5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 17 Feb 2026 17:39:30 +0000 (18:39 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 17 Feb 2026 17:39:30 +0000 (18:39 +0100)
added patches:
f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch
f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch
iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch

queue-5.10/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch [new file with mode: 0644]
queue-5.10/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch [new file with mode: 0644]
queue-5.10/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch b/queue-5.10/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch
new file mode 100644 (file)
index 0000000..31d26e8
--- /dev/null
@@ -0,0 +1,176 @@
+From stable+bounces-216862-greg=kroah.com@vger.kernel.org Tue Feb 17 17:27:05 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 11:24:58 -0500
+Subject: f2fs: fix out-of-bounds access in sysfs attribute read/write
+To: stable@vger.kernel.org
+Cc: Yongpeng Yang <yangyongpeng@xiaomi.com>, stable@kernel.org, Jinbao Liu <liujinbao1@xiaomi.com>, Chao Yu <chao@kernel.org>, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260217162458.3771870-1-sashal@kernel.org>
+
+From: Yongpeng Yang <yangyongpeng@xiaomi.com>
+
+[ Upstream commit 98ea0039dbfdd00e5cc1b9a8afa40434476c0955 ]
+
+Some f2fs sysfs attributes suffer from out-of-bounds memory access and
+incorrect handling of integer values whose size is not 4 bytes.
+
+For example:
+vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out
+vm:~# cat /sys/fs/f2fs/vde/carve_out
+65537
+vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold
+vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold
+1
+
+carve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit
+integer. However, the sysfs interface allows setting it to a value
+larger than 255, resulting in an out-of-range update.
+
+atgc_age_threshold maps to {struct atgc_management}->age_threshold,
+which is a 64-bit integer, but its sysfs interface cannot correctly set
+values larger than UINT_MAX.
+
+The root causes are:
+1. __sbi_store() treats all default values as unsigned int, which
+prevents updating integers larger than 4 bytes and causes out-of-bounds
+writes for integers smaller than 4 bytes.
+
+2. f2fs_sbi_show() also assumes all default values are unsigned int,
+leading to out-of-bounds reads and incorrect access to integers larger
+than 4 bytes.
+
+This patch introduces {struct f2fs_attr}->size to record the actual size
+of the integer associated with each sysfs attribute. With this
+information, sysfs read and write operations can correctly access and
+update values according to their real data size, avoiding memory
+corruption and truncation.
+
+Fixes: b59d0bae6ca3 ("f2fs: add sysfs support for controlling the gc_thread")
+Cc: stable@kernel.org
+Signed-off-by: Jinbao Liu <liujinbao1@xiaomi.com>
+Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ f2fs_sbi_show() changes + .size for F2FS_STAT_ATTR ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/sysfs.c |   58 +++++++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 51 insertions(+), 7 deletions(-)
+
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -43,6 +43,7 @@ struct f2fs_attr {
+                        const char *, size_t);
+       int struct_type;
+       int offset;
++      int size;
+       int id;
+ };
+@@ -232,11 +233,30 @@ static ssize_t main_blkaddr_show(struct
+                       (unsigned long long)MAIN_BLKADDR(sbi));
+ }
++static ssize_t __sbi_show_value(struct f2fs_attr *a,
++              struct f2fs_sb_info *sbi, char *buf,
++              unsigned char *value)
++{
++      switch (a->size) {
++      case 1:
++              return sysfs_emit(buf, "%u\n", *(u8 *)value);
++      case 2:
++              return sysfs_emit(buf, "%u\n", *(u16 *)value);
++      case 4:
++              return sysfs_emit(buf, "%u\n", *(u32 *)value);
++      case 8:
++              return sysfs_emit(buf, "%llu\n", *(u64 *)value);
++      default:
++              f2fs_bug_on(sbi, 1);
++              return sysfs_emit(buf,
++                              "show sysfs node value with wrong type\n");
++      }
++}
++
+ static ssize_t f2fs_sbi_show(struct f2fs_attr *a,
+                       struct f2fs_sb_info *sbi, char *buf)
+ {
+       unsigned char *ptr = NULL;
+-      unsigned int *ui;
+       ptr = __struct_ptr(sbi, a->struct_type);
+       if (!ptr)
+@@ -263,9 +283,30 @@ static ssize_t f2fs_sbi_show(struct f2fs
+               return len;
+       }
+-      ui = (unsigned int *)(ptr + a->offset);
++      return __sbi_show_value(a, sbi, buf, ptr + a->offset);
++}
+-      return sprintf(buf, "%u\n", *ui);
++static void __sbi_store_value(struct f2fs_attr *a,
++                      struct f2fs_sb_info *sbi,
++                      unsigned char *ui, unsigned long value)
++{
++      switch (a->size) {
++      case 1:
++              *(u8 *)ui = value;
++              break;
++      case 2:
++              *(u16 *)ui = value;
++              break;
++      case 4:
++              *(u32 *)ui = value;
++              break;
++      case 8:
++              *(u64 *)ui = value;
++              break;
++      default:
++              f2fs_bug_on(sbi, 1);
++              f2fs_err(sbi, "store sysfs node value with wrong type");
++      }
+ }
+ static ssize_t __sbi_store(struct f2fs_attr *a,
+@@ -409,7 +450,7 @@ out:
+               return count;
+       }
+-      *ui = (unsigned int)t;
++      __sbi_store_value(a, sbi, ptr + a->offset, t);
+       return count;
+ }
+@@ -502,19 +543,21 @@ static ssize_t f2fs_feature_show(struct
+       return 0;
+ }
+-#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset) \
++#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset, _size) \
+ static struct f2fs_attr f2fs_attr_##_name = {                 \
+       .attr = {.name = __stringify(_name), .mode = _mode },   \
+       .show   = _show,                                        \
+       .store  = _store,                                       \
+       .struct_type = _struct_type,                            \
+-      .offset = _offset                                       \
++      .offset = _offset,                                      \
++      .size = _size                                           \
+ }
+ #define F2FS_RW_ATTR(struct_type, struct_name, name, elname)  \
+       F2FS_ATTR_OFFSET(struct_type, name, 0644,               \
+               f2fs_sbi_show, f2fs_sbi_store,                  \
+-              offsetof(struct struct_name, elname))
++              offsetof(struct struct_name, elname),           \
++              sizeof_field(struct struct_name, elname))
+ #define F2FS_GENERAL_RO_ATTR(name) \
+ static struct f2fs_attr f2fs_attr_##name = __ATTR(name, 0444, name##_show, NULL)
+@@ -532,6 +575,7 @@ static struct f2fs_attr f2fs_attr_##_nam
+       .show = f2fs_sbi_show,                                  \
+       .struct_type = _struct_type,                            \
+       .offset = offsetof(struct _struct_name, _elname),       \
++      .size = sizeof_field(struct _struct_name, _elname),     \
+ }
+ F2FS_RW_ATTR(GC_THREAD, f2fs_gc_kthread, gc_urgent_sleep_time,
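Review bot: `__sbi_store_value()` assigns the full `unsigned long` to a u8/u16/u32 slot with an implicit narrowing conversion, so a value that does not fit the field is still stored silently truncated rather than rejected — with this change the commit message's `echo 65537 > carve_out` lands as 1 instead of an error. The out-of-bounds write and the 64-bit case are fixed, but the caller in `__sbi_store()` has `a->size` and `t` in hand and could bounce oversized input first, e.g. `if (a->size < sizeof(t) && (t >> (a->size * BITS_PER_BYTE))) return -EINVAL;` ahead of the `__sbi_store_value()` call. The body of `__sbi_store()` starts outside the hunk, so any per-attribute range checks that run before this call are not visible here; if such checks already cover every narrow attribute, the generic guard is redundant and a comment saying so at the call site would do.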
diff --git a/queue-5.10/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch b/queue-5.10/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch
new file mode 100644 (file)
index 0000000..47a2389
--- /dev/null
@@ -0,0 +1,80 @@
+From stable+bounces-216861-greg=kroah.com@vger.kernel.org Tue Feb 17 17:18:39 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 11:18:33 -0500
+Subject: f2fs: fix to avoid UAF in f2fs_write_end_io()
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, stable@kernel.org, syzbot+b4444e3c972a7a124187@syzkaller.appspotmail.com, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260217161833.3766136-1-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit ce2739e482bce8d2c014d76c4531c877f382aa54 ]
+
+As syzbot reported an use-after-free issue in f2fs_write_end_io().
+
+It is caused by below race condition:
+
+loop device                            umount
+- worker_thread
+ - loop_process_work
+  - do_req_filebacked
+   - lo_rw_aio
+    - lo_rw_aio_complete
+     - blk_mq_end_request
+      - blk_update_request
+       - f2fs_write_end_io
+        - dec_page_count
+        - folio_end_writeback
+                                       - kill_f2fs_super
+                                        - kill_block_super
+                                         - f2fs_put_super
+                                        : free(sbi)
+       : get_pages(, F2FS_WB_CP_DATA)
+         accessed sbi which is freed
+
+In kill_f2fs_super(), we will drop all page caches of f2fs inodes before
+call free(sbi), it guarantee that all folios should end its writeback, so
+it should be safe to access sbi before last folio_end_writeback().
+
+Let's relocate ckpt thread wakeup flow before folio_end_writeback() to
+resolve this issue.
+
+Cc: stable@kernel.org
+Fixes: e234088758fc ("f2fs: avoid wait if IO end up when do_checkpoint for better performance")
+Reported-by: syzbot+b4444e3c972a7a124187@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b4444e3c972a7a124187
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ folio => page ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/data.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -379,14 +379,20 @@ static void f2fs_write_end_io(struct bio
+                                       page->index != nid_of_node(page));
+               dec_page_count(sbi, type);
++
++              /*
++               * we should access sbi before end_page_writeback() to
++               * avoid racing w/ kill_f2fs_super()
++               */
++              if (type == F2FS_WB_CP_DATA && !get_pages(sbi, type) &&
++                              wq_has_sleeper(&sbi->cp_wait))
++                      wake_up(&sbi->cp_wait);
++
+               if (f2fs_in_warm_node_list(sbi, page))
+                       f2fs_del_fsync_node_entry(sbi, page);
+               clear_cold_data(page);
+               end_page_writeback(page);
+       }
+-      if (!get_pages(sbi, F2FS_WB_CP_DATA) &&
+-                              wq_has_sleeper(&sbi->cp_wait))
+-              wake_up(&sbi->cp_wait);
+       bio_put(bio);
+ }
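Review bot: The relocated wake-up depends on a lifetime guarantee that the in-hunk comment only hints at; I would spell it out so the ordering is not "simplified" away later, e.g. `/* kill_f2fs_super() waits for writeback on every page before freeing sbi, so the last end_page_writeback() is the last point at which sbi is guaranteed alive; keep every sbi access above it */`. The `get_pages()` check now runs once per page instead of once per bio, which is correct (only a F2FS_WB_CP_DATA page can drop that counter) but is worth a word in the same comment since it changes when the counter is polled. `f2fs_write_end_io()` begins before the hunk, so the loop header that binds `page` and `type` is not visible here.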
diff --git a/queue-5.10/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch b/queue-5.10/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch
new file mode 100644 (file)
index 0000000..95c01e1
--- /dev/null
@@ -0,0 +1,122 @@
+From ed1ac3c977dd6b119405fa36dd41f7151bd5b4de Mon Sep 17 00:00:00 2001
+From: Danilo Krummrich <dakr@kernel.org>
+Date: Wed, 21 Jan 2026 15:12:01 +0100
+Subject: iommu/arm-smmu-qcom: do not register driver in probe()
+
+From: Danilo Krummrich <dakr@kernel.org>
+
+commit ed1ac3c977dd6b119405fa36dd41f7151bd5b4de upstream.
+
+Commit 0b4eeee2876f ("iommu/arm-smmu-qcom: Register the TBU driver in
+qcom_smmu_impl_init") intended to also probe the TBU driver when
+CONFIG_ARM_SMMU_QCOM_DEBUG is disabled, but also moved the corresponding
+platform_driver_register() call into qcom_smmu_impl_init() which is
+called from arm_smmu_device_probe().
+
+However, it neither makes sense to register drivers from probe()
+callbacks of other drivers, nor does the driver core allow registering
+drivers with a device lock already being held.
+
+The latter was revealed by commit dc23806a7c47 ("driver core: enforce
+device_lock for driver_match_device()") leading to a deadlock condition
+described in [1].
+
+Additionally, it was noted by Robin that the current approach is
+potentially racy with async probe [2].
+
+Hence, fix this by registering the qcom_smmu_tbu_driver from
+module_init(). Unfortunately, due to the vendoring of the driver, this
+requires an indirection through arm-smmu-impl.c.
+
+Reported-by: Mark Brown <broonie@kernel.org>
+Closes: https://lore.kernel.org/lkml/7ae38e31-ef31-43ad-9106-7c76ea0e8596@sirena.org.uk/
+Link: https://lore.kernel.org/lkml/DFU7CEPUSG9A.1KKGVW4HIPMSH@kernel.org/ [1]
+Link: https://lore.kernel.org/lkml/0c0d3707-9ea5-44f9-88a1-a65c62e3df8d@arm.com/ [2]
+Fixes: dc23806a7c47 ("driver core: enforce device_lock for driver_match_device()")
+Fixes: 0b4eeee2876f ("iommu/arm-smmu-qcom: Register the TBU driver in qcom_smmu_impl_init")
+Acked-by: Robin Murphy <robin.murphy@arm.com>
+Tested-by: Bjorn Andersson <andersson@kernel.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Acked-by: Konrad Dybcio <konradybcio@kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com> #LX2160ARDB
+Tested-by: Wang Jiayue <akaieurus@gmail.com>
+Reviewed-by: Wang Jiayue <akaieurus@gmail.com>
+Tested-by: Mark Brown <broonie@kernel.org>
+Acked-by: Joerg Roedel <joerg.roedel@amd.com>
+Link: https://patch.msgid.link/20260121141215.29658-1-dakr@kernel.org
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/arm/arm-smmu/arm-smmu-impl.c |   14 ++++++++++++++
+ drivers/iommu/arm/arm-smmu/arm-smmu.c      |   24 +++++++++++++++++++++++-
+ drivers/iommu/arm/arm-smmu/arm-smmu.h      |    5 +++++
+ 3 files changed, 42 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c
+@@ -228,3 +228,17 @@ struct arm_smmu_device *arm_smmu_impl_in
+       return smmu;
+ }
++
++int __init arm_smmu_impl_module_init(void)
++{
++      if (IS_ENABLED(CONFIG_ARM_SMMU_QCOM))
++              return qcom_smmu_module_init();
++
++      return 0;
++}
++
++void __exit arm_smmu_impl_module_exit(void)
++{
++      if (IS_ENABLED(CONFIG_ARM_SMMU_QCOM))
++              qcom_smmu_module_exit();
++}
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu.c
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c
+@@ -2352,7 +2352,29 @@ static struct platform_driver arm_smmu_d
+       .remove = arm_smmu_device_remove,
+       .shutdown = arm_smmu_device_shutdown,
+ };
+-module_platform_driver(arm_smmu_driver);
++
++static int __init arm_smmu_init(void)
++{
++      int ret;
++
++      ret = platform_driver_register(&arm_smmu_driver);
++      if (ret)
++              return ret;
++
++      ret = arm_smmu_impl_module_init();
++      if (ret)
++              platform_driver_unregister(&arm_smmu_driver);
++
++      return ret;
++}
++module_init(arm_smmu_init);
++
++static void __exit arm_smmu_exit(void)
++{
++      arm_smmu_impl_module_exit();
++      platform_driver_unregister(&arm_smmu_driver);
++}
++module_exit(arm_smmu_exit);
+ MODULE_DESCRIPTION("IOMMU API for ARM architected SMMU implementations");
+ MODULE_AUTHOR("Will Deacon <will@kernel.org>");
+--- a/drivers/iommu/arm/arm-smmu/arm-smmu.h
++++ b/drivers/iommu/arm/arm-smmu/arm-smmu.h
+@@ -522,6 +522,11 @@ struct arm_smmu_device *arm_smmu_impl_in
+ struct arm_smmu_device *nvidia_smmu_impl_init(struct arm_smmu_device *smmu);
+ struct arm_smmu_device *qcom_smmu_impl_init(struct arm_smmu_device *smmu);
++int __init arm_smmu_impl_module_init(void);
++void __exit arm_smmu_impl_module_exit(void);
++int __init qcom_smmu_module_init(void);
++void __exit qcom_smmu_module_exit(void);
++
+ void arm_smmu_write_context_bank(struct arm_smmu_device *smmu, int idx);
+ int arm_mmu500_reset(struct arm_smmu_device *smmu);
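Review bot: The header hunk declares `qcom_smmu_module_init()` / `qcom_smmu_module_exit()` and `arm_smmu_impl_module_init()` calls them under `IS_ENABLED(CONFIG_ARM_SMMU_QCOM)`, yet none of the three files this backport touches (per its diffstat) defines either function. If the 5.10 tree's arm-smmu-qcom.c does not already provide them, the module fails to link with CONFIG_ARM_SMMU_QCOM enabled; and if that Kconfig symbol does not exist in 5.10, `IS_ENABLED()` folds to 0 and the qcom registration this fix is about never runs — either way the backport seems to need the matching arm-smmu-qcom.c hunk or a line in the backport note explaining why it is unnecessary. The `arm_smmu_init()` error path does unregister the platform driver when `arm_smmu_impl_module_init()` fails, so the ordering in arm-smmu.c itself looks fine.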
index 2b8cb185a6bd623e87e4c9f8f0c029083e86ea77..826bca9fd3b37dd3426f6f46bb786f82cf4a1edd 100644 (file)
@@ -19,3 +19,6 @@ scsi-qla2xxx-free-sp-in-error-path-to-fix-system-crash.patch
 scsi-qla2xxx-fix-bsg_done-causing-double-free.patch
 fbdev-rivafb-fix-divide-error-in-nv3_arb.patch
 fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch
+iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch
+f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch
+f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch