From: Greg Kroah-Hartman Date: Mon, 15 Jun 2026 15:59:18 +0000 (+0200) Subject: 6.6-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7f050f9fdc9fb2b804b6e5cefc48dc79cab8c7a6;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: mm-hugetlb-restore-reservation-on-error-in-hugetlb-folio-copy-paths.patch mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch mmc-litex_mmc-set-mandatory-idle-clocks-before-cmd0.patch mmc-renesas_sdhi-add-of-entry-for-rz-g2h-soc.patch mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch sctp-diag-reject-stale-associations-in-dump_one-path.patch sctp-stream-fully-roll-back-denied-add-stream-state.patch slimbus-qcom-ngd-ctrl-avoid-abba-on-tx_lock-ctrl-lock.patch slimbus-qcom-ngd-ctrl-fix-of-node-refcount.patch thunderbolt-bound-root-directory-content-to-block-size.patch thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch thunderbolt-reject-zero-length-property-entries-in-validator.patch thunderbolt-validate-xdomain-request-packet-size-before-type-cast.patch --- diff --git a/queue-6.6/mm-hugetlb-restore-reservation-on-error-in-hugetlb-folio-copy-paths.patch b/queue-6.6/mm-hugetlb-restore-reservation-on-error-in-hugetlb-folio-copy-paths.patch new file mode 100644 index 0000000000..da1c8d8daf --- /dev/null +++ b/queue-6.6/mm-hugetlb-restore-reservation-on-error-in-hugetlb-folio-copy-paths.patch 
@@ -0,0 +1,68 @@ +From 40c81856e622a9dc59294a90d169ac07ea25b0b0 Mon Sep 17 00:00:00 2001 +From: David Carlier +Date: Wed, 20 May 2026 05:49:12 +0100 +Subject: mm/hugetlb: restore reservation on error in hugetlb folio copy paths + +From: David Carlier + +commit 40c81856e622a9dc59294a90d169ac07ea25b0b0 upstream. + +Two sites in mm/hugetlb.c allocate a hugetlb folio via +alloc_hugetlb_folio() (consuming a VMA reservation) and then call +copy_user_large_folio(), which became int-returning in commit 1cb9dc4b475c +("mm: hwpoison: support recovery from HugePage copy-on-write faults") and +can now fail (e.g. -EHWPOISON on a hwpoisoned source page). On the +failure path, folio_put() restores the global hugetlb pool count through +free_huge_folio(), but the per-VMA reservation map entry is left marked +consumed: + + - hugetlb_mfill_atomic_pte() resubmission path (UFFDIO_COPY) + - copy_hugetlb_page_range() fork-time CoW path when + hugetlb_try_dup_anon_rmap() fails (rare: pinned hugetlb anon + folio under fork) + +User-visible effect: on UFFDIO_COPY into a private hugetlb VMA where the +resubmission copy fails, the reservation for that address is leaked from +the VMA's reserve map. A subsequent fault at the same address takes the +no-reservation path, and under hugetlb pool pressure the task is SIGBUSed +at an address it had previously reserved. The fork-time CoW path leaks +the same way in the child VMA's reserve map, though it requires the much +rarer combination of pinned hugetlb anon page + hwpoisoned source. + +Add the missing restore_reserve_on_error() call before folio_put() on both +error paths. 
+ +Link: https://lore.kernel.org/20260520044912.6751-1-devnexen@gmail.com +Fixes: 1cb9dc4b475c ("mm: hwpoison: support recovery from HugePage copy-on-write faults") +Signed-off-by: David Carlier +Reviewed-by: Muchun Song +Cc: David Hildenbrand +Cc: Mina Almasry +Cc: Muchun Song +Cc: Oscar Salvador +Cc: yuehaibing +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/hugetlb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -5174,6 +5174,7 @@ again: + addr, dst_vma); + folio_put(pte_folio); + if (ret) { ++ restore_reserve_on_error(h, dst_vma, addr, new_folio); + folio_put(new_folio); + break; + } +@@ -6383,6 +6384,7 @@ int hugetlb_mfill_atomic_pte(pte_t *dst_ + folio_put(*foliop); + *foliop = NULL; + if (ret) { ++ restore_reserve_on_error(h, dst_vma, dst_addr, folio); + folio_put(folio); + goto out; + } diff --git a/queue-6.6/mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch b/queue-6.6/mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch new file mode 100644 index 0000000000..c86cba41c9 --- /dev/null +++ b/queue-6.6/mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch 
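Review bot: The added restore_reserve_on_error() call has to stay ahead of folio_put(new_folio) in the copy_hugetlb_page_range() hunk and ahead of folio_put(folio) in the hugetlb_mfill_atomic_pte() hunk, and nothing in the code records that ordering, so a later reordering would reintroduce the exact leak this fixes. Presumably folio_put() can return the folio to the pool (the commit message says it goes through free_huge_folio()), which is why the fix-up needs the still-live folio; a one-line comment on each new line, e.g. `/* must precede folio_put(): the reserve-map fix-up needs the live folio */`, would make that explicit. Both enclosing functions start and end outside the hunks.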
@@ -0,0 +1,46 @@ +From 5a52c5701a67d5176eb1afbf1bdaf7d6dfeec597 Mon Sep 17 00:00:00 2001 +From: Kamal Dasu +Date: Thu, 23 Apr 2026 15:18:55 -0400 +Subject: mmc: core: Fix host controller programming for fixed driver type + +From: Kamal Dasu + +commit 5a52c5701a67d5176eb1afbf1bdaf7d6dfeec597 upstream. + +When using the fixed-emmc-driver-type device tree property, the MMC core +correctly selects the driver strength for the card but fails to program +the host controller accordingly. This causes a mismatch where the card +uses the specified driver type while the host controller defaults to +Type B (since ios->drv_type remains zero). + +Split the driver type programming logic to handle both fixed and dynamic +driver type selection paths. For fixed driver types, program the host +controller with the selected drive_strength value. For dynamic selection, +use the existing drv_type as before. + +This ensures both the eMMC device and host controller use matching driver +strengths, preventing potential signal integrity issues. + +Fixes: 6186d06c519e ("mmc: parse new binding for eMMC fixed driver type") +Signed-off-by: Kamal Dasu +Reviewed-by: Shawn Lin +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/mmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -1354,7 +1354,9 @@ static void mmc_select_driver_type(struc + + card->drive_strength = drive_strength; + +- if (drv_type) ++ if (fixed_drv_type >= 0 && drive_strength) ++ mmc_set_driver_type(card->host, drive_strength); ++ else if (drv_type) + mmc_set_driver_type(card->host, drv_type); + } + diff --git a/queue-6.6/mmc-litex_mmc-set-mandatory-idle-clocks-before-cmd0.patch b/queue-6.6/mmc-litex_mmc-set-mandatory-idle-clocks-before-cmd0.patch new file mode 100644 index 0000000000..e212dd869a --- /dev/null +++ b/queue-6.6/mmc-litex_mmc-set-mandatory-idle-clocks-before-cmd0.patch 
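Review bot: With a fixed driver type whose selected drive_strength is 0 (Type B), neither branch of the new conditional calls mmc_set_driver_type(), so the host keeps whatever driver type it was last programmed with instead of being explicitly set to match the card. If mmc_set_driver_type() tolerates a 0 argument, `if (fixed_drv_type >= 0) mmc_set_driver_type(card->host, drive_strength);` would make the fixed path unconditional and fully deliver the commit's goal of host and card agreeing; if the `&& drive_strength` guard is deliberate, a short comment saying why would prevent it being "fixed" later. mmc_select_driver_type() begins outside the hunk, so how fixed_drv_type and drv_type are derived is not visible here.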
@@ -0,0 +1,63 @@ +From 99982b743e5ba72bd1f5de0e03e3b96ae70b1e51 Mon Sep 17 00:00:00 2001 +From: Inochi Amaoto +Date: Thu, 21 May 2026 15:21:21 +0800 +Subject: mmc: litex_mmc: Set mandatory idle clocks before CMD0 + +From: Inochi Amaoto + +commit 99982b743e5ba72bd1f5de0e03e3b96ae70b1e51 upstream. + +The litex_mmc driver assumes the card is already probed in the BIOS +and skip the phy initialization. This will cause the command fail +like the following when the old card is unplugged and then insert +a new card: + +[ 62.923593] litex-mmc f0004000.mmc: Command (cmd 8) error, status -110 +[ 62.949717] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110 +[ 62.976606] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110 +[ 63.002516] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110 +[ 63.028442] litex-mmc f0004000.mmc: Command (cmd 55) error, status -110 + +Add required clock settings and initialization for the CMD 0, so it can +probe the new card. + +Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface") +Signed-off-by: Inochi Amaoto +Reviewed-by: Gabriel Somlo +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/litex_mmc.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/mmc/host/litex_mmc.c ++++ b/drivers/mmc/host/litex_mmc.c +@@ -69,6 +69,9 @@ + #define SD_SLEEP_US 5 + #define SD_TIMEOUT_US 20000 + ++#define SD_INIT_DELAY_US 1000 ++#define SD_INIT_CLK_HZ 400000 ++ + #define SDIRQ_CARD_DETECT 1 + #define SDIRQ_SD_TO_MEM_DONE 2 + #define SDIRQ_MEM_TO_SD_DONE 4 +@@ -450,6 +453,17 @@ static void litex_mmc_set_ios(struct mmc + struct litex_mmc_host *host = mmc_priv(mmc); + + /* ++ * The SD specification requires at least 74 idle clocks before CMD0. ++ * These dummy cycles is generated by writing LITEX_PHY_INITIALIZE. 
++ */ ++ if (ios->chip_select == MMC_CS_HIGH) { ++ litex_mmc_setclk(host, SD_INIT_CLK_HZ); ++ litex_write8(host->sdphy + LITEX_PHY_INITIALIZE, 1); ++ fsleep(SD_INIT_DELAY_US); ++ return; ++ } ++ ++ /* + * NOTE: Ignore any ios->bus_width updates; they occur right after + * the mmc core sends its own acmd6 bus-width change notification, + * which is redundant since we snoop on the command flow and inject diff --git a/queue-6.6/mmc-renesas_sdhi-add-of-entry-for-rz-g2h-soc.patch b/queue-6.6/mmc-renesas_sdhi-add-of-entry-for-rz-g2h-soc.patch new file mode 100644 index 0000000000..3f7c0376a3 --- /dev/null +++ b/queue-6.6/mmc-renesas_sdhi-add-of-entry-for-rz-g2h-soc.patch 
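Review bot: The early `return` in the new MMC_CS_HIGH branch skips the rest of litex_mmc_set_ios(), so any other ios fields delivered in the same call (clock, power mode) are silently dropped; that is fine if the core only ever toggles chip_select on its own, but the assumption should be stated, e.g. `/* The core changes chip_select in a call of its own, so nothing else in ios needs applying here */`. The new comment also has a grammar slip: `These dummy cycles is generated` should read `These dummy cycles are generated`. SD_INIT_DELAY_US is roughly five times the ~185 µs that 74 cycles at 400 kHz take, and a comment deriving the constant from that figure would explain the margin. litex_mmc_set_ios() continues past the hunk.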
@@ -0,0 +1,40 @@ +From f48ee49726ee4ab545fd2dc644f169c0809b19b3 Mon Sep 17 00:00:00 2001 +From: Lad Prabhakar +Date: Tue, 19 May 2026 14:53:40 +0100 +Subject: mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC + +From: Lad Prabhakar + +commit f48ee49726ee4ab545fd2dc644f169c0809b19b3 upstream. + +The RZ/G2H (R8A774E1) SoC was previously handled via the generic +"renesas,rcar-gen3-sdhi" fallback compatible string. However, because +the SDHI IP on RZ/G2H is identical with the R-Car H3-N (R8A77951), it +requires the specific quirks and configuration defined in +`of_r8a7795_compatible` rather than the generic Gen3 data. + +Add the explicit "renesas,sdhi-r8a774e1" match entry to map it correctly. +Note that the DT binding file renesas,sdhi.yaml does not need an update +as the entry for this SoC is already present. + +Fixes: 31941342888d ("arm64: dts: renesas: r8a774e1: Add SDHI nodes") +Cc: stable@vger.kernel.org +Signed-off-by: Lad Prabhakar +Reviewed-by: Wolfram Sang +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/renesas_sdhi_internal_dmac.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mmc/host/renesas_sdhi_internal_dmac.c ++++ b/drivers/mmc/host/renesas_sdhi_internal_dmac.c +@@ -277,6 +277,7 @@ static const struct renesas_sdhi_of_data + static const struct of_device_id renesas_sdhi_internal_dmac_of_match[] = { + { .compatible = "renesas,sdhi-r7s9210", .data = &of_rza2_compatible, }, + { .compatible = "renesas,sdhi-mmc-r8a77470", .data = &of_rcar_gen3_compatible, }, ++ { .compatible = "renesas,sdhi-r8a774e1", .data = &of_r8a7795_compatible, }, + { .compatible = "renesas,sdhi-r8a7795", .data = &of_r8a7795_compatible, }, + { .compatible = "renesas,sdhi-r8a77961", .data = &of_r8a77961_compatible, }, + { .compatible = "renesas,sdhi-r8a77965", .data = &of_r8a77965_compatible, }, 
diff --git a/queue-6.6/mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch b/queue-6.6/mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch new file mode 100644 index 0000000000..ef9c44536e --- /dev/null +++ b/queue-6.6/mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch 
@@ -0,0 +1,47 @@ +From f595e8e77a51eee35e331f69321766593a845ef2 Mon Sep 17 00:00:00 2001 +From: Jisheng Zhang +Date: Sun, 24 May 2026 10:34:55 +0800 +Subject: mmc: sdhci: add signal voltage switch in sdhci_resume_host + +From: Jisheng Zhang + +commit f595e8e77a51eee35e331f69321766593a845ef2 upstream. + +I met one suspend/resume issue with sdr104 capable sdio wifi card (with +"keep-power-in-suspend" set in DT property): +After resuming from suspend to ram, the sdio wifi card stops working. +Further debug shows that although ios shows the sdio card is at sdr104 +mode, the voltage is still at 3V3. This is due to missing the calling +of ->start_signal_voltage_switch() in sdhci_resume_host(). + +Fix this issue by adding ->start_signal_voltage_switch() in +sdhci_resume_host(). This also matches what we do for +sdhci_runtime_resume_host(). + +Then the question is: why this issue hasn't reported and fixed for so +long time. IMHO, several reasons: Some host controllers just kick off +the runtime resume for system resume, so they benefit from the well +supported runtime pm code; Some platforms just use the old sdio wifi +card which doesn't need signal voltage switch at all, the default +voltage is 3v3 after resuming. + +Fixes: 6308d2905bd3 ("mmc: sdhci: add quirk for keeping card power during suspend") +Signed-off-by: Jisheng Zhang +Acked-by: Adrian Hunter +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -3800,6 +3800,7 @@ int sdhci_resume_host(struct sdhci_host + host->pwr = 0; + host->clock = 0; + host->reinit_uhs = true; ++ mmc->ops->start_signal_voltage_switch(mmc, &mmc->ios); + mmc->ops->set_ios(mmc, &mmc->ios); + } else { + sdhci_init(host, (mmc->pm_flags & MMC_PM_KEEP_POWER)); 
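Review bot: The return value of the added `mmc->ops->start_signal_voltage_switch()` call is discarded, so a failed switch on resume leaves the card at the wrong signal voltage with nothing in the log to point at it. Unless the runtime-resume path cited in the commit message ignores it deliberately, capture it and warn: `if (mmc->ops->start_signal_voltage_switch(mmc, &mmc->ios)) pr_warn("%s: signal voltage switch failed on resume\n", mmc_hostname(mmc));`. The call is also unconditional, so it relies on every sdhci-based host supplying that op; sdhci_resume_host() starts and ends outside the hunk, so I cannot see whether that is already guaranteed for this path.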
diff --git a/queue-6.6/sctp-diag-reject-stale-associations-in-dump_one-path.patch b/queue-6.6/sctp-diag-reject-stale-associations-in-dump_one-path.patch new file mode 100644 index 0000000000..8b05822df7 --- /dev/null +++ b/queue-6.6/sctp-diag-reject-stale-associations-in-dump_one-path.patch 
@@ -0,0 +1,78 @@ +From 5eba3e48d78edd7551b992cb7ba687019b3a78da Mon Sep 17 00:00:00 2001 +From: Zhao Zhang +Date: Sat, 30 May 2026 23:57:14 +0800 +Subject: sctp: diag: reject stale associations in dump_one path + +From: Zhao Zhang + +commit 5eba3e48d78edd7551b992cb7ba687019b3a78da upstream. + +The SCTP exact sock_diag lookup can hold a transport reference, block on +lock_sock(sk), and then resume after sctp_association_free() has marked +the association dead and freed its bind address list. + +When that happens, inet_assoc_attr_size() and +inet_diag_msg_sctpasoc_fill() can still dereference association state +that is no longer valid for reporting. In particular, +inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a +real sctp_sockaddr_entry and trigger an out-of-bounds read from +unrelated association memory. + +Reject the association after taking the socket lock if it has been +reaped or detached from the endpoint, and report the lookup as stale. +This keeps the exact dump-one path from formatting torn association +state. 
+ +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Zhengchuan Liang +Reported-by: Xin Liu +Signed-off-by: Zhao Zhang +Signed-off-by: Ren Wei +Acked-by: Xin Long +Link: https://patch.msgid.link/fac6043fa20a2ff68e12958c431836f692c51268.1780113823.git.zzhan461@ucr.edu +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/diag.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -266,15 +266,15 @@ static int sctp_sock_dump_one(struct sct + + lock_sock(sk); + +- rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL); +- if (!rep) { +- release_sock(sk); +- return -ENOMEM; ++ if (ep != assoc->ep || assoc->base.dead) { ++ err = -ESTALE; ++ goto out_unlock; + } + +- if (ep != assoc->ep) { +- err = -EAGAIN; +- goto out; ++ rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL); ++ if (!rep) { ++ err = -ENOMEM; ++ goto out_unlock; + } + + err = inet_sctp_diag_fill(sk, assoc, rep, req, sk_user_ns(NETLINK_CB(skb).sk), +@@ -289,8 +289,9 @@ static int sctp_sock_dump_one(struct sct + return nlmsg_unicast(sock_net(skb->sk)->diag_nlsk, rep, NETLINK_CB(skb).portid); + + out: +- release_sock(sk); + kfree_skb(rep); ++out_unlock: ++ release_sock(sk); + return err; + } + diff --git a/queue-6.6/sctp-stream-fully-roll-back-denied-add-stream-state.patch b/queue-6.6/sctp-stream-fully-roll-back-denied-add-stream-state.patch new file mode 100644 index 0000000000..3da2d88952 --- /dev/null +++ b/queue-6.6/sctp-stream-fully-roll-back-denied-add-stream-state.patch 
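Review bot: The new `ep != assoc->ep || assoc->base.dead` check carries no explanation in the code of why it must run after lock_sock(), and the race it closes (the transport reference is held while lock_sock() sleeps past sctp_association_free()) lives only in the commit message. Add a comment above it, e.g. `/* lock_sock() may have slept past sctp_association_free(); a dead or re-homed assoc must not be reported */`. Changing the existing ep-mismatch case from -EAGAIN to -ESTALE is a user-visible errno change and deserves a line in the same comment. sctp_sock_dump_one() begins before the first hunk.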
@@ -0,0 +1,61 @@ +From a5f8a90ac9f77c678a9781c0a464b635e0d63e49 Mon Sep 17 00:00:00 2001 +From: Wyatt Feng +Date: Fri, 5 Jun 2026 13:53:42 +0800 +Subject: sctp: stream: fully roll back denied add-stream state + +From: Wyatt Feng + +commit a5f8a90ac9f77c678a9781c0a464b635e0d63e49 upstream. + +When ADD_OUT_STREAMS is denied, SCTP only shrinks the queued chunks and +then lowers outcnt. That leaves removed stream metadata behind, so a +later re-add can reuse a stale ext and hit a null-pointer dereference in +the scheduler get path. + +Fix the rollback by tearing down the removed stream state the same way +other stream resizes do. Unschedule the current scheduler state, drop +the removed stream ext state with sctp_stream_outq_migrate(), and then +reschedule the remaining streams. + +This keeps scheduler-private RR/FC/PRIO lists consistent while fully +rolling back denied outgoing stream additions. + +Fixes: 637784ade221 ("sctp: introduce priority based stream scheduler") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Zhengchuan Liang +Reported-by: Xin Liu +Signed-off-by: Wyatt Feng +Signed-off-by: Ren Wei +Acked-by: Xin Long +Link: https://patch.msgid.link/d78954ecd94954653ee299400e98d74a03a6f7d3.1780603399.git.bronzed_45_vested@icloud.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/stream.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/sctp/stream.c ++++ b/net/sctp/stream.c +@@ -1038,6 +1038,7 @@ struct sctp_chunk *sctp_process_strreset + stsn, rtsn, GFP_ATOMIC); + } else if (req->type == SCTP_PARAM_RESET_ADD_OUT_STREAMS) { + struct sctp_strreset_addstrm *addstrm; ++ const struct sctp_sched_ops *sched; + __u16 number; + + addstrm = (struct sctp_strreset_addstrm *)req; +@@ -1048,7 +1049,10 @@ struct sctp_chunk *sctp_process_strreset + for (i = number; i < stream->outcnt; i++) + SCTP_SO(stream, i)->state = SCTP_STREAM_OPEN; + } else { +- 
sctp_stream_shrink_out(stream, number); ++ sched = sctp_sched_ops_from_stream(stream); ++ sched->unsched_all(stream); ++ sctp_stream_outq_migrate(stream, NULL, number); ++ sched->sched_all(stream); + stream->outcnt = number; + } + diff --git a/queue-6.6/series b/queue-6.6/series index 5667aaad11..608386ce75 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -344,3 +344,17 @@ bpf-track-equal-scalars-history-on-per-instruction-l.patch bpf-remove-mark_precise_scalar_ids.patch selftests-bpf-tests-for-per-insn-sync_linked_regs-pr.patch selftests-bpf-update-comments-find_equal_scalars-syn.patch +mm-hugetlb-restore-reservation-on-error-in-hugetlb-folio-copy-paths.patch +mmc-core-fix-host-controller-programming-for-fixed-driver-type.patch +mmc-litex_mmc-set-mandatory-idle-clocks-before-cmd0.patch +mmc-renesas_sdhi-add-of-entry-for-rz-g2h-soc.patch +mmc-sdhci-add-signal-voltage-switch-in-sdhci_resume_host.patch +sctp-diag-reject-stale-associations-in-dump_one-path.patch +sctp-stream-fully-roll-back-denied-add-stream-state.patch +thunderbolt-reject-zero-length-property-entries-in-validator.patch +thunderbolt-bound-root-directory-content-to-block-size.patch +thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch +thunderbolt-validate-xdomain-request-packet-size-before-type-cast.patch +thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch +slimbus-qcom-ngd-ctrl-fix-of-node-refcount.patch +slimbus-qcom-ngd-ctrl-avoid-abba-on-tx_lock-ctrl-lock.patch diff --git a/queue-6.6/slimbus-qcom-ngd-ctrl-avoid-abba-on-tx_lock-ctrl-lock.patch b/queue-6.6/slimbus-qcom-ngd-ctrl-avoid-abba-on-tx_lock-ctrl-lock.patch new file mode 100644 index 0000000000..d4be480d25 --- /dev/null +++ b/queue-6.6/slimbus-qcom-ngd-ctrl-avoid-abba-on-tx_lock-ctrl-lock.patch 
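Review bot: The unsched_all/outq_migrate/sched_all sequence in the denied ADD_OUT_STREAMS branch has no comment saying why the plain sctp_stream_shrink_out() was not enough, so the next reader will not know that the removed streams' ext state has to be torn down to keep a later re-add from reusing a stale ext. Add a comment before the `sched =` line, e.g. `/* Tear down removed stream state as other resizes do; a stale ext would be reused on a later re-add */`. That sctp_stream_outq_migrate(stream, NULL, number) releases the ext of streams at or above `number` is not visible in this hunk and is worth confirming against its definition. The enclosing function continues outside the hunk.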
@@ -0,0 +1,76 @@ +From 55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec Mon Sep 17 00:00:00 2001 +From: Bjorn Andersson +Date: Sat, 30 May 2026 21:44:21 +0100 +Subject: slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock + +From: Bjorn Andersson + +commit 55f2ea9ff83cc27a85526b14bc9b32f96a08d6ec upstream. + +During the SSR/PDR down notification the tx_lock is taken with the +intent to provide synchronization with active DMA transfers. + +But during this period qcom_slim_ngd_down() is invoked, which ends up in +slim_report_absent(), which takes the slim_controller lock. In multiple +other codepaths these two locks are taken in the opposite order (i.e. +slim_controller then tx_lock). + +The result is a lockdep splat, and a possible deadlock: + + rprocctl/449 is trying to acquire lock: + ffff00009793e620 (&ctrl->lock){+.+.}-{4:4}, at: slim_report_absent (drivers/slimbus/core.c:322) slimbus + + but task is already holding lock: + ffff00009793fb50 (&ctrl->tx_lock){+.+.}-{4:4}, at: qcom_slim_ngd_ssr_pdr_notify (drivers/slimbus/qcom-ngd-ctrl.c:1475) slim_qcom_ngd_ctrl + + which lock already depends on the new lock. + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&ctrl->tx_lock); + lock(&ctrl->lock); + lock(&ctrl->tx_lock); + lock(&ctrl->lock); + +The assumption is that the comment refers to the desire to not call +qcom_slim_ngd_exit_dma() while we have an ongoing DMA TX transaction. +But any such transaction is initiated and completed within a single +qcom_slim_ngd_xfer_msg(). + +Prior to calling qcom_slim_ngd_exit_dma() the slim_controller is torn +down, all child devices are notified that the slimbus is gone and the +child devices are removed. + +Stop taking the tx_lock in qcom_slim_ngd_ssr_pdr_notify() to avoid the +deadlock. 
+ +Fixes: a899d324863a ("slimbus: qcom-ngd-ctrl: add Sub System Restart support") +Cc: stable@vger.kernel.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260530204421.116824-9-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/qcom-ngd-ctrl.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/slimbus/qcom-ngd-ctrl.c ++++ b/drivers/slimbus/qcom-ngd-ctrl.c +@@ -1469,15 +1469,12 @@ static int qcom_slim_ngd_ssr_pdr_notify( + switch (action) { + case QCOM_SSR_BEFORE_SHUTDOWN: + case SERVREG_SERVICE_STATE_DOWN: +- /* Make sure the last dma xfer is finished */ +- mutex_lock(&ctrl->tx_lock); + if (ctrl->state != QCOM_SLIM_NGD_CTRL_DOWN) { + pm_runtime_get_noresume(ctrl->ctrl.dev); + ctrl->state = QCOM_SLIM_NGD_CTRL_DOWN; + qcom_slim_ngd_down(ctrl); + qcom_slim_ngd_exit_dma(ctrl); + } +- mutex_unlock(&ctrl->tx_lock); + break; + case QCOM_SSR_AFTER_POWERUP: + case SERVREG_SERVICE_STATE_UP: diff --git a/queue-6.6/slimbus-qcom-ngd-ctrl-fix-of-node-refcount.patch b/queue-6.6/slimbus-qcom-ngd-ctrl-fix-of-node-refcount.patch new file mode 100644 index 0000000000..b305069ec7 --- /dev/null +++ b/queue-6.6/slimbus-qcom-ngd-ctrl-fix-of-node-refcount.patch 
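Review bot: Dropping tx_lock around the down sequence rests on the invariant, stated only in the commit message, that a DMA TX is started and completed within a single qcom_slim_ngd_xfer_msg() and that the controller is torn down before qcom_slim_ngd_exit_dma(); with the `Make sure the last dma xfer is finished` comment gone, nothing in the code stops someone from re-adding the lock and the ABBA. Replace the removed comment with one recording why the lock is unnecessary, e.g. `/* No tx_lock here: a DMA TX never outlives qcom_slim_ngd_xfer_msg(), and taking it would invert the ctrl->lock / tx_lock order */`. qcom_slim_ngd_ssr_pdr_notify() begins and ends outside the hunk.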
@@ -0,0 +1,39 @@ +From 120134fe75c6b0ae38f14eb8b548ad1e5761f912 Mon Sep 17 00:00:00 2001 +From: Bartosz Golaszewski +Date: Sat, 30 May 2026 21:44:14 +0100 +Subject: slimbus: qcom-ngd-ctrl: fix OF node refcount + +From: Bartosz Golaszewski + +commit 120134fe75c6b0ae38f14eb8b548ad1e5761f912 upstream. + +Platform devices created with platform_device_alloc() call +platform_device_release() when the last reference to the device's +kobject is dropped. This function calls of_node_put() unconditionally. +This works fine for devices created with platform_device_register_full() +but users of the split approach (platform_device_alloc() + +platform_device_add()) must bump the reference of the of_node they +assign manually. Add the missing call to of_node_get(). + +Cc: stable@vger.kernel.org +Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver") +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260530204421.116824-2-srini@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/slimbus/qcom-ngd-ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/slimbus/qcom-ngd-ctrl.c ++++ b/drivers/slimbus/qcom-ngd-ctrl.c +@@ -1545,7 +1545,7 @@ static int of_qcom_slim_ngd_register(str + of_node_put(node); + return ret; + } +- ngd->pdev->dev.of_node = node; ++ ngd->pdev->dev.of_node = of_node_get(node); + ctrl->ngd = ngd; + + ret = platform_device_add(ngd->pdev); diff --git a/queue-6.6/thunderbolt-bound-root-directory-content-to-block-size.patch b/queue-6.6/thunderbolt-bound-root-directory-content-to-block-size.patch new file mode 100644 index 0000000000..88323bec0f --- /dev/null +++ b/queue-6.6/thunderbolt-bound-root-directory-content-to-block-size.patch 
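Review bot: Once `dev.of_node` holds a reference taken by of_node_get(), the error handling after a failed platform_device_add() has to release it through platform_device_put() rather than a bare of_node_put() plus kfree, or that reference leaks; that path lies past the hunk and is worth checking. The visible error path above the change (`of_node_put(node); return ret;`) suggests the caller owns its own reference on `node`, so the pairing there is presumably still correct. A short comment on the new line, e.g. `/* platform_device_release() drops this reference */`, would record why the get is needed. of_qcom_slim_ngd_register() continues outside the hunk.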
@@ -0,0 +1,40 @@ +From 65423079c7420e3dbf9a7aa345c243a3f5752e5d Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Mon, 25 May 2026 05:28:26 -0400 +Subject: thunderbolt: Bound root directory content to block size + +From: Michael Bommarito + +commit 65423079c7420e3dbf9a7aa345c243a3f5752e5d upstream. + +__tb_property_parse_dir() does not check that content_offset + +content_len fits within block_len for the root directory case. +When rootdir->length equals or exceeds block_len - 2, the entry +loop reads past the allocated property block. + +Add a bounds check after computing content_offset and content_len +to reject directories whose content extends past the block. + +Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Michael Bommarito +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/property.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/thunderbolt/property.c ++++ b/drivers/thunderbolt/property.c +@@ -181,6 +181,10 @@ static struct tb_property_dir *__tb_prop + if (is_root) { + content_offset = dir_offset + 2; + content_len = dir_len; ++ if (content_offset + content_len > block_len) { ++ tb_property_free_dir(dir); ++ return NULL; ++ } + } else { + if (dir_len < 4) { + tb_property_free_dir(dir); diff --git a/queue-6.6/thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch b/queue-6.6/thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch new file mode 100644 index 0000000000..3236418b98 --- /dev/null +++ b/queue-6.6/thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch 
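Review bot: `content_offset + content_len > block_len` is only sound if the sum cannot wrap, and content_len for the root directory comes from the property block itself; the sibling validator tb_property_entry_valid() uses check_add_overflow() for the same shape of check. Unless both operands are already bounded well below their type's range, write it the same way: declare an `end` of the operands' type and use `if (check_add_overflow(content_offset, content_len, &end) || end > block_len) { tb_property_free_dir(dir); return NULL; }`. __tb_property_parse_dir() starts and ends outside the hunk, so the operand types are not visible here.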
@@ -0,0 +1,39 @@ +From 322e93448d908434ae5545660fcbe8f5a7a8e141 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Mon, 25 May 2026 05:28:27 -0400 +Subject: thunderbolt: Clamp XDomain response data copy to allocation size + +From: Michael Bommarito + +commit 322e93448d908434ae5545660fcbe8f5a7a8e141 upstream. + +tb_xdp_properties_request() derives the per-packet copy length from +the response header without checking that it fits in the previously +allocated data buffer. A malicious peer can set its length field +larger than the declared data_length, causing memcpy to write past +the kcalloc allocation. + +Clamp the per-packet copy length so that the cumulative offset +never exceeds data_len. + +Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Michael Bommarito +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/xdomain.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/thunderbolt/xdomain.c ++++ b/drivers/thunderbolt/xdomain.c +@@ -393,6 +393,8 @@ static int tb_xdp_properties_request(str + } + } + ++ if (req.offset + len > data_len) ++ len = data_len - req.offset; + memcpy(data + req.offset, res->data, len * 4); + req.offset += len; + } while (!data_len || req.offset < data_len); diff --git a/queue-6.6/thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch b/queue-6.6/thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch new file mode 100644 index 0000000000..046d0e8e0f --- /dev/null +++ b/queue-6.6/thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch 
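Review bot: After the clamp, a response with a reported data_length of zero (the `!data_len` term in the loop condition implies that case is reachable) makes `len` zero, so req.offset never advances and the do/while keeps re-requesting instead of failing. Treat a zero-progress iteration as a protocol error right after the clamp, e.g. `if (!len) { ret = -EIO; goto <cleanup label>; }` using whatever cleanup label this function already has. It would also help to log when the clamp actually truncates, since that means the peer is misreporting lengths. tb_xdp_properties_request() begins before the hunk, so how len and data_len are derived is not visible here.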
@@ -0,0 +1,40 @@ +From 4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Mon, 25 May 2026 05:28:29 -0400 +Subject: thunderbolt: Limit XDomain response copy to actual frame size + +From: Michael Bommarito + +commit 4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb upstream. + +tb_xdomain_copy() copies req->response_size bytes from the received +packet buffer regardless of the actual frame size. When a short +response arrives, this reads past the valid frame data in the DMA +pool buffer into stale contents from previous transactions. + +Use the minimum of frame size and expected response size for the +copy length. + +Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Michael Bommarito +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/xdomain.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/thunderbolt/xdomain.c ++++ b/drivers/thunderbolt/xdomain.c +@@ -123,7 +123,9 @@ static bool tb_xdomain_match(const struc + static bool tb_xdomain_copy(struct tb_cfg_request *req, + const struct ctl_pkg *pkg) + { +- memcpy(req->response, pkg->buffer, req->response_size); ++ size_t len = min_t(size_t, pkg->frame.size, req->response_size); ++ ++ memcpy(req->response, pkg->buffer, len); + req->result.err = 0; + return true; + } diff --git a/queue-6.6/thunderbolt-reject-zero-length-property-entries-in-validator.patch b/queue-6.6/thunderbolt-reject-zero-length-property-entries-in-validator.patch new file mode 100644 index 0000000000..4259805be4 --- /dev/null +++ b/queue-6.6/thunderbolt-reject-zero-length-property-entries-in-validator.patch 
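Review bot: When the frame is shorter than req->response_size the bytes of req->response beyond `len` are left untouched and the result is still reported as success, so a caller that reads the whole response struct now sees stale caller memory instead of stale DMA-pool memory unless every caller zeroes its buffer first. Either clear the tail, `memset((u8 *)req->response + len, 0, req->response_size - len);`, or surface the short copy to the caller, and a comment on the new line should say which contract is intended. tb_xdomain_copy() is fully visible in the hunk.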
@@ -0,0 +1,42 @@ +From cff8eb65d1eafe7793e54b4d0cf6bf831644630b Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Mon, 25 May 2026 05:28:25 -0400 +Subject: thunderbolt: Reject zero-length property entries in validator + +From: Michael Bommarito + +commit cff8eb65d1eafe7793e54b4d0cf6bf831644630b upstream. + +tb_property_entry_valid() accepts entries with length == 0 for +DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes +validation but causes an underflow in the null-termination logic: + + property->value.text[property->length * 4 - 1] = '\0'; + +When property->length is 0 this writes to offset -1 relative to +the allocation. + +Reject zero-length entries early in the validator since they have no +valid representation in the XDomain property protocol. + +Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Michael Bommarito +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/property.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/thunderbolt/property.c ++++ b/drivers/thunderbolt/property.c +@@ -59,6 +59,8 @@ static bool tb_property_entry_valid(cons + case TB_PROPERTY_TYPE_DIRECTORY: + case TB_PROPERTY_TYPE_DATA: + case TB_PROPERTY_TYPE_TEXT: ++ if (!entry->length) ++ return false; + if (entry->length > block_len) + return false; + if (check_add_overflow(entry->value, entry->length, &end) || diff --git a/queue-6.6/thunderbolt-validate-xdomain-request-packet-size-before-type-cast.patch b/queue-6.6/thunderbolt-validate-xdomain-request-packet-size-before-type-cast.patch new file mode 100644 index 0000000000..7769017e93 --- /dev/null +++ b/queue-6.6/thunderbolt-validate-xdomain-request-packet-size-before-type-cast.patch 
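Review bot: The reason for rejecting `entry->length == 0` lives only in the commit message; in the code it reads like a redundant guard next to the `> block_len` check, and someone tidying the validator could fold it away. Add a comment, e.g. `/* A zero length has no valid representation and would underflow the TEXT terminator index (length * 4 - 1) */`, or merge the two range checks into one `if (!entry->length || entry->length > block_len) return false;`. tb_property_entry_valid() starts and ends outside the hunk.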
@@ -0,0 +1,75 @@ +From a504b9f2797b739e0304d537e8aa4ce883ecce39 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Mon, 25 May 2026 05:28:28 -0400 +Subject: thunderbolt: Validate XDomain request packet size before type cast + +From: Michael Bommarito + +commit a504b9f2797b739e0304d537e8aa4ce883ecce39 upstream. + +tb_xdp_handle_request() casts the received packet buffer to +protocol-specific structs without verifying that the allocation +is large enough for the target type. A peer can send a minimal +XDomain packet that passes the generic header length check but is +shorter than the struct accessed after the cast, causing out-of- +bounds reads from the kmemdup allocation. + +Plumb the packet length through xdomain_request_work and validate +it against the expected struct size before each cast. + +Fixes: 8e1de7042596 ("thunderbolt: Add support for XDomain lane bonding") +Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Michael Bommarito +Signed-off-by: Mika Westerberg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thunderbolt/xdomain.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/thunderbolt/xdomain.c ++++ b/drivers/thunderbolt/xdomain.c +@@ -55,6 +55,7 @@ static const char * const state_names[] + struct xdomain_request_work { + struct work_struct work; + struct tb_xdp_header *pkg; ++ size_t pkg_len; + struct tb *tb; + }; + +@@ -731,6 +732,7 @@ static void tb_xdp_handle_request(struct + struct xdomain_request_work *xw = container_of(work, typeof(*xw), work); + const struct tb_xdp_header *pkg = xw->pkg; + const struct tb_xdomain_header *xhdr = &pkg->xd_hdr; ++ size_t pkg_len = xw->pkg_len; + struct tb *tb = xw->tb; + struct tb_ctl *ctl = tb->ctl; + struct tb_xdomain *xd; +@@ -762,7 +764,7 @@ static void tb_xdp_handle_request(struct + switch (pkg->type) { + case PROPERTIES_REQUEST: + tb_dbg(tb, "%llx: received XDomain 
properties request\n", route); +- if (xd) { ++ if (xd && pkg_len >= sizeof(struct tb_xdp_properties)) { + ret = tb_xdp_properties_response(tb, ctl, xd, sequence, + (const struct tb_xdp_properties *)pkg); + } +@@ -816,7 +818,8 @@ static void tb_xdp_handle_request(struct + tb_dbg(tb, "%llx: received XDomain link state change request\n", + route); + +- if (xd && xd->state == XDOMAIN_STATE_BONDING_UUID_HIGH) { ++ if (xd && xd->state == XDOMAIN_STATE_BONDING_UUID_HIGH && ++ pkg_len >= sizeof(struct tb_xdp_link_state_change)) { + const struct tb_xdp_link_state_change *lsc = + (const struct tb_xdp_link_state_change *)pkg; + +@@ -868,6 +871,7 @@ tb_xdp_schedule_request(struct tb *tb, c + kfree(xw); + return false; + } ++ xw->pkg_len = size; + xw->tb = tb_domain_get(tb); + + schedule_work(&xw->work);
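Review bot: The size checks are added only for PROPERTIES_REQUEST and the link-state-change request, but tb_xdp_handle_request() dispatches on further `pkg->type` values between and after the visible hunks, and any of those that cast `pkg` to a larger struct has the same out-of-bounds read unless it is covered elsewhere. Whether `size` handed to tb_xdp_schedule_request() is the byte length of the kmemdup()'d packet is not visible here; the `pkg_len >= sizeof(...)` comparisons assume it is, so a comment on the new `pkg_len` member, e.g. `/* byte length of *pkg as copied from the wire */`, would pin that down. Both tb_xdp_handle_request() and tb_xdp_schedule_request() extend outside the hunks.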