From 431b5904dfada44c7dc7d672261146dd55359a7e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 2 Nov 2025 22:48:36 +0900
Subject: [PATCH] 5.4-stable patches
added patches:
acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch
fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch
fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch
fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch
---
...free-in-acpi_video_switch_brightness.patch | 49 +++++++++++++
...yfb-check-if-pll_ops-init_pll-failed.patch | 49 +++++++++++++
...bound-check-glyph-index-in-bit_putcs.patch | 70 +++++++++++++++++++
...-reference-to-onchip_nr_dma_channels.patch | 34 +++++++++
...erence-count-leak-in-valkyriefb_init.patch | 40 +++++++++++
...return-value-of-usbnet_get_endpoints.patch | 61 ++++++++++++++++
queue-5.4/series | 6 ++
7 files changed, 309 insertions(+)
create mode 100644 queue-5.4/acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch
create mode 100644 queue-5.4/fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch
create mode 100644 queue-5.4/fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch
create mode 100644 queue-5.4/fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
create mode 100644 queue-5.4/fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
create mode 100644 queue-5.4/net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch
diff --git a/queue-5.4/acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch b/queue-5.4/acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch
new file mode 100644
index 0000000000..55f0efe938
--- /dev/null
+++ b/queue-5.4/acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch
@@ -0,0 +1,49 @@
+From 8f067aa59430266386b83c18b983ca583faa6a11 Mon Sep 17 00:00:00 2001
+From: Yuhao Jiang
+Date: Wed, 22 Oct 2025 15:07:04 -0500
+Subject: ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
+
+From: Yuhao Jiang
+
+commit 8f067aa59430266386b83c18b983ca583faa6a11 upstream.
+
+The switch_brightness_work delayed work accesses device->brightness
+and device->backlight, freed by acpi_video_dev_unregister_backlight()
+during device removal.
+
+If the work executes after acpi_video_bus_unregister_backlight()
+frees these resources, it causes a use-after-free when
+acpi_video_switch_brightness() dereferences device->brightness or
+device->backlight.
+
+Fix this by calling cancel_delayed_work_sync() for each device's
+switch_brightness_work in acpi_video_bus_remove_notify_handler()
+after removing the notify handler that queues the work. This ensures
+the work completes before the memory is freed.
+
+Fixes: 8ab58e8e7e097 ("ACPI / video: Fix backlight taking 2 steps on a brightness up/down keypress")
+Cc: All applicable
+Signed-off-by: Yuhao Jiang
+Reviewed-by: Hans de Goede
+[ rjw: Changelog edit ]
+Link: https://patch.msgid.link/20251022200704.2655507-1-danisjiang@gmail.com
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/acpi_video.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -2024,8 +2024,10 @@ static void acpi_video_bus_remove_notify
+ struct acpi_video_device *dev;
+
+ mutex_lock(&video->device_list_lock);
+- list_for_each_entry(dev, &video->video_device_list, entry)
++ list_for_each_entry(dev, &video->video_device_list, entry) {
+ acpi_video_dev_remove_notify_handler(dev);
++ cancel_delayed_work_sync(&dev->switch_brightness_work);
++ }
+ mutex_unlock(&video->device_list_lock);
+
+ acpi_video_bus_stop_devices(video);
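Review bot: In `acpi_video_bus_remove_notify_handler()` the new `cancel_delayed_work_sync(&dev->switch_brightness_work)` runs while `video->device_list_lock` is held, and it blocks until a running work item has finished. That is safe only if `acpi_video_switch_brightness()` and whatever it calls never take `device_list_lock`; the work function is outside this hunk, so this should be confirmed against the 5.4 tree. The order (handler removed first, then the cancel) is what stops the work from being queued again, so both constraints deserve a comment above the call, e.g. `/* Notify handler is gone, so nothing re-queues; the work must not take device_list_lock. */`. The function body continues outside the hunk.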
diff --git a/queue-5.4/fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch b/queue-5.4/fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch
new file mode 100644
index 0000000000..df0be0dbfa
--- /dev/null
+++ b/queue-5.4/fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch
@@ -0,0 +1,49 @@
+From 7073c7fc8d8ba47194e5fc58fcafc0efe7586e9b Mon Sep 17 00:00:00 2001
+From: Daniel Palmer
+Date: Fri, 24 Oct 2025 18:37:15 +0900
+Subject: fbdev: atyfb: Check if pll_ops->init_pll failed
+
+From: Daniel Palmer
+
+commit 7073c7fc8d8ba47194e5fc58fcafc0efe7586e9b upstream.
+
+Actually check the return value from pll_ops->init_pll()
+as it can return an error.
+
+If the card's BIOS didn't run because it's not the primary VGA card
+the fact that the xclk source is unsupported is printed as shown
+below but the driver continues on regardless and on my machine causes
+a hard lock up.
+
+[ 61.470088] atyfb 0000:03:05.0: enabling device (0080 -> 0083)
+[ 61.476191] atyfb: using auxiliary register aperture
+[ 61.481239] atyfb: 3D RAGE XL (Mach64 GR, PCI-33) [0x4752 rev 0x27]
+[ 61.487569] atyfb: 512K SGRAM (1:1), 14.31818 MHz XTAL, 230 MHz PLL, 83 Mhz MCLK, 63 MHz XCLK
+[ 61.496112] atyfb: Unsupported xclk source: 5.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Daniel Palmer
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/aty/atyfb_base.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/aty/atyfb_base.c
++++ b/drivers/video/fbdev/aty/atyfb_base.c
+@@ -2576,8 +2576,12 @@ static int aty_init(struct fb_info *info
+ pr_cont("\n");
+ }
+ #endif
+- if (par->pll_ops->init_pll)
+- par->pll_ops->init_pll(info, &par->pll);
++ if (par->pll_ops->init_pll) {
++ ret = par->pll_ops->init_pll(info, &par->pll);
++ if (ret)
++ return ret;
++ }
++
+ if (par->pll_ops->resume_pll)
+ par->pll_ops->resume_pll(info, &par->pll);
+
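Review bot: The new `return ret;` in `aty_init()` leaves the function directly, and `ret` is not declared anywhere in the visible lines. For the 5.4 backport, confirm that `aty_init()` already has an `int ret` in scope and that nothing set up earlier in the function has to be undone when `init_pll` fails; both lie outside the hunk. If the function has an error-unwind path further down, the failure branch should jump to it instead of returning. A one-line comment such as `/* nothing acquired yet, plain return is enough */` would make that assumption checkable.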
diff --git a/queue-5.4/fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch b/queue-5.4/fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch
new file mode 100644
index 0000000000..7a798eb341
--- /dev/null
+++ b/queue-5.4/fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch
@@ -0,0 +1,70 @@
+From 18c4ef4e765a798b47980555ed665d78b71aeadf Mon Sep 17 00:00:00 2001
+From: Junjie Cao
+Date: Mon, 20 Oct 2025 21:47:01 +0800
+Subject: fbdev: bitblit: bound-check glyph index in bit_putcs*
+
+From: Junjie Cao
+
+commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.
+
+bit_putcs_aligned()/unaligned() derived the glyph pointer from the
+character value masked by 0xff/0x1ff, which may exceed the actual font's
+glyph count and read past the end of the built-in font array.
+Clamp the index to the actual glyph count before computing the address.
+
+This fixes a global out-of-bounds read reported by syzbot.
+
+Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
+Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
+Signed-off-by: Junjie Cao
+Reviewed-by: Thomas Zimmermann
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/fbdev/core/bitblit.c
++++ b/drivers/video/fbdev/core/bitblit.c
+@@ -80,12 +80,16 @@ static inline void bit_putcs_aligned(str
+ struct fb_image *image, u8 *buf, u8 *dst)
+ {
+ u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
++ unsigned int charcnt = vc->vc_font.charcount;
+ u32 idx = vc->vc_font.width >> 3;
+ u8 *src;
+
+ while (cnt--) {
+- src = vc->vc_font.data + (scr_readw(s++)&
+- charmask)*cellsize;
++ u16 ch = scr_readw(s++) & charmask;
++
++ if (ch >= charcnt)
++ ch = 0;
++ src = vc->vc_font.data + (unsigned int)ch * cellsize;
+
+ if (attr) {
+ update_attr(buf, src, attr, vc);
+@@ -113,14 +117,18 @@ static inline void bit_putcs_unaligned(s
+ u8 *dst)
+ {
+ u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
++ unsigned int charcnt = vc->vc_font.charcount;
+ u32 shift_low = 0, mod = vc->vc_font.width % 8;
+ u32 shift_high = 8;
+ u32 idx = vc->vc_font.width >> 3;
+ u8 *src;
+
+ while (cnt--) {
+- src = vc->vc_font.data + (scr_readw(s++)&
+- charmask)*cellsize;
++ u16 ch = scr_readw(s++) & charmask;
++
++ if (ch >= charcnt)
++ ch = 0;
++ src = vc->vc_font.data + (unsigned int)ch * cellsize;
+
+ if (attr) {
+ update_attr(buf, src, attr, vc);
diff --git a/queue-5.4/fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch b/queue-5.4/fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
new file mode 100644
index 0000000000..087a02d67b
--- /dev/null
+++ b/queue-5.4/fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
@@ -0,0 +1,34 @@
+From 5f566c0ac51cd2474e47da68dbe719d3acf7d999 Mon Sep 17 00:00:00 2001
+From: Florian Fuchs
+Date: Sun, 26 Oct 2025 00:38:50 +0200
+Subject: fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS
+
+From: Florian Fuchs
+
+commit 5f566c0ac51cd2474e47da68dbe719d3acf7d999 upstream.
+
+Commit e24cca19babe ("sh: Kill off MAX_DMA_ADDRESS leftovers.") removed
+the define ONCHIP_NR_DMA_CHANNELS. So that the leftover reference needs
+to be replaced by CONFIG_NR_ONCHIP_DMA_CHANNELS to compile successfully
+with CONFIG_PVR2_DMA enabled.
+
+Signed-off-by: Florian Fuchs
+Reviewed-by: John Paul Adrian Glaubitz
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/pvr2fb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/pvr2fb.c
++++ b/drivers/video/fbdev/pvr2fb.c
+@@ -191,7 +191,7 @@ static unsigned long pvr2fb_map;
+
+ #ifdef CONFIG_PVR2_DMA
+ static unsigned int shdma = PVR2_CASCADE_CHAN;
+-static unsigned int pvr2dma = ONCHIP_NR_DMA_CHANNELS;
++static unsigned int pvr2dma = CONFIG_NR_ONCHIP_DMA_CHANNELS;
+ #endif
+
+ static struct fb_videomode pvr2_modedb[] = {
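Review bot: In drivers/video/fbdev/core/bitblit.c the new bound `if (ch >= charcnt) ch = 0;` in `bit_putcs_aligned()`, and the identical lines in `bit_putcs_unaligned()`, is only as good as `vc->vc_font.charcount`. If the 5.4 tree leaves that field unset for some fonts (the code that fills it in is not part of this patch), `charcnt` is 0 and every character is silently drawn as glyph 0, so the backport should be checked against the places where 5.4 populates `charcount`. The fallback itself also deserves a comment, e.g. `/* index beyond the font: use glyph 0 instead of reading past the font data */`. Both function bodies extend beyond the hunks.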
diff --git a/queue-5.4/fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch b/queue-5.4/fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
new file mode 100644
index 0000000000..e3cf1df07c
--- /dev/null
+++ b/queue-5.4/fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
@@ -0,0 +1,40 @@
+From eb53368f8d6e2dfba84c8a94d245719bcf9ae270 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin
+Date: Mon, 27 Oct 2025 16:43:37 +0800
+Subject: fbdev: valkyriefb: Fix reference count leak in valkyriefb_init
+
+From: Miaoqian Lin
+
+commit eb53368f8d6e2dfba84c8a94d245719bcf9ae270 upstream.
+
+The of_find_node_by_name() function returns a device tree node with its
+reference count incremented. The caller is responsible for calling
+of_node_put() to release this reference when done.
+
+Found via static analysis.
+
+Fixes: cc5d0189b9ba ("[PATCH] powerpc: Remove device_node addrs/n_addr")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/valkyriefb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/valkyriefb.c
++++ b/drivers/video/fbdev/valkyriefb.c
+@@ -336,11 +336,13 @@ int __init valkyriefb_init(void)
+
+ if (of_address_to_resource(dp, 0, &r)) {
+ printk(KERN_ERR "can't find address for valkyrie\n");
++ of_node_put(dp);
+ return 0;
+ }
+
+ frame_buffer_phys = r.start;
+ cmap_regs_phys = r.start + 0x304000;
++ of_node_put(dp);
+ }
+ #endif /* ppc (!CONFIG_MAC) */
+
diff --git a/queue-5.4/net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch b/queue-5.4/net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch
new file mode 100644
index 0000000000..28055da14d
--- /dev/null
+++ b/queue-5.4/net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch
@@ -0,0 +1,61 @@
+From dc89548c6926d68dfdda11bebc1a5258bc41d887 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin
+Date: Mon, 27 Oct 2025 00:43:16 +0800
+Subject: net: usb: asix_devices: Check return value of usbnet_get_endpoints
+
+From: Miaoqian Lin
+
+commit dc89548c6926d68dfdda11bebc1a5258bc41d887 upstream.
+
+The code did not check the return value of usbnet_get_endpoints.
+Add checks and return the error if it fails to transfer the error.
+
+Found via static anlaysis and this is similar to
+commit 07161b2416f7 ("sr9800: Add check for usbnet_get_endpoints").
+
+Fixes: 933a27d39e0e ("USB: asix - Add AX88178 support and many other changes")
+Fixes: 2e55cc7210fe ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin
+Link: https://patch.msgid.link/20251026164318.57624-1-linmq006@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/asix_devices.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/asix_devices.c
++++ b/drivers/net/usb/asix_devices.c
+@@ -230,7 +230,9 @@ static int ax88172_bind(struct usbnet *d
+ int i;
+ unsigned long gpio_bits = dev->driver_info->data;
+
+- usbnet_get_endpoints(dev,intf);
++ ret = usbnet_get_endpoints(dev, intf);
++ if (ret)
++ goto out;
+
+ /* Toggle the GPIOs in a manufacturer/model specific way */
+ for (i = 2; i >= 0; i--) {
+@@ -681,7 +683,9 @@ static int ax88772_bind(struct usbnet *d
+ u32 phyid;
+ struct asix_common_private *priv;
+
+- usbnet_get_endpoints(dev, intf);
++ ret = usbnet_get_endpoints(dev, intf);
++ if (ret)
++ return ret;
+
+ /* Maybe the boot loader passed the MAC address via device tree */
+ if (!eth_platform_get_mac_address(&dev->udev->dev, buf)) {
+@@ -1063,7 +1067,9 @@ static int ax88178_bind(struct usbnet *d
+ int ret;
+ u8 buf[ETH_ALEN] = {0};
+
+- usbnet_get_endpoints(dev,intf);
++ ret = usbnet_get_endpoints(dev, intf);
++ if (ret)
++ return ret;
+
+ /* Get the MAC address */
+ ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);
diff --git a/queue-5.4/series b/queue-5.4/series
index 342fc0f590..42eaacb64d 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -1,3 +1,9 @@
 net-sched-sch_qfq-fix-null-deref-in-agg_dequeue.patch
 x86-bugs-fix-reporting-of-lfence-retpoline.patch
 btrfs-use-smp_mb__after_atomic-when-forcing-cow-in-c.patch
+net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch
+fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch
+acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch
+fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch
+fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
+fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
-- 
2.47.3
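Review bot: In drivers/net/usb/asix_devices.c the three new checks do not leave their functions the same way: `ax88172_bind()` uses `goto out;` while `ax88772_bind()` and `ax88178_bind()` use `return ret;`. The `out:` label, and the declaration of `ret` in the first two functions, are outside the hunks, so for the 5.4 tree confirm that `out` only returns `ret` and does not touch state that is set up after `usbnet_get_endpoints()`. If nothing has been acquired at that point, `return ret;` in `ax88172_bind()` would match the other two and make the early exit obvious.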