From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 19 Mar 2025 14:20:53 +0000 (-0700)
Subject: 6.13-stable patches
X-Git-Tag: v6.6.84~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=86964bfbbfaf53aab09222ff9bec426773e91c4b;p=thirdparty%2Fkernel%2Fstable-queue.git

6.13-stable patches

added patches:
	fs-netfs-read_collect-add-to-next-prev_donated.patch
---

diff --git a/queue-6.13/fs-netfs-read_collect-add-to-next-prev_donated.patch b/queue-6.13/fs-netfs-read_collect-add-to-next-prev_donated.patch
new file mode 100644
index 0000000000..8aed32a9b9
--- /dev/null
+++ b/queue-6.13/fs-netfs-read_collect-add-to-next-prev_donated.patch
@@ -0,0 +1,36 @@
+From stable+bounces-118455-greg=kroah.com@vger.kernel.org Thu Feb 20 07:27:34 2025
+From: Max Kellermann <max.kellermann@ionos.com>
+Date: Thu, 20 Feb 2025 16:24:50 +0100
+Subject: fs/netfs/read_collect: add to next->prev_donated
+To: dhowells@redhat.com, netfs@lists.linux.dev, linux-kernel@vger.kernel.org
+Cc: Max Kellermann <max.kellermann@ionos.com>, stable@vger.kernel.org
+Message-ID: <20250220152450.1075727-1-max.kellermann@ionos.com>
+
+From: Max Kellermann <max.kellermann@ionos.com>
+
+If multiple subrequests donate data to the same "next" request
+(depending on the subrequest completion order), each of them would
+overwrite the `prev_donated` field, causing data corruption and a
+BUG() crash ("Can't donate prior to front").
+
+Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
+Closes: https://lore.kernel.org/netfs/CAKPOu+_4mUwYgQtRTbXCmi+-k3PGvLysnPadkmHOyB7Gz0iSMA@mail.gmail.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/netfs/read_collect.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/netfs/read_collect.c
++++ b/fs/netfs/read_collect.c
+@@ -284,7 +284,7 @@ donation_changed:
+ 				   netfs_trace_donate_to_deferred_next);
+ 	} else {
+ 		next = list_next_entry(subreq, rreq_link);
+-		WRITE_ONCE(next->prev_donated, excess);
++		WRITE_ONCE(next->prev_donated, next->prev_donated + excess);
+ 		trace_netfs_donate(rreq, subreq, next, excess,
+ 				   netfs_trace_donate_to_next);
+ 	}
diff --git a/queue-6.13/series b/queue-6.13/series
index 0397be0470..76c8fa2e78 100644
--- a/queue-6.13/series
+++ b/queue-6.13/series
@@ -238,3 +238,4 @@ drm-xe-guc-fix-size_t-print-format.patch
 bluetooth-l2cap-fix-corrupted-list-in-hci_chan_del.patch
 nvme-fc-rely-on-state-transitions-to-handle-connectivity-loss.patch
 hid-apple-disable-fn-key-handling-on-the-omoton-kb066.patch
+fs-netfs-read_collect-add-to-next-prev_donated.patch