From a16229334722927db83587cbd1e61e132147d57f Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 21 Oct 2025 20:14:32 +0200 Subject: [PATCH] 5.4-stable patches added patches: hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch --- ...of-bounds-read-in-hfsplus_strcasecmp.patch | 223 ++++++++++++++++++ ...-policy-check-from-check_nfsd_access.patch | 186 +++++++++++++++ ...-are-powered-for-config-reads-part-2.patch | 71 ++++++ queue-5.4/series | 3 + 4 files changed, 483 insertions(+) create mode 100644 queue-5.4/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch create mode 100644 queue-5.4/nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch create mode 100644 queue-5.4/pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch diff --git a/queue-5.4/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch b/queue-5.4/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch new file mode 100644 index 0000000000..0660fa2a1e --- /dev/null +++ b/queue-5.4/hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch @@ -0,0 +1,223 @@ +From 42520df65bf67189541a425f7d36b0b3e7bd7844 Mon Sep 17 00:00:00 2001 +From: Viacheslav Dubeyko +Date: Fri, 19 Sep 2025 12:12:44 -0700 +Subject: hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() + +From: Viacheslav Dubeyko + +commit 42520df65bf67189541a425f7d36b0b3e7bd7844 upstream. + +The hfsplus_strcasecmp() logic can trigger the issue: + +[ 117.317703][ T9855] ================================================================== +[ 117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490 +[ 117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855 +[ 117.319577][ T9855] +[ 117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full) +[ 117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 117.319783][ T9855] Call Trace: +[ 117.319785][ T9855] +[ 117.319788][ T9855] dump_stack_lvl+0x1c1/0x2a0 +[ 117.319795][ T9855] ? __virt_addr_valid+0x1c8/0x5c0 +[ 117.319803][ T9855] ? __pfx_dump_stack_lvl+0x10/0x10 +[ 117.319808][ T9855] ? rcu_is_watching+0x15/0xb0 +[ 117.319816][ T9855] ? lock_release+0x4b/0x3e0 +[ 117.319821][ T9855] ? __kasan_check_byte+0x12/0x40 +[ 117.319828][ T9855] ? __virt_addr_valid+0x1c8/0x5c0 +[ 117.319835][ T9855] ? __virt_addr_valid+0x4a5/0x5c0 +[ 117.319842][ T9855] print_report+0x17e/0x7e0 +[ 117.319848][ T9855] ? __virt_addr_valid+0x1c8/0x5c0 +[ 117.319855][ T9855] ? __virt_addr_valid+0x4a5/0x5c0 +[ 117.319862][ T9855] ? __phys_addr+0xd3/0x180 +[ 117.319869][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490 +[ 117.319876][ T9855] kasan_report+0x147/0x180 +[ 117.319882][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490 +[ 117.319891][ T9855] hfsplus_strcasecmp+0x1bc/0x490 +[ 117.319900][ T9855] ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10 +[ 117.319906][ T9855] hfs_find_rec_by_key+0xa9/0x1e0 +[ 117.319913][ T9855] __hfsplus_brec_find+0x18e/0x470 +[ 117.319920][ T9855] ? __pfx_hfsplus_bnode_find+0x10/0x10 +[ 117.319926][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10 +[ 117.319933][ T9855] ? __pfx___hfsplus_brec_find+0x10/0x10 +[ 117.319942][ T9855] hfsplus_brec_find+0x28f/0x510 +[ 117.319949][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10 +[ 117.319956][ T9855] ? __pfx_hfsplus_brec_find+0x10/0x10 +[ 117.319963][ T9855] ? __kmalloc_noprof+0x2a9/0x510 +[ 117.319969][ T9855] ? hfsplus_find_init+0x8c/0x1d0 +[ 117.319976][ T9855] hfsplus_brec_read+0x2b/0x120 +[ 117.319983][ T9855] hfsplus_lookup+0x2aa/0x890 +[ 117.319990][ T9855] ? __pfx_hfsplus_lookup+0x10/0x10 +[ 117.320003][ T9855] ? d_alloc_parallel+0x2f0/0x15e0 +[ 117.320008][ T9855] ? __lock_acquire+0xaec/0xd80 +[ 117.320013][ T9855] ? __pfx_d_alloc_parallel+0x10/0x10 +[ 117.320019][ T9855] ? __raw_spin_lock_init+0x45/0x100 +[ 117.320026][ T9855] ? __init_waitqueue_head+0xa9/0x150 +[ 117.320034][ T9855] __lookup_slow+0x297/0x3d0 +[ 117.320039][ T9855] ? __pfx___lookup_slow+0x10/0x10 +[ 117.320045][ T9855] ? down_read+0x1ad/0x2e0 +[ 117.320055][ T9855] lookup_slow+0x53/0x70 +[ 117.320065][ T9855] walk_component+0x2f0/0x430 +[ 117.320073][ T9855] path_lookupat+0x169/0x440 +[ 117.320081][ T9855] filename_lookup+0x212/0x590 +[ 117.320089][ T9855] ? __pfx_filename_lookup+0x10/0x10 +[ 117.320098][ T9855] ? strncpy_from_user+0x150/0x290 +[ 117.320105][ T9855] ? getname_flags+0x1e5/0x540 +[ 117.320112][ T9855] user_path_at+0x3a/0x60 +[ 117.320117][ T9855] __x64_sys_umount+0xee/0x160 +[ 117.320123][ T9855] ? __pfx___x64_sys_umount+0x10/0x10 +[ 117.320129][ T9855] ? do_syscall_64+0xb7/0x3a0 +[ 117.320135][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 117.320141][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 117.320145][ T9855] do_syscall_64+0xf3/0x3a0 +[ 117.320150][ T9855] ? exc_page_fault+0x9f/0xf0 +[ 117.320154][ T9855] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 117.320158][ T9855] RIP: 0033:0x7f7dd7908b07 +[ 117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08 +[ 117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6 +[ 117.320172][ T9855] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dd7908b07 +[ 117.320176][ T9855] RDX: 0000000000000009 RSI: 0000000000000009 RDI: 00007ffd5ebd9740 +[ 117.320179][ T9855] RBP: 00007ffd5ebda780 R08: 0000000000000005 R09: 00007ffd5ebd9530 +[ 117.320181][ T9855] R10: 00007f7dd799bfc0 R11: 0000000000000202 R12: 000055e2008b32d0 +[ 117.320184][ T9855] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 117.320189][ T9855] +[ 117.320190][ T9855] +[ 117.351311][ T9855] Allocated by task 9855: +[ 117.351683][ T9855] kasan_save_track+0x3e/0x80 +[ 117.352093][ T9855] __kasan_kmalloc+0x8d/0xa0 +[ 117.352490][ T9855] __kmalloc_noprof+0x288/0x510 +[ 117.352914][ T9855] hfsplus_find_init+0x8c/0x1d0 +[ 117.353342][ T9855] hfsplus_lookup+0x19c/0x890 +[ 117.353747][ T9855] __lookup_slow+0x297/0x3d0 +[ 117.354148][ T9855] lookup_slow+0x53/0x70 +[ 117.354514][ T9855] walk_component+0x2f0/0x430 +[ 117.354921][ T9855] path_lookupat+0x169/0x440 +[ 117.355325][ T9855] filename_lookup+0x212/0x590 +[ 117.355740][ T9855] user_path_at+0x3a/0x60 +[ 117.356115][ T9855] __x64_sys_umount+0xee/0x160 +[ 117.356529][ T9855] do_syscall_64+0xf3/0x3a0 +[ 117.356920][ T9855] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 117.357429][ T9855] +[ 117.357636][ T9855] The buggy address belongs to the object at ffff88802160f000 +[ 117.357636][ T9855] which belongs to the cache kmalloc-2k of size 2048 +[ 117.358827][ T9855] The buggy address is located 0 bytes to the right of +[ 117.358827][ T9855] allocated 1036-byte region [ffff88802160f000, ffff88802160f40c) +[ 117.360061][ T9855] +[ 117.360266][ T9855] The buggy address belongs to the physical page: +[ 117.360813][ T9855] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21608 +[ 117.361562][ T9855] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 +[ 117.362285][ T9855] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) +[ 117.362929][ T9855] page_type: f5(slab) +[ 117.363282][ T9855] raw: 00fff00000000040 ffff88801a842f00 ffffea0000932000 dead000000000002 +[ 117.364015][ T9855] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 +[ 117.364750][ T9855] head: 00fff00000000040 ffff88801a842f00 ffffea0000932000 dead000000000002 +[ 117.365491][ T9855] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 +[ 117.366232][ T9855] head: 00fff00000000003 ffffea0000858201 00000000ffffffff 00000000ffffffff +[ 117.366968][ T9855] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 +[ 117.367711][ T9855] page dumped because: kasan: bad access detected +[ 117.368259][ T9855] page_owner tracks the page as allocated +[ 117.368745][ T9855] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN1 +[ 117.370541][ T9855] post_alloc_hook+0x240/0x2a0 +[ 117.370954][ T9855] get_page_from_freelist+0x2101/0x21e0 +[ 117.371435][ T9855] __alloc_frozen_pages_noprof+0x274/0x380 +[ 117.371935][ T9855] alloc_pages_mpol+0x241/0x4b0 +[ 117.372360][ T9855] allocate_slab+0x8d/0x380 +[ 117.372752][ T9855] ___slab_alloc+0xbe3/0x1400 +[ 117.373159][ T9855] __kmalloc_cache_noprof+0x296/0x3d0 +[ 117.373621][ T9855] nexthop_net_init+0x75/0x100 +[ 117.374038][ T9855] ops_init+0x35c/0x5c0 +[ 117.374400][ T9855] setup_net+0x10c/0x320 +[ 117.374768][ T9855] copy_net_ns+0x31b/0x4d0 +[ 117.375156][ T9855] create_new_namespaces+0x3f3/0x720 +[ 117.375613][ T9855] unshare_nsproxy_namespaces+0x11c/0x170 +[ 117.376094][ T9855] ksys_unshare+0x4ca/0x8d0 +[ 117.376477][ T9855] __x64_sys_unshare+0x38/0x50 +[ 117.376879][ T9855] do_syscall_64+0xf3/0x3a0 +[ 117.377265][ T9855] page last free pid 9110 tgid 9110 stack trace: +[ 117.377795][ T9855] __free_frozen_pages+0xbeb/0xd50 +[ 117.378229][ T9855] __put_partials+0x152/0x1a0 +[ 117.378625][ T9855] put_cpu_partial+0x17c/0x250 +[ 117.379026][ T9855] __slab_free+0x2d4/0x3c0 +[ 117.379404][ T9855] qlist_free_all+0x97/0x140 +[ 117.379790][ T9855] kasan_quarantine_reduce+0x148/0x160 +[ 117.380250][ T9855] __kasan_slab_alloc+0x22/0x80 +[ 117.380662][ T9855] __kmalloc_noprof+0x232/0x510 +[ 117.381074][ T9855] tomoyo_supervisor+0xc0a/0x1360 +[ 117.381498][ T9855] tomoyo_env_perm+0x149/0x1e0 +[ 117.381903][ T9855] tomoyo_find_next_domain+0x15ad/0x1b90 +[ 117.382378][ T9855] tomoyo_bprm_check_security+0x11c/0x180 +[ 117.382859][ T9855] security_bprm_check+0x89/0x280 +[ 117.383289][ T9855] bprm_execve+0x8f1/0x14a0 +[ 117.383673][ T9855] do_execveat_common+0x528/0x6b0 +[ 117.384103][ T9855] __x64_sys_execve+0x94/0xb0 +[ 117.384500][ T9855] +[ 117.384706][ T9855] Memory state around the buggy address: +[ 117.385179][ T9855] ffff88802160f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 117.385854][ T9855] ffff88802160f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 117.386534][ T9855] >ffff88802160f400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 117.387204][ T9855] ^ +[ 117.387566][ T9855] ffff88802160f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 117.388243][ T9855] ffff88802160f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 117.388918][ T9855] ================================================================== + +The issue takes place if the length field of struct hfsplus_unistr +is bigger than HFSPLUS_MAX_STRLEN. The patch simply checks +the length of comparing strings. And if the strings' length +is bigger than HFSPLUS_MAX_STRLEN, then it is corrected +to this value. + +v2 +The string length correction has been added for hfsplus_strcmp(). + +Reported-by: Jiaming Zhang +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +cc: syzkaller@googlegroups.com +Link: https://lore.kernel.org/r/20250919191243.1370388-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Greg Kroah-Hartman +--- + fs/hfsplus/unicode.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/fs/hfsplus/unicode.c ++++ b/fs/hfsplus/unicode.c +@@ -40,6 +40,18 @@ int hfsplus_strcasecmp(const struct hfsp + p1 = s1->unicode; + p2 = s2->unicode; + ++ if (len1 > HFSPLUS_MAX_STRLEN) { ++ len1 = HFSPLUS_MAX_STRLEN; ++ pr_err("invalid length %u has been corrected to %d\n", ++ be16_to_cpu(s1->length), len1); ++ } ++ ++ if (len2 > HFSPLUS_MAX_STRLEN) { ++ len2 = HFSPLUS_MAX_STRLEN; ++ pr_err("invalid length %u has been corrected to %d\n", ++ be16_to_cpu(s2->length), len2); ++ } ++ + while (1) { + c1 = c2 = 0; + +@@ -74,6 +86,18 @@ int hfsplus_strcmp(const struct hfsplus_ + p1 = s1->unicode; + p2 = s2->unicode; + ++ if (len1 > HFSPLUS_MAX_STRLEN) { ++ len1 = HFSPLUS_MAX_STRLEN; ++ pr_err("invalid length %u has been corrected to %d\n", ++ be16_to_cpu(s1->length), len1); ++ } ++ ++ if (len2 > HFSPLUS_MAX_STRLEN) { ++ len2 = HFSPLUS_MAX_STRLEN; ++ pr_err("invalid length %u has been corrected to %d\n", ++ be16_to_cpu(s2->length), len2); ++ } ++ + for (len = min(len1, len2); len > 0; len--) { + c1 = be16_to_cpu(*p1); + c2 = be16_to_cpu(*p2); diff --git a/queue-5.4/nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch b/queue-5.4/nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch new file mode 100644 index 0000000000..ad38340935 --- /dev/null +++ b/queue-5.4/nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch @@ -0,0 +1,186 @@ +From smayhew@redhat.com Tue Oct 21 20:11:20 2025 +From: Scott Mayhew +Date: Mon, 20 Oct 2025 16:50:04 -0400 +Subject: nfsd: decouple the xprtsec policy check from check_nfsd_access() +To: stable@vger.kernel.org +Cc: chuck.lever@oracle.com +Message-ID: <20251020205004.1034718-1-smayhew@redhat.com> + +From: Scott Mayhew + +[ Upstream commit e4f574ca9c6dfa66695bb054ff5df43ecea873ec ] + +This is a backport of e4f574ca9c6d specifically for the 6.6-stable +kernel. It differs from the upstream version mainly in that it's +working around the absence of some 6.12-era commits: +- 1459ad57673b nfsd: Move error code mapping to per-version proc code. +- 0a183f24a7ae NFSD: Handle @rqstp == NULL in check_nfsd_access() +- 5e66d2d92a1c nfsd: factor out __fh_verify to allow NULL rqstp to be + passed + +A while back I had reported that an NFSv3 client could successfully +mount using '-o xprtsec=none' an export that had been exported with +'xprtsec=tls:mtls'. By "successfully" I mean that the mount command +would succeed and the mount would show up in /proc/mount. Attempting +to do anything futher with the mount would be met with NFS3ERR_ACCES. + +Transport Layer Security isn't an RPC security flavor or pseudo-flavor, +so we shouldn't be conflating them when determining whether the access +checks can be bypassed. Split check_nfsd_access() into two helpers, and +have fh_verify() call the helpers directly since fh_verify() has +logic that allows one or both of the checks to be skipped. All other +sites will continue to call check_nfsd_access(). + +Link: https://lore.kernel.org/linux-nfs/ZjO3Qwf_G87yNXb2@aion/ +Fixes: 9280c5774314 ("NFSD: Handle new xprtsec= export option") +Signed-off-by: Scott Mayhew +Acked-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/export.c | 60 +++++++++++++++++++++++++++++++++++++++++------- + fs/nfsd/export.h | 2 ++ + fs/nfsd/nfsfh.c | 12 +++++++++- + 3 files changed, 65 insertions(+), 9 deletions(-) + +diff --git a/fs/nfsd/export.c b/fs/nfsd/export.c +index 4b5d998cbc2f..f4e77859aa85 100644 +--- a/fs/nfsd/export.c ++++ b/fs/nfsd/export.c +@@ -1071,28 +1071,62 @@ static struct svc_export *exp_find(struct cache_detail *cd, + return exp; + } + +-__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) ++/** ++ * check_xprtsec_policy - check if access to export is allowed by the ++ * xprtsec policy ++ * @exp: svc_export that is being accessed. ++ * @rqstp: svc_rqst attempting to access @exp. ++ * ++ * Helper function for check_nfsd_access(). Note that callers should be ++ * using check_nfsd_access() instead of calling this function directly. The ++ * one exception is fh_verify() since it has logic that may result in one ++ * or both of the helpers being skipped. ++ * ++ * Return values: ++ * %nfs_ok if access is granted, or ++ * %nfserr_acces or %nfserr_wrongsec if access is denied ++ */ ++__be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp) + { +- struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; + struct svc_xprt *xprt = rqstp->rq_xprt; + + if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) { + if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags)) +- goto ok; ++ return nfs_ok; + } + if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_TLS) { + if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && + !test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) +- goto ok; ++ return nfs_ok; + } + if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_MTLS) { + if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) && + test_bit(XPT_PEER_AUTH, &xprt->xpt_flags)) +- goto ok; ++ return nfs_ok; + } +- goto denied; + +-ok: ++ return rqstp->rq_vers < 4 ? nfserr_acces : nfserr_wrongsec; ++} ++ ++/** ++ * check_security_flavor - check if access to export is allowed by the ++ * xprtsec policy ++ * @exp: svc_export that is being accessed. ++ * @rqstp: svc_rqst attempting to access @exp. ++ * ++ * Helper function for check_nfsd_access(). Note that callers should be ++ * using check_nfsd_access() instead of calling this function directly. The ++ * one exception is fh_verify() since it has logic that may result in one ++ * or both of the helpers being skipped. ++ * ++ * Return values: ++ * %nfs_ok if access is granted, or ++ * %nfserr_acces or %nfserr_wrongsec if access is denied ++ */ ++__be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp) ++{ ++ struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors; ++ + /* legacy gss-only clients are always OK: */ + if (exp->ex_client == rqstp->rq_gssclient) + return 0; +@@ -1117,10 +1151,20 @@ __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) + if (nfsd4_spo_must_allow(rqstp)) + return 0; + +-denied: + return rqstp->rq_vers < 4 ? nfserr_acces : nfserr_wrongsec; + } + ++__be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp) ++{ ++ __be32 status; ++ ++ status = check_xprtsec_policy(exp, rqstp); ++ if (status != nfs_ok) ++ return status; ++ ++ return check_security_flavor(exp, rqstp); ++} ++ + /* + * Uses rq_client and rq_gssclient to find an export; uses rq_client (an + * auth_unix client) if it's available and has secinfo information; +diff --git a/fs/nfsd/export.h b/fs/nfsd/export.h +index ca9dc230ae3d..4a48b2ad5606 100644 +--- a/fs/nfsd/export.h ++++ b/fs/nfsd/export.h +@@ -100,6 +100,8 @@ struct svc_expkey { + #define EX_WGATHER(exp) ((exp)->ex_flags & NFSEXP_GATHERED_WRITES) + + int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp); ++__be32 check_xprtsec_policy(struct svc_export *exp, struct svc_rqst *rqstp); ++__be32 check_security_flavor(struct svc_export *exp, struct svc_rqst *rqstp); + __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp); + + /* +diff --git a/fs/nfsd/nfsfh.c b/fs/nfsd/nfsfh.c +index c2495d98c189..283c1a60c846 100644 +--- a/fs/nfsd/nfsfh.c ++++ b/fs/nfsd/nfsfh.c +@@ -370,6 +370,16 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, int access) + if (error) + goto out; + ++ /* ++ * NLM is allowed to bypass the xprtsec policy check because lockd ++ * doesn't support xprtsec. ++ */ ++ if (!(access & NFSD_MAY_LOCK)) { ++ error = check_xprtsec_policy(exp, rqstp); ++ if (error) ++ goto out; ++ } ++ + /* + * pseudoflavor restrictions are not enforced on NLM, + * which clients virtually always use auth_sys for, +@@ -386,7 +396,7 @@ fh_verify(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type, int access) + && exp->ex_path.dentry == dentry) + goto skip_pseudoflavor_check; + +- error = check_nfsd_access(exp, rqstp); ++ error = check_security_flavor(exp, rqstp); + if (error) + goto out; + +-- +2.47.3 + diff --git a/queue-5.4/pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch b/queue-5.4/pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch new file mode 100644 index 0000000000..7e81ab5c6d --- /dev/null +++ b/queue-5.4/pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch @@ -0,0 +1,71 @@ +From briannorris@chromium.org Tue Oct 21 20:12:10 2025 +From: Brian Norris +Date: Mon, 20 Oct 2025 13:41:36 -0700 +Subject: PCI/sysfs: Ensure devices are powered for config reads (part 2) +To: stable@vger.kernel.org +Cc: bhelgaas@google.com, Brian Norris , Brian Norris +Message-ID: <20251020204146.3193844-1-briannorris@chromium.org> + +From: Brian Norris + +Commit 48991e493507 ("PCI/sysfs: Ensure devices are powered for config +reads") was applied to various linux-stable trees. However, prior to +6.12.y, we do not have commit d2bd39c0456b ("PCI: Store all PCIe +Supported Link Speeds"). Therefore, we also need to apply the change to +max_link_speed_show(). + +This was pointed out here: + + Re: Patch "PCI/sysfs: Ensure devices are powered for config reads" has been added to the 6.6-stable tree + https://lore.kernel.org/all/aPEMIreBYZ7yk3cm@google.com/ + +Original change description follows: + + The "max_link_width", "current_link_speed", "current_link_width", + "secondary_bus_number", and "subordinate_bus_number" sysfs files all access + config registers, but they don't check the runtime PM state. If the device + is in D3cold or a parent bridge is suspended, we may see -EINVAL, bogus + values, or worse, depending on implementation details. + + Wrap these access in pci_config_pm_runtime_{get,put}() like most of the + rest of the similar sysfs attributes. + + Notably, "max_link_speed" does not access config registers; it returns a + cached value since d2bd39c0456b ("PCI: Store all PCIe Supported Link + Speeds"). + +Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc") +Link: https://lore.kernel.org/all/aPEMIreBYZ7yk3cm@google.com/ +Signed-off-by: Brian Norris +Signed-off-by: Brian Norris +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-sysfs.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index 449d42744d33..300caafcfa10 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -186,9 +186,15 @@ static ssize_t max_link_speed_show(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct pci_dev *pdev = to_pci_dev(dev); ++ ssize_t ret; ++ ++ /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */ ++ pci_config_pm_runtime_get(pdev); ++ ret = sysfs_emit(buf, "%s\n", ++ pci_speed_string(pcie_get_speed_cap(pdev))); ++ pci_config_pm_runtime_put(pdev); + +- return sysfs_emit(buf, "%s\n", +- pci_speed_string(pcie_get_speed_cap(pdev))); ++ return ret; + } + static DEVICE_ATTR_RO(max_link_speed); + +-- +2.51.0.869.ge66316f041-goog + diff --git a/queue-5.4/series b/queue-5.4/series index 9a6a9c5bf6..7f48b1ae7a 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -169,3 +169,6 @@ sched-fair-trivial-correction-of-the-newidle_balance.patch sched-balancing-rename-newidle_balance-sched_balance.patch sched-fair-fix-pelt-lost-idle-time-detection.patch alsa-firewire-amdtp-stream-fix-enum-kernel-doc-warni.patch +hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch +pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch +nfsd-decouple-the-xprtsec-policy-check-from-check_nfsd_access.patch -- 2.47.3