseong Kim +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/keyboard/lkkbd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/input/keyboard/lkkbd.c ++++ b/drivers/input/keyboard/lkkbd.c +@@ -670,7 +670,8 @@ static int lkkbd_connect(struct serio *s + + return 0; + +- fail3: serio_close(serio); ++ fail3: disable_work_sync(&lk->tq); ++ serio_close(serio); + fail2: serio_set_drvdata(serio, NULL); + fail1: input_free_device(input_dev); + kfree(lk); +@@ -684,6 +685,8 @@ static void lkkbd_disconnect(struct seri + { + struct lkkbd *lk = serio_get_drvdata(serio); + ++ disable_work_sync(&lk->tq); ++ + input_get_device(lk->dev); + input_unregister_device(lk->dev); + serio_close(serio); 
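Review bot: Both hunks call `disable_work_sync(&lk->tq)`, an API that, as far as I recall, upstream gained only with the 6.10 workqueue disable/enable rework, so unless queue-6.1 already carries a backport of that helper this patch will fail to compile against a 6.1 tree; please confirm the symbol exists in 6.1's `include/linux/workqueue.h` before the patch is queued. If it does not, the backport needs an equivalent that actually prevents re-queueing from lkkbd_interrupt() (the reason the commit message gives for not using cancel_work_sync()), for example a flag checked before `schedule_work(&lk->tq)`, rather than a silent substitution of cancel_work_sync(). The fail3 label in lkkbd_connect() sits after `serio_open()` per the commit message, which is consistent with the ordering shown, but the start of lkkbd_connect() and the rest of lkkbd_disconnect() are outside the hunk.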
diff --git a/queue-6.1/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch b/queue-6.1/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch new file mode 100644 index 0000000000..a368a9bc9f --- /dev/null +++ b/queue-6.1/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch @@ -0,0 +1,38 @@ +From 248d3a73a0167dce15ba100477c3e778c4787178 Mon Sep 17 00:00:00 2001 +From: Junjie Cao +Date: Thu, 18 Dec 2025 21:56:59 -0800 +Subject: Input: ti_am335x_tsc - fix off-by-one error in wire_order validation + +From: Junjie Cao + +commit 248d3a73a0167dce15ba100477c3e778c4787178 upstream. + +The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows +wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds +access when used as index in 'config_pins[wire_order[i]]'. + +Since config_pins has 4 elements (indices 0-3), the valid range for +wire_order should be 0-3. Fix the off-by-one error by using >= instead +of > in the validation check. + +Signed-off-by: Junjie Cao +Link: https://patch.msgid.link/20251114062817.852698-1-junjie.cao@intel.com +Fixes: bb76dc09ddfc ("input: ti_am33x_tsc: Order of TSC wires, made configurable") +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/ti_am335x_tsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/ti_am335x_tsc.c ++++ b/drivers/input/touchscreen/ti_am335x_tsc.c +@@ -86,7 +86,7 @@ static int titsc_config_wires(struct tit + wire_order[i] = ts_dev->config_inp[i] & 0x0F; + if (WARN_ON(analog_line[i] > 7)) + return -EINVAL; +- if (WARN_ON(wire_order[i] > ARRAY_SIZE(config_pins))) ++ if (WARN_ON(wire_order[i] >= ARRAY_SIZE(config_pins))) + return -EINVAL; + } + 
diff --git a/queue-6.1/ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch b/queue-6.1/ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch new file mode 100644 index 0000000000..5af7431d33 --- /dev/null +++ b/queue-6.1/ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch @@ -0,0 +1,46 @@ +From 95d7a890e4b03e198836d49d699408fd1867cb55 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sun, 14 Dec 2025 15:06:34 +0900 +Subject: ksmbd: fix buffer validation by including null terminator size in EA length + +From: Namjae Jeon + +commit 95d7a890e4b03e198836d49d699408fd1867cb55 upstream. + +The smb2_set_ea function, which handles Extended Attributes (EA), +was performing buffer validation checks that incorrectly omitted the size +of the null terminating character (+1 byte) for EA Name. +This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where +the null terminator is expected to be present in the buffer, ensuring +the validation accurately reflects the total required buffer size. + +Cc: stable@vger.kernel.org +Reported-by: Roger +Reported-by: Stanislas Polu +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -2354,7 +2354,7 @@ static int smb2_set_ea(struct smb2_ea_in + int rc = 0; + unsigned int next = 0; + +- if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + ++ if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 + + le16_to_cpu(eabuf->EaValueLength)) + return -EINVAL; + +@@ -2430,7 +2430,7 @@ next: + break; + } + +- if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + ++ if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 + + le16_to_cpu(eabuf->EaValueLength)) { + rc = -EINVAL; + break; 
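Review bot: The corrected length check is now written out twice (lines 2357 and 2433 of smb2_set_ea), and the two copies only stay in sync by discipline; a small helper such as `static inline bool smb2_ea_entry_fits(const struct smb2_ea_info *ea, unsigned int buf_len)` returning `buf_len >= sizeof(*ea) + ea->EaNameLength + 1 + le16_to_cpu(ea->EaValueLength)` would give one place to maintain the rule and a name for what the `+ 1` means. Independently of that, the size check only proves that room for a terminator exists; whether the byte at `name[EaNameLength]` is actually NUL, or whether the name is later copied with an explicit bound, is not visible in this hunk and is worth confirming, since the fix is otherwise only as good as the consumer of the name. The declaration of `buf_len` is cut off in the hunk header (`struct smb2_ea_in…`), so I cannot tell whether it is signed; if it is an `int`, the comparison against a `size_t` sum converts it to unsigned. smb2_set_ea() continues outside both hunks.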
diff --git a/queue-6.1/ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch b/queue-6.1/ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch new file mode 100644 index 0000000000..fcd550a650 --- /dev/null +++ b/queue-6.1/ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch @@ -0,0 +1,39 @@ +From cafb57f7bdd57abba87725eb4e82bbdca4959644 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sun, 14 Dec 2025 15:05:56 +0900 +Subject: ksmbd: Fix refcount leak when invalid session is found on session lookup + +From: Namjae Jeon + +commit cafb57f7bdd57abba87725eb4e82bbdca4959644 upstream. + +When a session is found but its state is not SMB2_SESSION_VALID, It +indicates that no valid session was found, but it is missing to decrement +the reference count acquired by the session lookup, which results in +a reference count leak. This patch fixes the issue by explicitly calling +ksmbd_user_session_put to release the reference to the session. + +Cc: stable@vger.kernel.org +Reported-by: Alexandre +Reported-by: Stanislas Polu +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/mgmt/user_session.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -312,8 +312,10 @@ struct ksmbd_session *ksmbd_session_look + sess = ksmbd_session_lookup(conn, id); + if (!sess && conn->binding) + sess = ksmbd_session_lookup_slowpath(id); +- if (sess && sess->state != SMB2_SESSION_VALID) ++ if (sess && sess->state != SMB2_SESSION_VALID) { ++ ksmbd_user_session_put(sess); + sess = NULL; ++ } + return sess; + } + diff --git a/queue-6.1/ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch b/queue-6.1/ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch new file mode 100644 index 0000000000..81bdb7309b --- /dev/null 
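Review bot: The fix relies on both lookup paths, `ksmbd_session_lookup()` and `ksmbd_session_lookup_slowpath()`, returning a session with a reference already taken, since the new `ksmbd_user_session_put(sess)` is applied regardless of which one found it; that is consistent with the commit message but not visible in the hunk, so it is worth confirming for the slowpath. The function (its name is cut off in the hunk header, `ksmbd_session_look…`) should also state the ownership rule so the next caller does not repeat the leak, e.g. a comment above it: `/* Returns a referenced session in SMB2_SESSION_VALID state, or NULL; the caller must drop it with ksmbd_user_session_put(). */`. The start of the function lies outside the hunk.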
+++ b/queue-6.1/ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch @@ -0,0 +1,45 @@ +From 5d510ac31626ed157d2182149559430350cf2104 Mon Sep 17 00:00:00 2001 +From: Qianchang Zhao +Date: Sun, 9 Nov 2025 10:00:55 +0900 +Subject: ksmbd: skip lock-range check on equal size to avoid size==0 underflow + +From: Qianchang Zhao + +commit 5d510ac31626ed157d2182149559430350cf2104 upstream. + +When size equals the current i_size (including 0), the code used to call +check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1` +and can underflow for size==0. Skip the equal case. + +Cc: stable@vger.kernel.org +Reported-by: Qianchang Zhao +Reported-by: Zhitong Liu +Signed-off-by: Qianchang Zhao +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/vfs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/smb/server/vfs.c ++++ b/fs/smb/server/vfs.c +@@ -330,6 +330,9 @@ static int check_lock_range(struct file + struct file_lock_context *ctx = file_inode(filp)->i_flctx; + int error = 0; + ++ if (start == end) ++ return 0; ++ + if (!ctx || list_empty_careful(&ctx->flc_posix)) + return 0; + +@@ -830,7 +833,7 @@ int ksmbd_vfs_truncate(struct ksmbd_work + if (size < inode->i_size) { + err = check_lock_range(filp, size, + inode->i_size - 1, WRITE); +- } else { ++ } else if (size > inode->i_size) { + err = check_lock_range(filp, inode->i_size, + size - 1, WRITE); + } diff --git a/queue-6.1/mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch b/queue-6.1/mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch new file mode 100644 index 0000000000..fc80567070 --- /dev/null +++ b/queue-6.1/mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch 
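Review bot: The `if (start == end) return 0;` added to check_lock_range() is broader than the bug it targets: the caller in the second hunk passes inclusive bounds (`size, inode->i_size - 1`), so `start == end` is a legitimate one-byte range, and the early return now reports "no conflicting lock" for every one-byte query from any caller of check_lock_range(), not only the truncate path. The second hunk's `} else if (size > inode->i_size) {` already stops ksmbd_vfs_truncate() from computing `size - 1` for `size == 0`, so the first hunk appears unnecessary; I would drop it, or if some other caller can still pass an underflowed range, reject that case (`end < start`) rather than the equal one. If read or write paths elsewhere in vfs.c compute `pos + count - 1` before calling this function (not visible here, so hedged), a count of 1 would now skip the byte-range lock check entirely. check_lock_range() continues outside the hunk.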
@@ -0,0 +1,43 @@ +From d3ecb12e2e04ce53c95f933c462f2d8b150b965b Mon Sep 17 00:00:00 2001 +From: Jared Kangas +Date: Fri, 12 Dec 2025 07:03:17 -0800 +Subject: mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig + +From: Jared Kangas + +commit d3ecb12e2e04ce53c95f933c462f2d8b150b965b upstream. + +MMC_SDHCI_ESDHC_IMX requires ARCH_MXC despite also being used on +ARCH_S32, which results in unmet dependencies when compiling strictly +for ARCH_S32. Resolve this by adding ARCH_S32 as an alternative to +ARCH_MXC in the driver's dependencies. + +Fixes: 5c4f00627c9a ("mmc: sdhci-esdhc-imx: add NXP S32G2 support") +Cc: stable@bvger.kernel.org +Signed-off-by: Jared Kangas +Reviewed-by: Haibo Chen +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/Kconfig ++++ b/drivers/mmc/host/Kconfig +@@ -279,14 +279,14 @@ config MMC_SDHCI_ESDHC_MCF + + config MMC_SDHCI_ESDHC_IMX + tristate "SDHCI support for the Freescale eSDHC/uSDHC i.MX controller" +- depends on ARCH_MXC || COMPILE_TEST ++ depends on ARCH_MXC || ARCH_S32 || COMPILE_TEST + depends on MMC_SDHCI_PLTFM + depends on OF + select MMC_SDHCI_IO_ACCESSORS + select MMC_CQHCI + help + This selects the Freescale eSDHC/uSDHC controller support +- found on i.MX25, i.MX35 i.MX5x and i.MX6x. ++ found on i.MX25, i.MX35, i.MX5x, i.MX6x, and S32G. + + If you have a controller with this interface, say Y or M here. + diff --git a/queue-6.1/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch b/queue-6.1/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch new file mode 100644 index 0000000000..e8d85f9319 --- /dev/null +++ b/queue-6.1/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch 
@@ -0,0 +1,85 @@ +From 188e0fa5a679570ea35474575e724d8211423d17 Mon Sep 17 00:00:00 2001 +From: Shaurya Rane +Date: Sat, 29 Nov 2025 15:07:18 +0530 +Subject: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() + +From: Shaurya Rane + +commit 188e0fa5a679570ea35474575e724d8211423d17 upstream. + +prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std +but doesn't check if the allocation failed. If __pskb_copy() returns +NULL, skb_clone() is called with a NULL pointer, causing a crash: + +Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI +KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] +CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041 +Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c +RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207 +RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480 +RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000 +RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee +R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000 +R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00 +FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0 +Call Trace: + + hsr_forward_do net/hsr/hsr_forward.c:-1 [inline] + hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741 + hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84 + __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966 + __netif_receive_skb_one_core 
net/core/dev.c:6077 [inline] + __netif_receive_skb+0x72/0x380 net/core/dev.c:6192 + netif_receive_skb_internal net/core/dev.c:6278 [inline] + netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337 + tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485 + tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953 + tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999 + new_sync_write fs/read_write.c:593 [inline] + vfs_write+0x5c9/0xb30 fs/read_write.c:686 + ksys_write+0x145/0x250 fs/read_write.c:738 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f0449f8e1ff +Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48 +RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff +RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8 +RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000 +R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001 +R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003 + + +Add a NULL check immediately after __pskb_copy() to handle allocation +failures gracefully. 
+ +Reported-by: syzbot+2fa344348a579b779e05@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2fa344348a579b779e05 +Fixes: f266a683a480 ("net/hsr: Better frame dispatch") +Cc: stable@vger.kernel.org +Signed-off-by: Shaurya Rane +Reviewed-by: Felix Maurer +Tested-by: Felix Maurer +Link: https://patch.msgid.link/20251129093718.25320-1-ssrane_b23@ee.vjti.ac.in +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/hsr/hsr_forward.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -176,6 +176,8 @@ struct sk_buff *prp_get_untagged_frame(s + __pskb_copy(frame->skb_prp, + skb_headroom(frame->skb_prp), + GFP_ATOMIC); ++ if (!frame->skb_std) ++ return NULL; + } else { + /* Unexpected */ + WARN_ONCE(1, "%s:%d: Unexpected frame received (port_src %s)\n", diff --git a/queue-6.1/series b/queue-6.1/series index d55c39f488..2b25a8e3a3 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
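Review bot: The new `if (!frame->skb_std) return NULL;` is correct only if every caller of prp_get_untagged_frame() treats a NULL return as "drop this frame" rather than dereferencing it; the commit message and trace point at hsr_forward_do(), which is outside this hunk, so that contract is worth a comment at the return, e.g. `/* Allocation failed: caller drops the frame */`. Leaving `frame->skb_std` NULL also means any later code that clones `frame->skb_std` for other ports must re-check it, which the hunk does not show. prp_get_untagged_frame() begins and ends outside the hunk.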
@@ -280,3 +280,14 @@ spi-cadence-quadspi-add-clock-configuration-for-star.patch
 spi-cadence-quadspi-add-missing-clk_disable_unprepar.patch
 spi-cadence-quadspi-fix-clock-disable-on-probe-failu.patch
 block-rnbd-clt-fix-leaked-id-in-init_dev.patch
+ksmbd-skip-lock-range-check-on-equal-size-to-avoid-size-0-underflow.patch
+ksmbd-fix-refcount-leak-when-invalid-session-is-found-on-session-lookup.patch
+ksmbd-fix-buffer-validation-by-including-null-terminator-size-in-ea-length.patch
+hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
+input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
+input-lkkbd-disable-pending-work-before-freeing-device.patch
+input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
+acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
+spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
+mmc-sdhci-esdhc-imx-add-alternate-arch_s32-dependency-to-kconfig.patch
+net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch
diff --git a/queue-6.1/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch b/queue-6.1/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
new file mode 100644
index 0000000000..b9995aec5a
--- /dev/null
+++ b/queue-6.1/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
@@ -0,0 +1,46 @@ +From 1417927df8049a0194933861e9b098669a95c762 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Thu, 20 Nov 2025 09:34:49 +0100 +Subject: spi: fsl-cpm: Check length parity before switching to 16 bit mode + +From: Christophe Leroy + +commit 1417927df8049a0194933861e9b098669a95c762 upstream. + +Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers +with even size") failed to make sure that the size is really even +before switching to 16 bit mode. Until recently the problem went +unnoticed because kernfs uses a pre-allocated bounce buffer of size +PAGE_SIZE for reading EEPROM. + +But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API") +introduced an additional dynamically allocated bounce buffer whose size +is exactly the size of the transfer, leading to a buffer overrun in +the fsl-cpm driver when that size is odd. + +Add the missing length parity verification and remain in 8 bit mode +when the length is not even. + +Fixes: fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") +Cc: stable@vger.kernel.org +Closes: https://lore.kernel.org/all/638496dd-ec60-4e53-bad7-eb657f67d580@csgroup.eu/ +Signed-off-by: Christophe Leroy +Reviewed-by: Sverdlin Alexander +Link: https://patch.msgid.link/3c4d81c3923c93f95ec56702a454744a4bad3cfc.1763627618.git.christophe.leroy@csgroup.eu +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-fsl-spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-fsl-spi.c ++++ b/drivers/spi/spi-fsl-spi.c +@@ -352,7 +352,7 @@ static int fsl_spi_prepare_message(struc + if (t->bits_per_word == 16 || t->bits_per_word == 32) + t->bits_per_word = 8; /* pretend its 8 bits */ + if (t->bits_per_word == 8 && t->len >= 256 && +- (mpc8xxx_spi->flags & SPI_CPM1)) ++ !(t->len & 1) && (mpc8xxx_spi->flags & SPI_CPM1)) + t->bits_per_word = 16; + } + }
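Review bot: The new `!(t->len & 1)` term is the whole point of the fix but reads as an unexplained bit test inside a four-term condition; a why-comment on the `if` would make the invariant explicit, e.g. `/* 16-bit mode moves two bytes per word, so an odd length would run past the buffer */`. The condition has also grown to four clauses over two lines, so naming it first, `bool even_len = !(t->len & 1);`, would keep the `if` readable; the `256` threshold is already a magic number here and a named constant would help the same way. fsl_spi_prepare_message() continues outside the hunk, so I cannot see whether `t->len` is checked for zero earlier.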