From: Greg Kroah-Hartman Date: Mon, 13 Oct 2025 09:17:14 +0000 (+0200) Subject: 6.1-stable patches X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e126c14efdb20c2c858ce1772cca522bde808e4;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: dm-fix-null-pointer-dereference-in-__dm_suspend.patch dm-fix-queue-start-stop-imbalance-under-suspend-load-resume-races.patch ext4-fix-checks-for-orphan-inodes.patch ksmbd-fix-error-code-overwriting-in-smb2_get_info_filesystem.patch
---
diff --git a/queue-6.1/dm-fix-null-pointer-dereference-in-__dm_suspend.patch b/queue-6.1/dm-fix-null-pointer-dereference-in-__dm_suspend.patch
new file mode 100644
index 0000000000..cc65e4cbdd
--- /dev/null
+++ b/queue-6.1/dm-fix-null-pointer-dereference-in-__dm_suspend.patch
@@ -0,0 +1,93 @@
+From 8d33a030c566e1f105cd5bf27f37940b6367f3be Mon Sep 17 00:00:00 2001
+From: Zheng Qixing
+Date: Tue, 26 Aug 2025 15:42:04 +0800
+Subject: dm: fix NULL pointer dereference in __dm_suspend()
+
+From: Zheng Qixing
+
+commit 8d33a030c566e1f105cd5bf27f37940b6367f3be upstream.
+
+There is a race condition between dm device suspend and table load that
+can lead to null pointer dereference. The issue occurs when suspend is
+invoked before table load completes:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000054
+Oops: 0000 [#1] PREEMPT SMP PTI
+CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
+RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50
+Call Trace:
+
+ blk_mq_quiesce_queue+0x2c/0x50
+ dm_stop_queue+0xd/0x20
+ __dm_suspend+0x130/0x330
+ dm_suspend+0x11a/0x180
+ dev_suspend+0x27e/0x560
+ ctl_ioctl+0x4cf/0x850
+ dm_ctl_ioctl+0xd/0x20
+ vfs_ioctl+0x1d/0x50
+ __se_sys_ioctl+0x9b/0xc0
+ __x64_sys_ioctl+0x19/0x30
+ x64_sys_call+0x2c4a/0x4620
+ do_syscall_64+0x9e/0x1b0
+
+The issue can be triggered as below:
+
+T1 T2
+dm_suspend table_load
+__dm_suspend dm_setup_md_queue
+ dm_mq_init_request_queue
+ blk_mq_init_allocated_queue
+ => q->mq_ops = set->ops; (1)
+dm_stop_queue / dm_wait_for_completion
+=> q->tag_set NULL pointer! (2)
+ => q->tag_set = set; (3)
+
+Fix this by checking if a valid table (map) exists before performing
+request-based suspend and waiting for target I/O. When map is NULL,
+skip these table-dependent suspend steps.
+
+Even when map is NULL, no I/O can reach any target because there is
+no table loaded; I/O submitted in this state will fail early in the
+DM layer. Skipping the table-dependent suspend logic in this case
+is safe and avoids NULL pointer dereferences.
+
+Fixes: c4576aed8d85 ("dm: fix request-based dm's use of dm_wait_for_completion")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheng Qixing
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2668,7 +2668,7 @@ static int __dm_suspend(struct mapped_de
+ {
+ bool do_lockfs = suspend_flags & DM_SUSPEND_LOCKFS_FLAG;
+ bool noflush = suspend_flags & DM_SUSPEND_NOFLUSH_FLAG;
+- int r;
++ int r = 0;
+
+ lockdep_assert_held(&md->suspend_lock);
+
+@@ -2720,7 +2720,7 @@ static int __dm_suspend(struct mapped_de
+ * Stop md->queue before flushing md->wq in case request-based
+ * dm defers requests to md->wq from md->queue.
+ */
+- if (dm_request_based(md)) {
++ if (map && dm_request_based(md)) {
+ dm_stop_queue(md->queue);
+ set_bit(DMF_QUEUE_STOPPED, &md->flags);
+ }
+@@ -2732,7 +2732,8 @@ static int __dm_suspend(struct mapped_de
+ * We call dm_wait_for_completion to wait for all existing requests
+ * to finish.
+ */
+- r = dm_wait_for_completion(md, task_state);
++ if (map)
++ r = dm_wait_for_completion(md, task_state);
+ if (!r)
+ set_bit(dmf_suspended_flag, &md->flags);
+
diff --git a/queue-6.1/dm-fix-queue-start-stop-imbalance-under-suspend-load-resume-races.patch b/queue-6.1/dm-fix-queue-start-stop-imbalance-under-suspend-load-resume-races.patch
new file mode 100644
index 0000000000..ad58a320ad
--- /dev/null
+++ b/queue-6.1/dm-fix-queue-start-stop-imbalance-under-suspend-load-resume-races.patch
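Review bot: The two new `map` guards in __dm_suspend() explain nothing at the point of use; the reasoning the commit message gives (no table loaded means md->queue setup may still be in flight and no target can receive I/O) belongs next to the code. I would put above `if (map && dm_request_based(md)) {` a comment such as `/* No table loaded: md->queue may not be fully set up yet and no target can see I/O, so skip the table-dependent steps. */` and a one-line pointer back to it on the `if (map)` before dm_wait_for_completion(). The hunk's context line `set_bit(DMF_QUEUE_STOPPED, &md->flags);` only exists once dm-fix-queue-start-stop-imbalance-under-suspend-load-resume-races.patch is applied, so the ordering in queue-6.1/series (that patch first) is load-bearing for this backport. With `r` initialised to 0 and the wait skipped, `dmf_suspended_flag` is set even for a table-less device, which the commit message argues is safe; __dm_suspend() itself begins before and ends after the quoted hunks.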
@@ -0,0 +1,82 @@
+From 7f597c2cdb9d3263a6fce07c4fc0a9eaa8e8fc43 Mon Sep 17 00:00:00 2001
+From: Zheng Qixing
+Date: Tue, 26 Aug 2025 15:42:03 +0800
+Subject: dm: fix queue start/stop imbalance under suspend/load/resume races
+
+From: Zheng Qixing
+
+commit 7f597c2cdb9d3263a6fce07c4fc0a9eaa8e8fc43 upstream.
+
+When suspend and load run concurrently, before q->mq_ops is set in
+blk_mq_init_allocated_queue(), __dm_suspend() skip dm_stop_queue(). As a
+result, the queue's quiesce depth is not incremented.
+
+Later, once table load has finished and __dm_resume() runs, which triggers
+q->quiesce_depth ==0 warning in blk_mq_unquiesce_queue():
+Call Trace:
+
+ dm_start_queue+0x16/0x20 [dm_mod]
+ __dm_resume+0xac/0xb0 [dm_mod]
+ dm_resume+0x12d/0x150 [dm_mod]
+ do_resume+0x2c2/0x420 [dm_mod]
+ dev_suspend+0x30/0x130 [dm_mod]
+ ctl_ioctl+0x402/0x570 [dm_mod]
+ dm_ctl_ioctl+0x23/0x30 [dm_mod]
+
+Fix this by explicitly tracking whether the request queue was
+stopped in __dm_suspend() via a new DMF_QUEUE_STOPPED flag.
+Only call dm_start_queue() in __dm_resume() if the queue was
+actually stopped.
+
+Fixes: e70feb8b3e68 ("blk-mq: support concurrent queue quiesce/unquiesce")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheng Qixing
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-core.h | 1 +
+ drivers/md/dm.c | 8 +++++---
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-core.h
++++ b/drivers/md/dm-core.h
+@@ -160,6 +160,7 @@ struct mapped_device {
+ #define DMF_SUSPENDED_INTERNALLY 7
+ #define DMF_POST_SUSPENDING 8
+ #define DMF_EMULATE_ZONE_APPEND 9
++#define DMF_QUEUE_STOPPED 10
+
+ void disable_discard(struct mapped_device *md);
+ void disable_write_zeroes(struct mapped_device *md);
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2720,8 +2720,10 @@ static int __dm_suspend(struct mapped_de
+ * Stop md->queue before flushing md->wq in case request-based
+ * dm defers requests to md->wq from md->queue.
+ */
+- if (dm_request_based(md))
++ if (dm_request_based(md)) {
+ dm_stop_queue(md->queue);
++ set_bit(DMF_QUEUE_STOPPED, &md->flags);
++ }
+
+ flush_workqueue(md->wq);
+
+@@ -2743,7 +2745,7 @@ static int __dm_suspend(struct mapped_de
+ if (r < 0) {
+ dm_queue_flush(md);
+
+- if (dm_request_based(md))
++ if (test_and_clear_bit(DMF_QUEUE_STOPPED, &md->flags))
+ dm_start_queue(md->queue);
+
+ unlock_fs(md);
+@@ -2826,7 +2828,7 @@ static int __dm_resume(struct mapped_dev
+ * so that mapping of targets can work correctly.
+ * Request-based dm is queueing the deferred I/Os in its request_queue.
+ */
+- if (dm_request_based(md))
++ if (test_and_clear_bit(DMF_QUEUE_STOPPED, &md->flags))
+ dm_start_queue(md->queue);
+
+ unlock_fs(md);
diff --git a/queue-6.1/ext4-fix-checks-for-orphan-inodes.patch b/queue-6.1/ext4-fix-checks-for-orphan-inodes.patch
new file mode 100644
index 0000000000..42479d1d70
--- /dev/null
+++ b/queue-6.1/ext4-fix-checks-for-orphan-inodes.patch
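Review bot: `#define DMF_QUEUE_STOPPED 10` in dm-core.h carries no comment, yet its correctness rests on an invariant spread over two functions: the dm_stop_queue() in __dm_suspend() must set the bit, and every restart path must consume it with test_and_clear_bit(), which the r < 0 error path and __dm_resume() hunks do. I would document that at the definition, e.g. `/* md->queue was quiesced by __dm_suspend(); cleared by the path that restarts it */`, so a later dm_stop_queue()/dm_start_queue() pair is not added without touching the flag. If dm_stop_queue() is reached from any path other than the one in this hunk (I cannot tell from here), that path would now leave the queue quiesced across resume, so it is worth a grep when taking this into 6.1. The enclosing __dm_suspend() and __dm_resume() bodies start and end outside the quoted hunks.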
@@ -0,0 +1,106 @@
+From acf943e9768ec9d9be80982ca0ebc4bfd6b7631e Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Thu, 25 Sep 2025 14:30:39 +0200
+Subject: ext4: fix checks for orphan inodes
+
+From: Jan Kara
+
+commit acf943e9768ec9d9be80982ca0ebc4bfd6b7631e upstream.
+
+When orphan file feature is enabled, inode can be tracked as orphan
+either in the standard orphan list or in the orphan file. The first can
+be tested by checking ei->i_orphan list head, the second is recorded by
+EXT4_STATE_ORPHAN_FILE inode state flag. There are several places where
+we want to check whether inode is tracked as orphan and only some of
+them properly check for both possibilities. Luckily the consequences are
+mostly minor, the worst that can happen is that we track an inode as
+orphan although we don't need to and e2fsck then complains (resulting in
+occasional ext4/307 xfstest failures). Fix the problem by introducing a
+helper for checking whether an inode is tracked as orphan and use it in
+appropriate places.
+
+Fixes: 4a79a98c7b19 ("ext4: Improve scalability of ext4 orphan file handling")
+Cc: stable@kernel.org
+Signed-off-by: Jan Kara
+Reviewed-by: Zhang Yi
+Message-ID: <20250925123038.20264-2-jack@suse.cz>
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/ext4.h | 10 ++++++++++
+ fs/ext4/file.c | 2 +-
+ fs/ext4/inode.c | 2 +-
+ fs/ext4/orphan.c | 6 +-----
+ fs/ext4/super.c | 4 ++--
+ 5 files changed, 15 insertions(+), 9 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -1962,6 +1962,16 @@ static inline bool ext4_verity_in_progre
+ #define NEXT_ORPHAN(inode) EXT4_I(inode)->i_dtime
+
+ /*
++ * Check whether the inode is tracked as orphan (either in orphan file or
++ * orphan list).
++ */
++static inline bool ext4_inode_orphan_tracked(struct inode *inode)
++{
++ return ext4_test_inode_state(inode, EXT4_STATE_ORPHAN_FILE) ||
++ !list_empty(&EXT4_I(inode)->i_orphan);
++}
++
++/*
+ * Codes for operating systems
+ */
+ #define EXT4_OS_LINUX 0
+--- a/fs/ext4/file.c
++++ b/fs/ext4/file.c
+@@ -344,7 +344,7 @@ static void ext4_inode_extension_cleanup
+ * to cleanup the orphan list in ext4_handle_inode_extension(). Do it
+ * now.
+ */
+- if (!list_empty(&EXT4_I(inode)->i_orphan) && inode->i_nlink) {
++ if (ext4_inode_orphan_tracked(inode) && inode->i_nlink) {
+ handle_t *handle = ext4_journal_start(inode, EXT4_HT_INODE, 2);
+
+ if (IS_ERR(handle)) {
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4394,7 +4394,7 @@ static int ext4_fill_raw_inode(struct in
+ * old inodes get re-used with the upper 16 bits of the
+ * uid/gid intact.
+ */
+- if (ei->i_dtime && list_empty(&ei->i_orphan)) {
++ if (ei->i_dtime && !ext4_inode_orphan_tracked(inode)) {
+ raw_inode->i_uid_high = 0;
+ raw_inode->i_gid_high = 0;
+ } else {
+--- a/fs/ext4/orphan.c
++++ b/fs/ext4/orphan.c
+@@ -109,11 +109,7 @@ int ext4_orphan_add(handle_t *handle, st
+
+ WARN_ON_ONCE(!(inode->i_state & (I_NEW | I_FREEING)) &&
+ !inode_is_locked(inode));
+- /*
+- * Inode orphaned in orphan file or in orphan list?
+- */
+- if (ext4_test_inode_state(inode, EXT4_STATE_ORPHAN_FILE) ||
+- !list_empty(&EXT4_I(inode)->i_orphan))
++ if (ext4_inode_orphan_tracked(inode))
+ return 0;
+
+ /*
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1379,9 +1379,9 @@ static void ext4_free_in_core_inode(stru
+
+ static void ext4_destroy_inode(struct inode *inode)
+ {
+- if (!list_empty(&(EXT4_I(inode)->i_orphan))) {
++ if (ext4_inode_orphan_tracked(inode)) {
+ ext4_msg(inode->i_sb, KERN_ERR,
+- "Inode %lu (%p): orphan list check failed!",
++ "Inode %lu (%p): inode tracked as orphan!",
+ inode->i_ino, EXT4_I(inode));
+ print_hex_dump(KERN_INFO, "", DUMP_PREFIX_ADDRESS, 16, 4,
+ EXT4_I(inode), sizeof(struct ext4_inode_info),
diff --git a/queue-6.1/ksmbd-fix-error-code-overwriting-in-smb2_get_info_filesystem.patch b/queue-6.1/ksmbd-fix-error-code-overwriting-in-smb2_get_info_filesystem.patch
new file mode 100644
index 0000000000..e2cf92610a
--- /dev/null
+++ b/queue-6.1/ksmbd-fix-error-code-overwriting-in-smb2_get_info_filesystem.patch
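Review bot: The new `ext4_inode_orphan_tracked()` helper's comment says what it tests but not under which locking it may be called: `list_empty(&EXT4_I(inode)->i_orphan)` is read without `s_orphan_lock`, exactly as the call sites it replaces did, and the WARN_ON_ONCE() context in ext4_orphan_add() shows the caller is expected to hold the inode lock or be in I_NEW/I_FREEING. I would extend the header comment with `* Reads i_orphan without s_orphan_lock; callers rely on the inode lock (or I_NEW/I_FREEING) to keep the answer stable.` so the helper is not later used from a path without that protection. The ext4_destroy_inode() message change to "inode tracked as orphan!" replaces a user-visible log string; anyone matching the old "orphan list check failed!" text in log-based alerting should update the pattern. Each of the five nested hunks sits inside a function whose start and end are outside the quoted lines.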
@@ -0,0 +1,38 @@
+From 88daf2f448aad05a2e6df738d66fe8b0cf85cee0 Mon Sep 17 00:00:00 2001
+From: Matvey Kovalev
+Date: Thu, 25 Sep 2025 15:12:34 +0300
+Subject: ksmbd: fix error code overwriting in smb2_get_info_filesystem()
+
+From: Matvey Kovalev
+
+commit 88daf2f448aad05a2e6df738d66fe8b0cf85cee0 upstream.
+
+If client doesn't negotiate with SMB3.1.1 POSIX Extensions,
+then proper error code won't be returned due to overwriting.
+
+Return error immediately.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: e2f34481b24db ("cifsd: add server-side procedures for SMB3")
+Cc: stable@vger.kernel.org
+Signed-off-by: Matvey Kovalev
+Acked-by: Namjae Jeon
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/smb2pdu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -5233,7 +5233,8 @@ static int smb2_get_info_filesystem(stru
+
+ if (!work->tcon->posix_extensions) {
+ pr_err("client doesn't negotiate with SMB3.1.1 POSIX Extensions\n");
+- rc = -EOPNOTSUPP;
++ path_put(&path);
++ return -EOPNOTSUPP;
+ } else {
+ info = (struct filesystem_posix_info *)(rsp->Buffer);
+ info->OptimalTransferSize = cpu_to_le32(stfs.f_bsize);
diff --git a/queue-6.1/series b/queue-6.1/series
index dc0fcf45d2..c64da3ff86 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -175,3 +175,7 @@ uio_hv_generic-let-userspace-take-care-of-interrupt-mask.patch
 fs-udf-fix-oob-read-in-lengthallocdescs-handling.patch
 net-nfc-nci-add-parameter-validation-for-packet-data.patch
 mfd-vexpress-sysreg-check-the-return-value-of-devm_gpiochip_add_data.patch
+dm-fix-queue-start-stop-imbalance-under-suspend-load-resume-races.patch
+dm-fix-null-pointer-dereference-in-__dm_suspend.patch
+ksmbd-fix-error-code-overwriting-in-smb2_get_info_filesystem.patch
+ext4-fix-checks-for-orphan-inodes.patch
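Review bot: The new `path_put(&path); return -EOPNOTSUPP;` leaves smb2_get_info_filesystem() early instead of falling through to the common exit after the switch, so whatever that exit does (the subject says it overwrote rc, which is the bug being fixed) is now skipped for this case; from the hunk alone I cannot confirm that `path` is the only resource held at this point, so the function tail, which lies outside the hunk, should be checked for other cleanup when this is applied to 6.1. A short comment on the early return, e.g. `/* bail out now: the common exit below would overwrite rc */` (adjusted to what the tail actually does), would spare the next reader the same check. The branch is taken on a client-controlled condition and logs with unconditional `pr_err()` on the context line above it; a client that repeats this request can flood the kernel log, so `pr_err_ratelimited()` would be the more defensive choice there.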