6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Sep 2025 12:34:16 +0000 (14:34 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Sep 2025 12:34:16 +0000 (14:34 +0200)
added patches:
ima-limit-the-number-of-tomtou-integrity-violations.patch
kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch
media-i2c-imx214-fix-link-frequency-validation.patch
net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch
nfsd-fix-a-regression-in-nfsd_setattr.patch
nfsd-nfsd_unlink-clobbers-non-zero-status-returned-from-fh_fill_pre_attrs.patch

queue-6.6/ima-limit-the-number-of-tomtou-integrity-violations.patch [new file with mode: 0644]
queue-6.6/kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch [new file with mode: 0644]
queue-6.6/media-i2c-imx214-fix-link-frequency-validation.patch [new file with mode: 0644]
queue-6.6/net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch [new file with mode: 0644]
queue-6.6/nfsd-fix-a-regression-in-nfsd_setattr.patch [new file with mode: 0644]
queue-6.6/nfsd-nfsd_unlink-clobbers-non-zero-status-returned-from-fh_fill_pre_attrs.patch [new file with mode: 0644]
queue-6.6/series

diff --git a/queue-6.6/ima-limit-the-number-of-tomtou-integrity-violations.patch b/queue-6.6/ima-limit-the-number-of-tomtou-integrity-violations.patch
new file mode 100644 (file)
index 0000000..21070f4
--- /dev/null
@@ -0,0 +1,83 @@
+From stable+bounces-178946-greg=kroah.com@vger.kernel.org Mon Sep  8 20:02:00 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  8 Sep 2025 14:01:51 -0400
+Subject: ima: limit the number of ToMToU integrity violations
+To: stable@vger.kernel.org
+Cc: Mimi Zohar <zohar@linux.ibm.com>, Stefan Berger <stefanb@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>, Roberto Sassu <roberto.sassu@huawei.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250908180151.1333407-1-sashal@kernel.org>
+
+From: Mimi Zohar <zohar@linux.ibm.com>
+
+[ Upstream commit a414016218ca97140171aa3bb926b02e1f68c2cc ]
+
+Each time a file in policy, that is already opened for read, is opened
+for write, a Time-of-Measure-Time-of-Use (ToMToU) integrity violation
+audit message is emitted and a violation record is added to the IMA
+measurement list.  This occurs even if a ToMToU violation has already
+been recorded.
+
+Limit the number of ToMToU integrity violations per file open for read.
+
+Note: The IMA_MAY_EMIT_TOMTOU atomic flag must be set from the reader
+side based on policy.  This may result in a per file open for read
+ToMToU violation.
+
+Since IMA_MUST_MEASURE is only used for violations, rename the atomic
+IMA_MUST_MEASURE flag to IMA_MAY_EMIT_TOMTOU.
+
+Cc: stable@vger.kernel.org # applies cleanly up to linux-6.6
+Tested-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Tested-by: Petr Vorel <pvorel@suse.cz>
+Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+[ adapted IMA flag definitions location from ima.h to integrity.h ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/integrity/ima/ima_main.c |   16 +++++++++++-----
+ security/integrity/integrity.h    |    3 ++-
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -128,16 +128,22 @@ static void ima_rdwr_violation_check(str
+               if (atomic_read(&inode->i_readcount) && IS_IMA(inode)) {
+                       if (!iint)
+                               iint = integrity_iint_find(inode);
++
+                       /* IMA_MEASURE is set from reader side */
+-                      if (iint && test_bit(IMA_MUST_MEASURE,
+-                                              &iint->atomic_flags))
++                      if (iint && test_and_clear_bit(IMA_MAY_EMIT_TOMTOU,
++                                                     &iint->atomic_flags))
+                               send_tomtou = true;
+               }
+       } else {
+               if (must_measure)
+-                      set_bit(IMA_MUST_MEASURE, &iint->atomic_flags);
+-              if (inode_is_open_for_write(inode) && must_measure)
+-                      send_writers = true;
++                      set_bit(IMA_MAY_EMIT_TOMTOU, &iint->atomic_flags);
++
++              /* Limit number of open_writers violations */
++              if (inode_is_open_for_write(inode) && must_measure) {
++                      if (!test_and_set_bit(IMA_EMITTED_OPENWRITERS,
++                                            &iint->atomic_flags))
++                              send_writers = true;
++              }
+       }
+       if (!send_tomtou && !send_writers)
+--- a/security/integrity/integrity.h
++++ b/security/integrity/integrity.h
+@@ -74,7 +74,8 @@
+ #define IMA_UPDATE_XATTR      1
+ #define IMA_CHANGE_ATTR               2
+ #define IMA_DIGSIG            3
+-#define IMA_MUST_MEASURE      4
++#define IMA_MAY_EMIT_TOMTOU   4
++#define IMA_EMITTED_OPENWRITERS       5
+ enum evm_ima_xattr_type {
+       IMA_XATTR_DIGEST = 0x01,
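Review bot: IMA_EMITTED_OPENWRITERS is set with test_and_set_bit() in the reader-side branch when the inode is already open for write, but nothing in this hunk ever clears it, so with this hunk alone the first open-writers violation recorded for an inode suppresses every later one for the life of the iint; if the 6.6 tree does not carry the matching clear at last-writer close, that is a loss of audit coverage rather than rate limiting and is worth confirming when the backport is applied. The commit message only describes the ToMToU limit, so the open-writers limit deserves a sentence there too. The comment `/* IMA_MEASURE is set from reader side */` kept above the renamed test is now stale; `/* IMA_MAY_EMIT_TOMTOU is set from the reader side and consumed once here */` matches the new code. ima_rdwr_violation_check() starts before the hunk.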
diff --git a/queue-6.6/kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch b/queue-6.6/kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch
new file mode 100644 (file)
index 0000000..487aa00
--- /dev/null
@@ -0,0 +1,79 @@
+From stable+bounces-179196-greg=kroah.com@vger.kernel.org Wed Sep 10 13:53:55 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Sep 2025 07:53:46 -0400
+Subject: kasan: fix GCC mem-intrinsic prefix with sw tags
+To: stable@vger.kernel.org
+Cc: Ada Couprie Diaz <ada.coupriediaz@arm.com>, Yeoreum Yun <yeoreum.yun@arm.com>, Alexander Potapenko <glider@google.com>, Andrey Konovalov <andreyknvl@gmail.com>, Andrey Ryabinin <ryabinin.a.a@gmail.com>, Dmitriy Vyukov <dvyukov@google.com>, Marco Elver <elver@google.com>, Marc Rutland <mark.rutland@arm.com>, Michael Ellerman <mpe@ellerman.id.au>, Nathan Chancellor <nathan@kernel.org>, Vincenzo Frascino <vincenzo.frascino@arm.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250910115346.3588109-1-sashal@kernel.org>
+
+From: Ada Couprie Diaz <ada.coupriediaz@arm.com>
+
+[ Upstream commit 51337a9a3a404fde0f5337662ffc7699793dfeb5 ]
+
+GCC doesn't support "hwasan-kernel-mem-intrinsic-prefix", only
+"asan-kernel-mem-intrinsic-prefix"[0], while LLVM supports both.  This is
+already taken into account when checking
+"CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX", but not in the KASAN Makefile
+adding those parameters when "CONFIG_KASAN_SW_TAGS" is enabled.
+
+Replace the version check with "CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX",
+which already validates that mem-intrinsic prefix parameter can be used,
+and choose the correct name depending on compiler.
+
+GCC 13 and above trigger "CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX" which
+prevents `mem{cpy,move,set}()` being redefined in "mm/kasan/shadow.c"
+since commit 36be5cba99f6 ("kasan: treat meminstrinsic as builtins in
+uninstrumented files"), as we expect the compiler to prefix those calls
+with `__(hw)asan_` instead.  But as the option passed to GCC has been
+incorrect, the compiler has not been emitting those prefixes, effectively
+never calling the instrumented versions of `mem{cpy,move,set}()` with
+"CONFIG_KASAN_SW_TAGS" enabled.
+
+If "CONFIG_FORTIFY_SOURCES" is enabled, this issue would be mitigated as
+it redefines `mem{cpy,move,set}()` and properly aliases the
+`__underlying_mem*()` that will be called to the instrumented versions.
+
+Link: https://lkml.kernel.org/r/20250821120735.156244-1-ada.coupriediaz@arm.com
+Link: https://gcc.gnu.org/onlinedocs/gcc-13.4.0/gcc/Optimize-Options.html [0]
+Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
+Fixes: 36be5cba99f6 ("kasan: treat meminstrinsic as builtins in uninstrumented files")
+Reviewed-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Cc: Alexander Potapenko <glider@google.com>
+Cc: Andrey Konovalov <andreyknvl@gmail.com>
+Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
+Cc: Dmitriy Vyukov <dvyukov@google.com>
+Cc: Marco Elver <elver@google.com>
+Cc: Marc Rutland <mark.rutland@arm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+[ kasan_params => CFLAGS_KASAN ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/Makefile.kasan |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/scripts/Makefile.kasan
++++ b/scripts/Makefile.kasan
+@@ -68,10 +68,14 @@ CFLAGS_KASAN := -fsanitize=kernel-hwaddr
+               $(call cc-param,hwasan-inline-all-checks=0) \
+               $(instrumentation_flags)
+-# Instrument memcpy/memset/memmove calls by using instrumented __hwasan_mem*().
+-ifeq ($(call clang-min-version, 150000)$(call gcc-min-version, 130000),y)
+-CFLAGS_KASAN += $(call cc-param,hwasan-kernel-mem-intrinsic-prefix=1)
+-endif
++# Instrument memcpy/memset/memmove calls by using instrumented __(hw)asan_mem*().
++ifdef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX
++      ifdef CONFIG_CC_IS_GCC
++              CFLAGS_KASAN += $(call cc-param,asan-kernel-mem-intrinsic-prefix=1)
++      else
++              CFLAGS_KASAN += $(call cc-param,hwasan-kernel-mem-intrinsic-prefix=1)
++      endif
++endif # CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX
+ endif # CONFIG_KASAN_SW_TAGS
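Review bot: The `else` branch of the new `ifdef CONFIG_CC_IS_GCC` block hands the `hwasan-` spelling to any compiler that is not GCC, which is right for the compilers Kbuild supports but is not stated in the Makefile; the rationale lives only in the commit message. A comment such as `# GCC only knows asan-kernel-mem-intrinsic-prefix; LLVM accepts the hwasan- form` above the inner ifdef would stop the next reader from "fixing" it back to a single spelling. The CFLAGS_KASAN assignment this extends starts before the hunk.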
diff --git a/queue-6.6/media-i2c-imx214-fix-link-frequency-validation.patch b/queue-6.6/media-i2c-imx214-fix-link-frequency-validation.patch
new file mode 100644 (file)
index 0000000..90baa6b
--- /dev/null
@@ -0,0 +1,90 @@
+From stable+bounces-178960-greg=kroah.com@vger.kernel.org Mon Sep  8 21:49:41 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  8 Sep 2025 15:49:31 -0400
+Subject: media: i2c: imx214: Fix link frequency validation
+To: stable@vger.kernel.org
+Cc: "André Apitzsch" <git@apitzsch.eu>, "Ricardo Ribalda" <ribalda@chromium.org>, "Sakari Ailus" <sakari.ailus@linux.intel.com>, "Hans Verkuil" <hverkuil@xs4all.nl>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250908194931.2306968-1-sashal@kernel.org>
+
+From: André Apitzsch <git@apitzsch.eu>
+
+[ Upstream commit acc294519f1749041e1b8c74d46bbf6c57d8b061 ]
+
+The driver defines IMX214_DEFAULT_LINK_FREQ 480000000, and then
+IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10),
+which works out as 384MPix/s. (The 8 is 4 lanes and DDR.)
+
+Parsing the PLL registers with the defined 24MHz input. We're in single
+PLL mode, so MIPI frequency is directly linked to pixel rate.  VTCK ends
+up being 1200MHz, and VTPXCK and OPPXCK both are 120MHz.  Section 5.3
+"Frame rate calculation formula" says "Pixel rate
+[pixels/s] = VTPXCK [MHz] * 4", so 120 * 4 = 480MPix/s, which basically
+agrees with my number above.
+
+3.1.4. MIPI global timing setting says "Output bitrate = OPPXCK * reg
+0x113[7:0]", so 120MHz * 10, or 1200Mbit/s. That would be a link
+frequency of 600MHz due to DDR.
+That also matches to 480MPix/s * 10bpp / 4 lanes / 2 for DDR.
+
+Keep the previous link frequency for backward compatibility.
+
+Acked-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: André Apitzsch <git@apitzsch.eu>
+Fixes: 436190596241 ("media: imx214: Add imx214 camera sensor driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[ changed dev_err() to dev_err_probe() for the final error case ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/imx214.c |   27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/i2c/imx214.c
++++ b/drivers/media/i2c/imx214.c
+@@ -20,7 +20,9 @@
+ #include <media/v4l2-subdev.h>
+ #define IMX214_DEFAULT_CLK_FREQ       24000000
+-#define IMX214_DEFAULT_LINK_FREQ 480000000
++#define IMX214_DEFAULT_LINK_FREQ      600000000
++/* Keep wrong link frequency for backward compatibility */
++#define IMX214_DEFAULT_LINK_FREQ_LEGACY       480000000
+ #define IMX214_DEFAULT_PIXEL_RATE ((IMX214_DEFAULT_LINK_FREQ * 8LL) / 10)
+ #define IMX214_FPS 30
+ #define IMX214_MBUS_CODE MEDIA_BUS_FMT_SRGGB10_1X10
+@@ -892,17 +894,26 @@ static int imx214_parse_fwnode(struct de
+               goto done;
+       }
+-      for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++)
++      if (bus_cfg.nr_of_link_frequencies != 1)
++              dev_warn(dev, "Only one link-frequency supported, please review your DT. Continuing anyway\n");
++
++      for (i = 0; i < bus_cfg.nr_of_link_frequencies; i++) {
+               if (bus_cfg.link_frequencies[i] == IMX214_DEFAULT_LINK_FREQ)
+                       break;
+-
+-      if (i == bus_cfg.nr_of_link_frequencies) {
+-              dev_err(dev, "link-frequencies %d not supported, Please review your DT\n",
+-                      IMX214_DEFAULT_LINK_FREQ);
+-              ret = -EINVAL;
+-              goto done;
++              if (bus_cfg.link_frequencies[i] ==
++                  IMX214_DEFAULT_LINK_FREQ_LEGACY) {
++                      dev_warn(dev,
++                               "link-frequencies %d not supported, please review your DT. Continuing anyway\n",
++                               IMX214_DEFAULT_LINK_FREQ);
++                      break;
++              }
+       }
++      if (i == bus_cfg.nr_of_link_frequencies)
++              ret = dev_err_probe(dev, -EINVAL,
++                                  "link-frequencies %d not supported, please review your DT\n",
++                                  IMX214_DEFAULT_LINK_FREQ);
++
+ done:
+       v4l2_fwnode_endpoint_free(&bus_cfg);
+       fwnode_handle_put(endpoint);
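Review bot: The legacy-frequency warning in the new `dev_warn()` passes IMX214_DEFAULT_LINK_FREQ (600000000) as the argument of `link-frequencies %d not supported`, so the log names the value the driver does support instead of the 480000000 it actually found in the DT, which will mislead whoever is asked to review that DT. Either pass IMX214_DEFAULT_LINK_FREQ_LEGACY there, or reword to `"link-frequency %d is deprecated, expected %d; please review your DT. Continuing anyway\n"` with both constants. The loop also breaks on the first match, so a DT listing the legacy value before the correct one still gets the warning; the `nr_of_link_frequencies != 1` warning added above covers that case. imx214_parse_fwnode() starts before the hunk and continues after it.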
diff --git a/queue-6.6/net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch b/queue-6.6/net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch
new file mode 100644 (file)
index 0000000..60c0848
--- /dev/null
@@ -0,0 +1,275 @@
+From stable+bounces-178948-greg=kroah.com@vger.kernel.org Mon Sep  8 20:17:03 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  8 Sep 2025 14:16:00 -0400
+Subject: net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
+To: stable@vger.kernel.org
+Cc: Kuniyuki Iwashima <kuniyu@amazon.com>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250908181600.1342061-1-sashal@kernel.org>
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 0bb2f7a1ad1f11d861f58e5ee5051c8974ff9569 ]
+
+When I ran the repro [0] and waited a few seconds, I observed two
+LOCKDEP splats: a warning immediately followed by a null-ptr-deref. [1]
+
+Reproduction Steps:
+
+  1) Mount CIFS
+  2) Add an iptables rule to drop incoming FIN packets for CIFS
+  3) Unmount CIFS
+  4) Unload the CIFS module
+  5) Remove the iptables rule
+
+At step 3), the CIFS module calls sock_release() for the underlying
+TCP socket, and it returns quickly.  However, the socket remains in
+FIN_WAIT_1 because incoming FIN packets are dropped.
+
+At this point, the module's refcnt is 0 while the socket is still
+alive, so the following rmmod command succeeds.
+
+  # ss -tan
+  State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
+  FIN-WAIT-1 0      477        10.0.2.15:51062   10.0.0.137:445
+
+  # lsmod | grep cifs
+  cifs                 1159168  0
+
+This highlights a discrepancy between the lifetime of the CIFS module
+and the underlying TCP socket.  Even after CIFS calls sock_release()
+and it returns, the TCP socket does not die immediately in order to
+close the connection gracefully.
+
+While this is generally fine, it causes an issue with LOCKDEP because
+CIFS assigns a different lock class to the TCP socket's sk->sk_lock
+using sock_lock_init_class_and_name().
+
+Once an incoming packet is processed for the socket or a timer fires,
+sk->sk_lock is acquired.
+
+Then, LOCKDEP checks the lock context in check_wait_context(), where
+hlock_class() is called to retrieve the lock class.  However, since
+the module has already been unloaded, hlock_class() logs a warning
+and returns NULL, triggering the null-ptr-deref.
+
+If LOCKDEP is enabled, we must ensure that a module calling
+sock_lock_init_class_and_name() (CIFS, NFS, etc) cannot be unloaded
+while such a socket is still alive to prevent this issue.
+
+Let's hold the module reference in sock_lock_init_class_and_name()
+and release it when the socket is freed in sk_prot_free().
+
+Note that sock_lock_init() clears sk->sk_owner for svc_create_socket()
+that calls sock_lock_init_class_and_name() for a listening socket,
+which clones a socket by sk_clone_lock() without GFP_ZERO.
+
+[0]:
+CIFS_SERVER="10.0.0.137"
+CIFS_PATH="//${CIFS_SERVER}/Users/Administrator/Desktop/CIFS_TEST"
+DEV="enp0s3"
+CRED="/root/WindowsCredential.txt"
+
+MNT=$(mktemp -d /tmp/XXXXXX)
+mount -t cifs ${CIFS_PATH} ${MNT} -o vers=3.0,credentials=${CRED},cache=none,echo_interval=1
+
+iptables -A INPUT -s ${CIFS_SERVER} -j DROP
+
+for i in $(seq 10);
+do
+    umount ${MNT}
+    rmmod cifs
+    sleep 1
+done
+
+rm -r ${MNT}
+
+iptables -D INPUT -s ${CIFS_SERVER} -j DROP
+
+[1]:
+DEBUG_LOCKS_WARN_ON(1)
+WARNING: CPU: 10 PID: 0 at kernel/locking/lockdep.c:234 hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)
+Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]
+CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Not tainted 6.14.0 #36
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+RIP: 0010:hlock_class (kernel/locking/lockdep.c:234 kernel/locking/lockdep.c:223)
+...
+Call Trace:
+ <IRQ>
+ __lock_acquire (kernel/locking/lockdep.c:4853 kernel/locking/lockdep.c:5178)
+ lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)
+ _raw_spin_lock_nested (kernel/locking/spinlock.c:379)
+ tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)
+...
+
+BUG: kernel NULL pointer dereference, address: 00000000000000c4
+ PF: supervisor read access in kernel mode
+ PF: error_code(0x0000) - not-present page
+PGD 0
+Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
+CPU: 10 UID: 0 PID: 0 Comm: swapper/10 Tainted: G        W          6.14.0 #36
+Tainted: [W]=WARN
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+RIP: 0010:__lock_acquire (kernel/locking/lockdep.c:4852 kernel/locking/lockdep.c:5178)
+Code: 15 41 09 c7 41 8b 44 24 20 25 ff 1f 00 00 41 09 c7 8b 84 24 a0 00 00 00 45 89 7c 24 20 41 89 44 24 24 e8 e1 bc ff ff 4c 89 e7 <44> 0f b6 b8 c4 00 00 00 e8 d1 bc ff ff 0f b6 80 c5 00 00 00 88 44
+RSP: 0018:ffa0000000468a10 EFLAGS: 00010046
+RAX: 0000000000000000 RBX: ff1100010091cc38 RCX: 0000000000000027
+RDX: ff1100081f09ca48 RSI: 0000000000000001 RDI: ff1100010091cc88
+RBP: ff1100010091c200 R08: ff1100083fe6e228 R09: 00000000ffffbfff
+R10: ff1100081eca0000 R11: ff1100083fe10dc0 R12: ff1100010091cc88
+R13: 0000000000000001 R14: 0000000000000000 R15: 00000000000424b1
+FS:  0000000000000000(0000) GS:ff1100081f080000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000000000c4 CR3: 0000000002c4a003 CR4: 0000000000771ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ <IRQ>
+ lock_acquire (kernel/locking/lockdep.c:469 kernel/locking/lockdep.c:5853 kernel/locking/lockdep.c:5816)
+ _raw_spin_lock_nested (kernel/locking/spinlock.c:379)
+ tcp_v4_rcv (./include/linux/skbuff.h:1678 ./include/net/tcp.h:2547 net/ipv4/tcp_ipv4.c:2350)
+ ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1))
+ ip_local_deliver_finish (./include/linux/rcupdate.h:878 net/ipv4/ip_input.c:234)
+ ip_sublist_rcv_finish (net/ipv4/ip_input.c:576)
+ ip_list_rcv_finish (net/ipv4/ip_input.c:628)
+ ip_list_rcv (net/ipv4/ip_input.c:670)
+ __netif_receive_skb_list_core (net/core/dev.c:5939 net/core/dev.c:5986)
+ netif_receive_skb_list_internal (net/core/dev.c:6040 net/core/dev.c:6129)
+ napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:519 ./include/net/gro.h:514 net/core/dev.c:6496)
+ e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3815)
+ __napi_poll.constprop.0 (net/core/dev.c:7191)
+ net_rx_action (net/core/dev.c:7262 net/core/dev.c:7382)
+ handle_softirqs (kernel/softirq.c:561)
+ __irq_exit_rcu (kernel/softirq.c:596 kernel/softirq.c:435 kernel/softirq.c:662)
+ irq_exit_rcu (kernel/softirq.c:680)
+ common_interrupt (arch/x86/kernel/irq.c:280 (discriminator 14))
+  </IRQ>
+ <TASK>
+ asm_common_interrupt (./arch/x86/include/asm/idtentry.h:693)
+RIP: 0010:default_idle (./arch/x86/include/asm/irqflags.h:37 ./arch/x86/include/asm/irqflags.h:92 arch/x86/kernel/process.c:744)
+Code: 4c 01 c7 4c 29 c2 e9 72 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d c3 2b 15 00 fb f4 <fa> c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
+RSP: 0018:ffa00000000ffee8 EFLAGS: 00000202
+RAX: 000000000000640b RBX: ff1100010091c200 RCX: 0000000000061aa4
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff812f30c5
+RBP: 000000000000000a R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000002 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+ ? do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325)
+ default_idle_call (./include/linux/cpuidle.h:143 kernel/sched/idle.c:118)
+ do_idle (kernel/sched/idle.c:186 kernel/sched/idle.c:325)
+ cpu_startup_entry (kernel/sched/idle.c:422 (discriminator 1))
+ start_secondary (arch/x86/kernel/smpboot.c:315)
+ common_startup_64 (arch/x86/kernel/head_64.S:421)
+ </TASK>
+Modules linked in: cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]
+CR2: 00000000000000c4
+
+Fixes: ed07536ed673 ("[PATCH] lockdep: annotate nfs/nfsd in-kernel sockets")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250407163313.22682-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/sock.h |   40 ++++++++++++++++++++++++++++++++++++++--
+ net/core/sock.c    |    5 +++++
+ 2 files changed, 43 insertions(+), 2 deletions(-)
+
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -353,6 +353,8 @@ struct sk_filter;
+   *   @sk_txtime_unused: unused txtime flags
+   *   @ns_tracker: tracker for netns reference
+   *   @sk_bind2_node: bind node in the bhash2 table
++  *   @sk_owner: reference to the real owner of the socket that calls
++  *              sock_lock_init_class_and_name().
+   */
+ struct sock {
+       /*
+@@ -545,6 +547,10 @@ struct sock {
+       struct rcu_head         sk_rcu;
+       netns_tracker           ns_tracker;
+       struct hlist_node       sk_bind2_node;
++
++#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES)
++      struct module           *sk_owner;
++#endif
+ };
+ enum sk_pacing {
+@@ -1699,6 +1705,35 @@ static inline void sk_mem_uncharge(struc
+       sk_mem_reclaim(sk);
+ }
++#if IS_ENABLED(CONFIG_PROVE_LOCKING) && IS_ENABLED(CONFIG_MODULES)
++static inline void sk_owner_set(struct sock *sk, struct module *owner)
++{
++      __module_get(owner);
++      sk->sk_owner = owner;
++}
++
++static inline void sk_owner_clear(struct sock *sk)
++{
++      sk->sk_owner = NULL;
++}
++
++static inline void sk_owner_put(struct sock *sk)
++{
++      module_put(sk->sk_owner);
++}
++#else
++static inline void sk_owner_set(struct sock *sk, struct module *owner)
++{
++}
++
++static inline void sk_owner_clear(struct sock *sk)
++{
++}
++
++static inline void sk_owner_put(struct sock *sk)
++{
++}
++#endif
+ /*
+  * Macro so as to not evaluate some arguments when
+  * lockdep is not enabled.
+@@ -1708,13 +1743,14 @@ static inline void sk_mem_uncharge(struc
+  */
+ #define sock_lock_init_class_and_name(sk, sname, skey, name, key)     \
+ do {                                                                  \
++      sk_owner_set(sk, THIS_MODULE);                                  \
+       sk->sk_lock.owned = 0;                                          \
+       init_waitqueue_head(&sk->sk_lock.wq);                           \
+       spin_lock_init(&(sk)->sk_lock.slock);                           \
+       debug_check_no_locks_freed((void *)&(sk)->sk_lock,              \
+-                      sizeof((sk)->sk_lock));                         \
++                                 sizeof((sk)->sk_lock));              \
+       lockdep_set_class_and_name(&(sk)->sk_lock.slock,                \
+-                              (skey), (sname));                               \
++                                 (skey), (sname));                    \
+       lockdep_init_map(&(sk)->sk_lock.dep_map, (name), (key), 0);     \
+ } while (0)
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2029,6 +2029,8 @@ lenout:
+  */
+ static inline void sock_lock_init(struct sock *sk)
+ {
++      sk_owner_clear(sk);
++
+       if (sk->sk_kern_sock)
+               sock_lock_init_class_and_name(
+                       sk,
+@@ -2124,6 +2126,9 @@ static void sk_prot_free(struct proto *p
+       cgroup_sk_free(&sk->sk_cgrp_data);
+       mem_cgroup_sk_free(sk);
+       security_sk_free(sk);
++
++      sk_owner_put(sk);
++
+       if (slab != NULL)
+               kmem_cache_free(slab, sk);
+       else
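Review bot: sk_owner_set() in the new sock.h block stores `owner` over whatever sk->sk_owner already held without a module_put() of the previous value, so a second sock_lock_init_class_and_name() on the same socket from a module would leave the first module pinned for good; sock_lock_init() clearing the field is the only reset visible here. Whether any caller re-initialises an already-owned socket cannot be seen in the hunk, so at minimum make the invariant explicit with `WARN_ON_ONCE(sk->sk_owner);` before `__module_get(owner);`, or a comment on sk_owner_set() stating the socket must not already carry an owner. The sk_owner_put() placement in sk_prot_free() looks right since it runs before the slab free. The struct sock definition and the sock.c functions touched here all start outside the hunk.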
diff --git a/queue-6.6/nfsd-fix-a-regression-in-nfsd_setattr.patch b/queue-6.6/nfsd-fix-a-regression-in-nfsd_setattr.patch
new file mode 100644 (file)
index 0000000..4b4ee37
--- /dev/null
@@ -0,0 +1,91 @@
+From stable+bounces-178998-greg=kroah.com@vger.kernel.org Tue Sep  9 02:36:51 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  8 Sep 2025 20:36:43 -0400
+Subject: nfsd: Fix a regression in nfsd_setattr()
+To: stable@vger.kernel.org
+Cc: Trond Myklebust <trond.myklebust@hammerspace.com>, Jeff Layton <jlayton@kernel.org>, NeilBrown <neilb@suse.de>, Chuck Lever <chuck.lever@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250909003644.2495376-1-sashal@kernel.org>
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 6412e44c40aaf8f1d7320b2099c5bdd6cb9126ac ]
+
+Commit bb4d53d66e4b ("NFSD: use (un)lock_inode instead of
+fh_(un)lock for file operations") broke the NFSv3 pre/post op
+attributes behaviour when doing a SETATTR rpc call by stripping out
+the calls to fh_fill_pre_attrs() and fh_fill_post_attrs().
+
+Fixes: bb4d53d66e4b ("NFSD: use (un)lock_inode instead of fh_(un)lock for file operations")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: NeilBrown <neilb@suse.de>
+Message-ID: <20240216012451.22725-1-trondmy@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Stable-dep-of: d7d8e3169b56 ("NFSD: nfsd_unlink() clobbers non-zero status returned from fh_fill_pre_attrs()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c |    4 ++++
+ fs/nfsd/vfs.c      |    9 +++++++--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1131,6 +1131,7 @@ nfsd4_setattr(struct svc_rqst *rqstp, st
+       };
+       struct inode *inode;
+       __be32 status = nfs_ok;
++      bool save_no_wcc;
+       int err;
+       if (setattr->sa_iattr.ia_valid & ATTR_SIZE) {
+@@ -1156,8 +1157,11 @@ nfsd4_setattr(struct svc_rqst *rqstp, st
+       if (status)
+               goto out;
++      save_no_wcc = cstate->current_fh.fh_no_wcc;
++      cstate->current_fh.fh_no_wcc = true;
+       status = nfsd_setattr(rqstp, &cstate->current_fh, &attrs,
+                               0, (time64_t)0);
++      cstate->current_fh.fh_no_wcc = save_no_wcc;
+       if (!status)
+               status = nfserrno(attrs.na_labelerr);
+       if (!status)
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -480,7 +480,7 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+       int             accmode = NFSD_MAY_SATTR;
+       umode_t         ftype = 0;
+       __be32          err;
+-      int             host_err;
++      int             host_err = 0;
+       bool            get_write_count;
+       bool            size_change = (iap->ia_valid & ATTR_SIZE);
+       int             retries;
+@@ -538,6 +538,9 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+       }
+       inode_lock(inode);
++      err = fh_fill_pre_attrs(fhp);
++      if (err)
++              goto out_unlock;
+       for (retries = 1;;) {
+               struct iattr attrs;
+@@ -565,13 +568,15 @@ nfsd_setattr(struct svc_rqst *rqstp, str
+               attr->na_aclerr = set_posix_acl(&nop_mnt_idmap,
+                                               dentry, ACL_TYPE_DEFAULT,
+                                               attr->na_dpacl);
++      fh_fill_post_attrs(fhp);
++out_unlock:
+       inode_unlock(inode);
+       if (size_change)
+               put_write_access(inode);
+ out:
+       if (!host_err)
+               host_err = commit_metadata(fhp);
+-      return nfserrno(host_err);
++      return err != 0 ? err : nfserrno(host_err);
+ }
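Review bot: The new `return err != 0 ? err : nfserrno(host_err);` spells the same test that the companion nfsd_unlink() patch writes as `err != nfs_ok`; since err is __be32, `nfs_ok` is the clearer spelling and the two backports should agree. On the new fh_fill_pre_attrs() failure path host_err is still 0, so `out:` calls commit_metadata(fhp) for an update that never happened — harmless as far as the hunk shows, but if that is unintended, guarding it with `if (!err && !host_err)` avoids it. nfsd_setattr() starts before the hunk.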
+ #if defined(CONFIG_NFSD_V4)
diff --git a/queue-6.6/nfsd-nfsd_unlink-clobbers-non-zero-status-returned-from-fh_fill_pre_attrs.patch b/queue-6.6/nfsd-nfsd_unlink-clobbers-non-zero-status-returned-from-fh_fill_pre_attrs.patch
new file mode 100644 (file)
index 0000000..b26d7cb
--- /dev/null
@@ -0,0 +1,44 @@
+From stable+bounces-178999-greg=kroah.com@vger.kernel.org Tue Sep  9 02:36:52 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon,  8 Sep 2025 20:36:44 -0400
+Subject: NFSD: nfsd_unlink() clobbers non-zero status returned from fh_fill_pre_attrs()
+To: stable@vger.kernel.org
+Cc: Chuck Lever <chuck.lever@oracle.com>, Jeff Layton <jlayton@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250909003644.2495376-2-sashal@kernel.org>
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+[ Upstream commit d7d8e3169b56e7696559a2427c922c0d55debcec ]
+
+If fh_fill_pre_attrs() returns a non-zero status, the error flow
+takes it through out_unlock, which then overwrites the returned
+status code with
+
+       err = nfserrno(host_err);
+
+Fixes: a332018a91c4 ("nfsd: handle failure to collect pre/post-op attrs more sanely")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+[ Slightly different error mapping ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/vfs.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -1970,11 +1970,9 @@ out_nfserr:
+                       err = nfserr_file_open;
+               else
+                       err = nfserr_acces;
+-      } else {
+-              err = nfserrno(host_err);
+       }
+ out:
+-      return err;
++      return err != nfs_ok ? err : nfserrno(host_err);
+ out_unlock:
+       inode_unlock(dirp);
+       goto out_drop_write;
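Review bot: The new `return err != nfs_ok ? err : nfserrno(host_err);` at `out:` now maps any leftover host_err whenever err is nfs_ok, so every success path into out: must arrive with host_err == 0 and every failure path with either err or host_err set; the earlier part of nfsd_unlink() where host_err is assigned is outside the hunk, so that cannot be checked here and is worth verifying given the `[ Slightly different error mapping ]` note in the backport. A one-line comment at the return, `/* a non-zero err wins; otherwise map the saved host_err */`, would record the intent for the next backport. nfsd_unlink() starts before the hunk and its out_drop_write label lies after it.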
index db6474c27c8a0f88e29ce71e65515571cfe1083a..97e8dc1e5ac511af609ff5f7c7de18b59bb356e8 100644 (file)
@@ -1,2 +1,8 @@
 kunit-kasan_test-disable-fortify-string-checker-on-kasan_strings-test.patch
 mm-introduce-and-use-pgd-p4d-_populate_kernel.patch
+kasan-fix-gcc-mem-intrinsic-prefix-with-sw-tags.patch
+nfsd-fix-a-regression-in-nfsd_setattr.patch
+nfsd-nfsd_unlink-clobbers-non-zero-status-returned-from-fh_fill_pre_attrs.patch
+media-i2c-imx214-fix-link-frequency-validation.patch
+net-fix-null-ptr-deref-by-sock_lock_init_class_and_name-and-rmmod.patch
+ima-limit-the-number-of-tomtou-integrity-violations.patch