From: Greg Kroah-Hartman Date: Fri, 15 May 2026 15:41:58 +0000 (+0200) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=16c146ec89466f7a085251ae29408fc61f835ac8;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: bcache-fix-uninitialized-closure-object.patch drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch mtd-spi-nor-sst-fix-sst-write-failure.patch
---
diff --git a/queue-6.1/bcache-fix-uninitialized-closure-object.patch b/queue-6.1/bcache-fix-uninitialized-closure-object.patch
new file mode 100644
index 0000000000..4b9919c825
--- /dev/null
+++ b/queue-6.1/bcache-fix-uninitialized-closure-object.patch
@@ -0,0 +1,42 @@
+From 20a8e451ec1c7e99060b1bbaaad03ce88c39ddb8 Mon Sep 17 00:00:00 2001
+From: Mingzhe Zou
+Date: Fri, 3 Apr 2026 12:21:35 +0800
+Subject: bcache: fix uninitialized closure object
+
+From: Mingzhe Zou
+
+commit 20a8e451ec1c7e99060b1bbaaad03ce88c39ddb8 upstream.
+
+In the previous patch ("bcache: fix cached_dev.sb_bio use-after-free and
+crash"), we adopted a simple modification suggestion from AI to fix the
+use-after-free.
+
+But in actual testing, we found an extreme case where the device is
+stopped before calling bch_write_bdev_super().
+
+At this point, struct closure sb_write has not been initialized yet.
+For this patch, we ensure that sb_bio has been completed via
+sb_write_mutex.
+
+Signed-off-by: Mingzhe Zou
+Signed-off-by: Coly Li
+Link: https://patch.msgid.link/20260403042135.2221247-1-colyli@fnnas.com
+Fixes: fec114a98b87 ("bcache: fix cached_dev.sb_bio use-after-free and crash")
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/bcache/super.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1373,7 +1373,8 @@ static void cached_dev_free(struct closu
+ * The sb_bio is embedded in struct cached_dev, so we must
+ * ensure no I/O is in progress.
+ */
+- closure_sync(&dc->sb_write);
++ down(&dc->sb_write_mutex);
++ up(&dc->sb_write_mutex);
+
+ if (dc->sb_disk)
+ put_page(virt_to_page(dc->sb_disk));
diff --git a/queue-6.1/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch b/queue-6.1/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
new file mode 100644
index 0000000000..0c68bef005
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
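Review bot: The `down(&dc->sb_write_mutex); up(&dc->sb_write_mutex);` pair in the nested super.c hunk reads like a no-op, and the comment above it ("ensure no I/O is in progress") does not explain why taking and dropping the semaphore achieves that. I would extend that comment with something like `sb_write_mutex is held for the whole superblock write, so acquiring it waits for any in-flight sb_bio; unlike sb_write it is usable even if no write was ever issued`, which matches the commit message but should be confirmed against bch_write_bdev_super(), since the write path is not visible here. The teardown now depends on sb_write_mutex being initialised on every path that can reach cached_dev_free(), which is worth verifying in the 6.1 tree given that the previous fix failed on exactly this kind of early-stop path. cached_dev_free() starts and ends outside the hunk.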
@@ -0,0 +1,43 @@
+From e6e9faba8100628990cccd13f0f044a648c303cf Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng
+Date: Mon, 13 Apr 2026 09:22:15 -0400
+Subject: drm/amdgpu/vcn3: Avoid overflow on msg bound check
+
+From: Benjamin Cheng
+
+commit e6e9faba8100628990cccd13f0f044a648c303cf upstream.
+
+As pointed out by SDL, the previous condition may be vulnerable to
+overflow.
+
+Fixes: b193019860d6 ("drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg")
+Cc: SDL
+Signed-off-by: Benjamin Cheng
+Reviewed-by: Ruijing Dong
+Signed-off-by: Alex Deucher
+(cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+@@ -1844,6 +1844,7 @@ static int vcn_v3_0_dec_msg(struct amdgp
+
+ for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+ uint32_t offset, size, *create;
++ uint64_t buf_end;
+
+ if (msg[0] != RDECODE_MESSAGE_CREATE)
+ continue;
+@@ -1851,7 +1852,8 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ offset = msg[1];
+ size = msg[2];
+
+- if (size < 4 || offset + size > end - addr) {
++ if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
++ buf_end > end - addr) {
+ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+ r = -EINVAL;
+ goto out;
diff --git a/queue-6.1/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch b/queue-6.1/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch
new file mode 100644
index 0000000000..d50aa72925
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch
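Review bot: In the vcn_v3_0.c bound check, `check_add_overflow(offset, size, &buf_end)` adds two `uint32_t` values into a `uint64_t`, so (assuming the macro in this tree accepts mixed operand types) it can never report overflow. The 32-bit wrap is actually prevented by `buf_end` being 64 bits wide when it is compared with `end - addr`. The result is correct, but that branch of the condition is dead and hides where the protection comes from. Either add a comment such as `/* buf_end is 64-bit, so offset + size cannot wrap before the compare */` or state the intent directly with `buf_end = (uint64_t)offset + size;` followed by `if (size < 4 || buf_end > end - addr) {`. The identical construct in the vcn_v4_0.c patch queued next deserves the same treatment; in both files the loop body and the declarations of `end` and `addr` lie outside the hunks.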
@@ -0,0 +1,43 @@
+From 65bce27ea6192320448c30267ffc17ffa094e713 Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng
+Date: Mon, 13 Apr 2026 09:22:15 -0400
+Subject: drm/amdgpu/vcn4: Avoid overflow on msg bound check
+
+From: Benjamin Cheng
+
+commit 65bce27ea6192320448c30267ffc17ffa094e713 upstream.
+
+As pointed out by SDL, the previous condition may be vulnerable to
+overflow.
+
+Fixes: 0a78f2bac142 ("drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg")
+Cc: SDL
+Signed-off-by: Benjamin Cheng
+Reviewed-by: Ruijing Dong
+Signed-off-by: Alex Deucher
+(cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+@@ -1675,6 +1675,7 @@ static int vcn_v4_0_dec_msg(struct amdgp
+
+ for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+ uint32_t offset, size, *create;
++ uint64_t buf_end;
+
+ if (msg[0] != RDECODE_MESSAGE_CREATE)
+ continue;
+@@ -1682,7 +1683,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ offset = msg[1];
+ size = msg[2];
+
+- if (size < 4 || offset + size > end - addr) {
++ if (size < 4 || check_add_overflow(offset, size, &buf_end) ||
++ buf_end > end - addr) {
+ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+ r = -EINVAL;
+ goto out;
diff --git a/queue-6.1/mtd-spi-nor-sst-fix-sst-write-failure.patch b/queue-6.1/mtd-spi-nor-sst-fix-sst-write-failure.patch
new file mode 100644
index 0000000000..80503a7756
--- /dev/null
+++ b/queue-6.1/mtd-spi-nor-sst-fix-sst-write-failure.patch
@@ -0,0 +1,83 @@
+From 539bd20352832b9244238a055eb169ccf1c41ff6 Mon Sep 17 00:00:00 2001
+From: Amit Kumar Mahapatra
+Date: Thu, 13 Feb 2025 11:15:46 +0530
+Subject: mtd: spi-nor: sst: Fix SST write failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amit Kumar Mahapatra
+
+commit 539bd20352832b9244238a055eb169ccf1c41ff6 upstream.
+
+'commit 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation
+to `sst_nor_write_data()`")' introduced a bug where only one byte of data
+is written, regardless of the number of bytes passed to
+sst_nor_write_data(), causing a kernel crash during the write operation.
+Ensure the correct number of bytes are written as passed to
+sst_nor_write_data().
+
+Call trace:
+[ 57.400180] ------------[ cut here ]------------
+[ 57.404842] While writing 2 byte written 1 bytes
+[ 57.409493] WARNING: CPU: 0 PID: 737 at drivers/mtd/spi-nor/sst.c:187 sst_nor_write_data+0x6c/0x74
+[ 57.418464] Modules linked in:
+[ 57.421517] CPU: 0 UID: 0 PID: 737 Comm: mtd_debug Not tainted 6.12.0-g5ad04afd91f9 #30
+[ 57.429517] Hardware name: Xilinx Versal A2197 Processor board revA - x-prc-02 revA (DT)
+[ 57.437600] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 57.444557] pc : sst_nor_write_data+0x6c/0x74
+[ 57.448911] lr : sst_nor_write_data+0x6c/0x74
+[ 57.453264] sp : ffff80008232bb40
+[ 57.456570] x29: ffff80008232bb40 x28: 0000000000010000 x27: 0000000000000001
+[ 57.463708] x26: 000000000000ffff x25: 0000000000000000 x24: 0000000000000000
+[ 57.470843] x23: 0000000000010000 x22: ffff80008232bbf0 x21: ffff000816230000
+[ 57.477978] x20: ffff0008056c0080 x19: 0000000000000002 x18: 0000000000000006
+[ 57.485112] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80008232b580
+[ 57.492246] x14: 0000000000000000 x13: ffff8000816d1530 x12: 00000000000004a4
+[ 57.499380] x11: 000000000000018c x10: ffff8000816fd530 x9 : ffff8000816d1530
+[ 57.506515] x8 : 00000000fffff7ff x7 : ffff8000816fd530 x6 : 0000000000000001
+[ 57.513649] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
+[ 57.520782] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0008049b0000
+[ 57.527916] Call trace:
+[ 57.530354] sst_nor_write_data+0x6c/0x74
+[ 57.534361] sst_nor_write+0xb4/0x18c
+[ 57.538019] mtd_write_oob_std+0x7c/0x88
+[ 57.541941] mtd_write_oob+0x70/0xbc
+[ 57.545511] mtd_write+0x68/0xa8
+[ 57.548733] mtdchar_write+0x10c/0x290
+[ 57.552477] vfs_write+0xb4/0x3a8
+[ 57.555791] ksys_write+0x74/0x10c
+[ 57.559189] __arm64_sys_write+0x1c/0x28
+[ 57.563109] invoke_syscall+0x54/0x11c
+[ 57.566856] el0_svc_common.constprop.0+0xc0/0xe0
+[ 57.571557] do_el0_svc+0x1c/0x28
+[ 57.574868] el0_svc+0x30/0xcc
+[ 57.577921] el0t_64_sync_handler+0x120/0x12c
+[ 57.582276] el0t_64_sync+0x190/0x194
+[ 57.585933] ---[ end trace 0000000000000000 ]---
+
+Cc: stable@vger.kernel.org
+Fixes: 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`")
+Signed-off-by: Amit Kumar Mahapatra
+Reviewed-by: Pratyush Yadav
+Reviewed-by: Tudor Ambarus
+Reviewed-by: Bence Csókás
+[pratyush@kernel.org: add Cc stable tag]
+Signed-off-by: Pratyush Yadav
+Link: https://lore.kernel.org/r/20250213054546.2078121-1-amit.kumar-mahapatra@amd.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/spi-nor/sst.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/spi-nor/sst.c
++++ b/drivers/mtd/spi-nor/sst.c
+@@ -124,7 +124,7 @@ static int sst_nor_write_data(struct spi
+ int ret;
+
+ nor->program_opcode = op;
+- ret = spi_nor_write_data(nor, to, 1, buf);
++ ret = spi_nor_write_data(nor, to, len, buf);
+ if (ret < 0)
+ return ret;
+ WARN(ret != len, "While writing %zu byte written %i bytes\n", len, ret);
diff --git a/queue-6.1/series b/queue-6.1/series
index 30bd2e055b..757f8e66f6 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
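Review bot: A short transfer in sst_nor_write_data() is still only reported through `WARN(ret != len, ...)` after this fix, and the call trace in the description shows that line is reachable from a userspace write() through mtdchar_write(). With panic_on_warn set, a controller that returns fewer bytes than requested therefore takes the machine down. Without it, the function presumably continues as if the write had succeeded, but the rest of the body is outside the hunk, so confirm. Treating the mismatch as an I/O error, e.g. `if (ret != len) return -EIO;`, or logging with `dev_err()` instead of WARN, would be a sensible upstream follow-up rather than something to fold into this backport.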
@@ -426,3 +426,7 @@ mtd-spi-nor-sst-fix-write-enable-before-aai-sequence.patch
 pwm-imx-tpm-count-the-number-of-enabled-channels-in-probe.patch
 vsock-fix-buffer-size-clamping-order.patch
 vsock-virtio-fix-accept-queue-count-leak-on-transport-mismatch.patch
+drm-amdgpu-vcn3-avoid-overflow-on-msg-bound-check.patch
+drm-amdgpu-vcn4-avoid-overflow-on-msg-bound-check.patch
+mtd-spi-nor-sst-fix-sst-write-failure.patch
+bcache-fix-uninitialized-closure-object.patch