From: Greg Kroah-Hartman Date: Tue, 4 Feb 2025 17:58:00 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.6.76~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0fe9ec514968aae45dba0bee1c940d8cc114b397;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: btrfs-output-the-reason-for-open_ctree-failure.patch media-uvcvideo-fix-double-free-in-error-path.patch usb-gadget-f_tcm-don-t-free-command-immediately.patch --- diff --git a/queue-5.10/btrfs-output-the-reason-for-open_ctree-failure.patch b/queue-5.10/btrfs-output-the-reason-for-open_ctree-failure.patch new file mode 100644 index 0000000000..d179beef40 --- /dev/null +++ b/queue-5.10/btrfs-output-the-reason-for-open_ctree-failure.patch 
@@ -0,0 +1,46 @@ +From d0f038104fa37380e2a725e669508e43d0c503e9 Mon Sep 17 00:00:00 2001 +From: Qu Wenruo +Date: Tue, 10 Dec 2024 15:23:06 +1030 +Subject: btrfs: output the reason for open_ctree() failure + +From: Qu Wenruo + +commit d0f038104fa37380e2a725e669508e43d0c503e9 upstream. + +There is a recent ML report that mounting a large fs backed by hardware +RAID56 controller (with one device missing) took too much time, and +systemd seems to kill the mount attempt. + +In that case, the only error message is: + + BTRFS error (device sdj): open_ctree failed + +There is no reason on why the failure happened, making it very hard to +understand the reason. + +At least output the error number (in the particular case it should be +-EINTR) to provide some clue. + +Link: https://lore.kernel.org/linux-btrfs/9b9c4d2810abcca2f9f76e32220ed9a90febb235.camel@scientia.org/ +Reported-by: Christoph Anton Mitterer +Cc: stable@vger.kernel.org +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -1340,7 +1340,7 @@ static int btrfs_fill_super(struct super + + err = open_ctree(sb, fs_devices, (char *)data); + if (err) { +- btrfs_err(fs_info, "open_ctree failed"); ++ btrfs_err(fs_info, "open_ctree failed: %d", err); + return err; + } + diff --git a/queue-5.10/media-uvcvideo-fix-double-free-in-error-path.patch b/queue-5.10/media-uvcvideo-fix-double-free-in-error-path.patch new file mode 100644 index 0000000000..08d7ec4215 --- /dev/null +++ b/queue-5.10/media-uvcvideo-fix-double-free-in-error-path.patch 
@@ -0,0 +1,36 @@ +From c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Fri, 8 Nov 2024 01:51:30 +0200 +Subject: media: uvcvideo: Fix double free in error path + +From: Laurent Pinchart + +commit c6ef3a7fa97ec823a1e1af9085cf13db9f7b3bac upstream. + +If the uvc_status_init() function fails to allocate the int_urb, it will +free the dev->status pointer but doesn't reset the pointer to NULL. This +results in the kfree() call in uvc_status_cleanup() trying to +double-free the memory. Fix it by resetting the dev->status pointer to +NULL after freeing it. + +Fixes: a31a4055473b ("V4L/DVB:usbvideo:don't use part of buffer for USB transfer #4") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20241107235130.31372-1-laurent.pinchart@ideasonboard.com +Signed-off-by: Laurent Pinchart +Reviewed by: Ricardo Ribalda +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_status.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/usb/uvc/uvc_status.c ++++ b/drivers/media/usb/uvc/uvc_status.c +@@ -269,6 +269,7 @@ int uvc_status_init(struct uvc_device *d + dev->int_urb = usb_alloc_urb(0, GFP_KERNEL); + if (dev->int_urb == NULL) { + kfree(dev->status); ++ dev->status = NULL; + return -ENOMEM; + } + diff --git a/queue-5.10/series b/queue-5.10/series index 207426926e..fe82523738 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -132,3 +132,6 @@ drivers-card_reader-rtsx_usb-restore-interrupt-based-detection.patch usb-gadget-f_tcm-fix-get-setinterface-return-value.patch usb-typec-tcpm-set-src_send_capabilities-timeout-to-pd_t_sender_response.patch hid-core-fix-assumption-that-resolution-multipliers-must-be-in-logical-collections.patch +media-uvcvideo-fix-double-free-in-error-path.patch +usb-gadget-f_tcm-don-t-free-command-immediately.patch +btrfs-output-the-reason-for-open_ctree-failure.patch 
diff --git a/queue-5.10/usb-gadget-f_tcm-don-t-free-command-immediately.patch b/queue-5.10/usb-gadget-f_tcm-don-t-free-command-immediately.patch new file mode 100644 index 0000000000..616e31bb00 --- /dev/null +++ b/queue-5.10/usb-gadget-f_tcm-don-t-free-command-immediately.patch @@ -0,0 +1,40 @@ +From c225d006a31949d673e646d585d9569bc28feeb9 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Wed, 11 Dec 2024 00:31:36 +0000 +Subject: usb: gadget: f_tcm: Don't free command immediately + +From: Thinh Nguyen + +commit c225d006a31949d673e646d585d9569bc28feeb9 upstream. + +Don't prematurely free the command. Wait for the status completion of +the sense status. It can be freed then. Otherwise we will double-free +the command. + +Fixes: cff834c16d23 ("usb-gadget/tcm: Convert to TARGET_SCF_ACK_KREF I/O krefs") +Cc: stable@vger.kernel.org +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/ae919ac431f16275e05ec819bdffb3ac5f44cbe1.1733876548.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_tcm.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_tcm.c ++++ b/drivers/usb/gadget/function/f_tcm.c +@@ -1068,7 +1068,6 @@ static void usbg_cmd_work(struct work_st + out: + transport_send_check_condition_and_sense(se_cmd, + TCM_UNSUPPORTED_SCSI_OPCODE, 1); +- transport_generic_free_cmd(&cmd->se_cmd, 0); + } + + static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu, +@@ -1199,7 +1198,6 @@ static void bot_cmd_work(struct work_str + out: + transport_send_check_condition_and_sense(se_cmd, + TCM_UNSUPPORTED_SCSI_OPCODE, 1); +- transport_generic_free_cmd(&cmd->se_cmd, 0); + } + + static int bot_submit_command(struct f_uas *fu,
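Review bot: In the fs/btrfs/super.c hunk of btrfs-output-the-reason-for-open_ctree-failure.patch, the new `btrfs_err(fs_info, "open_ctree failed: %d", err);` logs the error as a bare number, so the -EINTR case named in the commit message appears as -4 and has to be decoded by whoever reads the log. If a symbolic name is wanted, the printk `%pe` specifier with `ERR_PTR(err)` prints one when CONFIG_SYMBOLIC_ERRNAME is enabled and falls back to the number otherwise. Keeping `%d` is fine for a minimal stable backport, but the commit message could then say that the value is a negative errno.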
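Review bot: In the uvc_status_init() hunk of media-uvcvideo-fix-double-free-in-error-path.patch, the added `dev->status = NULL;` covers only the `dev->int_urb == NULL` branch shown here. Any other exit from this function that frees dev->status needs the same reset, and the hunk does not show whether one exists, so that is worth checking against the 5.10 tree before queuing. A short comment next to the reset noting that uvc_status_cleanup() calls kfree() on this pointer would keep a later cleanup from dropping the assignment as redundant.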
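Review bot: In the usbg_cmd_work() hunk of usb-gadget-f_tcm-don-t-free-command-immediately.patch, once `transport_generic_free_cmd(&cmd->se_cmd, 0);` is removed nothing in the visible `out:` path releases the command, and the completion handler that the commit message says frees it is not part of the diff. A one-line comment at `out:` naming where the command is released after the sense status completes would make the ownership rule explicit and guard against the free being added back here.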
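Review bot: In the bot_cmd_work() hunk of usb-gadget-f_tcm-don-t-free-command-immediately.patch, the result of `transport_send_check_condition_and_sense(se_cmd, TCM_UNSUPPORTED_SCSI_OPCODE, 1);` at `out:` is discarded, and with the free removed the command is released only if the sense status actually completes. Please confirm what frees the command when sending the sense status fails, or handle that case explicitly, so that the double-free fix does not turn into a leak on that path. The same question applies to the identical `out:` path in usbg_cmd_work().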