--- /dev/null
+From inwardvessel@gmail.com Tue Feb 3 17:29:41 2026
+From: JP Kobryn <inwardvessel@gmail.com>
+Date: Sat, 31 Jan 2026 23:13:46 -0800
+Subject: btrfs: prevent use-after-free on folio private data in btrfs_subpage_clear_uptodate()
+To: wqu@suse.com, boris@bur.io, clm@fb.com, dsterba@suse.com
+Cc: linux-btrfs@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@meta.com
+Message-ID: <20260201071346.130641-1-inwardvessel@gmail.com>
+
+From: JP Kobryn <inwardvessel@gmail.com>
+
+This is a stable-only patch. The issue was inadvertently fixed in 6.17 [0]
+as part of a refactoring, but this patch serves as a minimal targeted fix
+for prior kernels.
+
+Users of filemap_lock_folio() need to guard against the situation where
+release_folio() has been invoked during reclaim but the folio was
+ultimately not removed from the page cache. This patch covers one location
+that was overlooked.
+
+After acquiring the folio, use set_folio_extent_mapped() to ensure the
+folio private state is valid. This is especially important in the subpage
+case, where the private field is an allocated struct containing bitmap and
+lock data.
+
+Without this protection, the race below is possible:
+
+[mm] page cache reclaim path [fs] relocation in subpage mode
+shrink_folio_list()
+ folio_trylock() /* lock acquired */
+ filemap_release_folio()
+ mapping->a_ops->release_folio()
+ btrfs_release_folio()
+ __btrfs_release_folio()
+ clear_folio_extent_mapped()
+ btrfs_detach_subpage()
+ subpage = folio_detach_private(folio)
+ btrfs_free_subpage(subpage)
+ kfree(subpage) /* point A */
+
+ prealloc_file_extent_cluster()
+ filemap_lock_folio()
+ folio_try_get() /* inc refcount */
+ folio_lock() /* wait for lock */
+
+ if (...)
+ ...
+ else if (!mapping || !__remove_mapping(..))
+ /*
+ * __remove_mapping() returns zero when
+ * folio_ref_freeze(folio, refcount) fails /* point B */
+ */
+ goto keep_locked /* folio remains in cache */
+
+keep_locked:
+ folio_unlock(folio) /* lock released */
+
+ /* lock acquired */
+ btrfs_subpage_clear_uptodate()
+ /* use-after-free */
+ subpage = folio_get_private(folio)
+
+[0] 4e346baee95f ("btrfs: reloc: unconditionally invalidate the page cache for each cluster")
+
+Fixes: 9d9ea1e68a05 ("btrfs: subpage: fix relocation potentially overwriting last page data")
+Cc: stable@vger.kernel.org # 6.10-6.16
+Signed-off-by: JP Kobryn <inwardvessel@gmail.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/relocation.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -2811,6 +2811,20 @@ static noinline_for_stack int prealloc_f
+ * will re-read the whole page anyway.
+ */
+ if (!IS_ERR(folio)) {
++ /*
++ * release_folio() could have cleared the folio private data
++ * while we were not holding the lock. Reset the mapping if
++ * needed so subpage operations can access a valid private
++ * folio state.
++ */
++ ret = set_folio_extent_mapped(folio);
++ if (ret) {
++ folio_unlock(folio);
++ folio_put(folio);
++
++ return ret;
++ }
++
+ btrfs_subpage_clear_uptodate(fs_info, folio, i_size,
+ round_up(i_size, PAGE_SIZE) - i_size);
+ folio_unlock(folio);
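Review bot: the added `if (ret)` branch exits with a bare `return ret;` after `folio_unlock(folio)` and `folio_put(folio)`, and the hunk does not show what else prealloc_file_extent_cluster() holds at this point. Please confirm that nothing acquired earlier in the function needs unwinding here, or route the failure through the function's existing exit path so the cleanup stays in one place. It would also help to state in the added comment which error set_folio_extent_mapped() can return, since the caller now sees a new failure mode from a path that previously could not fail. Minor style point: the blank line between `folio_put(folio);` and `return ret;` can be dropped.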
--- /dev/null
+From 205305c028ad986d0649b8b100bab6032dcd1bb5 Mon Sep 17 00:00:00 2001
+From: Chen Ni <nichen@iscas.ac.cn>
+Date: Wed, 12 Nov 2025 15:27:09 +0800
+Subject: net/sched: act_ife: convert comma to semicolon
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+commit 205305c028ad986d0649b8b100bab6032dcd1bb5 upstream.
+
+Replace comma between expressions with semicolons.
+
+Using a ',' in place of a ';' can have unintended side effects.
+Although that is not the case here, it is seems best to use ';'
+unless ',' is intended.
+
+Found by inspection.
+No functional change intended.
+Compile tested only.
+
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/20251112072709.73755-1-nichen@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ife.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -649,9 +649,9 @@ static int tcf_ife_dump(struct sk_buff *
+
+ memset(&opt, 0, sizeof(opt));
+
+- opt.index = ife->tcf_index,
+- opt.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
+- opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
++ opt.index = ife->tcf_index;
++ opt.refcnt = refcount_read(&ife->tcf_refcnt) - ref;
++ opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind;
+
+ spin_lock_bh(&ife->tcf_lock);
+ opt.action = ife->tcf_action;
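Review bot: the commit message understates what the old code did. In the removed lines, the trailing comma after `- bind` made the following `spin_lock_bh(&ife->tcf_lock);` part of the same comma expression as the three assignments. Evaluation order is still left to right, which matches the "No functional change intended" statement, but the message should say that the lock call was chained in, because that is the real reason the comma form is fragile here. The message also carries no Fixes tag and is marked "Compile tested only", so for a stable queue entry it would help to state why the backport is wanted, for example as a prerequisite that lets a later fix to tcf_ife_dump() apply cleanly.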