--- /dev/null
+From c18ecd99e0c707ef8f83cace861cbc3162f4fdf1 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Sat, 23 Aug 2025 13:45:34 +0800
+Subject: f2fs: fix to do sanity check on node footer for non inode dnode
+
+From: Chao Yu <chao@kernel.org>
+
+commit c18ecd99e0c707ef8f83cace861cbc3162f4fdf1 upstream.
+
+As syzbot reported below:
+
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/file.c:1243!
+Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
+CPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted 6.17.0-rc1-syzkaller-00211-g90d970cade8e #0 PREEMPT(full)
+RIP: 0010:f2fs_truncate_hole+0x69e/0x6c0 fs/f2fs/file.c:1243
+Call Trace:
+ <TASK>
+ f2fs_punch_hole+0x2db/0x330 fs/f2fs/file.c:1306
+ f2fs_fallocate+0x546/0x990 fs/f2fs/file.c:2018
+ vfs_fallocate+0x666/0x7e0 fs/open.c:342
+ ksys_fallocate fs/open.c:366 [inline]
+ __do_sys_fallocate fs/open.c:371 [inline]
+ __se_sys_fallocate fs/open.c:369 [inline]
+ __x64_sys_fallocate+0xc0/0x110 fs/open.c:369
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f1e65f8ebe9
+
+w/ a fuzzed image, f2fs may encounter panic due to it detects inconsistent
+truncation range in direct node in f2fs_truncate_hole().
+
+The root cause is: a non-inode dnode may has the same footer.ino and
+footer.nid, so the dnode will be parsed as an inode, then ADDRS_PER_PAGE()
+may return wrong blkaddr count which may be 923 typically, by chance,
+dn.ofs_in_node is equal to 923, then count can be calculated to 0 in below
+statement, later it will trigger panic w/ f2fs_bug_on(, count == 0 || ...).
+
+ count = min(end_offset - dn.ofs_in_node, pg_end - pg_start);
+
+This patch introduces a new node_type NODE_TYPE_NON_INODE, then allowing
+passing the new_type to sanity_check_node_footer in f2fs_get_node_folio()
+to detect corruption that a non-inode dnode has the same footer.ino and
+footer.nid.
+
+Scripts to reproduce:
+mkfs.f2fs -f /dev/vdb
+mount /dev/vdb /mnt/f2fs
+touch /mnt/f2fs/foo
+touch /mnt/f2fs/bar
+dd if=/dev/zero of=/mnt/f2fs/foo bs=1M count=8
+umount /mnt/f2fs
+inject.f2fs --node --mb i_nid --nid 4 --idx 0 --val 5 /dev/vdb
+mount /dev/vdb /mnt/f2fs
+xfs_io /mnt/f2fs/foo -c "fpunch 6984k 4k"
+
+Cc: stable@kernel.org
+Reported-by: syzbot+b9c7ffd609c3f09416ab@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/68a68e27.050a0220.1a3988.0002.GAE@google.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/f2fs.h | 4 ++-
+ fs/f2fs/gc.c | 4 +--
+ fs/f2fs/node.c | 58 +++++++++++++++++++++++++++++++++++------------------
+ fs/f2fs/node.h | 1
+ fs/f2fs/recovery.c | 2 -
+ 5 files changed, 46 insertions(+), 23 deletions(-)
+
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -3764,6 +3764,7 @@ void f2fs_hash_filename(const struct ino
+ * node.c
+ */
+ struct node_info;
++enum node_type;
+
+ int f2fs_check_nid_range(struct f2fs_sb_info *sbi, nid_t nid);
+ bool f2fs_available_free_memory(struct f2fs_sb_info *sbi, int type);
+@@ -3786,7 +3787,8 @@ int f2fs_remove_inode_page(struct inode
+ struct folio *f2fs_new_inode_folio(struct inode *inode);
+ struct folio *f2fs_new_node_folio(struct dnode_of_data *dn, unsigned int ofs);
+ void f2fs_ra_node_page(struct f2fs_sb_info *sbi, nid_t nid);
+-struct folio *f2fs_get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid);
++struct folio *f2fs_get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid,
++ enum node_type node_type);
+ struct folio *f2fs_get_inode_folio(struct f2fs_sb_info *sbi, pgoff_t ino);
+ struct folio *f2fs_get_xnode_folio(struct f2fs_sb_info *sbi, pgoff_t xnid);
+ int f2fs_move_node_folio(struct folio *node_folio, int gc_type);
+--- a/fs/f2fs/gc.c
++++ b/fs/f2fs/gc.c
+@@ -1071,7 +1071,7 @@ next_step:
+ }
+
+ /* phase == 2 */
+- node_folio = f2fs_get_node_folio(sbi, nid);
++ node_folio = f2fs_get_node_folio(sbi, nid, NODE_TYPE_REGULAR);
+ if (IS_ERR(node_folio))
+ continue;
+
+@@ -1145,7 +1145,7 @@ static bool is_alive(struct f2fs_sb_info
+ nid = le32_to_cpu(sum->nid);
+ ofs_in_node = le16_to_cpu(sum->ofs_in_node);
+
+- node_folio = f2fs_get_node_folio(sbi, nid);
++ node_folio = f2fs_get_node_folio(sbi, nid, NODE_TYPE_REGULAR);
+ if (IS_ERR(node_folio))
+ return false;
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -871,7 +871,8 @@ int f2fs_get_dnode_of_data(struct dnode_
+ }
+
+ if (!done) {
+- nfolio[i] = f2fs_get_node_folio(sbi, nids[i]);
++ nfolio[i] = f2fs_get_node_folio(sbi, nids[i],
++ NODE_TYPE_NON_INODE);
+ if (IS_ERR(nfolio[i])) {
+ err = PTR_ERR(nfolio[i]);
+ f2fs_folio_put(nfolio[0], false);
+@@ -989,7 +990,7 @@ static int truncate_dnode(struct dnode_o
+ return 1;
+
+ /* get direct node */
+- folio = f2fs_get_node_folio(sbi, dn->nid);
++ folio = f2fs_get_node_folio(sbi, dn->nid, NODE_TYPE_NON_INODE);
+ if (PTR_ERR(folio) == -ENOENT)
+ return 1;
+ else if (IS_ERR(folio))
+@@ -1033,7 +1034,8 @@ static int truncate_nodes(struct dnode_o
+
+ trace_f2fs_truncate_nodes_enter(dn->inode, dn->nid, dn->data_blkaddr);
+
+- folio = f2fs_get_node_folio(F2FS_I_SB(dn->inode), dn->nid);
++ folio = f2fs_get_node_folio(F2FS_I_SB(dn->inode), dn->nid,
++ NODE_TYPE_NON_INODE);
+ if (IS_ERR(folio)) {
+ trace_f2fs_truncate_nodes_exit(dn->inode, PTR_ERR(folio));
+ return PTR_ERR(folio);
+@@ -1111,7 +1113,8 @@ static int truncate_partial_nodes(struct
+ /* get indirect nodes in the path */
+ for (i = 0; i < idx + 1; i++) {
+ /* reference count'll be increased */
+- folios[i] = f2fs_get_node_folio(F2FS_I_SB(dn->inode), nid[i]);
++ folios[i] = f2fs_get_node_folio(F2FS_I_SB(dn->inode), nid[i],
++ NODE_TYPE_NON_INODE);
+ if (IS_ERR(folios[i])) {
+ err = PTR_ERR(folios[i]);
+ idx = i - 1;
+@@ -1496,21 +1499,37 @@ static int sanity_check_node_footer(stru
+ struct folio *folio, pgoff_t nid,
+ enum node_type ntype)
+ {
+- if (unlikely(nid != nid_of_node(folio) ||
+- (ntype == NODE_TYPE_INODE && !IS_INODE(folio)) ||
+- (ntype == NODE_TYPE_XATTR &&
+- !f2fs_has_xattr_block(ofs_of_node(folio))) ||
+- time_to_inject(sbi, FAULT_INCONSISTENT_FOOTER))) {
+- f2fs_warn(sbi, "inconsistent node block, node_type:%d, nid:%lu, "
+- "node_footer[nid:%u,ino:%u,ofs:%u,cpver:%llu,blkaddr:%u]",
+- ntype, nid, nid_of_node(folio), ino_of_node(folio),
+- ofs_of_node(folio), cpver_of_node(folio),
+- next_blkaddr_of_node(folio));
+- set_sbi_flag(sbi, SBI_NEED_FSCK);
+- f2fs_handle_error(sbi, ERROR_INCONSISTENT_FOOTER);
+- return -EFSCORRUPTED;
++ if (unlikely(nid != nid_of_node(folio)))
++ goto out_err;
++
++ switch (ntype) {
++ case NODE_TYPE_INODE:
++ if (!IS_INODE(folio))
++ goto out_err;
++ break;
++ case NODE_TYPE_XATTR:
++ if (!f2fs_has_xattr_block(ofs_of_node(folio)))
++ goto out_err;
++ break;
++ case NODE_TYPE_NON_INODE:
++ if (IS_INODE(folio))
++ goto out_err;
++ break;
++ default:
++ break;
+ }
++ if (time_to_inject(sbi, FAULT_INCONSISTENT_FOOTER))
++ goto out_err;
+ return 0;
++out_err:
++ f2fs_warn(sbi, "inconsistent node block, node_type:%d, nid:%lu, "
++ "node_footer[nid:%u,ino:%u,ofs:%u,cpver:%llu,blkaddr:%u]",
++ ntype, nid, nid_of_node(folio), ino_of_node(folio),
++ ofs_of_node(folio), cpver_of_node(folio),
++ next_blkaddr_of_node(folio));
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ f2fs_handle_error(sbi, ERROR_INCONSISTENT_FOOTER);
++ return -EFSCORRUPTED;
+ }
+
+ static struct folio *__get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid,
+@@ -1567,9 +1586,10 @@ out_put_err:
+ return ERR_PTR(err);
+ }
+
+-struct folio *f2fs_get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid)
++struct folio *f2fs_get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid,
++ enum node_type node_type)
+ {
+- return __get_node_folio(sbi, nid, NULL, 0, NODE_TYPE_REGULAR);
++ return __get_node_folio(sbi, nid, NULL, 0, node_type);
+ }
+
+ struct folio *f2fs_get_inode_folio(struct f2fs_sb_info *sbi, pgoff_t ino)
+--- a/fs/f2fs/node.h
++++ b/fs/f2fs/node.h
+@@ -57,6 +57,7 @@ enum node_type {
+ NODE_TYPE_REGULAR,
+ NODE_TYPE_INODE,
+ NODE_TYPE_XATTR,
++ NODE_TYPE_NON_INODE,
+ };
+
+ /*
+--- a/fs/f2fs/recovery.c
++++ b/fs/f2fs/recovery.c
+@@ -548,7 +548,7 @@ got_it:
+ }
+
+ /* Get the node page */
+- node_folio = f2fs_get_node_folio(sbi, nid);
++ node_folio = f2fs_get_node_folio(sbi, nid, NODE_TYPE_REGULAR);
+ if (IS_ERR(node_folio))
+ return PTR_ERR(node_folio);
+
--- /dev/null
+From e750f85391286a4c8100275516973324b621a269 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 15 Jul 2025 12:06:38 -0700
+Subject: KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit e750f85391286a4c8100275516973324b621a269 upstream.
+
+When completing emulation of instruction that generated a userspace exit
+for I/O, don't recheck L1 intercepts as KVM has already finished that
+phase of instruction execution, i.e. has already committed to allowing L2
+to perform I/O. If L1 (or host userspace) modifies the I/O permission
+bitmaps during the exit to userspace, KVM will treat the access as being
+intercepted despite already having emulated the I/O access.
+
+Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.
+Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the
+intended "recipient") can reach the code in question. gp_interception()'s
+use is mutually exclusive with is_guest_mode(), and
+complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with
+EMULTYPE_SKIP.
+
+The bad behavior was detected by a syzkaller program that toggles port I/O
+interception during the userspace I/O exit, ultimately resulting in a WARN
+on vcpu->arch.pio.count being non-zero due to KVM no completing emulation
+of the I/O instruction.
+
+ WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]
+ Modules linked in: kvm_intel kvm irqbypass
+ CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]
+ PKRU: 55555554
+ Call Trace:
+ <TASK>
+ kvm_fast_pio+0xd6/0x1d0 [kvm]
+ vmx_handle_exit+0x149/0x610 [kvm_intel]
+ kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]
+ kvm_vcpu_ioctl+0x244/0x8c0 [kvm]
+ __x64_sys_ioctl+0x8a/0xd0
+ do_syscall_64+0x5d/0xc60
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+ </TASK>
+
+Reported-by: syzbot+cc2032ba16cc2018ca25@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68790db4.a00a0220.3af5df.0020.GAE@google.com
+Fixes: 8a76d7f25f8f ("KVM: x86: Add x86 callback for intercept check")
+Cc: stable@vger.kernel.org
+Cc: Jim Mattson <jmattson@google.com>
+Link: https://lore.kernel.org/r/20250715190638.1899116-1-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/emulate.c | 9 ++++-----
+ arch/x86/kvm/kvm_emulate.h | 3 +--
+ arch/x86/kvm/x86.c | 15 ++++++++-------
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -5107,12 +5107,11 @@ void init_decode_cache(struct x86_emulat
+ ctxt->mem_read.end = 0;
+ }
+
+-int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
++int x86_emulate_insn(struct x86_emulate_ctxt *ctxt, bool check_intercepts)
+ {
+ const struct x86_emulate_ops *ops = ctxt->ops;
+ int rc = X86EMUL_CONTINUE;
+ int saved_dst_type = ctxt->dst.type;
+- bool is_guest_mode = ctxt->ops->is_guest_mode(ctxt);
+
+ ctxt->mem_read.pos = 0;
+
+@@ -5160,7 +5159,7 @@ int x86_emulate_insn(struct x86_emulate_
+ fetch_possible_mmx_operand(&ctxt->dst);
+ }
+
+- if (unlikely(is_guest_mode) && ctxt->intercept) {
++ if (unlikely(check_intercepts) && ctxt->intercept) {
+ rc = emulator_check_intercept(ctxt, ctxt->intercept,
+ X86_ICPT_PRE_EXCEPT);
+ if (rc != X86EMUL_CONTINUE)
+@@ -5189,7 +5188,7 @@ int x86_emulate_insn(struct x86_emulate_
+ goto done;
+ }
+
+- if (unlikely(is_guest_mode) && (ctxt->d & Intercept)) {
++ if (unlikely(check_intercepts) && (ctxt->d & Intercept)) {
+ rc = emulator_check_intercept(ctxt, ctxt->intercept,
+ X86_ICPT_POST_EXCEPT);
+ if (rc != X86EMUL_CONTINUE)
+@@ -5243,7 +5242,7 @@ int x86_emulate_insn(struct x86_emulate_
+
+ special_insn:
+
+- if (unlikely(is_guest_mode) && (ctxt->d & Intercept)) {
++ if (unlikely(check_intercepts) && (ctxt->d & Intercept)) {
+ rc = emulator_check_intercept(ctxt, ctxt->intercept,
+ X86_ICPT_POST_MEMACCESS);
+ if (rc != X86EMUL_CONTINUE)
+--- a/arch/x86/kvm/kvm_emulate.h
++++ b/arch/x86/kvm/kvm_emulate.h
+@@ -235,7 +235,6 @@ struct x86_emulate_ops {
+ void (*set_nmi_mask)(struct x86_emulate_ctxt *ctxt, bool masked);
+
+ bool (*is_smm)(struct x86_emulate_ctxt *ctxt);
+- bool (*is_guest_mode)(struct x86_emulate_ctxt *ctxt);
+ int (*leave_smm)(struct x86_emulate_ctxt *ctxt);
+ void (*triple_fault)(struct x86_emulate_ctxt *ctxt);
+ int (*set_xcr)(struct x86_emulate_ctxt *ctxt, u32 index, u64 xcr);
+@@ -521,7 +520,7 @@ bool x86_page_table_writing_insn(struct
+ #define EMULATION_RESTART 1
+ #define EMULATION_INTERCEPTED 2
+ void init_decode_cache(struct x86_emulate_ctxt *ctxt);
+-int x86_emulate_insn(struct x86_emulate_ctxt *ctxt);
++int x86_emulate_insn(struct x86_emulate_ctxt *ctxt, bool check_intercepts);
+ int emulator_task_switch(struct x86_emulate_ctxt *ctxt,
+ u16 tss_selector, int idt_index, int reason,
+ bool has_error_code, u32 error_code);
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -8470,11 +8470,6 @@ static bool emulator_is_smm(struct x86_e
+ return is_smm(emul_to_vcpu(ctxt));
+ }
+
+-static bool emulator_is_guest_mode(struct x86_emulate_ctxt *ctxt)
+-{
+- return is_guest_mode(emul_to_vcpu(ctxt));
+-}
+-
+ #ifndef CONFIG_KVM_SMM
+ static int emulator_leave_smm(struct x86_emulate_ctxt *ctxt)
+ {
+@@ -8558,7 +8553,6 @@ static const struct x86_emulate_ops emul
+ .guest_cpuid_is_intel_compatible = emulator_guest_cpuid_is_intel_compatible,
+ .set_nmi_mask = emulator_set_nmi_mask,
+ .is_smm = emulator_is_smm,
+- .is_guest_mode = emulator_is_guest_mode,
+ .leave_smm = emulator_leave_smm,
+ .triple_fault = emulator_triple_fault,
+ .set_xcr = emulator_set_xcr,
+@@ -9143,7 +9137,14 @@ restart:
+ ctxt->exception.address = 0;
+ }
+
+- r = x86_emulate_insn(ctxt);
++ /*
++ * Check L1's instruction intercepts when emulating instructions for
++ * L2, unless KVM is re-emulating a previously decoded instruction,
++ * e.g. to complete userspace I/O, in which case KVM has already
++ * checked the intercepts.
++ */
++ r = x86_emulate_insn(ctxt, is_guest_mode(vcpu) &&
++ !(emulation_type & EMULTYPE_NO_DECODE));
+
+ if (r == EMULATION_INTERCEPTED)
+ return 1;
--- /dev/null
+From 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 Mon Sep 17 00:00:00 2001
+From: Nalivayko Sergey <Sergey.Nalivayko@kaspersky.com>
+Date: Tue, 15 Jul 2025 18:48:15 +0300
+Subject: net/9p: fix double req put in p9_fd_cancelled
+
+From: Nalivayko Sergey <Sergey.Nalivayko@kaspersky.com>
+
+commit 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 upstream.
+
+Syzkaller reports a KASAN issue as below:
+
+general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI
+KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]
+CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+RIP: 0010:__list_del include/linux/list.h:114 [inline]
+RIP: 0010:__list_del_entry include/linux/list.h:137 [inline]
+RIP: 0010:list_del include/linux/list.h:148 [inline]
+RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734
+
+Call Trace:
+ <TASK>
+ p9_client_flush+0x351/0x440 net/9p/client.c:614
+ p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734
+ p9_client_version net/9p/client.c:920 [inline]
+ p9_client_create+0xb51/0x1240 net/9p/client.c:1027
+ v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408
+ v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126
+ legacy_get_tree+0x108/0x220 fs/fs_context.c:632
+ vfs_get_tree+0x8e/0x300 fs/super.c:1573
+ do_new_mount fs/namespace.c:3056 [inline]
+ path_mount+0x6a6/0x1e90 fs/namespace.c:3386
+ do_mount fs/namespace.c:3399 [inline]
+ __do_sys_mount fs/namespace.c:3607 [inline]
+ __se_sys_mount fs/namespace.c:3584 [inline]
+ __x64_sys_mount+0x283/0x300 fs/namespace.c:3584
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+This happens because of a race condition between:
+
+- The 9p client sending an invalid flush request and later cleaning it up;
+- The 9p client in p9_read_work() canceled all pending requests.
+
+ Thread 1 Thread 2
+ ...
+ p9_client_create()
+ ...
+ p9_fd_create()
+ ...
+ p9_conn_create()
+ ...
+ // start Thread 2
+ INIT_WORK(&m->rq, p9_read_work);
+ p9_read_work()
+ ...
+ p9_client_rpc()
+ ...
+ ...
+ p9_conn_cancel()
+ ...
+ spin_lock(&m->req_lock);
+ ...
+ p9_fd_cancelled()
+ ...
+ ...
+ spin_unlock(&m->req_lock);
+ // status rewrite
+ p9_client_cb(m->client, req, REQ_STATUS_ERROR)
+ // first remove
+ list_del(&req->req_list);
+ ...
+
+ spin_lock(&m->req_lock)
+ ...
+ // second remove
+ list_del(&req->req_list);
+ spin_unlock(&m->req_lock)
+ ...
+
+Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in
+p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem
+client where the req_list could be deleted simultaneously by both
+p9_read_work and p9_fd_cancelled functions, but for the case where req->status
+equals REQ_STATUS_RCVD.
+
+Update the check for req->status in p9_fd_cancelled to skip processing not
+just received requests, but anything that is not SENT, as whatever
+changed the state from SENT also removed the request from its list.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: afd8d6541155 ("9P: Add cancelled() to the transport functions.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nalivayko Sergey <Sergey.Nalivayko@kaspersky.com>
+Message-ID: <20250715154815.3501030-1-Sergey.Nalivayko@kaspersky.com>
+[updated the check from status == RECV || status == ERROR to status != SENT]
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/trans_fd.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -726,10 +726,10 @@ static int p9_fd_cancelled(struct p9_cli
+ p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req);
+
+ spin_lock(&m->req_lock);
+- /* Ignore cancelled request if message has been received
+- * before lock.
+- */
+- if (req->status == REQ_STATUS_RCVD) {
++ /* Ignore cancelled request if status changed since the request was
++ * processed in p9_client_flush()
++ */
++ if (req->status != REQ_STATUS_SENT) {
+ spin_unlock(&m->req_lock);
+ return 0;
+ }
--- /dev/null
+From de4cbd704731778a2dc833ce5a24b38e5d672c05 Mon Sep 17 00:00:00 2001
+From: Ankit Khushwaha <ankitkhushwaha.linux@gmail.com>
+Date: Wed, 8 Oct 2025 22:55:16 +0530
+Subject: ring buffer: Propagate __rb_map_vma return value to caller
+
+From: Ankit Khushwaha <ankitkhushwaha.linux@gmail.com>
+
+commit de4cbd704731778a2dc833ce5a24b38e5d672c05 upstream.
+
+The return value from `__rb_map_vma()`, which rejects writable or
+executable mappings (VM_WRITE, VM_EXEC, or !VM_MAYSHARE), was being
+ignored. As a result the caller of `__rb_map_vma` always returned 0
+even when the mapping had actually failed, allowing it to proceed
+with an invalid VMA.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Link: https://lore.kernel.org/20251008172516.20697-1-ankitkhushwaha.linux@gmail.com
+Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions")
+Reported-by: syzbot+ddc001b92c083dbf2b97@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?id=194151be8eaebd826005329b2e123aecae714bdb
+Signed-off-by: Ankit Khushwaha <ankitkhushwaha.linux@gmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ring_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -7273,7 +7273,7 @@ int ring_buffer_map(struct trace_buffer
+ atomic_dec(&cpu_buffer->resize_disabled);
+ }
+
+- return 0;
++ return err;
+ }
+
+ int ring_buffer_unmap(struct trace_buffer *buffer, int cpu)
revert-crypto-testmgr-desupport-sha-1-for-fips-140.patch
crypto-zstd-fix-compression-bug-caused-by-truncation.patch
crypto-rng-ensure-set_ent-is-always-present.patch
+net-9p-fix-double-req-put-in-p9_fd_cancelled.patch
+kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch
+f2fs-fix-to-do-sanity-check-on-node-footer-for-non-inode-dnode.patch
+ring-buffer-propagate-__rb_map_vma-return-value-to-caller.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
