From: Greg Kroah-Hartman Date: Mon, 20 Apr 2026 13:15:26 +0000 (+0200) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=c70530c7bca627da2c5aa176ac5dc06d0798bd27;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-ctxfi-limit-ptp-to-a-single-page.patch fbdev-udlfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch kvm-sev-drop-warn-on-large-size-for-kvm_memory_encrypt_reg_region.patch media-vidtv-fix-null-pointer-dereference-in-vidtv_channel_pmt_match_sections.patch ocfs2-fix-use-after-free-in-ocfs2_fault-when-vm_fault_retry.patch ocfs2-handle-invalid-dinode-in-ocfs2_group_extend.patch scripts-checkpatch-add-assisted-by-tag-validation.patch staging-sm750fb-fix-division-by-zero-in-ps_to_hz.patch usb-serial-option-add-telit-cinterion-fn990a-mbim-composition.patch --- diff --git a/queue-5.15/alsa-ctxfi-limit-ptp-to-a-single-page.patch b/queue-5.15/alsa-ctxfi-limit-ptp-to-a-single-page.patch new file mode 100644 index 0000000000..c6a8fd2c0d --- /dev/null +++ b/queue-5.15/alsa-ctxfi-limit-ptp-to-a-single-page.patch @@ -0,0 +1,58 @@ +From e9418da50d9e5c496c22fe392e4ad74c038a94eb Mon Sep 17 00:00:00 2001 +From: Harin Lee +Date: Mon, 6 Apr 2026 16:48:57 +0900 +Subject: ALSA: ctxfi: Limit PTP to a single page + +From: Harin Lee + +commit e9418da50d9e5c496c22fe392e4ad74c038a94eb upstream. + +Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256 +playback streams, but the additional pages are not used by the card +correctly. The CT20K2 hardware already has multiple VMEM_PTPAL +registers, but using them separately would require refactoring the +entire virtual memory allocation logic. + +ct_vm_map() always uses PTEs in vm->ptp[0].area regardless of +CT_PTP_NUM. On AMD64 systems, a single PTP covers 512 PTEs (2M). When +aggregate memory allocations exceed this limit, ct_vm_map() tries to +access beyond the allocated space and causes a page fault: + + BUG: unable to handle page fault for address: ffffd4ae8a10a000 + Oops: Oops: 0002 [#1] SMP PTI + RIP: 0010:ct_vm_map+0x17c/0x280 [snd_ctxfi] + Call Trace: + atc_pcm_playback_prepare+0x225/0x3b0 + ct_pcm_playback_prepare+0x38/0x60 + snd_pcm_do_prepare+0x2f/0x50 + snd_pcm_action_single+0x36/0x90 + snd_pcm_action_nonatomic+0xbf/0xd0 + snd_pcm_ioctl+0x28/0x40 + __x64_sys_ioctl+0x97/0xe0 + do_syscall_64+0x81/0x610 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Revert CT_PTP_NUM to 1. The 256 SRC_RESOURCE_NUM and playback_count +remain unchanged. + +Fixes: 391e69143d0a ("ALSA: ctxfi: Bump playback substreams to 256") +Cc: stable@vger.kernel.org +Signed-off-by: Harin Lee +Link: https://patch.msgid.link/20260406074857.216034-1-me@harin.net +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/ctxfi/ctvmem.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/ctxfi/ctvmem.h ++++ b/sound/pci/ctxfi/ctvmem.h +@@ -15,7 +15,7 @@ + #ifndef CTVMEM_H + #define CTVMEM_H + +-#define CT_PTP_NUM 4 /* num of device page table pages */ ++#define CT_PTP_NUM 1 /* num of device page table pages */ + + #include + #include diff --git a/queue-5.15/fbdev-udlfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch b/queue-5.15/fbdev-udlfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch new file mode 100644 index 0000000000..cad1087f01 --- /dev/null +++ b/queue-5.15/fbdev-udlfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch @@ -0,0 +1,37 @@ +From a31e4518bec70333a0a98f2946a12b53b45fe5b9 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 9 Apr 2026 15:23:46 +0200 +Subject: fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO + +From: Greg Kroah-Hartman + +commit a31e4518bec70333a0a98f2946a12b53b45fe5b9 upstream. + +Much like commit 19f953e74356 ("fbdev: fb_pm2fb: Avoid potential divide +by zero error"), we also need to prevent that same crash from happening +in the udlfb driver as it uses pixclock directly when dividing, which +will crash. + +Cc: Bernie Thompson +Cc: Helge Deller +Fixes: 59277b679f8b ("Staging: udlfb: add dynamic modeset support") +Assisted-by: gregkh_clanker_t1000 +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/udlfb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/video/fbdev/udlfb.c ++++ b/drivers/video/fbdev/udlfb.c +@@ -1077,6 +1077,9 @@ static int dlfb_ops_check_var(struct fb_ + struct fb_videomode mode; + struct dlfb_data *dlfb = info->par; + ++ if (!var->pixclock) ++ return -EINVAL; ++ + /* set device-specific elements of var unrelated to mode */ + dlfb_var_color_format(var); + diff --git a/queue-5.15/kvm-sev-drop-warn-on-large-size-for-kvm_memory_encrypt_reg_region.patch b/queue-5.15/kvm-sev-drop-warn-on-large-size-for-kvm_memory_encrypt_reg_region.patch new file mode 100644 index 0000000000..b08ad6ff72 --- /dev/null +++ b/queue-5.15/kvm-sev-drop-warn-on-large-size-for-kvm_memory_encrypt_reg_region.patch @@ -0,0 +1,71 @@ +From 8acffeef5ef720c35e513e322ab08e32683f32f2 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 12 Mar 2026 17:32:58 -0700 +Subject: KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION + +From: Sean Christopherson + +commit 8acffeef5ef720c35e513e322ab08e32683f32f2 upstream. + +Drop the WARN in sev_pin_memory() on npages overflowing an int, as the +WARN is comically trivially to trigger from userspace, e.g. by doing: + + struct kvm_enc_region range = { + .addr = 0, + .size = -1ul, + }; + + __vm_ioctl(vm, KVM_MEMORY_ENCRYPT_REG_REGION, &range); + +Note, the checks in sev_mem_enc_register_region() that presumably exist to +verify the incoming address+size are completely worthless, as both "addr" +and "size" are u64s and SEV is 64-bit only, i.e. they _can't_ be greater +than ULONG_MAX. That wart will be cleaned up in the near future. + + if (range->addr > ULONG_MAX || range->size > ULONG_MAX) + return -EINVAL; + +Opportunistically add a comment to explain why the code calculates the +number of pages the "hard" way, e.g. instead of just shifting @ulen. + +Fixes: 78824fabc72e ("KVM: SVM: fix svn_pin_memory()'s use of get_user_pages_fast()") +Cc: stable@vger.kernel.org +Reviewed-by: Liam Merwick +Tested-by: Liam Merwick +Link: https://patch.msgid.link/20260313003302.3136111-2-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/sev.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/svm/sev.c ++++ b/arch/x86/kvm/svm/sev.c +@@ -388,10 +388,16 @@ static struct page **sev_pin_memory(stru + if (ulen == 0 || uaddr + ulen < uaddr) + return ERR_PTR(-EINVAL); + +- /* Calculate number of pages. */ ++ /* ++ * Calculate the number of pages that need to be pinned to cover the ++ * entire range. Note! This isn't simply ulen >> PAGE_SHIFT, as KVM ++ * doesn't require the incoming address+size to be page aligned! ++ */ + first = (uaddr & PAGE_MASK) >> PAGE_SHIFT; + last = ((uaddr + ulen - 1) & PAGE_MASK) >> PAGE_SHIFT; + npages = (last - first + 1); ++ if (npages > INT_MAX) ++ return ERR_PTR(-EINVAL); + + locked = sev->pages_locked + npages; + lock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT; +@@ -400,9 +406,6 @@ static struct page **sev_pin_memory(stru + return ERR_PTR(-ENOMEM); + } + +- if (WARN_ON_ONCE(npages > INT_MAX)) +- return ERR_PTR(-EINVAL); +- + /* Avoid using vmalloc for smaller buffers. */ + size = npages * sizeof(struct page *); + if (size > PAGE_SIZE) diff --git a/queue-5.15/media-vidtv-fix-null-pointer-dereference-in-vidtv_channel_pmt_match_sections.patch b/queue-5.15/media-vidtv-fix-null-pointer-dereference-in-vidtv_channel_pmt_match_sections.patch new file mode 100644 index 0000000000..65417f47b8 --- /dev/null +++ b/queue-5.15/media-vidtv-fix-null-pointer-dereference-in-vidtv_channel_pmt_match_sections.patch @@ -0,0 +1,56 @@ +From f8e1fc918a9fe67103bcda01d20d745f264d00a7 Mon Sep 17 00:00:00 2001 +From: Ruslan Valiyev +Date: Tue, 3 Mar 2026 11:27:54 +0000 +Subject: media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections + +From: Ruslan Valiyev + +commit f8e1fc918a9fe67103bcda01d20d745f264d00a7 upstream. + +syzbot reported a general protection fault in vidtv_psi_desc_assign [1]. + +vidtv_psi_pmt_stream_init() can return NULL on memory allocation +failure, but vidtv_channel_pmt_match_sections() does not check for +this. When tail is NULL, the subsequent call to +vidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL +pointer offset, causing a general protection fault. + +Add a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean +up the already-allocated stream chain and return. + +[1] +Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +RIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629 +Call Trace: + + vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline] + vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479 + vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519 + vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline] + vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 + +Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver") +Cc: stable@vger.kernel.org +Reported-by: syzbot+1f5bcc7c919ec578777a@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=1f5bcc7c919ec578777a +Signed-off-by: Ruslan Valiyev +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/test-drivers/vidtv/vidtv_channel.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c ++++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c +@@ -341,6 +341,10 @@ vidtv_channel_pmt_match_sections(struct + tail = vidtv_psi_pmt_stream_init(tail, + s->type, + e_pid); ++ if (!tail) { ++ vidtv_psi_pmt_stream_destroy(head); ++ return; ++ } + + if (!head) + head = tail; diff --git a/queue-5.15/ocfs2-fix-use-after-free-in-ocfs2_fault-when-vm_fault_retry.patch b/queue-5.15/ocfs2-fix-use-after-free-in-ocfs2_fault-when-vm_fault_retry.patch new file mode 100644 index 0000000000..2023ccca2a --- /dev/null +++ b/queue-5.15/ocfs2-fix-use-after-free-in-ocfs2_fault-when-vm_fault_retry.patch @@ -0,0 +1,101 @@ +From 7de554cabf160e331e4442e2a9ad874ca9875921 Mon Sep 17 00:00:00 2001 +From: Tejas Bharambe +Date: Fri, 10 Apr 2026 01:38:16 -0700 +Subject: ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY + +From: Tejas Bharambe + +commit 7de554cabf160e331e4442e2a9ad874ca9875921 upstream. + +filemap_fault() may drop the mmap_lock before returning VM_FAULT_RETRY, +as documented in mm/filemap.c: + + "If our return value has VM_FAULT_RETRY set, it's because the mmap_lock + may be dropped before doing I/O or by lock_folio_maybe_drop_mmap()." + +When this happens, a concurrent munmap() can call remove_vma() and free +the vm_area_struct via RCU. The saved 'vma' pointer in ocfs2_fault() then +becomes a dangling pointer, and the subsequent trace_ocfs2_fault() call +dereferences it -- a use-after-free. + +Fix this by saving ip_blkno as a plain integer before calling +filemap_fault(), and removing vma from the trace event. Since +ip_blkno is copied by value before the lock can be dropped, it +remains valid regardless of what happens to the vma or inode +afterward. + +Link: https://lkml.kernel.org/r/20260410083816.34951-1-tejas.bharambe@outlook.com +Fixes: 614a9e849ca6 ("ocfs2: Remove FILE_IO from masklog.") +Signed-off-by: Tejas Bharambe +Reported-by: syzbot+a49010a0e8fcdeea075f@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=a49010a0e8fcdeea075f +Suggested-by: Joseph Qi +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: Heming Zhao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/mmap.c | 7 +++---- + fs/ocfs2/ocfs2_trace.h | 10 ++++------ + 2 files changed, 7 insertions(+), 10 deletions(-) + +--- a/fs/ocfs2/mmap.c ++++ b/fs/ocfs2/mmap.c +@@ -30,7 +30,8 @@ + + static vm_fault_t ocfs2_fault(struct vm_fault *vmf) + { +- struct vm_area_struct *vma = vmf->vma; ++ unsigned long long ip_blkno = ++ OCFS2_I(file_inode(vmf->vma->vm_file))->ip_blkno; + sigset_t oldset; + vm_fault_t ret; + +@@ -38,11 +39,9 @@ static vm_fault_t ocfs2_fault(struct vm_ + ret = filemap_fault(vmf); + ocfs2_unblock_signals(&oldset); + +- trace_ocfs2_fault(OCFS2_I(vma->vm_file->f_mapping->host)->ip_blkno, +- vma, vmf->page, vmf->pgoff); ++ trace_ocfs2_fault(ip_blkno, vmf->page, vmf->pgoff); + return ret; + } +- + static vm_fault_t __ocfs2_page_mkwrite(struct file *file, + struct buffer_head *di_bh, struct page *page) + { +--- a/fs/ocfs2/ocfs2_trace.h ++++ b/fs/ocfs2/ocfs2_trace.h +@@ -1248,22 +1248,20 @@ TRACE_EVENT(ocfs2_write_end_inline, + + TRACE_EVENT(ocfs2_fault, + TP_PROTO(unsigned long long ino, +- void *area, void *page, unsigned long pgoff), +- TP_ARGS(ino, area, page, pgoff), ++ void *page, unsigned long pgoff), ++ TP_ARGS(ino, page, pgoff), + TP_STRUCT__entry( + __field(unsigned long long, ino) +- __field(void *, area) + __field(void *, page) + __field(unsigned long, pgoff) + ), + TP_fast_assign( + __entry->ino = ino; +- __entry->area = area; + __entry->page = page; + __entry->pgoff = pgoff; + ), +- TP_printk("%llu %p %p %lu", +- __entry->ino, __entry->area, __entry->page, __entry->pgoff) ++ TP_printk("%llu %p %lu", ++ __entry->ino, __entry->page, __entry->pgoff) + ); + + /* End of trace events for fs/ocfs2/mmap.c. */ diff --git a/queue-5.15/ocfs2-handle-invalid-dinode-in-ocfs2_group_extend.patch b/queue-5.15/ocfs2-handle-invalid-dinode-in-ocfs2_group_extend.patch new file mode 100644 index 0000000000..5241708609 --- /dev/null +++ b/queue-5.15/ocfs2-handle-invalid-dinode-in-ocfs2_group_extend.patch @@ -0,0 +1,77 @@ +From 4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f Mon Sep 17 00:00:00 2001 +From: ZhengYuan Huang +Date: Wed, 1 Apr 2026 17:23:03 +0800 +Subject: ocfs2: handle invalid dinode in ocfs2_group_extend + +From: ZhengYuan Huang + +commit 4a1c0ddc6e7bcf2e9db0eeaab9340dcfe97f448f upstream. + +[BUG] +kernel BUG at fs/ocfs2/resize.c:308! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308 +Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe +Call Trace: + ... + ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl fs/ioctl.c:583 [inline] + __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583 + x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + ... + +[CAUSE] +ocfs2_group_extend() assumes that the global bitmap inode block +returned from ocfs2_inode_lock() has already been validated and +BUG_ONs when the signature is not a dinode. That assumption is too +strong for crafted filesystems because the JBD2-managed buffer path +can bypass structural validation and return an invalid dinode to the +resize ioctl. + +[FIX] +Validate the dinode explicitly in ocfs2_group_extend(). If the global +bitmap buffer does not contain a valid dinode, report filesystem +corruption with ocfs2_error() and fail the resize operation instead of +crashing the kernel. + +Link: https://lkml.kernel.org/r/20260401092303.3709187-1-gality369@gmail.com +Fixes: 10995aa2451a ("ocfs2: Morph the haphazard OCFS2_IS_VALID_DINODE() checks.") +Signed-off-by: ZhengYuan Huang +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: Heming Zhao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/resize.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/ocfs2/resize.c ++++ b/fs/ocfs2/resize.c +@@ -295,9 +295,13 @@ int ocfs2_group_extend(struct inode * in + + fe = (struct ocfs2_dinode *)main_bm_bh->b_data; + +- /* main_bm_bh is validated by inode read inside ocfs2_inode_lock(), +- * so any corruption is a code bug. */ +- BUG_ON(!OCFS2_IS_VALID_DINODE(fe)); ++ /* JBD-managed buffers can bypass validation, so treat this as corruption. */ ++ if (!OCFS2_IS_VALID_DINODE(fe)) { ++ ret = ocfs2_error(main_bm_inode->i_sb, ++ "Invalid dinode #%llu\n", ++ (unsigned long long)OCFS2_I(main_bm_inode)->ip_blkno); ++ goto out_unlock; ++ } + + if (le16_to_cpu(fe->id2.i_chain.cl_cpg) != + ocfs2_group_bitmap_size(osb->sb, 0, diff --git a/queue-5.15/scripts-checkpatch-add-assisted-by-tag-validation.patch b/queue-5.15/scripts-checkpatch-add-assisted-by-tag-validation.patch new file mode 100644 index 0000000000..7738b65aa9 --- /dev/null +++ b/queue-5.15/scripts-checkpatch-add-assisted-by-tag-validation.patch @@ -0,0 +1,82 @@ +From 8545d9bc4bd0801e0bdfbfdfdc2532ff31236ddf Mon Sep 17 00:00:00 2001 +From: Harry Wentland +Date: Fri, 27 Mar 2026 11:41:57 -0400 +Subject: scripts/checkpatch: add Assisted-by: tag validation + +From: Harry Wentland + +commit 8545d9bc4bd0801e0bdfbfdfdc2532ff31236ddf upstream. + +The coding-assistants.rst documentation defines the Assisted-by: tag +format for AI-assisted contributions as: + + Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2] + +This format does not use an email address, so checkpatch currently +reports a false positive about an invalid email when encountering this +tag. + +Add Assisted-by: to the recognized signature tags and standard signature +list. When an Assisted-by: tag is found, validate it instead of checking +for an email address. + +Examples of passing tags: +- Claude:claude-3-opus coccinelle sparse +- FOO:BAR.baz +- Copilot Github:claude-3-opus +- GitHub Copilot:Claude Opus 4.6 +- My Cool Agent:v1.2.3 coccinelle sparse + +Examples of tags triggering the new warning: +- Claude coccinelle sparse +- JustAName +- :missing-agent + +Cc: Jani Nikula +Assisted-by: Claude:claude-opus-4.6 +Co-developed-by: Alex Hung +Signed-off-by: Alex Hung +Signed-off-by: Harry Wentland +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Corbet +Message-ID: <20260327154157.162962-1-harry.wentland@amd.com> +Signed-off-by: Greg Kroah-Hartman +--- + scripts/checkpatch.pl | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/scripts/checkpatch.pl ++++ b/scripts/checkpatch.pl +@@ -588,6 +588,7 @@ our $signature_tags = qr{(?xi: + Reviewed-by:| + Reported-by:| + Suggested-by:| ++ Assisted-by:| + To:| + Cc: + )}; +@@ -665,7 +666,7 @@ sub find_standard_signature { + my ($sign_off) = @_; + my @standard_signature_tags = ( + 'Signed-off-by:', 'Co-developed-by:', 'Acked-by:', 'Tested-by:', +- 'Reviewed-by:', 'Reported-by:', 'Suggested-by:' ++ 'Reviewed-by:', 'Reported-by:', 'Suggested-by:', 'Assisted-by:' + ); + foreach my $signature (@standard_signature_tags) { + return $signature if (get_edit_distance($sign_off, $signature) <= 2); +@@ -3000,6 +3001,15 @@ sub process { + } + } + ++# Assisted-by: uses format AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2] instead of email ++ if ($sign_off =~ /^assisted-by:$/i) { ++ if ($email !~ /^[^:]+:\S+(\s+\S+)*$/) { ++ WARN("BAD_ASSISTED_BY", ++ "Assisted-by: should use format: 'Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]'\n" . $herecurr); ++ } ++ next; ++ } ++ + my ($email_name, $name_comment, $email_address, $comment) = parse_email($email); + my $suggested_email = format_email(($email_name, $name_comment, $email_address, $comment)); + if ($suggested_email eq "") { diff --git a/queue-5.15/series b/queue-5.15/series index 9b67f8febb..36b1c2b16a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -67,3 +67,12 @@ usb-gadget-f_phonet-fix-skb-frags-overflow-in-pn_rx_complete.patch usb-gadget-renesas_usb3-validate-endpoint-index-in-standard-request-handlers.patch usbip-validate-number_of_packets-in-usbip_pack_ret_submit.patch usb-storage-expand-range-of-matched-versions-for-vl817-quirks-entry.patch +fbdev-udlfb-avoid-divide-by-zero-on-fbioput_vscreeninfo.patch +scripts-checkpatch-add-assisted-by-tag-validation.patch +staging-sm750fb-fix-division-by-zero-in-ps_to_hz.patch +usb-serial-option-add-telit-cinterion-fn990a-mbim-composition.patch +alsa-ctxfi-limit-ptp-to-a-single-page.patch +media-vidtv-fix-null-pointer-dereference-in-vidtv_channel_pmt_match_sections.patch +ocfs2-fix-use-after-free-in-ocfs2_fault-when-vm_fault_retry.patch +ocfs2-handle-invalid-dinode-in-ocfs2_group_extend.patch +kvm-sev-drop-warn-on-large-size-for-kvm_memory_encrypt_reg_region.patch diff --git a/queue-5.15/staging-sm750fb-fix-division-by-zero-in-ps_to_hz.patch b/queue-5.15/staging-sm750fb-fix-division-by-zero-in-ps_to_hz.patch new file mode 100644 index 0000000000..39bcf439cb --- /dev/null +++ b/queue-5.15/staging-sm750fb-fix-division-by-zero-in-ps_to_hz.patch @@ -0,0 +1,38 @@ +From 75a1621e4f91310673c9acbcbb25c2a7ff821cd3 Mon Sep 17 00:00:00 2001 +From: Junrui Luo +Date: Mon, 23 Mar 2026 15:31:56 +0800 +Subject: staging: sm750fb: fix division by zero in ps_to_hz() + +From: Junrui Luo + +commit 75a1621e4f91310673c9acbcbb25c2a7ff821cd3 upstream. + +ps_to_hz() is called from hw_sm750_crtc_set_mode() without validating +that pixclock is non-zero. A zero pixclock passed via FBIOPUT_VSCREENINFO +causes a division by zero. + +Fix by rejecting zero pixclock in lynxfb_ops_check_var(), consistent +with other framebuffer drivers. + +Fixes: 81dee67e215b ("staging: sm750fb: add sm750 to staging") +Reported-by: Yuhao Jiang +Cc: stable@vger.kernel.org +Signed-off-by: Junrui Luo +Link: https://patch.msgid.link/SYBPR01MB7881AFBFCE28CCF528B35D0CAF4BA@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/sm750fb/sm750.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/staging/sm750fb/sm750.c ++++ b/drivers/staging/sm750fb/sm750.c +@@ -482,6 +482,9 @@ static int lynxfb_ops_check_var(struct f + struct lynxfb_crtc *crtc; + resource_size_t request; + ++ if (!var->pixclock) ++ return -EINVAL; ++ + ret = 0; + par = info->par; + crtc = &par->crtc; diff --git a/queue-5.15/usb-serial-option-add-telit-cinterion-fn990a-mbim-composition.patch b/queue-5.15/usb-serial-option-add-telit-cinterion-fn990a-mbim-composition.patch new file mode 100644 index 0000000000..60a4661935 --- /dev/null +++ b/queue-5.15/usb-serial-option-add-telit-cinterion-fn990a-mbim-composition.patch @@ -0,0 +1,66 @@ +From f8cc59ecc22841be5deb07b549c0c6a2657cd5f9 Mon Sep 17 00:00:00 2001 +From: Fabio Porcedda +Date: Thu, 2 Apr 2026 11:57:27 +0200 +Subject: USB: serial: option: add Telit Cinterion FN990A MBIM composition + +From: Fabio Porcedda + +commit f8cc59ecc22841be5deb07b549c0c6a2657cd5f9 upstream. + +Add the following Telit Cinterion FN990A MBIM composition: + +0x1074: MBIM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (diag) + + DPL (Data Packet Logging) + adb + +T: Bus=01 Lev=01 Prnt=04 Port=06 Cnt=01 Dev#= 7 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=1bc7 ProdID=1074 Rev=05.04 +S: Manufacturer=Telit Wireless Solutions +S: Product=FN990 +S: SerialNumber=70628d0c +C: #Ifs= 8 Cfg#= 1 Atr=e0 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none) +E: Ad=8f(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I: If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Cc: stable@vger.kernel.org +Signed-off-by: Fabio Porcedda +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1383,6 +1383,8 @@ static const struct usb_device_id option + .driver_info = NCTRL(2) | RSVD(3) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1073, 0xff), /* Telit FN990A (ECM) */ + .driver_info = NCTRL(0) | RSVD(1) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1074, 0xff), /* Telit FN990A (MBIM) */ ++ .driver_info = NCTRL(5) | RSVD(6) | RSVD(7) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1075, 0xff), /* Telit FN990A (PCIe) */ + .driver_info = RSVD(0) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1077, 0xff), /* Telit FN990A (rmnet + audio) */