]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 2 Jul 2026 13:17:08 +0000 (15:17 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 2 Jul 2026 13:17:08 +0000 (15:17 +0200)
added patches:
bpf-use-kvfree-for-replaced-sysctl-write-buffer.patch
exfat-fix-potential-use-after-free-in-exfat_find_dir_entry.patch
f2fs-fix-to-round-down-start-offset-of-fallocate-for-pin-file.patch
f2fs-validate-acl-entry-sizes-in-f2fs_acl_from_disk.patch
f2fs-validate-compress-cache-inode-only-when-enabled.patch
mips-dec-prevent-initial-console-buffer-from-landing-in-xkphys.patch

queue-6.1/bpf-use-kvfree-for-replaced-sysctl-write-buffer.patch [new file with mode: 0644]
queue-6.1/exfat-fix-potential-use-after-free-in-exfat_find_dir_entry.patch [new file with mode: 0644]
queue-6.1/f2fs-fix-to-round-down-start-offset-of-fallocate-for-pin-file.patch [new file with mode: 0644]
queue-6.1/f2fs-validate-acl-entry-sizes-in-f2fs_acl_from_disk.patch [new file with mode: 0644]
queue-6.1/f2fs-validate-compress-cache-inode-only-when-enabled.patch [new file with mode: 0644]
queue-6.1/mips-dec-prevent-initial-console-buffer-from-landing-in-xkphys.patch [new file with mode: 0644]
queue-6.1/series

diff --git a/queue-6.1/bpf-use-kvfree-for-replaced-sysctl-write-buffer.patch b/queue-6.1/bpf-use-kvfree-for-replaced-sysctl-write-buffer.patch
new file mode 100644 (file)
index 0000000..e7ef70f
--- /dev/null
@@ -0,0 +1,89 @@
+From 4c21b5927d4364bfe7365f2700da5fea0ed0d004 Mon Sep 17 00:00:00 2001
+From: Dawei Feng <dawei.feng@seu.edu.cn>
+Date: Wed, 3 Jun 2026 18:53:16 +0800
+Subject: bpf: use kvfree() for replaced sysctl write buffer
+
+From: Dawei Feng <dawei.feng@seu.edu.cn>
+
+commit 4c21b5927d4364bfe7365f2700da5fea0ed0d004 upstream.
+
+proc_sys_call_handler() allocates its temporary sysctl buffer with
+kvzalloc() and passes it to __cgroup_bpf_run_filter_sysctl(). Since
+kvzalloc() may fall back to vmalloc() for large allocations, freeing
+that buffer with kfree() is wrong and can corrupt memory.
+
+Use kvfree() to safely handle both kmalloc and kvzalloc()/vmalloc
+allocations.
+
+The bug was first flagged by an experimental analysis tool we are
+developing for kernel memory-management bugs while analyzing
+v6.13-rc1. The tool is still under development and is not yet publicly
+available. Manual inspection confirms that the bug is still
+present in v7.1-rc5.
+
+Reproduced the bug based on v7.1-rc4 in a QEMU x86_64 guest booted with
+KASAN and CONFIG_FAILSLAB enabled. To exercise the replacement path, the
+test tree also included the accompanying fix for the stale ret == 1
+check in __cgroup_bpf_run_filter_sysctl(). The reproducer confines
+failslab injections to the proc_sys_call_handler() range, uses
+stacktrace-depth=32, and injects fail-nth=1 while writing 8191 bytes to
+/proc/sys/kernel/domainname from a task in the target cgroup. Under
+that setup, fail-nth=1 triggered the fault:
+
+  BUG: unable to handle page fault for address: ffffeb0200024d48
+  #PF: supervisor read access in kernel mode
+  #PF: error_code(0x0000) - not-present page
+  PGD 0 P4D 0
+  Oops: Oops: 0000  SMP KASAN NOPTI
+  CPU: 2 UID: 0 PID: 209 Comm: repro_proc_sys_ Not tainted 7.1.0-rc4-00686-g97625979a5d4  PREEMPT(lazy)
+  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+  RIP: 0010:kfree+0x6e/0x510
+  ...
+  Call Trace:
+   <TASK>
+   ? __cgroup_bpf_run_filter_sysctl+0x626/0xc30
+   __cgroup_bpf_run_filter_sysctl+0x74d/0xc30
+   ? __pfx___cgroup_bpf_run_filter_sysctl+0x10/0x10
+   ? srso_return_thunk+0x5/0x5f
+   ? __kvmalloc_node_noprof+0x345/0x870
+   ? proc_sys_call_handler+0x250/0x480
+   ? srso_return_thunk+0x5/0x5f
+   proc_sys_call_handler+0x3a2/0x480
+   ? __pfx_proc_sys_call_handler+0x10/0x10
+   ? srso_return_thunk+0x5/0x5f
+   ? selinux_file_permission+0x39f/0x500
+   ? srso_return_thunk+0x5/0x5f
+   ? lock_is_held_type+0x9e/0x120
+   vfs_write+0x98e/0x1000
+   ...
+   </TASK>
+
+With this fix applied on top of the same test setup, rerunning the
+reproducer with fail-nth=1 yields no corresponding Oops reports.
+
+Fixes: 4508943794ef ("proc: use kvzalloc for our kernel buffer")
+Cc: stable@vger.kernel.org
+
+Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
+Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
+Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
+Link: https://lore.kernel.org/r/20260603105317.944304-3-dawei.feng@seu.edu.cn
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/cgroup.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/cgroup.c
++++ b/kernel/bpf/cgroup.c
+@@ -1745,7 +1745,7 @@ int __cgroup_bpf_run_filter_sysctl(struc
+       kfree(ctx.cur_val);
+       if (ret == 1 && ctx.new_updated) {
+-              kfree(*buf);
++              kvfree(*buf);
+               *buf = ctx.new_val;
+               *pcount = ctx.new_len;
+       } else {
diff --git a/queue-6.1/exfat-fix-potential-use-after-free-in-exfat_find_dir_entry.patch b/queue-6.1/exfat-fix-potential-use-after-free-in-exfat_find_dir_entry.patch
new file mode 100644 (file)
index 0000000..4f9b71d
--- /dev/null
@@ -0,0 +1,90 @@
+From 3f5f8ee9917cc2b9076ac533492d8a200edcabb8 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Wed, 22 Apr 2026 11:58:44 -0400
+Subject: exfat: fix potential use-after-free in exfat_find_dir_entry()
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit 3f5f8ee9917cc2b9076ac533492d8a200edcabb8 upstream.
+
+In exfat_find_dir_entry(), the buffer_head obtained from
+exfat_get_dentry() is released with brelse(bh) before the fall-through
+TYPE_EXTEND branch reads the directory entry through ep (which points
+into bh->b_data):
+
+       brelse(bh);
+       if (entry_type == TYPE_EXTEND) {
+               ...
+               len = exfat_extract_uni_name(ep, entry_uniname);
+               ...
+       }
+
+After brelse() drops our reference, nothing guarantees that the
+underlying page backing bh->b_data remains valid for the subsequent
+exfat_extract_uni_name() read. This is the same pattern fixed in
+commit fc961522ddbd ("exfat: Fix potential use after free in
+exfat_load_upcase_table()").
+
+Move brelse(bh) so it runs after ep is no longer dereferenced on
+each branch.
+
+Confirmed on QEMU x86_64 with CONFIG_KASAN=y + CONFIG_DEBUG_PAGEALLOC=y
++ CONFIG_PAGE_POISONING=y on linux-next, using a crafted exFAT image
+(long filename with same-hash collisions forcing the TYPE_EXTEND path).
+With a debug-only invalidate_bdev() inserted between brelse(bh) and
+the ep read to make the stale-deref window deterministic, the
+unpatched kernel faults:
+
+  BUG: KASAN: use-after-free in exfat_find_dir_entry+0x133b/0x15a0
+  BUG: unable to handle page fault for address: ffff88801a5fa0c2
+  Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
+  RIP: 0010:exfat_find_dir_entry+0x1188/0x15a0
+
+With this patch applied, the same instrumented harness completes
+cleanly under the same sanitizer stack. I have not reproduced a
+crash on an uninstrumented kernel under ordinary reclaim; the
+instrumented A/B establishes the lifetime violation and that the
+patch closes it, not an unaided triggerability claim.
+
+Fixes: ca06197382bd ("exfat: add directory operations")
+Cc: stable@vger.kernel.org
+Assisted-by: Claude:claude-opus-4-7
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exfat/dir.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/exfat/dir.c
++++ b/fs/exfat/dir.c
+@@ -1040,12 +1040,12 @@ rewind:
+                               continue;
+                       }
+-                      brelse(bh);
+                       if (entry_type == TYPE_EXTEND) {
+                               unsigned short entry_uniname[16], unichar;
+                               if (step != DIRENT_STEP_NAME ||
+                                   name_len >= MAX_NAME_LENGTH) {
++                                      brelse(bh);
+                                       step = DIRENT_STEP_FILE;
+                                       continue;
+                               }
+@@ -1056,6 +1056,7 @@ rewind:
+                                       uniname += EXFAT_FILE_NAME_LEN;
+                               len = exfat_extract_uni_name(ep, entry_uniname);
++                              brelse(bh);
+                               name_len += len;
+                               unichar = *(uniname+len);
+@@ -1074,6 +1075,7 @@ rewind:
+                               continue;
+                       }
++                      brelse(bh);
+                       if (entry_type &
+                                       (TYPE_CRITICAL_SEC | TYPE_BENIGN_SEC)) {
+                               if (step == DIRENT_STEP_SECD) {
diff --git a/queue-6.1/f2fs-fix-to-round-down-start-offset-of-fallocate-for-pin-file.patch b/queue-6.1/f2fs-fix-to-round-down-start-offset-of-fallocate-for-pin-file.patch
new file mode 100644 (file)
index 0000000..108ae58
--- /dev/null
@@ -0,0 +1,71 @@
+From 4275b59673eb60b02eec3997816c83f1f4b909c4 Mon Sep 17 00:00:00 2001
+From: Sunmin Jeong <s_min.jeong@samsung.com>
+Date: Mon, 22 Jun 2026 14:28:17 +0900
+Subject: f2fs: fix to round down start offset of fallocate for pin file
+
+From: Sunmin Jeong <s_min.jeong@samsung.com>
+
+commit 4275b59673eb60b02eec3997816c83f1f4b909c4 upstream.
+
+Currently, the length of fallocate for pin file is section-aligned to
+keep allocated sections from being selected as victims of GC. However,
+for the case that the start offset of fallocate is not aligned in
+section, the allocated sections can't be fully utilized. It's because a
+new section is allocated by f2fs_allocate_pinning_section() after using
+blks_per_sec blocks regardless of the start offset. As a result, several
+unexpected dirty segments may be created, including blocks assigned to
+the pinned file.
+
+To address this issue, let's round down the start offset of fallocate
+to the length of section.
+
+The reproducing scenario is as below
+
+chunk=$(((2<<20)+4096)) # 2MB + 4KB
+touch test
+f2fs_io pinfile set test
+f2fs_io fallocate 0 0 $chunk test
+f2fs_io fallocate 0 $chunk $chunk test
+f2fs_io fallocate 0 $((chunk*2)) $chunk test
+f2fs_io fiemap 0 $((chunk*3)) test
+
+Fiemap: offset = 0 len = 12288
+    logical addr.    physical addr.   length           flags
+0   0000000000000000 000000068c600000 0000000000400000 00001088
+1   0000000000400000 000000003d400000 0000000000001000 00001088
+2   0000000000401000 00000003eb200000 0000000000200000 00001088
+3   0000000000601000 00000005e4200000 0000000000001000 00001088
+4   0000000000602000 0000000605400000 0000000000200000 00001089
+
+Cc: stable@vger.kernel.org
+Fixes: f5a53edcf01e ("f2fs: support aligned pinned file")
+Reviewed-by: Yunji Kang <yunji0.kang@samsung.com>
+Reviewed-by: Yeongjin Gil <youngjin.gil@samsung.com>
+Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
+Signed-off-by: Sunmin Jeong <s_min.jeong@samsung.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/file.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1786,8 +1786,15 @@ static int expand_inode_data(struct inod
+       if (f2fs_is_pinned_file(inode)) {
+               block_t sec_blks = CAP_BLKS_PER_SEC(sbi);
+-              block_t sec_len = roundup(map.m_len, sec_blks);
++              block_t sec_len;
++              if (map.m_lblk % sec_blks) {
++                      map.m_lblk = rounddown(map.m_lblk, sec_blks);
++                      map.m_len = pg_end - map.m_lblk;
++                      if (off_end)
++                              map.m_len++;
++              }
++              sec_len = roundup(map.m_len, sec_blks);
+               map.m_len = sec_blks;
+ next_alloc:
+               if (has_not_enough_free_secs(sbi, 0,
diff --git a/queue-6.1/f2fs-validate-acl-entry-sizes-in-f2fs_acl_from_disk.patch b/queue-6.1/f2fs-validate-acl-entry-sizes-in-f2fs_acl_from_disk.patch
new file mode 100644 (file)
index 0000000..5fea004
--- /dev/null
@@ -0,0 +1,118 @@
+From c4810ada31e80cbe4011467c4f3b1e93f94134f3 Mon Sep 17 00:00:00 2001
+From: Zhang Cen <rollkingzzc@gmail.com>
+Date: Mon, 15 Jun 2026 15:19:54 +0800
+Subject: f2fs: validate ACL entry sizes in f2fs_acl_from_disk()
+
+From: Zhang Cen <rollkingzzc@gmail.com>
+
+commit c4810ada31e80cbe4011467c4f3b1e93f94134f3 upstream.
+
+f2fs_acl_count() only validates the aggregate ACL xattr length. A
+malformed ACL can still place ACL_USER or ACL_GROUP in a slot that only
+contains struct f2fs_acl_entry_short bytes, and f2fs_acl_from_disk()
+then reads entry->e_id before verifying that a full entry fits.
+
+Require a short entry before reading e_tag and e_perm, and require a
+full entry before reading e_id for ACL_USER and ACL_GROUP. Return
+-EFSCORRUPTED from these new truncated-entry checks, while keeping the
+pre-existing -EINVAL paths unchanged.
+
+Validation reproduced this kernel report:
+KASAN slab-out-of-bounds in __f2fs_get_acl+0x6fb/0x7e0
+RIP: 0033:0x7f4b835ea7aa
+The buggy address belongs to the object at ffff888114589960 which belongs
+to the cache kmalloc-8 of size 8
+The buggy address is located 0 bytes to the right of allocated 8-byte
+region [ffff888114589960, ffff888114589968)
+Read of size 4
+Call trace:
+  dump_stack_lvl+0x66/0xa0 (?:?)
+  print_report+0xce/0x630 (?:?)
+  __f2fs_get_acl+0x6fb/0x7e0 (fs/f2fs/acl.c:169)
+  srso_alias_return_thunk+0x5/0xfbef5 (?:?)
+  __virt_addr_valid+0x224/0x430 (?:?)
+  kasan_report+0xe0/0x110 (?:?)
+  __f2fs_get_acl+0x5/0x7e0 (fs/f2fs/acl.c:169)
+  __get_acl+0x281/0x380 (?:?)
+  vfs_get_acl+0x10b/0x190 (?:?)
+  do_get_acl+0x2a/0x410 (?:?)
+  do_get_acl+0x9/0x410 (?:?)
+  do_getxattr+0xe8/0x260 (?:?)
+  filename_getxattr+0xd1/0x140 (?:?)
+  do_getname+0x2d/0x2d0 (?:?)
+  path_getxattrat+0x16c/0x200 (?:?)
+  lock_release+0xc8/0x290 (?:?)
+  cgroup_update_frozen+0x9d/0x320 (?:?)
+  lockdep_hardirqs_on_prepare+0xea/0x1a0 (?:?)
+  trace_hardirqs_on+0x1a/0x170 (?:?)
+  _raw_spin_unlock_irq+0x28/0x50 (?:?)
+  do_syscall_64+0x115/0x6a0 (arch/x86/entry/syscall_64.c:87)
+  entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)
+
+Cc: stable@kernel.org
+Fixes: af48b85b8cd3 ("f2fs: add xattr and acl functionalities")
+Assisted-by: Codex:gpt-5.5
+Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/acl.c |   18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/acl.c
++++ b/fs/f2fs/acl.c
+@@ -46,6 +46,7 @@ static inline int f2fs_acl_count(size_t
+ static struct posix_acl *f2fs_acl_from_disk(const char *value, size_t size)
+ {
+       int i, count;
++      int err = -EINVAL;
+       struct posix_acl *acl;
+       struct f2fs_acl_header *hdr = (struct f2fs_acl_header *)value;
+       struct f2fs_acl_entry *entry = (struct f2fs_acl_entry *)(hdr + 1);
+@@ -69,8 +70,11 @@ static struct posix_acl *f2fs_acl_from_d
+       for (i = 0; i < count; i++) {
+-              if ((char *)entry > end)
++              if (unlikely((char *)entry +
++                              sizeof(struct f2fs_acl_entry_short) > end)) {
++                      err = -EFSCORRUPTED;
+                       goto fail;
++              }
+               acl->a_entries[i].e_tag  = le16_to_cpu(entry->e_tag);
+               acl->a_entries[i].e_perm = le16_to_cpu(entry->e_perm);
+@@ -85,6 +89,11 @@ static struct posix_acl *f2fs_acl_from_d
+                       break;
+               case ACL_USER:
++                      if (unlikely((char *)entry +
++                                      sizeof(struct f2fs_acl_entry) > end)) {
++                              err = -EFSCORRUPTED;
++                              goto fail;
++                      }
+                       acl->a_entries[i].e_uid =
+                               make_kuid(&init_user_ns,
+                                               le32_to_cpu(entry->e_id));
+@@ -92,6 +101,11 @@ static struct posix_acl *f2fs_acl_from_d
+                                       sizeof(struct f2fs_acl_entry));
+                       break;
+               case ACL_GROUP:
++                      if (unlikely((char *)entry +
++                                      sizeof(struct f2fs_acl_entry) > end)) {
++                              err = -EFSCORRUPTED;
++                              goto fail;
++                      }
+                       acl->a_entries[i].e_gid =
+                               make_kgid(&init_user_ns,
+                                               le32_to_cpu(entry->e_id));
+@@ -107,7 +121,7 @@ static struct posix_acl *f2fs_acl_from_d
+       return acl;
+ fail:
+       posix_acl_release(acl);
+-      return ERR_PTR(-EINVAL);
++      return ERR_PTR(err);
+ }
+ static void *f2fs_acl_to_disk(struct f2fs_sb_info *sbi,
diff --git a/queue-6.1/f2fs-validate-compress-cache-inode-only-when-enabled.patch b/queue-6.1/f2fs-validate-compress-cache-inode-only-when-enabled.patch
new file mode 100644 (file)
index 0000000..b727568
--- /dev/null
@@ -0,0 +1,53 @@
+From 5073c66a96a9c23c0c2533ed4ed06e42f9021208 Mon Sep 17 00:00:00 2001
+From: Wenjie Qi <qwjhust@gmail.com>
+Date: Thu, 21 May 2026 11:16:18 +0800
+Subject: f2fs: validate compress cache inode only when enabled
+
+From: Wenjie Qi <qwjhust@gmail.com>
+
+commit 5073c66a96a9c23c0c2533ed4ed06e42f9021208 upstream.
+
+F2FS_COMPRESS_INO() uses NM_I(sbi)->max_nid as the synthetic inode
+number for the compressed page cache inode. That inode only exists when
+the compress_cache mount option is enabled.
+
+When compress_cache is disabled, max_nid is outside the valid inode
+range. A corrupted directory entry that points to ino == max_nid should
+therefore be rejected by f2fs_check_nid_range(). However, is_meta_ino()
+currently treats F2FS_COMPRESS_INO() as a meta inode unconditionally,
+so f2fs_iget() bypasses do_read_inode() and its nid range check, and
+instantiates a fake internal inode instead.
+
+Gate the compressed cache inode case on COMPRESS_CACHE, matching
+f2fs_init_compress_inode(). With compress_cache disabled, ino ==
+max_nid now follows the normal inode path and is rejected as an
+out-of-range nid.
+
+Cc: stable@kernel.org
+Fixes: 6ce19aff0b8c ("f2fs: compress: add compress_inode to cache compressed blocks")
+Signed-off-by: Wenjie Qi <qiwenjie@xiaomi.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/inode.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -476,8 +476,13 @@ static int do_read_inode(struct inode *i
+ static bool is_meta_ino(struct f2fs_sb_info *sbi, unsigned int ino)
+ {
+-      return ino == F2FS_NODE_INO(sbi) || ino == F2FS_META_INO(sbi) ||
+-              ino == F2FS_COMPRESS_INO(sbi);
++      if (ino == F2FS_NODE_INO(sbi) || ino == F2FS_META_INO(sbi))
++              return true;
++#ifdef CONFIG_F2FS_FS_COMPRESSION
++      if (test_opt(sbi, COMPRESS_CACHE) && ino == F2FS_COMPRESS_INO(sbi))
++              return true;
++#endif
++      return false;
+ }
+ struct inode *f2fs_iget(struct super_block *sb, unsigned long ino)
diff --git a/queue-6.1/mips-dec-prevent-initial-console-buffer-from-landing-in-xkphys.patch b/queue-6.1/mips-dec-prevent-initial-console-buffer-from-landing-in-xkphys.patch
new file mode 100644 (file)
index 0000000..92f4cda
--- /dev/null
@@ -0,0 +1,116 @@
+From 7fb13fd35110ebe95eb053faf79d018f51144d85 Mon Sep 17 00:00:00 2001
+From: "Maciej W. Rozycki" <macro@orcam.me.uk>
+Date: Wed, 6 May 2026 23:42:27 +0100
+Subject: MIPS: DEC: Prevent initial console buffer from landing in XKPHYS
+
+From: Maciej W. Rozycki <macro@orcam.me.uk>
+
+commit 7fb13fd35110ebe95eb053faf79d018f51144d85 upstream.
+
+In 64-bit configurations calling the initial console output handler from
+a kernel thread other than the initial one will result in a situation
+where the stack has been placed in the XKPHYS 64-bit memory segment and
+consequently so has been the buffer allocated there that is used as the
+argument corresponding to the `%s' output conversion specifier for the
+firmware's printf() entry point.
+
+This 64-bit address will then be truncated by 32-bit firmware, resulting
+in an attempt to access the wrong memory location, which in turn will
+cause all kinds of unpredictable behaviour, such as a kernel crash:
+
+  Console: colour dummy device 160x64
+  Calibrating delay loop... 49.36 BogoMIPS (lpj=192512)
+  pid_max: default: 32768 minimum: 301
+  CPU 0 Unable to handle kernel paging request at virtual address 000000000203bd00, epc == ffffffffbfc08364, ra == ffffffffbfc08800
+  Oops[#1]:
+  CPU: 0 PID: 0 Comm: swapper Not tainted 5.18.0-rc2-00254-gfb649bda6f56-dirty #121
+  $ 0   : 0000000000000000 0000000000000001 0000000000000023 ffffffff80684ba0
+  $ 4   : 000000000203bd00 ffffffffbfc0f3b4 ffffffffffffffff 0000000000000073
+  $ 8   : 0a303d7469000000 0000000000000000 0000000000000073 ffffffffbfc0f473
+  $12   : 0000000000000002 0000000000000000 ffffffff80684c1c 0000000000000000
+  $16   : 0000000000000000 ffffffff80596dc9 0000000000000000 ffffffffbfc09240
+  $20   : ffffffff80684c40 ffffffffbfc0f400 000000000000002d 000000000000002b
+  $24   : ffffffffffffffbf 000000000203bd00
+  $28   : ffffffff805f0000 ffffffff80684b58 0000000000000030 ffffffffbfc08800
+  Hi    : 0000000000000000
+  Lo    : 0000000000000aa8
+  epc   : ffffffffbfc08364 0xffffffffbfc08364
+  ra    : ffffffffbfc08800 0xffffffffbfc08800
+  Status: 140120e2        KX SX UX KERNEL EXL
+  Cause : 00000008 (ExcCode 02)
+  BadVA : 000000000203bd00
+  PrId  : 00000430 (R4000SC)
+  Modules linked in:
+  Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____), tls=0000000000000000)
+  Stack : 0000000000000000 0000000000000000 0000000000000000 0000004d0000004d
+          80684cc0806a2a40 80596dc80000004d 8061000000000000 bfc0850c80684c38
+          0000000000000000 000000000203bd00 0000000000000000 0000000000000000
+          0000000000000000 00000000bfc0f3b4 0000000000000000 0000000000000000
+          0000000000000000 0000000000000000 0000000000000000 0000000000000000
+          0000000000000000 0000000000000000 0000000000000000 0000000000000000
+          0000002500000000 0000000000000000 0000000000000000 802c1a7400000000
+          0203bd0080596dc8 0203bd4d69000000 6c61632000000018 5f746567646e6172
+          6c616320625f6d6f 5f736e5f6d6f7266 206361323778302b 303d74696e726320
+          806a0a38806b0000 806a0a38806b0000 00000000806b0000 80683c58806b0000
+          ...
+  Call Trace:
+
+  Code: a082ffff  03e00008  00601021 <80820000> 00001821  10400005  24840001  80820000  24630001
+
+  ---[ end trace 0000000000000000 ]---
+  Kernel panic - not syncing: Fatal exception in interrupt
+
+  KN04 V2.1k    (PC: 0xa0026768, SP: 0x806848e8)
+  >>
+
+In this case the pointer in $4 was truncated from 0x980000000203bd00 to
+0x000000000203bd00.
+
+This may happen when no final console driver has been enabled in the
+configuration and consequently the initial console continues being used
+late into bootstrap or with an upcoming change that will switch the zs
+driver to use a platform device, which in turn will make the console
+handover happen only after other kernel threads have already been
+started.
+
+Fix the issue by making the buffer static and initdata, and therefore
+placed in the CKSEG0 32-bit compatibility segment, observing that the
+console output handler is called with the console lock held, implying
+no need for this code to be reentrant.  Add an assertion to verify the
+buffer actually has been placed in a compatibility segment.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
+Cc: stable@vger.kernel.org # v2.6.12+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/dec/prom/console.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/dec/prom/console.c
++++ b/arch/mips/dec/prom/console.c
+@@ -2,8 +2,9 @@
+ /*
+  *    DECstation PROM-based early console support.
+  *
+- *    Copyright (C) 2004, 2007  Maciej W. Rozycki
++ *    Copyright (C) 2004, 2007, 2026  Maciej W. Rozycki
+  */
++#include <linux/bug.h>
+ #include <linux/console.h>
+ #include <linux/init.h>
+ #include <linux/kernel.h>
+@@ -14,9 +15,11 @@
+ static void __init prom_console_write(struct console *con, const char *s,
+                                     unsigned int c)
+ {
+-      char buf[81];
++      static char buf[81] __initdata = { 0 };
+       unsigned int chunk = sizeof(buf) - 1;
++      BUG_ON((long)buf != (int)(long)buf);
++
+       while (c > 0) {
+               if (chunk > c)
+                       chunk = c;
index 5cab42e43d564b2d5baa372ecc2c9cd657ff868e..1780be9f1a302bebd0be8c93120402866205cb10 100644 (file)
@@ -84,3 +84,9 @@ keys-pin-request_key_auth-payload-in-instantiate-paths.patch
 wifi-mt76-mt76x2u-add-support-for-elecom-wdc-867su3s.patch
 wifi-ath11k-fix-warning-when-unbinding.patch
 wifi-rtlwifi-rtl8821ae-fix-c2h-bit-location-in-rx-descriptor.patch
+f2fs-validate-compress-cache-inode-only-when-enabled.patch
+f2fs-fix-to-round-down-start-offset-of-fallocate-for-pin-file.patch
+f2fs-validate-acl-entry-sizes-in-f2fs_acl_from_disk.patch
+bpf-use-kvfree-for-replaced-sysctl-write-buffer.patch
+mips-dec-prevent-initial-console-buffer-from-landing-in-xkphys.patch
+exfat-fix-potential-use-after-free-in-exfat_find_dir_entry.patch