6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 17 Feb 2026 17:36:53 +0000 (18:36 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 17 Feb 2026 17:36:53 +0000 (18:36 +0100)
added patches:
f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch
f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch
iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch

queue-6.12/f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch [new file with mode: 0644]
queue-6.12/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch [new file with mode: 0644]
queue-6.12/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch [new file with mode: 0644]
queue-6.12/series

diff --git a/queue-6.12/f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch b/queue-6.12/f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch
new file mode 100644 (file)
index 0000000..5bf75e6
--- /dev/null
@@ -0,0 +1,103 @@
+From stable+bounces-216847-greg=kroah.com@vger.kernel.org Tue Feb 17 16:19:16 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 10:19:06 -0500
+Subject: f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
+To: stable@vger.kernel.org
+Cc: Yongpeng Yang <yangyongpeng@xiaomi.com>, stable@kernel.org, Sheng Yong <shengyong1@xiaomi.com>, Jinbao Liu <liujinbao1@xiaomi.com>, Chao Yu <chao@kernel.org>, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260217151906.3676334-1-sashal@kernel.org>
+
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+
+[ Upstream commit 7633a7387eb4d0259d6bea945e1d3469cd135bbc ]
+
+During SPO tests, when mounting F2FS, an -EINVAL error was returned from
+f2fs_recover_inode_page. The issue occurred under the following scenario
+
+Thread A                                     Thread B
+f2fs_ioc_commit_atomic_write
+ - f2fs_do_sync_file // atomic = true
+  - f2fs_fsync_node_pages
+    : last_folio = inode folio
+    : schedule before folio_lock(last_folio) f2fs_write_checkpoint
+                                              - block_operations// writeback last_folio
+                                              - schedule before f2fs_flush_nat_entries
+    : set_fsync_mark(last_folio, 1)
+    : set_dentry_mark(last_folio, 1)
+    : folio_mark_dirty(last_folio)
+    - __write_node_folio(last_folio)
+      : f2fs_down_read(&sbi->node_write)//block
+                                              - f2fs_flush_nat_entries
+                                                : {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED)
+                                              - unblock_operations
+                                                : f2fs_up_write(&sbi->node_write)
+                                             f2fs_write_checkpoint//return
+      : f2fs_do_write_node_page()
+f2fs_ioc_commit_atomic_write//return
+                                             SPO
+
+Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has
+already been written once. However, the {struct nat_entry}->flag did not
+have the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and
+write last_folio again after Thread B finishes f2fs_write_checkpoint.
+
+After SPO and reboot, it was detected that {struct node_info}->blk_addr
+was not NULL_ADDR because Thread B successfully write the checkpoint.
+
+This issue only occurs in atomic write scenarios. For regular file
+fsync operations, the folio must be dirty. If
+block_operations->f2fs_sync_node_pages successfully submit the folio
+write, this path will not be executed. Otherwise, the
+f2fs_write_checkpoint will need to wait for the folio write submission
+to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the
+situation where f2fs_need_dentry_mark checks that the {struct
+nat_entry}->flag /wo the IS_CHECKPOINTED flag, but the folio write has
+already been submitted, will not occur.
+
+Therefore, for atomic file fsync, sbi->node_write should be acquired
+through __write_node_folio to ensure that the IS_CHECKPOINTED flag
+correctly indicates that the checkpoint write has been completed.
+
+Fixes: 608514deba38 ("f2fs: set fsync mark only for the last dnode")
+Cc: stable@kernel.org
+Signed-off-by: Sheng Yong <shengyong1@xiaomi.com>
+Signed-off-by: Jinbao Liu <liujinbao1@xiaomi.com>
+Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ folio => page ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -1713,8 +1713,13 @@ static int __write_node_page(struct page
+               goto redirty_out;
+       }
+-      if (atomic && !test_opt(sbi, NOBARRIER))
+-              fio.op_flags |= REQ_PREFLUSH | REQ_FUA;
++      if (atomic) {
++              if (!test_opt(sbi, NOBARRIER))
++                      fio.op_flags |= REQ_PREFLUSH | REQ_FUA;
++              if (IS_INODE(page))
++                      set_dentry_mark(page,
++                              f2fs_need_dentry_mark(sbi, ino_of_node(page)));
++      }
+       /* should add to global list before clearing PAGECACHE status */
+       if (f2fs_in_warm_node_list(sbi, page)) {
+@@ -1869,8 +1874,9 @@ continue_unlock:
+                                       if (is_inode_flag_set(inode,
+                                                               FI_DIRTY_INODE))
+                                               f2fs_update_inode(inode, page);
+-                                      set_dentry_mark(page,
+-                                              f2fs_need_dentry_mark(sbi, ino));
++                                      if (!atomic)
++                                              set_dentry_mark(page,
++                                                      f2fs_need_dentry_mark(sbi, ino));
+                               }
+                               /* may be written by other thread */
+                               if (!PageDirty(page))
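Review bot: The new `if (atomic)` branch in __write_node_page sets the dentry mark without saying why that decision moved here from f2fs_fsync_node_pages, so the `if (!atomic)` guard in the second nested hunk reads as an arbitrary exception. The commit message explains that for an atomic commit f2fs_need_dentry_mark() must run while sbi->node_write is held so IS_CHECKPOINTED cannot change underneath it, but the hunk does not show that lock being taken — it is presumably acquired elsewhere in __write_node_page, whose body starts before and ends after this hunk. I'd put that reasoning in the code, above `if (IS_INODE(page))`: `/* Atomic commit: decide the dentry mark here, under sbi->node_write, so IS_CHECKPOINTED is stable w.r.t. checkpoint (see f2fs_fsync_node_pages) */`, with a matching one-line comment on the `if (!atomic)` in f2fs_fsync_node_pages pointing back here.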
diff --git a/queue-6.12/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch b/queue-6.12/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch
new file mode 100644 (file)
index 0000000..cfdc169
--- /dev/null
@@ -0,0 +1,80 @@
+From stable+bounces-216849-greg=kroah.com@vger.kernel.org Tue Feb 17 16:20:04 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 10:19:55 -0500
+Subject: f2fs: fix to avoid UAF in f2fs_write_end_io()
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, stable@kernel.org, syzbot+b4444e3c972a7a124187@syzkaller.appspotmail.com, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260217151955.3678030-1-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit ce2739e482bce8d2c014d76c4531c877f382aa54 ]
+
+As syzbot reported an use-after-free issue in f2fs_write_end_io().
+
+It is caused by below race condition:
+
+loop device                            umount
+- worker_thread
+ - loop_process_work
+  - do_req_filebacked
+   - lo_rw_aio
+    - lo_rw_aio_complete
+     - blk_mq_end_request
+      - blk_update_request
+       - f2fs_write_end_io
+        - dec_page_count
+        - folio_end_writeback
+                                       - kill_f2fs_super
+                                        - kill_block_super
+                                         - f2fs_put_super
+                                        : free(sbi)
+       : get_pages(, F2FS_WB_CP_DATA)
+         accessed sbi which is freed
+
+In kill_f2fs_super(), we will drop all page caches of f2fs inodes before
+call free(sbi), it guarantee that all folios should end its writeback, so
+it should be safe to access sbi before last folio_end_writeback().
+
+Let's relocate ckpt thread wakeup flow before folio_end_writeback() to
+resolve this issue.
+
+Cc: stable@kernel.org
+Fixes: e234088758fc ("f2fs: avoid wait if IO end up when do_checkpoint for better performance")
+Reported-by: syzbot+b4444e3c972a7a124187@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b4444e3c972a7a124187
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ folio => page ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/data.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -357,14 +357,20 @@ static void f2fs_write_end_io(struct bio
+                               page_folio(page)->index != nid_of_node(page));
+               dec_page_count(sbi, type);
++
++              /*
++               * we should access sbi before end_page_writeback() to
++               * avoid racing w/ kill_f2fs_super()
++               */
++              if (type == F2FS_WB_CP_DATA && !get_pages(sbi, type) &&
++                              wq_has_sleeper(&sbi->cp_wait))
++                      wake_up(&sbi->cp_wait);
++
+               if (f2fs_in_warm_node_list(sbi, page))
+                       f2fs_del_fsync_node_entry(sbi, page);
+               clear_page_private_gcing(page);
+               end_page_writeback(page);
+       }
+-      if (!get_pages(sbi, F2FS_WB_CP_DATA) &&
+-                              wq_has_sleeper(&sbi->cp_wait))
+-              wake_up(&sbi->cp_wait);
+       bio_put(bio);
+ }
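Review bot: The relocated wakeup in f2fs_write_end_io is only safe as long as nothing after the page loop touches `sbi`, and the new comment does not state that invariant; the remaining `bio_put(bio)` is fine, but any later addition after the loop would silently reintroduce the use-after-free the commit fixes. I'd widen the comment to something like `/* sbi may be freed by kill_f2fs_super() once the last page's writeback ends, so no sbi access may follow end_page_writeback() in this loop or after it */`. One consequence worth a sentence in the comment too: a cp_wait waiter is now woken before `end_page_writeback(page)` on the last CP_DATA page, so a waiter that assumed the writeback bit was already clear would need its own wait — whether any does is not visible from this hunk. The enclosing function begins before the hunk.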
diff --git a/queue-6.12/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch b/queue-6.12/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch
new file mode 100644 (file)
index 0000000..7635b79
--- /dev/null
@@ -0,0 +1,150 @@
+From ed1ac3c977dd6b119405fa36dd41f7151bd5b4de Mon Sep 17 00:00:00 2001
+From: Danilo Krummrich <dakr@kernel.org>
+Date: Wed, 21 Jan 2026 15:12:01 +0100
+Subject: iommu/arm-smmu-qcom: do not register driver in probe()
+
+From: Danilo Krummrich <dakr@kernel.org>
+
+commit ed1ac3c977dd6b119405fa36dd41f7151bd5b4de upstream.
+
+Commit 0b4eeee2876f ("iommu/arm-smmu-qcom: Register the TBU driver in
+qcom_smmu_impl_init") intended to also probe the TBU driver when
+CONFIG_ARM_SMMU_QCOM_DEBUG is disabled, but also moved the corresponding
+platform_driver_register() call into qcom_smmu_impl_init() which is
+called from arm_smmu_device_probe().
+
+However, it neither makes sense to register drivers from probe()
+callbacks of other drivers, nor does the driver core allow registering
+drivers with a device lock already being held.
+
+The latter was revealed by commit dc23806a7c47 ("driver core: enforce
+device_lock for driver_match_device()") leading to a deadlock condition
+described in [1].
+
+Additionally, it was noted by Robin that the current approach is
+potentially racy with async probe [2].
+
+Hence, fix this by registering the qcom_smmu_tbu_driver from
+module_init(). Unfortunately, due to the vendoring of the driver, this
+requires an indirection through arm-smmu-impl.c.
+
+Reported-by: Mark Brown <broonie@kernel.org>
+Closes: https://lore.kernel.org/lkml/7ae38e31-ef31-43ad-9106-7c76ea0e8596@sirena.org.uk/
+Link: https://lore.kernel.org/lkml/DFU7CEPUSG9A.1KKGVW4HIPMSH@kernel.org/ [1]
+Link: https://lore.kernel.org/lkml/0c0d3707-9ea5-44f9-88a1-a65c62e3df8d@arm.com/ [2]
+Fixes: dc23806a7c47 ("driver core: enforce device_lock for driver_match_device()")
+Fixes: 0b4eeee2876f ("iommu/arm-smmu-qcom: Register the TBU driver in qcom_smmu_impl_init")
+Acked-by: Robin Murphy <robin.murphy@arm.com>
+Tested-by: Bjorn Andersson <andersson@kernel.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Acked-by: Konrad Dybcio <konradybcio@kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com> #LX2160ARDB
+Tested-by: Wang Jiayue <akaieurus@gmail.com>
+Reviewed-by: Wang Jiayue <akaieurus@gmail.com>
+Tested-by: Mark Brown <broonie@kernel.org>
+Acked-by: Joerg Roedel <joerg.roedel@amd.com>
+Link: https://patch.msgid.link/20260121141215.29658-1-dakr@kernel.org
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu-impl.c |   14 ++++++++++++++
+ drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c |   14 ++++++++++----
+ drivers/iommu/arm/arm-smmu/arm-smmu.c      |   24 +++++++++++++++++++++++-
+ drivers/iommu/arm/arm-smmu/arm-smmu.h      |    5 +++++
+ 4 files changed, 52 insertions(+), 5 deletions(-)
+
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c
+@@ -227,3 +227,17 @@ struct arm_smmu_device *arm_smmu_impl_in
+       return smmu;
+ }
++
++int __init arm_smmu_impl_module_init(void)
++{
++      if (IS_ENABLED(CONFIG_ARM_SMMU_QCOM))
++              return qcom_smmu_module_init();
++
++      return 0;
++}
++
++void __exit arm_smmu_impl_module_exit(void)
++{
++      if (IS_ENABLED(CONFIG_ARM_SMMU_QCOM))
++              qcom_smmu_module_exit();
++}
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+@@ -638,10 +638,6 @@ struct arm_smmu_device *qcom_smmu_impl_i
+ {
+       const struct device_node *np = smmu->dev->of_node;
+       const struct of_device_id *match;
+-      static u8 tbu_registered;
+-
+-      if (!tbu_registered++)
+-              platform_driver_register(&qcom_smmu_tbu_driver);
+ #ifdef CONFIG_ACPI
+       if (np == NULL) {
+@@ -666,3 +662,13 @@ struct arm_smmu_device *qcom_smmu_impl_i
+       return smmu;
+ }
++
++int __init qcom_smmu_module_init(void)
++{
++      return platform_driver_register(&qcom_smmu_tbu_driver);
++}
++
++void __exit qcom_smmu_module_exit(void)
++{
++      platform_driver_unregister(&qcom_smmu_tbu_driver);
++}
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c
+@@ -2386,7 +2386,29 @@ static struct platform_driver arm_smmu_d
+       .remove_new = arm_smmu_device_remove,
+       .shutdown = arm_smmu_device_shutdown,
+ };
+-module_platform_driver(arm_smmu_driver);
++
++static int __init arm_smmu_init(void)
++{
++      int ret;
++
++      ret = platform_driver_register(&arm_smmu_driver);
++      if (ret)
++              return ret;
++
++      ret = arm_smmu_impl_module_init();
++      if (ret)
++              platform_driver_unregister(&arm_smmu_driver);
++
++      return ret;
++}
++module_init(arm_smmu_init);
++
++static void __exit arm_smmu_exit(void)
++{
++      arm_smmu_impl_module_exit();
++      platform_driver_unregister(&arm_smmu_driver);
++}
++module_exit(arm_smmu_exit);
+ MODULE_DESCRIPTION("IOMMU API for ARM architected SMMU implementations");
+ MODULE_AUTHOR("Will Deacon <will@kernel.org>");
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu.h
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu.h
+@@ -538,6 +538,11 @@ struct arm_smmu_device *arm_smmu_impl_in
+ struct arm_smmu_device *nvidia_smmu_impl_init(struct arm_smmu_device *smmu);
+ struct arm_smmu_device *qcom_smmu_impl_init(struct arm_smmu_device *smmu);
++int __init arm_smmu_impl_module_init(void);
++void __exit arm_smmu_impl_module_exit(void);
++int __init qcom_smmu_module_init(void);
++void __exit qcom_smmu_module_exit(void);
++
+ void arm_smmu_write_context_bank(struct arm_smmu_device *smmu, int idx);
+ int arm_mmu500_reset(struct arm_smmu_device *smmu);
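Review bot: qcom_smmu_module_init() now propagates the platform_driver_register() result and arm_smmu_init() treats a non-zero return as fatal, unregistering arm_smmu_driver, whereas the removed code in qcom_smmu_impl_init() called `platform_driver_register(&qcom_smmu_tbu_driver);` and ignored its result. That turns a failure to register the TBU driver into a failure to load the SMMU driver itself, a stricter policy than before that the commit message does not mention; if it is intended, a comment on the unregister path in arm_smmu_init() such as `/* a TBU registration failure is fatal: do not leave the SMMU driver registered alone */` would record the decision, and if not, arm_smmu_impl_module_init() could log the error and return 0. The `if (IS_ENABLED(CONFIG_ARM_SMMU_QCOM))` calls rely on dead-code elimination to drop the reference to qcom_smmu_module_init() when that option is off, which is an accepted kernel idiom but worth a one-line comment next to the declarations added in arm-smmu.h since they are unconditional there.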
index 756c8272153f95e05fdbb445fa3d79e88d6810a0..67ba5df29f4d75b846b46465f64c3197b6b34f10 100644 (file)
@@ -36,3 +36,6 @@ f2fs-fix-to-add-gc-count-stat-in-f2fs_gc_range.patch
 f2fs-fix-to-check-sysfs-filename-w-gc_pin_file_thresh-correctly.patch
 f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch
 f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch
+iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch
+f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch
+f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch