--- /dev/null
+From b9c310d72783cc2f30d103eed83920a5a29c671a Mon Sep 17 00:00:00 2001
+From: Ali Norouzi <ali.norouzi@keysight.com>
+Date: Thu, 19 Mar 2026 16:47:44 +0100
+Subject: can: gw: fix OOB heap access in cgw_csum_crc8_rel()
+
+From: Ali Norouzi <ali.norouzi@keysight.com>
+
+commit b9c310d72783cc2f30d103eed83920a5a29c671a upstream.
+
+cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx():
+
+ int from = calc_idx(crc8->from_idx, cf->len);
+ int to = calc_idx(crc8->to_idx, cf->len);
+ int res = calc_idx(crc8->result_idx, cf->len);
+
+ if (from < 0 || to < 0 || res < 0)
+ return;
+
+However, the loop and the result write then use the raw s8 fields directly
+instead of the computed variables:
+
+ for (i = crc8->from_idx; ...) /* BUG: raw negative index */
+ cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */
+
+With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame,
+calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with
+i = -64, reading cf->data[-64], and the write goes to cf->data[-64].
+This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the
+start of the canfd_frame on the heap.
+
+The companion function cgw_csum_xor_rel() uses `from`/`to`/`res`
+correctly throughout; fix cgw_csum_crc8_rel() to match.
+
+Confirmed with KASAN on linux-7.0-rc2:
+ BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0
+ Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62
+
+To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed.
+
+Fixes: 456a8a646b25 ("can: gw: add support for CAN FD frames")
+Cc: stable@vger.kernel.org
+Reported-by: Ali Norouzi <ali.norouzi@keysight.com>
+Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: Ali Norouzi <ali.norouzi@keysight.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-1-c45d52c6d2d8@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/gw.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/can/gw.c
++++ b/net/can/gw.c
+@@ -312,10 +312,10 @@ static void cgw_csum_crc8_rel(struct can
+ return;
+
+ if (from <= to) {
+- for (i = crc8->from_idx; i <= crc8->to_idx; i++)
++ for (i = from; i <= to; i++)
+ crc = crc8->crctab[crc ^ cf->data[i]];
+ } else {
+- for (i = crc8->from_idx; i >= crc8->to_idx; i--)
++ for (i = from; i >= to; i--)
+ crc = crc8->crctab[crc ^ cf->data[i]];
+ }
+
+@@ -334,7 +334,7 @@ static void cgw_csum_crc8_rel(struct can
+ break;
+ }
+
+- cf->data[crc8->result_idx] = crc ^ crc8->final_xor_val;
++ cf->data[res] = crc ^ crc8->final_xor_val;
+ }
+
+ static void cgw_csum_crc8_pos(struct canfd_frame *cf,
--- /dev/null
+From 6a28fb8cb28b9eb39a392e531d938a889eacafc5 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Fri, 20 Mar 2026 15:08:14 +0530
+Subject: cpufreq: conservative: Reset requested_freq on limits change
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 6a28fb8cb28b9eb39a392e531d938a889eacafc5 upstream.
+
+A recently reported issue highlighted that the cached requested_freq
+is not guaranteed to stay in sync with policy->cur. If the platform
+changes the actual CPU frequency after the governor sets one (e.g.
+due to platform-specific frequency scaling) and a re-sync occurs
+later, policy->cur may diverge from requested_freq.
+
+This can lead to incorrect behavior in the conservative governor.
+For example, the governor may assume the CPU is already running at
+the maximum frequency and skip further increases even though there
+is still headroom.
+
+Avoid this by resetting the cached requested_freq to policy->cur on
+detecting a change in policy limits.
+
+Reported-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Tested-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://lore.kernel.org/all/20260210115458.3493646-1-zhenglifeng1@huawei.com/
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Zhongqiu Han <zhongqiu.han@oss.qualcomm.com>
+Cc: All applicable <stable@vger.kernel.org>
+Link: https://patch.msgid.link/d846a141a98ac0482f20560fcd7525c0f0ec2f30.1773999467.git.viresh.kumar@linaro.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq_conservative.c | 12 ++++++++++++
+ drivers/cpufreq/cpufreq_governor.c | 3 +++
+ drivers/cpufreq/cpufreq_governor.h | 1 +
+ 3 files changed, 16 insertions(+)
+
+--- a/drivers/cpufreq/cpufreq_conservative.c
++++ b/drivers/cpufreq/cpufreq_conservative.c
+@@ -311,6 +311,17 @@ static void cs_start(struct cpufreq_poli
+ dbs_info->requested_freq = policy->cur;
+ }
+
++static void cs_limits(struct cpufreq_policy *policy)
++{
++ struct cs_policy_dbs_info *dbs_info = to_dbs_info(policy->governor_data);
++
++ /*
++ * The limits have changed, so may have the current frequency. Reset
++ * requested_freq to avoid any unintended outcomes due to the mismatch.
++ */
++ dbs_info->requested_freq = policy->cur;
++}
++
+ static struct dbs_governor cs_governor = {
+ .gov = CPUFREQ_DBS_GOVERNOR_INITIALIZER("conservative"),
+ .kobj_type = { .default_attrs = cs_attributes },
+@@ -320,6 +331,7 @@ static struct dbs_governor cs_governor =
+ .init = cs_init,
+ .exit = cs_exit,
+ .start = cs_start,
++ .limits = cs_limits,
+ };
+
+ #define CPU_FREQ_GOV_CONSERVATIVE (cs_governor.gov)
+--- a/drivers/cpufreq/cpufreq_governor.c
++++ b/drivers/cpufreq/cpufreq_governor.c
+@@ -555,6 +555,7 @@ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_s
+
+ void cpufreq_dbs_governor_limits(struct cpufreq_policy *policy)
+ {
++ struct dbs_governor *gov = dbs_governor_of(policy);
+ struct policy_dbs_info *policy_dbs;
+
+ /* Protect gov->gdbs_data against cpufreq_dbs_governor_exit() */
+@@ -566,6 +567,8 @@ void cpufreq_dbs_governor_limits(struct
+ mutex_lock(&policy_dbs->update_mutex);
+ cpufreq_policy_apply_limits(policy);
+ gov_update_sample_delay(policy_dbs, 0);
++ if (gov->limits)
++ gov->limits(policy);
+ mutex_unlock(&policy_dbs->update_mutex);
+
+ out:
+--- a/drivers/cpufreq/cpufreq_governor.h
++++ b/drivers/cpufreq/cpufreq_governor.h
+@@ -139,6 +139,7 @@ struct dbs_governor {
+ int (*init)(struct dbs_data *dbs_data);
+ void (*exit)(struct dbs_data *dbs_data);
+ void (*start)(struct cpufreq_policy *policy);
++ void (*limits)(struct cpufreq_policy *policy);
+ };
+
+ static inline struct dbs_governor *dbs_governor_of(struct cpufreq_policy *policy)
--- /dev/null
+From c5c0a268b38adffbb2e70e6957017537ff54c157 Mon Sep 17 00:00:00 2001
+From: Vasily Gorbik <gor@linux.ibm.com>
+Date: Thu, 26 Mar 2026 14:38:44 +0100
+Subject: s390/barrier: Make array_index_mask_nospec() __always_inline
+
+From: Vasily Gorbik <gor@linux.ibm.com>
+
+commit c5c0a268b38adffbb2e70e6957017537ff54c157 upstream.
+
+Mark array_index_mask_nospec() as __always_inline to guarantee the
+mitigation is emitted inline regardless of compiler inlining decisions.
+
+Fixes: e2dd833389cc ("s390: add optimized array_index_mask_nospec")
+Cc: stable@kernel.org
+Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/include/asm/barrier.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/include/asm/barrier.h
++++ b/arch/s390/include/asm/barrier.h
+@@ -56,8 +56,8 @@ do { \
+ * @size: number of elements in array
+ */
+ #define array_index_mask_nospec array_index_mask_nospec
+-static inline unsigned long array_index_mask_nospec(unsigned long index,
+- unsigned long size)
++static __always_inline unsigned long array_index_mask_nospec(unsigned long index,
++ unsigned long size)
+ {
+ unsigned long mask;
+
hwmon-adm1177-fix-sysfs-abi-violation-and-current-un.patch
sysctl-fix-uninitialized-variable-in-proc_do_large_b.patch
spi-spi-fsl-lpspi-fix-teardown-order-issue-uaf.patch
+s390-barrier-make-array_index_mask_nospec-__always_inline.patch
+can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch
+cpufreq-conservative-reset-requested_freq-on-limits-change.patch
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- drivers/spi/spi-fsl-lpspi.c | 3 ++-
+ drivers/spi/spi-fsl-lpspi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c
-index 319cd96bd201b..540815ae49e78 100644
--- a/drivers/spi/spi-fsl-lpspi.c
+++ b/drivers/spi/spi-fsl-lpspi.c
-@@ -914,7 +914,7 @@ static int fsl_lpspi_probe(struct platform_device *pdev)
+@@ -914,7 +914,7 @@ static int fsl_lpspi_probe(struct platfo
enable_irq(irq);
}
if (ret < 0) {
dev_err_probe(&pdev->dev, ret, "spi_register_controller error\n");
goto free_dma;
-@@ -943,6 +943,7 @@ static int fsl_lpspi_remove(struct platform_device *pdev)
+@@ -943,6 +943,7 @@ static int fsl_lpspi_remove(struct platf
struct fsl_lpspi_data *fsl_lpspi =
spi_controller_get_devdata(controller);
fsl_lpspi_dma_exit(controller);
pm_runtime_dont_use_autosuspend(fsl_lpspi->dev);
---
-2.53.0
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
