6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 16 Oct 2025 12:06:08 +0000 (14:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 16 Oct 2025 12:06:08 +0000 (14:06 +0200)
added patches:
blk-crypto-fix-missing-blktrace-bio-split-events.patch
btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch

queue-6.1/blk-crypto-fix-missing-blktrace-bio-split-events.patch [new file with mode: 0644]
queue-6.1/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch [new file with mode: 0644]
queue-6.1/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/blk-crypto-fix-missing-blktrace-bio-split-events.patch b/queue-6.1/blk-crypto-fix-missing-blktrace-bio-split-events.patch
new file mode 100644 (file)
index 0000000..40ad6f8
--- /dev/null
@@ -0,0 +1,43 @@
+From 06d712d297649f48ebf1381d19bd24e942813b37 Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Wed, 10 Sep 2025 14:30:45 +0800
+Subject: blk-crypto: fix missing blktrace bio split events
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit 06d712d297649f48ebf1381d19bd24e942813b37 upstream.
+
+trace_block_split() is missing, resulting in blktrace inability to catch
+BIO split events and making it harder to analyze the BIO sequence.
+
+Cc: stable@vger.kernel.org
+Fixes: 488f6682c832 ("block: blk-crypto-fallback for Inline Encryption")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-crypto-fallback.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/block/blk-crypto-fallback.c
++++ b/block/blk-crypto-fallback.c
+@@ -18,6 +18,7 @@
+ #include <linux/module.h>
+ #include <linux/random.h>
+ #include <linux/scatterlist.h>
++#include <trace/events/block.h>
+ #include "blk-cgroup.h"
+ #include "blk-crypto-internal.h"
+@@ -229,7 +230,9 @@ static bool blk_crypto_fallback_split_bi
+                       bio->bi_status = BLK_STS_RESOURCE;
+                       return false;
+               }
++
+               bio_chain(split_bio, bio);
++              trace_block_split(split_bio, bio->bi_iter.bi_sector);
+               submit_bio_noacct(bio);
+               *bio_ptr = split_bio;
+       }
diff --git a/queue-6.1/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch b/queue-6.1/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
new file mode 100644 (file)
index 0000000..ba5e522
--- /dev/null
@@ -0,0 +1,71 @@
+From dff4f9ff5d7f289e4545cc936362e01ed3252742 Mon Sep 17 00:00:00 2001
+From: Anderson Nascimento <anderson@allelesecurity.com>
+Date: Mon, 8 Sep 2025 09:49:02 -0300
+Subject: btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
+
+From: Anderson Nascimento <anderson@allelesecurity.com>
+
+commit dff4f9ff5d7f289e4545cc936362e01ed3252742 upstream.
+
+The function btrfs_encode_fh() does not properly account for the three
+cases it handles.
+
+Before writing to the file handle (fh), the function only returns to the
+user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
+BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).
+
+However, when a parent exists and the root ID of the parent and the
+inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
+(10 dwords, 40 bytes).
+
+If *max_len is not large enough, this write goes out of bounds because
+BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
+BTRFS_FID_SIZE_CONNECTABLE originally returned.
+
+This results in an 8-byte out-of-bounds write at
+fid->parent_root_objectid = parent_root_id.
+
+A previous attempt to fix this issue was made but was lost.
+
+https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/
+
+Although this issue does not seem to be easily triggerable, it is a
+potential memory corruption bug that should be fixed. This patch
+resolves the issue by ensuring the function returns the appropriate size
+for all three cases and validates that *max_len is large enough before
+writing any data.
+
+Fixes: be6e8dc0ba84 ("NFS support for btrfs - v3")
+CC: stable@vger.kernel.org # 3.0+
+Signed-off-by: Anderson Nascimento <anderson@allelesecurity.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/export.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/export.c
++++ b/fs/btrfs/export.c
+@@ -22,7 +22,11 @@ static int btrfs_encode_fh(struct inode
+       int type;
+       if (parent && (len < BTRFS_FID_SIZE_CONNECTABLE)) {
+-              *max_len = BTRFS_FID_SIZE_CONNECTABLE;
++              if (btrfs_root_id(BTRFS_I(inode)->root) !=
++                  btrfs_root_id(BTRFS_I(parent)->root))
++                      *max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
++              else
++                      *max_len = BTRFS_FID_SIZE_CONNECTABLE;
+               return FILEID_INVALID;
+       } else if (len < BTRFS_FID_SIZE_NON_CONNECTABLE) {
+               *max_len = BTRFS_FID_SIZE_NON_CONNECTABLE;
+@@ -44,6 +48,8 @@ static int btrfs_encode_fh(struct inode
+               parent_root_id = BTRFS_I(parent)->root->root_key.objectid;
+               if (parent_root_id != fid->root_objectid) {
++                      if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT)
++                              return FILEID_INVALID;
+                       fid->parent_root_objectid = parent_root_id;
+                       len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
+                       type = FILEID_BTRFS_WITH_PARENT_ROOT;
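Review bot: The guard added in the second inner hunk, `if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT) return FILEID_INVALID;`, returns without updating `*max_len`, unlike the early-exit branches in the first hunk, which store the required size before returning FILEID_INVALID. A caller that passes 8 or 9 dwords with a parent in a different root gets past the first check and then receives FILEID_INVALID with `*max_len` unchanged, so it cannot learn that 10 dwords are needed. Setting `*max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;` before that return (with braces around the two statements) would keep all three size cases consistent. Separately, the added lines call `btrfs_root_id()` while a context line in the same function still reads `BTRFS_I(parent)->root->root_key.objectid`, so it is worth confirming that the helper exists in the 6.1 tree before queuing. The body of btrfs_encode_fh starts and ends outside both hunks.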
diff --git a/queue-6.1/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch b/queue-6.1/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
new file mode 100644 (file)
index 0000000..1c04792
--- /dev/null
@@ -0,0 +1,53 @@
+From d0856a6dff57f95cc5d2d74e50880f01697d0cc4 Mon Sep 17 00:00:00 2001
+From: Adam Xue <zxue@semtech.com>
+Date: Fri, 5 Sep 2025 10:41:18 -0700
+Subject: bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup()
+
+From: Adam Xue <zxue@semtech.com>
+
+commit d0856a6dff57f95cc5d2d74e50880f01697d0cc4 upstream.
+
+In mhi_init_irq_setup, the device pointer used for dev_err() was not
+initialized. Use the pointer from mhi_cntrl instead.
+
+Fixes: b0fc0167f254 ("bus: mhi: core: Allow shared IRQ for event rings")
+Fixes: 3000f85b8f47 ("bus: mhi: core: Add support for basic PM operations")
+Signed-off-by: Adam Xue <zxue@semtech.com>
+[mani: reworded subject/description and CCed stable]
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250905174118.38512-1-zxue@semtech.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/mhi/host/init.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/mhi/host/init.c
++++ b/drivers/bus/mhi/host/init.c
+@@ -164,7 +164,6 @@ void mhi_deinit_free_irq(struct mhi_cont
+ int mhi_init_irq_setup(struct mhi_controller *mhi_cntrl)
+ {
+       struct mhi_event *mhi_event = mhi_cntrl->mhi_event;
+-      struct device *dev = &mhi_cntrl->mhi_dev->dev;
+       unsigned long irq_flags = IRQF_SHARED | IRQF_NO_SUSPEND;
+       int i, ret;
+@@ -191,7 +190,7 @@ int mhi_init_irq_setup(struct mhi_contro
+                       continue;
+               if (mhi_event->irq >= mhi_cntrl->nr_irqs) {
+-                      dev_err(dev, "irq %d not available for event ring\n",
++                      dev_err(mhi_cntrl->cntrl_dev, "irq %d not available for event ring\n",
+                               mhi_event->irq);
+                       ret = -EINVAL;
+                       goto error_request;
+@@ -202,7 +201,7 @@ int mhi_init_irq_setup(struct mhi_contro
+                                 irq_flags,
+                                 "mhi", mhi_event);
+               if (ret) {
+-                      dev_err(dev, "Error requesting irq:%d for ev:%d\n",
++                      dev_err(mhi_cntrl->cntrl_dev, "Error requesting irq:%d for ev:%d\n",
+                               mhi_cntrl->irq[mhi_event->irq], i);
+                       goto error_request;
+               }
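Review bot: Both rewritten dev_err() calls in mhi_init_irq_setup() now repeat `mhi_cntrl->cntrl_dev` and push the line well past 80 columns. Keeping the local and changing only its initializer, `struct device *dev = mhi_cntrl->cntrl_dev;`, would remove the bad pointer with a one-line change and leave both call sites untouched. The removed initializer computed `&mhi_cntrl->mhi_dev->dev`, so any other function in this file that derives its device from `mhi_dev` before that field is set would presumably have the same problem; none is visible in these hunks. The function continues outside the hunks shown.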
index b96e02b21924243f1a125c4c828749cffe350c8f..0450d3c6e467df48e3a29ed845898cfcae206f27 100644 (file)
@@ -67,3 +67,6 @@ media-mc-fix-must_connect-handling-for-pads-with-no-links.patch
 media-pci-ivtv-add-missing-check-after-dma-map.patch
 media-lirc-fix-error-handling-in-lirc_register.patch
 drm-nouveau-fix-bad-ret-code-in-nouveau_bo_move_prep.patch
+blk-crypto-fix-missing-blktrace-bio-split-events.patch
+btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
+bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch