From: Greg Kroah-Hartman Date: Mon, 29 Dec 2025 13:07:09 +0000 (+0100) Subject: 5.10-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2deb75b2f9ba5597ab871447dc91ec69303f2ce8;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: ext4-fix-incorrect-group-number-assertion-in-mb_check_buddy.patch ext4-xattr-fix-null-pointer-deref-in-ext4_raw_inode.patch jbd2-use-a-weaker-annotation-in-journal-handling.patch media-v4l2-mem2mem-fix-outdated-documentation.patch --- diff --git a/queue-5.10/ext4-fix-incorrect-group-number-assertion-in-mb_check_buddy.patch b/queue-5.10/ext4-fix-incorrect-group-number-assertion-in-mb_check_buddy.patch new file mode 100644 index 0000000000..25b065a754 --- /dev/null +++ b/queue-5.10/ext4-fix-incorrect-group-number-assertion-in-mb_check_buddy.patch 
@@ -0,0 +1,63 @@ +From 3f7a79d05c692c7cfec70bf104b1b3c3d0ce6247 Mon Sep 17 00:00:00 2001 +From: Yongjian Sun +Date: Thu, 6 Nov 2025 14:06:13 +0800 +Subject: ext4: fix incorrect group number assertion in mb_check_buddy + +From: Yongjian Sun + +commit 3f7a79d05c692c7cfec70bf104b1b3c3d0ce6247 upstream. + +When the MB_CHECK_ASSERT macro is enabled, an assertion failure can +occur in __mb_check_buddy when checking preallocated blocks (pa) in +a block group: + +Assertion failure in mb_free_blocks() : "groupnr == e4b->bd_group" + +This happens when a pa at the very end of a block group (e.g., +pa_pstart=32765, pa_len=3 in a group of 32768 blocks) becomes +exhausted - its pa_pstart is advanced by pa_len to 32768, which +lies in the next block group. If this exhausted pa (with pa_len == 0) +is still in the bb_prealloc_list during the buddy check, the assertion +incorrectly flags it as belonging to the wrong group. A possible +sequence is as follows: + +ext4_mb_new_blocks + ext4_mb_release_context + pa->pa_pstart += EXT4_C2B(sbi, ac->ac_b_ex.fe_len) + pa->pa_len -= ac->ac_b_ex.fe_len + + __mb_check_buddy + for each pa in group + ext4_get_group_no_and_offset + MB_CHECK_ASSERT(groupnr == e4b->bd_group) + +To fix this, we modify the check to skip block group validation for +exhausted preallocations (where pa_len == 0). Such entries are in a +transitional state and will be removed from the list soon, so they +should not trigger an assertion. This change prevents the false +positive while maintaining the integrity of the checks for active +allocations. 
+ +Fixes: c9de560ded61f ("ext4: Add multi block allocator for ext4") +Signed-off-by: Yongjian Sun +Reviewed-by: Baokun Li +Reviewed-by: Jan Kara +Message-ID: <20251106060614.631382-2-sunyongjian@huaweicloud.com> +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -706,6 +706,8 @@ static void __mb_check_buddy(struct ext4 + ext4_group_t groupnr; + struct ext4_prealloc_space *pa; + pa = list_entry(cur, struct ext4_prealloc_space, pa_group_list); ++ if (!pa->pa_len) ++ continue; + ext4_get_group_no_and_offset(sb, pa->pa_pstart, &groupnr, &k); + MB_CHECK_ASSERT(groupnr == e4b->bd_group); + for (i = 0; i < pa->pa_len; i++) diff --git a/queue-5.10/ext4-xattr-fix-null-pointer-deref-in-ext4_raw_inode.patch b/queue-5.10/ext4-xattr-fix-null-pointer-deref-in-ext4_raw_inode.patch new file mode 100644 index 0000000000..0225a5c7c2 --- /dev/null +++ b/queue-5.10/ext4-xattr-fix-null-pointer-deref-in-ext4_raw_inode.patch 
@@ -0,0 +1,43 @@ +From b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 Mon Sep 17 00:00:00 2001 +From: Karina Yankevich +Date: Wed, 22 Oct 2025 12:32:53 +0300 +Subject: ext4: xattr: fix null pointer deref in ext4_raw_inode() + +From: Karina Yankevich + +commit b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 upstream. + +If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), +iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all() +lacks error checking, this will lead to a null pointer dereference +in ext4_raw_inode(), called right after ext4_get_inode_loc(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: c8e008b60492 ("ext4: ignore xattrs past end") +Cc: stable@kernel.org +Signed-off-by: Karina Yankevich +Reviewed-by: Sergey Shtylyov +Reviewed-by: Baokun Li +Message-ID: <20251022093253.3546296-1-k.yankevich@omp.ru> +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/xattr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1134,7 +1134,11 @@ ext4_xattr_inode_dec_ref_all(handle_t *h + if (block_csum) + end = (void *)bh->b_data + bh->b_size; + else { +- ext4_get_inode_loc(parent, &iloc); ++ err = ext4_get_inode_loc(parent, &iloc); ++ if (err) { ++ EXT4_ERROR_INODE(parent, "parent inode loc (error %d)", err); ++ return; ++ } + end = (void *)ext4_raw_inode(&iloc) + EXT4_SB(parent->i_sb)->s_inode_size; + } + diff --git a/queue-5.10/jbd2-use-a-weaker-annotation-in-journal-handling.patch b/queue-5.10/jbd2-use-a-weaker-annotation-in-journal-handling.patch new file mode 100644 index 0000000000..be3deaef00 --- /dev/null +++ b/queue-5.10/jbd2-use-a-weaker-annotation-in-journal-handling.patch 
@@ -0,0 +1,49 @@ +From 40a71b53d5a6d4ea17e4d54b99b2ac03a7f5e783 Mon Sep 17 00:00:00 2001 +From: Byungchul Park +Date: Fri, 24 Oct 2025 16:39:40 +0900 +Subject: jbd2: use a weaker annotation in journal handling + +From: Byungchul Park + +commit 40a71b53d5a6d4ea17e4d54b99b2ac03a7f5e783 upstream. + +jbd2 journal handling code doesn't want jbd2_might_wait_for_commit() +to be placed between start_this_handle() and stop_this_handle(). So it +marks the region with rwsem_acquire_read() and rwsem_release(). + +However, the annotation is too strong for that purpose. We don't have +to use more than try lock annotation for that. + +rwsem_acquire_read() implies: + + 1. might be a waiter on contention of the lock. + 2. enter to the critical section of the lock. + +All we need in here is to act 2, not 1. So trylock version of +annotation is sufficient for that purpose. Now that dept partially +relies on lockdep annotaions, dept interpets rwsem_acquire_read() as a +potential wait and might report a deadlock by the wait. + +Replace it with trylock version of annotation. + +Signed-off-by: Byungchul Park +Reviewed-by: Jan Kara +Cc: stable@kernel.org +Message-ID: <20251024073940.1063-1-byungchul@sk.com> +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/transaction.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -448,7 +448,7 @@ repeat: + read_unlock(&journal->j_state_lock); + current->journal_info = handle; + +- rwsem_acquire_read(&journal->j_trans_commit_map, 0, 0, _THIS_IP_); ++ rwsem_acquire_read(&journal->j_trans_commit_map, 0, 1, _THIS_IP_); + jbd2_journal_free_transaction(new_transaction); + /* + * Ensure that no allocations done while the transaction is open are diff --git a/queue-5.10/media-v4l2-mem2mem-fix-outdated-documentation.patch b/queue-5.10/media-v4l2-mem2mem-fix-outdated-documentation.patch new file mode 100644 index 0000000000..3ccd1e021a --- /dev/null 
+++ b/queue-5.10/media-v4l2-mem2mem-fix-outdated-documentation.patch @@ -0,0 +1,37 @@ +From 082b86919b7a94de01d849021b4da820a6cb89dc Mon Sep 17 00:00:00 2001 +From: Laurent Pinchart +Date: Wed, 8 Oct 2025 12:55:18 +0300 +Subject: media: v4l2-mem2mem: Fix outdated documentation + +From: Laurent Pinchart + +commit 082b86919b7a94de01d849021b4da820a6cb89dc upstream. + +Commit cbd9463da1b1 ("media: v4l2-mem2mem: Avoid calling .device_run in +v4l2_m2m_job_finish") deferred calls to .device_run() to a work queue to +avoid recursive calls when a job is finished right away from +.device_run(). It failed to update the v4l2_m2m_job_finish() +documentation that still states the function must not be called from +.device_run(). Fix it. + +Fixes: cbd9463da1b1 ("media: v4l2-mem2mem: Avoid calling .device_run in v4l2_m2m_job_finish") +Cc: stable@vger.kernel.org +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + include/media/v4l2-mem2mem.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/include/media/v4l2-mem2mem.h ++++ b/include/media/v4l2-mem2mem.h +@@ -185,8 +185,7 @@ void v4l2_m2m_try_schedule(struct v4l2_m + * other instances to take control of the device. + * + * This function has to be called only after &v4l2_m2m_ops->device_run +- * callback has been called on the driver. To prevent recursion, it should +- * not be called directly from the &v4l2_m2m_ops->device_run callback though. ++ * callback has been called on the driver. + */ + void v4l2_m2m_job_finish(struct v4l2_m2m_dev *m2m_dev, + struct v4l2_m2m_ctx *m2m_ctx); diff --git a/queue-5.10/series b/queue-5.10/series index 45cf576595..ef1da0381d 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -222,3 +222,7 @@ vhost-vsock-improve-rcu-read-sections-around-vhost_v.patch lib-crypto-x86-blake2s-fix-32-bit-arg-treated-as-64-bit.patch floppy-fix-for-page_size-4kb.patch ktest.pl-fix-uninitialized-var-in-config-bisect.pl.patch +ext4-xattr-fix-null-pointer-deref-in-ext4_raw_inode.patch +ext4-fix-incorrect-group-number-assertion-in-mb_check_buddy.patch +jbd2-use-a-weaker-annotation-in-journal-handling.patch +media-v4l2-mem2mem-fix-outdated-documentation.patch
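Review bot: in the fs/ext4/mballoc.c hunk, the new `if (!pa->pa_len) continue;` ahead of ext4_get_group_no_and_offset() has no comment, so without the commit message a reader cannot tell why a zero-length pa is exempt from MB_CHECK_ASSERT(groupnr == e4b->bd_group). Suggest a one-line comment above the test saying that an exhausted pa may have had pa_pstart advanced past the end of its group and is about to be removed from the list. No other coverage is lost by the skip, since the `for (i = 0; i < pa->pa_len; i++)` loop that follows does nothing when pa_len is 0.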
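Review bot: in the fs/ext4/xattr.c hunk, the new error branch assigns to `err` but the hunk adds no declaration for it, so this backport relies on ext4_xattr_inode_dec_ref_all() in 5.10 already having a local of that name; worth confirming with a build of queue-5.10. The bare `return;` also skips the rest of the function and gives the caller no indication of failure, which leaves the EXT4_ERROR_INODE() report as the only trace. The message "parent inode loc (error %d)" would be easier to find in logs if it said that getting the inode location failed.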
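Review bot: in the fs/jbd2/transaction.c hunk, the only change is the third argument of rwsem_acquire_read() going from 0 to 1, and nothing at the call site says that this literal selects the trylock form of the annotation. Suggest a short comment above the call stating that the handle only enters the j_trans_commit_map section and never waits on it, so that a later cleanup does not put the argument back to 0. The patch also carries Cc: stable without a Fixes: tag, so which stable trees it applies to has to be decided by hand.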
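Review bot: in the include/media/v4l2-mem2mem.h hunk, removing the two lines that warned against calling v4l2_m2m_job_finish() from &v4l2_m2m_ops->device_run leaves the kernel-doc silent on that case, so a driver author cannot tell from the comment that the call is now allowed. Suggest replacing the removed sentence with one that says the function may be called from .device_run. For this 5.10 queue the removal is only correct if cbd9463da1b1, named in the Fixes: tag, is present in 5.10.y; if it is not, the old warning still applies there.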