6.1-stable patches master
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 May 2026 15:41:58 +0000 (17:41 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 May 2026 15:41:58 +0000 (17:41 +0200)
added patches:
bcache-fix-uninitialized-closure-object.patch
drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch
mtd-spi-nor-sst-fix-sst-write-failure.patch

queue-6.1/bcache-fix-uninitialized-closure-object.patch [new file with mode: 0644]
queue-6.1/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch [new file with mode: 0644]
queue-6.1/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch [new file with mode: 0644]
queue-6.1/mtd-spi-nor-sst-fix-sst-write-failure.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/bcache-fix-uninitialized-closure-object.patch b/queue-6.1/bcache-fix-uninitialized-closure-object.patch
new file mode 100644 (file)
index 0000000..4b9919c
--- /dev/null
@@ -0,0 +1,42 @@
+From 20a8e451ec1c7e99060b1bbaaad03ce88c39ddb8 Mon Sep 17 00:00:00 2001
+From: Mingzhe Zou <mingzhe.zou@easystack.cn>
+Date: Fri, 3 Apr 2026 12:21:35 +0800
+Subject: bcache: fix uninitialized closure object
+
+From: Mingzhe Zou <mingzhe.zou@easystack.cn>
+
+commit 20a8e451ec1c7e99060b1bbaaad03ce88c39ddb8 upstream.
+
+In the previous patch ("bcache: fix cached_dev.sb_bio use-after-free and
+crash"), we adopted a simple modification suggestion from AI to fix the
+use-after-free.
+
+But in actual testing, we found an extreme case where the device is
+stopped before calling bch_write_bdev_super().
+
+At this point, struct closure sb_write has not been initialized yet.
+For this patch, we ensure that sb_bio has been completed via
+sb_write_mutex.
+
+Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
+Signed-off-by: Coly Li <colyli@fnnas.com>
+Link: https://patch.msgid.link/20260403042135.2221247-1-colyli@fnnas.com
+Fixes: fec114a98b87 ("bcache: fix cached_dev.sb_bio use-after-free and crash")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/super.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1373,7 +1373,8 @@ static void cached_dev_free(struct closu
+        * The sb_bio is embedded in struct cached_dev, so we must
+        * ensure no I/O is in progress.
+        */
+-      closure_sync(&dc->sb_write);
++      down(&dc->sb_write_mutex);
++      up(&dc->sb_write_mutex);
+       if (dc->sb_disk)
+               put_page(virt_to_page(dc->sb_disk));
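Review bot: The `down(&dc->sb_write_mutex); up(&dc->sb_write_mutex);` pair in cached_dev_free() is used purely as a wait barrier, and the retained comment above it says only that no I/O may be in progress, not why an acquire-and-release achieves that. A later reader could take the pair for dead code and remove it, reopening the sb_bio use-after-free the earlier fix addressed. I would extend the comment, e.g. `/* Take and drop sb_write_mutex to wait for any in-flight sb_bio; unlike closure_sync(&dc->sb_write) this is safe when sb_write was never initialised. */`. The hunk does not show where sb_write_mutex is initialised, so for this 6.1 backport it is worth confirming that the semaphore is set up before any path that can reach cached_dev_free(); otherwise the uninitialised-object problem only moves from the closure to the semaphore. The function body starts and ends outside the hunk.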
diff --git a/queue-6.1/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch b/queue-6.1/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
new file mode 100644 (file)
index 0000000..0c68bef
--- /dev/null
@@ -0,0 +1,43 @@
+From e6e9faba8100628990cccd13f0f044a648c303cf Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Mon, 13 Apr 2026 09:22:15 -0400
+Subject: drm/amdgpu/vcn3: Avoid overflow on msg bound check
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit e6e9faba8100628990cccd13f0f044a648c303cf upstream.
+
+As pointed out by SDL, the previous condition may be vulnerable to
+overflow.
+
+Fixes: b193019860d6 ("drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg")
+Cc: SDL <sdl@nppct.ru>
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+@@ -1844,6 +1844,7 @@ static int vcn_v3_0_dec_msg(struct amdgp
+       for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+               uint32_t offset, size, *create;
++              uint64_t buf_end;
+               if (msg[0] != RDECODE_MESSAGE_CREATE)
+                       continue;
+@@ -1851,7 +1852,8 @@ static int vcn_v3_0_dec_msg(struct amdgp
+               offset = msg[1];
+               size = msg[2];
+-              if (size < 4 || offset + size > end - addr) {
++              if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
++                  buf_end > end - addr) {
+                       DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+                       r = -EINVAL;
+                       goto out;
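Review bot: In vcn_v3_0_dec_msg() the new `check_add_overflow(offset, size, &buf_end)` can never report overflow, because the sum of two uint32_t operands always fits in the uint64_t `buf_end`; what actually closes the wrap is that the sum is now formed in 64 bits before `buf_end > end - addr`. The bound check is sound as far as the hunk shows, but it reads as if the helper were the guard, so either state the intent in a comment such as `/* offset and size are read from the message; add in 64 bits so the sum cannot wrap past the BO bound */` or write the test directly as `(uint64_t)offset + size > end - addr`. The mixed operand and result widths also rely on the 6.1 tree's check_add_overflow() accepting differing types, which is not visible on this page and should be confirmed for the backport. The same applies to the identical hunk in vcn_v4_0_dec_msg() in the vcn4 patch. The loop body continues outside the hunk, so how `end - addr` is derived and how `offset` is used afterwards cannot be checked from here.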
diff --git a/queue-6.1/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch b/queue-6.1/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch
new file mode 100644 (file)
index 0000000..d50aa72
--- /dev/null
@@ -0,0 +1,43 @@
+From 65bce27ea6192320448c30267ffc17ffa094e713 Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Mon, 13 Apr 2026 09:22:15 -0400
+Subject: drm/amdgpu/vcn4: Avoid overflow on msg bound check
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit 65bce27ea6192320448c30267ffc17ffa094e713 upstream.
+
+As pointed out by SDL, the previous condition may be vulnerable to
+overflow.
+
+Fixes: 0a78f2bac142 ("drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg")
+Cc: SDL <sdl@nppct.ru>
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885)
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+@@ -1675,6 +1675,7 @@ static int vcn_v4_0_dec_msg(struct amdgp
+       for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+               uint32_t offset, size, *create;
++              uint64_t buf_end;
+               if (msg[0] != RDECODE_MESSAGE_CREATE)
+                       continue;
+@@ -1682,7 +1683,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
+               offset = msg[1];
+               size = msg[2];
+-              if (size < 4 || offset + size > end - addr) {
++              if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
++                  buf_end > end - addr) {
+                       DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+                       r = -EINVAL;
+                       goto out;
diff --git a/queue-6.1/mtd-spi-nor-sst-fix-sst-write-failure.patch b/queue-6.1/mtd-spi-nor-sst-fix-sst-write-failure.patch
new file mode 100644 (file)
index 0000000..80503a7
--- /dev/null
@@ -0,0 +1,83 @@
+From 539bd20352832b9244238a055eb169ccf1c41ff6 Mon Sep 17 00:00:00 2001
+From: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
+Date: Thu, 13 Feb 2025 11:15:46 +0530
+Subject: mtd: spi-nor: sst: Fix SST write failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
+
+commit 539bd20352832b9244238a055eb169ccf1c41ff6 upstream.
+
+'commit 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation
+to `sst_nor_write_data()`")' introduced a bug where only one byte of data
+is written, regardless of the number of bytes passed to
+sst_nor_write_data(), causing a kernel crash during the write operation.
+Ensure the correct number of bytes are written as passed to
+sst_nor_write_data().
+
+Call trace:
+[   57.400180] ------------[ cut here ]------------
+[   57.404842] While writing 2 byte written 1 bytes
+[   57.409493] WARNING: CPU: 0 PID: 737 at drivers/mtd/spi-nor/sst.c:187 sst_nor_write_data+0x6c/0x74
+[   57.418464] Modules linked in:
+[   57.421517] CPU: 0 UID: 0 PID: 737 Comm: mtd_debug Not tainted 6.12.0-g5ad04afd91f9 #30
+[   57.429517] Hardware name: Xilinx Versal A2197 Processor board revA - x-prc-02 revA (DT)
+[   57.437600] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[   57.444557] pc : sst_nor_write_data+0x6c/0x74
+[   57.448911] lr : sst_nor_write_data+0x6c/0x74
+[   57.453264] sp : ffff80008232bb40
+[   57.456570] x29: ffff80008232bb40 x28: 0000000000010000 x27: 0000000000000001
+[   57.463708] x26: 000000000000ffff x25: 0000000000000000 x24: 0000000000000000
+[   57.470843] x23: 0000000000010000 x22: ffff80008232bbf0 x21: ffff000816230000
+[   57.477978] x20: ffff0008056c0080 x19: 0000000000000002 x18: 0000000000000006
+[   57.485112] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80008232b580
+[   57.492246] x14: 0000000000000000 x13: ffff8000816d1530 x12: 00000000000004a4
+[   57.499380] x11: 000000000000018c x10: ffff8000816fd530 x9 : ffff8000816d1530
+[   57.506515] x8 : 00000000fffff7ff x7 : ffff8000816fd530 x6 : 0000000000000001
+[   57.513649] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
+[   57.520782] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0008049b0000
+[   57.527916] Call trace:
+[   57.530354]  sst_nor_write_data+0x6c/0x74
+[   57.534361]  sst_nor_write+0xb4/0x18c
+[   57.538019]  mtd_write_oob_std+0x7c/0x88
+[   57.541941]  mtd_write_oob+0x70/0xbc
+[   57.545511]  mtd_write+0x68/0xa8
+[   57.548733]  mtdchar_write+0x10c/0x290
+[   57.552477]  vfs_write+0xb4/0x3a8
+[   57.555791]  ksys_write+0x74/0x10c
+[   57.559189]  __arm64_sys_write+0x1c/0x28
+[   57.563109]  invoke_syscall+0x54/0x11c
+[   57.566856]  el0_svc_common.constprop.0+0xc0/0xe0
+[   57.571557]  do_el0_svc+0x1c/0x28
+[   57.574868]  el0_svc+0x30/0xcc
+[   57.577921]  el0t_64_sync_handler+0x120/0x12c
+[   57.582276]  el0t_64_sync+0x190/0x194
+[   57.585933] ---[ end trace 0000000000000000 ]---
+
+Cc: stable@vger.kernel.org
+Fixes: 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`")
+Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Reviewed-by: Bence Csókás <csokas.bence@prolan.hu>
+[pratyush@kernel.org: add Cc stable tag]
+Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
+Link: https://lore.kernel.org/r/20250213054546.2078121-1-amit.kumar-mahapatra@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/sst.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/spi-nor/sst.c
++++ b/drivers/mtd/spi-nor/sst.c
+@@ -124,7 +124,7 @@ static int sst_nor_write_data(struct spi
+       int ret;
+       nor->program_opcode = op;
+-      ret = spi_nor_write_data(nor, to, 1, buf);
++      ret = spi_nor_write_data(nor, to, len, buf);
+       if (ret < 0)
+               return ret;
+       WARN(ret != len, "While writing %zu byte written %i bytes\n", len, ret);
index 30bd2e055b85d5d6fdb7511cb6c88a10991d27d0..757f8e66f6f20a4dba33ba44f38be454b264409b 100644 (file)
@@ -426,3 +426,7 @@ mtd-spi-nor-sst-fix-write-enable-before-aai-sequence.patch
 pwm-imx-tpm-count-the-number-of-enabled-channels-in-probe.patch
 vsock-fix-buffer-size-clamping-order.patch
 vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
+drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
+drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch
+mtd-spi-nor-sst-fix-sst-write-failure.patch
+bcache-fix-uninitialized-closure-object.patch