From: Greg Kroah-Hartman
Date: Sun, 6 Jul 2025 11:54:58 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Tag: v5.15.187~59
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=adf64bf672628e44d5c697abe6dc6872c1b5050c;p=thirdparty%2Fkernel%2Fstable-queue.git
6.6-stable patches
added patches:
bluetooth-hci_sync-revert-some-mesh-modifications.patch
bluetooth-mgmt-mesh_send-check-instances-prior-disabling-advertising.patch
bluetooth-mgmt-set_mesh-update-le-scan-interval-and-window.patch
mmc-core-sd-apply-broken_sd_discard-quirk-earlier.patch
mmc-sdhci-add-a-helper-function-for-dump-register-in-dynamic-debug-mode.patch
mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch
mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch
mtk-sd-reset-host-mrq-on-prepare_data-error.patch
regulator-gpio-fix-the-out-of-bounds-access-to-drvdata-gpiods.patch
revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch
s390-pci-do-not-try-re-enabling-load-store-if-device-is-disabled.patch
usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch
virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch
vsock-vmci-clear-the-vmci-transport-packet-properly-when-initializing-it.patch
---
diff --git a/queue-6.6/bluetooth-hci_sync-revert-some-mesh-modifications.patch b/queue-6.6/bluetooth-hci_sync-revert-some-mesh-modifications.patch
new file mode 100644
index 0000000000..cb1eef8f0c
--- /dev/null
+++ b/queue-6.6/bluetooth-hci_sync-revert-some-mesh-modifications.patch
@@ -0,0 +1,74 @@
+From 46c0d947b64ac8efcf89dd754213dab5d1bd00aa Mon Sep 17 00:00:00 2001
+From: Christian Eggers
+Date: Wed, 25 Jun 2025 15:09:29 +0200
+Subject: Bluetooth: hci_sync: revert some mesh modifications
+
+From: Christian Eggers
+
+commit 46c0d947b64ac8efcf89dd754213dab5d1bd00aa upstream.
+
+This reverts minor parts of the changes made in commit b338d91703fa
+("Bluetooth: Implement support for Mesh"). It looks like these changes
+were only made for development purposes but shouldn't have been part of
+the commit.
+
+Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Eggers
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/hci_sync.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -2010,13 +2010,10 @@ static int hci_clear_adv_sets_sync(struc
+ static int hci_clear_adv_sync(struct hci_dev *hdev, struct sock *sk, bool force)
+ {
+ struct adv_info *adv, *n;
+- int err = 0;
+
+ if (ext_adv_capable(hdev))
+ /* Remove all existing sets */
+- err = hci_clear_adv_sets_sync(hdev, sk);
+- if (ext_adv_capable(hdev))
+- return err;
++ return hci_clear_adv_sets_sync(hdev, sk);
+
+ /* This is safe as long as there is no command send while the lock is
+ * held.
+@@ -2044,13 +2041,11 @@ static int hci_clear_adv_sync(struct hci
+ static int hci_remove_adv_sync(struct hci_dev *hdev, u8 instance,
+ struct sock *sk)
+ {
+- int err = 0;
++ int err;
+
+ /* If we use extended advertising, instance has to be removed first. */
+ if (ext_adv_capable(hdev))
+- err = hci_remove_ext_adv_instance_sync(hdev, instance, sk);
+- if (ext_adv_capable(hdev))
+- return err;
++ return hci_remove_ext_adv_instance_sync(hdev, instance, sk);
+
+ /* This is safe as long as there is no command send while the lock is
+ * held.
+@@ -2149,16 +2144,13 @@ int hci_read_tx_power_sync(struct hci_de
+ int hci_disable_advertising_sync(struct hci_dev *hdev)
+ {
+ u8 enable = 0x00;
+- int err = 0;
+
+ /* If controller is not advertising we are done. */
+ if (!hci_dev_test_flag(hdev, HCI_LE_ADV))
+ return 0;
+
+ if (ext_adv_capable(hdev))
+- err = hci_disable_ext_adv_instance_sync(hdev, 0x00);
+- if (ext_adv_capable(hdev))
+- return err;
++ return hci_disable_ext_adv_instance_sync(hdev, 0x00);
+
+ return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_ENABLE,
+ sizeof(enable), &enable, HCI_CMD_TIMEOUT);
diff --git a/queue-6.6/bluetooth-mgmt-mesh_send-check-instances-prior-disabling-advertising.patch b/queue-6.6/bluetooth-mgmt-mesh_send-check-instances-prior-disabling-advertising.patch
new file mode 100644
index 0000000000..2436614949
--- /dev/null
+++ b/queue-6.6/bluetooth-mgmt-mesh_send-check-instances-prior-disabling-advertising.patch
@@ -0,0 +1,38 @@
+From f3cb5676e5c11c896ba647ee309a993e73531588 Mon Sep 17 00:00:00 2001
+From: Christian Eggers
+Date: Wed, 25 Jun 2025 15:09:31 +0200
+Subject: Bluetooth: MGMT: mesh_send: check instances prior disabling advertising
+
+From: Christian Eggers
+
+commit f3cb5676e5c11c896ba647ee309a993e73531588 upstream.
+
+The unconditional call of hci_disable_advertising_sync() in
+mesh_send_done_sync() also disables other LE advertisings (non mesh
+related).
+
+I am not sure whether this call is required at all, but checking the
+adv_instances list (like done at other places) seems to solve the
+problem.
+
+Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Eggers
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/mgmt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -1074,7 +1074,8 @@ static int mesh_send_done_sync(struct hc
+ struct mgmt_mesh_tx *mesh_tx;
+
+ hci_dev_clear_flag(hdev, HCI_MESH_SENDING);
+- hci_disable_advertising_sync(hdev);
++ if (list_empty(&hdev->adv_instances))
++ hci_disable_advertising_sync(hdev);
+ mesh_tx = mgmt_mesh_next(hdev, NULL);
+
+ if (mesh_tx)
diff --git a/queue-6.6/bluetooth-mgmt-set_mesh-update-le-scan-interval-and-window.patch b/queue-6.6/bluetooth-mgmt-set_mesh-update-le-scan-interval-and-window.patch
new file mode 100644
index 0000000000..691894b04e
--- /dev/null
+++ b/queue-6.6/bluetooth-mgmt-set_mesh-update-le-scan-interval-and-window.patch
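Review bot: The new `list_empty(&hdev->adv_instances)` guard in mesh_send_done_sync() has no comment saying why advertising is left running when instances exist, and the commit message itself is unsure whether the call is needed at all. A one-line comment above the check would record the intent, for example `/* Leave advertising on while non-mesh instances are still registered */`. The return value of hci_disable_advertising_sync() is still discarded here, as it was before the change, so a failure to stop advertising goes unnoticed; reporting it with `bt_dev_err()` would make that visible. mesh_send_done_sync() starts and ends outside the hunk.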
@@ -0,0 +1,77 @@
+From e5af67a870f738bb8a4594b6c60c2caf4c87a3c9 Mon Sep 17 00:00:00 2001
+From: Christian Eggers
+Date: Wed, 25 Jun 2025 15:09:30 +0200
+Subject: Bluetooth: MGMT: set_mesh: update LE scan interval and window
+
+From: Christian Eggers
+
+commit e5af67a870f738bb8a4594b6c60c2caf4c87a3c9 upstream.
+
+According to the message of commit b338d91703fa ("Bluetooth: Implement
+support for Mesh"), MGMT_OP_SET_MESH_RECEIVER should set the passive scan
+parameters. Currently the scan interval and window parameters are
+silently ignored, although user space (bluetooth-meshd) expects that
+they can be used [1]
+
+[1] https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/mesh/mesh-io-mgmt.c#n344
+Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Eggers
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/bluetooth/mgmt.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2140,6 +2140,9 @@ static int set_mesh_sync(struct hci_dev
+ else
+ hci_dev_clear_flag(hdev, HCI_MESH);
+
++ hdev->le_scan_interval = __le16_to_cpu(cp->period);
++ hdev->le_scan_window = __le16_to_cpu(cp->window);
++
+ len -= sizeof(*cp);
+
+ /* If filters don't fit, forward all adv pkts */
+@@ -2154,6 +2157,7 @@ static int set_mesh(struct sock *sk, str
+ {
+ struct mgmt_cp_set_mesh *cp = data;
+ struct mgmt_pending_cmd *cmd;
++ __u16 period, window;
+ int err = 0;
+
+ bt_dev_dbg(hdev, "sock %p", sk);
+@@ -2167,6 +2171,23 @@ static int set_mesh(struct sock *sk, str
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
+ MGMT_STATUS_INVALID_PARAMS);
+
++ /* Keep allowed ranges in sync with set_scan_params() */
++ period = __le16_to_cpu(cp->period);
++
++ if (period < 0x0004 || period > 0x4000)
++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
++ MGMT_STATUS_INVALID_PARAMS);
++
++ window = __le16_to_cpu(cp->window);
++
++ if (window < 0x0004 || window > 0x4000)
++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
++ MGMT_STATUS_INVALID_PARAMS);
++
++ if (window > period)
++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
++ MGMT_STATUS_INVALID_PARAMS);
++
+ hci_dev_lock(hdev);
+
+ cmd = mgmt_pending_add(sk, MGMT_OP_SET_MESH_RECEIVER, hdev, data, len);
+@@ -6529,6 +6550,7 @@ static int set_scan_params(struct sock *
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
+ MGMT_STATUS_NOT_SUPPORTED);
+
++ /* Keep allowed ranges in sync with set_mesh() */
+ interval = __le16_to_cpu(cp->interval);
+
+ if (interval < 0x0004 || interval > 0x4000)
diff --git a/queue-6.6/mmc-core-sd-apply-broken_sd_discard-quirk-earlier.patch b/queue-6.6/mmc-core-sd-apply-broken_sd_discard-quirk-earlier.patch
new file mode 100644
index 0000000000..356166c759
--- /dev/null
+++ b/queue-6.6/mmc-core-sd-apply-broken_sd_discard-quirk-earlier.patch
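Review bot: The period/window range checks added to set_mesh() repeat the literals `0x0004` and `0x4000` already used in set_scan_params(), and only the two "Keep allowed ranges in sync" comments tie the copies together. A shared helper called from both handlers, for example `static bool le_scan_params_valid(u16 interval, u16 window)`, would keep the validation of these user-supplied values from drifting apart. Separately, set_mesh_sync() stores `hdev->le_scan_interval` and `hdev->le_scan_window` right after the else branch that clears HCI_MESH, so the stored scan parameters appear to be overwritten even when the request disables mesh; if that is not intended, the two assignments belong in the enable branch. Both functions start and end outside the hunks shown.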
@@ -0,0 +1,56 @@
+From 009c3a4bc41e855fd76f92727f9fbae4e5917d7f Mon Sep 17 00:00:00 2001
+From: Avri Altman
+Date: Mon, 26 May 2025 14:44:45 +0300
+Subject: mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier
+
+From: Avri Altman
+
+commit 009c3a4bc41e855fd76f92727f9fbae4e5917d7f upstream.
+
+Move the BROKEN_SD_DISCARD quirk for certain SanDisk SD cards from the
+`mmc_blk_fixups[]` to `mmc_sd_fixups[]`. This ensures the quirk is
+applied earlier in the device initialization process, aligning with the
+reasoning in [1]. Applying the quirk sooner prevents the kernel from
+incorrectly enabling discard support on affected cards during initial
+setup.
+
+[1] https://lore.kernel.org/all/20240820230631.GA436523@sony.com
+
+Fixes: 07d2872bf4c8 ("mmc: core: Add SD card quirk for broken discard")
+Signed-off-by: Avri Altman
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250526114445.675548-1-avri.altman@sandisk.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/quirks.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/core/quirks.h
++++ b/drivers/mmc/core/quirks.h
+@@ -44,6 +44,12 @@ static const struct mmc_fixup __maybe_un
+ 0, -1ull, SDIO_ANY_ID, SDIO_ANY_ID, add_quirk_sd,
+ MMC_QUIRK_NO_UHS_DDR50_TUNING, EXT_CSD_REV_ANY),
+
++ /*
++ * Some SD cards reports discard support while they don't
++ */
++ MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd,
++ MMC_QUIRK_BROKEN_SD_DISCARD),
++
+ END_FIXUP
+ };
+
+@@ -147,12 +153,6 @@ static const struct mmc_fixup __maybe_un
+ MMC_FIXUP("M62704", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc,
+ MMC_QUIRK_TRIM_BROKEN),
+
+- /*
+- * Some SD cards reports discard support while they don't
+- */
+- MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd,
+- MMC_QUIRK_BROKEN_SD_DISCARD),
+-
+ END_FIXUP
+ };
+
diff --git a/queue-6.6/mmc-sdhci-add-a-helper-function-for-dump-register-in-dynamic-debug-mode.patch b/queue-6.6/mmc-sdhci-add-a-helper-function-for-dump-register-in-dynamic-debug-mode.patch
new file mode 100644
index 0000000000..3a38e0cd74
--- /dev/null
+++ b/queue-6.6/mmc-sdhci-add-a-helper-function-for-dump-register-in-dynamic-debug-mode.patch
@@ -0,0 +1,44 @@
+From 2881ba9af073faa8ee7408a8d1e0575e50eb3f6c Mon Sep 17 00:00:00 2001
+From: Victor Shih
+Date: Fri, 6 Jun 2025 19:01:20 +0800
+Subject: mmc: sdhci: Add a helper function for dump register in dynamic debug mode
+
+From: Victor Shih
+
+commit 2881ba9af073faa8ee7408a8d1e0575e50eb3f6c upstream.
+
+Add a helper function for dump register in dynamic debug mode.
+
+Signed-off-by: Victor Shih
+Acked-by: Adrian Hunter
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250606110121.96314-3-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci.h | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/mmc/host/sdhci.h
++++ b/drivers/mmc/host/sdhci.h
+@@ -825,4 +825,20 @@ void sdhci_switch_external_dma(struct sd
+ void sdhci_set_data_timeout_irq(struct sdhci_host *host, bool enable);
+ void __sdhci_set_timeout(struct sdhci_host *host, struct mmc_command *cmd);
+
++#if defined(CONFIG_DYNAMIC_DEBUG) || \
++ (defined(CONFIG_DYNAMIC_DEBUG_CORE) && defined(DYNAMIC_DEBUG_MODULE))
++#define SDHCI_DBG_ANYWAY 0
++#elif defined(DEBUG)
++#define SDHCI_DBG_ANYWAY 1
++#else
++#define SDHCI_DBG_ANYWAY 0
++#endif
++
++#define sdhci_dbg_dumpregs(host, fmt) \
++do { \
++ DEFINE_DYNAMIC_DEBUG_METADATA(descriptor, fmt); \
++ if (DYNAMIC_DEBUG_BRANCH(descriptor) || SDHCI_DBG_ANYWAY) \
++ sdhci_dumpregs(host); \
++} while (0)
++
+ #endif /* __SDHCI_HW_H */
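Review bot: The new `sdhci_dbg_dumpregs(host, fmt)` macro in sdhci.h has no comment, and its `fmt` argument is easy to misread: it is only handed to `DEFINE_DYNAMIC_DEBUG_METADATA()` and never printed, so the macro emits nothing but the register dump. A short comment above the macro should say that `fmt` is the format string recorded in the dynamic-debug descriptor for the call site, and that `SDHCI_DBG_ANYWAY` forces the dump in `DEBUG` builds that lack dynamic debug. This patch adds no caller, so how the macro is meant to be used can only be judged from a later change.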
diff --git a/queue-6.6/mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch b/queue-6.6/mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch
new file mode 100644
index 0000000000..8a50271342
--- /dev/null
+++ b/queue-6.6/mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch
@@ -0,0 +1,54 @@
+From 539d80575b810c7a5987c7ac8915e3bc99c03695 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Thu, 5 Jun 2025 10:07:38 +0900
+Subject: mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data
+
+From: Masami Hiramatsu (Google)
+
+commit 539d80575b810c7a5987c7ac8915e3bc99c03695 upstream.
+
+When swiotlb buffer is full, the dma_map_sg() returns 0 to
+msdc_prepare_data(), but it does not check it and sets the
+MSDC_PREPARE_FLAG.
+
+swiotlb_tbl_map_single() /* prints "swiotlb buffer is full" */
+ <-swiotlb_map()
+ <-dma_direct_map_page()
+ <-dma_direct_map_sg()
+ <-__dma_map_sg_attrs()
+ <-dma_map_sg_attrs()
+ <-dma_map_sg() /* returns 0 (pages mapped) */
+ <-msdc_prepare_data()
+
+Then, the msdc_unprepare_data() checks MSDC_PREPARE_FLAG and calls
+dma_unmap_sg() with unmapped pages. It causes a page fault.
+
+To fix this problem, Do not set MSDC_PREPARE_FLAG if dma_map_sg()
+fails because this is not prepared.
+
+Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver")
+Signed-off-by: Masami Hiramatsu (Google)
+Tested-by: Sergey Senozhatsky
+Reviewed-by: AngeloGioacchino Del Regno
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/174908565814.4056588.769599127120955383.stgit@mhiramat.tok.corp.google.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/mtk-sd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -770,9 +770,10 @@ static inline void msdc_dma_setup(struct
+ static void msdc_prepare_data(struct msdc_host *host, struct mmc_data *data)
+ {
+ if (!(data->host_cookie & MSDC_PREPARE_FLAG)) {
+- data->host_cookie |= MSDC_PREPARE_FLAG;
+ data->sg_count = dma_map_sg(host->dev, data->sg, data->sg_len,
+ mmc_get_dma_dir(data));
++ if (data->sg_count)
++ data->host_cookie |= MSDC_PREPARE_FLAG;
+ }
+ }
+
diff --git a/queue-6.6/mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch b/queue-6.6/mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch
new file mode 100644
index 0000000000..564acdd7c8
--- /dev/null
+++ b/queue-6.6/mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch
@@ -0,0 +1,60 @@
+From f5de469990f19569627ea0dd56536ff5a13beaa3 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)"
+Date: Thu, 12 Jun 2025 20:26:10 +0900
+Subject: mtk-sd: Prevent memory corruption from DMA map failure
+
+From: Masami Hiramatsu (Google)
+
+commit f5de469990f19569627ea0dd56536ff5a13beaa3 upstream.
+
+If msdc_prepare_data() fails to map the DMA region, the request is
+not prepared for data receiving, but msdc_start_data() proceeds
+the DMA with previous setting.
+Since this will lead a memory corruption, we have to stop the
+request operation soon after the msdc_prepare_data() fails to
+prepare it.
+
+Signed-off-by: Masami Hiramatsu (Google)
+Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/174972756982.3337526.6755001617701603082.stgit@mhiramat.tok.corp.google.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/mtk-sd.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -777,6 +777,11 @@ static void msdc_prepare_data(struct msd
+ }
+ }
+
++static bool msdc_data_prepared(struct mmc_data *data)
++{
++ return data->host_cookie & MSDC_PREPARE_FLAG;
++}
++
+ static void msdc_unprepare_data(struct msdc_host *host, struct mmc_data *data)
+ {
+ if (data->host_cookie & MSDC_ASYNC_FLAG)
+@@ -1339,8 +1344,18 @@ static void msdc_ops_request(struct mmc_
+ WARN_ON(host->mrq);
+ host->mrq = mrq;
+
+- if (mrq->data)
++ if (mrq->data) {
+ msdc_prepare_data(host, mrq->data);
++ if (!msdc_data_prepared(mrq->data)) {
++ /*
++ * Failed to prepare DMA area, fail fast before
++ * starting any commands.
++ */
++ mrq->cmd->error = -ENOSPC;
++ mmc_request_done(mmc_from_priv(host), mrq);
++ return;
++ }
++ }
+
+ /* if SBC is required, we have HW option and SW option.
+ * if HW option is enabled, and SBC does not have "special" flags,
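Review bot: msdc_ops_request() learns that the DMA mapping failed only by re-reading `host_cookie` through the new msdc_data_prepared() helper, because msdc_prepare_data() still returns void. Having msdc_prepare_data() report the result itself, `static bool msdc_prepare_data(...)`, would make the failure harder to miss for any other caller of the function; none are visible in these hunks, so whether another path can start DMA on an unmapped request needs checking in the full file. The error path also reports `-ENOSPC` for what is a mapping failure, and a few words in the existing comment on why that code was chosen would help whoever meets it in a log. msdc_ops_request() starts and ends outside the hunk.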
diff --git a/queue-6.6/mtk-sd-reset-host-mrq-on-prepare_data-error.patch b/queue-6.6/mtk-sd-reset-host-mrq-on-prepare_data-error.patch
new file mode 100644
index 0000000000..294f7f7661
--- /dev/null
+++ b/queue-6.6/mtk-sd-reset-host-mrq-on-prepare_data-error.patch
@@ -0,0 +1,33 @@
+From ec54c0a20709ed6e56f40a8d59eee725c31a916b Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky
+Date: Wed, 25 Jun 2025 14:20:37 +0900
+Subject: mtk-sd: reset host->mrq on prepare_data() error
+
+From: Sergey Senozhatsky
+
+commit ec54c0a20709ed6e56f40a8d59eee725c31a916b upstream.
+
+Do not leave host with dangling ->mrq pointer if we hit
+the msdc_prepare_data() error out path.
+
+Signed-off-by: Sergey Senozhatsky
+Reviewed-by: Masami Hiramatsu (Google)
+Fixes: f5de469990f1 ("mtk-sd: Prevent memory corruption from DMA map failure")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250625052106.584905-1-senozhatsky@chromium.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/mtk-sd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -1347,6 +1347,7 @@ static void msdc_ops_request(struct mmc_
+ if (mrq->data) {
+ msdc_prepare_data(host, mrq->data);
+ if (!msdc_data_prepared(mrq->data)) {
++ host->mrq = NULL;
+ /*
+ * Failed to prepare DMA area, fail fast before
+ * starting any commands.
diff --git a/queue-6.6/regulator-gpio-fix-the-out-of-bounds-access-to-drvdata-gpiods.patch b/queue-6.6/regulator-gpio-fix-the-out-of-bounds-access-to-drvdata-gpiods.patch
new file mode 100644
index 0000000000..855034fcef
--- /dev/null
+++ b/queue-6.6/regulator-gpio-fix-the-out-of-bounds-access-to-drvdata-gpiods.patch
@@ -0,0 +1,52 @@
+From c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam
+Date: Thu, 3 Jul 2025 16:05:49 +0530
+Subject: regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods
+
+From: Manivannan Sadhasivam
+
+commit c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 upstream.
+
+drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But
+the memory is allocated for only one pointer. This will lead to
+out-of-bounds access later in the code if 'config::ngpios' is > 1. So
+fix the code to allocate enough memory to hold 'config::ngpios' of GPIO
+descriptors.
+
+While at it, also move the check for memory allocation failure to be below
+the allocation to make it more readable.
+
+Cc: stable@vger.kernel.org # 5.0
+Fixes: d6cd33ad7102 ("regulator: gpio: Convert to use descriptors")
+Signed-off-by: Manivannan Sadhasivam
+Link: https://patch.msgid.link/20250703103549.16558-1-mani@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/regulator/gpio-regulator.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/regulator/gpio-regulator.c
++++ b/drivers/regulator/gpio-regulator.c
+@@ -260,8 +260,10 @@ static int gpio_regulator_probe(struct p
+ return -ENOMEM;
+ }
+
+- drvdata->gpiods = devm_kzalloc(dev, sizeof(struct gpio_desc *),
+- GFP_KERNEL);
++ drvdata->gpiods = devm_kcalloc(dev, config->ngpios,
++ sizeof(struct gpio_desc *), GFP_KERNEL);
++ if (!drvdata->gpiods)
++ return -ENOMEM;
+
+ if (config->input_supply) {
+ drvdata->desc.supply_name = devm_kstrdup(&pdev->dev,
+@@ -274,8 +276,6 @@ static int gpio_regulator_probe(struct p
+ }
+ }
+
+- if (!drvdata->gpiods)
+- return -ENOMEM;
+ for (i = 0; i < config->ngpios; i++) {
+ drvdata->gpiods[i] = devm_gpiod_get_index(dev,
+ NULL,
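Review bot: The element size in the new `devm_kcalloc()` call is still spelled `sizeof(struct gpio_desc *)`, so the allocation is tied to a type name rather than to the array it fills, which is the same kind of mismatch between allocation and use that this patch repairs. Writing it as `devm_kcalloc(dev, config->ngpios, sizeof(*drvdata->gpiods), GFP_KERNEL)` keeps the size right if the member's type ever changes. The loop further down indexes `drvdata->gpiods[i]` up to `config->ngpios`, which now matches the allocated count. gpio_regulator_probe() starts and ends outside the hunks.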
diff --git a/queue-6.6/revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch b/queue-6.6/revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch
new file mode 100644
index 0000000000..6696dccb68
--- /dev/null
+++ b/queue-6.6/revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch
@@ -0,0 +1,49 @@
+From dcc3bcfc5b50c625b475dcc25d167b6b947a6637 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson
+Date: Tue, 24 Jun 2025 13:09:32 +0200
+Subject: Revert "mmc: sdhci: Disable SD card clock before changing parameters"
+
+From: Ulf Hansson
+
+commit dcc3bcfc5b50c625b475dcc25d167b6b947a6637 upstream.
+
+It has turned out the trying to strictly conform to the SDHCI specification
+is causing problems. Let's revert and start over.
+
+This reverts commit fb3bbc46c94f261b6156ee863c1b06c84cf157dc.
+
+Cc: Erick Shepherd
+Cc: stable@vger.kernel.org
+Fixes: fb3bbc46c94f ("mmc: sdhci: Disable SD card clock before changing parameters")
+Suggested-by: Adrian Hunter
+Reported-by: Jonathan Liu
+Reported-by: Salvatore Bonaccorso
+Closes: https://bugs.debian.org/1108065
+Acked-by: Adrian Hunter
+Signed-off-by: Ulf Hansson
+Link: https://lore.kernel.org/r/20250624110932.176925-1-ulf.hansson@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/sdhci.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -2035,15 +2035,10 @@ void sdhci_set_clock(struct sdhci_host *
+
+ host->mmc->actual_clock = 0;
+
+- clk = sdhci_readw(host, SDHCI_CLOCK_CONTROL);
+- if (clk & SDHCI_CLOCK_CARD_EN)
+- sdhci_writew(host, clk & ~SDHCI_CLOCK_CARD_EN,
+- SDHCI_CLOCK_CONTROL);
++ sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL);
+
+- if (clock == 0) {
+- sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL);
++ if (clock == 0)
+ return;
+- }
+
+ clk = sdhci_calc_clk(host, clock, &host->mmc->actual_clock);
+ sdhci_enable_clk(host, clk);
diff --git a/queue-6.6/s390-pci-do-not-try-re-enabling-load-store-if-device-is-disabled.patch b/queue-6.6/s390-pci-do-not-try-re-enabling-load-store-if-device-is-disabled.patch
new file mode 100644
index 0000000000..52cd356bc2
--- /dev/null
+++ b/queue-6.6/s390-pci-do-not-try-re-enabling-load-store-if-device-is-disabled.patch
@@ -0,0 +1,37 @@
+From b97a7972b1f4f81417840b9a2ab0c19722b577d5 Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle
+Date: Wed, 25 Jun 2025 11:28:29 +0200
+Subject: s390/pci: Do not try re-enabling load/store if device is disabled
+
+From: Niklas Schnelle
+
+commit b97a7972b1f4f81417840b9a2ab0c19722b577d5 upstream.
+
+If a device is disabled unblocking load/store on its own is not useful
+as a full re-enable of the function is necessary anyway. Note that SCLP
+Write Event Data Action Qualifier 0 (Reset) leaves the device disabled
+and triggers this case unless the driver already requests a reset.
+
+Cc: stable@vger.kernel.org
+Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery")
+Reviewed-by: Farhan Ali
+Signed-off-by: Niklas Schnelle
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/pci/pci_event.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/s390/pci/pci_event.c
++++ b/arch/s390/pci/pci_event.c
+@@ -98,6 +98,10 @@ static pci_ers_result_t zpci_event_do_er
+ struct zpci_dev *zdev = to_zpci(pdev);
+ int rc;
+
++ /* The underlying device may have been disabled by the event */
++ if (!zdev_enabled(zdev))
++ return PCI_ERS_RESULT_NEED_RESET;
++
+ pr_info("%s: Unblocking device access for examination\n", pci_name(pdev));
+ rc = zpci_reset_load_store_blocked(zdev);
+ if (rc) {
diff --git a/queue-6.6/series b/queue-6.6/series
index 42640c199f..725bf7e4ec 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -1,3 +1,17 @@
 rtc-pcf2127-add-missing-semicolon-after-statement.patch
 rtc-pcf2127-fix-spi-command-byte-for-pcf2131.patch
 rtc-cmos-use-spin_lock_irqsave-in-cmos_interrupt.patch
+virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch
+s390-pci-do-not-try-re-enabling-load-store-if-device-is-disabled.patch
+vsock-vmci-clear-the-vmci-transport-packet-properly-when-initializing-it.patch
+mmc-sdhci-add-a-helper-function-for-dump-register-in-dynamic-debug-mode.patch
+revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch
+mmc-core-sd-apply-broken_sd_discard-quirk-earlier.patch
+bluetooth-hci_sync-revert-some-mesh-modifications.patch
+bluetooth-mgmt-set_mesh-update-le-scan-interval-and-window.patch
+bluetooth-mgmt-mesh_send-check-instances-prior-disabling-advertising.patch
+regulator-gpio-fix-the-out-of-bounds-access-to-drvdata-gpiods.patch
+usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch
+mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch
+mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch
+mtk-sd-reset-host-mrq-on-prepare_data-error.patch
diff --git a/queue-6.6/usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch b/queue-6.6/usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch
new file mode 100644
index 0000000000..5a6f697366
--- /dev/null
+++ b/queue-6.6/usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch
@@ -0,0 +1,53 @@
+From af4db5a35a4ef7a68046883bfd12468007db38f1 Mon Sep 17 00:00:00 2001
+From: RD Babiera
+Date: Wed, 18 Jun 2025 22:49:42 +0000
+Subject: usb: typec: altmodes/displayport: do not index invalid pin_assignments
+
+From: RD Babiera
+
+commit af4db5a35a4ef7a68046883bfd12468007db38f1 upstream.
+
+A poorly implemented DisplayPort Alt Mode port partner can indicate
+that its pin assignment capabilities are greater than the maximum
+value, DP_PIN_ASSIGN_F. In this case, calls to pin_assignment_show
+will cause a BRK exception due to an out of bounds array access.
+
+Prevent for loop in pin_assignment_show from accessing
+invalid values in pin_assignments by adding DP_PIN_ASSIGN_MAX
+value in typec_dp.h and using i < DP_PIN_ASSIGN_MAX as a loop
+condition.
+
+Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode")
+Cc: stable
+Signed-off-by: RD Babiera
+Reviewed-by: Badhri Jagan Sridharan
+Reviewed-by: Heikki Krogerus
+Link: https://lore.kernel.org/r/20250618224943.3263103-2-rdbabiera@google.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/altmodes/displayport.c | 2 +-
+ include/linux/usb/typec_dp.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -528,7 +528,7 @@ static ssize_t pin_assignment_show(struc
+
+ assignments = get_current_pin_assignments(dp);
+
+- for (i = 0; assignments; assignments >>= 1, i++) {
++ for (i = 0; assignments && i < DP_PIN_ASSIGN_MAX; assignments >>= 1, i++) {
+ if (assignments & 1) {
+ if (i == cur)
+ len += sprintf(buf + len, "[%s] ",
+--- a/include/linux/usb/typec_dp.h
++++ b/include/linux/usb/typec_dp.h
+@@ -56,6 +56,7 @@ enum {
+ DP_PIN_ASSIGN_D,
+ DP_PIN_ASSIGN_E,
+ DP_PIN_ASSIGN_F, /* Not supported after v1.0b */
++ DP_PIN_ASSIGN_MAX,
+ };
+
+ /* DisplayPort alt mode specific commands */
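Review bot: The new loop bound `i < DP_PIN_ASSIGN_MAX` in pin_assignment_show() protects the `pin_assignments` lookup named in the commit message only as long as that array has exactly DP_PIN_ASSIGN_MAX entries, and nothing in the patch enforces that link; the array's declaration is outside the hunk. Either bound the loop by the array itself, `assignments && i < ARRAY_SIZE(pin_assignments)`, or add `static_assert(ARRAY_SIZE(pin_assignments) == DP_PIN_ASSIGN_MAX);` next to the array. The out-of-range capability bits come from the port partner and are silently skipped here; masking or rejecting them where the partner's capabilities are first stored would also cover any other reader of the value, if there is one.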
diff --git a/queue-6.6/virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch b/queue-6.6/virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch
new file mode 100644
index 0000000000..a5e5af6072
--- /dev/null
+++ b/queue-6.6/virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch
@@ -0,0 +1,110 @@
+From 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 Mon Sep 17 00:00:00 2001
+From: Bui Quang Minh
+Date: Mon, 30 Jun 2025 21:42:10 +0700
+Subject: virtio-net: ensure the received length does not exceed allocated size
+
+From: Bui Quang Minh
+
+commit 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 upstream.
+
+In xdp_linearize_page, when reading the following buffers from the ring,
+we forget to check the received length with the true allocate size. This
+can lead to an out-of-bound read. This commit adds that missing check.
+
+Cc:
+Fixes: 4941d472bf95 ("virtio-net: do not reset during XDP set")
+Signed-off-by: Bui Quang Minh
+Acked-by: Jason Wang
+Link: https://patch.msgid.link/20250630144212.48471-2-minhquangbui99@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/virtio_net.c | 38 ++++++++++++++++++++++++++++++++++----
+ 1 file changed, 34 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -487,6 +487,26 @@ static unsigned int mergeable_ctx_to_tru
+ return (unsigned long)mrg_ctx & ((1 << MRG_CTX_HEADER_SHIFT) - 1);
+ }
+
++static int check_mergeable_len(struct net_device *dev, void *mrg_ctx,
++ unsigned int len)
++{
++ unsigned int headroom, tailroom, room, truesize;
++
++ truesize = mergeable_ctx_to_truesize(mrg_ctx);
++ headroom = mergeable_ctx_to_headroom(mrg_ctx);
++ tailroom = headroom ? sizeof(struct skb_shared_info) : 0;
++ room = SKB_DATA_ALIGN(headroom + tailroom);
++
++ if (len > truesize - room) {
++ pr_debug("%s: rx error: len %u exceeds truesize %lu\n",
++ dev->name, len, (unsigned long)(truesize - room));
++ DEV_STATS_INC(dev, rx_length_errors);
++ return -1;
++ }
++
++ return 0;
++}
++
+ static struct sk_buff *virtnet_build_skb(void *buf, unsigned int buflen,
+ unsigned int headroom,
+ unsigned int len)
+@@ -1084,7 +1104,8 @@ static unsigned int virtnet_get_headroom
+ * across multiple buffers (num_buf > 1), and we make sure buffers
+ * have enough headroom.
+ */
+-static struct page *xdp_linearize_page(struct receive_queue *rq,
++static struct page *xdp_linearize_page(struct net_device *dev,
++ struct receive_queue *rq,
+ int *num_buf,
+ struct page *p,
+ int offset,
+@@ -1104,18 +1125,27 @@ static struct page *xdp_linearize_page(s
+ memcpy(page_address(page) + page_off, page_address(p) + offset, *len);
+ page_off += *len;
+
++ /* Only mergeable mode can go inside this while loop. In small mode,
++ * *num_buf == 1, so it cannot go inside.
++ */
+ while (--*num_buf) {
+ unsigned int buflen;
+ void *buf;
++ void *ctx;
+ int off;
+
+- buf = virtnet_rq_get_buf(rq, &buflen, NULL);
++ buf = virtnet_rq_get_buf(rq, &buflen, &ctx);
+ if (unlikely(!buf))
+ goto err_buf;
+
+ p = virt_to_head_page(buf);
+ off = buf - page_address(p);
+
++ if (check_mergeable_len(dev, ctx, buflen)) {
++ put_page(p);
++ goto err_buf;
++ }
++
+ /* guard against a misconfigured or uncooperative backend that
+ * is sending packet larger than the MTU.
+ */
+@@ -1204,7 +1234,7 @@ static struct sk_buff *receive_small_xdp
+ headroom = vi->hdr_len + header_offset;
+ buflen = SKB_DATA_ALIGN(GOOD_PACKET_LEN + headroom) +
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+- xdp_page = xdp_linearize_page(rq, &num_buf, page,
++ xdp_page = xdp_linearize_page(dev, rq, &num_buf, page,
+ offset, header_offset,
+ &tlen);
+ if (!xdp_page)
+@@ -1539,7 +1569,7 @@ static void *mergeable_xdp_get_buf(struc
+ */
+ if (!xdp_prog->aux->xdp_has_frags) {
+ /* linearize data for XDP */
+- xdp_page = xdp_linearize_page(rq, num_buf,
++ xdp_page = xdp_linearize_page(vi->dev, rq, num_buf,
+ *page, offset,
+ VIRTIO_XDP_HEADROOM,
+ len);
diff --git a/queue-6.6/vsock-vmci-clear-the-vmci-transport-packet-properly-when-initializing-it.patch b/queue-6.6/vsock-vmci-clear-the-vmci-transport-packet-properly-when-initializing-it.patch
new file mode 100644
index 0000000000..359065a6ff
--- /dev/null
+++ b/queue-6.6/vsock-vmci-clear-the-vmci-transport-packet-properly-when-initializing-it.patch
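Review bot: In check_mergeable_len() the comparison `len > truesize - room` is evaluated in `unsigned int`, so if `room` ever exceeded `truesize` the subtraction would wrap and the check would accept any length. Both values are decoded from the mergeable context, which looks like driver-written state rather than device input, so this may be unreachable, but the guard is cheap to make explicit: `if (room > truesize || len > truesize - room) {`. The pr_debug text also says "exceeds truesize" while printing `truesize - room`; naming the usable size in the message would avoid confusion when the log is read during triage.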
@@ -0,0 +1,56 @@
+From 223e2288f4b8c262a864e2c03964ffac91744cd5 Mon Sep 17 00:00:00 2001
+From: HarshaVardhana S A
+Date: Tue, 1 Jul 2025 14:22:54 +0200
+Subject: vsock/vmci: Clear the vmci transport packet properly when initializing it
+
+From: HarshaVardhana S A
+
+commit 223e2288f4b8c262a864e2c03964ffac91744cd5 upstream.
+
+In vmci_transport_packet_init memset the vmci_transport_packet before
+populating the fields to avoid any uninitialised data being left in the
+structure.
+
+Cc: Bryan Tan
+Cc: Vishnu Dasa
+Cc: Broadcom internal kernel review list
+Cc: Stefano Garzarella
+Cc: "David S. Miller"
+Cc: Eric Dumazet
+Cc: Jakub Kicinski
+Cc: Paolo Abeni
+Cc: Simon Horman
+Cc: virtualization@lists.linux.dev
+Cc: netdev@vger.kernel.org
+Cc: stable
+Signed-off-by: HarshaVardhana S A
+Signed-off-by: Greg Kroah-Hartman
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Acked-by: Stefano Garzarella
+Link: https://patch.msgid.link/20250701122254.2397440-1-gregkh@linuxfoundation.org
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/vmw_vsock/vmci_transport.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -119,6 +119,8 @@ vmci_transport_packet_init(struct vmci_t
+ u16 proto,
+ struct vmci_handle handle)
+ {
++ memset(pkt, 0, sizeof(*pkt));
++
+ /* We register the stream control handler as an any cid handle so we
+ * must always send from a source address of VMADDR_CID_ANY
+ */
+@@ -131,8 +133,6 @@ vmci_transport_packet_init(struct vmci_t
+ pkt->type = type;
+ pkt->src_port = src->svm_port;
+ pkt->dst_port = dst->svm_port;
+- memset(&pkt->proto, 0, sizeof(pkt->proto));
+- memset(&pkt->_reserved2, 0, sizeof(pkt->_reserved2));
+
+ switch (pkt->type) {
+ case VMCI_TRANSPORT_PACKET_TYPE_INVALID:
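Review bot: The added `memset(pkt, 0, sizeof(*pkt));` in vmci_transport_packet_init() carries no comment, and without one the full-structure clear looks redundant next to the field assignments that follow, which makes it easy to trim back to per-field clears later. A comment such as `/* Clear the whole packet, padding and unused members included, so no uninitialised bytes remain */` would record why it is there. The function body continues past the end of the hunk.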