From: Greg Kroah-Hartman
Date: Thu, 25 Jun 2026 12:53:45 +0000 (+0100)
Subject: 6.12-stable patches
X-Git-Tag: v6.18.37~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2ec1784a5af395120de10b5111b390116f5026a;p=thirdparty%2Fkernel%2Fstable-queue.git

6.12-stable patches

added patches:
iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
input-rmi4-fix-bit-count-in-bitmap_copy.patch
input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
input-rmi4-fix-register-descriptor-address-calculation.patch
input-rmi4-fix-type-overflow-in-register-counts.patch
input-rmi4-iterative-irq-handler.patch
ksmbd-reject-non-valid-session-in-compound-request-branch.patch
media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
virtiofs-fix-uaf-on-submount-umount.patch
---

diff --git a/queue-6.12/iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch b/queue-6.12/iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
new file mode 100644
index 0000000000..d72d5c7322
--- /dev/null
+++ b/queue-6.12/iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
@@ -0,0 +1,57 @@
+From 95e8a48d7a85d4226934020e57815a3316d3a14b Mon Sep 17 00:00:00 2001
+From: Sam Daly
+Date: Thu, 14 May 2026 18:23:20 +0200
+Subject: iio: adc: ti-ads1298: add bounds check to pga_settings index
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sam Daly
+
+commit 95e8a48d7a85d4226934020e57815a3316d3a14b upstream.
+
+ads1298_pga_settings has 7 elements but ADS1298_MASK_CH_PGA can yield
+values 0-7. If it yields a value >= 7, this causes an out-of-bounds
+array access. Add a bounds check and return -EINVAL if the index
+is out of range.
+
+Note that the remaining value b111 is reserved so should not be seen
+in a correctly functioning system.
+
+Assisted-by: gkh_clanker_2000
+Cc: stable
+Cc: Jonathan Cameron
+Cc: David Lechner
+Cc: "Nuno Sá"
+Cc: Andy Shevchenko
+Signed-off-by: Sam Daly
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/ti-ads1298.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti-ads1298.c
++++ b/drivers/iio/adc/ti-ads1298.c
+@@ -279,6 +279,7 @@ static const u8 ads1298_pga_settings[] =
+ static int ads1298_get_scale(struct ads1298_private *priv,
+ int channel, int *val, int *val2)
+ {
++ unsigned int pga_idx;
+ int ret;
+ unsigned int regval;
+ u8 gain;
+@@ -302,7 +303,11 @@ static int ads1298_get_scale(struct ads1
+ if (ret)
+ return ret;
+
+- gain = ads1298_pga_settings[FIELD_GET(ADS1298_MASK_CH_PGA, regval)];
++ pga_idx = FIELD_GET(ADS1298_MASK_CH_PGA, regval);
++ if (pga_idx >= ARRAY_SIZE(ads1298_pga_settings))
++ return -EINVAL;
++
++ gain = ads1298_pga_settings[pga_idx];
+ *val /= gain; /* Full scale is VREF / gain */
+
+ *val2 = ADS1298_BITS_PER_SAMPLE - 1; /* Signed, hence the -1 */
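Review bot: The new bounds check returns a bare -EINVAL for a reserved PGA code without any diagnostic, although the commit message says such a value only shows up on a faulty device or a corrupted bus; from a defender's view a silent EINVAL on a scale read is indistinguishable from a userspace usage error and gives no trace of the hardware problem. A rate-limited dev_err naming `pga_idx` before the `return -EINVAL;` (the device pointer held in priv is not visible in the hunk) would make a misbehaving device observable in the log. The check itself is in the right form: `pga_idx` is unsigned, so `>=` covers the whole range, and `ads1298_pga_settings` is a real array per the hunk header, so ARRAY_SIZE is valid there. ads1298_get_scale starts and ends outside the hunk.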
diff --git a/queue-6.12/iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch b/queue-6.12/iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
new file mode 100644
index 0000000000..c113a2e024
--- /dev/null
+++ b/queue-6.12/iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
@@ -0,0 +1,52 @@
+From 307dc4240bd41852d9e0912921e298160db1c109 Mon Sep 17 00:00:00 2001
+From: Sam Daly
+Date: Thu, 14 May 2026 18:23:21 +0200
+Subject: iio: light: veml6075: add bounds check to veml6075_it_ms index
+
+From: Sam Daly
+
+commit 307dc4240bd41852d9e0912921e298160db1c109 upstream.
+
+veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield values 0-7.
+If it returns a value >= 5, this causes an out-of-bounds array access.
+Add a bounds check and return -EINVAL if the index is out of range.
+
+The problem values are reserved so should never be read from the
+register. Hence this is hardening against fault device, missprogramming
+or bus corruption.
+
+Assisted-by: gkh_clanker_2000
+Cc: stable
+Signed-off-by: Sam Daly
+Signed-off-by: Greg Kroah-Hartman
+Reviewed-by: Javier Carrasco
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/light/veml6075.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/light/veml6075.c
++++ b/drivers/iio/light/veml6075.c
+@@ -100,7 +100,7 @@ static const struct iio_chan_spec veml60
+
+ static int veml6075_request_measurement(struct veml6075_data *data)
+ {
+- int ret, conf, int_time;
++ int ret, conf, int_time, int_index;
+
+ ret = regmap_read(data->regmap, VEML6075_CMD_CONF, &conf);
+ if (ret < 0)
+@@ -117,7 +117,11 @@ static int veml6075_request_measurement(
+ * time for all possible configurations. Using a 1.50 factor simplifies
+ * operations and ensures reliability under all circumstances.
+ */
+- int_time = veml6075_it_ms[FIELD_GET(VEML6075_CONF_IT, conf)];
++ int_index = FIELD_GET(VEML6075_CONF_IT, conf);
++ if (int_index >= ARRAY_SIZE(veml6075_it_ms))
++ return -EINVAL;
++
++ int_time = veml6075_it_ms[int_index];
+ msleep(int_time + (int_time / 2));
+
+ /* shutdown again, data registers are still accessible */
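Review bot: `int_index` is declared as a signed `int` on the changed declaration line but compared with `ARRAY_SIZE(veml6075_it_ms)`, a size_t, so the new guard relies on the implicit signed-to-unsigned promotion and will trip -Wsign-compare. The value is a field extracted from `conf` by FIELD_GET and is non-negative in practice, so the check does reject every out-of-range code, but declaring it `unsigned int int_index;` states that intent and matches the companion ti-ads1298 patch in this same commit, which uses `unsigned int pga_idx` for the identical pattern. Splitting it out of the `int ret, conf, int_time` declaration would also keep that line's meaning (all signed) intact. veml6075_request_measurement continues outside the hunk on both sides.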
diff --git a/queue-6.12/input-rmi4-fix-bit-count-in-bitmap_copy.patch b/queue-6.12/input-rmi4-fix-bit-count-in-bitmap_copy.patch
new file mode 100644
index 0000000000..0177932fcb
--- /dev/null
+++ b/queue-6.12/input-rmi4-fix-bit-count-in-bitmap_copy.patch
@@ -0,0 +1,47 @@
+From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 4 May 2026 21:59:37 -0700
+Subject: Input: rmi4 - fix bit count in bitmap_copy()
+
+From: Dmitry Torokhov
+
+commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
+
+bitmap_copy() takes number of bits, not bytes (or longs). Correct
+the bit count in rmi_driver_set_irq_bits() and
+rmi_driver_clear_irq_bits().
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/rmi4/rmi_driver.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
+ __func__);
+ goto error_unlock;
+ }
+- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
+- data->num_of_irq_regs);
+
++ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
+ bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
+
+ error_unlock:
+@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
+ __func__);
+ goto error_unlock;
+ }
+- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
+- data->num_of_irq_regs);
++
++ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
+
+ error_unlock:
+ mutex_unlock(&data->irq_mutex);
diff --git a/queue-6.12/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch b/queue-6.12/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
new file mode 100644
index 0000000000..4542767c78
--- /dev/null
+++ b/queue-6.12/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
@@ -0,0 +1,37 @@
+From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 4 May 2026 21:59:35 -0700
+Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
+
+From: Dmitry Torokhov
+
+commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
+
+kfifo_put() returns 0 if the FIFO is full. In this case, we must
+free the memory allocated for the attention data to avoid a leak.
+
+Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/rmi4/rmi_driver.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
+ attn_data.size = size;
+ attn_data.data = fifo_data;
+
+- kfifo_put(&drvdata->attn_fifo, attn_data);
++ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
++ dev_warn_ratelimited(&rmi_dev->dev,
++ "Failed to enqueue attention data, FIFO full\n");
++ kfree(fifo_data);
++ }
+ }
+ EXPORT_SYMBOL_GPL(rmi_set_attn_data);
+
diff --git a/queue-6.12/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch b/queue-6.12/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
new file mode 100644
index 0000000000..2b07bcd9b2
--- /dev/null
+++ b/queue-6.12/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
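Review bot: When kfifo_put() fails, the whole attention record is dropped together with its irq_status, and because rmi_set_attn_data() returns void (its signature is cut off at the hunk start) the transport that produced it never learns that one interrupt's worth of events was lost; the rate-limited warning is the only trace. That is the right trade-off for a leak fix, but the new `kfree(fifo_data);` branch deserves a comment recording the decision so it is not later "improved" into a retry, e.g. `/* FIFO full: the record is lost and the caller cannot be told, so log and free it */`. The free itself is correct: `attn_data.data = fifo_data` is the only reference, and this is the single path on which the FIFO did not take ownership. rmi_set_attn_data starts outside the hunk.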
@@ -0,0 +1,53 @@
+From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 4 May 2026 21:59:34 -0700
+Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
+
+From: Dmitry Torokhov
+
+commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
+
+RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
+may overflow num_subpackets in struct rmi_register_desc_item which is
+defined as a u8.
+
+Fix this by changing the type of num_subpackets to u16.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/rmi4/rmi_driver.h | 2 +-
+ drivers/input/rmi4/rmi_f12.c | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.h
++++ b/drivers/input/rmi4/rmi_driver.h
+@@ -53,7 +53,7 @@ struct pdt_entry {
+ struct rmi_register_desc_item {
+ u16 reg;
+ unsigned long reg_size;
+- u8 num_subpackets;
++ u16 num_subpackets;
+ unsigned long subpacket_map[BITS_TO_LONGS(
+ RMI_REG_DESC_SUBPACKET_BITS)];
+ };
+--- a/drivers/input/rmi4/rmi_f12.c
++++ b/drivers/input/rmi4/rmi_f12.c
+@@ -467,6 +467,13 @@ static int rmi_f12_probe(struct rmi_func
+ f12->data1 = item;
+ f12->data1_offset = data_offset;
+ data_offset += item->reg_size;
++
++ if (item->num_subpackets > 255) {
++ dev_err(&fn->dev, "Too many fingers declared: %d\n",
++ item->num_subpackets);
++ return -EINVAL;
++ }
++
+ sensor->nbr_fingers = item->num_subpackets;
+ sensor->report_abs = 1;
+ sensor->attn_size += item->reg_size;
diff --git a/queue-6.12/input-rmi4-fix-register-descriptor-address-calculation.patch b/queue-6.12/input-rmi4-fix-register-descriptor-address-calculation.patch
new file mode 100644
index 0000000000..8c138b24f5
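Review bot: The new guard in rmi_f12_probe compares `item->num_subpackets` against the literal 255, which presumably encodes the width of `sensor->nbr_fingers` (its declaration is not in the hunk); if that field is a u8, `if (item->num_subpackets > U8_MAX) {` ties the limit to the type it protects instead of a magic number that silently goes stale if nbr_fingers is ever widened. Rejecting the descriptor with -EINVAL is the right outcome, since a count this large can only come from a misbehaving device or a corrupted read, and the dev_err makes that visible. The format `%d` is acceptable because the u16 promotes to int, though `%u` states the unsignedness. rmi_f12_probe starts and ends outside the hunk.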
--- /dev/null
+++ b/queue-6.12/input-rmi4-fix-register-descriptor-address-calculation.patch
@@ -0,0 +1,40 @@
+From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 4 May 2026 21:59:31 -0700
+Subject: Input: rmi4 - fix register descriptor address calculation
+
+From: Dmitry Torokhov
+
+commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
+
+When reading the register descriptor, the base address is incremented by
+1 to read the presence register block. However, after reading the
+presence register block, the address is incorrectly incremented by only
+1 byte (++addr) instead of the actual size of the presence block
+(size_presence_reg). This causes the subsequent structure block read to
+read from the wrong memory location if the presence block is larger than
+1 byte.
+
+Fix this by advancing the address by size_presence_reg.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/rmi4/rmi_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
+ ret = rmi_read_block(d, addr, buf, size_presence_reg);
+ if (ret)
+ return ret;
+- ++addr;
++ addr += size_presence_reg;
+
+ if (buf[0] == 0) {
+ presense_offset = 3;
diff --git a/queue-6.12/input-rmi4-fix-type-overflow-in-register-counts.patch b/queue-6.12/input-rmi4-fix-type-overflow-in-register-counts.patch
new file mode 100644
index 0000000000..0c40092d6c
--- /dev/null
+++ b/queue-6.12/input-rmi4-fix-type-overflow-in-register-counts.patch
@@ -0,0 +1,39 @@
+From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 4 May 2026 21:59:33 -0700
+Subject: Input: rmi4 - fix type overflow in register counts
+
+From: Dmitry Torokhov
+
+commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
+
+The number of registers in the RMI4 register descriptor is populated
+by counting the bits in the presence map using bitmap_weight(). Since
+the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
+storing this count in a u8 can overflow to 0 if all 256 bits are set.
+
+Change the num_registers field in struct rmi_register_descriptor
+from u8 to u16 to prevent potential integer overflow and ensure safe
+processing of devices reporting large descriptors.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/rmi4/rmi_driver.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.h
++++ b/drivers/input/rmi4/rmi_driver.h
+@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
+ struct rmi_register_descriptor {
+ unsigned long struct_size;
+ unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
+- u8 num_registers;
++ u16 num_registers;
+ struct rmi_register_desc_item *registers;
+ };
+
diff --git a/queue-6.12/input-rmi4-iterative-irq-handler.patch b/queue-6.12/input-rmi4-iterative-irq-handler.patch
new file mode 100644
index 0000000000..bed47cf0e6
--- /dev/null
+++ b/queue-6.12/input-rmi4-iterative-irq-handler.patch
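Review bot: Widening `num_registers` to u16 removes the wrap at the point where bitmap_weight() stores the count, but this header-only hunk cannot show whether every consumer keeps up: any loop over `registers[]` that uses a `u8` counter, or any copy of the count into a narrower local in rmi_driver.c, would still truncate at 256 entries, so those users deserve a matching audit. The field's upper bound is also implied only by the adjacent `presense_map` declaration; a comment on the changed line such as `u16 num_registers; /* <= RMI_REG_DESC_PRESENSE_BITS */` would record why u8 was insufficient, mirroring the companion num_subpackets widening in this same commit.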
@@ -0,0 +1,66 @@
+From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 4 May 2026 21:59:36 -0700
+Subject: Input: rmi4 - iterative IRQ handler
+
+From: Dmitry Torokhov
+
+commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
+
+The current IRQ handler uses recursion to drain the attention FIFO,
+which can lead to stack overflow on deep queues. Convert it to a
+loop.
+
+Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
+ struct rmi4_attn_data attn_data = {0};
+ int ret, count;
+
+- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
+- if (count) {
+- *(drvdata->irq_status) = attn_data.irq_status;
+- drvdata->attn_data = attn_data;
+- }
++ do {
++ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
++ if (count) {
++ *drvdata->irq_status = attn_data.irq_status;
++ drvdata->attn_data = attn_data;
++ }
+
+- ret = rmi_process_interrupt_requests(rmi_dev);
+- if (ret)
+- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
+- "Failed to process interrupt request: %d\n", ret);
++ ret = rmi_process_interrupt_requests(rmi_dev);
++ if (ret)
++ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
++ "Failed to process interrupt request: %d\n",
++ ret);
+
+- if (count) {
+- kfree(attn_data.data);
+- drvdata->attn_data.data = NULL;
+- }
+-
+- if (!kfifo_is_empty(&drvdata->attn_fifo))
+- return rmi_irq_fn(irq, dev_id);
++ if (count) {
++ kfree(attn_data.data);
++ drvdata->attn_data.data = NULL;
++ }
++ } while (!kfifo_is_empty(&drvdata->attn_fifo));
+
+ return IRQ_HANDLED;
+ }
diff --git a/queue-6.12/ksmbd-reject-non-valid-session-in-compound-request-branch.patch b/queue-6.12/ksmbd-reject-non-valid-session-in-compound-request-branch.patch
new file mode 100644
index 0000000000..ad18867d40
--- /dev/null
+++ b/queue-6.12/ksmbd-reject-non-valid-session-in-compound-request-branch.patch
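Review bot: The new `do { ... } while (!kfifo_is_empty(&drvdata->attn_fifo));` drains with no upper bound, so a producer that keeps the FIFO topped up (rmi_set_attn_data() per the sibling patch in this commit, not visible here) can keep this handler running indefinitely; the recursion it replaces at least failed loudly, whereas the loop fails by monopolising the IRQ thread. Snapshotting `kfifo_len(&drvdata->attn_fifo)` once before the loop and iterating at most that many times would bound the work per invocation, provided the producer raises the interrupt again for entries queued afterwards — that contract is not visible in the hunk and should be confirmed before capping. The first iteration still runs rmi_process_interrupt_requests() when kfifo_get() returns 0, which preserves the pre-patch behaviour for interrupts that arrive without queued attention data. rmi_irq_fn's opening lines are outside the hunk.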
@@ -0,0 +1,58 @@
+From 609ca17d869d04ba249e32cdcbf13c0b1c66f43c Mon Sep 17 00:00:00 2001
+From: Gil Portnoy
+Date: Thu, 11 Jun 2026 22:59:19 +0900
+Subject: ksmbd: reject non-VALID session in compound request branch
+
+From: Gil Portnoy
+
+commit 609ca17d869d04ba249e32cdcbf13c0b1c66f43c upstream.
+
+smb2_check_user_session() takes a shortcut for any operation that is not
+the first in a COMPOUND request: it reuses work->sess (the session bound by
+the first operation) and validates only the SessionId, then returns
+"valid". It never re-checks work->sess->state == SMB2_SESSION_VALID, and a
+SessionId of 0xFFFFFFFFFFFFFFFF (ULLONG_MAX, the MS-SMB2 related-operation
+value) skips even the id comparison. The standalone path
+(ksmbd_session_lookup_all() plus the SESSION_SETUP state machine) does
+enforce the VALID state; the compound branch bypasses all of it.
+
+A SESSION_SETUP carrying only an NTLM Type-1 (NtLmNegotiate) blob publishes
+a fresh SMB2_SESSION_IN_PROGRESS session whose sess->user is still NULL
+(->user is assigned later, by ntlm_authenticate()). Used as operation 1 of
+a COMPOUND with operation 2 = TREE_CONNECT (related, SessionId=ULLONG_MAX,
+\\host\IPC$), the tree-connect then runs on that IN_PROGRESS session and
+reaches ksmbd_ipc_tree_connect_request(), which dereferences
+user_name(sess->user) with sess->user == NULL (transport_ipc.c:687/701/704)
+-> remote NULL-pointer dereference and a kernel Oops that wedges the ksmbd
+worker for all clients.
+
+Reject any non-first compound operation that lands on a session which is
+not SMB2_SESSION_VALID, mirroring the validity the standalone lookup path
+enforces. SESSION_SETUP itself legitimately runs on an IN_PROGRESS session,
+but it is never carried as a non-first compound operation, so multi-leg
+authentication is unaffected by this check.
+
+Fixes: 5005bcb42191 ("ksmbd: validate session id and tree id in the compound request")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gil Portnoy
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -612,6 +612,11 @@ int smb2_check_user_session(struct ksmbd
+ sess_id, work->sess->id);
+ return -EINVAL;
+ }
++ if (work->sess->state != SMB2_SESSION_VALID) {
++ pr_err("compound request on a non-valid session (state %d)\n",
++ work->sess->state);
++ return -EINVAL;
++ }
+ return 1;
+ }
+
diff --git a/queue-6.12/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch b/queue-6.12/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
new file mode 100644
index 0000000000..d508767910
--- /dev/null
+++ b/queue-6.12/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
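Review bot: The new `pr_err(...)` fires on a condition that, per the commit message, any unauthenticated remote client can reach at will, so it becomes a log-flooding lever once the crash itself is fixed; `pr_err_ratelimited("compound request on a non-valid session (state %d)\n", work->sess->state);` keeps the diagnostic while denying a peer the ability to fill the kernel log. The preceding id-mismatch branch, whose logging call is cut off at the hunk start, is reachable the same way and likely deserves the same treatment. The placement is right: the state check sits after the id comparison and before `return 1`, so the ULLONG_MAX related-operation shortcut described in the message no longer bypasses it. smb2_check_user_session starts outside the hunk.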
@@ -0,0 +1,81 @@
+From 7d8bf3d8f91073f4db347ed3aa6302b56107499c Mon Sep 17 00:00:00 2001
+From: Ruslan Valiyev
+Date: Tue, 17 Mar 2026 17:05:44 +0000
+Subject: media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si
+
+From: Ruslan Valiyev
+
+commit 7d8bf3d8f91073f4db347ed3aa6302b56107499c upstream.
+
+syzbot reported a general protection fault in
+vidtv_psi_ts_psi_write_into [1].
+
+vidtv_mux_get_pid_ctx() can return NULL, but vidtv_mux_push_si() does
+not check for this before dereferencing the returned pointer to access
+the continuity counter. This leads to a general protection fault when
+accessing a near-NULL address.
+
+The root cause is that vidtv_mux_pid_ctx_init() does not check the
+return value of vidtv_mux_create_pid_ctx_once() for PMT section PIDs.
+If the allocation fails, the PID context is never created, but init
+returns success. The subsequent vidtv_mux_push_si() call then gets
+NULL from vidtv_mux_get_pid_ctx() and crashes.
+
+Fix both the root cause (add error check in vidtv_mux_pid_ctx_init
+for PMT PIDs) and add defensive NULL checks in vidtv_mux_push_si for
+all vidtv_mux_get_pid_ctx() calls.
+
+[1]
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+Workqueue: events vidtv_mux_tick
+RIP: 0010:vidtv_psi_ts_psi_write_into+0x54a/0xbc0 drivers/media/test-drivers/vidtv/vidtv_psi.c:197
+Call Trace:
+
+ vidtv_psi_table_header_write_into drivers/media/test-drivers/vidtv/vidtv_psi.c:799 [inline]
+ vidtv_psi_pmt_write_into+0x3b2/0xa70 drivers/media/test-drivers/vidtv/vidtv_psi.c:1231
+ vidtv_mux_push_si+0x932/0xe80 drivers/media/test-drivers/vidtv/vidtv_mux.c:196
+ vidtv_mux_tick+0xe9b/0x1480 drivers/media/test-drivers/vidtv/vidtv_mux.c:408
+
+Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+814c351d094f4f1a1b86@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
+Signed-off-by: Ruslan Valiyev
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/test-drivers/vidtv/vidtv_mux.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/test-drivers/vidtv/vidtv_mux.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_mux.c
+@@ -101,7 +101,8 @@ static int vidtv_mux_pid_ctx_init(struct
+ /* add a ctx for all PMT sections */
+ while (p) {
+ pid = vidtv_psi_get_pat_program_pid(p);
+- vidtv_mux_create_pid_ctx_once(m, pid);
++ if (!vidtv_mux_create_pid_ctx_once(m, pid))
++ goto free;
+ p = p->next;
+ }
+
+@@ -170,6 +171,9 @@ static u32 vidtv_mux_push_si(struct vidt
+ nit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_NIT_PID);
+ eit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_EIT_PID);
+
++ if (!pat_ctx || !sdt_ctx || !nit_ctx || !eit_ctx)
++ return 0;
++
+ pat_args.offset = m->mux_buf_offset;
+ pat_args.continuity_counter = &pat_ctx->cc;
+
+@@ -186,6 +190,8 @@ static u32 vidtv_mux_push_si(struct vidt
+ }
+
+ pmt_ctx = vidtv_mux_get_pid_ctx(m, pmt_pid);
++ if (!pmt_ctx)
++ continue;
+
+ pmt_args.offset = m->mux_buf_offset;
+ pmt_args.pmt = m->si.pmt_secs[i];
diff --git a/queue-6.12/serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch b/queue-6.12/serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
new file mode 100644
index 0000000000..d7256958ef
--- /dev/null
+++ b/queue-6.12/serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
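Review bot: The new `goto free;` in vidtv_mux_pid_ctx_init jumps to a label outside the hunk without visibly setting an error code, so whether the caller receives -ENOMEM or whatever value the function's return variable last held depends on code not shown; if `free:` returns a local status rather than a constant, that local must be set to -ENOMEM before the jump, otherwise the root-cause fix can still report success and leave the later NULL checks as the only defence. Those defensive checks in vidtv_mux_push_si (the `return 0` and the `continue`) are correct hardening, but they drop table output silently; a rate-limited warning at the `return 0` would keep an allocation failure from being masked as a stream that merely stops producing PSI. vidtv_mux_pid_ctx_init and vidtv_mux_push_si both start and end outside the hunks.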
@@ -0,0 +1,50 @@
+From b93062b6d8a1b2d9bad235cac25558a909819026 Mon Sep 17 00:00:00 2001
+From: Viken Dadhaniya
+Date: Thu, 28 May 2026 22:48:07 +0530
+Subject: serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero
+
+From: Viken Dadhaniya
+
+commit b93062b6d8a1b2d9bad235cac25558a909819026 upstream.
+
+In qcom_geni_serial_handle_rx_dma(), geni_se_rx_dma_unprep() clears
+port->rx_dma_addr before SE_DMA_RX_LEN_IN is read. If the register is zero,
+for example when the RX stale counter fires on an idle line, the handler
+returns without calling geni_se_rx_dma_prep().
+
+The next RX DMA interrupt then hits the !port->rx_dma_addr guard and
+returns immediately, so the RX DMA buffer is never rearmed and later input
+is lost.
+
+Keep the handler on the rearm path when rx_in is zero. Warn about the
+unexpected zero-length DMA completion, skip received-data handling, and
+always call geni_se_rx_dma_prep().
+
+Fixes: 2aaa43c70778 ("tty: serial: qcom-geni-serial: add support for serial engine DMA")
+Cc: stable@vger.kernel.org
+Reviewed-by: Bartosz Golaszewski
+Signed-off-by: Viken Dadhaniya
+Link: https://patch.msgid.link/20260528-serial-rx-0-byte-fix-v2-1-b4195cfe342f@oss.qualcomm.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/qcom_geni_serial.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/serial/qcom_geni_serial.c
++++ b/drivers/tty/serial/qcom_geni_serial.c
+@@ -867,12 +867,9 @@ static void qcom_geni_serial_handle_rx_d
+ port->rx_dma_addr = 0;
+
+ rx_in = readl(uport->membase + SE_DMA_RX_LEN_IN);
+- if (!rx_in) {
+- dev_warn(uport->dev, "serial engine reports 0 RX bytes in!\n");
+- return;
+- }
+-
+- if (!drop)
++ if (!rx_in)
++ dev_warn_ratelimited(uport->dev, "serial engine reports 0 RX bytes in!\n");
++ else if (!drop)
+ handle_rx_uart(uport, rx_in);
+
+ ret = geni_se_rx_dma_prep(&port->se, port->rx_buf,
diff --git a/queue-6.12/series b/queue-6.12/series
index f075319a59..52d924faed 100644
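Review bot: The rewritten `if (!rx_in) ... else if (!drop)` chain no longer explains why a zero-length completion must fall through to geni_se_rx_dma_prep(); the reasoning lives only in the commit message, and the old early `return` looked perfectly sensible, so a future cleanup could reintroduce it. A comment above the new `if (!rx_in)` would pin it down, e.g. `/* A zero-length completion (e.g. the stale timer on an idle line) must still re-arm RX DMA below, otherwise rx_dma_addr stays 0 and later input is lost. */`. Switching to dev_warn_ratelimited is the right call since an idle line can produce this repeatedly. qcom_geni_serial_handle_rx_dma continues outside the hunk on both sides.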
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -83,3 +83,16 @@ scripts-sorttable-allow-matches-to-functions-before-function-entry.patch
 scripts-sorttable-fix-endianness-handling-in-build-time-mcount-sort.patch
 net-ipv6-make-udp_tunnel6_xmit_skb-void.patch
 sctp-disable-bh-before-calling-udp_tunnel_xmit_skb.patch
+iio-light-veml6075-add-bounds-check-to-veml6075_it_ms-index.patch
+iio-adc-ti-ads1298-add-bounds-check-to-pga_settings-index.patch
+input-rmi4-fix-register-descriptor-address-calculation.patch
+input-rmi4-fix-type-overflow-in-register-counts.patch
+input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
+input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
+input-rmi4-iterative-irq-handler.patch
+input-rmi4-fix-bit-count-in-bitmap_copy.patch
+vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
+serial-qcom_geni-fix-rx-dma-stall-when-se_dma_rx_len_in-is-zero.patch
+ksmbd-reject-non-valid-session-in-compound-request-branch.patch
+media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
+virtiofs-fix-uaf-on-submount-umount.patch
diff --git a/queue-6.12/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch b/queue-6.12/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
new file mode 100644
index 0000000000..6db9094c53
--- /dev/null
+++ b/queue-6.12/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
@@ -0,0 +1,46 @@
+From a287620312dc6dcb9a093417a0e589bf30fcf38a Mon Sep 17 00:00:00 2001
+From: Yi Yang
+Date: Thu, 4 Jun 2026 06:07:34 +0000
+Subject: vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
+
+From: Yi Yang
+
+commit a287620312dc6dcb9a093417a0e589bf30fcf38a upstream.
+
+A KASAN null-ptr-deref was observed in vcs_notifier():
+
+BUG: KASAN: null-ptr-deref in vcs_notifier+0x98/0x130
+Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {}
+
+The issue is a race condition in vcs_write(). When the console_lock is
+temporarily dropped (to copy data from userspace), the vc_data pointer
+obtained from vcs_vc() may become stale. After re-acquiring the lock,
+vcs_vc() is called again to re-validate the pointer. If the vc has been
+deallocated in the meantime, vcs_vc() returns NULL, and the while loop
+breaks (with written > 0). However, after the loop, vcs_scr_updated(vc)
+is still called with the now-NULL vc pointer, leading to a null pointer
+dereference in the notifier chain (vcs_notifier dereferences param->vc).
+
+Fix this by adding a NULL check for vc before calling vcs_scr_updated().
+
+Fixes: 8fb9ea65c9d1 ("vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yi Yang
+Reviewed-by: Jiri Slaby
+Link: https://patch.msgid.link/20260604060734.2914976-1-yiyang13@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/vt/vc_screen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -699,7 +699,7 @@ vcs_write(struct file *file, const char
+ }
+ *ppos += written;
+ ret = written;
+- if (written)
++ if (written && vc)
+ vcs_scr_updated(vc);
+
+ unlock_out:
diff --git a/queue-6.12/virtiofs-fix-uaf-on-submount-umount.patch b/queue-6.12/virtiofs-fix-uaf-on-submount-umount.patch
new file mode 100644
index 0000000000..e491ddadb1
--- /dev/null
+++ b/queue-6.12/virtiofs-fix-uaf-on-submount-umount.patch 
@@ -0,0 +1,53 @@
+From 06b41351779e9289e8785694ade9042ae85e41ea Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Thu, 28 May 2026 10:58:24 +0200
+Subject: virtiofs: fix UAF on submount umount
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miklos Szeredi
+
+commit 06b41351779e9289e8785694ade9042ae85e41ea upstream.
+
+iput() called from fuse_release_end() can Oops if the super block has
+already been destroyed. Normally this is prevented by waiting for
+num_waiting to go down to zero before commencing with super block shutdown.
+
+This only works, however, for the last submount instance, as the wait
+counter is per connection, not per superblock.
+
+Revert to using synchronous release requests for the auto_submounts case,
+which is virtiofs only at this time.
+
+Reported-by: Aurélien Bombo
+Reported-by: Zhihao Cheng
+Cc: Greg Kurz
+Closes: https://github.com/kata-containers/kata-containers/issues/12589
+Fixes: 26e5c67deb2e ("fuse: fix livelock in synchronous file put from fuseblk workers")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kurz
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/file.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -373,8 +373,14 @@ void fuse_file_release(struct inode *ino
+ * aio and closes the fd before the aio completes. Since aio takes its
+ * own ref to the file, the IO completion has to drop the ref, which is
+ * how the fuse server can end up closing its clients' files.
++ *
++ * Exception is virtio-fs, which is not affected by the above (server is
++ * on host, cannot close open files in guest). Virtio-fs needs sync
++ * release, because the num_waiting mechanism to wait for all requests
++ * before commencing with fs shutdown doesn't work if submounts are
++ * used.
+ */
+- fuse_file_put(ff, false);
++ fuse_file_put(ff, ff->fm->fc->auto_submounts);
+ }
+
+ void fuse_release_common(struct file *file, bool isdir)
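Review bot: The new comment explains why virtio-fs needs a synchronous release, but the code keys the decision on `ff->fm->fc->auto_submounts`, and nothing in the comment says that this flag is being used as a stand-in for "is virtio-fs"; the commit message admits the equivalence only holds "at this time". A future filesystem that enables auto_submounts would silently inherit synchronous release, including the livelock exposure for fuseblk workers that the Fixes: commit addressed, without anyone noticing the proxy. One added sentence in the comment block would carry that caveat, e.g. `* auto_submounts is used as the virtio-fs indicator since it is its only user at present; revisit if that changes.` fuse_file_release starts outside the hunk.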