From: Greg Kroah-Hartman Date: Wed, 3 Dec 2025 13:20:25 +0000 (+0100) Subject: 6.6-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4fbcd383662cfa28c328b5372068b0d2a41b2caf;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: hid-core-harden-s32ton-against-conversion-to-0-bits.patch net-dsa-microchip-fix-symetry-in-ksz_ptp_msg_irq_-setup-free.patch net-dsa-microchip-free-previously-initialized-ports-on-init-failures.patch --- diff --git a/queue-6.6/hid-core-harden-s32ton-against-conversion-to-0-bits.patch b/queue-6.6/hid-core-harden-s32ton-against-conversion-to-0-bits.patch new file mode 100644 index 0000000000..5ae23cd7b7 --- /dev/null +++ b/queue-6.6/hid-core-harden-s32ton-against-conversion-to-0-bits.patch @@ -0,0 +1,55 @@ +From stable+bounces-198189-greg=kroah.com@vger.kernel.org Wed Dec 3 12:24:33 2025 +From: jetlan9@163.com +Date: Wed, 3 Dec 2025 11:23:18 +0000 +Subject: HID: core: Harden s32ton() against conversion to 0 bits +To: stable@vger.kernel.org +Cc: Alan Stern , syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com, Benjamin Tissoires , Wenshan Lan +Message-ID: <20251203112318.4289-1-jetlan9@163.com> + +From: Alan Stern + +[ Upstream commit a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd ] + +Testing by the syzbot fuzzer showed that the HID core gets a +shift-out-of-bounds exception when it tries to convert a 32-bit +quantity to a 0-bit quantity. Ideally this should never occur, but +there are buggy devices and some might have a report field with size +set to zero; we shouldn't reject the report or the device just because +of that. + +Instead, harden the s32ton() routine so that it returns a reasonable +result instead of crashing when it is called with the number of bits +set to 0 -- the same as what snto32() does. + +Signed-off-by: Alan Stern +Reported-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-usb/68753a08.050a0220.33d347.0008.GAE@google.com/ +Tested-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com +Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/613a66cd-4309-4bce-a4f7-2905f9bce0c9@rowland.harvard.edu +Signed-off-by: Benjamin Tissoires +[ s32ton() was moved by c653ffc28340 ("HID: stop exporting hid_snto32()"). + Minor context change fixed. ] +Signed-off-by: Wenshan Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1351,7 +1351,12 @@ EXPORT_SYMBOL_GPL(hid_snto32); + + static u32 s32ton(__s32 value, unsigned n) + { +- s32 a = value >> (n - 1); ++ s32 a; ++ ++ if (!value || !n) ++ return 0; ++ ++ a = value >> (n - 1); + if (a && a != -1) + return value < 0 ? 1 << (n - 1) : (1 << (n - 1)) - 1; + return value & ((1 << n) - 1); diff --git a/queue-6.6/net-dsa-microchip-fix-symetry-in-ksz_ptp_msg_irq_-setup-free.patch b/queue-6.6/net-dsa-microchip-fix-symetry-in-ksz_ptp_msg_irq_-setup-free.patch new file mode 100644 index 0000000000..e488223fda --- /dev/null +++ b/queue-6.6/net-dsa-microchip-fix-symetry-in-ksz_ptp_msg_irq_-setup-free.patch @@ -0,0 +1,88 @@ +From stable+bounces-198140-greg=kroah.com@vger.kernel.org Tue Dec 2 20:26:52 2025 +From: Sasha Levin +Date: Tue, 2 Dec 2025 14:26:37 -0500 +Subject: net: dsa: microchip: Fix symetry in ksz_ptp_msg_irq_{setup/free}() +To: stable@vger.kernel.org +Cc: "Bastien Curutchet (Schneider Electric)" , Andrew Lunn , Paolo Abeni , Sasha Levin +Message-ID: <20251202192637.2408676-1-sashal@kernel.org> + +From: "Bastien Curutchet (Schneider Electric)" + +[ Upstream commit d0b8fec8ae50525b57139393d0bb1f446e82ff7e ] + +The IRQ numbers created through irq_create_mapping() are only assigned +to ptpmsg_irq[n].num at the end of the IRQ setup. So if an error occurs +between their creation and their assignment (for instance during the +request_threaded_irq() step), we enter the error path and fail to +release the newly created virtual IRQs because they aren't yet assigned +to ptpmsg_irq[n].num. + +Move the mapping creation to ksz_ptp_msg_irq_setup() to ensure symetry +with what's released by ksz_ptp_msg_irq_free(). +In the error path, move the irq_dispose_mapping to the out_ptp_msg label +so it will be called only on created IRQs. + +Cc: stable@vger.kernel.org +Fixes: cc13ab18b201 ("net: dsa: microchip: ptp: enable interrupt for timestamping") +Reviewed-by: Andrew Lunn +Signed-off-by: Bastien Curutchet (Schneider Electric) +Link: https://patch.msgid.link/20251120-ksz-fix-v6-5-891f80ae7f8f@bootlin.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/microchip/ksz_ptp.c | 18 +++++++----------- + 1 file changed, 7 insertions(+), 11 deletions(-) + +--- a/drivers/net/dsa/microchip/ksz_ptp.c ++++ b/drivers/net/dsa/microchip/ksz_ptp.c +@@ -1099,19 +1099,19 @@ static int ksz_ptp_msg_irq_setup(struct + static const char * const name[] = {"pdresp-msg", "xdreq-msg", + "sync-msg"}; + const struct ksz_dev_ops *ops = port->ksz_dev->dev_ops; ++ struct ksz_irq *ptpirq = &port->ptpirq; + struct ksz_ptp_irq *ptpmsg_irq; + + ptpmsg_irq = &port->ptpmsg_irq[n]; ++ ptpmsg_irq->num = irq_create_mapping(ptpirq->domain, n); ++ if (!ptpmsg_irq->num) ++ return -EINVAL; + + ptpmsg_irq->port = port; + ptpmsg_irq->ts_reg = ops->get_port_addr(port->num, ts_reg[n]); + + snprintf(ptpmsg_irq->name, sizeof(ptpmsg_irq->name), name[n]); + +- ptpmsg_irq->num = irq_find_mapping(port->ptpirq.domain, n); +- if (ptpmsg_irq->num < 0) +- return ptpmsg_irq->num; +- + return request_threaded_irq(ptpmsg_irq->num, NULL, + ksz_ptp_msg_thread_fn, IRQF_ONESHOT, + ptpmsg_irq->name, ptpmsg_irq); +@@ -1141,9 +1141,6 @@ int ksz_ptp_irq_setup(struct dsa_switch + if (!ptpirq->domain) + return -ENOMEM; + +- for (irq = 0; irq < ptpirq->nirqs; irq++) +- irq_create_mapping(ptpirq->domain, irq); +- + ptpirq->irq_num = irq_find_mapping(port->pirq.domain, PORT_SRC_PTP_INT); + if (!ptpirq->irq_num) { + ret = -EINVAL; +@@ -1165,12 +1162,11 @@ int ksz_ptp_irq_setup(struct dsa_switch + + out_ptp_msg: + free_irq(ptpirq->irq_num, ptpirq); +- while (irq--) ++ while (irq--) { + free_irq(port->ptpmsg_irq[irq].num, &port->ptpmsg_irq[irq]); +-out: +- for (irq = 0; irq < ptpirq->nirqs; irq++) + irq_dispose_mapping(port->ptpmsg_irq[irq].num); +- ++ } ++out: + irq_domain_remove(ptpirq->domain); + + return ret; diff --git a/queue-6.6/net-dsa-microchip-free-previously-initialized-ports-on-init-failures.patch b/queue-6.6/net-dsa-microchip-free-previously-initialized-ports-on-init-failures.patch new file mode 100644 index 0000000000..cc72cc5bd9 --- /dev/null +++ b/queue-6.6/net-dsa-microchip-free-previously-initialized-ports-on-init-failures.patch @@ -0,0 +1,87 @@ +From stable+bounces-198143-greg=kroah.com@vger.kernel.org Tue Dec 2 21:15:22 2025 +From: Sasha Levin +Date: Tue, 2 Dec 2025 15:15:07 -0500 +Subject: net: dsa: microchip: Free previously initialized ports on init failures +To: stable@vger.kernel.org +Cc: "Bastien Curutchet (Schneider Electric)" , Paolo Abeni , Sasha Levin +Message-ID: <20251202201507.2486461-1-sashal@kernel.org> + +From: "Bastien Curutchet (Schneider Electric)" + +[ Upstream commit 0f80e21bf6229637e193248fbd284c0ec44bc0fd ] + +If a port interrupt setup fails after at least one port has already been +successfully initialized, the gotos miss some resource releasing: +- the already initialized PTP IRQs aren't released +- the already initialized port IRQs aren't released if the failure +occurs in ksz_pirq_setup(). + +Merge 'out_girq' and 'out_ptpirq' into a single 'port_release' label. +Behind this label, use the reverse loop to release all IRQ resources +for all initialized ports. +Jump in the middle of the reverse loop if an error occurs in +ksz_ptp_irq_setup() to only release the port IRQ of the current +iteration. + +Cc: stable@vger.kernel.org +Fixes: c9cd961c0d43 ("net: dsa: microchip: lan937x: add interrupt support for port phy link") +Signed-off-by: Bastien Curutchet (Schneider Electric) +Link: https://patch.msgid.link/20251120-ksz-fix-v6-4-891f80ae7f8f@bootlin.com +Signed-off-by: Paolo Abeni +[ replaced dsa_switch_for_each_user_port_continue_reverse() macro with dsa_switch_for_each_port_continue_reverse() plus manual dsa_port_is_user() check ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/microchip/ksz_common.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/drivers/net/dsa/microchip/ksz_common.c ++++ b/drivers/net/dsa/microchip/ksz_common.c +@@ -2163,18 +2163,18 @@ static int ksz_setup(struct dsa_switch * + dsa_switch_for_each_user_port(dp, dev->ds) { + ret = ksz_pirq_setup(dev, dp->index); + if (ret) +- goto out_girq; ++ goto port_release; + + ret = ksz_ptp_irq_setup(ds, dp->index); + if (ret) +- goto out_pirq; ++ goto pirq_release; + } + } + + ret = ksz_ptp_clock_register(ds); + if (ret) { + dev_err(dev->dev, "Failed to register PTP clock: %d\n", ret); +- goto out_ptpirq; ++ goto port_release; + } + + ret = ksz_mdio_register(dev); +@@ -2191,17 +2191,17 @@ static int ksz_setup(struct dsa_switch * + + out_ptp_clock_unregister: + ksz_ptp_clock_unregister(ds); +-out_ptpirq: +- if (dev->irq > 0) +- dsa_switch_for_each_user_port(dp, dev->ds) ++port_release: ++ if (dev->irq > 0) { ++ dsa_switch_for_each_port_continue_reverse(dp, dev->ds) { ++ if (!dsa_port_is_user(dp)) ++ continue; + ksz_ptp_irq_free(ds, dp->index); +-out_pirq: +- if (dev->irq > 0) +- dsa_switch_for_each_user_port(dp, dev->ds) ++pirq_release: + ksz_irq_free(&dev->ports[dp->index].pirq); +-out_girq: +- if (dev->irq > 0) ++ } + ksz_irq_free(&dev->girq); ++ } + + return ret; + } diff --git a/queue-6.6/series b/queue-6.6/series index d50891f00b..cd35d1ffca 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -88,3 +88,6 @@ staging-rtl8712-remove-driver-using-deprecated-api-wext.patch selftests-mptcp-join-properly-kill-background-tasks.patch mptcp-fix-duplicate-reset-on-fastclose.patch ksmbd-fix-use-after-free-in-session-logoff.patch +net-dsa-microchip-fix-symetry-in-ksz_ptp_msg_irq_-setup-free.patch +net-dsa-microchip-free-previously-initialized-ports-on-init-failures.patch +hid-core-harden-s32ton-against-conversion-to-0-bits.patch