8 files changed, 361 insertions, 0 deletions
diff --git a/queue-6.6/asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch b/queue-6.6/asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch
new file mode 100644
index 0000000000..ee95b6606b
--- /dev/null
+++ b/queue-6.6/asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch
@@ -0,0 +1,37 @@
+From bf39286adc5e10ce3e32eb86ad316ae56f3b52a0 Mon Sep 17 00:00:00 2001
+From: Oliver Schramm <oliver.schramm97@gmail.com>
+Date: Sun, 22 Jun 2025 00:30:01 +0200
+Subject: ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15
+
+From: Oliver Schramm <oliver.schramm97@gmail.com>
+
+commit bf39286adc5e10ce3e32eb86ad316ae56f3b52a0 upstream.
+
+It's smaller brother has already received the patch to enable the microphone,
+now add it too to the DMI quirk table.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Oliver Schramm <oliver.schramm97@gmail.com>
+Link: https://patch.msgid.link/20250621223000.11817-2-oliver.schramm97@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -356,6 +356,13 @@ static const struct dmi_system_id yc_acp
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83J3"),
++ }
++ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "UM5302TA"),
+ }
diff --git a/queue-6.6/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch b/queue-6.6/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
new file mode 100644
index 0000000000..9e4b1d2f38
--- /dev/null
+++ b/queue-6.6/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
@@ -0,0 +1,50 @@
+From a3ef3c2da675a8a564c8bea1a511cdd0a2a9aa49 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Thu, 5 Jun 2025 11:28:46 +0300
+Subject: drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit a3ef3c2da675a8a564c8bea1a511cdd0a2a9aa49 upstream.
+
+Reading DPCD registers has side-effects in general. In particular
+accessing registers outside of the link training register range
+(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly
+forbidden by the DP v2.1 Standard, see
+
+3.6.5.1 DPTX AUX Transaction Handling Mandates
+3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates
+
+Based on my tests, accessing the DPCD_REV register during the link
+training of an UHBR TBT DP tunnel sink leads to link training failures.
+
+Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the
+DPCD register access quirk.
+
+Cc: <stable@vger.kernel.org>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Acked-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com
+(cherry picked from commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/display/drm_dp_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/display/drm_dp_helper.c
++++ b/drivers/gpu/drm/display/drm_dp_helper.c
+@@ -663,7 +663,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a
+ * monitor doesn't power down exactly after the throw away read.
+ */
+ if (!aux->is_remote) {
+- ret = drm_dp_dpcd_probe(aux, DP_DPCD_REV);
++ ret = drm_dp_dpcd_probe(aux, DP_LANE0_1_STATUS);
+ if (ret < 0)
+ return ret;
+ }
diff --git a/queue-6.6/i2c-robotfuzz-osif-disable-zero-length-read-messages.patch b/queue-6.6/i2c-robotfuzz-osif-disable-zero-length-read-messages.patch
new file mode 100644
index 0000000000..5c4fb2b6f1
--- /dev/null
+++ b/queue-6.6/i2c-robotfuzz-osif-disable-zero-length-read-messages.patch
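Review bot: The new probe address in `drm_dp_dpcd_read()` has no in-code explanation of why `DP_LANE0_1_STATUS` was chosen, so a later cleanup could switch the probe back to a register that is not safe to read during link training. The comment block above the call, which starts outside the hunk, should record the reason, for example `* Probe DP_LANE0_1_STATUS: it lies in the register range that may be accessed during link training.` At present that rationale exists only in the commit message.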
@@ -0,0 +1,47 @@
+From 56ad91c1aa9c18064348edf69308080b03c9dc48 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Thu, 22 May 2025 08:42:35 +0200
+Subject: i2c: robotfuzz-osif: disable zero-length read messages
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit 56ad91c1aa9c18064348edf69308080b03c9dc48 upstream.
+
+This driver passes the length of an i2c_msg directly to
+usb_control_msg(). If the message is now a read and of length 0, it
+violates the USB protocol and a warning will be printed. Enable the
+I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
+read messages altogether.
+
+Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Cc: <stable@vger.kernel.org> # v3.14+
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250522064234.3721-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-robotfuzz-osif.c
++++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c
+@@ -111,6 +111,11 @@ static u32 osif_func(struct i2c_adapter
+ return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
+ }
+
++/* prevent invalid 0-length usb_control_msg */
++static const struct i2c_adapter_quirks osif_quirks = {
++ .flags = I2C_AQ_NO_ZERO_LEN_READ,
++};
++
+ static const struct i2c_algorithm osif_algorithm = {
+ .master_xfer = osif_xfer,
+ .functionality = osif_func,
+@@ -143,6 +148,7 @@ static int osif_probe(struct usb_interfa
+
+ priv->adapter.owner = THIS_MODULE;
+ priv->adapter.class = I2C_CLASS_HWMON;
++ priv->adapter.quirks = &osif_quirks;
+ priv->adapter.algo = &osif_algorithm;
+ priv->adapter.algo_data = priv;
+ snprintf(priv->adapter.name, sizeof(priv->adapter.name),
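Review bot: The comment on `osif_quirks` says it prevents an invalid 0-length `usb_control_msg`, but `I2C_AQ_NO_ZERO_LEN_READ` only rejects zero-length reads, so the comment overstates what the quirk covers. Going by the commit message, the driver passes the message length straight to usb_control_msg(), which means zero-length writes are still forwarded. A more precise wording would be `/* usb_control_msg() must not be asked for a 0-length read; let the I2C core reject such messages */`. The same comment appears on `usb_quirks` in the i2c-tiny-usb patch and would benefit from the same change. Both transfer functions are outside the hunks, so whether they validate the length themselves cannot be seen here.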
diff --git a/queue-6.6/i2c-tiny-usb-disable-zero-length-read-messages.patch b/queue-6.6/i2c-tiny-usb-disable-zero-length-read-messages.patch
new file mode 100644
index 0000000000..f9807c92e8
--- /dev/null
+++ b/queue-6.6/i2c-tiny-usb-disable-zero-length-read-messages.patch
@@ -0,0 +1,47 @@
+From cbdb25ccf7566eee0c2b945e35cb98baf9ed0aa6 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Thu, 22 May 2025 08:43:49 +0200
+Subject: i2c: tiny-usb: disable zero-length read messages
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit cbdb25ccf7566eee0c2b945e35cb98baf9ed0aa6 upstream.
+
+This driver passes the length of an i2c_msg directly to
+usb_control_msg(). If the message is now a read and of length 0, it
+violates the USB protocol and a warning will be printed. Enable the
+I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
+read messages altogether.
+
+Fixes: e8c76eed2ecd ("i2c: New i2c-tiny-usb bus driver")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Cc: <stable@vger.kernel.org> # v2.6.22+
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250522064349.3823-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-tiny-usb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-tiny-usb.c
++++ b/drivers/i2c/busses/i2c-tiny-usb.c
+@@ -140,6 +140,11 @@ out:
+ return ret;
+ }
+
++/* prevent invalid 0-length usb_control_msg */
++static const struct i2c_adapter_quirks usb_quirks = {
++ .flags = I2C_AQ_NO_ZERO_LEN_READ,
++};
++
+ /* This is the actual algorithm we define */
+ static const struct i2c_algorithm usb_algorithm = {
+ .master_xfer = usb_xfer,
+@@ -248,6 +253,7 @@ static int i2c_tiny_usb_probe(struct usb
+ /* setup i2c adapter description */
+ dev->adapter.owner = THIS_MODULE;
+ dev->adapter.class = I2C_CLASS_HWMON;
++ dev->adapter.quirks = &usb_quirks;
+ dev->adapter.algo = &usb_algorithm;
+ dev->adapter.algo_data = dev;
+ snprintf(dev->adapter.name, sizeof(dev->adapter.name),
diff --git a/queue-6.6/lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch b/queue-6.6/lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch
new file mode 100644
index 0000000000..c116bc3063
--- /dev/null
+++ b/queue-6.6/lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch
@@ -0,0 +1,90 @@
+From df831e97739405ecbaddb85516bc7d4d1c933d6b Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Thu, 19 Jun 2025 21:26:55 +0800
+Subject: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit df831e97739405ecbaddb85516bc7d4d1c933d6b upstream.
+
+While testing null_blk with configfs, echo 0 > poll_queues will trigger
+following panic:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000010
+Oops: Oops: 0000 [#1] SMP NOPTI
+CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
+RIP: 0010:__bitmap_or+0x48/0x70
+Call Trace:
+ <TASK>
+ __group_cpus_evenly+0x822/0x8c0
+ group_cpus_evenly+0x2d9/0x490
+ blk_mq_map_queues+0x1e/0x110
+ null_map_queues+0xc9/0x170 [null_blk]
+ blk_mq_update_queue_map+0xdb/0x160
+ blk_mq_update_nr_hw_queues+0x22b/0x560
+ nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
+ nullb_device_poll_queues_store+0xa4/0x130 [null_blk]
+ configfs_write_iter+0x109/0x1d0
+ vfs_write+0x26e/0x6f0
+ ksys_write+0x79/0x180
+ __x64_sys_write+0x1d/0x30
+ x64_sys_call+0x45c4/0x45f0
+ do_syscall_64+0xa5/0x240
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Root cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from
+kcalloc(), and later ZERO_SIZE_PTR will be deferenced.
+
+Fix the problem by checking numgrps first in group_cpus_evenly(), and
+return NULL directly if numgrps is zero.
+
+[yukuai3@huawei.com: also fix the non-SMP version]
+ Link: https://lkml.kernel.org/r/20250620010958.1265984-1-yukuai1@huaweicloud.com
+Link: https://lkml.kernel.org/r/20250619132655.3318883-1-yukuai1@huaweicloud.com
+Fixes: 6a6dcae8f486 ("blk-mq: Build default queue map via group_cpus_evenly()")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Jens Axboe <axboe@kernel.dk>
+Cc: ErKun Yang <yangerkun@huawei.com>
+Cc: John Garry <john.g.garry@oracle.com>
+Cc: Thomas Gleinxer <tglx@linutronix.de>
+Cc: "zhangyi (F)" <yi.zhang@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/group_cpus.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/group_cpus.c b/lib/group_cpus.c
+index ee272c4cefcc..18d43a406114 100644
+--- a/lib/group_cpus.c
++++ b/lib/group_cpus.c
+@@ -352,6 +352,9 @@ struct cpumask *group_cpus_evenly(unsigned int numgrps)
+ int ret = -ENOMEM;
+ struct cpumask *masks = NULL;
+
++ if (numgrps == 0)
++ return NULL;
++
+ if (!zalloc_cpumask_var(&nmsk, GFP_KERNEL))
+ return NULL;
+
+@@ -426,8 +429,12 @@ struct cpumask *group_cpus_evenly(unsigned int numgrps)
+ #else /* CONFIG_SMP */
+ struct cpumask *group_cpus_evenly(unsigned int numgrps)
+ {
+- struct cpumask *masks = kcalloc(numgrps, sizeof(*masks), GFP_KERNEL);
++ struct cpumask *masks;
+
++ if (numgrps == 0)
++ return NULL;
++
++ masks = kcalloc(numgrps, sizeof(*masks), GFP_KERNEL);
+ if (!masks)
+ return NULL;
+
+--
+2.50.0
+
diff --git a/queue-6.6/mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch b/queue-6.6/mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch
new file mode 100644
index 0000000000..d4566e6b40
--- /dev/null
+++ b/queue-6.6/mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch
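Review bot: The two new `numgrps == 0` checks in `group_cpus_evenly()` have no comment saying that they exist to keep `kcalloc()` from handing back `ZERO_SIZE_PTR`, so they read as redundant next to the later NULL checks. A short comment above each one, such as `/* kcalloc(0, ...) returns ZERO_SIZE_PTR, which is non-NULL but must not be dereferenced */`, would protect the guard from being removed in both the SMP and the non-SMP variant. The function now returns NULL both for a zero group count and for an allocation failure, so a caller that maps NULL to an out-of-memory error will report that for the zero case as well. The kernel-doc of the function is outside the hunk; if it describes the return value, it should mention this case.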
@@ -0,0 +1,36 @@
+From 4f489fe6afb395dbc79840efa3c05440b760d883 Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Thu, 19 Jun 2025 11:36:07 -0700
+Subject: mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write
+
+From: SeongJae Park <sj@kernel.org>
+
+commit 4f489fe6afb395dbc79840efa3c05440b760d883 upstream.
+
+memcg_path_store() assigns a newly allocated memory buffer to
+filter->memcg_path, without deallocating the previously allocated and
+assigned memory buffer. As a result, users can leak kernel memory by
+continuously writing a data to memcg_path DAMOS sysfs file. Fix the leak
+by deallocating the previously set memory buffer.
+
+Link: https://lkml.kernel.org/r/20250619183608.6647-2-sj@kernel.org
+Fixes: 7ee161f18b5d ("mm/damon/sysfs-schemes: implement filter directory")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: <stable@vger.kernel.org> [6.3.x]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/sysfs-schemes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/damon/sysfs-schemes.c
++++ b/mm/damon/sysfs-schemes.c
+@@ -376,6 +376,7 @@ static ssize_t memcg_path_store(struct k
+ return -ENOMEM;
+
+ strscpy(path, buf, count + 1);
++ kfree(filter->memcg_path);
+ filter->memcg_path = path;
+ return count;
+ }
diff --git a/queue-6.6/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch b/queue-6.6/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch
new file mode 100644
index 0000000000..fa2c7f246f
--- /dev/null
+++ b/queue-6.6/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch
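Review bot: The added `kfree(filter->memcg_path)` in `memcg_path_store()` frees a buffer that other code may still be reading, and no lock is taken in the visible lines around the free and the reassignment. Before this patch a racing reader saw a stale but still-allocated string; with the free in place the same race would be a use-after-free, and two concurrent writers could free the same pointer twice. The start of the function is outside the hunk, so a lock may be held there. It is worth confirming that every reader and writer of `filter->memcg_path` is serialized against this store, and if not, doing the free and the pointer swap under the lock the readers take.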
@@ -0,0 +1,47 @@
+From 7360ee47599af91a1d5f4e74d635d9408a54e489 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Wed, 11 Jun 2025 22:20:10 +0300
+Subject: s390/pkey: Prevent overflow in size calculation for memdup_user()
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit 7360ee47599af91a1d5f4e74d635d9408a54e489 upstream.
+
+Number of apqn target list entries contained in 'nr_apqns' variable is
+determined by userspace via an ioctl call so the result of the product in
+calculation of size passed to memdup_user() may overflow.
+
+In this case the actual size of the allocated area and the value
+describing it won't be in sync leading to various types of unpredictable
+behaviour later.
+
+Use a proper memdup_array_user() helper which returns an error if an
+overflow is detected. Note that it is different from when nr_apqns is
+initially zero - that case is considered valid and should be handled in
+subsequent pkey_handler implementations.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: f2bbc96e7cfa ("s390/pkey: add CCA AES cipher key support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250611192011.206057-1-pchelkin@ispras.ru
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/pkey_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/crypto/pkey_api.c
++++ b/drivers/s390/crypto/pkey_api.c
+@@ -1333,7 +1333,7 @@ static void *_copy_apqns_from_user(void
+ if (!uapqns || nr_apqns == 0)
+ return NULL;
+
+- return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn));
++ return memdup_array_user(uapqns, nr_apqns, sizeof(struct pkey_apqn));
+ }
+
+ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
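Review bot: The return contract of `_copy_apqns_from_user()` is undocumented: it yields NULL for an absent or empty list, an `ERR_PTR()` value when `memdup_array_user()` detects overflow or the copy fails, and otherwise a valid buffer. A caller that only tests for NULL would treat the error pointer as a buffer, and the callers are outside the hunk. A comment above the function, e.g. `/* Returns NULL for an empty list, ERR_PTR() on overflow or copy failure; check with IS_ERR(). */`, would make the contract explicit. Since this is a 6.6 backport, it is also worth confirming that `memdup_array_user()` is present in that tree.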
diff --git a/queue-6.6/series b/queue-6.6/series
index 2eab419dba..1a7dabf186 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -68,3 +68,10 @@ af_unix-define-locking-order-for-u_lock_second-in-un.patch
 af_unix-define-locking-order-for-u_recvq_lock_embryo.patch
 af_unix-don-t-call-skb_get-for-oob-skb.patch
 af_unix-don-t-leave-consecutive-consumed-oob-skbs.patch
+i2c-tiny-usb-disable-zero-length-read-messages.patch
+i2c-robotfuzz-osif-disable-zero-length-read-messages.patch
+mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch
+asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch
+s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch
+lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch
+drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
|