From: Greg Kroah-Hartman Date: Sun, 29 Mar 2026 07:58:11 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v6.6.131~62 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=69a0782606bb43ee764825c69012373b88e55812;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch cpufreq-conservative-reset-requested_freq-on-limits-change.patch s390-barrier-make-array_index_mask_nospec-__always_inline.patch s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch --- diff --git a/queue-5.15/can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch b/queue-5.15/can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch new file mode 100644 index 0000000000..26e5d773af --- /dev/null +++ b/queue-5.15/can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch @@ -0,0 +1,77 @@ +From b9c310d72783cc2f30d103eed83920a5a29c671a Mon Sep 17 00:00:00 2001 +From: Ali Norouzi +Date: Thu, 19 Mar 2026 16:47:44 +0100 +Subject: can: gw: fix OOB heap access in cgw_csum_crc8_rel() + +From: Ali Norouzi + +commit b9c310d72783cc2f30d103eed83920a5a29c671a upstream. + +cgw_csum_crc8_rel() correctly computes bounds-safe indices via calc_idx(): + + int from = calc_idx(crc8->from_idx, cf->len); + int to = calc_idx(crc8->to_idx, cf->len); + int res = calc_idx(crc8->result_idx, cf->len); + + if (from < 0 || to < 0 || res < 0) + return; + +However, the loop and the result write then use the raw s8 fields directly +instead of the computed variables: + + for (i = crc8->from_idx; ...) /* BUG: raw negative index */ + cf->data[crc8->result_idx] = ...; /* BUG: raw negative index */ + +With from_idx = to_idx = result_idx = -64 on a 64-byte CAN FD frame, +calc_idx(-64, 64) = 0 so the guard passes, but the loop iterates with +i = -64, reading cf->data[-64], and the write goes to cf->data[-64]. +This write might end up to 56 (7.0-rc) or 40 (<= 6.19) bytes before the +start of the canfd_frame on the heap. + +The companion function cgw_csum_xor_rel() uses `from`/`to`/`res` +correctly throughout; fix cgw_csum_crc8_rel() to match. + +Confirmed with KASAN on linux-7.0-rc2: + BUG: KASAN: slab-out-of-bounds in cgw_csum_crc8_rel+0x515/0x5b0 + Read of size 1 at addr ffff8880076619c8 by task poc_cgw_oob/62 + +To configure the can-gw crc8 checksums CAP_NET_ADMIN is needed. + +Fixes: 456a8a646b25 ("can: gw: add support for CAN FD frames") +Cc: stable@vger.kernel.org +Reported-by: Ali Norouzi +Reviewed-by: Oliver Hartkopp +Acked-by: Oliver Hartkopp +Signed-off-by: Ali Norouzi +Signed-off-by: Oliver Hartkopp +Link: https://patch.msgid.link/20260319-fix-can-gw-and-can-isotp-v2-1-c45d52c6d2d8@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + net/can/gw.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/can/gw.c ++++ b/net/can/gw.c +@@ -374,10 +374,10 @@ static void cgw_csum_crc8_rel(struct can + return; + + if (from <= to) { +- for (i = crc8->from_idx; i <= crc8->to_idx; i++) ++ for (i = from; i <= to; i++) + crc = crc8->crctab[crc ^ cf->data[i]]; + } else { +- for (i = crc8->from_idx; i >= crc8->to_idx; i--) ++ for (i = from; i >= to; i--) + crc = crc8->crctab[crc ^ cf->data[i]]; + } + +@@ -396,7 +396,7 @@ static void cgw_csum_crc8_rel(struct can + break; + } + +- cf->data[crc8->result_idx] = crc ^ crc8->final_xor_val; ++ cf->data[res] = crc ^ crc8->final_xor_val; + } + + static void cgw_csum_crc8_pos(struct canfd_frame *cf, diff --git a/queue-5.15/cpufreq-conservative-reset-requested_freq-on-limits-change.patch b/queue-5.15/cpufreq-conservative-reset-requested_freq-on-limits-change.patch new file mode 100644 index 0000000000..f82b40622a --- /dev/null +++ b/queue-5.15/cpufreq-conservative-reset-requested_freq-on-limits-change.patch @@ -0,0 +1,95 @@ +From 6a28fb8cb28b9eb39a392e531d938a889eacafc5 Mon Sep 17 00:00:00 2001 +From: Viresh Kumar +Date: Fri, 20 Mar 2026 15:08:14 +0530 +Subject: cpufreq: conservative: Reset requested_freq on limits change + +From: Viresh Kumar + +commit 6a28fb8cb28b9eb39a392e531d938a889eacafc5 upstream. + +A recently reported issue highlighted that the cached requested_freq +is not guaranteed to stay in sync with policy->cur. If the platform +changes the actual CPU frequency after the governor sets one (e.g. +due to platform-specific frequency scaling) and a re-sync occurs +later, policy->cur may diverge from requested_freq. + +This can lead to incorrect behavior in the conservative governor. +For example, the governor may assume the CPU is already running at +the maximum frequency and skip further increases even though there +is still headroom. + +Avoid this by resetting the cached requested_freq to policy->cur on +detecting a change in policy limits. + +Reported-by: Lifeng Zheng +Tested-by: Lifeng Zheng +Link: https://lore.kernel.org/all/20260210115458.3493646-1-zhenglifeng1@huawei.com/ +Signed-off-by: Viresh Kumar +Reviewed-by: Zhongqiu Han +Cc: All applicable +Link: https://patch.msgid.link/d846a141a98ac0482f20560fcd7525c0f0ec2f30.1773999467.git.viresh.kumar@linaro.org +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cpufreq_conservative.c | 12 ++++++++++++ + drivers/cpufreq/cpufreq_governor.c | 3 +++ + drivers/cpufreq/cpufreq_governor.h | 1 + + 3 files changed, 16 insertions(+) + +--- a/drivers/cpufreq/cpufreq_conservative.c ++++ b/drivers/cpufreq/cpufreq_conservative.c +@@ -311,6 +311,17 @@ static void cs_start(struct cpufreq_poli + dbs_info->requested_freq = policy->cur; + } + ++static void cs_limits(struct cpufreq_policy *policy) ++{ ++ struct cs_policy_dbs_info *dbs_info = to_dbs_info(policy->governor_data); ++ ++ /* ++ * The limits have changed, so may have the current frequency. Reset ++ * requested_freq to avoid any unintended outcomes due to the mismatch. ++ */ ++ dbs_info->requested_freq = policy->cur; ++} ++ + static struct dbs_governor cs_governor = { + .gov = CPUFREQ_DBS_GOVERNOR_INITIALIZER("conservative"), + .kobj_type = { .default_attrs = cs_attributes }, +@@ -320,6 +331,7 @@ static struct dbs_governor cs_governor = + .init = cs_init, + .exit = cs_exit, + .start = cs_start, ++ .limits = cs_limits, + }; + + #define CPU_FREQ_GOV_CONSERVATIVE (cs_governor.gov) +--- a/drivers/cpufreq/cpufreq_governor.c ++++ b/drivers/cpufreq/cpufreq_governor.c +@@ -561,6 +561,7 @@ EXPORT_SYMBOL_GPL(cpufreq_dbs_governor_s + + void cpufreq_dbs_governor_limits(struct cpufreq_policy *policy) + { ++ struct dbs_governor *gov = dbs_governor_of(policy); + struct policy_dbs_info *policy_dbs; + + /* Protect gov->gdbs_data against cpufreq_dbs_governor_exit() */ +@@ -572,6 +573,8 @@ void cpufreq_dbs_governor_limits(struct + mutex_lock(&policy_dbs->update_mutex); + cpufreq_policy_apply_limits(policy); + gov_update_sample_delay(policy_dbs, 0); ++ if (gov->limits) ++ gov->limits(policy); + mutex_unlock(&policy_dbs->update_mutex); + + out: +--- a/drivers/cpufreq/cpufreq_governor.h ++++ b/drivers/cpufreq/cpufreq_governor.h +@@ -140,6 +140,7 @@ struct dbs_governor { + int (*init)(struct dbs_data *dbs_data); + void (*exit)(struct dbs_data *dbs_data); + void (*start)(struct cpufreq_policy *policy); ++ void (*limits)(struct cpufreq_policy *policy); + }; + + static inline struct dbs_governor *dbs_governor_of(struct cpufreq_policy *policy) diff --git a/queue-5.15/s390-barrier-make-array_index_mask_nospec-__always_inline.patch b/queue-5.15/s390-barrier-make-array_index_mask_nospec-__always_inline.patch new file mode 100644 index 0000000000..fb7d68258e --- /dev/null +++ b/queue-5.15/s390-barrier-make-array_index_mask_nospec-__always_inline.patch @@ -0,0 +1,34 @@ +From c5c0a268b38adffbb2e70e6957017537ff54c157 Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Thu, 26 Mar 2026 14:38:44 +0100 +Subject: s390/barrier: Make array_index_mask_nospec() __always_inline + +From: Vasily Gorbik + +commit c5c0a268b38adffbb2e70e6957017537ff54c157 upstream. + +Mark array_index_mask_nospec() as __always_inline to guarantee the +mitigation is emitted inline regardless of compiler inlining decisions. + +Fixes: e2dd833389cc ("s390: add optimized array_index_mask_nospec") +Cc: stable@kernel.org +Reviewed-by: Ilya Leoshkevich +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/barrier.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/include/asm/barrier.h ++++ b/arch/s390/include/asm/barrier.h +@@ -56,8 +56,8 @@ do { \ + * @size: number of elements in array + */ + #define array_index_mask_nospec array_index_mask_nospec +-static inline unsigned long array_index_mask_nospec(unsigned long index, +- unsigned long size) ++static __always_inline unsigned long array_index_mask_nospec(unsigned long index, ++ unsigned long size) + { + unsigned long mask; + diff --git a/queue-5.15/s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch b/queue-5.15/s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch new file mode 100644 index 0000000000..2f69b2195c --- /dev/null +++ b/queue-5.15/s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch @@ -0,0 +1,49 @@ +From 48b8814e25d073dd84daf990a879a820bad2bcbd Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 24 Mar 2026 17:34:05 +0100 +Subject: s390/syscalls: Add spectre boundary for syscall dispatch table + +From: Greg Kroah-Hartman + +commit 48b8814e25d073dd84daf990a879a820bad2bcbd upstream. + +The s390 syscall number is directly controlled by userspace, but does +not have an array_index_nospec() boundary to prevent access past the +syscall function pointer tables. + +Cc: Heiko Carstens +Cc: Vasily Gorbik +Cc: Alexander Gordeev +Cc: Christian Borntraeger +Cc: Sven Schnelle +Cc: Arnd Bergmann +Fixes: 56e62a737028 ("s390: convert to generic entry") +Cc: stable@kernel.org +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: Vasily Gorbik +Link: https://lore.kernel.org/r/2026032404-sterling-swoosh-43e6@gregkh +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/syscall.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/s390/kernel/syscall.c ++++ b/arch/s390/kernel/syscall.c +@@ -13,6 +13,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -141,6 +142,7 @@ static void do_syscall(struct pt_regs *r + if (likely(nr >= NR_syscalls)) + goto out; + do { ++ nr = array_index_nospec(nr, NR_syscalls); + regs->gprs[2] = current->thread.sys_call_table[nr](regs); + } while (test_and_clear_pt_regs_flag(regs, PIF_EXECVE_PGSTE_RESTART)); + out: diff --git a/queue-5.15/series b/queue-5.15/series index 61f0b09b60..40d42a49af 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -365,3 +365,7 @@ sysctl-fix-uninitialized-variable-in-proc_do_large_b.patch asoc-adau1372-fix-unchecked-clk_prepare_enable-retur.patch asoc-adau1372-fix-clock-leak-on-pll-lock-failure.patch spi-spi-fsl-lpspi-fix-teardown-order-issue-uaf.patch +s390-syscalls-add-spectre-boundary-for-syscall-dispatch-table.patch +s390-barrier-make-array_index_mask_nospec-__always_inline.patch +can-gw-fix-oob-heap-access-in-cgw_csum_crc8_rel.patch +cpufreq-conservative-reset-requested_freq-on-limits-change.patch