From: Greg Kroah-Hartman Date: Tue, 23 Dec 2025 16:53:15 +0000 (+0100) Subject: 5.10-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d7314c5f1ddf8dfe7b9a3a5f74eec711b830fa04;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch input-lkkbd-disable-pending-work-before-freeing-device.patch input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
---
diff --git a/queue-5.10/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch b/queue-5.10/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
new file mode 100644
index 0000000000..432e81d755
--- /dev/null
+++ b/queue-5.10/acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
@@ -0,0 +1,40 @@
+From 6ea3a44cef28add2d93b1ef119d84886cb1e3c9b Mon Sep 17 00:00:00 2001
+From: Pengjie Zhang
+Date: Wed, 10 Dec 2025 21:22:27 +0800
+Subject: ACPI: CPPC: Fix missing PCC check for guaranteed_perf
+
+From: Pengjie Zhang
+
+commit 6ea3a44cef28add2d93b1ef119d84886cb1e3c9b upstream.
+
+The current implementation overlooks the 'guaranteed_perf'
+register in this check.
+
+If the Guaranteed Performance register is located in the PCC
+subspace, the function currently attempts to read it without
+acquiring the lock and without sending the CMD_READ doorbell
+to the firmware. This can result in reading stale data.
+
+Fixes: 29523f095397 ("ACPI / CPPC: Add support for guaranteed performance")
+Signed-off-by: Pengjie Zhang
+Cc: 4.20+ # 4.20+
+[ rjw: Subject and changelog edits ]
+Link: https://patch.msgid.link/20251210132227.1988380-1-zhangpengjie2@huawei.com
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/cppc_acpi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -1097,7 +1097,8 @@ int cppc_get_perf_caps(int cpunum, struc
+ /* Are any of the regs PCC ?*/
+ if (CPC_IN_PCC(highest_reg) || CPC_IN_PCC(lowest_reg) ||
+ CPC_IN_PCC(lowest_non_linear_reg) || CPC_IN_PCC(nominal_reg) ||
+- CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg)) {
++ CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg) ||
++ CPC_IN_PCC(guaranteed_reg)) {
+ if (pcc_ss_id < 0) {
+ pr_debug("Invalid pcc_ss_id\n");
+ return -ENODEV;
diff --git a/queue-5.10/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch b/queue-5.10/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
new file mode 100644
index 0000000000..2890c436d6
--- /dev/null
+++ b/queue-5.10/hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
@@ -0,0 +1,70 @@
+From 7953794f741e94d30df9dafaaa4c031c85b891d6 Mon Sep 17 00:00:00 2001
+From: Ping Cheng
+Date: Mon, 27 Oct 2025 13:37:42 -0700
+Subject: HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen
+
+From: Ping Cheng
+
+commit 7953794f741e94d30df9dafaaa4c031c85b891d6 upstream.
+
+HID_GD_Z is mapped to ABS_Z for stylus and pen in hid-input.c. But HID_GD_Z
+should be used to report ABS_DISTANCE for stylus and pen as described at:
+Documentation/input/event-codes.rst#n226
+
+* ABS_DISTANCE:
+
+ - Used to describe the distance of a tool from an interaction surface. This
+ event should only be emitted while the tool is hovering, meaning in close
+ proximity of the device and while the value of the BTN_TOUCH code is 0. If
+ the input device may be used freely in three dimensions, consider ABS_Z
+ instead.
+ - BTN_TOOL_ should be set to 1 when the tool comes into detectable
+ proximity and set to 0 when the tool leaves detectable proximity.
+ BTN_TOOL_ signals the type of tool that is currently detected by the
+ hardware and is otherwise independent of ABS_DISTANCE and/or BTN_TOUCH.
+
+This patch makes the correct mapping. The ABS_DISTANCE is currently not mapped
+by any HID usage in hid-generic driver.
+
+Signed-off-by: Ping Cheng
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-input.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-input.c
++++ b/drivers/hid/hid-input.c
+@@ -718,7 +718,7 @@ static void hidinput_configure_usage(str
+
+ switch (usage->hid) {
+ /* These usage IDs map directly to the usage codes. */
+- case HID_GD_X: case HID_GD_Y: case HID_GD_Z:
++ case HID_GD_X: case HID_GD_Y:
+ case HID_GD_RX: case HID_GD_RY: case HID_GD_RZ:
+ if (field->flags & HID_MAIN_ITEM_RELATIVE)
+ map_rel(usage->hid & 0xf);
+@@ -726,6 +726,22 @@ static void hidinput_configure_usage(str
+ map_abs_clear(usage->hid & 0xf);
+ break;
+
++ case HID_GD_Z:
++ /* HID_GD_Z is mapped to ABS_DISTANCE for stylus/pen */
++ if (field->flags & HID_MAIN_ITEM_RELATIVE) {
++ map_rel(usage->hid & 0xf);
++ } else {
++ if (field->application == HID_DG_PEN ||
++ field->physical == HID_DG_PEN ||
++ field->logical == HID_DG_STYLUS ||
++ field->physical == HID_DG_STYLUS ||
++ field->application == HID_DG_DIGITIZER)
++ map_abs_clear(ABS_DISTANCE);
++ else
++ map_abs_clear(usage->hid & 0xf);
++ }
++ break;
++
+ case HID_GD_WHEEL:
+ if (field->flags & HID_MAIN_ITEM_RELATIVE) {
+ set_bit(REL_WHEEL, input->relbit);
diff --git a/queue-5.10/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch b/queue-5.10/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
new file mode 100644
index 0000000000..569606ef88
--- /dev/null
+++ b/queue-5.10/input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
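Review bot: The new `case HID_GD_Z:` remaps Z to `ABS_DISTANCE` whenever `field->application == HID_DG_DIGITIZER`, which is wider than the "stylus/pen" named in the comment and the subject, so any absolute Z usage under a digitizer application collection changes its event code. That is a userspace-visible change for a stable tree; if it is intended, the comment should say so, e.g. `/* Pens, styluses and any digitizer application report Z as hover distance (ABS_DISTANCE) */`. The five-way test would read better as a small predicate, and the `else { if ... }` nesting can be flattened to `else if`. hidinput_configure_usage() starts and ends outside the hunk.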
@@ -0,0 +1,39 @@
+From aed3716db7fff74919cc5775ca3a80c8bb246489 Mon Sep 17 00:00:00 2001
+From: Christoffer Sandberg
+Date: Mon, 24 Nov 2025 21:31:34 +0100
+Subject: Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table
+
+From: Christoffer Sandberg
+
+commit aed3716db7fff74919cc5775ca3a80c8bb246489 upstream.
+
+The device occasionally wakes up from suspend with missing input on the
+internal keyboard and the following suspend attempt results in an instant
+wake-up. The quirks fix both issues for this device.
+
+Signed-off-by: Christoffer Sandberg
+Signed-off-by: Werner Sembach
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251124203336.64072-1-wse@tuxedocomputers.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/serio/i8042-acpipnpio.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-acpipnpio.h
++++ b/drivers/input/serio/i8042-acpipnpio.h
+@@ -1169,6 +1169,13 @@ static const struct dmi_system_id i8042_
+ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
+ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
+ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_BOARD_NAME, "X5KK45xS_X5SP45xS"),
++ },
++ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
++ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
++ },
+ /*
+ * A lot of modern Clevo barebones have touchpad and/or keyboard issues
+ * after suspend fixable with nomux + reset + noloop + nopnp. Luckily,
diff --git a/queue-5.10/input-lkkbd-disable-pending-work-before-freeing-device.patch b/queue-5.10/input-lkkbd-disable-pending-work-before-freeing-device.patch
new file mode 100644
index 0000000000..cac32540b0
--- /dev/null
+++ b/queue-5.10/input-lkkbd-disable-pending-work-before-freeing-device.patch
@@ -0,0 +1,52 @@
+From e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c Mon Sep 17 00:00:00 2001
+From: Minseong Kim
+Date: Fri, 12 Dec 2025 00:29:23 -0800
+Subject: Input: lkkbd - disable pending work before freeing device
+
+From: Minseong Kim
+
+commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream.
+
+lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
+handler lkkbd_reinit() dereferences the lkkbd structure and its
+serio/input_dev fields.
+
+lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
+structure without preventing the reinit work from being queued again
+until serio_close() returns. This can allow the work handler to run
+after the structure has been freed, leading to a potential use-after-free.
+
+Use disable_work_sync() instead of cancel_work_sync() to ensure the
+reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
+and in lkkbd_connect() error paths after serio_open().
+
+Signed-off-by: Minseong Kim
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/keyboard/lkkbd.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/keyboard/lkkbd.c
++++ b/drivers/input/keyboard/lkkbd.c
+@@ -673,7 +673,8 @@ static int lkkbd_connect(struct serio *s
+
+ return 0;
+
+- fail3: serio_close(serio);
++ fail3: disable_work_sync(&lk->tq);
++ serio_close(serio);
+ fail2: serio_set_drvdata(serio, NULL);
+ fail1: input_free_device(input_dev);
+ kfree(lk);
+@@ -687,6 +688,8 @@ static void lkkbd_disconnect(struct seri
+ {
+ struct lkkbd *lk = serio_get_drvdata(serio);
+
++ disable_work_sync(&lk->tq);
++
+ input_get_device(lk->dev);
+ input_unregister_device(lk->dev);
+ serio_close(serio);
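Review bot: `disable_work_sync()` is, as far as I know, a workqueue helper that entered mainline well after the 5.10 series, so both added calls (the `fail3:` path in lkkbd_connect() and the top of lkkbd_disconnect()) may not build on this tree unless a backport of that helper is already queued; confirm this before release. If the helper is absent, a 5.10-specific variant would have to close the port first, so that lkkbd_interrupt() can no longer queue the work, and then call `cancel_work_sync(&lk->tq);` before `kfree(lk)`. Both function bodies continue outside the hunk, so the ordering against the rest of the teardown is not visible here.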
diff --git a/queue-5.10/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch b/queue-5.10/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
new file mode 100644
index 0000000000..a368a9bc9f
--- /dev/null
+++ b/queue-5.10/input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
@@ -0,0 +1,38 @@
+From 248d3a73a0167dce15ba100477c3e778c4787178 Mon Sep 17 00:00:00 2001
+From: Junjie Cao
+Date: Thu, 18 Dec 2025 21:56:59 -0800
+Subject: Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
+
+From: Junjie Cao
+
+commit 248d3a73a0167dce15ba100477c3e778c4787178 upstream.
+
+The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows
+wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds
+access when used as index in 'config_pins[wire_order[i]]'.
+
+Since config_pins has 4 elements (indices 0-3), the valid range for
+wire_order should be 0-3. Fix the off-by-one error by using >= instead
+of > in the validation check.
+
+Signed-off-by: Junjie Cao
+Link: https://patch.msgid.link/20251114062817.852698-1-junjie.cao@intel.com
+Fixes: bb76dc09ddfc ("input: ti_am33x_tsc: Order of TSC wires, made configurable")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/touchscreen/ti_am335x_tsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/ti_am335x_tsc.c
++++ b/drivers/input/touchscreen/ti_am335x_tsc.c
+@@ -86,7 +86,7 @@ static int titsc_config_wires(struct tit
+ wire_order[i] = ts_dev->config_inp[i] & 0x0F;
+ if (WARN_ON(analog_line[i] > 7))
+ return -EINVAL;
+- if (WARN_ON(wire_order[i] > ARRAY_SIZE(config_pins)))
++ if (WARN_ON(wire_order[i] >= ARRAY_SIZE(config_pins)))
+ return -EINVAL;
+ }
+
diff --git a/queue-5.10/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch b/queue-5.10/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch
new file mode 100644
index 0000000000..85b8883ae6
--- /dev/null
+++ b/queue-5.10/net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch
@@ -0,0 +1,85 @@
+From 188e0fa5a679570ea35474575e724d8211423d17 Mon Sep 17 00:00:00 2001
+From: Shaurya Rane
+Date: Sat, 29 Nov 2025 15:07:18 +0530
+Subject: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
+
+From: Shaurya Rane
+
+commit 188e0fa5a679570ea35474575e724d8211423d17 upstream.
+
+prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std
+but doesn't check if the allocation failed. If __pskb_copy() returns
+NULL, skb_clone() is called with a NULL pointer, causing a crash:
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI
+KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
+CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041
+Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c
+RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207
+RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480
+RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000
+RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee
+R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000
+R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00
+FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0
+Call Trace:
+
+ hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]
+ hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741
+ hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84
+ __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966
+ __netif_receive_skb_one_core net/core/dev.c:6077 [inline]
+ __netif_receive_skb+0x72/0x380 net/core/dev.c:6192
+ netif_receive_skb_internal net/core/dev.c:6278 [inline]
+ netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337
+ tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485
+ tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953
+ tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x5c9/0xb30 fs/read_write.c:686
+ ksys_write+0x145/0x250 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f0449f8e1ff
+Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
+RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff
+RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8
+RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000
+R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001
+R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003
+
+
+Add a NULL check immediately after __pskb_copy() to handle allocation
+failures gracefully.
+
+Reported-by: syzbot+2fa344348a579b779e05@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2fa344348a579b779e05
+Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shaurya Rane
+Reviewed-by: Felix Maurer
+Tested-by: Felix Maurer
+Link: https://patch.msgid.link/20251129093718.25320-1-ssrane_b23@ee.vjti.ac.in
+Signed-off-by: Paolo Abeni
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/hsr/hsr_forward.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -134,6 +134,8 @@ struct sk_buff *prp_get_untagged_frame(s
+ __pskb_copy(frame->skb_prp,
+ skb_headroom(frame->skb_prp),
+ GFP_ATOMIC);
++ if (!frame->skb_std)
++ return NULL;
+ } else {
+ /* Unexpected */
+ WARN_ONCE(1, "%s:%d: Unexpected frame received (port_src %s)\n",
diff --git a/queue-5.10/series b/queue-5.10/series
index ad303286e9..cfe900d896 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -191,3 +191,10 @@ mips-fix-a-reference-leak-bug-in-ip22_check_gio.patch
 block-rnbd-remove-a-useless-mutex.patch
 block-rnbd-clt-fix-wrong-max-id-in-ida_alloc_max.patch
 block-rnbd-clt-fix-leaked-id-in-init_dev.patch
+hid-input-map-hid_gd_z-to-abs_distance-for-stylus-pen.patch
+input-ti_am335x_tsc-fix-off-by-one-error-in-wire_order-validation.patch
+input-lkkbd-disable-pending-work-before-freeing-device.patch
+input-i8042-add-tuxedo-infinitybook-max-gen10-amd-to-i8042-quirk-table.patch
+acpi-cppc-fix-missing-pcc-check-for-guaranteed_perf.patch
+spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
+net-hsr-fix-null-pointer-dereference-in-prp_get_untagged_frame.patch
diff --git a/queue-5.10/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch b/queue-5.10/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch
new file mode 100644
index 0000000000..8db63b1541
--- /dev/null
+++ b/queue-5.10/spi-fsl-cpm-check-length-parity-before-switching-to-16-bit-mode.patch 
@@ -0,0 +1,46 @@
+From 1417927df8049a0194933861e9b098669a95c762 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy
+Date: Thu, 20 Nov 2025 09:34:49 +0100
+Subject: spi: fsl-cpm: Check length parity before switching to 16 bit mode
+
+From: Christophe Leroy
+
+commit 1417927df8049a0194933861e9b098669a95c762 upstream.
+
+Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers
+with even size") failed to make sure that the size is really even
+before switching to 16 bit mode. Until recently the problem went
+unnoticed because kernfs uses a pre-allocated bounce buffer of size
+PAGE_SIZE for reading EEPROM.
+
+But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API")
+introduced an additional dynamically allocated bounce buffer whose size
+is exactly the size of the transfer, leading to a buffer overrun in
+the fsl-cpm driver when that size is odd.
+
+Add the missing length parity verification and remain in 8 bit mode
+when the length is not even.
+
+Fixes: fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size")
+Cc: stable@vger.kernel.org
+Closes: https://lore.kernel.org/all/638496dd-ec60-4e53-bad7-eb657f67d580@csgroup.eu/
+Signed-off-by: Christophe Leroy
+Reviewed-by: Sverdlin Alexander
+Link: https://patch.msgid.link/3c4d81c3923c93f95ec56702a454744a4bad3cfc.1763627618.git.christophe.leroy@csgroup.eu
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-fsl-spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-fsl-spi.c
++++ b/drivers/spi/spi-fsl-spi.c
+@@ -369,7 +369,7 @@ static int fsl_spi_do_one_msg(struct spi
+ if (t->bits_per_word == 16 || t->bits_per_word == 32)
+ t->bits_per_word = 8; /* pretend its 8 bits */
+ if (t->bits_per_word == 8 && t->len >= 256 &&
+- (mpc8xxx_spi->flags & SPI_CPM1))
++ !(t->len & 1) && (mpc8xxx_spi->flags & SPI_CPM1))
+ t->bits_per_word = 16;
+ }
+ }
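Review bot: The added `!(t->len & 1)` term in fsl_spi_do_one_msg() is the only thing keeping an odd-length transfer out of 16-bit mode, yet nothing at the condition says why; the changelog ties it to a buffer overrun on exactly-sized bounce buffers. A short comment above the `if`, such as `/* 16-bit mode needs an even length; an odd one would overrun an exactly-sized buffer */`, would keep a later cleanup from dropping the test. The surrounding loop and function body lie outside the hunk.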