From 04f1891c147ee80780873d2cbae132680a9303f8 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Fri, 17 Oct 2025 10:38:10 +0200
Subject: [PATCH] 5.10-stable patches

added patches:
arm64-dts-qcom-sdm845-fix-slimbam-num-channels-ees.patch
asoc-codecs-wcd934x-simplify-with-dev_err_probe.patch
asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch
dm-fix-null-pointer-dereference-in-__dm_suspend.patch
fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch
kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch
media-mc-clear-minor-number-before-put-device.patch
mfd-intel_soc_pmic_chtdc_ti-drop-unneeded-assignment-for-cache_type.patch
mfd-intel_soc_pmic_chtdc_ti-fix-invalid-regmap-config-max_register-value.patch
mfd-intel_soc_pmic_chtdc_ti-set-use_single_read-regmap_config-flag.patch
net-9p-fix-double-req-put-in-p9_fd_cancelled.patch
squashfs-add-additional-inode-sanity-checking.patch
squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch
tracing-fix-race-condition-in-kprobe-initialization-causing-null-pointer-dereference.patch
udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
---
 ...-sdm845-fix-slimbam-num-channels-ees.patch | 49 ++++
 ...-wcd934x-simplify-with-dev_err_probe.patch | 66 +++++
 ...handling-in-wcd934x_codec_parse_data.patch | 85 +++++++
 ...-pointer-dereference-in-__dm_suspend.patch | 98 ++++++++
 ...ob-read-in-lengthallocdescs-handling.patch | 81 ++++++
 ...rcepts-when-completing-userspace-i-o.patch | 145 +++++++++++
 ...clear-minor-number-before-put-device.patch | 51 ++++
 ...p-unneeded-assignment-for-cache_type.patch | 39 +++
 ...lid-regmap-config-max_register-value.patch | 40 +++
 ...t-use_single_read-regmap_config-flag.patch | 43 ++++
 ...ix-double-req-put-in-p9_fd_cancelled.patch | 126 ++++++++++
 queue-5.10/series | 15 ++
 ...add-additional-inode-sanity-checking.patch | 90 +++++++
 ...ve-file-sizes-in-squashfs_read_inode.patch | 48 ++++
 ...ion-causing-null-pointer-dereference.patch | 235 ++++++++++++++++++
 ...nit-value-use-in-udf_get_fileshortad.patch | 54 ++++
 16 files changed, 1265
insertions(+)
create mode 100644 queue-5.10/arm64-dts-qcom-sdm845-fix-slimbam-num-channels-ees.patch
create mode 100644 queue-5.10/asoc-codecs-wcd934x-simplify-with-dev_err_probe.patch
create mode 100644 queue-5.10/asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch
create mode 100644 queue-5.10/dm-fix-null-pointer-dereference-in-__dm_suspend.patch
create mode 100644 queue-5.10/fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch
create mode 100644 queue-5.10/kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch
create mode 100644 queue-5.10/media-mc-clear-minor-number-before-put-device.patch
create mode 100644 queue-5.10/mfd-intel_soc_pmic_chtdc_ti-drop-unneeded-assignment-for-cache_type.patch
create mode 100644 queue-5.10/mfd-intel_soc_pmic_chtdc_ti-fix-invalid-regmap-config-max_register-value.patch
create mode 100644 queue-5.10/mfd-intel_soc_pmic_chtdc_ti-set-use_single_read-regmap_config-flag.patch
create mode 100644 queue-5.10/net-9p-fix-double-req-put-in-p9_fd_cancelled.patch
create mode 100644 queue-5.10/squashfs-add-additional-inode-sanity-checking.patch
create mode 100644 queue-5.10/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch
create mode 100644 queue-5.10/tracing-fix-race-condition-in-kprobe-initialization-causing-null-pointer-dereference.patch
create mode 100644 queue-5.10/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
diff --git a/queue-5.10/arm64-dts-qcom-sdm845-fix-slimbam-num-channels-ees.patch b/queue-5.10/arm64-dts-qcom-sdm845-fix-slimbam-num-channels-ees.patch
new file mode 100644
index 0000000000..9201ba2a3e
--- /dev/null
+++ b/queue-5.10/arm64-dts-qcom-sdm845-fix-slimbam-num-channels-ees.patch
@@ -0,0 +1,49 @@ +From stable+bounces-186221-greg=kroah.com@vger.kernel.org Fri Oct 17 02:11:11 2025 +From: Sasha Levin +Date: Thu, 16 Oct 2025 20:11:02 -0400 +Subject: arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees +To: stable@vger.kernel.org +Cc: Stephan Gerhold , Dmitry Baryshkov , Bjorn Andersson , Sasha Levin +Message-ID: <20251017001102.3477703-1-sashal@kernel.org> + +From: Stephan Gerhold + +[ Upstream commit 316294bb6695a43a9181973ecd4e6fb3e576a9f7 ] + +Reading the hardware registers of the &slimbam on RB3 reveals that the BAM +supports only 23 pipes (channels) and supports 4 EEs instead of 2. This +hasn't caused problems so far since nothing is using the extra channels, +but attempting to use them would lead to crashes. + +The bam_dma driver might warn in the future if the num-channels in the DT +are wrong, so correct the properties in the DT to avoid future regressions. + +Cc: stable@vger.kernel.org +Fixes: 27ca1de07dc3 ("arm64: dts: qcom: sdm845: add slimbus nodes") +Signed-off-by: Stephan Gerhold +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20250821-sdm845-slimbam-channels-v1-1-498f7d46b9ee@linaro.org +Signed-off-by: Bjorn Andersson +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/sdm845.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi +@@ -4492,11 +4492,11 @@ + compatible = "qcom,bam-v1.7.0"; + qcom,controlled-remotely; + reg = <0 0x17184000 0 0x2a000>; +- num-channels = <31>; ++ num-channels = <23>; + interrupts = ; + #dma-cells = <1>; + qcom,ee = <1>; +- qcom,num-ees = <2>; ++ qcom,num-ees = <4>; + iommus = <&apps_smmu 0x1806 0x0>; + }; + diff --git a/queue-5.10/asoc-codecs-wcd934x-simplify-with-dev_err_probe.patch b/queue-5.10/asoc-codecs-wcd934x-simplify-with-dev_err_probe.patch new file mode 100644 index 0000000000..7396a58f7a --- /dev/null 
+++ b/queue-5.10/asoc-codecs-wcd934x-simplify-with-dev_err_probe.patch 
@@ -0,0 +1,66 @@ +From stable+bounces-185503-greg=kroah.com@vger.kernel.org Mon Oct 13 21:42:28 2025 +From: Sasha Levin +Date: Mon, 13 Oct 2025 15:42:17 -0400 +Subject: ASoC: codecs: wcd934x: Simplify with dev_err_probe +To: stable@vger.kernel.org +Cc: Krzysztof Kozlowski , Mark Brown , Sasha Levin +Message-ID: <20251013194218.3571206-1-sashal@kernel.org> + +From: Krzysztof Kozlowski + +[ Upstream commit fa92f4294283cc7d1f29151420be9e9336182518 ] + +Replace dev_err() in probe() path with dev_err_probe() to: +1. Make code a bit simpler and easier to read, +2. Do not print messages on deferred probe. + +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230418074630.8681-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Mark Brown +Stable-dep-of: 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd934x.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -5032,10 +5032,9 @@ static int wcd934x_codec_parse_data(stru + slim_get_logical_addr(wcd->sidev); + wcd->if_regmap = regmap_init_slimbus(wcd->sidev, + &wcd934x_ifc_regmap_config); +- if (IS_ERR(wcd->if_regmap)) { +- dev_err(dev, "Failed to allocate ifc register map\n"); +- return PTR_ERR(wcd->if_regmap); +- } ++ if (IS_ERR(wcd->if_regmap)) ++ return dev_err_probe(dev, PTR_ERR(wcd->if_regmap), ++ "Failed to allocate ifc register map\n"); + + of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate", + &wcd->dmic_sample_rate); +@@ -5074,19 +5073,15 @@ static int wcd934x_codec_probe(struct pl + memcpy(wcd->tx_chs, wcd934x_tx_chs, sizeof(wcd934x_tx_chs)); + + irq = regmap_irq_get_virq(data->irq_data, WCD934X_IRQ_SLIMBUS); +- if (irq < 0) { +- dev_err(wcd->dev, "Failed to get SLIM IRQ\n"); +- return irq; +- } ++ if (irq < 0) ++ return dev_err_probe(wcd->dev, irq, "Failed to get 
SLIM IRQ\n"); + + ret = devm_request_threaded_irq(dev, irq, NULL, + wcd934x_slim_irq_handler, + IRQF_TRIGGER_RISING, + "slim", wcd); +- if (ret) { +- dev_err(dev, "Failed to request slimbus irq\n"); +- return ret; +- } ++ if (ret) ++ return dev_err_probe(dev, ret, "Failed to request slimbus irq\n"); + + wcd934x_register_mclk_output(wcd); + platform_set_drvdata(pdev, wcd); diff --git a/queue-5.10/asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch b/queue-5.10/asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch new file mode 100644 index 0000000000..096d1ee9bb --- /dev/null +++ b/queue-5.10/asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch 
@@ -0,0 +1,85 @@ +From stable+bounces-185504-greg=kroah.com@vger.kernel.org Mon Oct 13 21:42:31 2025 +From: Sasha Levin +Date: Mon, 13 Oct 2025 15:42:18 -0400 +Subject: ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data() +To: stable@vger.kernel.org +Cc: Ma Ke , Dmitry Baryshkov , Mark Brown , Sasha Levin +Message-ID: <20251013194218.3571206-2-sashal@kernel.org> + +From: Ma Ke + +[ Upstream commit 4e65bda8273c938039403144730923e77916a3d7 ] + +wcd934x_codec_parse_data() contains a device reference count leak in +of_slim_get_device() where device_find_child() increases the reference +count of the device but this reference is not properly decreased in +the success path. Add put_device() in wcd934x_codec_parse_data() and +add devm_add_action_or_reset() in the probe function, which ensures +that the reference count of the device is correctly managed. + +Memory leak in regmap_init_slimbus() as the allocated regmap is not +released when the device is removed. Using devm_regmap_init_slimbus() +instead of regmap_init_slimbus() to ensure automatic regmap cleanup on +device removal. + +Calling path: of_slim_get_device() -> of_find_slim_device() -> +device_find_child(). As comment of device_find_child() says, 'NOTE: +you will need to drop the reference with put_device() after use.'. + +Found by code review. 
+ +Cc: stable@vger.kernel.org +Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") +Signed-off-by: Ma Ke +Reviewed-by: Dmitry Baryshkov +Link: https://patch.msgid.link/20250923065212.26660-1-make24@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/wcd934x.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -5011,6 +5011,13 @@ static const struct snd_soc_component_dr + .num_dapm_routes = ARRAY_SIZE(wcd934x_audio_map), + }; + ++static void wcd934x_put_device_action(void *data) ++{ ++ struct device *dev = data; ++ ++ put_device(dev); ++} ++ + static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) + { + struct device *dev = &wcd->sdev->dev; +@@ -5030,11 +5037,13 @@ static int wcd934x_codec_parse_data(stru + } + + slim_get_logical_addr(wcd->sidev); +- wcd->if_regmap = regmap_init_slimbus(wcd->sidev, ++ wcd->if_regmap = devm_regmap_init_slimbus(wcd->sidev, + &wcd934x_ifc_regmap_config); +- if (IS_ERR(wcd->if_regmap)) ++ if (IS_ERR(wcd->if_regmap)) { ++ put_device(&wcd->sidev->dev); + return dev_err_probe(dev, PTR_ERR(wcd->if_regmap), + "Failed to allocate ifc register map\n"); ++ } + + of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate", + &wcd->dmic_sample_rate); +@@ -5065,6 +5074,10 @@ static int wcd934x_codec_probe(struct pl + return ret; + } + ++ ret = devm_add_action_or_reset(dev, wcd934x_put_device_action, &wcd->sidev->dev); ++ if (ret) ++ return ret; ++ + /* set default rate 9P6MHz */ + regmap_update_bits(wcd->regmap, WCD934X_CODEC_RPM_CLK_MCLK_CFG, + WCD934X_CODEC_RPM_CLK_MCLK_CFG_MCLK_MASK, diff --git a/queue-5.10/dm-fix-null-pointer-dereference-in-__dm_suspend.patch b/queue-5.10/dm-fix-null-pointer-dereference-in-__dm_suspend.patch new file mode 100644 index 0000000000..7124b904e0 --- /dev/null 
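Review bot: The new put_device() in wcd934x_codec_parse_data() only covers the regmap failure, while the probe-side wcd934x_put_device_action is installed only after parse_data returns 0; any other error return between of_slim_get_device() and the end of parse_data would still leak the device_find_child() reference. The tail of parse_data is outside the hunk (the visible context after the regmap call in the companion dev_err_probe patch is an unchecked of_property_read_u32()), so please confirm against the 5.10 body that no such return exists. Note also that devm_regmap_init_slimbus() binds the regmap's devres to wcd->sidev, not to the codec's platform `dev`, so its teardown follows the slim device's release rather than codec unbind; a short comment there would save the next reader the lookup, e.g. `/* devres on sidev: torn down with the slim device, not on codec remove */`. Both wcd934x_codec_parse_data() and wcd934x_codec_probe() extend beyond their hunks.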
+++ b/queue-5.10/dm-fix-null-pointer-dereference-in-__dm_suspend.patch 
@@ -0,0 +1,98 @@ +From stable+bounces-185568-greg=kroah.com@vger.kernel.org Tue Oct 14 05:03:44 2025 +From: Sasha Levin +Date: Mon, 13 Oct 2025 23:03:34 -0400 +Subject: dm: fix NULL pointer dereference in __dm_suspend() +To: stable@vger.kernel.org +Cc: Zheng Qixing , Mikulas Patocka , Sasha Levin +Message-ID: <20251014030334.3868139-1-sashal@kernel.org> + +From: Zheng Qixing + +[ Upstream commit 8d33a030c566e1f105cd5bf27f37940b6367f3be ] + +There is a race condition between dm device suspend and table load that +can lead to null pointer dereference. The issue occurs when suspend is +invoked before table load completes: + +BUG: kernel NULL pointer dereference, address: 0000000000000054 +Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 +RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50 +Call Trace: + + blk_mq_quiesce_queue+0x2c/0x50 + dm_stop_queue+0xd/0x20 + __dm_suspend+0x130/0x330 + dm_suspend+0x11a/0x180 + dev_suspend+0x27e/0x560 + ctl_ioctl+0x4cf/0x850 + dm_ctl_ioctl+0xd/0x20 + vfs_ioctl+0x1d/0x50 + __se_sys_ioctl+0x9b/0xc0 + __x64_sys_ioctl+0x19/0x30 + x64_sys_call+0x2c4a/0x4620 + do_syscall_64+0x9e/0x1b0 + +The issue can be triggered as below: + +T1 T2 +dm_suspend table_load +__dm_suspend dm_setup_md_queue + dm_mq_init_request_queue + blk_mq_init_allocated_queue + => q->mq_ops = set->ops; (1) +dm_stop_queue / dm_wait_for_completion +=> q->tag_set NULL pointer! (2) + => q->tag_set = set; (3) + +Fix this by checking if a valid table (map) exists before performing +request-based suspend and waiting for target I/O. When map is NULL, +skip these table-dependent suspend steps. + +Even when map is NULL, no I/O can reach any target because there is +no table loaded; I/O submitted in this state will fail early in the +DM layer. Skipping the table-dependent suspend logic in this case +is safe and avoids NULL pointer dereferences. 
+ +Fixes: c4576aed8d85 ("dm: fix request-based dm's use of dm_wait_for_completion") +Cc: stable@vger.kernel.org +Signed-off-by: Zheng Qixing +Signed-off-by: Mikulas Patocka +[ omitted DMF_QUEUE_STOPPED flag setting and braces absent in 5.15 ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -2457,7 +2457,7 @@ static int __dm_suspend(struct mapped_de + { + bool do_lockfs = suspend_flags & DM_SUSPEND_LOCKFS_FLAG; + bool noflush = suspend_flags & DM_SUSPEND_NOFLUSH_FLAG; +- int r; ++ int r = 0; + + lockdep_assert_held(&md->suspend_lock); + +@@ -2509,7 +2509,7 @@ static int __dm_suspend(struct mapped_de + * Stop md->queue before flushing md->wq in case request-based + * dm defers requests to md->wq from md->queue. + */ +- if (dm_request_based(md)) ++ if (map && dm_request_based(md)) + dm_stop_queue(md->queue); + + flush_workqueue(md->wq); +@@ -2519,7 +2519,8 @@ static int __dm_suspend(struct mapped_de + * We call dm_wait_for_completion to wait for all existing requests + * to finish. + */ +- r = dm_wait_for_completion(md, task_state); ++ if (map) ++ r = dm_wait_for_completion(md, task_state); + if (!r) + set_bit(dmf_suspended_flag, &md->flags); + diff --git a/queue-5.10/fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch b/queue-5.10/fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch new file mode 100644 index 0000000000..2b81d8628f --- /dev/null +++ b/queue-5.10/fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch 
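Review bot: The backport annotation `[ omitted DMF_QUEUE_STOPPED flag setting and braces absent in 5.15 ]` names 5.15, but this file is being queued under queue-5.10; the note appears to have been carried over from the 5.15 backport and should either say 5.10 or be re-verified against the 5.10 __dm_suspend(), whose body lies mostly outside these three hunks. The logic itself reads as intended: with `int r = 0;` a NULL map skips both dm_stop_queue() and dm_wait_for_completion() and still falls through to set_bit(dmf_suspended_flag, ...). __dm_suspend() starts before the first hunk and ends after the last.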
@@ -0,0 +1,81 @@ +From stable+bounces-185514-greg=kroah.com@vger.kernel.org Mon Oct 13 22:45:32 2025 +From: Sasha Levin +Date: Mon, 13 Oct 2025 16:41:24 -0400 +Subject: fs: udf: fix OOB read in lengthAllocDescs handling +To: stable@vger.kernel.org +Cc: Larshin Sergey , syzbot+8743fca924afed42f93e@syzkaller.appspotmail.com, Jan Kara , Sasha Levin +Message-ID: <20251013204124.3599728-2-sashal@kernel.org> + +From: Larshin Sergey + +[ Upstream commit 3bd5e45c2ce30e239d596becd5db720f7eb83c99 ] + +When parsing Allocation Extent Descriptor, lengthAllocDescs comes from +on-disk data and must be validated against the block size. Crafted or +corrupted images may set lengthAllocDescs so that the total descriptor +length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, +leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and +trigger a KASAN use-after-free read. + +BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 +Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309 + +CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0x169/0x550 mm/kasan/report.c:488 + kasan_report+0x143/0x180 mm/kasan/report.c:601 + crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 + udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261 + udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179 + extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46 + udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106 + udf_release_file+0xc1/0x120 fs/udf/file.c:185 + __fput+0x23f/0x880 fs/file_table.c:431 + task_work_run+0x24f/0x310 kernel/task_work.c:239 + exit_task_work include/linux/task_work.h:43 [inline] + do_exit+0xa2f/0x28e0 kernel/exit.c:939 + 
do_group_exit+0x207/0x2c0 kernel/exit.c:1088 + __do_sys_exit_group kernel/exit.c:1099 [inline] + __se_sys_exit_group kernel/exit.c:1097 [inline] + __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 + x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + + +Validate the computed total length against epos->bh->b_size. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Reported-by: syzbot+8743fca924afed42f93e@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=8743fca924afed42f93e +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org + +Signed-off-by: Larshin Sergey +Link: https://patch.msgid.link/20250922131358.745579-1-Sergey.Larshin@kaspersky.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -2199,6 +2199,9 @@ int8_t udf_current_aext(struct inode *in + if (check_add_overflow(sizeof(struct allocExtDesc), + le32_to_cpu(header->lengthAllocDescs), &alen)) + return -1; ++ ++ if (alen > epos->bh->b_size) ++ return -1; + } + + switch (iinfo->i_alloc_type) { diff --git a/queue-5.10/kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch b/queue-5.10/kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch new file mode 100644 index 0000000000..925c2c94c2 --- /dev/null +++ b/queue-5.10/kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch 
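Review bot: The hunk's context lines — the check_add_overflow(sizeof(struct allocExtDesc), ...) call and the `alen` variable it writes — look like they come from the companion udf-fix-uninit-value-use-in-udf_get_fileshortad.patch (presumably the -1- message of this 3599728 series) rather than from 5.10's own udf_current_aext(), so queue-5.10/series must list that patch before this one or this hunk will not apply. The series file is in the diffstat but not shown here; please confirm the order. The added `alen > epos->bh->b_size` check dereferences epos->bh; it sits inside the block closed by the following `}`, which I take to be an `if (epos->bh)` branch, but the block's opening is outside the hunk and worth a glance. udf_current_aext() continues on both sides of the hunk.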
@@ -0,0 +1,145 @@ +From stable+bounces-185491-greg=kroah.com@vger.kernel.org Mon Oct 13 19:52:59 2025 +From: Sasha Levin +Date: Mon, 13 Oct 2025 13:51:46 -0400 +Subject: KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O +To: stable@vger.kernel.org +Cc: Sean Christopherson , syzbot+cc2032ba16cc2018ca25@syzkaller.appspotmail.com, Jim Mattson , Sasha Levin +Message-ID: <20251013175146.3408710-1-sashal@kernel.org> + +From: Sean Christopherson + +[ Upstream commit e750f85391286a4c8100275516973324b621a269 ] + +When completing emulation of instruction that generated a userspace exit +for I/O, don't recheck L1 intercepts as KVM has already finished that +phase of instruction execution, i.e. has already committed to allowing L2 +to perform I/O. If L1 (or host userspace) modifies the I/O permission +bitmaps during the exit to userspace, KVM will treat the access as being +intercepted despite already having emulated the I/O access. + +Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation. +Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the +intended "recipient") can reach the code in question. gp_interception()'s +use is mutually exclusive with is_guest_mode(), and +complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with +EMULTYPE_SKIP. + +The bad behavior was detected by a syzkaller program that toggles port I/O +interception during the userspace I/O exit, ultimately resulting in a WARN +on vcpu->arch.pio.count being non-zero due to KVM no completing emulation +of the I/O instruction. 
+ + WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm] + Modules linked in: kvm_intel kvm irqbypass + CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm] + PKRU: 55555554 + Call Trace: + + kvm_fast_pio+0xd6/0x1d0 [kvm] + vmx_handle_exit+0x149/0x610 [kvm_intel] + kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm] + kvm_vcpu_ioctl+0x244/0x8c0 [kvm] + __x64_sys_ioctl+0x8a/0xd0 + do_syscall_64+0x5d/0xc60 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + + +Reported-by: syzbot+cc2032ba16cc2018ca25@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68790db4.a00a0220.3af5df.0020.GAE@google.com +Fixes: 8a76d7f25f8f ("KVM: x86: Add x86 callback for intercept check") +Cc: stable@vger.kernel.org +Cc: Jim Mattson +Link: https://lore.kernel.org/r/20250715190638.1899116-1-seanjc@google.com +Signed-off-by: Sean Christopherson +[ is_guest_mode() was open coded ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/emulate.c | 11 ++++------- + arch/x86/kvm/kvm_emulate.h | 2 +- + arch/x86/kvm/x86.c | 9 ++++++++- + 3 files changed, 13 insertions(+), 9 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -5544,12 +5544,11 @@ void init_decode_cache(struct x86_emulat + ctxt->mem_read.end = 0; + } + +-int x86_emulate_insn(struct x86_emulate_ctxt *ctxt) ++int x86_emulate_insn(struct x86_emulate_ctxt *ctxt, bool check_intercepts) + { + const struct x86_emulate_ops *ops = ctxt->ops; + int rc = X86EMUL_CONTINUE; + int saved_dst_type = ctxt->dst.type; +- unsigned emul_flags; + + ctxt->mem_read.pos = 0; + +@@ -5563,8 +5562,6 @@ int x86_emulate_insn(struct x86_emulate_ + rc = emulate_ud(ctxt); + goto done; + } +- +- emul_flags = ctxt->ops->get_hflags(ctxt); + if (unlikely(ctxt->d & + 
(No64|Undefined|Sse|Mmx|Intercept|CheckPerm|Priv|Prot|String))) { + if ((ctxt->mode == X86EMUL_MODE_PROT64 && (ctxt->d & No64)) || +@@ -5598,7 +5595,7 @@ int x86_emulate_insn(struct x86_emulate_ + fetch_possible_mmx_operand(&ctxt->dst); + } + +- if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && ctxt->intercept) { ++ if (unlikely(check_intercepts) && ctxt->intercept) { + rc = emulator_check_intercept(ctxt, ctxt->intercept, + X86_ICPT_PRE_EXCEPT); + if (rc != X86EMUL_CONTINUE) +@@ -5627,7 +5624,7 @@ int x86_emulate_insn(struct x86_emulate_ + goto done; + } + +- if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) { ++ if (unlikely(check_intercepts) && (ctxt->d & Intercept)) { + rc = emulator_check_intercept(ctxt, ctxt->intercept, + X86_ICPT_POST_EXCEPT); + if (rc != X86EMUL_CONTINUE) +@@ -5681,7 +5678,7 @@ int x86_emulate_insn(struct x86_emulate_ + + special_insn: + +- if (unlikely(emul_flags & X86EMUL_GUEST_MASK) && (ctxt->d & Intercept)) { ++ if (unlikely(check_intercepts) && (ctxt->d & Intercept)) { + rc = emulator_check_intercept(ctxt, ctxt->intercept, + X86_ICPT_POST_MEMACCESS); + if (rc != X86EMUL_CONTINUE) +--- a/arch/x86/kvm/kvm_emulate.h ++++ b/arch/x86/kvm/kvm_emulate.h +@@ -499,7 +499,7 @@ bool x86_page_table_writing_insn(struct + #define EMULATION_RESTART 1 + #define EMULATION_INTERCEPTED 2 + void init_decode_cache(struct x86_emulate_ctxt *ctxt); +-int x86_emulate_insn(struct x86_emulate_ctxt *ctxt); ++int x86_emulate_insn(struct x86_emulate_ctxt *ctxt, bool check_intercepts); + int emulator_task_switch(struct x86_emulate_ctxt *ctxt, + u16 tss_selector, int idt_index, int reason, + bool has_error_code, u32 error_code); +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -7668,7 +7668,14 @@ restart: + ctxt->exception.address = 0; + } + +- r = x86_emulate_insn(ctxt); ++ /* ++ * Check L1's instruction intercepts when emulating instructions for ++ * L2, unless KVM is re-emulating a previously decoded instruction, ++ * e.g. 
to complete userspace I/O, in which case KVM has already ++ * checked the intercepts. ++ */ ++ r = x86_emulate_insn(ctxt, is_guest_mode(vcpu) && ++ !(emulation_type & EMULTYPE_NO_DECODE)); + + if (r == EMULATION_INTERCEPTED) + return 1; diff --git a/queue-5.10/media-mc-clear-minor-number-before-put-device.patch b/queue-5.10/media-mc-clear-minor-number-before-put-device.patch new file mode 100644 index 0000000000..a2d617a8ab --- /dev/null +++ b/queue-5.10/media-mc-clear-minor-number-before-put-device.patch 
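Review bot: Dropping the `emul_flags` local from x86_emulate_insn() is safe only if the three intercept checks rewritten here were its sole uses; the function is long and continues past these hunks, so please confirm no other `emul_flags` reference survives in 5.10's emulate.c, where the body differs from the upstream tree the commit was written against. The kvm_emulate.h prototype change updates the single caller visible in x86.c; any other 5.10 caller of x86_emulate_insn() would now fail to build. Since the new argument is derived from is_guest_mode(vcpu) — which, as I read 5.10, tests the same HF_GUEST_MASK bit that get_hflags() exposed — fresh decodes keep their intercept checks and only the EMULTYPE_NO_DECODE completion path skips the re-check, matching the stated intent. x86_emulate_insn() starts before its first hunk and ends after its last.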
@@ -0,0 +1,51 @@ +From stable+bounces-185529-greg=kroah.com@vger.kernel.org Tue Oct 14 00:40:20 2025 +From: Sasha Levin +Date: Mon, 13 Oct 2025 18:36:18 -0400 +Subject: media: mc: Clear minor number before put device +To: stable@vger.kernel.org +Cc: Edward Adam Davis , syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com, Sakari Ailus , Hans Verkuil , Sasha Levin +Message-ID: <20251013223618.3673050-1-sashal@kernel.org> + +From: Edward Adam Davis + +[ Upstream commit 8cfc8cec1b4da88a47c243a11f384baefd092a50 ] + +The device minor should not be cleared after the device is released. + +Fixes: 9e14868dc952 ("media: mc: Clear minor number reservation at unregistration time") +Cc: stable@vger.kernel.org +Reported-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=031d0cfd7c362817963f +Tested-by: syzbot+031d0cfd7c362817963f@syzkaller.appspotmail.com +Signed-off-by: Edward Adam Davis +Signed-off-by: Sakari Ailus +Signed-off-by: Hans Verkuil +[ moved clear_bit from media_devnode_release callback to media_devnode_unregister before put_device ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/mc/mc-devnode.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/media/mc/mc-devnode.c ++++ b/drivers/media/mc/mc-devnode.c +@@ -50,11 +50,6 @@ static void media_devnode_release(struct + { + struct media_devnode *devnode = to_media_devnode(cd); + +- mutex_lock(&media_devnode_lock); +- /* Mark device node number as free */ +- clear_bit(devnode->minor, media_devnode_nums); +- mutex_unlock(&media_devnode_lock); +- + /* Release media_devnode and perform other cleanups as needed. 
*/ + if (devnode->release) + devnode->release(devnode); +@@ -283,6 +278,7 @@ void media_devnode_unregister(struct med + /* Delete the cdev on this minor as well */ + cdev_device_del(&devnode->cdev, &devnode->dev); + devnode->media_dev = NULL; ++ clear_bit(devnode->minor, media_devnode_nums); + mutex_unlock(&media_devnode_lock); + + put_device(&devnode->dev); diff --git a/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-drop-unneeded-assignment-for-cache_type.patch b/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-drop-unneeded-assignment-for-cache_type.patch new file mode 100644 index 0000000000..5bcfe67e48 --- /dev/null +++ b/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-drop-unneeded-assignment-for-cache_type.patch 
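Review bot: With the clear_bit() removed from media_devnode_release(), any path that previously relied on the release callback to return the minor now leaks it permanently; media_devnode_register()'s cdev_device_add() failure path is outside the hunk, so please check in the 5.10 tree that it still clears the bit itself before its put_device(). The relocated clear_bit() in media_devnode_unregister() sits under media_devnode_lock (the following mutex_unlock is visible), matching the locking the old release-side code used. Because the minor is now freed before the final put_device(), a new devnode can claim the same number while the old struct is still pending release; that is the ordering the commit message asks for, but a one-line comment would make it explicit, e.g. `/* Free the minor before our last put: release() no longer touches it */`. Both functions extend beyond the hunks.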
@@ -0,0 +1,39 @@ +From stable+bounces-185552-greg=kroah.com@vger.kernel.org Tue Oct 14 01:57:02 2025 +From: Sasha Levin +Date: Mon, 13 Oct 2025 19:56:22 -0400 +Subject: mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type +To: stable@vger.kernel.org +Cc: Andy Shevchenko , Hans de Goede , Lee Jones , Sasha Levin +Message-ID: <20251013235623.3733198-2-sashal@kernel.org> + +From: Andy Shevchenko + +[ Upstream commit 9eb99c08508714906db078b5efbe075329a3fb06 ] + +REGCACHE_NONE is the default type of the cache when not provided. +Drop unneeded explicit assignment to it. + +Note, it's defined to 0, and if ever be redefined, it will break +literally a lot of the drivers, so it very unlikely to happen. + +Signed-off-by: Andy Shevchenko +Reviewed-by: Hans de Goede +Link: https://lore.kernel.org/r/20250129152823.1802273-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Lee Jones +Stable-dep-of: 64e0d839c589 ("mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/intel_soc_pmic_chtdc_ti.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/mfd/intel_soc_pmic_chtdc_ti.c ++++ b/drivers/mfd/intel_soc_pmic_chtdc_ti.c +@@ -82,7 +82,6 @@ static const struct regmap_config chtdc_ + .reg_bits = 8, + .val_bits = 8, + .max_register = 0xff, +- .cache_type = REGCACHE_NONE, + }; + + static const struct regmap_irq chtdc_ti_irqs[] = { diff --git a/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-fix-invalid-regmap-config-max_register-value.patch b/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-fix-invalid-regmap-config-max_register-value.patch new file mode 100644 index 0000000000..4e8723f1d8 --- /dev/null +++ b/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-fix-invalid-regmap-config-max_register-value.patch 
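Review bot: This hunk's context already carries `.max_register = 0xff`, so it applies only after mfd-intel_soc_pmic_chtdc_ti-fix-invalid-regmap-config-max_register-value.patch (whose hunk expects the original `128`), and the use_single_read patch in turn expects `.cache_type` already gone; yet the three file names sort as drop-unneeded, fix-invalid, set-use_single_read. queue-5.10/series is in the diffstat but not visible here, so please confirm it orders them fix-invalid → drop-unneeded → set-use_single_read, as the -1-/-2-/-3- Message-IDs suggest. The same dependency applies to the two following hunks, so I am not repeating it there.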
@@ -0,0 +1,40 @@ +From stable+bounces-185551-greg=kroah.com@vger.kernel.org Tue Oct 14 01:56:59 2025 +From: Sasha Levin +Date: Mon, 13 Oct 2025 19:56:21 -0400 +Subject: mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register value +To: stable@vger.kernel.org +Cc: Hans de Goede , Andy Shevchenko , Lee Jones , Sasha Levin +Message-ID: <20251013235623.3733198-1-sashal@kernel.org> + +From: Hans de Goede + +[ Upstream commit 70e997e0107e5ed85c1a3ef2adfccbe351c29d71 ] + +The max_register = 128 setting in the regmap config is not valid. + +The Intel Dollar Cove TI PMIC has an eeprom unlock register at address 0x88 +and a number of EEPROM registers at 0xF?. Increase max_register to 0xff so +that these registers can be accessed. + +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20241208150028.325349-1-hdegoede@redhat.com +Signed-off-by: Lee Jones +Stable-dep-of: 64e0d839c589 ("mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/intel_soc_pmic_chtdc_ti.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mfd/intel_soc_pmic_chtdc_ti.c ++++ b/drivers/mfd/intel_soc_pmic_chtdc_ti.c +@@ -81,7 +81,7 @@ static struct mfd_cell chtdc_ti_dev[] = + static const struct regmap_config chtdc_ti_regmap_config = { + .reg_bits = 8, + .val_bits = 8, +- .max_register = 128, ++ .max_register = 0xff, + .cache_type = REGCACHE_NONE, + }; + diff --git a/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-set-use_single_read-regmap_config-flag.patch b/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-set-use_single_read-regmap_config-flag.patch new file mode 100644 index 0000000000..5c3335b8e2 --- /dev/null +++ b/queue-5.10/mfd-intel_soc_pmic_chtdc_ti-set-use_single_read-regmap_config-flag.patch 
@@ -0,0 +1,43 @@ +From stable+bounces-185553-greg=kroah.com@vger.kernel.org Tue Oct 14 01:57:05 2025 +From: Sasha Levin +Date: Mon, 13 Oct 2025 19:56:23 -0400 +Subject: mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag +To: stable@vger.kernel.org +Cc: Hans de Goede , Andy Shevchenko , Lee Jones , Sasha Levin +Message-ID: <20251013235623.3733198-3-sashal@kernel.org> + +From: Hans de Goede + +[ Upstream commit 64e0d839c589f4f2ecd2e3e5bdb5cee6ba6bade9 ] + +Testing has shown that reading multiple registers at once (for 10-bit +ADC values) does not work. Set the use_single_read regmap_config flag +to make regmap split these for us. + +This should fix temperature opregion accesses done by +drivers/acpi/pmic/intel_pmic_chtdc_ti.c and is also necessary for +the upcoming drivers for the ADC and battery MFD cells. + +Fixes: 6bac0606fdba ("mfd: Add support for Cherry Trail Dollar Cove TI PMIC") +Cc: stable@vger.kernel.org +Reviewed-by: Andy Shevchenko +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20250804133240.312383-1-hansg@kernel.org +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/intel_soc_pmic_chtdc_ti.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mfd/intel_soc_pmic_chtdc_ti.c ++++ b/drivers/mfd/intel_soc_pmic_chtdc_ti.c +@@ -82,6 +82,8 @@ static const struct regmap_config chtdc_ + .reg_bits = 8, + .val_bits = 8, + .max_register = 0xff, ++ /* The hardware does not support reading multiple registers at once */ ++ .use_single_read = true, + }; + + static const struct regmap_irq chtdc_ti_irqs[] = { diff --git a/queue-5.10/net-9p-fix-double-req-put-in-p9_fd_cancelled.patch b/queue-5.10/net-9p-fix-double-req-put-in-p9_fd_cancelled.patch new file mode 100644 index 0000000000..5eed640c14 --- /dev/null +++ b/queue-5.10/net-9p-fix-double-req-put-in-p9_fd_cancelled.patch 
@@ -0,0 +1,126 @@ +From stable+bounces-184695-greg=kroah.com@vger.kernel.org Mon Oct 13 17:35:28 2025 +From: Sasha Levin +Date: Mon, 13 Oct 2025 11:09:32 -0400 +Subject: net/9p: fix double req put in p9_fd_cancelled +To: stable@vger.kernel.org +Cc: Nalivayko Sergey , Dominique Martinet , Sasha Levin +Message-ID: <20251013150932.3383360-1-sashal@kernel.org> + +From: Nalivayko Sergey + +[ Upstream commit 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 ] + +Syzkaller reports a KASAN issue as below: + +general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI +KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] +CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:__list_del include/linux/list.h:114 [inline] +RIP: 0010:__list_del_entry include/linux/list.h:137 [inline] +RIP: 0010:list_del include/linux/list.h:148 [inline] +RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734 + +Call Trace: + + p9_client_flush+0x351/0x440 net/9p/client.c:614 + p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734 + p9_client_version net/9p/client.c:920 [inline] + p9_client_create+0xb51/0x1240 net/9p/client.c:1027 + v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408 + v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126 + legacy_get_tree+0x108/0x220 fs/fs_context.c:632 + vfs_get_tree+0x8e/0x300 fs/super.c:1573 + do_new_mount fs/namespace.c:3056 [inline] + path_mount+0x6a6/0x1e90 fs/namespace.c:3386 + do_mount fs/namespace.c:3399 [inline] + __do_sys_mount fs/namespace.c:3607 [inline] + __se_sys_mount fs/namespace.c:3584 [inline] + __x64_sys_mount+0x283/0x300 fs/namespace.c:3584 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +This happens because of a race condition between: + +- The 9p client 
sending an invalid flush request and later cleaning it up; +- The 9p client in p9_read_work() canceled all pending requests. + + Thread 1 Thread 2 + ... + p9_client_create() + ... + p9_fd_create() + ... + p9_conn_create() + ... + // start Thread 2 + INIT_WORK(&m->rq, p9_read_work); + p9_read_work() + ... + p9_client_rpc() + ... + ... + p9_conn_cancel() + ... + spin_lock(&m->req_lock); + ... + p9_fd_cancelled() + ... + ... + spin_unlock(&m->req_lock); + // status rewrite + p9_client_cb(m->client, req, REQ_STATUS_ERROR) + // first remove + list_del(&req->req_list); + ... + + spin_lock(&m->req_lock) + ... + // second remove + list_del(&req->req_list); + spin_unlock(&m->req_lock) + ... + +Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in +p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem +client where the req_list could be deleted simultaneously by both +p9_read_work and p9_fd_cancelled functions, but for the case where req->status +equals REQ_STATUS_RCVD. + +Update the check for req->status in p9_fd_cancelled to skip processing not +just received requests, but anything that is not SENT, as whatever +changed the state from SENT also removed the request from its list. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 
+ +Fixes: afd8d6541155 ("9P: Add cancelled() to the transport functions.") +Cc: stable@vger.kernel.org +Signed-off-by: Nalivayko Sergey +Message-ID: <20250715154815.3501030-1-Sergey.Nalivayko@kaspersky.com> +[updated the check from status == RECV || status == ERROR to status != SENT] +Signed-off-by: Dominique Martinet +[ replaced m->req_lock with client->lock ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/9p/trans_fd.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -711,10 +711,10 @@ static int p9_fd_cancelled(struct p9_cli + p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req); + + spin_lock(&client->lock); +- /* Ignore cancelled request if message has been received +- * before lock. +- */ +- if (req->status == REQ_STATUS_RCVD) { ++ /* Ignore cancelled request if status changed since the request was ++ * processed in p9_client_flush() ++ */ ++ if (req->status != REQ_STATUS_SENT) { + spin_unlock(&client->lock); + return 0; + } diff --git a/queue-5.10/series b/queue-5.10/series index fd7e7fd5e6..6baeadbb80 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
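Review bot: The relaxed test `if (req->status != REQ_STATUS_SENT)` only closes the race if every path that unlinks a request from its list also moves its status off SENT before p9_fd_cancelled can take client->lock. The diagram in the message shows p9_conn_cancel rewriting the status and then doing its list_del, both after dropping the lock; if the order in this tree is unlink first and status update second, a request can still read as SENT while already unlinked, and the list_del that follows in the rest of p9_fd_cancelled (outside the hunk) would hit the poisoned pointers again. Worth confirming against p9_conn_cancel in 5.10 and stating the invariant in the new comment, e.g. `/* Whatever moved status off SENT has already unlinked req; only a still-SENT req is ours to remove. */`. The remainder of p9_fd_cancelled is outside the hunk.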
@@ -171,3 +171,18 @@ ext4-increase-i_disksize-to-offset-len-in-ext4_update_disksize_before_punch.patc
 ext4-correctly-handle-queries-for-metadata-mappings.patch
 ext4-guard-against-ea-inode-refcount-underflow-in-xattr-update.patch
 lib-crypto-curve25519-hacl64-disable-kasan-with-clang-17-and-older.patch
+arm64-dts-qcom-sdm845-fix-slimbam-num-channels-ees.patch
+tracing-fix-race-condition-in-kprobe-initialization-causing-null-pointer-dereference.patch
+dm-fix-null-pointer-dereference-in-__dm_suspend.patch
+mfd-intel_soc_pmic_chtdc_ti-fix-invalid-regmap-config-max_register-value.patch
+mfd-intel_soc_pmic_chtdc_ti-drop-unneeded-assignment-for-cache_type.patch
+mfd-intel_soc_pmic_chtdc_ti-set-use_single_read-regmap_config-flag.patch
+media-mc-clear-minor-number-before-put-device.patch
+squashfs-add-additional-inode-sanity-checking.patch
+squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch
+udf-fix-uninit-value-use-in-udf_get_fileshortad.patch
+fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch
+asoc-codecs-wcd934x-simplify-with-dev_err_probe.patch
+asoc-wcd934x-fix-error-handling-in-wcd934x_codec_parse_data.patch
+kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch
+net-9p-fix-double-req-put-in-p9_fd_cancelled.patch
diff --git a/queue-5.10/squashfs-add-additional-inode-sanity-checking.patch b/queue-5.10/squashfs-add-additional-inode-sanity-checking.patch
new file mode 100644
index 0000000000..1f9a5f0a33
--- /dev/null
+++ b/queue-5.10/squashfs-add-additional-inode-sanity-checking.patch
@@ -0,0 +1,90 @@
+From stable+bounces-185523-greg=kroah.com@vger.kernel.org Tue Oct 14 00:05:43 2025
+From: Sasha Levin
+Date: Mon, 13 Oct 2025 17:57:00 -0400
+Subject: Squashfs: add additional inode sanity checking
+To: stable@vger.kernel.org
+Cc: Phillip Lougher , Andrew Morton , Sasha Levin
+Message-ID: <20251013215701.3645486-1-sashal@kernel.org>
+
+From: Phillip Lougher
+
+[ Upstream commit 9ee94bfbe930a1b39df53fa2d7b31141b780eb5a ]
+
+Patch series "Squashfs: performance improvement and a sanity check".
+
+This patchset adds an additional sanity check when reading regular file
+inodes, and adds support for SEEK_DATA/SEEK_HOLE lseek() whence values.
+
+This patch (of 2):
+
+Add an additional sanity check when reading regular file inodes.
+
+A regular file if the file size is an exact multiple of the filesystem
+block size cannot have a fragment. This is because by definition a
+fragment block stores tailends which are not a whole block in size.
+
+Link: https://lkml.kernel.org/r/20250923220652.568416-1-phillip@squashfs.org.uk
+Link: https://lkml.kernel.org/r/20250923220652.568416-2-phillip@squashfs.org.uk
+Signed-off-by: Phillip Lougher
+Signed-off-by: Andrew Morton
+Stable-dep-of: 9f1c14c1de1b ("Squashfs: reject negative file sizes in squashfs_read_inode()")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/squashfs/inode.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -140,8 +140,17 @@ int squashfs_read_inode(struct inode *in
+ if (err < 0)
+ goto failed_read;
+
++ inode->i_size = le32_to_cpu(sqsh_ino->file_size);
+ frag = le32_to_cpu(sqsh_ino->fragment);
+ if (frag != SQUASHFS_INVALID_FRAG) {
++ /*
++ * the file cannot have a fragment (tailend) and have a
++ * file size a multiple of the block size
++ */
++ if ((inode->i_size & (msblk->block_size - 1)) == 0) {
++ err = -EINVAL;
++ goto failed_read;
++ }
+ frag_offset = le32_to_cpu(sqsh_ino->offset);
+ frag_size = squashfs_frag_lookup(sb, frag, &frag_blk);
+ if (frag_size < 0) {
+@@ -155,7 +164,6 @@ int squashfs_read_inode(struct inode *in
+ }
+
+ set_nlink(inode, 1);
+- inode->i_size = le32_to_cpu(sqsh_ino->file_size);
+ inode->i_fop = &generic_ro_fops;
+ inode->i_mode |= S_IFREG;
+ inode->i_blocks = ((inode->i_size - 1) >> 9) + 1;
+@@ -184,8 +192,17 @@ int squashfs_read_inode(struct inode *in
+ if (err < 0)
+ goto failed_read;
+
++ inode->i_size = le64_to_cpu(sqsh_ino->file_size);
+ frag = le32_to_cpu(sqsh_ino->fragment);
+ if (frag != SQUASHFS_INVALID_FRAG) {
++ /*
++ * the file cannot have a fragment (tailend) and have a
++ * file size a multiple of the block size
++ */
++ if ((inode->i_size & (msblk->block_size - 1)) == 0) {
++ err = -EINVAL;
++ goto failed_read;
++ }
+ frag_offset = le32_to_cpu(sqsh_ino->offset);
+ frag_size = squashfs_frag_lookup(sb, frag, &frag_blk);
+ if (frag_size < 0) {
+@@ -200,7 +217,6 @@ int squashfs_read_inode(struct inode *in
+
+ xattr_id = le32_to_cpu(sqsh_ino->xattr);
+ set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+- inode->i_size = le64_to_cpu(sqsh_ino->file_size);
+ inode->i_op = &squashfs_inode_ops;
+ inode->i_fop = &generic_ro_fops;
+ inode->i_mode |= S_IFREG;
diff --git a/queue-5.10/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch b/queue-5.10/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch
new file mode 100644
index 0000000000..f70be17e65
--- /dev/null
+++ b/queue-5.10/squashfs-reject-negative-file-sizes-in-squashfs_read_inode.patch
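Review bot: `(inode->i_size & (msblk->block_size - 1)) == 0` is only an exact "multiple of the block size" test when block_size is a power of two; that presumably holds because the superblock is validated at mount, but the new comment should say so, e.g. `/* block_size is a power of two (validated at mount), so the mask test is exact */`, since this is the first place that silently depends on it while parsing untrusted on-disk inode data. The same nine-line check is pasted into both the REG and LREG branches; a small static helper taking the size and block size would keep the two from drifting apart when one is edited. squashfs_read_inode starts and ends outside the hunk.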
@@ -0,0 +1,48 @@
+From stable+bounces-185522-greg=kroah.com@vger.kernel.org Tue Oct 14 00:05:44 2025
+From: Sasha Levin
+Date: Mon, 13 Oct 2025 17:57:01 -0400
+Subject: Squashfs: reject negative file sizes in squashfs_read_inode()
+To: stable@vger.kernel.org
+Cc: Phillip Lougher , syzbot+f754e01116421e9754b9@syzkaller.appspotmail.com, Amir Goldstein , Andrew Morton , Sasha Levin
+Message-ID: <20251013215701.3645486-2-sashal@kernel.org>
+
+From: Phillip Lougher
+
+[ Upstream commit 9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b ]
+
+Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs.
+
+This warning is ultimately caused because the underlying Squashfs file
+system returns a file with a negative file size.
+
+This commit checks for a negative file size and returns EINVAL.
+
+[phillip@squashfs.org.uk: only need to check 64 bit quantity]
+ Link: https://lkml.kernel.org/r/20250926222305.110103-1-phillip@squashfs.org.uk
+Link: https://lkml.kernel.org/r/20250926215935.107233-1-phillip@squashfs.org.uk
+Fixes: 6545b246a2c8 ("Squashfs: inode operations")
+Signed-off-by: Phillip Lougher
+Reported-by: syzbot+f754e01116421e9754b9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68d580e5.a00a0220.303701.0019.GAE@google.com/
+Cc: Amir Goldstein
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/squashfs/inode.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -193,6 +193,10 @@ int squashfs_read_inode(struct inode *in
+ goto failed_read;
+
+ inode->i_size = le64_to_cpu(sqsh_ino->file_size);
++ if (inode->i_size < 0) {
++ err = -EINVAL;
++ goto failed_read;
++ }
+ frag = le32_to_cpu(sqsh_ino->fragment);
+ if (frag != SQUASHFS_INVALID_FRAG) {
+ /*
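Review bot: `if (inode->i_size < 0)` is correct but reads as though a size could be stored negative; the on-disk file_size is an unsigned 64-bit field and only becomes negative once it exceeds what the signed i_size can hold, which the reader has to reconstruct from the le64_to_cpu on the line above. A one-line comment would fix that: `/* file_size is u64 on disk; values above LLONG_MAX wrap negative in i_size, reject them */`. Since this is untrusted image metadata, it is also worth asking whether a bound against the filesystem's s_maxbytes belongs here rather than only a sign check; I cannot tell from the hunk whether a later layer enforces that. squashfs_read_inode starts and ends outside the hunk.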
diff --git a/queue-5.10/tracing-fix-race-condition-in-kprobe-initialization-causing-null-pointer-dereference.patch b/queue-5.10/tracing-fix-race-condition-in-kprobe-initialization-causing-null-pointer-dereference.patch
new file mode 100644
index 0000000000..8b8c687b93
--- /dev/null
+++ b/queue-5.10/tracing-fix-race-condition-in-kprobe-initialization-causing-null-pointer-dereference.patch
@@ -0,0 +1,235 @@ +From stable+bounces-185652-greg=kroah.com@vger.kernel.org Tue Oct 14 14:47:42 2025 +From: Sasha Levin +Date: Tue, 14 Oct 2025 08:46:22 -0400 +Subject: tracing: Fix race condition in kprobe initialization causing NULL pointer dereference +To: stable@vger.kernel.org +Cc: Yuan Chen , "Masami Hiramatsu (Google)" , Sasha Levin +Message-ID: <20251014124622.3222-1-sashal@kernel.org> + +From: Yuan Chen + +[ Upstream commit 9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f ] + +There is a critical race condition in kprobe initialization that can lead to +NULL pointer dereference and kernel crash. + +[1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 +... +[1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) +[1135630.269239] pc : kprobe_perf_func+0x30/0x260 +[1135630.277643] lr : kprobe_dispatcher+0x44/0x60 +[1135630.286041] sp : ffffaeff4977fa40 +[1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400 +[1135630.302837] x27: 0000000000000000 x26: 0000000000000000 +[1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528 +[1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50 +[1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50 +[1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000 +[1135630.349985] x17: 0000000000000000 x16: 0000000000000000 +[1135630.359285] x15: 0000000000000000 x14: 0000000000000000 +[1135630.368445] x13: 0000000000000000 x12: 0000000000000000 +[1135630.377473] x11: 0000000000000000 x10: 0000000000000000 +[1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000 +[1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000 +[1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000 +[1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006 +[1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000 +[1135630.429410] Call trace: +[1135630.434828] kprobe_perf_func+0x30/0x260 +[1135630.441661] kprobe_dispatcher+0x44/0x60 +[1135630.448396] 
aggr_pre_handler+0x70/0xc8 +[1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0 +[1135630.462435] brk_handler+0xbc/0xd8 +[1135630.468437] do_debug_exception+0x84/0x138 +[1135630.475074] el1_dbg+0x18/0x8c +[1135630.480582] security_file_permission+0x0/0xd0 +[1135630.487426] vfs_write+0x70/0x1c0 +[1135630.493059] ksys_write+0x5c/0xc8 +[1135630.498638] __arm64_sys_write+0x24/0x30 +[1135630.504821] el0_svc_common+0x78/0x130 +[1135630.510838] el0_svc_handler+0x38/0x78 +[1135630.516834] el0_svc+0x8/0x1b0 + +kernel/trace/trace_kprobe.c: 1308 +0xffff3df8995039ec : ldr x21, [x24,#120] +include/linux/compiler.h: 294 +0xffff3df8995039f0 : ldr x1, [x21,x0] + +kernel/trace/trace_kprobe.c +1308: head = this_cpu_ptr(call->perf_events); +1309: if (hlist_empty(head)) +1310: return 0; + +crash> struct trace_event_call -o +struct trace_event_call { + ... + [120] struct hlist_head *perf_events; //(call->perf_event) + ... +} + +crash> struct trace_event_call ffffaf015340e528 +struct trace_event_call { + ... + perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0 + ... +} + +Race Condition Analysis: + +The race occurs between kprobe activation and perf_events initialization: + + CPU0 CPU1 + ==== ==== + perf_kprobe_init + perf_trace_event_init + tp_event->perf_events = list;(1) + tp_event->class->reg (2)← KPROBE ACTIVE + Debug exception triggers + ... + kprobe_dispatcher + kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE) + head = this_cpu_ptr(call->perf_events)(3) + (perf_events is still NULL) + +Problem: +1. CPU0 executes (1) assigning tp_event->perf_events = list +2. CPU0 executes (2) enabling kprobe functionality via class->reg() +3. CPU1 triggers and reaches kprobe_dispatcher +4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed) +5. CPU1 calls kprobe_perf_func() and crashes at (3) because + call->perf_events is still NULL + +CPU1 sees that kprobe functionality is enabled but does not see that +perf_events has been assigned. 
+ +Add pairing read and write memory barriers to guarantee that if CPU1 +sees that kprobe functionality is enabled, it must also see that +perf_events has been assigned. + +Link: https://lore.kernel.org/all/20251001022025.44626-1-chenyuan_fl@163.com/ + +Fixes: 50d780560785 ("tracing/kprobes: Add probe handler dispatcher to support perf and ftrace concurrent use") +Cc: stable@vger.kernel.org +Signed-off-by: Yuan Chen +Signed-off-by: Masami Hiramatsu (Google) +[ Dropped ftrace changes + context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_kprobe.c | 11 +++++++---- + kernel/trace/trace_probe.h | 9 +++++++-- + kernel/trace/trace_uprobe.c | 12 ++++++++---- + 3 files changed, 22 insertions(+), 10 deletions(-) + +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -1782,14 +1782,15 @@ static int kprobe_register(struct trace_ + static int kprobe_dispatcher(struct kprobe *kp, struct pt_regs *regs) + { + struct trace_kprobe *tk = container_of(kp, struct trace_kprobe, rp.kp); ++ unsigned int flags = trace_probe_load_flag(&tk->tp); + int ret = 0; + + raw_cpu_inc(*tk->nhit); + +- if (trace_probe_test_flag(&tk->tp, TP_FLAG_TRACE)) ++ if (flags & TP_FLAG_TRACE) + kprobe_trace_func(tk, regs); + #ifdef CONFIG_PERF_EVENTS +- if (trace_probe_test_flag(&tk->tp, TP_FLAG_PROFILE)) ++ if (flags & TP_FLAG_PROFILE) + ret = kprobe_perf_func(tk, regs); + #endif + return ret; +@@ -1800,13 +1801,15 @@ static int + kretprobe_dispatcher(struct kretprobe_instance *ri, struct pt_regs *regs) + { + struct trace_kprobe *tk = container_of(ri->rp, struct trace_kprobe, rp); ++ unsigned int flags; + + raw_cpu_inc(*tk->nhit); + +- if (trace_probe_test_flag(&tk->tp, TP_FLAG_TRACE)) ++ flags = trace_probe_load_flag(&tk->tp); ++ if (flags & TP_FLAG_TRACE) + kretprobe_trace_func(tk, ri, regs); + #ifdef CONFIG_PERF_EVENTS +- if (trace_probe_test_flag(&tk->tp, TP_FLAG_PROFILE)) ++ if (flags & TP_FLAG_PROFILE) + kretprobe_perf_func(tk, ri, regs); 
+ #endif + return 0; /* We don't tweek kernel, so just return 0 */ +--- a/kernel/trace/trace_probe.h ++++ b/kernel/trace/trace_probe.h +@@ -251,16 +251,21 @@ struct event_file_link { + struct list_head list; + }; + ++static inline unsigned int trace_probe_load_flag(struct trace_probe *tp) ++{ ++ return smp_load_acquire(&tp->event->flags); ++} ++ + static inline bool trace_probe_test_flag(struct trace_probe *tp, + unsigned int flag) + { +- return !!(tp->event->flags & flag); ++ return !!(trace_probe_load_flag(tp) & flag); + } + + static inline void trace_probe_set_flag(struct trace_probe *tp, + unsigned int flag) + { +- tp->event->flags |= flag; ++ smp_store_release(&tp->event->flags, tp->event->flags | flag); + } + + static inline void trace_probe_clear_flag(struct trace_probe *tp, +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -1484,6 +1484,7 @@ static int uprobe_dispatcher(struct upro + struct uprobe_dispatch_data udd; + struct uprobe_cpu_buffer *ucb; + int dsize, esize; ++ unsigned int flags; + int ret = 0; + + +@@ -1504,11 +1505,12 @@ static int uprobe_dispatcher(struct upro + ucb = uprobe_buffer_get(); + store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize); + +- if (trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE)) ++ flags = trace_probe_load_flag(&tu->tp); ++ if (flags & TP_FLAG_TRACE) + ret |= uprobe_trace_func(tu, regs, ucb, dsize); + + #ifdef CONFIG_PERF_EVENTS +- if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE)) ++ if (flags & TP_FLAG_PROFILE) + ret |= uprobe_perf_func(tu, regs, ucb, dsize); + #endif + uprobe_buffer_put(ucb); +@@ -1522,6 +1524,7 @@ static int uretprobe_dispatcher(struct u + struct uprobe_dispatch_data udd; + struct uprobe_cpu_buffer *ucb; + int dsize, esize; ++ unsigned int flags; + + tu = container_of(con, struct trace_uprobe, consumer); + +@@ -1539,11 +1542,12 @@ static int uretprobe_dispatcher(struct u + ucb = uprobe_buffer_get(); + store_trace_args(ucb->buf, &tu->tp, regs, esize, dsize); + +- if 
(trace_probe_test_flag(&tu->tp, TP_FLAG_TRACE)) ++ flags = trace_probe_load_flag(&tu->tp); ++ if (flags & TP_FLAG_TRACE) + uretprobe_trace_func(tu, func, regs, ucb, dsize); + + #ifdef CONFIG_PERF_EVENTS +- if (trace_probe_test_flag(&tu->tp, TP_FLAG_PROFILE)) ++ if (flags & TP_FLAG_PROFILE) + uretprobe_perf_func(tu, func, regs, ucb, dsize); + #endif + uprobe_buffer_put(ucb); diff --git a/queue-5.10/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch b/queue-5.10/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch new file mode 100644 index 0000000000..242abf749a --- /dev/null +++ b/queue-5.10/udf-fix-uninit-value-use-in-udf_get_fileshortad.patch 
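Review bot: In the trace_probe.h hunk, `smp_store_release(&tp->event->flags, tp->event->flags | flag);` is a plain read followed by a release store, not an atomic read-modify-write, so two concurrent setters could lose a bit; this is presumably safe because the set/clear callers already serialize under a mutex, but that precondition is now load-bearing and should be written next to it, e.g. `/* Callers serialize flag updates; the release only pairs with trace_probe_load_flag() in the dispatchers. */`. trace_probe_clear_flag, whose body is outside the hunk, presumably keeps a plain store, which is asymmetric with the new setter; either say why no release is needed on clear or use the same pattern. As a point of style, kprobe_dispatcher loads `flags` at declaration while kretprobe_dispatcher and both uprobe dispatchers load it later in the body; either order works, but one convention across the four would be easier to audit.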
@@ -0,0 +1,54 @@
+From stable+bounces-185513-greg=kroah.com@vger.kernel.org Mon Oct 13 22:45:50 2025
+From: Sasha Levin
+Date: Mon, 13 Oct 2025 16:41:23 -0400
+Subject: udf: fix uninit-value use in udf_get_fileshortad
+To: stable@vger.kernel.org
+Cc: Gianfranco Trad , syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com, Jan Kara , Jan Kara , Sasha Levin
+Message-ID: <20251013204124.3599728-1-sashal@kernel.org>
+
+From: Gianfranco Trad
+
+[ Upstream commit 264db9d666ad9a35075cc9ed9ec09d021580fbb1 ]
+
+Check for overflow when computing alen in udf_current_aext to mitigate
+later uninit-value use in udf_get_fileshortad KMSAN bug[1].
+After applying the patch reproducer did not trigger any issue[2].
+
+[1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
+[2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000
+
+Reported-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df
+Tested-by: syzbot+8901c4560b7ab5c2f9df@syzkaller.appspotmail.com
+Suggested-by: Jan Kara
+Signed-off-by: Gianfranco Trad
+Signed-off-by: Jan Kara
+Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com
+Stable-dep-of: 3bd5e45c2ce3 ("fs: udf: fix OOB read in lengthAllocDescs handling")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/udf/inode.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -2190,12 +2190,15 @@ int8_t udf_current_aext(struct inode *in
+ alen = udf_file_entry_alloc_offset(inode) +
+ iinfo->i_lenAlloc;
+ } else {
++ struct allocExtDesc *header =
++ (struct allocExtDesc *)epos->bh->b_data;
++
+ if (!epos->offset)
+ epos->offset = sizeof(struct allocExtDesc);
+ ptr = epos->bh->b_data + epos->offset;
+- alen = sizeof(struct allocExtDesc) +
+- le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)->
+- lengthAllocDescs);
++ if (check_add_overflow(sizeof(struct allocExtDesc),
++ le32_to_cpu(header->lengthAllocDescs), &alen))
++ return -1;
+ }
+
+ switch (iinfo->i_alloc_type) {
-- 2.47.3
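Review bot: `struct allocExtDesc *header = (struct allocExtDesc *)epos->bh->b_data;` is only ever read through, so it can be `const struct allocExtDesc *header`, which also documents that this path does not modify the buffer-head data it is parsing. Separately, check_add_overflow() is invoked with a size_t, a u32 and `&alen`, whose declaration is outside the hunk; in older overflow.h the macro insists that all three operands share one type, so please confirm this backport builds warning-free on 5.10 and, if not, compute into a local of matching type before assigning to alen. The new `return -1` is in keeping with the function's existing int8_t error convention, but the comment on why an oversized lengthAllocDescs is rejected (it is untrusted on-disk data feeding a length) would help the next reader. udf_current_aext continues outside the hunk.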