--- /dev/null
+From 1caf50ce4af096d0280d59a31abdd85703cd995c Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Fri, 6 Feb 2026 06:30:05 +0800
+Subject: erofs: fix UAF issue for file-backed mounts w/ directio option
+
+From: Chao Yu <chao@kernel.org>
+
+commit 1caf50ce4af096d0280d59a31abdd85703cd995c upstream.
+
+[ 9.269940][ T3222] Call trace:
+[ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108
+[ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198
+[ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180
+[ 9.270008][ T3222] erofs_fileio_submit_bio+0x14/0x24
+[ 9.270030][ T3222] z_erofs_runqueue+0x834/0x8ac
+[ 9.270054][ T3222] z_erofs_read_folio+0x120/0x220
+[ 9.270083][ T3222] filemap_read_folio+0x60/0x120
+[ 9.270102][ T3222] filemap_fault+0xcac/0x1060
+[ 9.270119][ T3222] do_pte_missing+0x2d8/0x1554
+[ 9.270131][ T3222] handle_mm_fault+0x5ec/0x70c
+[ 9.270142][ T3222] do_page_fault+0x178/0x88c
+[ 9.270167][ T3222] do_translation_fault+0x38/0x54
+[ 9.270183][ T3222] do_mem_abort+0x54/0xac
+[ 9.270208][ T3222] el0_da+0x44/0x7c
+[ 9.270227][ T3222] el0t_64_sync_handler+0x5c/0xf4
+[ 9.270253][ T3222] el0t_64_sync+0x1bc/0x1c0
+
+EROFS may encounter above panic when enabling file-backed mount w/
+directio mount option, the root cause is it may suffer UAF in below
+race condition:
+
+- z_erofs_read_folio wq s_dio_done_wq
+ - z_erofs_runqueue
+ - erofs_fileio_submit_bio
+ - erofs_fileio_rq_submit
+ - vfs_iocb_iter_read
+ - ext4_file_read_iter
+ - ext4_dio_read_iter
+ - iomap_dio_rw
+ : bio was submitted and return -EIOCBQUEUED
+ - dio_aio_complete_work
+ - dio_complete
+ - dio->iocb->ki_complete (erofs_fileio_ki_complete())
+ - kfree(rq)
+ : it frees iocb, iocb.ki_filp can be UAF in file_accessed().
+ - file_accessed
+ : access NULL file point
+
+Introduce a reference count in struct erofs_fileio_rq, and initialize it
+as two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will
+decrease reference count, the last one decreasing the reference count
+to zero will free rq.
+
+Cc: stable@kernel.org
+Fixes: fb176750266a ("erofs: add file-backed mount support")
+Fixes: 6422cde1b0d5 ("erofs: use buffered I/O for file-backed mounts by default")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/erofs/fileio.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/erofs/fileio.c
++++ b/fs/erofs/fileio.c
+@@ -10,6 +10,7 @@ struct erofs_fileio_rq {
+ struct bio bio;
+ struct kiocb iocb;
+ struct super_block *sb;
++ refcount_t ref;
+ };
+
+ struct erofs_fileio {
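Review bot: The new `ref` member is added without a comment, and its initial value of two (set in the erofs_fileio_rq_alloc hunk) is only explained in the commit message, so a reader of the struct cannot tell who holds the references or why plain `kfree(rq)` is no longer allowed. Suggest documenting the ownership model right on the field: `refcount_t ref; /* one ref for erofs_fileio_rq_submit(), one for erofs_fileio_ki_complete() */`. That also signals to future callers that any path freeing an rq after submission must go through the refcount rather than `kfree()` directly.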
+@@ -42,7 +43,8 @@ static void erofs_fileio_ki_complete(str
+ }
+ }
+ bio_uninit(&rq->bio);
+- kfree(rq);
++ if (refcount_dec_and_test(&rq->ref))
++ kfree(rq);
+ }
+
+ static void erofs_fileio_rq_submit(struct erofs_fileio_rq *rq)
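Review bot: The `if (refcount_dec_and_test(&rq->ref)) kfree(rq);` pair is duplicated verbatim here and in the erofs_fileio_rq_submit hunk below; a small `erofs_fileio_rq_put()` helper would keep the two release sites from drifting apart if the teardown ever grows (for example if `bio_uninit()` were moved under the refcount). The body of erofs_fileio_ki_complete starts outside this hunk, so the `rq` derivation is not visible here. In the synchronous path (`ret != -EIOCBQUEUED`) this function drops one reference and the caller immediately drops the other, which matches the two-reference scheme set up in the alloc hunk.
```c
/* Drop one of the two references taken in erofs_fileio_rq_alloc(); the last one frees. */
static void erofs_fileio_rq_put(struct erofs_fileio_rq *rq)
{
	if (refcount_dec_and_test(&rq->ref))
		kfree(rq);
}
/* … unchanged: erofs_fileio_ki_complete body up to bio_uninit() … */
	bio_uninit(&rq->bio);
	erofs_fileio_rq_put(rq);
/* … unchanged: erofs_fileio_rq_submit body up to the completion check … */
	if (ret != -EIOCBQUEUED)
		erofs_fileio_ki_complete(&rq->iocb, ret);
	erofs_fileio_rq_put(rq);
```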
+@@ -63,6 +65,8 @@ static void erofs_fileio_rq_submit(struc
+ ret = vfs_iocb_iter_read(rq->iocb.ki_filp, &rq->iocb, &iter);
+ if (ret != -EIOCBQUEUED)
+ erofs_fileio_ki_complete(&rq->iocb, ret);
++ if (refcount_dec_and_test(&rq->ref))
++ kfree(rq);
+ }
+
+ static struct erofs_fileio_rq *erofs_fileio_rq_alloc(struct erofs_map_dev *mdev)
+@@ -73,6 +77,7 @@ static struct erofs_fileio_rq *erofs_fil
+ bio_init(&rq->bio, NULL, rq->bvecs, BIO_MAX_VECS, REQ_OP_READ);
+ rq->iocb.ki_filp = mdev->m_dif->file;
+ rq->sb = mdev->m_sb;
++ refcount_set(&rq->ref, 2);
+ return rq;
+ }
+
--- /dev/null
+From 7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c Mon Sep 17 00:00:00 2001
+From: Liu Song <liu.song13@zte.com.cn>
+Date: Thu, 10 Jul 2025 14:38:45 +0800
+Subject: PCI: endpoint: Avoid creating sub-groups asynchronously
+
+From: Liu Song <liu.song13@zte.com.cn>
+
+commit 7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c upstream.
+
+The asynchronous creation of sub-groups by a delayed work could lead to a
+NULL pointer dereference when the driver directory is removed before the
+work completes.
+
+The crash can be easily reproduced with the following commands:
+
+ # cd /sys/kernel/config/pci_ep/functions/pci_epf_test
+ # for i in {1..20}; do mkdir test && rmdir test; done
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000088
+ ...
+ Call Trace:
+ configfs_register_group+0x3d/0x190
+ pci_epf_cfs_work+0x41/0x110
+ process_one_work+0x18f/0x350
+ worker_thread+0x25a/0x3a0
+
+Fix this issue by using configfs_add_default_group() API which does not
+have the deadlock problem as configfs_register_group() and does not require
+the delayed work handler.
+
+Fixes: e85a2d783762 ("PCI: endpoint: Add support in configfs to associate two EPCs with EPF")
+Signed-off-by: Liu Song <liu.song13@zte.com.cn>
+[mani: slightly reworded the description and added stable list]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@kernel.org
+Link: https://patch.msgid.link/20250710143845409gLM6JdlwPhlHG9iX3F6jK@zte.com.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/pci-ep-cfs.c | 15 +++++----------
+ 1 file changed, 5 insertions(+), 10 deletions(-)
+
+--- a/drivers/pci/endpoint/pci-ep-cfs.c
++++ b/drivers/pci/endpoint/pci-ep-cfs.c
+@@ -23,7 +23,6 @@ struct pci_epf_group {
+ struct config_group group;
+ struct config_group primary_epc_group;
+ struct config_group secondary_epc_group;
+- struct delayed_work cfs_work;
+ struct pci_epf *epf;
+ int index;
+ };
+@@ -103,7 +102,7 @@ static struct config_group
+ secondary_epc_group = &epf_group->secondary_epc_group;
+ config_group_init_type_name(secondary_epc_group, "secondary",
+ &pci_secondary_epc_type);
+- configfs_register_group(&epf_group->group, secondary_epc_group);
++ configfs_add_default_group(secondary_epc_group, &epf_group->group);
+
+ return secondary_epc_group;
+ }
+@@ -166,7 +165,7 @@ static struct config_group
+
+ config_group_init_type_name(primary_epc_group, "primary",
+ &pci_primary_epc_type);
+- configfs_register_group(&epf_group->group, primary_epc_group);
++ configfs_add_default_group(primary_epc_group, &epf_group->group);
+
+ return primary_epc_group;
+ }
+@@ -570,15 +569,13 @@ static void pci_ep_cfs_add_type_group(st
+ return;
+ }
+
+- configfs_register_group(&epf_group->group, group);
++ configfs_add_default_group(group, &epf_group->group);
+ }
+
+-static void pci_epf_cfs_work(struct work_struct *work)
++static void pci_epf_cfs_add_sub_groups(struct pci_epf_group *epf_group)
+ {
+- struct pci_epf_group *epf_group;
+ struct config_group *group;
+
+- epf_group = container_of(work, struct pci_epf_group, cfs_work.work);
+ group = pci_ep_cfs_add_primary_group(epf_group);
+ if (IS_ERR(group)) {
+ pr_err("failed to create 'primary' EPC interface\n");
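Review bot: pci_epf_cfs_add_sub_groups() still returns void and only logs when pci_ep_cfs_add_primary_group() fails, a limitation inherited from the work handler it replaces; now that it runs synchronously from pci_epf_make() (the `@@ -637` hunk), the failure could be reported to the mkdir instead of leaving a half-populated directory. Suggest `static int pci_epf_cfs_add_sub_groups(struct pci_epf_group *epf_group)` with `return PTR_ERR(group);` in the error branches, and having pci_epf_make() unwind on a non-zero result. The tail of this function and the cleanup path in pci_epf_make() are outside the visible hunks, so the exact unwind label would need to be confirmed against the full file.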
+@@ -637,9 +634,7 @@ static struct config_group *pci_epf_make
+
+ kfree(epf_name);
+
+- INIT_DELAYED_WORK(&epf_group->cfs_work, pci_epf_cfs_work);
+- queue_delayed_work(system_wq, &epf_group->cfs_work,
+- msecs_to_jiffies(1));
++ pci_epf_cfs_add_sub_groups(epf_group);
+
+ return &epf_group->group;
+
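Review bot: The call to pci_epf_cfs_add_sub_groups() relies on an ordering constraint that is not stated in the code: configfs_add_default_group() only queues the sub-groups onto the parent's default-group list, and configfs creates them when the parent is attached, which happens once `&epf_group->group` is returned from this make_group callback. Moving the call after the `return`, or into any later path, would silently stop the sub-directories from appearing. A one-line comment at the call site would protect against that: `/* Must run before the group is returned: default groups are created when the parent is attached. */`.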
scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch
bus-mhi-host-pci_generic-add-telit-fe990b40-modem-support.patch
mptcp-fix-race-in-mptcp_pm_nl_flush_addrs_doit.patch
+erofs-fix-uaf-issue-for-file-backed-mounts-w-directio-option.patch
+xfs-fix-uaf-in-xchk_btree_check_block_owner.patch
+pci-endpoint-avoid-creating-sub-groups-asynchronously.patch
+wifi-rtl8xxxu-fix-slab-out-of-bounds-in-rtl8xxxu_sta_add.patch
--- /dev/null
+From 86c946bcc00f6390ef65e9614ae60a9377e454f8 Mon Sep 17 00:00:00 2001
+From: Ali Tariq <alitariq45892@gmail.com>
+Date: Thu, 25 Dec 2025 11:54:29 +0000
+Subject: wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add
+
+From: Ali Tariq <alitariq45892@gmail.com>
+
+commit 86c946bcc00f6390ef65e9614ae60a9377e454f8 upstream.
+
+The driver does not set hw->sta_data_size, which causes mac80211 to
+allocate insufficient space for driver private station data in
+__sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of
+struct rtl8xxxu_sta_info through sta->drv_priv, this results in a
+slab-out-of-bounds write.
+
+KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:
+
+ BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346
+ Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12
+
+Set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during
+probe, similar to how hw->vif_data_size is configured. This ensures
+mac80211 allocates sufficient space for the driver's per-station
+private data.
+
+Tested on StarFive VisionFive 2 v1.2A board.
+
+Fixes: eef55f1545c9 ("wifi: rtl8xxxu: support multiple interfaces in {add,remove}_interface()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ali Tariq <alitariq45892@gmail.com>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20251225115430.13011-1-alitariq45892@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/core.c
+@@ -7903,6 +7903,7 @@ static int rtl8xxxu_probe(struct usb_int
+ goto err_set_intfdata;
+
+ hw->vif_data_size = sizeof(struct rtl8xxxu_vif);
++ hw->sta_data_size = sizeof(struct rtl8xxxu_sta_info);
+
+ hw->wiphy->max_scan_ssids = 1;
+ hw->wiphy->max_scan_ie_len = IEEE80211_MAX_DATA_LEN;
--- /dev/null
+From 1c253e11225bc5167217897885b85093e17c2217 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <djwong@kernel.org>
+Date: Fri, 23 Jan 2026 09:27:39 -0800
+Subject: xfs: fix UAF in xchk_btree_check_block_owner
+
+From: Darrick J. Wong <djwong@kernel.org>
+
+commit 1c253e11225bc5167217897885b85093e17c2217 upstream.
+
+We cannot dereference bs->cur when trying to determine if bs->cur
+aliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed.
+Fix this by sampling before type before any freeing could happen.
+The correct temporal ordering was broken when we removed xfs_btnum_t.
+
+Cc: r772577952@gmail.com
+Cc: <stable@vger.kernel.org> # v6.9
+Fixes: ec793e690f801d ("xfs: remove xfs_btnum_t")
+Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Tested-by: Jiaming Zhang <r772577952@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/scrub/btree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/xfs/scrub/btree.c
++++ b/fs/xfs/scrub/btree.c
+@@ -370,12 +370,15 @@ xchk_btree_check_block_owner(
+ {
+ xfs_agnumber_t agno;
+ xfs_agblock_t agbno;
++ bool is_bnobt, is_rmapbt;
+ bool init_sa;
+ int error = 0;
+
+ if (!bs->cur)
+ return 0;
+
++ is_bnobt = xfs_btree_is_bno(bs->cur->bc_ops);
++ is_rmapbt = xfs_btree_is_rmap(bs->cur->bc_ops);
+ agno = xfs_daddr_to_agno(bs->cur->bc_mp, daddr);
+ agbno = xfs_daddr_to_agbno(bs->cur->bc_mp, daddr);
+
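Review bot: The two new samples `is_bnobt`/`is_rmapbt` carry no comment explaining why they must be taken here rather than at the point of use, which is exactly the temporal ordering the commit message says a previous refactor broke. A short why-comment above them would guard against the next cleanup reintroducing the use-after-free: `/* Sample the cursor type now: the xref calls below may free sa.bno_cur/sa.rmap_cur, which bs->cur can alias. */`. The remainder of xchk_btree_check_block_owner(), including the `out_free` path, lies outside this hunk.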
+@@ -398,11 +401,11 @@ xchk_btree_check_block_owner(
+ * have to nullify it (to shut down further block owner checks) if
+ * self-xref encounters problems.
+ */
+- if (!bs->sc->sa.bno_cur && xfs_btree_is_bno(bs->cur->bc_ops))
++ if (!bs->sc->sa.bno_cur && is_bnobt)
+ bs->cur = NULL;
+
+ xchk_xref_is_only_owned_by(bs->sc, agbno, 1, bs->oinfo);
+- if (!bs->sc->sa.rmap_cur && xfs_btree_is_rmap(bs->cur->bc_ops))
++ if (!bs->sc->sa.rmap_cur && is_rmapbt)
+ bs->cur = NULL;
+
+ out_free: