--- /dev/null
+From 148891e95014b5dc5878acefa57f1940c281c431 Mon Sep 17 00:00:00 2001
+From: Gui-Dong Han <hanguidong02@gmail.com>
+Date: Wed, 3 Dec 2025 01:44:38 +0800
+Subject: bus: fsl-mc: fix use-after-free in driver_override_show()
+
+From: Gui-Dong Han <hanguidong02@gmail.com>
+
+commit 148891e95014b5dc5878acefa57f1940c281c431 upstream.
+
+The driver_override_show() function reads the driver_override string
+without holding the device_lock. However, driver_override_store() uses
+driver_set_override(), which modifies and frees the string while holding
+the device_lock.
+
+This can result in a concurrent use-after-free if the string is freed
+by the store function while being read by the show function.
+
+Fix this by holding the device_lock around the read operation.
+
+Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
+Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com
+Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -202,8 +202,12 @@ static ssize_t driver_override_show(stru
+ struct device_attribute *attr, char *buf)
+ {
+ struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev);
++ ssize_t len;
+
+- return sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_lock(dev);
++ len = sysfs_emit(buf, "%s\n", mc_dev->driver_override);
++ device_unlock(dev);
++ return len;
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
--- /dev/null
+From 52b330799e2d6f825ae2bb74662ec1b10eb954bb Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Mon, 19 Jan 2026 17:25:53 +0900
+Subject: drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit 52b330799e2d6f825ae2bb74662ec1b10eb954bb upstream.
+
+Exynos Virtual Display driver performs memory alloc/free operations
+without lock protection, which easily causes concurrency problem.
+
+For example, use-after-free can occur in race scenario like this:
+```
+ CPU0 CPU1 CPU2
+ ---- ---- ----
+ vidi_connection_ioctl()
+ if (vidi->connection) // true
+ drm_edid = drm_edid_alloc(); // alloc drm_edid
+ ...
+ ctx->raw_edid = drm_edid;
+ ...
+ drm_mode_getconnector()
+ drm_helper_probe_single_connector_modes()
+ vidi_get_modes()
+ if (ctx->raw_edid) // true
+ drm_edid_dup(ctx->raw_edid);
+ if (!drm_edid) // false
+ ...
+ vidi_connection_ioctl()
+ if (vidi->connection) // false
+ drm_edid_free(ctx->raw_edid); // free drm_edid
+ ...
+ drm_edid_alloc(drm_edid->edid)
+ kmemdup(edid); // UAF!!
+ ...
+```
+
+To prevent these vulns, at least in vidi_context, member variables related
+to memory alloc/free should be protected with ctx->lock.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_vidi.c | 38 ++++++++++++++++++++++++++-----
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c
+@@ -187,29 +187,37 @@ static ssize_t vidi_store_connection(str
+ const char *buf, size_t len)
+ {
+ struct vidi_context *ctx = dev_get_drvdata(dev);
+- int ret;
++ int ret, new_connected;
+
+- ret = kstrtoint(buf, 0, &ctx->connected);
++ ret = kstrtoint(buf, 0, &new_connected);
+ if (ret)
+ return ret;
+-
+- if (ctx->connected > 1)
++ if (new_connected > 1)
+ return -EINVAL;
+
++ mutex_lock(&ctx->lock);
++
+ /*
+ * Use fake edid data for test. If raw_edid is set then it can't be
+ * tested.
+ */
+ if (ctx->raw_edid) {
+ DRM_DEV_DEBUG_KMS(dev, "edid data is not fake data.\n");
+- return -EINVAL;
++ ret = -EINVAL;
++ goto fail;
+ }
+
++ ctx->connected = new_connected;
++ mutex_unlock(&ctx->lock);
++
+ DRM_DEV_DEBUG_KMS(dev, "requested connection.\n");
+
+ drm_helper_hpd_irq_event(ctx->drm_dev);
+
+ return len;
++fail:
++ mutex_unlock(&ctx->lock);
++ return ret;
+ }
+
+ static DEVICE_ATTR(connection, 0644, vidi_show_connection,
+@@ -239,11 +247,14 @@ int vidi_connection_ioctl(struct drm_dev
+ return -EINVAL;
+ }
+
++ mutex_lock(&ctx->lock);
+ if (ctx->connected == vidi->connection) {
++ mutex_unlock(&ctx->lock);
+ DRM_DEV_DEBUG_KMS(ctx->dev,
+ "same connection request.\n");
+ return -EINVAL;
+ }
++ mutex_unlock(&ctx->lock);
+
+ if (vidi->connection) {
+ const struct drm_edid *drm_edid;
+@@ -263,14 +274,21 @@ int vidi_connection_ioctl(struct drm_dev
+ "edid data is invalid.\n");
+ return -EINVAL;
+ }
++ mutex_lock(&ctx->lock);
+ ctx->raw_edid = drm_edid;
++ mutex_unlock(&ctx->lock);
+ } else {
+ /* with connection = 0, free raw_edid */
++ mutex_lock(&ctx->lock);
+ drm_edid_free(ctx->raw_edid);
+ ctx->raw_edid = NULL;
++ mutex_unlock(&ctx->lock);
+ }
+
++ mutex_lock(&ctx->lock);
+ ctx->connected = vidi->connection;
++ mutex_unlock(&ctx->lock);
++
+ drm_helper_hpd_irq_event(ctx->drm_dev);
+
+ return 0;
+@@ -285,7 +303,7 @@ static enum drm_connector_status vidi_de
+ * connection request would come from user side
+ * to do hotplug through specific ioctl.
+ */
+- return ctx->connected ? connector_status_connected :
++ return READ_ONCE(ctx->connected) ? connector_status_connected :
+ connector_status_disconnected;
+ }
+
+@@ -308,11 +326,15 @@ static int vidi_get_modes(struct drm_con
+ const struct drm_edid *drm_edid;
+ int count;
+
++ mutex_lock(&ctx->lock);
++
+ if (ctx->raw_edid)
+ drm_edid = drm_edid_dup(ctx->raw_edid);
+ else
+ drm_edid = drm_edid_alloc(fake_edid_info, sizeof(fake_edid_info));
+
++ mutex_unlock(&ctx->lock);
++
+ drm_edid_connector_update(connector, drm_edid);
+
+ count = drm_edid_connector_add_modes(connector);
+@@ -457,9 +479,13 @@ static void vidi_remove(struct platform_
+ {
+ struct vidi_context *ctx = platform_get_drvdata(pdev);
+
++ mutex_lock(&ctx->lock);
++
+ drm_edid_free(ctx->raw_edid);
+ ctx->raw_edid = NULL;
+
++ mutex_unlock(&ctx->lock);
++
+ component_del(&pdev->dev, &vidi_component_ops);
+ }
+
--- /dev/null
+From 1caf50ce4af096d0280d59a31abdd85703cd995c Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Fri, 6 Feb 2026 06:30:05 +0800
+Subject: erofs: fix UAF issue for file-backed mounts w/ directio option
+
+From: Chao Yu <chao@kernel.org>
+
+commit 1caf50ce4af096d0280d59a31abdd85703cd995c upstream.
+
+[ 9.269940][ T3222] Call trace:
+[ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108
+[ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198
+[ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180
+[ 9.270008][ T3222] erofs_fileio_submit_bio+0x14/0x24
+[ 9.270030][ T3222] z_erofs_runqueue+0x834/0x8ac
+[ 9.270054][ T3222] z_erofs_read_folio+0x120/0x220
+[ 9.270083][ T3222] filemap_read_folio+0x60/0x120
+[ 9.270102][ T3222] filemap_fault+0xcac/0x1060
+[ 9.270119][ T3222] do_pte_missing+0x2d8/0x1554
+[ 9.270131][ T3222] handle_mm_fault+0x5ec/0x70c
+[ 9.270142][ T3222] do_page_fault+0x178/0x88c
+[ 9.270167][ T3222] do_translation_fault+0x38/0x54
+[ 9.270183][ T3222] do_mem_abort+0x54/0xac
+[ 9.270208][ T3222] el0_da+0x44/0x7c
+[ 9.270227][ T3222] el0t_64_sync_handler+0x5c/0xf4
+[ 9.270253][ T3222] el0t_64_sync+0x1bc/0x1c0
+
+EROFS may encounter above panic when enabling file-backed mount w/
+directio mount option, the root cause is it may suffer UAF in below
+race condition:
+
+- z_erofs_read_folio wq s_dio_done_wq
+ - z_erofs_runqueue
+ - erofs_fileio_submit_bio
+ - erofs_fileio_rq_submit
+ - vfs_iocb_iter_read
+ - ext4_file_read_iter
+ - ext4_dio_read_iter
+ - iomap_dio_rw
+ : bio was submitted and return -EIOCBQUEUED
+ - dio_aio_complete_work
+ - dio_complete
+ - dio->iocb->ki_complete (erofs_fileio_ki_complete())
+ - kfree(rq)
+ : it frees iocb, iocb.ki_filp can be UAF in file_accessed().
+ - file_accessed
+ : access NULL file point
+
+Introduce a reference count in struct erofs_fileio_rq, and initialize it
+as two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will
+decrease reference count, the last one decreasing the reference count
+to zero will free rq.
+
+Cc: stable@kernel.org
+Fixes: fb176750266a ("erofs: add file-backed mount support")
+Fixes: 6422cde1b0d5 ("erofs: use buffered I/O for file-backed mounts by default")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/erofs/fileio.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/erofs/fileio.c
++++ b/fs/erofs/fileio.c
+@@ -10,6 +10,7 @@ struct erofs_fileio_rq {
+ struct bio bio;
+ struct kiocb iocb;
+ struct super_block *sb;
++ refcount_t ref;
+ };
+
+ struct erofs_fileio {
+@@ -42,7 +43,8 @@ static void erofs_fileio_ki_complete(str
+ }
+ bio_endio(&rq->bio);
+ bio_uninit(&rq->bio);
+- kfree(rq);
++ if (refcount_dec_and_test(&rq->ref))
++ kfree(rq);
+ }
+
+ static void erofs_fileio_rq_submit(struct erofs_fileio_rq *rq)
+@@ -64,6 +66,8 @@ static void erofs_fileio_rq_submit(struc
+ ret = vfs_iocb_iter_read(rq->iocb.ki_filp, &rq->iocb, &iter);
+ if (ret != -EIOCBQUEUED)
+ erofs_fileio_ki_complete(&rq->iocb, ret);
++ if (refcount_dec_and_test(&rq->ref))
++ kfree(rq);
+ }
+
+ static struct erofs_fileio_rq *erofs_fileio_rq_alloc(struct erofs_map_dev *mdev)
+@@ -74,6 +78,7 @@ static struct erofs_fileio_rq *erofs_fil
+ bio_init(&rq->bio, NULL, rq->bvecs, ARRAY_SIZE(rq->bvecs), REQ_OP_READ);
+ rq->iocb.ki_filp = mdev->m_dif->file;
+ rq->sb = mdev->m_sb;
++ refcount_set(&rq->ref, 2);
+ return rq;
+ }
+
--- /dev/null
+From 7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c Mon Sep 17 00:00:00 2001
+From: Liu Song <liu.song13@zte.com.cn>
+Date: Thu, 10 Jul 2025 14:38:45 +0800
+Subject: PCI: endpoint: Avoid creating sub-groups asynchronously
+
+From: Liu Song <liu.song13@zte.com.cn>
+
+commit 7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c upstream.
+
+The asynchronous creation of sub-groups by a delayed work could lead to a
+NULL pointer dereference when the driver directory is removed before the
+work completes.
+
+The crash can be easily reproduced with the following commands:
+
+ # cd /sys/kernel/config/pci_ep/functions/pci_epf_test
+ # for i in {1..20}; do mkdir test && rmdir test; done
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000088
+ ...
+ Call Trace:
+ configfs_register_group+0x3d/0x190
+ pci_epf_cfs_work+0x41/0x110
+ process_one_work+0x18f/0x350
+ worker_thread+0x25a/0x3a0
+
+Fix this issue by using configfs_add_default_group() API which does not
+have the deadlock problem as configfs_register_group() and does not require
+the delayed work handler.
+
+Fixes: e85a2d783762 ("PCI: endpoint: Add support in configfs to associate two EPCs with EPF")
+Signed-off-by: Liu Song <liu.song13@zte.com.cn>
+[mani: slightly reworded the description and added stable list]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@kernel.org
+Link: https://patch.msgid.link/20250710143845409gLM6JdlwPhlHG9iX3F6jK@zte.com.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/pci-ep-cfs.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+--- a/drivers/pci/endpoint/pci-ep-cfs.c
++++ b/drivers/pci/endpoint/pci-ep-cfs.c
+@@ -23,7 +23,6 @@ struct pci_epf_group {
+ struct config_group group;
+ struct config_group primary_epc_group;
+ struct config_group secondary_epc_group;
+- struct delayed_work cfs_work;
+ struct pci_epf *epf;
+ int index;
+ };
+@@ -103,7 +102,7 @@ static struct config_group
+ secondary_epc_group = &epf_group->secondary_epc_group;
+ config_group_init_type_name(secondary_epc_group, "secondary",
+ &pci_secondary_epc_type);
+- configfs_register_group(&epf_group->group, secondary_epc_group);
++ configfs_add_default_group(secondary_epc_group, &epf_group->group);
+
+ return secondary_epc_group;
+ }
+@@ -166,7 +165,7 @@ static struct config_group
+
+ config_group_init_type_name(primary_epc_group, "primary",
+ &pci_primary_epc_type);
+- configfs_register_group(&epf_group->group, primary_epc_group);
++ configfs_add_default_group(primary_epc_group, &epf_group->group);
+
+ return primary_epc_group;
+ }
+@@ -570,15 +569,13 @@ static void pci_ep_cfs_add_type_group(st
+ return;
+ }
+
+- configfs_register_group(&epf_group->group, group);
++ configfs_add_default_group(group, &epf_group->group);
+ }
+
+-static void pci_epf_cfs_work(struct work_struct *work)
++static void pci_epf_cfs_add_sub_groups(struct pci_epf_group *epf_group)
+ {
+- struct pci_epf_group *epf_group;
+ struct config_group *group;
+
+- epf_group = container_of(work, struct pci_epf_group, cfs_work.work);
+ group = pci_ep_cfs_add_primary_group(epf_group);
+ if (IS_ERR(group)) {
+ pr_err("failed to create 'primary' EPC interface\n");
+@@ -637,9 +634,7 @@ static struct config_group *pci_epf_make
+
+ kfree(epf_name);
+
+- INIT_DELAYED_WORK(&epf_group->cfs_work, pci_epf_cfs_work);
+- queue_delayed_work(system_wq, &epf_group->cfs_work,
+- msecs_to_jiffies(1));
++ pci_epf_cfs_add_sub_groups(epf_group);
+
+ return &epf_group->group;
+
scsi-qla2xxx-free-sp-in-error-path-to-fix-system-crash.patch
scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch
sched-mmcid-don-t-assume-cid-is-cpu-owned-on-mode-switch.patch
+bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch
+erofs-fix-uaf-issue-for-file-backed-mounts-w-directio-option.patch
+xfs-fix-uaf-in-xchk_btree_check_block_owner.patch
+drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch
+pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
+wifi-rtl8xxxu-fix-slab-out-of-bounds-in-rtl8xxxu_sta_add.patch
--- /dev/null
+From 86c946bcc00f6390ef65e9614ae60a9377e454f8 Mon Sep 17 00:00:00 2001
+From: Ali Tariq <alitariq45892@gmail.com>
+Date: Thu, 25 Dec 2025 11:54:29 +0000
+Subject: wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add
+
+From: Ali Tariq <alitariq45892@gmail.com>
+
+commit 86c946bcc00f6390ef65e9614ae60a9377e454f8 upstream.
+
+The driver does not set hw->sta_data_size, which causes mac80211 to
+allocate insufficient space for driver private station data in
+__sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of
+struct rtl8xxxu_sta_info through sta->drv_priv, this results in a
+slab-out-of-bounds write.
+
+KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:
+
+ BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346
+ Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12
+
+Set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during
+probe, similar to how hw->vif_data_size is configured. This ensures
+mac80211 allocates sufficient space for the driver's per-station
+private data.
+
+Tested on StarFive VisionFive 2 v1.2A board.
+
+Fixes: eef55f1545c9 ("wifi: rtl8xxxu: support multiple interfaces in {add,remove}_interface()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ali Tariq <alitariq45892@gmail.com>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20251225115430.13011-1-alitariq45892@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/core.c
+@@ -7826,6 +7826,7 @@ static int rtl8xxxu_probe(struct usb_int
+ goto err_set_intfdata;
+
+ hw->vif_data_size = sizeof(struct rtl8xxxu_vif);
++ hw->sta_data_size = sizeof(struct rtl8xxxu_sta_info);
+
+ hw->wiphy->max_scan_ssids = 1;
+ hw->wiphy->max_scan_ie_len = IEEE80211_MAX_DATA_LEN;
--- /dev/null
+From 1c253e11225bc5167217897885b85093e17c2217 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <djwong@kernel.org>
+Date: Fri, 23 Jan 2026 09:27:39 -0800
+Subject: xfs: fix UAF in xchk_btree_check_block_owner
+
+From: Darrick J. Wong <djwong@kernel.org>
+
+commit 1c253e11225bc5167217897885b85093e17c2217 upstream.
+
+We cannot dereference bs->cur when trying to determine if bs->cur
+aliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed.
+Fix this by sampling before type before any freeing could happen.
+The correct temporal ordering was broken when we removed xfs_btnum_t.
+
+Cc: r772577952@gmail.com
+Cc: <stable@vger.kernel.org> # v6.9
+Fixes: ec793e690f801d ("xfs: remove xfs_btnum_t")
+Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Tested-by: Jiaming Zhang <r772577952@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/scrub/btree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/xfs/scrub/btree.c
++++ b/fs/xfs/scrub/btree.c
+@@ -370,12 +370,15 @@ xchk_btree_check_block_owner(
+ {
+ xfs_agnumber_t agno;
+ xfs_agblock_t agbno;
++ bool is_bnobt, is_rmapbt;
+ bool init_sa;
+ int error = 0;
+
+ if (!bs->cur)
+ return 0;
+
++ is_bnobt = xfs_btree_is_bno(bs->cur->bc_ops);
++ is_rmapbt = xfs_btree_is_rmap(bs->cur->bc_ops);
+ agno = xfs_daddr_to_agno(bs->cur->bc_mp, daddr);
+ agbno = xfs_daddr_to_agbno(bs->cur->bc_mp, daddr);
+
+@@ -398,11 +401,11 @@ xchk_btree_check_block_owner(
+ * have to nullify it (to shut down further block owner checks) if
+ * self-xref encounters problems.
+ */
+- if (!bs->sc->sa.bno_cur && xfs_btree_is_bno(bs->cur->bc_ops))
++ if (!bs->sc->sa.bno_cur && is_bnobt)
+ bs->cur = NULL;
+
+ xchk_xref_is_only_owned_by(bs->sc, agbno, 1, bs->oinfo);
+- if (!bs->sc->sa.rmap_cur && xfs_btree_is_rmap(bs->cur->bc_ops))
++ if (!bs->sc->sa.rmap_cur && is_rmapbt)
+ bs->cur = NULL;
+
+ out_free:
projects / thirdparty / kernel / stable-queue.git / commitdiff
