5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 May 2026 15:41:10 +0000 (17:41 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 May 2026 15:41:10 +0000 (17:41 +0200)
added patches:
bcache-fix-uninitialized-closure-object.patch
drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch

queue-5.15/bcache-fix-uninitialized-closure-object.patch [new file with mode: 0644]
queue-5.15/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/bcache-fix-uninitialized-closure-object.patch b/queue-5.15/bcache-fix-uninitialized-closure-object.patch
new file mode 100644 (file)
index 0000000..1755fac
--- /dev/null
@@ -0,0 +1,42 @@
+From 20a8e451ec1c7e99060b1bbaaad03ce88c39ddb8 Mon Sep 17 00:00:00 2001
+From: Mingzhe Zou <mingzhe.zou@easystack.cn>
+Date: Fri, 3 Apr 2026 12:21:35 +0800
+Subject: bcache: fix uninitialized closure object
+
+From: Mingzhe Zou <mingzhe.zou@easystack.cn>
+
+commit 20a8e451ec1c7e99060b1bbaaad03ce88c39ddb8 upstream.
+
+In the previous patch ("bcache: fix cached_dev.sb_bio use-after-free and
+crash"), we adopted a simple modification suggestion from AI to fix the
+use-after-free.
+
+But in actual testing, we found an extreme case where the device is
+stopped before calling bch_write_bdev_super().
+
+At this point, struct closure sb_write has not been initialized yet.
+For this patch, we ensure that sb_bio has been completed via
+sb_write_mutex.
+
+Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
+Signed-off-by: Coly Li <colyli@fnnas.com>
+Link: https://patch.msgid.link/20260403042135.2221247-1-colyli@fnnas.com
+Fixes: fec114a98b87 ("bcache: fix cached_dev.sb_bio use-after-free and crash")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/super.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1382,7 +1382,8 @@ static void cached_dev_free(struct closu
+        * The sb_bio is embedded in struct cached_dev, so we must
+        * ensure no I/O is in progress.
+        */
+-      closure_sync(&dc->sb_write);
++      down(&dc->sb_write_mutex);
++      up(&dc->sb_write_mutex);
+       if (dc->sb_disk)
+               put_page(virt_to_page(dc->sb_disk));
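Review bot: The comment kept above the new `down()`/`up()` pair still only says that sb_bio is embedded and no I/O may be in progress; it does not say why acquiring and immediately releasing `sb_write_mutex` guarantees that, which a reader of `cached_dev_free` cannot see from these lines. Per the commit message the superblock writer holds the semaphore until sb_bio completes, so the pair is a wait-for-in-flight-write barrier that also avoids touching `sb_write`, which may never have been initialized; I would extend the comment with `* bch_write_bdev_super() holds sb_write_mutex until sb_bio completes,` / `* so down()/up() waits for any in-flight write without relying on` / `* dc->sb_write, which is uninitialized if the device was never written.` Nothing in the hunk prevents a new superblock write from starting after `up()`; that presumably relies on the device already being stopped, and stating that assumption in the same comment would make the ordering requirement explicit. `cached_dev_free` begins and ends outside the hunk.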
diff --git a/queue-5.15/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch b/queue-5.15/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
new file mode 100644 (file)
index 0000000..0df50ab
--- /dev/null
@@ -0,0 +1,43 @@
+From e6e9faba8100628990cccd13f0f044a648c303cf Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Mon, 13 Apr 2026 09:22:15 -0400
+Subject: drm/amdgpu/vcn3: Avoid overflow on msg bound check
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit e6e9faba8100628990cccd13f0f044a648c303cf upstream.
+
+As pointed out by SDL, the previous condition may be vulnerable to
+overflow.
+
+Fixes: b193019860d6 ("drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg")
+Cc: SDL <sdl@nppct.ru>
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+@@ -1924,6 +1924,7 @@ static int vcn_v3_0_dec_msg(struct amdgp
+       for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+               uint32_t offset, size, *create;
++              uint64_t buf_end;
+               if (msg[0] != RDECODE_MESSAGE_CREATE)
+                       continue;
+@@ -1931,7 +1932,8 @@ static int vcn_v3_0_dec_msg(struct amdgp
+               offset = msg[1];
+               size = msg[2];
+-              if (size < 4 || offset + size > end - addr) {
++              if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
++                  buf_end > end - addr) {
+                       DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+                       r = -EINVAL;
+                       goto out;
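Review bot: `check_add_overflow(offset, size, &buf_end)` can never report overflow here, because `offset` and `size` are `uint32_t` while `buf_end` is `uint64_t`, so the sum always fits; the actual fix is the widening of the comparison, which removes the 32-bit wraparound of the old `offset + size`. The result is correct, but the code reads as though the overflow branch were reachable, so either make the intent plain with `if (size < 4 || (uint64_t)offset + size > end - addr) {` or keep the macro and add a comment such as `/* sum in 64 bits: u32 offset + size could wrap the BO bound check */`. Whether `end - addr` is itself 64-bit and `end >= addr` holds is not visible in the hunk; the comparison is only sound if both are, which is worth a one-line note at the declaration of `buf_end`. The enclosing `vcn_v3_0_dec_msg` starts and ends outside the hunk.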
index f090b5460c66f997ba3f1f63e88c93d2bc792180..0a7d4e7f087f33b166458bea938757b283ff05d0 100644 (file)
@@ -385,3 +385,5 @@ batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch
 bluetooth-l2cap-fix-null-ptr-deref-in-l2cap_sock_get_sndtimeo_cb.patch
 vsock-fix-buffer-size-clamping-order.patch
 vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
+drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
+bcache-fix-uninitialized-closure-object.patch