From 4af81cfcc4097fbcc8784e795142a1c68bc6b996 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 17 Feb 2026 13:57:21 +0100 Subject: [PATCH] 6.12-stable patches added patches: f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch f2fs-fix-to-check-sysfs-filename-w-gc_pin_file_thresh-correctly.patch fbdev-rivafb-fix-divide-error-in-nv3_arb.patch fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch --- ...access-in-sysfs-attribute-read-write.patch | 170 ++++++++++++++++++ ...o-add-gc-count-stat-in-f2fs_gc_range.patch | 31 ++++ ...ng-wrong-physical-block-for-swapfile.patch | 140 +++++++++++++++ ...ename-w-gc_pin_file_thresh-correctly.patch | 32 ++++ ...v-rivafb-fix-divide-error-in-nv3_arb.patch | 65 +++++++ ...rly-copy-ioctl-memory-to-kernelspace.patch | 57 ++++++ queue-6.12/series | 6 + 7 files changed, 501 insertions(+) create mode 100644 queue-6.12/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch create mode 100644 queue-6.12/f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch create mode 100644 queue-6.12/f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch create mode 100644 queue-6.12/f2fs-fix-to-check-sysfs-filename-w-gc_pin_file_thresh-correctly.patch create mode 100644 queue-6.12/fbdev-rivafb-fix-divide-error-in-nv3_arb.patch create mode 100644 queue-6.12/fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch diff --git a/queue-6.12/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch b/queue-6.12/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch new file mode 100644 index 0000000000..fb0e10f4f9 --- /dev/null +++ b/queue-6.12/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch @@ -0,0 +1,170 @@ +From 98ea0039dbfdd00e5cc1b9a8afa40434476c0955 Mon Sep 17 00:00:00 2001 +From: Yongpeng Yang +Date: Wed, 7 Jan 2026 10:33:46 +0800 +Subject: f2fs: fix out-of-bounds access in sysfs attribute read/write + +From: Yongpeng Yang + +commit 98ea0039dbfdd00e5cc1b9a8afa40434476c0955 upstream. + +Some f2fs sysfs attributes suffer from out-of-bounds memory access and +incorrect handling of integer values whose size is not 4 bytes. + +For example: +vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out +vm:~# cat /sys/fs/f2fs/vde/carve_out +65537 +vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold +vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold +1 + +carve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit +integer. However, the sysfs interface allows setting it to a value +larger than 255, resulting in an out-of-range update. + +atgc_age_threshold maps to {struct atgc_management}->age_threshold, +which is a 64-bit integer, but its sysfs interface cannot correctly set +values larger than UINT_MAX. + +The root causes are: +1. __sbi_store() treats all default values as unsigned int, which +prevents updating integers larger than 4 bytes and causes out-of-bounds +writes for integers smaller than 4 bytes. + +2. f2fs_sbi_show() also assumes all default values are unsigned int, +leading to out-of-bounds reads and incorrect access to integers larger +than 4 bytes. + +This patch introduces {struct f2fs_attr}->size to record the actual size +of the integer associated with each sysfs attribute. With this +information, sysfs read and write operations can correctly access and +update values according to their real data size, avoiding memory +corruption and truncation. + +Fixes: b59d0bae6ca3 ("f2fs: add sysfs support for controlling the gc_thread") +Cc: stable@kernel.org +Signed-off-by: Jinbao Liu +Signed-off-by: Yongpeng Yang +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/sysfs.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 52 insertions(+), 8 deletions(-) + +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -58,6 +58,7 @@ struct f2fs_attr { + const char *buf, size_t len); + int struct_type; + int offset; ++ int size; + int id; + }; + +@@ -325,11 +326,30 @@ static ssize_t main_blkaddr_show(struct + (unsigned long long)MAIN_BLKADDR(sbi)); + } + ++static ssize_t __sbi_show_value(struct f2fs_attr *a, ++ struct f2fs_sb_info *sbi, char *buf, ++ unsigned char *value) ++{ ++ switch (a->size) { ++ case 1: ++ return sysfs_emit(buf, "%u\n", *(u8 *)value); ++ case 2: ++ return sysfs_emit(buf, "%u\n", *(u16 *)value); ++ case 4: ++ return sysfs_emit(buf, "%u\n", *(u32 *)value); ++ case 8: ++ return sysfs_emit(buf, "%llu\n", *(u64 *)value); ++ default: ++ f2fs_bug_on(sbi, 1); ++ return sysfs_emit(buf, ++ "show sysfs node value with wrong type\n"); ++ } ++} ++ + static ssize_t f2fs_sbi_show(struct f2fs_attr *a, + struct f2fs_sb_info *sbi, char *buf) + { + unsigned char *ptr = NULL; +- unsigned int *ui; + + ptr = __struct_ptr(sbi, a->struct_type); + if (!ptr) +@@ -409,9 +429,30 @@ static ssize_t f2fs_sbi_show(struct f2fs + atomic_read(&sbi->cp_call_count[BACKGROUND])); + #endif + +- ui = (unsigned int *)(ptr + a->offset); ++ return __sbi_show_value(a, sbi, buf, ptr + a->offset); ++} + +- return sysfs_emit(buf, "%u\n", *ui); ++static void __sbi_store_value(struct f2fs_attr *a, ++ struct f2fs_sb_info *sbi, ++ unsigned char *ui, unsigned long value) ++{ ++ switch (a->size) { ++ case 1: ++ *(u8 *)ui = value; ++ break; ++ case 2: ++ *(u16 *)ui = value; ++ break; ++ case 4: ++ *(u32 *)ui = value; ++ break; ++ case 8: ++ *(u64 *)ui = value; ++ break; ++ default: ++ f2fs_bug_on(sbi, 1); ++ f2fs_err(sbi, "store sysfs node value with wrong type"); ++ } + } + + static ssize_t __sbi_store(struct f2fs_attr *a, +@@ -868,7 +909,7 @@ out: + return count; + } + +- *ui = (unsigned int)t; ++ __sbi_store_value(a, sbi, ptr + a->offset, t); + + return count; + } +@@ -1015,24 +1056,27 @@ static struct f2fs_attr f2fs_attr_sb_##_ + .id = F2FS_FEATURE_##_feat, \ + } + +-#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset) \ ++#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset, _size) \ + static struct f2fs_attr f2fs_attr_##_name = { \ + .attr = {.name = __stringify(_name), .mode = _mode }, \ + .show = _show, \ + .store = _store, \ + .struct_type = _struct_type, \ +- .offset = _offset \ ++ .offset = _offset, \ ++ .size = _size \ + } + + #define F2FS_RO_ATTR(struct_type, struct_name, name, elname) \ + F2FS_ATTR_OFFSET(struct_type, name, 0444, \ + f2fs_sbi_show, NULL, \ +- offsetof(struct struct_name, elname)) ++ offsetof(struct struct_name, elname), \ ++ sizeof_field(struct struct_name, elname)) + + #define F2FS_RW_ATTR(struct_type, struct_name, name, elname) \ + F2FS_ATTR_OFFSET(struct_type, name, 0644, \ + f2fs_sbi_show, f2fs_sbi_store, \ +- offsetof(struct struct_name, elname)) ++ offsetof(struct struct_name, elname), \ ++ sizeof_field(struct struct_name, elname)) + + #define F2FS_GENERAL_RO_ATTR(name) \ + static struct f2fs_attr f2fs_attr_##name = __ATTR(name, 0444, name##_show, NULL) diff --git a/queue-6.12/f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch b/queue-6.12/f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch new file mode 100644 index 0000000000..a1509dd66e --- /dev/null +++ b/queue-6.12/f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch @@ -0,0 +1,31 @@ +From 761dac9073cd67d4705a94cd1af674945a117f4c Mon Sep 17 00:00:00 2001 +From: Zhiguo Niu +Date: Fri, 26 Dec 2025 10:56:04 +0800 +Subject: f2fs: fix to add gc count stat in f2fs_gc_range + +From: Zhiguo Niu + +commit 761dac9073cd67d4705a94cd1af674945a117f4c upstream. + +It missed the stat count in f2fs_gc_range. + +Cc: stable@kernel.org +Fixes: 9bf1dcbdfdc8 ("f2fs: fix to account gc stats correctly") +Signed-off-by: Zhiguo Niu +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/gc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -2072,6 +2072,7 @@ int f2fs_gc_range(struct f2fs_sb_info *s + if (unlikely(f2fs_cp_error(sbi))) + return -EIO; + ++ stat_inc_gc_call_count(sbi, FOREGROUND); + for (segno = start_seg; segno <= end_seg; segno += SEGS_PER_SEC(sbi)) { + struct gc_inode_list gc_list = { + .ilist = LIST_HEAD_INIT(gc_list.ilist), diff --git a/queue-6.12/f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch b/queue-6.12/f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch new file mode 100644 index 0000000000..ceed696278 --- /dev/null +++ b/queue-6.12/f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch @@ -0,0 +1,140 @@ +From 5c145c03188bc9ba1c29e0bc4d527a5978fc47f9 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 13 Jan 2026 14:22:29 +0800 +Subject: f2fs: fix to avoid mapping wrong physical block for swapfile + +From: Chao Yu + +commit 5c145c03188bc9ba1c29e0bc4d527a5978fc47f9 upstream. + +Xiaolong Guo reported a f2fs bug in bugzilla [1] + +[1] https://bugzilla.kernel.org/show_bug.cgi?id=220951 + +Quoted: + +"When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+, +the system experiences data corruption leading to either: +1 dm-verity corruption errors and device reboot +2 F2FS node corruption errors and boot hangs + +The issue occurs specifically when: +1 Using F2FS filesystem (ext4 is unaffected) +2 Swapfile size is less than F2FS section size (2MB) +3 Swapfile has fragmented physical layout (multiple non-contiguous extents) +4 Kernel version is 6.6+ (6.1 is unaffected) + +The root cause is in check_swap_activate() function in fs/f2fs/data.c. When the +first extent of a small swapfile (< 2MB) is not aligned to section boundaries, +the function incorrectly treats it as the last extent, failing to map +subsequent extents. This results in incorrect swap_extent creation where only +the first extent is mapped, causing subsequent swap writes to overwrite wrong +physical locations (other files' data). + +Steps to Reproduce +1 Setup a device with F2FS-formatted userdata partition +2 Compile stress-ng from https://github.com/ColinIanKing/stress-ng +3 Run swap stress test: (Android devices) +adb shell "cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60 +--swap 0" + +Log: +1 Ftrace shows in kernel 6.6, only first extent is mapped during second +f2fs_map_blocks call in check_swap_activate(): +stress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start +blkaddr=0x43143, len=0x1 +(Only 4KB mapped, not the full swapfile) +2 in kernel 6.1, both extents are correctly mapped: +stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start +blkaddr=0x13cd4, len=0x1 +stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start +blkaddr=0x60c84b, len=0xff + +The problematic code is in check_swap_activate(): +if ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec || + nr_pblocks % blks_per_sec || + !f2fs_valid_pinned_area(sbi, pblock)) { + bool last_extent = false; + + not_aligned++; + + nr_pblocks = roundup(nr_pblocks, blks_per_sec); + if (cur_lblock + nr_pblocks > sis->max) + nr_pblocks -= blks_per_sec; + + /* this extent is last one */ + if (!nr_pblocks) { + nr_pblocks = last_lblock - cur_lblock; + last_extent = true; + } + + ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks); + if (ret) { + if (ret == -ENOENT) + ret = -EINVAL; + goto out; + } + + if (!last_extent) + goto retry; +} + +When the first extent is unaligned and roundup(nr_pblocks, blks_per_sec) +exceeds sis->max, we subtract blks_per_sec resulting in nr_pblocks = 0. The +code then incorrectly assumes this is the last extent, sets nr_pblocks = +last_lblock - cur_lblock (entire swapfile), and performs migration. After +migration, it doesn't retry mapping, so subsequent extents are never processed. +" + +In order to fix this issue, we need to lookup block mapping info after +we migrate all blocks in the tail of swapfile. + +Cc: stable@kernel.org +Fixes: 9703d69d9d15 ("f2fs: support file pinning for zoned devices") +Cc: Daeho Jeong +Reported-and-tested-by: Xiaolong Guo +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220951 +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/data.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -3980,6 +3980,7 @@ static int check_swap_activate(struct sw + + while (cur_lblock < last_lblock && cur_lblock < sis->max) { + struct f2fs_map_blocks map; ++ bool last_extent = false; + retry: + cond_resched(); + +@@ -4005,11 +4006,10 @@ retry: + pblock = map.m_pblk; + nr_pblocks = map.m_len; + +- if ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec || +- nr_pblocks % blks_per_sec || +- f2fs_is_sequential_zone_area(sbi, pblock)) { +- bool last_extent = false; +- ++ if (!last_extent && ++ ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec || ++ nr_pblocks % blks_per_sec || ++ f2fs_is_sequential_zone_area(sbi, pblock))) { + not_aligned++; + + nr_pblocks = roundup(nr_pblocks, blks_per_sec); +@@ -4030,8 +4030,8 @@ retry: + goto out; + } + +- if (!last_extent) +- goto retry; ++ /* lookup block mapping info after block migration */ ++ goto retry; + } + + if (cur_lblock + nr_pblocks >= sis->max) diff --git a/queue-6.12/f2fs-fix-to-check-sysfs-filename-w-gc_pin_file_thresh-correctly.patch b/queue-6.12/f2fs-fix-to-check-sysfs-filename-w-gc_pin_file_thresh-correctly.patch new file mode 100644 index 0000000000..96a6547724 --- /dev/null +++ b/queue-6.12/f2fs-fix-to-check-sysfs-filename-w-gc_pin_file_thresh-correctly.patch @@ -0,0 +1,32 @@ +From 0eda086de85e140f53c6123a4c00662f4e614ee4 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Tue, 6 Jan 2026 14:31:17 +0800 +Subject: f2fs: fix to check sysfs filename w/ gc_pin_file_thresh correctly + +From: Chao Yu + +commit 0eda086de85e140f53c6123a4c00662f4e614ee4 upstream. + +Sysfs entry name is gc_pin_file_thresh instead of gc_pin_file_threshold, +fix it. + +Cc: stable@kernel.org +Fixes: c521a6ab4ad7 ("f2fs: fix to limit gc_pin_file_threshold") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -732,7 +732,7 @@ out: + return count; + } + +- if (!strcmp(a->attr.name, "gc_pin_file_threshold")) { ++ if (!strcmp(a->attr.name, "gc_pin_file_thresh")) { + if (t > MAX_GC_FAILED_PINNED_FILES) + return -EINVAL; + sbi->gc_pin_file_threshold = t; diff --git a/queue-6.12/fbdev-rivafb-fix-divide-error-in-nv3_arb.patch b/queue-6.12/fbdev-rivafb-fix-divide-error-in-nv3_arb.patch new file mode 100644 index 0000000000..508d7baab6 --- /dev/null +++ b/queue-6.12/fbdev-rivafb-fix-divide-error-in-nv3_arb.patch @@ -0,0 +1,65 @@ +From 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 Mon Sep 17 00:00:00 2001 +From: Guangshuo Li +Date: Sun, 7 Dec 2025 15:25:32 +0800 +Subject: fbdev: rivafb: fix divide error in nv3_arb() + +From: Guangshuo Li + +commit 0209e21e3c372fa2da04c39214bec0b64e4eb5f4 upstream. + +A userspace program can trigger the RIVA NV3 arbitration code by calling +the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver +recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz +(derived from the PRAMDAC MCLK PLL) as a divisor without validating it +first. + +In a normal setup, state->mclk_khz is provided by the real hardware and is +non-zero. However, an attacker can construct a malicious or misconfigured +device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL +configuration, causing state->mclk_khz to become zero. Once +nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns +calculation causes a divide error and crashes the kernel. + +Fix this by checking whether state->mclk_khz is zero and bailing out before +doing the division. + +The following log reveals it: + +rivafb: setting virtual Y resolution to 2184 +divide error: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline] +RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546 +Call Trace: + nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603 + nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline] + CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246 + riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779 + rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196 + fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033 + do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109 + fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188 + __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Guangshuo Li +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/riva/riva_hw.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/video/fbdev/riva/riva_hw.c ++++ b/drivers/video/fbdev/riva/riva_hw.c +@@ -436,6 +436,9 @@ static char nv3_arb(nv3_fifo_info * res_ + vmisses = 2; + eburst_size = state->memory_width * 1; + mburst_size = 32; ++ if (!state->mclk_khz) ++ return (0); ++ + gns = 1000000 * (gmisses*state->mem_page_miss + state->mem_latency)/state->mclk_khz; + ainfo->by_gfacc = gns*ainfo->gdrain_rate/1000000; + ainfo->wcmocc = 0; diff --git a/queue-6.12/fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch b/queue-6.12/fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch new file mode 100644 index 0000000000..558b7db8cc --- /dev/null +++ b/queue-6.12/fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch @@ -0,0 +1,57 @@ +From 120adae7b42faa641179270c067864544a50ab69 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sun, 28 Dec 2025 14:17:03 +0100 +Subject: fbdev: smscufx: properly copy ioctl memory to kernelspace + +From: Greg Kroah-Hartman + +commit 120adae7b42faa641179270c067864544a50ab69 upstream. + +The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from +userspace to kernelspace, and instead directly references the memory, +which can cause problems if invalid data is passed from userspace. Fix +this all up by correctly copying the memory before accessing it within +the kernel. + +Reported-by: Tianchu Chen +Cc: stable +Cc: Steve Glendinning +Cc: Helge Deller +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/smscufx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/smscufx.c ++++ b/drivers/video/fbdev/smscufx.c +@@ -932,7 +932,6 @@ static int ufx_ops_ioctl(struct fb_info + unsigned long arg) + { + struct ufx_data *dev = info->par; +- struct dloarea *area = NULL; + + if (!atomic_read(&dev->usb_active)) + return 0; +@@ -947,6 +946,10 @@ static int ufx_ops_ioctl(struct fb_info + + /* TODO: Help propose a standard fb.h ioctl to report mmap damage */ + if (cmd == UFX_IOCTL_REPORT_DAMAGE) { ++ struct dloarea *area __free(kfree) = kmalloc(sizeof(*area), GFP_KERNEL); ++ if (!area) ++ return -ENOMEM; ++ + /* If we have a damage-aware client, turn fb_defio "off" + * To avoid perf imact of unnecessary page fault handling. + * Done by resetting the delay for this fb_info to a very +@@ -956,7 +959,8 @@ static int ufx_ops_ioctl(struct fb_info + if (info->fbdefio) + info->fbdefio->delay = UFX_DEFIO_WRITE_DISABLE; + +- area = (struct dloarea *)arg; ++ if (copy_from_user(area, (u8 __user *)arg, sizeof(*area))) ++ return -EFAULT; + + if (area->x < 0) + area->x = 0; diff --git a/queue-6.12/series b/queue-6.12/series index ae1e48e71b..756c827215 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -30,3 +30,9 @@ mm-hugetlb-fix-excessive-ipi-broadcasts-when-unsharing-pmd-tables-using-mmu_gath loongarch-rework-kasan-initialization-for-ptw-enabled-systems.patch revert-wireguard-device-enable-threaded-napi.patch cpuset-fix-missing-adaptation-for-cpuset_is_populated.patch +fbdev-rivafb-fix-divide-error-in-nv3_arb.patch +fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch +f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch +f2fs-fix-to-check-sysfs-filename-w-gc_pin_file_thresh-correctly.patch +f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch +f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch -- 2.47.3