From: Greg Kroah-Hartman
Date: Thu, 25 Jun 2026 12:53:26 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=200ab7f954730946ded3b4f8794d74d3c2e69dc1;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches added patches: input-rmi4-fix-bit-count-in-bitmap_copy.patch input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch input-rmi4-fix-register-descriptor-address-calculation.patch input-rmi4-fix-type-overflow-in-register-counts.patch input-rmi4-iterative-irq-handler.patch media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch virtiofs-fix-uaf-on-submount-umount.patch
---
diff --git a/queue-5.15/input-rmi4-fix-bit-count-in-bitmap_copy.patch b/queue-5.15/input-rmi4-fix-bit-count-in-bitmap_copy.patch
new file mode 100644
index 0000000000..0177932fcb
--- /dev/null
+++ b/queue-5.15/input-rmi4-fix-bit-count-in-bitmap_copy.patch
@@ -0,0 +1,47 @@
+From f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 4 May 2026 21:59:37 -0700
+Subject: Input: rmi4 - fix bit count in bitmap_copy()
+
+From: Dmitry Torokhov
+
+commit f22dbbcbd1f70ed004a7bf8837e0f0c3cc230b78 upstream.
+
+bitmap_copy() takes number of bits, not bytes (or longs). Correct
+the bit count in rmi_driver_set_irq_bits() and
+rmi_driver_clear_irq_bits().
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-7-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/rmi4/rmi_driver.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -386,9 +386,8 @@ static int rmi_driver_set_irq_bits(struc
+ __func__);
+ goto error_unlock;
+ }
+- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
+- data->num_of_irq_regs);
+
++ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
+ bitmap_or(data->fn_irq_bits, data->fn_irq_bits, mask, data->irq_count);
+
+ error_unlock:
+@@ -417,8 +416,8 @@ static int rmi_driver_clear_irq_bits(str
+ __func__);
+ goto error_unlock;
+ }
+- bitmap_copy(data->current_irq_mask, data->new_irq_mask,
+- data->num_of_irq_regs);
++
++ bitmap_copy(data->current_irq_mask, data->new_irq_mask, data->irq_count);
+
+ error_unlock:
+ mutex_unlock(&data->irq_mutex);
diff --git a/queue-5.15/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch b/queue-5.15/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
new file mode 100644
index 0000000000..4542767c78
--- /dev/null
+++ b/queue-5.15/input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
@@ -0,0 +1,37 @@
+From a55a683a8e2bddb5467baab3e597a93022d4ee05 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 4 May 2026 21:59:35 -0700
+Subject: Input: rmi4 - fix memory leak in rmi_set_attn_data()
+
+From: Dmitry Torokhov
+
+commit a55a683a8e2bddb5467baab3e597a93022d4ee05 upstream.
+
+kfifo_put() returns 0 if the FIFO is full. In this case, we must
+free the memory allocated for the attention data to avoid a leak.
+
+Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-5-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/rmi4/rmi_driver.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -181,7 +181,11 @@ void rmi_set_attn_data(struct rmi_device
+ attn_data.size = size;
+ attn_data.data = fifo_data;
+
+- kfifo_put(&drvdata->attn_fifo, attn_data);
++ if (!kfifo_put(&drvdata->attn_fifo, attn_data)) {
++ dev_warn_ratelimited(&rmi_dev->dev,
++ "Failed to enqueue attention data, FIFO full\n");
++ kfree(fifo_data);
++ }
+ }
+ EXPORT_SYMBOL_GPL(rmi_set_attn_data);
+
diff --git a/queue-5.15/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch b/queue-5.15/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
new file mode 100644
index 0000000000..ab13f8e531
--- /dev/null
+++ b/queue-5.15/input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
@@ -0,0 +1,53 @@
+From 2b4b482d5c4c23c668b998a7da985aea0fa4a978 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 4 May 2026 21:59:34 -0700
+Subject: Input: rmi4 - fix num_subpackets overflow in register descriptor
+
+From: Dmitry Torokhov
+
+commit 2b4b482d5c4c23c668b998a7da985aea0fa4a978 upstream.
+
+RMI_REG_DESC_SUBPACKET_BITS is defined as 296 (37 * BITS_PER_BYTE). This
+may overflow num_subpackets in struct rmi_register_desc_item which is
+defined as a u8.
+
+Fix this by changing the type of num_subpackets to u16.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-4-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/rmi4/rmi_driver.h | 2 +-
+ drivers/input/rmi4/rmi_f12.c | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.h
++++ b/drivers/input/rmi4/rmi_driver.h
+@@ -53,7 +53,7 @@ struct pdt_entry {
+ struct rmi_register_desc_item {
+ u16 reg;
+ unsigned long reg_size;
+- u8 num_subpackets;
++ u16 num_subpackets;
+ unsigned long subpacket_map[BITS_TO_LONGS(
+ RMI_REG_DESC_SUBPACKET_BITS)];
+ };
+--- a/drivers/input/rmi4/rmi_f12.c
++++ b/drivers/input/rmi4/rmi_f12.c
+@@ -444,6 +444,13 @@ static int rmi_f12_probe(struct rmi_func
+ f12->data1 = item;
+ f12->data1_offset = data_offset;
+ data_offset += item->reg_size;
++
++ if (item->num_subpackets > 255) {
++ dev_err(&fn->dev, "Too many fingers declared: %d\n",
++ item->num_subpackets);
++ return -EINVAL;
++ }
++
+ sensor->nbr_fingers = item->num_subpackets;
+ sensor->report_abs = 1;
+ sensor->attn_size += item->reg_size;
diff --git a/queue-5.15/input-rmi4-fix-register-descriptor-address-calculation.patch b/queue-5.15/input-rmi4-fix-register-descriptor-address-calculation.patch
new file mode 100644
index 0000000000..8c138b24f5
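Review bot: The bound in the check added to rmi_f12_probe, `if (item->num_subpackets > 255)`, is a bare magic number; its origin, presumably the width of sensor->nbr_fingers assigned on the next line, is not visible in the hunk and should be stated, e.g. `if (item->num_subpackets > U8_MAX) { /* nbr_fingers is a u8 */`. Widening num_subpackets to u16 in rmi_driver.h also reaches any other consumer that stores the value in a narrower type; those would need the same guard, which this patch adds only for F12. rmi_f12_probe continues outside the hunk.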
--- /dev/null
+++ b/queue-5.15/input-rmi4-fix-register-descriptor-address-calculation.patch
@@ -0,0 +1,40 @@
+From a98518e72439fd42cbfe641c2896543cb088e3d1 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 4 May 2026 21:59:31 -0700
+Subject: Input: rmi4 - fix register descriptor address calculation
+
+From: Dmitry Torokhov
+
+commit a98518e72439fd42cbfe641c2896543cb088e3d1 upstream.
+
+When reading the register descriptor, the base address is incremented by
+1 to read the presence register block. However, after reading the
+presence register block, the address is incorrectly incremented by only
+1 byte (++addr) instead of the actual size of the presence block
+(size_presence_reg). This causes the subsequent structure block read to
+read from the wrong memory location if the presence block is larger than
+1 byte.
+
+Fix this by advancing the address by size_presence_reg.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-1-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/rmi4/rmi_driver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -593,7 +593,7 @@ int rmi_read_register_desc(struct rmi_de
+ ret = rmi_read_block(d, addr, buf, size_presence_reg);
+ if (ret)
+ return ret;
+- ++addr;
++ addr += size_presence_reg;
+
+ if (buf[0] == 0) {
+ presense_offset = 3;
diff --git a/queue-5.15/input-rmi4-fix-type-overflow-in-register-counts.patch b/queue-5.15/input-rmi4-fix-type-overflow-in-register-counts.patch
new file mode 100644
index 0000000000..0c40092d6c
--- /dev/null
+++ b/queue-5.15/input-rmi4-fix-type-overflow-in-register-counts.patch
@@ -0,0 +1,39 @@
+From a0a87e441238e07c5f7e3de133ef77a9d4229f01 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 4 May 2026 21:59:33 -0700
+Subject: Input: rmi4 - fix type overflow in register counts
+
+From: Dmitry Torokhov
+
+commit a0a87e441238e07c5f7e3de133ef77a9d4229f01 upstream.
+
+The number of registers in the RMI4 register descriptor is populated
+by counting the bits in the presence map using bitmap_weight(). Since
+the presence map can contain up to 256 bits (RMI_REG_DESC_PRESENSE_BITS),
+storing this count in a u8 can overflow to 0 if all 256 bits are set.
+
+Change the num_registers field in struct rmi_register_descriptor
+from u8 to u16 to prevent potential integer overflow and ensure safe
+processing of devices reporting large descriptors.
+
+Fixes: 2b6a321da9a2 ("Input: synaptics-rmi4 - add support for Synaptics RMI4 devices")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-3-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/rmi4/rmi_driver.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/rmi4/rmi_driver.h
++++ b/drivers/input/rmi4/rmi_driver.h
+@@ -65,7 +65,7 @@ struct rmi_register_desc_item {
+ struct rmi_register_descriptor {
+ unsigned long struct_size;
+ unsigned long presense_map[BITS_TO_LONGS(RMI_REG_DESC_PRESENSE_BITS)];
+- u8 num_registers;
++ u16 num_registers;
+ struct rmi_register_desc_item *registers;
+ };
+
diff --git a/queue-5.15/input-rmi4-iterative-irq-handler.patch b/queue-5.15/input-rmi4-iterative-irq-handler.patch
new file mode 100644
index 0000000000..bed47cf0e6
--- /dev/null
+++ b/queue-5.15/input-rmi4-iterative-irq-handler.patch
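Review bot: Widening num_registers to u16 in struct rmi_register_descriptor only helps if every loop over it uses an index at least as wide; a `u8` counter in a `for (i = 0; i < rdesc->num_registers; i++)` would now never terminate for a 256-register descriptor, where it previously saw 0 and skipped. Those loops live in rmi_driver.c, outside this hunk, so this is a point to confirm rather than a visible defect. The field itself would read better with its provenance recorded: `u16 num_registers; /* bitmap_weight() of presense_map, up to RMI_REG_DESC_PRESENSE_BITS */`.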
@@ -0,0 +1,66 @@
+From b6ca982afd0e8fbcbb340092d3c6d3b4a217686c Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Mon, 4 May 2026 21:59:36 -0700
+Subject: Input: rmi4 - iterative IRQ handler
+
+From: Dmitry Torokhov
+
+commit b6ca982afd0e8fbcbb340092d3c6d3b4a217686c upstream.
+
+The current IRQ handler uses recursion to drain the attention FIFO,
+which can lead to stack overflow on deep queues. Convert it to a
+loop.
+
+Fixes: b908d3cd812a ("Input: synaptics-rmi4 - allow to add attention data")
+Cc: stable@vger.kernel.org
+Assisted-by: Gemini:gemini-3.1-pro
+Link: https://patch.msgid.link/20260505045952.1570713-6-dmitry.torokhov@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/rmi4/rmi_driver.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_driver.c
++++ b/drivers/input/rmi4/rmi_driver.c
+@@ -196,24 +196,24 @@ static irqreturn_t rmi_irq_fn(int irq, v
+ struct rmi4_attn_data attn_data = {0};
+ int ret, count;
+
+- count = kfifo_get(&drvdata->attn_fifo, &attn_data);
+- if (count) {
+- *(drvdata->irq_status) = attn_data.irq_status;
+- drvdata->attn_data = attn_data;
+- }
++ do {
++ count = kfifo_get(&drvdata->attn_fifo, &attn_data);
++ if (count) {
++ *drvdata->irq_status = attn_data.irq_status;
++ drvdata->attn_data = attn_data;
++ }
+
+- ret = rmi_process_interrupt_requests(rmi_dev);
+- if (ret)
+- rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
+- "Failed to process interrupt request: %d\n", ret);
++ ret = rmi_process_interrupt_requests(rmi_dev);
++ if (ret)
++ rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev,
++ "Failed to process interrupt request: %d\n",
++ ret);
+
+- if (count) {
+- kfree(attn_data.data);
+- drvdata->attn_data.data = NULL;
+- }
+-
+- if (!kfifo_is_empty(&drvdata->attn_fifo))
+- return rmi_irq_fn(irq, dev_id);
++ if (count) {
++ kfree(attn_data.data);
++ drvdata->attn_data.data = NULL;
++ }
++ } while (!kfifo_is_empty(&drvdata->attn_fifo));
+
+ return IRQ_HANDLED;
+ }
diff --git a/queue-5.15/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch b/queue-5.15/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
new file mode 100644
index 0000000000..d508767910
--- /dev/null
+++ b/queue-5.15/media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
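Review bot: The rewritten loop in rmi_irq_fn still calls rmi_process_interrupt_requests() when kfifo_get() returned nothing (count == 0), which is the reason for do/while rather than while, and that intent is not stated anywhere; a comment on the `do {` line such as `/* Run at least once: presumably the plain hardware-interrupt path has no queued attention data. */` would keep a later cleanup from turning it into a while loop. The loop is also unbounded, exactly as the recursion it replaces was; if attention data can be queued faster than one pass drains it, the handler never returns, so a word on why that cannot happen belongs in the same comment. rmi_irq_fn starts outside the hunk.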
@@ -0,0 +1,81 @@
+From 7d8bf3d8f91073f4db347ed3aa6302b56107499c Mon Sep 17 00:00:00 2001
+From: Ruslan Valiyev
+Date: Tue, 17 Mar 2026 17:05:44 +0000
+Subject: media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si
+
+From: Ruslan Valiyev
+
+commit 7d8bf3d8f91073f4db347ed3aa6302b56107499c upstream.
+
+syzbot reported a general protection fault in
+vidtv_psi_ts_psi_write_into [1].
+
+vidtv_mux_get_pid_ctx() can return NULL, but vidtv_mux_push_si() does
+not check for this before dereferencing the returned pointer to access
+the continuity counter. This leads to a general protection fault when
+accessing a near-NULL address.
+
+The root cause is that vidtv_mux_pid_ctx_init() does not check the
+return value of vidtv_mux_create_pid_ctx_once() for PMT section PIDs.
+If the allocation fails, the PID context is never created, but init
+returns success. The subsequent vidtv_mux_push_si() call then gets
+NULL from vidtv_mux_get_pid_ctx() and crashes.
+
+Fix both the root cause (add error check in vidtv_mux_pid_ctx_init
+for PMT PIDs) and add defensive NULL checks in vidtv_mux_push_si for
+all vidtv_mux_get_pid_ctx() calls.
+
+[1]
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
+Workqueue: events vidtv_mux_tick
+RIP: 0010:vidtv_psi_ts_psi_write_into+0x54a/0xbc0 drivers/media/test-drivers/vidtv/vidtv_psi.c:197
+Call Trace:
+
+ vidtv_psi_table_header_write_into drivers/media/test-drivers/vidtv/vidtv_psi.c:799 [inline]
+ vidtv_psi_pmt_write_into+0x3b2/0xa70 drivers/media/test-drivers/vidtv/vidtv_psi.c:1231
+ vidtv_mux_push_si+0x932/0xe80 drivers/media/test-drivers/vidtv/vidtv_mux.c:196
+ vidtv_mux_tick+0xe9b/0x1480 drivers/media/test-drivers/vidtv/vidtv_mux.c:408
+
+Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+814c351d094f4f1a1b86@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
+Signed-off-by: Ruslan Valiyev
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/test-drivers/vidtv/vidtv_mux.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/test-drivers/vidtv/vidtv_mux.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_mux.c
+@@ -101,7 +101,8 @@ static int vidtv_mux_pid_ctx_init(struct
+ /* add a ctx for all PMT sections */
+ while (p) {
+ pid = vidtv_psi_get_pat_program_pid(p);
+- vidtv_mux_create_pid_ctx_once(m, pid);
++ if (!vidtv_mux_create_pid_ctx_once(m, pid))
++ goto free;
+ p = p->next;
+ }
+
+@@ -170,6 +171,9 @@ static u32 vidtv_mux_push_si(struct vidt
+ nit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_NIT_PID);
+ eit_ctx = vidtv_mux_get_pid_ctx(m, VIDTV_EIT_PID);
+
++ if (!pat_ctx || !sdt_ctx || !nit_ctx || !eit_ctx)
++ return 0;
++
+ pat_args.offset = m->mux_buf_offset;
+ pat_args.continuity_counter = &pat_ctx->cc;
+
+@@ -186,6 +190,8 @@ static u32 vidtv_mux_push_si(struct vidt
+ }
+
+ pmt_ctx = vidtv_mux_get_pid_ctx(m, pmt_pid);
++ if (!pmt_ctx)
++ continue;
+
+ pmt_args.offset = m->mux_buf_offset;
+ pmt_args.pmt = m->si.pmt_secs[i];
diff --git a/queue-5.15/series b/queue-5.15/series
index cec623eabb..36cacfc7d4 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -18,3 +18,12 @@ agp-amd64-fix-broken-error-propagation-in-agp_amd64_probe.patch
 xhci-fix-memory-leak-regression-when-freeing-xhci-vd.patch
 af_unix-reject-siocatmark-on-non-stream-sockets.patch
 regulator-core-fix-locking-in-regulator_resolve_supply-error-path.patch
+input-rmi4-fix-register-descriptor-address-calculation.patch
+input-rmi4-fix-type-overflow-in-register-counts.patch
+input-rmi4-fix-num_subpackets-overflow-in-register-descriptor.patch
+input-rmi4-fix-memory-leak-in-rmi_set_attn_data.patch
+input-rmi4-iterative-irq-handler.patch
+input-rmi4-fix-bit-count-in-bitmap_copy.patch
+vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
+media-vidtv-fix-null-pointer-dereference-in-vidtv_mux_push_si.patch
+virtiofs-fix-uaf-on-submount-umount.patch
diff --git a/queue-5.15/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch b/queue-5.15/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
new file mode 100644
index 0000000000..6db9094c53
--- /dev/null
+++ b/queue-5.15/vc_screen-fix-null-ptr-deref-in-vcs_notifier-during-concurrent-vcs_write.patch
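Review bot: The `goto free` added in vidtv_mux_pid_ctx_init fixes the root cause only if the code at the `free` label, which lies outside the hunk, returns an error rather than the success value the commit message says init used to return; that path is worth confirming, since a 0 return after freeing would leave the caller in the same state as before. In vidtv_mux_push_si the new `return 0` and `continue` are silent: nothing records that SI tables were skipped, so a comment should say why this is unreachable in normal operation, e.g. `/* NULL only if vidtv_mux_pid_ctx_init() failed; skip SI rather than dereference */` above the four-way check, and the same one-liner above `if (!pmt_ctx)`. Both functions start outside the hunk.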
@@ -0,0 +1,46 @@
+From a287620312dc6dcb9a093417a0e589bf30fcf38a Mon Sep 17 00:00:00 2001
+From: Yi Yang
+Date: Thu, 4 Jun 2026 06:07:34 +0000
+Subject: vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
+
+From: Yi Yang
+
+commit a287620312dc6dcb9a093417a0e589bf30fcf38a upstream.
+
+A KASAN null-ptr-deref was observed in vcs_notifier():
+
+BUG: KASAN: null-ptr-deref in vcs_notifier+0x98/0x130
+Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {}
+
+The issue is a race condition in vcs_write(). When the console_lock is
+temporarily dropped (to copy data from userspace), the vc_data pointer
+obtained from vcs_vc() may become stale. After re-acquiring the lock,
+vcs_vc() is called again to re-validate the pointer. If the vc has been
+deallocated in the meantime, vcs_vc() returns NULL, and the while loop
+breaks (with written > 0). However, after the loop, vcs_scr_updated(vc)
+is still called with the now-NULL vc pointer, leading to a null pointer
+dereference in the notifier chain (vcs_notifier dereferences param->vc).
+
+Fix this by adding a NULL check for vc before calling vcs_scr_updated().
+
+Fixes: 8fb9ea65c9d1 ("vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yi Yang
+Reviewed-by: Jiri Slaby
+Link: https://patch.msgid.link/20260604060734.2914976-1-yiyang13@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/vt/vc_screen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -699,7 +699,7 @@ vcs_write(struct file *file, const char
+ }
+ *ppos += written;
+ ret = written;
+- if (written)
++ if (written && vc)
+ vcs_scr_updated(vc);
+
+ unlock_out:
diff --git a/queue-5.15/virtiofs-fix-uaf-on-submount-umount.patch b/queue-5.15/virtiofs-fix-uaf-on-submount-umount.patch
new file mode 100644
index 0000000000..36056da60c
--- /dev/null
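Review bot: `if (written && vc)` is correct but opaque without the commit message: nothing at this point in vcs_write says how vc can be NULL while written is non-zero, and a later reader may "simplify" the condition away. A comment on the line above, such as `/* vc is NULL if the console was freed while console_lock was dropped in the copy loop */`, ties the check to the re-validation that vcs_vc() performs after the lock is re-taken. vcs_write begins outside the hunk.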
+++ b/queue-5.15/virtiofs-fix-uaf-on-submount-umount.patch 
@@ -0,0 +1,53 @@
+From 06b41351779e9289e8785694ade9042ae85e41ea Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Thu, 28 May 2026 10:58:24 +0200
+Subject: virtiofs: fix UAF on submount umount
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miklos Szeredi
+
+commit 06b41351779e9289e8785694ade9042ae85e41ea upstream.
+
+iput() called from fuse_release_end() can Oops if the super block has
+already been destroyed. Normally this is prevented by waiting for
+num_waiting to go down to zero before commencing with super block shutdown.
+
+This only works, however, for the last submount instance, as the wait
+counter is per connection, not per superblock.
+
+Revert to using synchronous release requests for the auto_submounts case,
+which is virtiofs only at this time.
+
+Reported-by: Aurélien Bombo
+Reported-by: Zhihao Cheng
+Cc: Greg Kurz
+Closes: https://github.com/kata-containers/kata-containers/issues/12589
+Fixes: 26e5c67deb2e ("fuse: fix livelock in synchronous file put from fuseblk workers")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kurz
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/file.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -358,8 +358,14 @@ void fuse_file_release(struct inode *ino
+ * aio and closes the fd before the aio completes. Since aio takes its
+ * own ref to the file, the IO completion has to drop the ref, which is
+ * how the fuse server can end up closing its clients' files.
++ *
++ * Exception is virtio-fs, which is not affected by the above (server is
++ * on host, cannot close open files in guest). Virtio-fs needs sync
++ * release, because the num_waiting mechanism to wait for all requests
++ * before commencing with fs shutdown doesn't work if submounts are
++ * used.
+ */
+- fuse_file_put(ff, false);
++ fuse_file_put(ff, ff->fm->fc->auto_submounts);
+ }
+
+ void fuse_release_common(struct file *file, bool isdir)
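Review bot: The new comment in fuse_file_release describes the exception as virtio-fs, but the condition in `fuse_file_put(ff, ff->fm->fc->auto_submounts)` keys on the generic auto_submounts connection flag; any future connection that sets auto_submounts inherits synchronous release without the "server is on host" argument the comment relies on. Leading the comment with the flag keeps code and comment aligned, e.g. `* Exception is connections with auto_submounts (currently only virtio-fs),` followed by the existing justification, and the commit message's "virtiofs only at this time" then has a matching note in the code. fuse_file_release starts outside the hunk.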