From: Greg Kroah-Hartman
Date: Thu, 25 Jun 2026 12:51:58 +0000 (+0100)
Subject: 7.1-stable patches
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b5d97f292c753b1467453d178f7d9adfd8749c64;p=thirdparty%2Fkernel%2Fstable-queue.git

7.1-stable patches

added patches:
crypto-qat-remove-unused-character-device-and-ioctls.patch
drivers-base-memory-set-mem-altmap-after-successful-device-registration.patch
iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
input-rmi4-fix-bit-count-in-bitmap_copy.patch
input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
input-rmi4-fix-register-descriptor-address-calculation.patch
input-rmi4-fix-type-overflow-in-register-counts.patch
input-rmi4-iterative-irq-handler.patch
input-rmi4-refactor-register-descriptor-parsing.patch
ksmbd-reject-non-valid-session-in-compound-request-branch.patch
media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
serial-8250_dw-unregister-8250-port-if-clk_notifier_register-fails.patch
serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
virtiofs-fix-uaf-on-submount-umount.patch
---
diff --git a/queue-7.1/crypto-qat-remove-unused-character-device-and-ioctls.patch b/queue-7.1/crypto-qat-remove-unused-character-device-and-ioctls.patch
new file mode 100644
index 0000000000..f40a692d56
--- /dev/null
+++ b/queue-7.1/crypto-qat-remove-unused-character-device-and-ioctls.patch
@@ -0,0 +1,726 @@ +From d237230728c567297f2f98b425d63156ab2ed17f Mon Sep 17 00:00:00 2001 +From: Giovanni Cabiddu +Date: Mon, 11 May 2026 11:04:08 +0100 +Subject: crypto: qat - remove unused character device and IOCTLs + +From: Giovanni Cabiddu + +commit d237230728c567297f2f98b425d63156ab2ed17f upstream. + +The QAT driver exposes a character device (qat_adf_ctl) with IOCTLs +for device configuration, start, stop, status query and enumeration. +These IOCTLs are not part of any public uAPI header and have no known +in-tree or out-of-tree users. Device lifecycle is already managed via +sysfs. + +The ioctl interface also increases the attack surface and is the +subject of a number of bug reports. + +Remove the character device, the IOCTL definitions, and the related +data structures (adf_dev_status_info, adf_user_cfg_key_val, +adf_user_cfg_section, adf_user_cfg_ctl_data). Drop the now-unused +adf_cfg_user.h header and strip adf_ctl_drv.c down to the minimal +module_init/module_exit hooks for workqueue, AER, and crypto/compression +algorithm registration. + +Clean up leftover dead code that was only reachable from the removed +IOCTL paths: adf_cfg_del_all(), adf_devmgr_verify_id(), +adf_devmgr_get_num_dev(), adf_devmgr_get_dev_by_id(), +adf_get_vf_real_id() and the unused ADF_CFG macros. + +Additionally, drop the entry associated to QAT IOCTLs in +ioctl-number.rst. 
+ +Cc: stable@vger.kernel.org +Fixes: d8cba25d2c68 ("crypto: qat - Intel(R) QAT driver framework") +Reported-by: Zhi Wang +Reported-by: Bin Yu +Reported-by: MingYu Wang +Closes: https://lore.kernel.org/all/61d6d499.ab89.19b9b7f3186.Coremail.wangzhi_xd@stu.xidian.edu.cn/ +Link: https://lore.kernel.org/all/20260508034841.256794-1-w15303746062@163.com/ +Link: https://lore.kernel.org/all/20260508023542.256299-1-w15303746062@163.com/ +Link: https://lore.kernel.org/all/20260504025120.98242-1-w15303746062@163.com/ +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Ahsan Atta +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/userspace-api/ioctl/ioctl-number.rst | 1 + drivers/crypto/intel/qat/qat_common/adf_cfg.c | 10 + drivers/crypto/intel/qat/qat_common/adf_cfg.h | 1 + drivers/crypto/intel/qat/qat_common/adf_cfg_common.h | 32 - + drivers/crypto/intel/qat/qat_common/adf_cfg_user.h | 38 - + drivers/crypto/intel/qat/qat_common/adf_common_drv.h | 3 + drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c | 404 ------------------- + drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c | 70 --- + 8 files changed, 1 insertion(+), 558 deletions(-) + delete mode 100644 drivers/crypto/intel/qat/qat_common/adf_cfg_user.h + +--- a/Documentation/userspace-api/ioctl/ioctl-number.rst ++++ b/Documentation/userspace-api/ioctl/ioctl-number.rst +@@ -229,7 +229,6 @@ Code Seq# Include File + + 'a' all linux/atm*.h, linux/sonet.h ATM on linux + +-'a' 00-0F drivers/crypto/qat/qat_common/adf_cfg_common.h conflict! qat driver + 'b' 00-FF conflict! bit3 vme host bridge + + 'b' 00-0F linux/dma-buf.h conflict! 
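Review bot: the ioctl-number.rst entry being removed still pointed at drivers/crypto/qat/qat_common/adf_cfg_common.h, whereas every file this patch touches lives under drivers/crypto/intel/qat/qat_common/, so the entry was already stale (wrong path) independently of this change and dropping it is the right call; it is only worth a quick grep to confirm no other document still reserves the 'a' 00-0F range for the QAT driver once this lands.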
+--- a/drivers/crypto/intel/qat/qat_common/adf_cfg.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_cfg.c +@@ -103,16 +103,6 @@ static void adf_cfg_section_del_all(stru + static void adf_cfg_section_del_all_except(struct list_head *head, + const char *section_name); + +-void adf_cfg_del_all(struct adf_accel_dev *accel_dev) +-{ +- struct adf_cfg_device_data *dev_cfg_data = accel_dev->cfg; +- +- down_write(&dev_cfg_data->lock); +- adf_cfg_section_del_all(&dev_cfg_data->sec_list); +- up_write(&dev_cfg_data->lock); +- clear_bit(ADF_STATUS_CONFIGURED, &accel_dev->status); +-} +- + void adf_cfg_del_all_except(struct adf_accel_dev *accel_dev, + const char *section_name) + { +--- a/drivers/crypto/intel/qat/qat_common/adf_cfg.h ++++ b/drivers/crypto/intel/qat/qat_common/adf_cfg.h +@@ -34,7 +34,6 @@ void adf_cfg_dev_remove(struct adf_accel + void adf_cfg_dev_dbgfs_add(struct adf_accel_dev *accel_dev); + void adf_cfg_dev_dbgfs_rm(struct adf_accel_dev *accel_dev); + int adf_cfg_section_add(struct adf_accel_dev *accel_dev, const char *name); +-void adf_cfg_del_all(struct adf_accel_dev *accel_dev); + void adf_cfg_del_all_except(struct adf_accel_dev *accel_dev, + const char *section_name); + int adf_cfg_add_key_value_param(struct adf_accel_dev *accel_dev, +--- a/drivers/crypto/intel/qat/qat_common/adf_cfg_common.h ++++ b/drivers/crypto/intel/qat/qat_common/adf_cfg_common.h +@@ -4,18 +4,11 @@ + #define ADF_CFG_COMMON_H_ + + #include +-#include + + #define ADF_CFG_MAX_STR_LEN 64 + #define ADF_CFG_MAX_KEY_LEN_IN_BYTES ADF_CFG_MAX_STR_LEN + #define ADF_CFG_MAX_VAL_LEN_IN_BYTES ADF_CFG_MAX_STR_LEN + #define ADF_CFG_MAX_SECTION_LEN_IN_BYTES ADF_CFG_MAX_STR_LEN +-#define ADF_CFG_BASE_DEC 10 +-#define ADF_CFG_BASE_HEX 16 +-#define ADF_CFG_ALL_DEVICES 0xFE +-#define ADF_CFG_NO_DEVICE 0xFF +-#define ADF_CFG_AFFINITY_WHATEVER 0xFF +-#define MAX_DEVICE_NAME_SIZE 32 + #define ADF_MAX_DEVICES (32 * 32) + #define ADF_DEVS_ARRAY_SIZE BITS_TO_LONGS(ADF_MAX_DEVICES) + +@@ -51,29 +44,4 @@ enum 
adf_device_type { + DEV_420XX, + DEV_6XXX, + }; +- +-struct adf_dev_status_info { +- enum adf_device_type type; +- __u32 accel_id; +- __u32 instance_id; +- __u8 num_ae; +- __u8 num_accel; +- __u8 num_logical_accel; +- __u8 banks_per_accel; +- __u8 state; +- __u8 bus; +- __u8 dev; +- __u8 fun; +- char name[MAX_DEVICE_NAME_SIZE]; +-}; +- +-#define ADF_CTL_IOC_MAGIC 'a' +-#define IOCTL_CONFIG_SYS_RESOURCE_PARAMETERS _IOW(ADF_CTL_IOC_MAGIC, 0, \ +- struct adf_user_cfg_ctl_data) +-#define IOCTL_STOP_ACCEL_DEV _IOW(ADF_CTL_IOC_MAGIC, 1, \ +- struct adf_user_cfg_ctl_data) +-#define IOCTL_START_ACCEL_DEV _IOW(ADF_CTL_IOC_MAGIC, 2, \ +- struct adf_user_cfg_ctl_data) +-#define IOCTL_STATUS_ACCEL_DEV _IOW(ADF_CTL_IOC_MAGIC, 3, __u32) +-#define IOCTL_GET_NUM_DEVICES _IOW(ADF_CTL_IOC_MAGIC, 4, __s32) + #endif +--- a/drivers/crypto/intel/qat/qat_common/adf_cfg_user.h ++++ /dev/null +@@ -1,38 +0,0 @@ +-/* SPDX-License-Identifier: (BSD-3-Clause OR GPL-2.0-only) */ +-/* Copyright(c) 2014 - 2020 Intel Corporation */ +-#ifndef ADF_CFG_USER_H_ +-#define ADF_CFG_USER_H_ +- +-#include "adf_cfg_common.h" +-#include "adf_cfg_strings.h" +- +-struct adf_user_cfg_key_val { +- char key[ADF_CFG_MAX_KEY_LEN_IN_BYTES]; +- char val[ADF_CFG_MAX_VAL_LEN_IN_BYTES]; +- union { +- struct adf_user_cfg_key_val *next; +- __u64 padding3; +- }; +- enum adf_cfg_val_type type; +-} __packed; +- +-struct adf_user_cfg_section { +- char name[ADF_CFG_MAX_SECTION_LEN_IN_BYTES]; +- union { +- struct adf_user_cfg_key_val *params; +- __u64 padding1; +- }; +- union { +- struct adf_user_cfg_section *next; +- __u64 padding3; +- }; +-} __packed; +- +-struct adf_user_cfg_ctl_data { +- union { +- struct adf_user_cfg_section *config_section; +- __u64 padding; +- }; +- __u8 device_id; +-} __packed; +-#endif +--- a/drivers/crypto/intel/qat/qat_common/adf_common_drv.h ++++ b/drivers/crypto/intel/qat/qat_common/adf_common_drv.h +@@ -68,10 +68,7 @@ int adf_devmgr_add_dev(struct adf_accel_ + void adf_devmgr_rm_dev(struct 
adf_accel_dev *accel_dev, + struct adf_accel_dev *pf); + struct list_head *adf_devmgr_get_head(void); +-struct adf_accel_dev *adf_devmgr_get_dev_by_id(u32 id); + struct adf_accel_dev *adf_devmgr_pci_to_accel_dev(struct pci_dev *pci_dev); +-int adf_devmgr_verify_id(u32 id); +-void adf_devmgr_get_num_dev(u32 *num); + int adf_devmgr_in_reset(struct adf_accel_dev *accel_dev); + int adf_dev_started(struct adf_accel_dev *accel_dev); + int adf_dev_restarting_notify(struct adf_accel_dev *accel_dev); +--- a/drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_ctl_drv.c +@@ -2,410 +2,13 @@ + /* Copyright(c) 2014 - 2020 Intel Corporation */ + + #include ++#include + #include +-#include +-#include +-#include +-#include +-#include +-#include +-#include + +-#include "adf_accel_devices.h" + #include "adf_common_drv.h" +-#include "adf_cfg.h" +-#include "adf_cfg_common.h" +-#include "adf_cfg_user.h" +- +-#define ADF_CFG_MAX_SECTION 512 +-#define ADF_CFG_MAX_KEY_VAL 256 +- +-#define DEVICE_NAME "qat_adf_ctl" +- +-static DEFINE_MUTEX(adf_ctl_lock); +-static long adf_ctl_ioctl(struct file *fp, unsigned int cmd, unsigned long arg); +- +-static const struct file_operations adf_ctl_ops = { +- .owner = THIS_MODULE, +- .unlocked_ioctl = adf_ctl_ioctl, +- .compat_ioctl = compat_ptr_ioctl, +-}; +- +-static const struct class adf_ctl_class = { +- .name = DEVICE_NAME, +-}; +- +-struct adf_ctl_drv_info { +- unsigned int major; +- struct cdev drv_cdev; +-}; +- +-static struct adf_ctl_drv_info adf_ctl_drv; +- +-static void adf_chr_drv_destroy(void) +-{ +- device_destroy(&adf_ctl_class, MKDEV(adf_ctl_drv.major, 0)); +- cdev_del(&adf_ctl_drv.drv_cdev); +- class_unregister(&adf_ctl_class); +- unregister_chrdev_region(MKDEV(adf_ctl_drv.major, 0), 1); +-} +- +-static int adf_chr_drv_create(void) +-{ +- dev_t dev_id; +- struct device *drv_device; +- int ret; +- +- if (alloc_chrdev_region(&dev_id, 0, 1, DEVICE_NAME)) { +- pr_err("QAT: unable to allocate chrdev 
region\n"); +- return -EFAULT; +- } +- +- ret = class_register(&adf_ctl_class); +- if (ret) +- goto err_chrdev_unreg; +- +- adf_ctl_drv.major = MAJOR(dev_id); +- cdev_init(&adf_ctl_drv.drv_cdev, &adf_ctl_ops); +- if (cdev_add(&adf_ctl_drv.drv_cdev, dev_id, 1)) { +- pr_err("QAT: cdev add failed\n"); +- goto err_class_destr; +- } +- +- drv_device = device_create(&adf_ctl_class, NULL, +- MKDEV(adf_ctl_drv.major, 0), +- NULL, DEVICE_NAME); +- if (IS_ERR(drv_device)) { +- pr_err("QAT: failed to create device\n"); +- goto err_cdev_del; +- } +- return 0; +-err_cdev_del: +- cdev_del(&adf_ctl_drv.drv_cdev); +-err_class_destr: +- class_unregister(&adf_ctl_class); +-err_chrdev_unreg: +- unregister_chrdev_region(dev_id, 1); +- return -EFAULT; +-} +- +-static struct adf_user_cfg_ctl_data *adf_ctl_alloc_resources(unsigned long arg) +-{ +- struct adf_user_cfg_ctl_data *cfg_data; +- +- cfg_data = memdup_user((void __user *)arg, sizeof(*cfg_data)); +- if (IS_ERR(cfg_data)) +- pr_err("QAT: failed to copy from user cfg_data.\n"); +- return cfg_data; +-} +- +-static int adf_add_key_value_data(struct adf_accel_dev *accel_dev, +- const char *section, +- const struct adf_user_cfg_key_val *key_val) +-{ +- if (key_val->type == ADF_HEX) { +- long *ptr = (long *)key_val->val; +- long val = *ptr; +- +- if (adf_cfg_add_key_value_param(accel_dev, section, +- key_val->key, (void *)val, +- key_val->type)) { +- dev_err(&GET_DEV(accel_dev), +- "failed to add hex keyvalue.\n"); +- return -EFAULT; +- } +- } else { +- if (adf_cfg_add_key_value_param(accel_dev, section, +- key_val->key, key_val->val, +- key_val->type)) { +- dev_err(&GET_DEV(accel_dev), +- "failed to add keyvalue.\n"); +- return -EFAULT; +- } +- } +- return 0; +-} +- +-static int adf_copy_key_value_data(struct adf_accel_dev *accel_dev, +- struct adf_user_cfg_ctl_data *ctl_data) +-{ +- struct adf_user_cfg_key_val key_val; +- struct adf_user_cfg_key_val *params_head; +- struct adf_user_cfg_section section, *section_head; +- int i, j; +- 
+- section_head = ctl_data->config_section; +- +- for (i = 0; section_head && i < ADF_CFG_MAX_SECTION; i++) { +- if (copy_from_user(§ion, (void __user *)section_head, +- sizeof(*section_head))) { +- dev_err(&GET_DEV(accel_dev), +- "failed to copy section info\n"); +- goto out_err; +- } +- +- if (adf_cfg_section_add(accel_dev, section.name)) { +- dev_err(&GET_DEV(accel_dev), +- "failed to add section.\n"); +- goto out_err; +- } +- +- params_head = section.params; +- +- for (j = 0; params_head && j < ADF_CFG_MAX_KEY_VAL; j++) { +- if (copy_from_user(&key_val, (void __user *)params_head, +- sizeof(key_val))) { +- dev_err(&GET_DEV(accel_dev), +- "Failed to copy keyvalue.\n"); +- goto out_err; +- } +- if (adf_add_key_value_data(accel_dev, section.name, +- &key_val)) { +- goto out_err; +- } +- params_head = key_val.next; +- } +- section_head = section.next; +- } +- return 0; +-out_err: +- adf_cfg_del_all(accel_dev); +- return -EFAULT; +-} +- +-static int adf_ctl_ioctl_dev_config(struct file *fp, unsigned int cmd, +- unsigned long arg) +-{ +- struct adf_user_cfg_ctl_data *ctl_data; +- struct adf_accel_dev *accel_dev; +- int ret = 0; +- +- ctl_data = adf_ctl_alloc_resources(arg); +- if (IS_ERR(ctl_data)) +- return PTR_ERR(ctl_data); +- +- accel_dev = adf_devmgr_get_dev_by_id(ctl_data->device_id); +- if (!accel_dev) { +- ret = -EFAULT; +- goto out; +- } +- +- if (adf_dev_started(accel_dev)) { +- ret = -EFAULT; +- goto out; +- } +- +- if (adf_copy_key_value_data(accel_dev, ctl_data)) { +- ret = -EFAULT; +- goto out; +- } +- set_bit(ADF_STATUS_CONFIGURED, &accel_dev->status); +-out: +- kfree(ctl_data); +- return ret; +-} +- +-static int adf_ctl_is_device_in_use(int id) +-{ +- struct adf_accel_dev *dev; +- +- list_for_each_entry(dev, adf_devmgr_get_head(), list) { +- if (id == dev->accel_id || id == ADF_CFG_ALL_DEVICES) { +- if (adf_devmgr_in_reset(dev) || adf_dev_in_use(dev)) { +- dev_info(&GET_DEV(dev), +- "device qat_dev%d is busy\n", +- dev->accel_id); +- return -EBUSY; +- 
} +- } +- } +- return 0; +-} +- +-static void adf_ctl_stop_devices(u32 id) +-{ +- struct adf_accel_dev *accel_dev; +- +- list_for_each_entry(accel_dev, adf_devmgr_get_head(), list) { +- if (id == accel_dev->accel_id || id == ADF_CFG_ALL_DEVICES) { +- if (!adf_dev_started(accel_dev)) +- continue; +- +- /* First stop all VFs */ +- if (!accel_dev->is_vf) +- continue; +- +- adf_dev_down(accel_dev); +- } +- } +- +- list_for_each_entry(accel_dev, adf_devmgr_get_head(), list) { +- if (id == accel_dev->accel_id || id == ADF_CFG_ALL_DEVICES) { +- if (!adf_dev_started(accel_dev)) +- continue; +- +- adf_dev_down(accel_dev); +- } +- } +-} +- +-static int adf_ctl_ioctl_dev_stop(struct file *fp, unsigned int cmd, +- unsigned long arg) +-{ +- int ret; +- struct adf_user_cfg_ctl_data *ctl_data; +- +- ctl_data = adf_ctl_alloc_resources(arg); +- if (IS_ERR(ctl_data)) +- return PTR_ERR(ctl_data); +- +- if (adf_devmgr_verify_id(ctl_data->device_id)) { +- pr_err("QAT: Device %d not found\n", ctl_data->device_id); +- ret = -ENODEV; +- goto out; +- } +- +- ret = adf_ctl_is_device_in_use(ctl_data->device_id); +- if (ret) +- goto out; +- +- if (ctl_data->device_id == ADF_CFG_ALL_DEVICES) +- pr_info("QAT: Stopping all acceleration devices.\n"); +- else +- pr_info("QAT: Stopping acceleration device qat_dev%d.\n", +- ctl_data->device_id); +- +- adf_ctl_stop_devices(ctl_data->device_id); +- +-out: +- kfree(ctl_data); +- return ret; +-} +- +-static int adf_ctl_ioctl_dev_start(struct file *fp, unsigned int cmd, +- unsigned long arg) +-{ +- int ret; +- struct adf_user_cfg_ctl_data *ctl_data; +- struct adf_accel_dev *accel_dev; +- +- ctl_data = adf_ctl_alloc_resources(arg); +- if (IS_ERR(ctl_data)) +- return PTR_ERR(ctl_data); +- +- ret = -ENODEV; +- accel_dev = adf_devmgr_get_dev_by_id(ctl_data->device_id); +- if (!accel_dev) +- goto out; +- +- dev_info(&GET_DEV(accel_dev), +- "Starting acceleration device qat_dev%d.\n", +- ctl_data->device_id); +- +- ret = adf_dev_up(accel_dev, false); +- +- if 
(ret) { +- dev_err(&GET_DEV(accel_dev), "Failed to start qat_dev%d\n", +- ctl_data->device_id); +- adf_dev_down(accel_dev); +- } +-out: +- kfree(ctl_data); +- return ret; +-} +- +-static int adf_ctl_ioctl_get_num_devices(struct file *fp, unsigned int cmd, +- unsigned long arg) +-{ +- u32 num_devices = 0; +- +- adf_devmgr_get_num_dev(&num_devices); +- if (copy_to_user((void __user *)arg, &num_devices, sizeof(num_devices))) +- return -EFAULT; +- +- return 0; +-} +- +-static int adf_ctl_ioctl_get_status(struct file *fp, unsigned int cmd, +- unsigned long arg) +-{ +- struct adf_hw_device_data *hw_data; +- struct adf_dev_status_info dev_info; +- struct adf_accel_dev *accel_dev; +- +- if (copy_from_user(&dev_info, (void __user *)arg, +- sizeof(struct adf_dev_status_info))) { +- pr_err("QAT: failed to copy from user.\n"); +- return -EFAULT; +- } +- +- accel_dev = adf_devmgr_get_dev_by_id(dev_info.accel_id); +- if (!accel_dev) +- return -ENODEV; +- +- hw_data = accel_dev->hw_device; +- dev_info.state = adf_dev_started(accel_dev) ? 
DEV_UP : DEV_DOWN; +- dev_info.num_ae = hw_data->get_num_aes(hw_data); +- dev_info.num_accel = hw_data->get_num_accels(hw_data); +- dev_info.num_logical_accel = hw_data->num_logical_accel; +- dev_info.banks_per_accel = hw_data->num_banks +- / hw_data->num_logical_accel; +- strscpy(dev_info.name, hw_data->dev_class->name, sizeof(dev_info.name)); +- dev_info.instance_id = hw_data->instance_id; +- dev_info.type = hw_data->dev_class->type; +- dev_info.bus = accel_to_pci_dev(accel_dev)->bus->number; +- dev_info.dev = PCI_SLOT(accel_to_pci_dev(accel_dev)->devfn); +- dev_info.fun = PCI_FUNC(accel_to_pci_dev(accel_dev)->devfn); +- +- if (copy_to_user((void __user *)arg, &dev_info, +- sizeof(struct adf_dev_status_info))) { +- dev_err(&GET_DEV(accel_dev), "failed to copy status.\n"); +- return -EFAULT; +- } +- return 0; +-} +- +-static long adf_ctl_ioctl(struct file *fp, unsigned int cmd, unsigned long arg) +-{ +- int ret; +- +- if (mutex_lock_interruptible(&adf_ctl_lock)) +- return -EFAULT; +- +- switch (cmd) { +- case IOCTL_CONFIG_SYS_RESOURCE_PARAMETERS: +- ret = adf_ctl_ioctl_dev_config(fp, cmd, arg); +- break; +- +- case IOCTL_STOP_ACCEL_DEV: +- ret = adf_ctl_ioctl_dev_stop(fp, cmd, arg); +- break; +- +- case IOCTL_START_ACCEL_DEV: +- ret = adf_ctl_ioctl_dev_start(fp, cmd, arg); +- break; +- +- case IOCTL_GET_NUM_DEVICES: +- ret = adf_ctl_ioctl_get_num_devices(fp, cmd, arg); +- break; +- +- case IOCTL_STATUS_ACCEL_DEV: +- ret = adf_ctl_ioctl_get_status(fp, cmd, arg); +- break; +- default: +- pr_err_ratelimited("QAT: Invalid ioctl %d\n", cmd); +- ret = -EFAULT; +- break; +- } +- mutex_unlock(&adf_ctl_lock); +- return ret; +-} + + static int __init adf_register_ctl_device_driver(void) + { +- if (adf_chr_drv_create()) +- goto err_chr_dev; +- + if (adf_init_misc_wq()) + goto err_misc_wq; + +@@ -437,15 +40,11 @@ err_pf_wq: + err_aer: + adf_exit_misc_wq(); + err_misc_wq: +- adf_chr_drv_destroy(); +-err_chr_dev: +- mutex_destroy(&adf_ctl_lock); + return -EFAULT; + } + + static 
void __exit adf_unregister_ctl_device_driver(void) + { +- adf_chr_drv_destroy(); + adf_exit_misc_wq(); + adf_exit_aer(); + adf_exit_vf_wq(); +@@ -453,7 +52,6 @@ static void __exit adf_unregister_ctl_de + qat_crypto_unregister(); + qat_compression_unregister(); + adf_clean_vf_map(false); +- mutex_destroy(&adf_ctl_lock); + } + + module_init(adf_register_ctl_device_driver); +--- a/drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c ++++ b/drivers/crypto/intel/qat/qat_common/adf_dev_mgr.c +@@ -45,19 +45,6 @@ static struct vf_id_map *adf_find_vf(u32 + return NULL; + } + +-static int adf_get_vf_real_id(u32 fake) +-{ +- struct list_head *itr; +- +- list_for_each(itr, &vfs_table) { +- struct vf_id_map *ptr = +- list_entry(itr, struct vf_id_map, list); +- if (ptr->fake_id == fake) +- return ptr->id; +- } +- return -1; +-} +- + /** + * adf_clean_vf_map() - Cleans VF id mappings + * @vf: flag indicating whether mappings is cleaned +@@ -304,63 +291,6 @@ struct adf_accel_dev *adf_devmgr_pci_to_ + } + EXPORT_SYMBOL_GPL(adf_devmgr_pci_to_accel_dev); + +-struct adf_accel_dev *adf_devmgr_get_dev_by_id(u32 id) +-{ +- struct list_head *itr; +- int real_id; +- +- mutex_lock(&table_lock); +- real_id = adf_get_vf_real_id(id); +- if (real_id < 0) +- goto unlock; +- +- id = real_id; +- +- list_for_each(itr, &accel_table) { +- struct adf_accel_dev *ptr = +- list_entry(itr, struct adf_accel_dev, list); +- if (ptr->accel_id == id) { +- mutex_unlock(&table_lock); +- return ptr; +- } +- } +-unlock: +- mutex_unlock(&table_lock); +- return NULL; +-} +- +-int adf_devmgr_verify_id(u32 id) +-{ +- if (id == ADF_CFG_ALL_DEVICES) +- return 0; +- +- if (adf_devmgr_get_dev_by_id(id)) +- return 0; +- +- return -ENODEV; +-} +- +-static int adf_get_num_dettached_vfs(void) +-{ +- struct list_head *itr; +- int vfs = 0; +- +- mutex_lock(&table_lock); +- list_for_each(itr, &vfs_table) { +- struct vf_id_map *ptr = +- list_entry(itr, struct vf_id_map, list); +- if (ptr->bdf != ~0 && !ptr->attached) +- vfs++; +- } 
+- mutex_unlock(&table_lock); +- return vfs; +-} +- +-void adf_devmgr_get_num_dev(u32 *num) +-{ +- *num = num_devices - adf_get_num_dettached_vfs(); +-} +- + /** + * adf_dev_in_use() - Check whether accel_dev is currently in use + * @accel_dev: Pointer to acceleration device. diff --git a/queue-7.1/drivers-base-memory-set-mem-altmap-after-successful-device-registration.patch b/queue-7.1/drivers-base-memory-set-mem-altmap-after-successful-device-registration.patch new file mode 100644 index 0000000000..3b68229ee4 --- /dev/null +++ b/queue-7.1/drivers-base-memory-set-mem-altmap-after-successful-device-registration.patch 
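Review bot: in adf_register_ctl_device_driver() the error path still returns -EFAULT (err_misc_wq: return -EFAULT;) even though the chrdev code that originally produced that value is gone; the remaining failures come from adf_init_misc_wq() and the other init helpers whose int return is discarded (`if (adf_init_misc_wq()) goto err_misc_wq;`), so capturing and propagating the callee's error, or at least -ENOMEM, would be more accurate now that this function is trimmed down. On the justification side, the deleted adf_add_key_value_data() reinterpreted the first sizeof(long) bytes of the user-supplied val[] buffer as a pointer-sized value (`long *ptr = (long *)key_val->val;`) and adf_copy_key_value_data() chased user-controlled section.next / key_val.next pointers for up to ADF_CFG_MAX_SECTION (512) x ADF_CFG_MAX_KEY_VAL (256) copy_from_user() round trips; since this removes the qat_adf_ctl device node in a stable release, spelling out that this is the surface behind the linked bug reports would make the Cc: stable easier to defend.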
@@ -0,0 +1,54 @@ +From a2b8d7827f48ee54a686cb80e4a1d0ff954ec42a Mon Sep 17 00:00:00 2001 +From: Georgi Djakov +Date: Thu, 14 May 2026 02:26:57 -0700 +Subject: drivers/base/memory: set mem->altmap after successful device registration + +From: Georgi Djakov + +commit a2b8d7827f48ee54a686cb80e4a1d0ff954ec42a upstream. + +If __add_memory_block() fails at xa_store() (under memory pressure for +example), device_unregister() is called, which eventually triggers +memory_block_release() with mem->altmap still set, causing a +WARN_ON(mem->altmap). This was triggered by modifying virtio-mem driver. + +Fix this by delaying the assignment of mem->altmap until after +__add_memory_block() has succeeded. + +Link: https://lore.kernel.org/20260514092657.3057141-1-georgi.djakov@oss.qualcomm.com +Fixes: 1a8c64e11043 ("mm/memory_hotplug: embed vmem_altmap details in memory block") +Signed-off-by: Georgi Djakov +Acked-by: Oscar Salvador (SUSE) +Cc: Vishal Verma +Cc: Mike Rapoport +Cc: Richard Cheng +Cc: David Hildenbrand +Cc: Georgi Djakov +Cc: Greg Kroah-Hartman +Cc: "Rafael J. Wysocki" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/memory.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -807,7 +807,6 @@ static int add_memory_block(unsigned lon + mem->start_section_nr = block_id * sections_per_block; + mem->state = state; + mem->nid = nid; +- mem->altmap = altmap; + INIT_LIST_HEAD(&mem->group_next); + + #ifndef CONFIG_NUMA +@@ -825,6 +824,8 @@ static int add_memory_block(unsigned lon + if (ret) + return ret; + ++ mem->altmap = altmap; ++ + if (group) { + mem->group = group; + list_add(&mem->group_next, &group->memory_blocks); diff --git a/queue-7.1/iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch b/queue-7.1/iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch new file mode 100644 index 0000000000..d72d5c7322 --- /dev/null 
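Review bot: the relocated `mem->altmap = altmap;` now runs only after __add_memory_block() has registered the device, so there is a short window in which the block is reachable with mem->altmap == NULL; that is fine as long as nothing consults altmap before add_memory_block() returns, but a one-line comment at the new location saying the assignment must stay after registration (so that device_unregister() on the xa_store() failure path does not reach memory_block_release() with altmap set and trip its WARN_ON) would keep a later cleanup from hoisting it back. The placement is consistent with how mem->group is already assigned after registration in the same function (`if (group) { mem->group = group;`).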
+++ b/queue-7.1/iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch @@ -0,0 +1,57 @@ +From 95e8a48d7a85d4226934020e57815a3316d3a14b Mon Sep 17 00:00:00 2001 +From: Sam Daly +Date: Thu, 14 May 2026 18:23:20 +0200 +Subject: iio: adc: ti-ads1298: add bounds check to pga_settings index +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sam Daly + +commit 95e8a48d7a85d4226934020e57815a3316d3a14b upstream. + +ads1298_pga_settings has 7 elements but ADS1298_MASK_CH_PGA can yield +values 0-7. If it yields a value >= 7, this causes an out-of-bounds +array access. Add a bounds check and return -EINVAL if the index +is out of range. + +Note that the remaining value b111 is reserved so should not be seen +in a correctly functioning system. + +Assisted-by: gkh_clanker_2000 +Cc: stable +Cc: Jonathan Cameron +Cc: David Lechner +Cc: "Nuno Sá" +Cc: Andy Shevchenko +Signed-off-by: Sam Daly +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ti-ads1298.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/ti-ads1298.c ++++ b/drivers/iio/adc/ti-ads1298.c +@@ -279,6 +279,7 @@ static const u8 ads1298_pga_settings[] = + static int ads1298_get_scale(struct ads1298_private *priv, + int channel, int *val, int *val2) + { ++ unsigned int pga_idx; + int ret; + unsigned int regval; + u8 gain; +@@ -302,7 +303,11 @@ static int ads1298_get_scale(struct ads1 + if (ret) + return ret; + +- gain = ads1298_pga_settings[FIELD_GET(ADS1298_MASK_CH_PGA, regval)]; ++ pga_idx = FIELD_GET(ADS1298_MASK_CH_PGA, regval); ++ if (pga_idx >= ARRAY_SIZE(ads1298_pga_settings)) ++ return -EINVAL; ++ ++ gain = ads1298_pga_settings[pga_idx]; + *val /= gain; /* Full scale is VREF / gain */ + + *val2 = ADS1298_BITS_PER_SAMPLE - 1; /* Signed, hence the -1 */ 
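Review bot: the new check is correct (pga_idx is unsigned int, so `pga_idx >= ARRAY_SIZE(ads1298_pga_settings)` catches the one reserved encoding, 7), but -EINVAL misdescribes the failure: the caller supplied nothing invalid, the device or the bus returned a reserved PGA value, so -EIO plus a dev_err_ratelimited() naming the channel would make this distinguishable in the log from a bad user argument. Minor: `unsigned int pga_idx;` was inserted above `int ret;` while `unsigned int regval;` already sits below it; grouping the two unsigned locals together would read more naturally.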
diff --git a/queue-7.1/iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch b/queue-7.1/iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch new file mode 100644 index 0000000000..c113a2e024 --- /dev/null +++ b/queue-7.1/iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch 
@@ -0,0 +1,52 @@ +From 307dc4240bd41852d9e0912921e298160db1c109 Mon Sep 17 00:00:00 2001 +From: Sam Daly +Date: Thu, 14 May 2026 18:23:21 +0200 +Subject: iio: light: veml6075: add bounds check to veml6075_it_ms index + +From: Sam Daly + +commit 307dc4240bd41852d9e0912921e298160db1c109 upstream. + +veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield values 0-7. +If it returns a value >= 5, this causes an out-of-bounds array access. +Add a bounds check and return -EINVAL if the index is out of range. + +The problem values are reserved so should never be read from the +register. Hence this is hardening against fault device, missprogramming +or bus corruption. + +Assisted-by: gkh_clanker_2000 +Cc: stable +Signed-off-by: Sam Daly +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Javier Carrasco +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/veml6075.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/iio/light/veml6075.c ++++ b/drivers/iio/light/veml6075.c +@@ -100,7 +100,7 @@ static const struct iio_chan_spec veml60 + + static int veml6075_request_measurement(struct veml6075_data *data) + { +- int ret, conf, int_time; ++ int ret, conf, int_time, int_index; + + ret = regmap_read(data->regmap, VEML6075_CMD_CONF, &conf); + if (ret < 0) +@@ -117,7 +117,11 @@ static int veml6075_request_measurement( + * time for all possible configurations. Using a 1.50 factor simplifies + * operations and ensures reliability under all circumstances. + */ +- int_time = veml6075_it_ms[FIELD_GET(VEML6075_CONF_IT, conf)]; ++ int_index = FIELD_GET(VEML6075_CONF_IT, conf); ++ if (int_index >= ARRAY_SIZE(veml6075_it_ms)) ++ return -EINVAL; ++ ++ int_time = veml6075_it_ms[int_index]; + msleep(int_time + (int_time / 2)); + + /* shutdown again, data registers are still accessible */ 
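Review bot: int_index is declared int (`int ret, conf, int_time, int_index;`) but compared against ARRAY_SIZE(veml6075_it_ms), which is size_t; FIELD_GET(VEML6075_CONF_IT, conf) can only yield 0-7 so the check works, but declaring it `unsigned int int_index` would avoid the signed/unsigned comparison and make it impossible for a negative value to slip past `>=`, matching the unsigned index used in the companion ti-ads1298 fix in this series. Same remark as there on the errno: a reserved integration-time encoding read back from the chip is a device or bus fault, which -EIO conveys better than -EINVAL.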
diff --git a/queue-7.1/input-rmi4-fix-bit-count-in-bitmap_copy.patch b/queue-7.1/input-rmi4-fix-bit-count-in-bitmap_copy.patch new file mode 100644 index 0000000000..beca842509 --- /dev/null +++ b/queue-7.1/input-rmi4-fix-bit-count-in-bitmap_copy.patch @@ -0,0 +1,47 @@ +From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 4 May 2026 21:59:37 -0700 +Subject: Input: rmi4 - fix bit count in bitmap_copy() + +From: Dmitry Torokhov + +commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream. + +bitmap_copy() takes number of bits, not bytes (or longs). Correct +the bit count in rmi_driver_set_irq_bits() and +rmi_driver_clear_irq_bits(). + +Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices") +Cc: stable@vger.kernel.org +Assisted-by: Gemini:gemini-3.1-pro +Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/rmi4/rmi_driver.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -388,9 +388,8 @@ static int rmi_driver_set_irq_bits(struc + __func__); + goto error_unlock; + } +- bitmap_copy(data->current_irq_mask, data->new_irq_mask, +- data->num_of_irq_regs); + ++ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count); + bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count); + + error_unlock: +@@ -419,8 +418,8 @@ static int rmi_driver_clear_irq_bits(str + __func__); + goto error_unlock; + } +- bitmap_copy(data->current_irq_mask, data->new_irq_mask, +- data->num_of_irq_regs); ++ ++ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count); + + error_unlock: + mutex_unlock(&data->irq_mutex); 
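Review bot: the change is right, data->irq_count is the bit count already used by the neighbouring bitmap_or() and bitmap_copy() takes bits, so the old calls with data->num_of_irq_regs copied only the first few bits of new_irq_mask and left the rest of current_irq_mask stale; given that the original was written as if num_of_irq_regs were the length, it is worth grepping rmi_driver.c and the function drivers for any other bitmap_*() call that passes num_of_irq_regs so they are fixed in the same series rather than one report at a time.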
diff --git a/queue-7.1/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch b/queue-7.1/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch new file mode 100644 index 0000000000..006668e86d --- /dev/null +++ b/queue-7.1/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch @@ -0,0 +1,37 @@ +From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 4 May 2026 21:59:35 -0700 +Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data() + +From: Dmitry Torokhov + +commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream. + +kfifo_put() returns 0 if the FIFO is full. In this case, we must +free the memory allocated for the attention data to avoid a leak. + +Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data") +Cc: stable@vger.kernel.org +Assisted-by: Gemini:gemini-3.1-pro +Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/rmi4/rmi_driver.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -183,7 +183,11 @@ void rmi_set_attn_data(struct rmi_device + attn_data.size = size; + attn_data.data = fifo_data; + +- kfifo_put(&drvdata->attn_fifo, attn_data); ++ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) { ++ dev_warn_ratelimited(&rmi_dev->dev, ++ "Failed to enqueue attention data, FIFO full\n"); ++ kfree(fifo_data); ++ } + } + EXPORT_SYMBOL_GPL(rmi_set_attn_data); + diff --git a/queue-7.1/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch b/queue-7.1/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch new file mode 100644 index 0000000000..2b07bcd9b2 --- /dev/null +++ b/queue-7.1/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch 
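Review bot: freeing fifo_data when kfifo_put() reports a full FIFO closes the leak, but rmi_set_attn_data() is still void, so the transport that produced the attention data has no way to learn that the event was dropped; the rate-limited dev_warn is the right choice for a flood, but returning -ENOSPC (or a bool) would let callers count drops, since a full FIFO here means a lost interrupt report rather than a benign condition.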
@@ -0,0 +1,53 @@ +From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 4 May 2026 21:59:34 -0700 +Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor + +From: Dmitry Torokhov + +commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream. + +RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This +may overflow num_subpackets in struct rmi_register_desc_item which is +defined as a u8. + +Fix this by changing the type of num_subpackets to u16. + +Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices") +Cc: stable@vger.kernel.org +Assisted-by: Gemini:gemini-3.1-pro +Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/rmi4/rmi_driver.h | 2 +- + drivers/input/rmi4/rmi_f12.c | 7 +++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/input/rmi4/rmi_driver.h ++++ b/drivers/input/rmi4/rmi_driver.h +@@ -53,7 +53,7 @@ struct pdt_entry { + struct rmi_register_desc_item { + u16 reg; + unsigned long reg_size; +- u8 num_subpackets; ++ u16 num_subpackets; + unsigned long subpacket_map[BITS_TO_LONGS( + RMI_REG_DESC_SUBPACKET_BITS)]; + }; +--- a/drivers/input/rmi4/rmi_f12.c ++++ b/drivers/input/rmi4/rmi_f12.c +@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_func + f12->data1 = item; + f12->data1_offset = data_offset; + data_offset += item->reg_size; ++ ++ if (item->num_subpackets > 255) { ++ dev_err(&fn->dev, "Too many fingers declared: %d\n", ++ item->num_subpackets); ++ return -EINVAL; ++ } ++ + sensor->nbr_fingers = item->num_subpackets; + sensor->report_abs = 1; + sensor->attn_size += item->reg_size; diff --git a/queue-7.1/input-rmi4-fix-register-descriptor-address-calculation.patch b/queue-7.1/input-rmi4-fix-register-descriptor-address-calculation.patch new file mode 100644 index 0000000000..b32bd203b9 --- /dev/null 
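Review bot: the `item->num_subpackets > 255` check added in rmi_f12_probe() hard-codes a limit the hunk does not explain; num_subpackets is now u16, so the 255 must come from the narrower type of sensor->nbr_fingers (not visible here). Comparing against U8_MAX with a comment naming that field, or against the maximum finger count the driver can actually report, would keep the bound from silently diverging if nbr_fingers is widened later. The rmi_driver.h change itself is fine: RMI_REG_DESC_SUBPACKET_BITS is 296, so bitmap_weight() can return a value a u8 cannot hold.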
+++ b/queue-7.1/input-rmi4-fix-register-descriptor-address-calculation.patch @@ -0,0 +1,40 @@ +From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 4 May 2026 21:59:31 -0700 +Subject: Input: rmi4 - fix register descriptor address calculation + +From: Dmitry Torokhov + +commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream. + +When reading the register descriptor, the base address is incremented by +1 to read the presence register block. However, after reading the +presence register block, the address is incorrectly incremented by only +1 byte (++addr) instead of the actual size of the presence block +(size_presence_reg). This causes the subsequent structure block read to +read from the wrong memory location if the presence block is larger than +1 byte. + +Fix this by advancing the address by size_presence_reg. + +Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices") +Cc: stable@vger.kernel.org +Assisted-by: Gemini:gemini-3.1-pro +Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/rmi4/rmi_driver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -594,7 +594,7 @@ int rmi_read_register_desc(struct rmi_de + ret = rmi_read_block(d, addr, buf, size_presence_reg); + if (ret) + return ret; +- ++addr; ++ addr += size_presence_reg; + + if (buf[0] == 0) { + presense_offset = 3; diff --git a/queue-7.1/input-rmi4-fix-type-overflow-in-register-counts.patch b/queue-7.1/input-rmi4-fix-type-overflow-in-register-counts.patch new file mode 100644 index 0000000000..0c40092d6c --- /dev/null +++ b/queue-7.1/input-rmi4-fix-type-overflow-in-register-counts.patch 
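Review bot: `addr += size_presence_reg;` is the right advance; addr is a u16 (see the `int rmi_read_register_desc(struct rmi_device *d, u16 addr,` context in the refactor patch) and size_presence_reg a u8, so there is no overflow concern. With the old `++addr`, any presence register larger than one byte caused the structure block to be read from inside the presence block, so descriptors were parsed from the wrong offset, which is exactly the misparse that feeds the bounds problems the following refactor patch addresses; the two patches belong together and the series order reflects that.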
@@ -0,0 +1,39 @@ +From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 4 May 2026 21:59:33 -0700 +Subject: Input: rmi4 - fix type overflow in register counts + +From: Dmitry Torokhov + +commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream. + +The number of registers in the RMI4 register descriptor is populated +by counting the bits in the presence map using bitmap_weight(). Since +the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS), +storing this count in a u8 can overflow to 0 if all 256 bits are set. + +Change the num_registers field in struct rmi_register_descriptor +from u8 to u16 to prevent potential integer overflow and ensure safe +processing of devices reporting large descriptors. + +Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices") +Cc: stable@vger.kernel.org +Assisted-by: Gemini:gemini-3.1-pro +Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/rmi4/rmi_driver.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/rmi4/rmi_driver.h ++++ b/drivers/input/rmi4/rmi_driver.h +@@ -65,7 +65,7 @@ struct rmi_register_desc_item { + struct rmi_register_descriptor { + unsigned long struct_size; + unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)]; +- u8 num_registers; ++ u16 num_registers; + struct rmi_register_desc_item *registers; + }; + diff --git a/queue-7.1/input-rmi4-iterative-irq-handler.patch b/queue-7.1/input-rmi4-iterative-irq-handler.patch new file mode 100644 index 0000000000..6852b8662e --- /dev/null +++ b/queue-7.1/input-rmi4-iterative-irq-handler.patch 
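Review bot: the u8 to u16 change for num_registers is necessary (RMI_REG_DESC_PRESENSE_BITS is 256, so a full presence map wrapped the count to 0), but the hunk only touches the declaration. The consumers are the allocation of rdesc->registers and the `for (i = 0; i < rdesc->num_registers; i++)` loop in rmi_read_register_desc() (visible as context in the refactor patch); the allocation site is not shown, so the reviewer should confirm it sizes the array from the same, now wider, field and that no format string or intermediate u8 variable truncates it again.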
@@ -0,0 +1,66 @@ +From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 4 May 2026 21:59:36 -0700 +Subject: Input: rmi4 - iterative IRQ handler + +From: Dmitry Torokhov + +commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream. + +The current IRQ handler uses recursion to drain the attention FIFO, +which can lead to stack overflow on deep queues. Convert it to a +loop. + +Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data") +Cc: stable@vger.kernel.org +Assisted-by: Gemini:gemini-3.1-pro +Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -198,24 +198,24 @@ static irqreturn_t rmi_irq_fn(int irq, v + struct rmi4_attn_data attn_data = {0}; + int ret, count; + +- count = kfifo_get(&drvdata->attn_fifo, &attn_data); +- if (count) { +- *(drvdata->irq_status) = attn_data.irq_status; +- drvdata->attn_data = attn_data; +- } ++ do { ++ count = kfifo_get(&drvdata->attn_fifo, &attn_data); ++ if (count) { ++ *drvdata->irq_status = attn_data.irq_status; ++ drvdata->attn_data = attn_data; ++ } + +- ret = rmi_process_interrupt_requests(rmi_dev); +- if (ret) +- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev, +- "Failed to process interrupt request: %d\n", ret); ++ ret = rmi_process_interrupt_requests(rmi_dev); ++ if (ret) ++ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev, ++ "Failed to process interrupt request: %d\n", ++ ret); + +- if (count) { +- kfree(attn_data.data); +- drvdata->attn_data.data = NULL; +- } +- +- if (!kfifo_is_empty(&drvdata->attn_fifo)) +- return rmi_irq_fn(irq, dev_id); ++ if (count) { ++ kfree(attn_data.data); ++ drvdata->attn_data.data = NULL; ++ } ++ } while 
(!kfifo_is_empty(&drvdata->attn_fifo)); + + return IRQ_HANDLED; + } diff --git a/queue-7.1/input-rmi4-refactor-register-descriptor-parsing.patch b/queue-7.1/input-rmi4-refactor-register-descriptor-parsing.patch new file mode 100644 index 0000000000..27017a9767 --- /dev/null +++ b/queue-7.1/input-rmi4-refactor-register-descriptor-parsing.patch 
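Review bot: the do/while in input-rmi4-iterative-irq-handler.patch preserves the original semantics that rmi_process_interrupt_requests() runs at least once even with an empty FIFO (the hardware-interrupt path) and re-checks kfifo_is_empty() only after the per-iteration kfree(), so each pass consumes exactly one entry and the stack-depth problem is gone. The loop is still unbounded, though: if rmi_set_attn_data() keeps refilling the FIFO from another context, this handler never returns, just as the recursive version never did, so a bounded iteration count (or cond_resched() if this is a threaded handler) would be a cheap guard. The `*(drvdata->irq_status)` to `*drvdata->irq_status` cleanup in the same hunk would be easier to review as a separate cosmetic change.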
@@ -0,0 +1,224 @@ +From 0adb483fbf2dc43c875cd7550a58b41e92efc52d Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Mon, 4 May 2026 21:59:32 -0700 +Subject: Input: rmi4 - refactor register descriptor parsing + +From: Dmitry Torokhov + +commit 0adb483fbf2dc43c875cd7550a58b41e92efc52d upstream. + +Factor out parsing a register descriptor item from +rmi_read_register_desc() and ensure there are no out-of-bounds accesses. + +Use get_unaligned_le16() and get_unaligned_le32() for reading multi-byte +values. + +Reported-by: Greg Kroah-Hartman +Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices") +Cc: stable@vger.kernel.org +Assisted-by: Gemini:gemini-3.1-pro +Link: https://patch.msgid.link/20260505045952.1570713-2-dmitry.torokhov@gmail.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/rmi4/rmi_driver.c | 124 ++++++++++++++++++++++++---------------- + 1 file changed, 76 insertions(+), 48 deletions(-) + +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include "rmi_bus.h" + #include "rmi_driver.h" + +@@ -558,30 +559,74 @@ int rmi_scan_pdt(struct rmi_device *rmi_ + return retval < 0 ? 
retval : 0; + } + ++static int rmi_parse_register_desc_item(struct rmi_register_desc_item *item, ++ const u8 *buf, size_t size) ++{ ++ unsigned int offset = 0; ++ unsigned int map_offset = 0; ++ int b; ++ ++ if (offset >= size) ++ return -EIO; ++ ++ item->reg_size = buf[offset++]; ++ if (item->reg_size == 0) { ++ if (size - offset < 2) ++ return -EIO; ++ item->reg_size = get_unaligned_le16(&buf[offset]); ++ offset += 2; ++ } ++ ++ if (item->reg_size == 0) { ++ if (size - offset < 4) ++ return -EIO; ++ item->reg_size = get_unaligned_le32(&buf[offset]); ++ offset += 4; ++ } ++ ++ do { ++ if (offset >= size) ++ return -EIO; ++ ++ for (b = 0; b < 7; b++) { ++ if (buf[offset] & BIT(b)) { ++ if (map_offset >= RMI_REG_DESC_SUBPACKET_BITS) ++ return -EIO; ++ __set_bit(map_offset, item->subpacket_map); ++ } ++ ++map_offset; ++ } ++ } while (buf[offset++] & BIT(7)); ++ ++ item->num_subpackets = bitmap_weight(item->subpacket_map, ++ RMI_REG_DESC_SUBPACKET_BITS); ++ ++ return offset; ++} ++ + int rmi_read_register_desc(struct rmi_device *d, u16 addr, +- struct rmi_register_descriptor *rdesc) ++ struct rmi_register_descriptor *rdesc) + { + int ret; + u8 size_presence_reg; + u8 buf[35]; +- int presense_offset = 1; +- u8 *struct_buf; +- int reg; +- int offset = 0; +- int map_offset = 0; ++ unsigned int presence_offset; ++ unsigned int map_offset; ++ unsigned int offset; ++ unsigned int reg; + int i; + int b; + + /* + * The first register of the register descriptor is the size of +- * the register descriptor's presense register. ++ * the register descriptor's presence register. 
+ */ + ret = rmi_read(d, addr, &size_presence_reg); + if (ret) + return ret; + ++addr; + +- if (size_presence_reg < 0 || size_presence_reg > 35) ++ if (size_presence_reg < 1 || size_presence_reg > 35) + return -EIO; + + memset(buf, 0, sizeof(buf)); +@@ -597,16 +642,23 @@ int rmi_read_register_desc(struct rmi_de + addr += size_presence_reg; + + if (buf[0] == 0) { +- presense_offset = 3; +- rdesc->struct_size = buf[1] | (buf[2] << 8); ++ if (size_presence_reg < 3) ++ return -EIO; ++ presence_offset = 3; ++ rdesc->struct_size = get_unaligned_le16(&buf[1]); + } else { ++ presence_offset = 1; + rdesc->struct_size = buf[0]; + } + +- for (i = presense_offset; i < size_presence_reg; i++) { ++ map_offset = 0; ++ for (i = presence_offset; i < size_presence_reg; i++) { + for (b = 0; b < 8; b++) { +- if (buf[i] & (0x1 << b)) ++ if (buf[i] & BIT(b)) { ++ if (map_offset >= RMI_REG_DESC_PRESENSE_BITS) ++ return -EIO; + bitmap_set(rdesc->presense_map, map_offset, 1); ++ } + ++map_offset; + } + } +@@ -626,7 +678,7 @@ int rmi_read_register_desc(struct rmi_de + * I'm not using devm_kzalloc here since it will not be retained + * after exiting this function + */ +- struct_buf = kzalloc(rdesc->struct_size, GFP_KERNEL); ++ u8 *struct_buf __free(kfree) = kzalloc(rdesc->struct_size, GFP_KERNEL); + if (!struct_buf) + return -ENOMEM; + +@@ -638,56 +690,32 @@ int rmi_read_register_desc(struct rmi_de + */ + ret = rmi_read_block(d, addr, struct_buf, rdesc->struct_size); + if (ret) +- goto free_struct_buff; ++ return ret; + + reg = find_first_bit(rdesc->presense_map, RMI_REG_DESC_PRESENSE_BITS); ++ offset = 0; + for (i = 0; i < rdesc->num_registers; i++) { + struct rmi_register_desc_item *item = &rdesc->registers[i]; +- int reg_size = struct_buf[offset]; ++ int item_size; + +- ++offset; +- if (reg_size == 0) { +- reg_size = struct_buf[offset] | +- (struct_buf[offset + 1] << 8); +- offset += 2; +- } +- +- if (reg_size == 0) { +- reg_size = struct_buf[offset] | +- (struct_buf[offset + 1] << 8) | 
+- (struct_buf[offset + 2] << 16) | +- (struct_buf[offset + 3] << 24); +- offset += 4; +- } ++ item_size = rmi_parse_register_desc_item(item, ++ &struct_buf[offset], ++ rdesc->struct_size - offset); ++ if (item_size < 0) ++ return item_size; + + item->reg = reg; +- item->reg_size = reg_size; +- +- map_offset = 0; +- +- do { +- for (b = 0; b < 7; b++) { +- if (struct_buf[offset] & (0x1 << b)) +- bitmap_set(item->subpacket_map, +- map_offset, 1); +- ++map_offset; +- } +- } while (struct_buf[offset++] & 0x80); +- +- item->num_subpackets = bitmap_weight(item->subpacket_map, +- RMI_REG_DESC_SUBPACKET_BITS); ++ offset += item_size; + + rmi_dbg(RMI_DEBUG_CORE, &d->dev, + "%s: reg: %d reg size: %ld subpackets: %d\n", __func__, + item->reg, item->reg_size, item->num_subpackets); + + reg = find_next_bit(rdesc->presense_map, +- RMI_REG_DESC_PRESENSE_BITS, reg + 1); ++ RMI_REG_DESC_PRESENSE_BITS, reg + 1); + } + +-free_struct_buff: +- kfree(struct_buf); +- return ret; ++ return 0; + } + + const struct rmi_register_desc_item *rmi_get_register_desc_item( diff --git a/queue-7.1/ksmbd-reject-non-valid-session-in-compound-request-branch.patch b/queue-7.1/ksmbd-reject-non-valid-session-in-compound-request-branch.patch new file mode 100644 index 0000000000..8468a5b1b5 --- /dev/null +++ b/queue-7.1/ksmbd-reject-non-valid-session-in-compound-request-branch.patch 
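Review bot: in rmi_parse_register_desc_item() the bound on map_offset is only enforced when a bit is set (`if (map_offset >= RMI_REG_DESC_SUBPACKET_BITS) return -EIO;` sits inside `if (buf[offset] & BIT(b))`), so a run of continuation bytes with the low seven bits clear walks map_offset well past 296 without an error. That is harmless, because the counter is only consumed by __set_bit() after the check and the loop is still bounded by `if (offset >= size) return -EIO;`, but moving the check ahead of the bit test would make the invariant obvious. Returning the unsigned offset through an int is fine given struct_size comes from an 8- or 16-bit field, and the leading `if (offset >= size)` with offset == 0 is really a size == 0 check; a comment such as "need at least the size byte" would say so.

Review bot: in the @@ -597 hunk, `size_presence_reg < 1` replaces `size_presence_reg < 0`, which was dead code on a u8, and the new `if (size_presence_reg < 3) return -EIO;` before reading buf[1] and buf[2] closes a read past the presence block when buf[0] == 0; both are genuine fixes rather than refactoring and deserve a line in the commit message. The presence-map loop still uses bitmap_set(rdesc->presense_map, map_offset, 1) while the new helper uses __set_bit(); picking one keeps the two parsers consistent.

Review bot: `u8 *struct_buf __free(kfree) = kzalloc(...)` depends on linux/cleanup.h, and get_unaligned_le16()/get_unaligned_le32() on the unaligned-access header; the added `#include` in the first hunk has lost its header name in this rendering, so the reviewer should confirm which of the two new dependencies it covers and that the other is already included. With the scope-based free, the early `return ret;` and `return item_size;` paths no longer leak and the old free_struct_buff label is correctly gone; the function now returns 0 explicitly instead of `ret`, which was 0 on that path anyway.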
@@ -0,0 +1,58 @@ +From 609ca17d869d04ba249e32cdcbf13c0b1c66f43c Mon Sep 17 00:00:00 2001 +From: Gil Portnoy +Date: Thu, 11 Jun 2026 22:59:19 +0900 +Subject: ksmbd: reject non-VALID session in compound request branch + +From: Gil Portnoy + +commit 609ca17d869d04ba249e32cdcbf13c0b1c66f43c upstream. + +smb2_check_user_session() takes a shortcut for any operation that is not +the first in a COMPOUND request: it reuses work->sess (the session bound by +the first operation) and validates only the SessionId, then returns +"valid". It never re-checks work->sess->state == SMB2_SESSION_VALID, and a +SessionId of 0xFFFFFFFFFFFFFFFF (ULLONG_MAX, the MS-SMB2 related-operation +value) skips even the id comparison. The standalone path +(ksmbd_session_lookup_all() plus the SESSION_SETUP state machine) does +enforce the VALID state; the compound branch bypasses all of it. + +A SESSION_SETUP carrying only an NTLM Type-1 (NtLmNegotiate) blob publishes +a fresh SMB2_SESSION_IN_PROGRESS session whose sess->user is still NULL +(->user is assigned later, by ntlm_authenticate()). Used as operation 1 of +a COMPOUND with operation 2 = TREE_CONNECT (related, SessionId=ULLONG_MAX, +\\host\IPC$), the tree-connect then runs on that IN_PROGRESS session and +reaches ksmbd_ipc_tree_connect_request(), which dereferences +user_name(sess->user) with sess->user == NULL (transport_ipc.c:687/701/704) +-> remote NULL-pointer dereference and a kernel Oops that wedges the ksmbd +worker for all clients. + +Reject any non-first compound operation that lands on a session which is +not SMB2_SESSION_VALID, mirroring the validity the standalone lookup path +enforces. SESSION_SETUP itself legitimately runs on an IN_PROGRESS session, +but it is never carried as a non-first compound operation, so multi-leg +authentication is unaffected by this check. 
+ +Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request") +Cc: stable@vger.kernel.org +Signed-off-by: Gil Portnoy +Acked-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/smb2pdu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/smb/server/smb2pdu.c ++++ b/fs/smb/server/smb2pdu.c +@@ -613,6 +613,11 @@ int smb2_check_user_session(struct ksmbd + sess_id, work->sess->id); + return -EINVAL; + } ++ if (work->sess->state != SMB2_SESSION_VALID) { ++ pr_err("compound request on a non-valid session (state %d)\n", ++ work->sess->state); ++ return -EINVAL; ++ } + return 1; + } + diff --git a/queue-7.1/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch b/queue-7.1/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch new file mode 100644 index 0000000000..d508767910 --- /dev/null +++ b/queue-7.1/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch 
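Review bot: the new state check in smb2_check_user_session() sits after the closing brace of the SessionId-mismatch block, so it runs on both the id-compared path and the ULLONG_MAX related-operation path that skips the comparison; that placement is what actually closes the hole the commit message describes and is worth a comment in the code. pr_err() here is reachable by an unauthenticated remote client on every malformed compound, so pr_err_ratelimited() or ksmbd_debug() would be safer against log flooding; returning -EINVAL is consistent with the id-mismatch branch directly above.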
@@ -0,0 +1,81 @@ +From 7d8bf3d8f91073f4db347ed3aa6302b56107499c Mon Sep 17 00:00:00 2001 +From: Ruslan Valiyev +Date: Tue, 17 Mar 2026 17:05:44 +0000 +Subject: media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si + +From: Ruslan Valiyev + +commit 7d8bf3d8f91073f4db347ed3aa6302b56107499c upstream. + +syzbot reported a general protection fault in +vidtv_psi_ts_psi_write_into [1]. + +vidtv_mux_get_pid_ctx() can return NULL, but vidtv_mux_push_si() does +not check for this before dereferencing the returned pointer to access +the continuity counter. This leads to a general protection fault when +accessing a near-NULL address. + +The root cause is that vidtv_mux_pid_ctx_init() does not check the +return value of vidtv_mux_create_pid_ctx_once() for PMT section PIDs. +If the allocation fails, the PID context is never created, but init +returns success. The subsequent vidtv_mux_push_si() call then gets +NULL from vidtv_mux_get_pid_ctx() and crashes. + +Fix both the root cause (add error check in vidtv_mux_pid_ctx_init +for PMT PIDs) and add defensive NULL checks in vidtv_mux_push_si for +all vidtv_mux_get_pid_ctx() calls. 
+ +[1] +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +Workqueue: events vidtv_mux_tick +RIP: 0010:vidtv_psi_ts_psi_write_into+0x54a/0xbc0 drivers/media/test-drivers/vidtv/vidtv_psi.c:197 +Call Trace: + + vidtv_psi_table_header_write_into drivers/media/test-drivers/vidtv/vidtv_psi.c:799 [inline] + vidtv_psi_pmt_write_into+0x3b2/0xa70 drivers/media/test-drivers/vidtv/vidtv_psi.c:1231 + vidtv_mux_push_si+0x932/0xe80 drivers/media/test-drivers/vidtv/vidtv_mux.c:196 + vidtv_mux_tick+0xe9b/0x1480 drivers/media/test-drivers/vidtv/vidtv_mux.c:408 + +Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver") +Cc: stable@vger.kernel.org +Reported-by: syzbot+814c351d094f4f1a1b86@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86 +Signed-off-by: Ruslan Valiyev +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/test-drivers/vidtv/vidtv_mux.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/media/test-drivers/vidtv/vidtv_mux.c ++++ b/drivers/media/test-drivers/vidtv/vidtv_mux.c +@@ -101,7 +101,8 @@ static int vidtv_mux_pid_ctx_init(struct + /* add a ctx for all PMT sections */ + while (p) { + pid = vidtv_psi_get_pat_program_pid(p); +- vidtv_mux_create_pid_ctx_once(m, pid); ++ if (!vidtv_mux_create_pid_ctx_once(m, pid)) ++ goto free; + p = p->next; + } + +@@ -170,6 +171,9 @@ static u32 vidtv_mux_push_si(struct vidt + nit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_NIT_PID); + eit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_EIT_PID); + ++ if (!pat_ctx || !sdt_ctx || !nit_ctx || !eit_ctx) ++ return 0; ++ + pat_args.offset = m->mux_buf_offset; + pat_args.continuity_counter = &pat_ctx->cc; + +@@ -186,6 +190,8 @@ static u32 vidtv_mux_push_si(struct vidt + } + + pmt_ctx = vidtv_mux_get_pid_ctx(m, pmt_pid); ++ if (!pmt_ctx) ++ continue; + + pmt_args.offset = 
m->mux_buf_offset; + pmt_args.pmt = m->si.pmt_secs[i]; diff --git a/queue-7.1/serial-8250_dw-unregister-8250-port-if-clk_notifier_register-fails.patch b/queue-7.1/serial-8250_dw-unregister-8250-port-if-clk_notifier_register-fails.patch new file mode 100644 index 0000000000..662a8a22fb --- /dev/null +++ b/queue-7.1/serial-8250_dw-unregister-8250-port-if-clk_notifier_register-fails.patch 
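Review bot: `if (!pat_ctx || !sdt_ctx || !nit_ctx || !eit_ctx) return 0;` and the `if (!pmt_ctx) continue;` in vidtv_mux_push_si() are silent; since vidtv_mux_pid_ctx_init() is now meant to fail (`goto free`) rather than leave a PID without a context, reaching these paths means an invariant is broken, and a WARN_ON_ONCE() or dev_warn_ratelimited() would make that visible instead of quietly emitting no SI tables. For the init hunk the `free` label is not shown: confirm it tears down the PMT contexts created in earlier iterations of the while loop as well as the PAT/SDT/NIT/EIT ones, or the error path trades the NULL dereference for a leak.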
@@ -0,0 +1,46 @@ +From 10fc708b4de7f86002d2d735a2dbf3b5b7f65692 Mon Sep 17 00:00:00 2001 +From: Stepan Ionichev +Date: Thu, 14 May 2026 19:37:45 +0500 +Subject: serial: 8250_dw: unregister 8250 port if clk_notifier_register() fails + +From: Stepan Ionichev + +commit 10fc708b4de7f86002d2d735a2dbf3b5b7f65692 upstream. + +dw8250_probe() registers the 8250 port via serial8250_register_8250_port() +and then, if the device has a clock, registers a clock notifier. If +clk_notifier_register() fails, probe returns the error but leaves the +8250 port registered. The matching serial8250_unregister_port() lives +in dw8250_remove(), which is not called when probe fails, so the port +slot stays occupied until the device is rebound or the system is +rebooted. The devm-allocated driver data is freed while the port still +references it (via the saved private_data and serial_in/serial_out +callbacks), so any access to that port slot before a rebind is a +use-after-free hazard. + +Unregister the port on the clk_notifier_register() error path. + +Fixes: cc816969d7b5 ("serial: 8250_dw: Fix common clocks usage race condition") +Cc: stable@vger.kernel.org +Signed-off-by: Stepan Ionichev +Reviewed-by: Andy Shevchenko +Link: https://patch.msgid.link/20260514143746.23671-2-sozdayvek@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_dw.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_dw.c ++++ b/drivers/tty/serial/8250/8250_dw.c +@@ -850,8 +850,10 @@ static int dw8250_probe(struct platform_ + */ + if (data->clk) { + err = clk_notifier_register(data->clk, &data->clk_notifier); +- if (err) ++ if (err) { ++ serial8250_unregister_port(data->data.line); + return dev_err_probe(dev, err, "Failed to set the clock notifier\n"); ++ } + queue_work(system_dfl_wq, &data->clk_work); + } + 
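Review bot: serial8250_unregister_port(data->data.line) before dev_err_probe() is the right order, and data->data.line must hold the slot returned by serial8250_register_8250_port() earlier in probe (not in the hunk), so the reviewer should confirm that assignment. This is the only post-registration failure path visible, but registering a devm action that unregisters the port, or moving clk_notifier_register() ahead of the port registration if the notifier does not need the registered port, would keep any future error path from reintroducing the same stale-slot use-after-free hazard.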
diff --git a/queue-7.1/serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch b/queue-7.1/serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch new file mode 100644 index 0000000000..d71b315668 --- /dev/null +++ b/queue-7.1/serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch 
@@ -0,0 +1,50 @@ +From b93062b6d8a1b2d9bad235cac25558a909819026 Mon Sep 17 00:00:00 2001 +From: Viken Dadhaniya +Date: Thu, 28 May 2026 22:48:07 +0530 +Subject: serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero + +From: Viken Dadhaniya + +commit b93062b6d8a1b2d9bad235cac25558a909819026 upstream. + +In qcom_geni_serial_handle_rx_dma(), geni_se_rx_dma_unprep() clears +port->rx_dma_addr before SE_DMA_RX_LEN_IN is read. If the register is zero, +for example when the RX stale counter fires on an idle line, the handler +returns without calling geni_se_rx_dma_prep(). + +The next RX DMA interrupt then hits the !port->rx_dma_addr guard and +returns immediately, so the RX DMA buffer is never rearmed and later input +is lost. + +Keep the handler on the rearm path when rx_in is zero. Warn about the +unexpected zero-length DMA completion, skip received-data handling, and +always call geni_se_rx_dma_prep(). + +Fixes: 2aaa43c70778 ("tty: serial: qcom-geni-serial: add support for serial engine DMA") +Cc: stable@vger.kernel.org +Reviewed-by: Bartosz Golaszewski +Signed-off-by: Viken Dadhaniya +Link: https://patch.msgid.link/20260528-serial-rx-0-byte-fix-v2-1-b4195cfe342f@oss.qualcomm.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/qcom_geni_serial.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/tty/serial/qcom_geni_serial.c ++++ b/drivers/tty/serial/qcom_geni_serial.c +@@ -905,12 +905,9 @@ static void qcom_geni_serial_handle_rx_d + port->rx_dma_addr = 0; + + rx_in = readl(uport->membase + SE_DMA_RX_LEN_IN); +- if (!rx_in) { +- dev_warn(uport->dev, "serial engine reports 0 RX bytes in!\n"); +- return; +- } +- +- if (!drop) ++ if (!rx_in) ++ dev_warn_ratelimited(uport->dev, "serial engine reports 0 RX bytes in!\n"); ++ else if (!drop) + handle_rx_uart(uport, rx_in); + + ret = geni_se_rx_dma_prep(&port->se, port->rx_buf, diff --git a/queue-7.1/series b/queue-7.1/series index 51ef577c10..cacf2f2248 100644 
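Review bot: the restructured `if (!rx_in) dev_warn_ratelimited(...); else if (!drop) handle_rx_uart(uport, rx_in);` keeps the drop case correct (no data handling when drop is set, whatever rx_in is) and now falls through to geni_se_rx_dma_prep() in all three cases, which is the actual fix; the ratelimited warning is needed because the stale counter on an idle line fires repeatedly. A short comment above `if (!rx_in)` stating that a zero-length completion is expected from the stale timer and must not stop the rearm would keep someone from reinstating the early return.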
--- a/queue-7.1/series +++ b/queue-7.1/series @@ -2,3 +2,20 @@ io_uring-net-avoid-msghdr-on-op_connect-op_bind-asyn.patch fuse-re-lock-request-before-replacing-page-cache-folio.patch revert-nfsd-defer-sub-object-cleanup-in-export-put-callbacks.patch agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch +iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch +iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch +input-rmi4-fix-register-descriptor-address-calculation.patch +input-rmi4-refactor-register-descriptor-parsing.patch +input-rmi4-fix-type-overflow-in-register-counts.patch +input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch +input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch +input-rmi4-iterative-irq-handler.patch +input-rmi4-fix-bit-count-in-bitmap_copy.patch +crypto-qat-remove-unused-character-device-and-ioctls.patch +vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch +serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch +serial-8250_dw-unregister-8250-port-if-clk_notifier_register-fails.patch +drivers-base-memory-set-mem-altmap-after-successful-device-registration.patch +ksmbd-reject-non-valid-session-in-compound-request-branch.patch +media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch +virtiofs-fix-uaf-on-submount-umount.patch diff --git a/queue-7.1/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch b/queue-7.1/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch new file mode 100644 index 0000000000..d3fd27a87a --- /dev/null +++ b/queue-7.1/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch 
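Review bot: the order of the seven input-rmi4 entries in queue-7.1/series (register-descriptor-address-calculation, refactor, type-overflow, num_subpackets, memory-leak, iterative-irq, bitmap_copy) matches the -1 through -7 sequence in those patches' Link: tags, and the refactor patch's hunk carries `addr += size_presence_reg;` as context, so it only applies if the address-calculation patch precedes it; keep this ordering when the queue is regenerated.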
@@ -0,0 +1,46 @@ +From a287620312dc6dcb9a093417a0e589bf30fcf38a Mon Sep 17 00:00:00 2001 +From: Yi Yang +Date: Thu, 4 Jun 2026 06:07:34 +0000 +Subject: vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write + +From: Yi Yang + +commit a287620312dc6dcb9a093417a0e589bf30fcf38a upstream. + +A KASAN null-ptr-deref was observed in vcs_notifier(): + +BUG: KASAN: null-ptr-deref in vcs_notifier+0x98/0x130 +Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {} + +The issue is a race condition in vcs_write(). When the console_lock is +temporarily dropped (to copy data from userspace), the vc_data pointer +obtained from vcs_vc() may become stale. After re-acquiring the lock, +vcs_vc() is called again to re-validate the pointer. If the vc has been +deallocated in the meantime, vcs_vc() returns NULL, and the while loop +breaks (with written > 0). However, after the loop, vcs_scr_updated(vc) +is still called with the now-NULL vc pointer, leading to a null pointer +dereference in the notifier chain (vcs_notifier dereferences param->vc). + +Fix this by adding a NULL check for vc before calling vcs_scr_updated(). + +Fixes: 8fb9ea65c9d1 ("vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF") +Cc: stable@vger.kernel.org +Signed-off-by: Yi Yang +Reviewed-by: Jiri Slaby +Link: https://patch.msgid.link/20260604060734.2914976-1-yiyang13@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/vt/vc_screen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/vt/vc_screen.c ++++ b/drivers/tty/vt/vc_screen.c +@@ -686,7 +686,7 @@ vcs_write(struct file *file, const char + } + *ppos += written; + ret = written; +- if (written) ++ if (written && vc) + vcs_scr_updated(vc); + + return ret; diff --git a/queue-7.1/virtiofs-fix-uaf-on-submount-umount.patch b/queue-7.1/virtiofs-fix-uaf-on-submount-umount.patch new file mode 100644 index 0000000000..5aed9db8ef --- /dev/null 
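Review bot: `if (written && vc)` is sufficient because vc only becomes NULL through the re-validating vcs_vc() call inside the loop, and the bytes written before that point remain accounted for in ret; if vcs_vc() returning NULL is ever turned into an error return rather than a loop break, this check should move with it. Separately, the KASAN excerpt in the commit message (`Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {}`) reads as truncated or pasted from an unrelated log and should be checked against the original report before this lands in stable.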
+++ b/queue-7.1/virtiofs-fix-uaf-on-submount-umount.patch 
@@ -0,0 +1,53 @@ +From 06b41351779e9289e8785694ade9042ae85e41ea Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Thu, 28 May 2026 10:58:24 +0200 +Subject: virtiofs: fix UAF on submount umount +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Miklos Szeredi + +commit 06b41351779e9289e8785694ade9042ae85e41ea upstream. + +iput() called from fuse_release_end() can Oops if the super block has +already been destroyed. Normally this is prevented by waiting for +num_waiting to go down to zero before commencing with super block shutdown. + +This only works, however, for the last submount instance, as the wait +counter is per connection, not per superblock. + +Revert to using synchronous release requests for the auto_submounts case, +which is virtiofs only at this time. + +Reported-by: Aurélien Bombo +Reported-by: Zhihao Cheng +Cc: Greg Kurz +Closes: https://github.com/kata-containers/kata-containers/issues/12589 +Fixes: 26e5c67deb2e ("fuse: fix livelock in synchronous file put from fuseblk workers") +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kurz +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman +--- + fs/fuse/file.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -380,8 +380,14 @@ void fuse_file_release(struct inode *ino + * aio and closes the fd before the aio completes. Since aio takes its + * own ref to the file, the IO completion has to drop the ref, which is + * how the fuse server can end up closing its clients' files. ++ * ++ * Exception is virtio-fs, which is not affected by the above (server is ++ * on host, cannot close open files in guest). Virtio-fs needs sync ++ * release, because the num_waiting mechanism to wait for all requests ++ * before commencing with fs shutdown doesn't work if submounts are ++ * used. 
+ */ +- fuse_file_put(ff, false); ++ fuse_file_put(ff, ff->fm->fc->auto_submounts); + } + + void fuse_release_common(struct file *file, bool isdir)
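Review bot: `fuse_file_put(ff, ff->fm->fc->auto_submounts)` makes the synchronous-release decision per connection, which matches the commit message's note that auto_submounts is virtiofs-only today; if another fuse client ever enables auto_submounts it will also get synchronous release and with it the livelock that 26e5c67deb2e fixed for fuseblk, so a code comment tying the choice to virtiofs, or a dedicated connection flag (a hypothetical sync_release, say) rather than overloading auto_submounts, would be safer. The expanded block comment might also state that num_waiting is per connection rather than per superblock, since that is the actual reason the wait does not cover submounts.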