From: Greg Kroah-Hartman Date: Sat, 21 Mar 2026 15:52:36 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.1.167~47 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f0c374d4795a2107534680e82531d980a3f63ab;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch alsa-pcm-fix-wait_time-calculations.patch arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch can-gs_usb-gs_can_open-always-configure-bitrates-before-starting-device.patch crypto-atmel-sha204a-fix-oom-tfm_count-leak.patch drm-msm-fix-dma_free_attrs-buffer-size.patch iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch iomap-reject-delalloc-mappings-during-writeback.patch kvm-svm-initialize-avic-vmcb-fields-if-avic-is-enabled-with-in-kernel-apic.patch mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch mtd-partitions-redboot-fix-style-issues.patch net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch nfsd-define-exports_proc_ops-with-config_proc_fs.patch nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch smb-client-compare-macs-in-constant-time.patch smb-client-fix-atomic-open-with-o_direct-o_sync.patch smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch staging-rtl8723bs-fix-null-dereference-in-find_network.patch tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch 
usb-gadget-f_tcm-fix-null-pointer-dereferences-in-nexus-handling.patch usb-roles-get-usb-role-switch-from-parent-only-for-usb-b-connector.patch xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch --- diff --git a/queue-5.10/alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch b/queue-5.10/alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch new file mode 100644 index 0000000000..b2c58fb121 --- /dev/null +++ b/queue-5.10/alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch 
@@ -0,0 +1,82 @@ +From stable+bounces-225626-greg=kroah.com@vger.kernel.org Mon Mar 16 18:06:19 2026 +From: Sasha Levin +Date: Mon, 16 Mar 2026 13:00:45 -0400 +Subject: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() +To: stable@vger.kernel.org +Cc: Mehul Rao , Takashi Iwai , Sasha Levin +Message-ID: <20260316170045.993103-2-sashal@kernel.org> + +From: Mehul Rao + +[ Upstream commit 9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 ] + +In the drain loop, the local variable 'runtime' is reassigned to a +linked stream's runtime (runtime = s->runtime at line 2157). After +releasing the stream lock at line 2169, the code accesses +runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size +(lines 2170-2178) — all referencing the linked stream's runtime without +any lock or refcount protecting its lifetime. + +A concurrent close() on the linked stream's fd triggers +snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private() +→ snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime). +No synchronization prevents kfree(runtime) from completing while the +drain path dereferences the stale pointer. + +Fix by caching the needed runtime fields (no_period_wakeup, rate, +buffer_size) into local variables while still holding the stream lock, +and using the cached values after the lock is released. 
+ +Fixes: f2b3614cefb6 ("ALSA: PCM - Don't check DMA time-out too shortly") +Cc: stable@vger.kernel.org +Signed-off-by: Mehul Rao +Link: https://patch.msgid.link/20260305193508.311096-1-mehulrao@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/pcm_native.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -2129,6 +2129,10 @@ static int snd_pcm_drain(struct snd_pcm_ + for (;;) { + long tout; + struct snd_pcm_runtime *to_check; ++ unsigned int drain_rate; ++ snd_pcm_uframes_t drain_bufsz; ++ bool drain_no_period_wakeup; ++ + if (signal_pending(current)) { + result = -ERESTARTSYS; + break; +@@ -2148,16 +2152,25 @@ static int snd_pcm_drain(struct snd_pcm_ + snd_pcm_group_unref(group, substream); + if (!to_check) + break; /* all drained */ ++ /* ++ * Cache the runtime fields needed after unlock. ++ * A concurrent close() on the linked stream may free ++ * its runtime via snd_pcm_detach_substream() once we ++ * release the stream lock below. ++ */ ++ drain_no_period_wakeup = to_check->no_period_wakeup; ++ drain_rate = to_check->rate; ++ drain_bufsz = to_check->buffer_size; + init_waitqueue_entry(&wait, current); + set_current_state(TASK_INTERRUPTIBLE); + add_wait_queue(&to_check->sleep, &wait); + snd_pcm_stream_unlock_irq(substream); +- if (runtime->no_period_wakeup) ++ if (drain_no_period_wakeup) + tout = MAX_SCHEDULE_TIMEOUT; + else { + tout = 100; +- if (runtime->rate) { +- long t = runtime->buffer_size * 1100 / runtime->rate; ++ if (drain_rate) { ++ long t = drain_bufsz * 1100 / drain_rate; + tout = max(t, tout); + } + tout = msecs_to_jiffies(tout); diff --git a/queue-5.10/alsa-pcm-fix-wait_time-calculations.patch b/queue-5.10/alsa-pcm-fix-wait_time-calculations.patch new file mode 100644 index 0000000000..79eb4d989a --- /dev/null +++ b/queue-5.10/alsa-pcm-fix-wait_time-calculations.patch 
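Review bot: The three cached locals cover the fields read between `snd_pcm_stream_unlock_irq()` and `schedule_timeout()`, but `to_check->sleep` is also the wait-queue head handed to `add_wait_queue()` just before the unlock, and the matching `remove_wait_queue()` after the sleep lies outside this hunk; it must only dereference `to_check->sleep` after re-establishing under the stream lock that `to_check` is still linked, otherwise the concurrent close() the description identifies reaches the same freed runtime through a different field, so that relock path is worth confirming. The locals `drain_rate`, `drain_bufsz` and `drain_no_period_wakeup` are declared without initialisers and only assigned after the `if (!to_check) break;`, which is correct but easy to misread as a maybe-uninitialised use; a one-line comment at the declarations, `/* snapshots of to_check fields, valid only after the !to_check check */`, would make the dependency explicit. snd_pcm_drain() starts and ends outside the hunk.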
@@ -0,0 +1,105 @@ +From stable+bounces-225625-greg=kroah.com@vger.kernel.org Mon Mar 16 18:06:12 2026 +From: Sasha Levin +Date: Mon, 16 Mar 2026 13:00:44 -0400 +Subject: ALSA: pcm: fix wait_time calculations +To: stable@vger.kernel.org +Cc: Oswald Buddenhagen , Takashi Iwai , Sasha Levin +Message-ID: <20260316170045.993103-1-sashal@kernel.org> + +From: Oswald Buddenhagen + +[ Upstream commit 3ed2b549b39f57239aad50a255ece353997183fd ] + +... in wait_for_avail() and snd_pcm_drain(). + +t was calculated in seconds, so it would be pretty much always zero, to +be subsequently de-facto ignored due to being max(t, 10)'d. And then it +(i.e., 10) would be treated as secs, which doesn't seem right. + +However, fixing it to properly calculate msecs would potentially cause +timeouts when using twice the period size for the default timeout (which +seems reasonable to me), so instead use the buffer size plus 10 percent +to be on the safe side ... but that still seems insufficient, presumably +because the hardware typically needs a moment to fire up. To compensate +for this, we up the minimal timeout to 100ms, which is still two orders +of magnitude less than the bogus minimum. + +substream->wait_time was also misinterpreted as jiffies, despite being +documented as being in msecs. Only the soc/sof driver sets it - to 500, +which looks very much like msecs were intended. + +Speaking of which, shouldn't snd_pcm_drain() also use substream-> +wait_time? + +As a drive-by, make the debug messages on timeout less confusing. 
+ +Signed-off-by: Oswald Buddenhagen +Link: https://lore.kernel.org/r/20230405201219.2197774-1-oswald.buddenhagen@gmx.de +Signed-off-by: Takashi Iwai +Stable-dep-of: 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain()") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/pcm_lib.c | 11 +++++------ + sound/core/pcm_native.c | 8 ++++---- + 2 files changed, 9 insertions(+), 10 deletions(-) + +--- a/sound/core/pcm_lib.c ++++ b/sound/core/pcm_lib.c +@@ -1843,15 +1843,14 @@ static int wait_for_avail(struct snd_pcm + if (substream->wait_time) { + wait_time = substream->wait_time; + } else { +- wait_time = 10; ++ wait_time = 100; + + if (runtime->rate) { +- long t = runtime->period_size * 2 / +- runtime->rate; ++ long t = runtime->buffer_size * 1100 / runtime->rate; + wait_time = max(t, wait_time); + } +- wait_time = msecs_to_jiffies(wait_time * 1000); + } ++ wait_time = msecs_to_jiffies(wait_time); + } + + for (;;) { +@@ -1899,8 +1898,8 @@ static int wait_for_avail(struct snd_pcm + } + if (!tout) { + pcm_dbg(substream->pcm, +- "%s write error (DMA or IRQ trouble?)\n", +- is_playback ? "playback" : "capture"); ++ "%s timeout (DMA or IRQ trouble?)\n", ++ is_playback ? 
"playback write" : "capture read"); + err = -EIO; + break; + } +--- a/sound/core/pcm_native.c ++++ b/sound/core/pcm_native.c +@@ -2155,12 +2155,12 @@ static int snd_pcm_drain(struct snd_pcm_ + if (runtime->no_period_wakeup) + tout = MAX_SCHEDULE_TIMEOUT; + else { +- tout = 10; ++ tout = 100; + if (runtime->rate) { +- long t = runtime->period_size * 2 / runtime->rate; ++ long t = runtime->buffer_size * 1100 / runtime->rate; + tout = max(t, tout); + } +- tout = msecs_to_jiffies(tout * 1000); ++ tout = msecs_to_jiffies(tout); + } + tout = schedule_timeout(tout); + +@@ -2183,7 +2183,7 @@ static int snd_pcm_drain(struct snd_pcm_ + result = -ESTRPIPE; + else { + dev_dbg(substream->pcm->card->dev, +- "playback drain error (DMA or IRQ trouble?)\n"); ++ "playback drain timeout (DMA or IRQ trouble?)\n"); + snd_pcm_stop(substream, SNDRV_PCM_STATE_SETUP); + result = -EIO; + } diff --git a/queue-5.10/arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch b/queue-5.10/arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch new file mode 100644 index 0000000000..df9c110aa8 --- /dev/null +++ b/queue-5.10/arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch 
@@ -0,0 +1,68 @@
+From stable+bounces-227066-greg=kroah.com@vger.kernel.org Wed Mar 18 14:17:26 2026
+From: Sasha Levin
+Date: Wed, 18 Mar 2026 09:14:21 -0400
+Subject: arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
+To: stable@vger.kernel.org
+Cc: Catalin Marinas , Jianpeng Chang , Will Deacon , "Huang, Ying" , Guenter Roeck , Sasha Levin
+Message-ID: <20260318131421.723675-1-sashal@kernel.org>
+
+From: Catalin Marinas
+
+[ Upstream commit c25c4aa3f79a488cc270507935a29c07dc6bddfc ]
+
+Commit 143937ca51cc ("arm64, mm: avoid always making PTE dirty in
+pte_mkwrite()") changed pte_mkwrite_novma() to only clear PTE_RDONLY
+when PTE_DIRTY is set. This was to allow writable-clean PTEs for swap
+pages that haven't actually been written.
+
+However, this broke kexec and hibernation for some platforms. Both go
+through trans_pgd_create_copy() -> _copy_pte(), which calls
+pte_mkwrite_novma() to make the temporary linear-map copy fully
+writable. With the updated pte_mkwrite_novma(), read-only kernel pages
+(without PTE_DIRTY) remain read-only in the temporary mapping.
+While such behaviour is fine for user pages where hardware DBM or
+trapping will make them writeable, subsequent in-kernel writes by the
+kexec relocation code will fault.
+
+Add PTE_DIRTY back to all _PAGE_KERNEL* protection definitions. This was
+the case prior to 5.4, commit aa57157be69f ("arm64: Ensure
+VM_WRITE|VM_SHARED ptes are clean by default"). With the kernel
+linear-map PTEs always having PTE_DIRTY set, pte_mkwrite_novma()
+correctly clears PTE_RDONLY.
+
+Fixes: 143937ca51cc ("arm64, mm: avoid always making PTE dirty in pte_mkwrite()")
+Signed-off-by: Catalin Marinas
+Cc: stable@vger.kernel.org
+Reported-by: Jianpeng Chang
+Link: https://lore.kernel.org/r/20251204062722.3367201-1-jianpeng.chang.cn@windriver.com
+Cc: Will Deacon
+Cc: Huang, Ying
+Cc: Guenter Roeck
+Reviewed-by: Huang Ying
+Signed-off-by: Will Deacon
+[ added PTE_DIRTY to PAGE_KERNEL* macros directly instead of _PAGE_KERNEL* ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/include/asm/pgtable-prot.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/include/asm/pgtable-prot.h
++++ b/arch/arm64/include/asm/pgtable-prot.h
+@@ -65,11 +65,11 @@ extern bool arm64_use_ng_mappings;
+
+ #define _PAGE_DEFAULT (_PROT_DEFAULT | PTE_ATTRINDX(MT_NORMAL))
+
+-#define PAGE_KERNEL __pgprot(PROT_NORMAL)
+-#define PAGE_KERNEL_RO __pgprot((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY)
+-#define PAGE_KERNEL_ROX __pgprot((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY)
+-#define PAGE_KERNEL_EXEC __pgprot(PROT_NORMAL & ~PTE_PXN)
+-#define PAGE_KERNEL_EXEC_CONT __pgprot((PROT_NORMAL & ~PTE_PXN) | PTE_CONT)
++#define PAGE_KERNEL __pgprot(PROT_NORMAL | PTE_DIRTY)
++#define PAGE_KERNEL_RO __pgprot((PROT_NORMAL & ~PTE_WRITE) | PTE_RDONLY | PTE_DIRTY)
++#define PAGE_KERNEL_ROX __pgprot((PROT_NORMAL & ~(PTE_WRITE | PTE_PXN)) | PTE_RDONLY | PTE_DIRTY)
++#define PAGE_KERNEL_EXEC __pgprot((PROT_NORMAL & ~PTE_PXN) | PTE_DIRTY)
++#define PAGE_KERNEL_EXEC_CONT __pgprot((PROT_NORMAL & ~PTE_PXN) | PTE_CONT | PTE_DIRTY)
+
+ #define PAGE_S2_MEMATTR(attr) \
+ ({ \
diff --git a/queue-5.10/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch b/queue-5.10/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch
new file mode 100644
index 0000000000..a047367331
--- /dev/null
+++ b/queue-5.10/btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch
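Review bot: The backport adds PTE_DIRTY to the five PAGE_KERNEL* macros rather than to `_PAGE_KERNEL*` as upstream does (the bracketed trailer says so), so any other kernel protection that is built directly from `PROT_NORMAL` elsewhere in this header or in arch code does not pick up the bit; worth confirming that every mapping the kexec/hibernation copy path walks is created through one of these five macros, since that is the invariant the fix depends on. A one-line comment above the defines would record it for the next reader, e.g. `/* PTE_DIRTY on all kernel mappings so pte_mkwrite_novma() clears PTE_RDONLY (see c25c4aa3f79a) */`.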
@@ -0,0 +1,146 @@ +From stable+bounces-227402-greg=kroah.com@vger.kernel.org Fri Mar 20 01:17:13 2026 +From: Sasha Levin +Date: Thu, 19 Mar 2026 20:17:04 -0400 +Subject: btrfs: fix transaction abort on set received ioctl due to item overflow +To: stable@vger.kernel.org +Cc: Filipe Manana , Anand Jain , David Sterba , Sasha Levin +Message-ID: <20260320001704.3248188-1-sashal@kernel.org> + +From: Filipe Manana + +[ Upstream commit 87f2c46003fce4d739138aab4af1942b1afdadac ] + +If the set received ioctl fails due to an item overflow when attempting to +add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction +since we did some metadata updates before. + +This means that if a user calls this ioctl with the same received UUID +field for a lot of subvolumes, we will hit the overflow, trigger the +transaction abort and turn the filesystem into RO mode. A malicious user +could exploit this, and this ioctl does not even requires that a user +has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume. + +Fix this by doing an early check for item overflow before starting a +transaction. This is also race safe because we are holding the subvol_sem +semaphore in exclusive (write) mode. + +A test case for fstests will follow soon. 
+ +Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree") +CC: stable@vger.kernel.org # 3.12+ +Reviewed-by: Anand Jain +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[ A whole bunch of small things :) ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ctree.h | 2 ++ + fs/btrfs/ioctl.c | 21 +++++++++++++++++++-- + fs/btrfs/uuid-tree.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 67 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -2869,6 +2869,8 @@ int btrfs_uuid_tree_add(struct btrfs_tra + u64 subid); + int btrfs_uuid_tree_remove(struct btrfs_trans_handle *trans, u8 *uuid, u8 type, + u64 subid); ++int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info, ++ u8 *uuid, u8 type); + int btrfs_uuid_tree_iterate(struct btrfs_fs_info *fs_info); + + /* dir-item.c */ +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -4486,6 +4486,25 @@ static long _btrfs_ioctl_set_received_su + goto out; + } + ++ received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid, ++ BTRFS_UUID_SIZE); ++ ++ /* ++ * Before we attempt to add the new received uuid, check if we have room ++ * for it in case there's already an item. If the size of the existing ++ * item plus this root's ID (u64) exceeds the maximum item size, we can ++ * return here without the need to abort a transaction. If we don't do ++ * this check, the btrfs_uuid_tree_add() call below would fail with ++ * -EOVERFLOW and result in a transaction abort. Malicious users could ++ * exploit this to turn the fs into RO mode. 
++ */ ++ if (received_uuid_changed && !btrfs_is_empty_uuid(sa->uuid)) { ++ ret = btrfs_uuid_tree_check_overflow(fs_info, sa->uuid, ++ BTRFS_UUID_KEY_RECEIVED_SUBVOL); ++ if (ret < 0) ++ goto out; ++ } ++ + /* + * 1 - root item + * 2 - uuid items (received uuid + subvol uuid) +@@ -4501,8 +4520,6 @@ static long _btrfs_ioctl_set_received_su + sa->rtime.sec = ct.tv_sec; + sa->rtime.nsec = ct.tv_nsec; + +- received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid, +- BTRFS_UUID_SIZE); + if (received_uuid_changed && + !btrfs_is_empty_uuid(root_item->received_uuid)) { + ret = btrfs_uuid_tree_remove(trans, root_item->received_uuid, +--- a/fs/btrfs/uuid-tree.c ++++ b/fs/btrfs/uuid-tree.c +@@ -226,6 +226,52 @@ out: + return ret; + } + ++/* ++ * Check if we can add one root ID to a UUID key. ++ * If the key does not yet exists, we can, otherwise only if extended item does ++ * not exceeds the maximum item size permitted by the leaf size. ++ * ++ * Returns 0 on success, negative value on error. ++ */ ++int btrfs_uuid_tree_check_overflow(struct btrfs_fs_info *fs_info, ++ u8 *uuid, u8 type) ++{ ++ struct btrfs_path *path = NULL; ++ int ret; ++ u32 item_size; ++ struct btrfs_key key; ++ ++ if (WARN_ON_ONCE(!fs_info->uuid_root)) { ++ ret = -EINVAL; ++ goto out; ++ } ++ ++ path = btrfs_alloc_path(); ++ if (!path) { ++ ret = -ENOMEM; ++ goto out; ++ } ++ ++ btrfs_uuid_to_key(uuid, type, &key); ++ ret = btrfs_search_slot(NULL, fs_info->uuid_root, &key, path, 0, 0); ++ if (ret < 0) ++ goto out; ++ if (ret > 0) { ++ ret = 0; ++ goto out; ++ } ++ ++ item_size = btrfs_item_size(path->nodes[0], path->slots[0]); ++ ++ if (sizeof(struct btrfs_item) + item_size + sizeof(u64) > ++ BTRFS_LEAF_DATA_SIZE(fs_info)) ++ ret = -EOVERFLOW; ++ ++out: ++ btrfs_free_path(path); ++ return ret; ++} ++ + static int btrfs_uuid_iter_rem(struct btrfs_root *uuid_root, u8 *uuid, u8 type, + u64 subid) + { 
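Review bot: `btrfs_item_size(path->nodes[0], path->slots[0])` in the new btrfs_uuid_tree_check_overflow() passes a slot index, but in btrfs trees of this vintage the slot-based accessor was, to my recollection, `btrfs_item_size_nr()` while `btrfs_item_size()` took a `struct btrfs_item *`; if that holds for this branch the call either fails to build or, with the int-to-pointer conversion only warned about, reads a size through a bogus pointer, so a build check is warranted and the fix would be `item_size = btrfs_item_size_nr(path->nodes[0], path->slots[0]);`. The early check is only race-free because the caller holds `subvol_sem` for writing, which is stated in the description but not at the new call site in ioctl.c; the comment there would benefit from one sentence, `/* safe without a transaction: subvol_sem is held for writing, so no concurrent add of this uuid */`. Both enclosing functions start or end outside the hunk.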
diff --git a/queue-5.10/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch b/queue-5.10/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch new file mode 100644 index 0000000000..e6f15de4b5 --- /dev/null +++ b/queue-5.10/btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch 
@@ -0,0 +1,174 @@ +From stable+bounces-227367-greg=kroah.com@vger.kernel.org Thu Mar 19 19:38:35 2026 +From: Sasha Levin +Date: Thu, 19 Mar 2026 14:34:41 -0400 +Subject: btrfs: fix transaction abort when snapshotting received subvolumes +To: stable@vger.kernel.org +Cc: Filipe Manana , Boris Burkov , Qu Wenruo , David Sterba , Sasha Levin +Message-ID: <20260319183441.2928953-1-sashal@kernel.org> + +From: Filipe Manana + +[ Upstream commit e1b18b959025e6b5dbad668f391f65d34b39595a ] + +Currently a user can trigger a transaction abort by snapshotting a +previously received snapshot a bunch of times until we reach a +BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we +can store in a leaf). This is very likely not common in practice, but +if it happens, it turns the filesystem into RO mode. The snapshot, send +and set_received_subvol and subvol_setflags (used by receive) don't +require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user +could use this to turn a filesystem into RO mode and disrupt a system. + +Reproducer script: + + $ cat test.sh + #!/bin/bash + + DEV=/dev/sdi + MNT=/mnt/sdi + + # Use smallest node size to make the test faster. + mkfs.btrfs -f --nodesize 4K $DEV + mount $DEV $MNT + + # Create a subvolume and set it to RO so that it can be used for send. + btrfs subvolume create $MNT/sv + touch $MNT/sv/foo + btrfs property set $MNT/sv ro true + + # Send and receive the subvolume into snaps/sv. + mkdir $MNT/snaps + btrfs send $MNT/sv | btrfs receive $MNT/snaps + + # Now snapshot the received subvolume, which has a received_uuid, a + # lot of times to trigger the leaf overflow. + total=500 + for ((i = 1; i <= $total; i++)); do + echo -ne "\rCreating snapshot $i/$total" + btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null + done + echo + + umount $MNT + +When running the test: + + $ ./test.sh + (...) 
+ Create subvolume '/mnt/sdi/sv' + At subvol /mnt/sdi/sv + At subvol sv + Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type + Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system + Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system + Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system + Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system + +And in dmesg/syslog: + + $ dmesg + (...) + [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252! + [251067.629212] ------------[ cut here ]------------ + [251067.630033] BTRFS: Transaction aborted (error -75) + [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235 + [251067.632851] Modules linked in: btrfs dm_zero (...) + [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) + [251067.646165] Tainted: [W]=WARN + [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 + [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs] + [251067.649984] Code: f0 48 0f (...) 
+ [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292 + [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3 + [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750 + [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820 + [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0 + [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5 + [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000 + [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0 + [251067.661972] Call Trace: + [251067.662292] + [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs] + [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs] + [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs] + [251067.665238] ? _raw_spin_unlock+0x15/0x30 + [251067.665837] ? record_root_in_trans+0xa2/0xd0 [btrfs] + [251067.666531] btrfs_mksubvol+0x330/0x580 [btrfs] + [251067.667145] btrfs_mksnapshot+0x74/0xa0 [btrfs] + [251067.667827] __btrfs_ioctl_snap_create+0x194/0x1d0 [btrfs] + [251067.668595] btrfs_ioctl_snap_create_v2+0x107/0x130 [btrfs] + [251067.669479] btrfs_ioctl+0x1580/0x2690 [btrfs] + [251067.670093] ? count_memcg_events+0x6d/0x180 + [251067.670849] ? handle_mm_fault+0x1a0/0x2a0 + [251067.671652] __x64_sys_ioctl+0x92/0xe0 + [251067.672406] do_syscall_64+0x50/0xf20 + [251067.673129] entry_SYSCALL_64_after_hwframe+0x76/0x7e + [251067.674096] RIP: 0033:0x7f2a495648db + [251067.674812] Code: 00 48 89 (...) 
+ [251067.678227] RSP: 002b:00007ffc5aa57840 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + [251067.679691] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f2a495648db + [251067.681145] RDX: 00007ffc5aa588b0 RSI: 0000000050009417 RDI: 0000000000000004 + [251067.682511] RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 + [251067.683842] R10: 000000000000000a R11: 0000000000000246 R12: 00007ffc5aa59910 + [251067.685176] R13: 00007ffc5aa588b0 R14: 0000000000000004 R15: 0000000000000006 + [251067.686524] + [251067.686972] ---[ end trace 0000000000000000 ]--- + [251067.687890] BTRFS: error (device sdi state A) in create_pending_snapshot:1907: errno=-75 unknown + [251067.689049] BTRFS info (device sdi state EA): forced readonly + [251067.689054] BTRFS warning (device sdi state EA): Skipping commit of aborted transaction. + [251067.690119] BTRFS: error (device sdi state EA) in cleanup_transaction:2043: errno=-75 unknown + [251067.702028] BTRFS info (device sdi state EA): last unmount of filesystem 46dc3975-30a2-4a69-a18f-418b859cccda + +Fix this by ignoring -EOVERFLOW errors from btrfs_uuid_tree_add() in the +snapshot creation code when attempting to add the +BTRFS_UUID_KEY_RECEIVED_SUBVOL item. This is OK because it's not critical +and we are still able to delete the snapshot, as snapshot/subvolume +deletion ignores if a BTRFS_UUID_KEY_RECEIVED_SUBVOL is missing (see +inode.c:btrfs_delete_subvolume()). As for send/receive, we can still do +send/receive operations since it always peeks the first root ID in the +existing BTRFS_UUID_KEY_RECEIVED_SUBVOL (it could peek any since all +snapshots have the same content), and even if the key is missing, it +falls back to searching by BTRFS_UUID_KEY_SUBVOL key. + +A test case for fstests will be sent soon. 
+ +Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree") +CC: stable@vger.kernel.org # 3.12+ +Reviewed-by: Boris Burkov +Reviewed-by: Qu Wenruo +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[ adapted error check condition to omit unlikely() wrapper ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/transaction.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -1748,6 +1748,22 @@ static noinline int create_pending_snaps + ret = btrfs_uuid_tree_add(trans, new_root_item->received_uuid, + BTRFS_UUID_KEY_RECEIVED_SUBVOL, + objectid); ++ /* ++ * We are creating of lot of snapshots of the same root that was ++ * received (has a received UUID) and reached a leaf's limit for ++ * an item. We can safely ignore this and avoid a transaction ++ * abort. A deletion of this snapshot will still work since we ++ * ignore if an item with a BTRFS_UUID_KEY_RECEIVED_SUBVOL key ++ * is missing (see btrfs_delete_subvolume()). Send/receive will ++ * work too since it peeks the first root id from the existing ++ * item (it could peek any), and in case it's missing it ++ * falls back to search by BTRFS_UUID_KEY_SUBVOL keys. ++ * Creation of a snapshot does not require CAP_SYS_ADMIN, so ++ * we don't want users triggering transaction aborts, either ++ * intentionally or not. ++ */ ++ if (ret == -EOVERFLOW) ++ ret = 0; + if (ret && ret != -EEXIST) { + btrfs_abort_transaction(trans, ret); + goto fail; diff --git a/queue-5.10/can-gs_usb-gs_can_open-always-configure-bitrates-before-starting-device.patch b/queue-5.10/can-gs_usb-gs_can_open-always-configure-bitrates-before-starting-device.patch new file mode 100644 index 0000000000..04c26f0d60 --- /dev/null +++ b/queue-5.10/can-gs_usb-gs_can_open-always-configure-bitrates-before-starting-device.patch 
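Review bot: Mapping `-EOVERFLOW` to success keeps the filesystem writable, but `btrfs_uuid_tree_add()` still emits the `insert uuid item failed -75 ...` warning shown in the description's dmesg before returning, so an unprivileged caller who reaches this overflow can now produce one kernel warning per snapshot-create indefinitely instead of a single abort; if `btrfs_warn_rl()` is available in this tree, rate-limiting that message, or having btrfs_uuid_tree_add() stay quiet for `-EOVERFLOW`, would close the log-flood angle (that change is outside this hunk). The new comment explains why ignoring is safe but not that the same overflow is reachable from the set-received ioctl, which a sibling patch in this queue guards with a pre-transaction check; a one-line cross-reference would help whoever next revisits the received-uuid handling. create_pending_snapshot() starts and ends outside the hunk.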
@@ -0,0 +1,84 @@ +From stable+bounces-225679-greg=kroah.com@vger.kernel.org Mon Mar 16 20:23:22 2026 +From: Sasha Levin +Date: Mon, 16 Mar 2026 15:18:40 -0400 +Subject: can: gs_usb: gs_can_open(): always configure bitrates before starting device +To: stable@vger.kernel.org +Cc: Marc Kleine-Budde , Sasha Levin +Message-ID: <20260316191840.1350686-1-sashal@kernel.org> + +From: Marc Kleine-Budde + +[ Upstream commit 2df6162785f31f1bbb598cfc3b08e4efc88f80b6 ] + +So far the driver populated the struct can_priv::do_set_bittiming() and +struct can_priv::fd::do_set_data_bittiming() callbacks. + +Before bringing up the interface, user space has to configure the bitrates. +With these callbacks the configuration is directly forwarded into the CAN +hardware. Then the interface can be brought up. + +An ifdown-ifup cycle (without changing the bit rates) doesn't re-configure +the bitrates in the CAN hardware. This leads to a problem with the +CANable-2.5 [1] firmware, which resets the configured bit rates during +ifdown. + +To fix the problem remove both bit timing callbacks and always configure +the bitrates in the struct net_device_ops::ndo_open() callback. 
+ +[1] https://github.com/Elmue/CANable-2.5-firmware-Slcan-and-Candlelight + +Cc: stable@vger.kernel.org +Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") +Link: https://patch.msgid.link/20260219-gs_usb-always-configure-bitrates-v2-1-671f8ba5b0a5@pengutronix.de +Signed-off-by: Marc Kleine-Budde +[ No CAN-FD ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/gs_usb.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -413,9 +413,8 @@ static void gs_usb_receive_bulk_callback + } + } + +-static int gs_usb_set_bittiming(struct net_device *netdev) ++static int gs_usb_set_bittiming(struct gs_can *dev) + { +- struct gs_can *dev = netdev_priv(netdev); + struct can_bittiming *bt = &dev->can.bittiming; + struct usb_interface *intf = dev->iface; + int rc; +@@ -445,7 +444,7 @@ static int gs_usb_set_bittiming(struct n + kfree(dbt); + + if (rc < 0) +- dev_err(netdev->dev.parent, "Couldn't set bittimings (err=%d)", ++ dev_err(dev->netdev->dev.parent, "Couldn't set bittimings (err=%d)", + rc); + + return (rc > 0) ? 0 : rc; +@@ -675,6 +674,13 @@ static int gs_can_open(struct net_device + if (ctrlmode & CAN_CTRLMODE_3_SAMPLES) + flags |= GS_CAN_MODE_TRIPLE_SAMPLE; + ++ rc = gs_usb_set_bittiming(dev); ++ if (rc) { ++ netdev_err(netdev, "failed to set bittiming: %pe\n", ERR_PTR(rc)); ++ kfree(dm); ++ return rc; ++ } ++ + /* finally start device */ + dev->can.state = CAN_STATE_ERROR_ACTIVE; + dm->mode = cpu_to_le32(GS_CAN_MODE_START); +@@ -888,7 +894,6 @@ static struct gs_can *gs_make_candev(uns + dev->can.state = CAN_STATE_STOPPED; + dev->can.clock.freq = le32_to_cpu(bt_const->fclk_can); + dev->can.bittiming_const = &dev->bt_const; +- dev->can.do_set_bittiming = gs_usb_set_bittiming; + + dev->can.ctrlmode_supported = 0; + 
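Review bot: The new failure path after `gs_usb_set_bittiming(dev)` in gs_can_open() does `kfree(dm); return rc;` exactly like the existing start-device failure below it, so whatever the function set up earlier (open_candev() and, for the first channel, the receive URBs — both outside the hunk) is presumably not undone on this path either; a single `goto` unwind (`out_free_dm:` / `out_close_candev:`) would fix both spots instead of adding a second copy of the partial cleanup. With `do_set_bittiming` no longer registered in gs_make_candev(), a bit timing the hardware rejects is now reported at open time rather than when it is configured, which changes when users see the error; a comment at the new call site, `/* bit timing is (re)applied on every open: some firmware resets it on close */`, would explain why the callback is gone. gs_can_open() starts and ends outside the hunk.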
diff --git a/queue-5.10/crypto-atmel-sha204a-fix-oom-tfm_count-leak.patch b/queue-5.10/crypto-atmel-sha204a-fix-oom-tfm_count-leak.patch
new file mode 100644
index 0000000000..28b1d38f19
--- /dev/null
+++ b/queue-5.10/crypto-atmel-sha204a-fix-oom-tfm_count-leak.patch
@@ -0,0 +1,41 @@
+From stable+bounces-227200-greg=kroah.com@vger.kernel.org Thu Mar 19 02:37:50 2026
+From: Sasha Levin
+Date: Wed, 18 Mar 2026 21:37:02 -0400
+Subject: crypto: atmel-sha204a - Fix OOM ->tfm_count leak
+To: stable@vger.kernel.org
+Cc: Thorsten Blum , Herbert Xu , Sasha Levin
+Message-ID: <20260319013702.1881447-1-sashal@kernel.org>
+
+From: Thorsten Blum
+
+[ Upstream commit d240b079a37e90af03fd7dfec94930eb6c83936e ]
+
+If memory allocation fails, decrement ->tfm_count to avoid blocking
+future reads.
+
+Cc: stable@vger.kernel.org
+Fixes: da001fb651b0 ("crypto: atmel-i2c - add support for SHA204A random number generator")
+Signed-off-by: Thorsten Blum
+Signed-off-by: Herbert Xu
+[ adapted kmalloc_obj() macro to kmalloc(sizeof()) ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/atmel-sha204a.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/atmel-sha204a.c
++++ b/drivers/crypto/atmel-sha204a.c
+@@ -52,9 +52,10 @@ static int atmel_sha204a_rng_read_nonblo
+ rng->priv = 0;
+ } else {
+ work_data = kmalloc(sizeof(*work_data), GFP_ATOMIC);
+- if (!work_data)
++ if (!work_data) {
++ atomic_dec(&i2c_priv->tfm_count);
+ return -ENOMEM;
+-
++ }
+ work_data->ctx = i2c_priv;
+ work_data->client = i2c_priv->client;
+
diff --git a/queue-5.10/drm-msm-fix-dma_free_attrs-buffer-size.patch b/queue-5.10/drm-msm-fix-dma_free_attrs-buffer-size.patch
new file mode 100644
index 0000000000..6c075721d3
--- /dev/null
+++ b/queue-5.10/drm-msm-fix-dma_free_attrs-buffer-size.patch
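Review bot: The `atomic_dec(&i2c_priv->tfm_count)` in the new OOM branch pairs with an increment that is not visible in the hunk (presumably earlier in atmel_sha204a_rng_read_nonblocking(), which starts before and continues after this hunk), and inc/dec pairs split across branches are where the next leak of this kind will come from; a comment on the new line, `/* undo the tfm_count taken above: no work will be queued for this read */`, keeps the pairing visible. Worth also confirming that the `if` branch that sets `rng->priv = 0` has no other early return needing the same treatment.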
@@ -0,0 +1,42 @@
+From stable+bounces-227113-greg=kroah.com@vger.kernel.org Wed Mar 18 17:50:06 2026
+From: Sasha Levin
+Date: Wed, 18 Mar 2026 12:06:37 -0400
+Subject: drm/msm: Fix dma_free_attrs() buffer size
+To: stable@vger.kernel.org
+Cc: Thomas Fourier , Dmitry Baryshkov , Rob Clark , Sasha Levin
+Message-ID: <20260318160637.905031-1-sashal@kernel.org>
+
+From: Thomas Fourier
+
+[ Upstream commit e4eb6e4dd6348dd00e19c2275e3fbaed304ca3bd ]
+
+The gpummu->table buffer is alloc'd with size TABLE_SIZE + 32 in
+a2xx_gpummu_new() but freed with size TABLE_SIZE in
+a2xx_gpummu_destroy().
+
+Change the free size to match the allocation.
+
+Fixes: c2052a4e5c99 ("drm/msm: implement a2xx mmu")
+Cc:
+Signed-off-by: Thomas Fourier
+Reviewed-by: Dmitry Baryshkov
+Patchwork: https://patchwork.freedesktop.org/patch/707340/
+Message-ID: <20260226095714.12126-2-fourier.thomas@gmail.com>
+Signed-off-by: Rob Clark
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/msm/msm_gpummu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/msm_gpummu.c
++++ b/drivers/gpu/drm/msm/msm_gpummu.c
+@@ -72,7 +72,7 @@ static void msm_gpummu_destroy(struct ms
+ {
+ struct msm_gpummu *gpummu = to_msm_gpummu(mmu);
+ 
+- dma_free_attrs(mmu->dev, TABLE_SIZE, gpummu->table, gpummu->pt_base,
++ dma_free_attrs(mmu->dev, TABLE_SIZE + 32, gpummu->table, gpummu->pt_base,
+ DMA_ATTR_FORCE_CONTIGUOUS);
+ 
+ kfree(gpummu);
diff --git a/queue-5.10/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch b/queue-5.10/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch
new file mode 100644
index 0000000000..b222115723
--- /dev/null
+++ b/queue-5.10/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch
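Review bot: `TABLE_SIZE + 32` is now spelled out twice, here in msm_gpummu_destroy() and at the allocation in a2xx_gpummu_new() (outside this hunk, per the commit message), which is exactly the duplication that let the two sizes drift apart in the first place. A single named constant for the padded allocation, e.g. a constructed `#define TABLE_ALLOC_SIZE (TABLE_SIZE + 32)` defined next to `TABLE_SIZE` and used at both sites, would keep the alloc and free sizes from diverging again. A short comment on what the extra 32 bytes are for would also help, since the bare literal carries no meaning at the free site.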
@@ -0,0 +1,48 @@
+From stable+bounces-226616-greg=kroah.com@vger.kernel.org Tue Mar 17 18:16:00 2026
+From: inv.git-commit@tdk.com
+Date: Tue, 17 Mar 2026 17:10:59 +0000
+Subject: iio: imu: inv_icm42600: fix odr switch when turning buffer off
+To: stable@vger.kernel.org
+Cc: Jean-Baptiste Maneyrol , Jonathan Cameron
+Message-ID: <20260317171059.746423-1-inv.git-commit@tdk.com>
+
+From: Jean-Baptiste Maneyrol
+
+[ Upstream commit ffd32db8263d2d785a2c419486a450dc80693235 ]
+
+ODR switch is done in 2 steps when FIFO is on : change the ODR register
+value and acknowledge change when reading the FIFO ODR change flag.
+When we are switching odr and turning buffer off just afterward, we are
+losing the FIFO ODR change flag and ODR switch is blocked.
+
+Fix the issue by force applying any waiting ODR change when turning
+buffer off.
+
+Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
+Signed-off-by: Jean-Baptiste Maneyrol
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c
+@@ -377,6 +377,7 @@ out_unlock:
+ static int inv_icm42600_buffer_postdisable(struct iio_dev *indio_dev)
+ {
+ struct inv_icm42600_state *st = iio_device_get_drvdata(indio_dev);
++ struct inv_icm42600_timestamp *ts = iio_priv(indio_dev);
+ struct device *dev = regmap_get_device(st->map);
+ unsigned int sensor;
+ unsigned int *watermark;
+@@ -398,6 +399,8 @@ static int inv_icm42600_buffer_postdisab
+ 
+ mutex_lock(&st->lock);
+ 
++ inv_icm42600_timestamp_apply_odr(ts, 0, 0, 0);
++
+ ret = inv_icm42600_buffer_set_fifo_en(st, st->fifo.en & ~sensor);
+ if (ret)
+ goto out_unlock;
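Review bot: The added `inv_icm42600_timestamp_apply_odr(ts, 0, 0, 0);` reads as a magic call: nothing at the site says why it runs when the buffer is turned off or what the three zero arguments mean, and its result, if it has one, is not checked. Suggest a comment above it, `/* Force any pending ODR change through now: with the FIFO off, the ODR-change flag that would normally acknowledge it is never seen. */`, which is the rationale given in the commit message. Whether zero for all three arguments is that helper's "apply pending, no new rate" form cannot be confirmed from the hunk, so its definition is worth a glance. inv_icm42600_buffer_postdisable() continues past the second hunk.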
diff --git a/queue-5.10/iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch b/queue-5.10/iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch
new file mode 100644
index 0000000000..152598b6e3
--- /dev/null
+++ b/queue-5.10/iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch
@@ -0,0 +1,44 @@
+From stable+bounces-227403-greg=kroah.com@vger.kernel.org Fri Mar 20 01:22:18 2026
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 20:22:08 -0400
+Subject: iio: light: bh1780: fix PM runtime leak on error path
+To: stable@vger.kernel.org
+Cc: Antoniu Miclaus , Linus Walleij , Stable@vger.kernel.org, Jonathan Cameron , Sasha Levin
+Message-ID: <20260320002208.3250719-1-sashal@kernel.org>
+
+From: Antoniu Miclaus
+
+[ Upstream commit dd72e6c3cdea05cad24e99710939086f7a113fb5 ]
+
+Move pm_runtime_put_autosuspend() before the error check to ensure
+the PM runtime reference count is always decremented after
+pm_runtime_get_sync(), regardless of whether the read operation
+succeeds or fails.
+
+Fixes: 1f0477f18306 ("iio: light: new driver for the ROHM BH1780")
+Signed-off-by: Antoniu Miclaus
+Reviewed-by: Linus Walleij
+Cc:
+Signed-off-by: Jonathan Cameron
+[ moved both pm_runtime_mark_last_busy() and pm_runtime_put_autosuspend() before the error check instead of just pm_runtime_put_autosuspend() ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/light/bh1780.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/light/bh1780.c
++++ b/drivers/iio/light/bh1780.c
+@@ -109,10 +109,10 @@ static int bh1780_read_raw(struct iio_de
+ case IIO_LIGHT:
+ pm_runtime_get_sync(&bh1780->client->dev);
+ value = bh1780_read_word(bh1780, BH1780_REG_DLOW);
+- if (value < 0)
+- return value;
+ pm_runtime_mark_last_busy(&bh1780->client->dev);
+ pm_runtime_put_autosuspend(&bh1780->client->dev);
++ if (value < 0)
++ return value;
+ *val = value;
+ 
+ return IIO_VAL_INT;
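Review bot: The return value of `pm_runtime_get_sync(&bh1780->client->dev)` at the top of the hunk is still ignored, so when the resume fails the driver goes on to call `bh1780_read_word()` against a device that may still be powered down, and the put/autosuspend pair this change moves only balances the usage count afterwards. A failed `pm_runtime_get_sync()` still leaves the usage count incremented, so the error path has to drop it with `pm_runtime_put_noidle()` before returning. The rewrite below reuses `value` so no new local is needed; bh1780_read_raw() starts and ends outside the hunk.
```c
	case IIO_LIGHT:
		value = pm_runtime_get_sync(&bh1780->client->dev);
		if (value < 0) {
			/* get_sync bumped the usage count even on failure */
			pm_runtime_put_noidle(&bh1780->client->dev);
			return value;
		}
		value = bh1780_read_word(bh1780, BH1780_REG_DLOW);
		/* … unchanged: mark_last_busy/put_autosuspend, error check, *val = value … */
```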
diff --git a/queue-5.10/iomap-reject-delalloc-mappings-during-writeback.patch b/queue-5.10/iomap-reject-delalloc-mappings-during-writeback.patch
new file mode 100644
index 0000000000..2dbf1dbe90
--- /dev/null
+++ b/queue-5.10/iomap-reject-delalloc-mappings-during-writeback.patch
@@ -0,0 +1,54 @@ +From stable+bounces-227026-greg=kroah.com@vger.kernel.org Wed Mar 18 12:40:17 2026 +From: Sasha Levin +Date: Wed, 18 Mar 2026 07:37:16 -0400 +Subject: iomap: reject delalloc mappings during writeback +To: stable@vger.kernel.org +Cc: "Darrick J. Wong" , Christoph Hellwig , Carlos Maiolino , Christian Brauner , Sasha Levin +Message-ID: <20260318113716.629956-1-sashal@kernel.org> + +From: "Darrick J. Wong" + +[ Upstream commit d320f160aa5ff36cdf83c645cca52b615e866e32 ] + +Filesystems should never provide a delayed allocation mapping to +writeback; they're supposed to allocate the space before replying. +This can lead to weird IO errors and crashes in the block layer if the +filesystem is being malicious, or if it hadn't set iomap->dev because +it's a delalloc mapping. + +Fix this by failing writeback on delalloc mappings. Currently no +filesystems actually misbehave in this manner, but we ought to be +stricter about things like that. + +Cc: stable@vger.kernel.org # v5.5 +Fixes: 598ecfbaa742ac ("iomap: lift the xfs writeback code to iomap") +Signed-off-by: Darrick J. 
Wong +Link: https://patch.msgid.link/20260302173002.GL13829@frogsfrogsfrogs +Reviewed-by: Christoph Hellwig +Reviewed-by: Carlos Maiolino +Signed-off-by: Christian Brauner +[ Different error handling structure ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/iomap/buffered-io.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -1364,10 +1364,13 @@ iomap_writepage_map(struct iomap_writepa + error = wpc->ops->map_blocks(wpc, inode, file_offset); + if (error) + break; +- if (WARN_ON_ONCE(wpc->iomap.type == IOMAP_INLINE)) +- continue; + if (wpc->iomap.type == IOMAP_HOLE) + continue; ++ if (WARN_ON_ONCE(wpc->iomap.type != IOMAP_UNWRITTEN && ++ wpc->iomap.type != IOMAP_MAPPED)) { ++ error = -EIO; ++ break; ++ } + iomap_add_to_ioend(inode, file_offset, page, iop, wpc, wbc, + &submit_list); + count++; diff --git a/queue-5.10/kvm-svm-initialize-avic-vmcb-fields-if-avic-is-enabled-with-in-kernel-apic.patch b/queue-5.10/kvm-svm-initialize-avic-vmcb-fields-if-avic-is-enabled-with-in-kernel-apic.patch new file mode 100644 index 0000000000..e678c4df38 --- /dev/null +++ b/queue-5.10/kvm-svm-initialize-avic-vmcb-fields-if-avic-is-enabled-with-in-kernel-apic.patch 
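Review bot: The new `WARN_ON_ONCE(...)` / `error = -EIO` block fails writeback for any mapping that is neither `IOMAP_UNWRITTEN` nor `IOMAP_MAPPED` without saying at the site why those are the only acceptable types here, which is what a reader will need when a filesystem trips it. Suggest a comment above the check, `/* Writeback needs real blocks: a DELALLOC or INLINE mapping here is a filesystem bug (and iomap->dev may be unset), so fail the page rather than hand it to the block layer. */`. The `break` leaves whatever was already queued on `submit_list` to the handling that follows; iomap_writepage_map() continues outside the hunk, so that path cannot be checked from here.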
@@ -0,0 +1,66 @@ +From stable+bounces-225665-greg=kroah.com@vger.kernel.org Mon Mar 16 20:12:22 2026 +From: Sasha Levin +Date: Mon, 16 Mar 2026 15:12:16 -0400 +Subject: KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel APIC +To: stable@vger.kernel.org +Cc: Sean Christopherson , "Naveen N Rao (AMD)" , Jim Mattson , Paolo Bonzini , Sasha Levin +Message-ID: <20260316191216.1332463-1-sashal@kernel.org> + +From: Sean Christopherson + +[ Upstream commit 3989a6d036c8ec82c0de3614bed23a1dacd45de5 ] + +Initialize all per-vCPU AVIC control fields in the VMCB if AVIC is enabled +in KVM and the VM has an in-kernel local APIC, i.e. if it's _possible_ the +vCPU could activate AVIC at any point in its lifecycle. Configuring the +VMCB if and only if AVIC is active "works" purely because of optimizations +in kvm_create_lapic() to speculatively set apicv_active if AVIC is enabled +*and* to defer updates until the first KVM_RUN. In quotes because KVM +likely won't do the right thing if kvm_apicv_activated() is false, i.e. if +a vCPU is created while APICv is inhibited at the VM level for whatever +reason. E.g. if the inhibit is *removed* before KVM_REQ_APICV_UPDATE is +handled in KVM_RUN, then __kvm_vcpu_update_apicv() will elide calls to +vendor code due to seeing "apicv_active == activate". + +Cleaning up the initialization code will also allow fixing a bug where KVM +incorrectly leaves CR8 interception enabled when AVIC is activated without +creating a mess with respect to whether AVIC is activated or not. 
+ +Cc: stable@vger.kernel.org +Fixes: 67034bb9dd5e ("KVM: SVM: Add irqchip_split() checks before enabling AVIC") +Fixes: 6c3e4422dd20 ("svm: Add support for dynamic APICv") +Reviewed-by: Naveen N Rao (AMD) +Reviewed-by: Jim Mattson +Link: https://patch.msgid.link/20260203190711.458413-2-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +[ Context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/avic.c | 2 +- + arch/x86/kvm/svm/svm.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/svm/avic.c ++++ b/arch/x86/kvm/svm/avic.c +@@ -203,7 +203,7 @@ void avic_init_vmcb(struct vcpu_svm *svm + vmcb->control.avic_logical_id = lpa & AVIC_HPA_MASK; + vmcb->control.avic_physical_id = ppa & AVIC_HPA_MASK; + vmcb->control.avic_physical_id |= AVIC_MAX_PHYSICAL_ID_COUNT; +- if (kvm_apicv_activated(svm->vcpu.kvm)) ++ if (kvm_vcpu_apicv_active(&svm->vcpu)) + vmcb->control.int_ctl |= AVIC_ENABLE_MASK; + else + vmcb->control.int_ctl &= ~AVIC_ENABLE_MASK; +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -1230,7 +1230,7 @@ static void init_vmcb(struct vcpu_svm *s + + svm_check_invpcid(svm); + +- if (kvm_vcpu_apicv_active(&svm->vcpu)) ++ if (avic && irqchip_in_kernel(svm->vcpu.kvm)) + avic_init_vmcb(svm); + + /* diff --git a/queue-5.10/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch b/queue-5.10/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch new file mode 100644 index 0000000000..4c4bde6f38 --- /dev/null +++ b/queue-5.10/mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch 
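Review bot: init_vmcb() now calls avic_init_vmcb() on `avic && irqchip_in_kernel(svm->vcpu.kvm)` while avic_init_vmcb() itself keys `AVIC_ENABLE_MASK` on `kvm_vcpu_apicv_active(&svm->vcpu)`, and nothing at either site explains why the two predicates differ; the next person to "fix" the inconsistency is likely to reintroduce the bug. Suggest a comment on the svm.c line, `/* Set up the AVIC fields whenever AVIC could become active for this vCPU; avic_init_vmcb() sets AVIC_ENABLE_MASK from the vCPU's current state. */`, and a matching note in avic_init_vmcb() that the enable bit tracks per-vCPU activation rather than the VM-wide inhibit. Both enclosing functions start and end outside the hunks.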
@@ -0,0 +1,60 @@ +From stable+bounces-227634-greg=kroah.com@vger.kernel.org Fri Mar 20 22:55:34 2026 +From: Sasha Levin +Date: Fri, 20 Mar 2026 17:55:26 -0400 +Subject: mtd: Avoid boot crash in RedBoot partition table parser +To: stable@vger.kernel.org +Cc: Finn Thain , Kees Cook , linux-hardening@vger.kernel.org, Miquel Raynal , Sasha Levin +Message-ID: <20260320215526.133494-2-sashal@kernel.org> + +From: Finn Thain + +[ Upstream commit 8e2f8020270af7777d49c2e7132260983e4fc566 ] + +Given CONFIG_FORTIFY_SOURCE=y and a recent compiler, +commit 439a1bcac648 ("fortify: Use __builtin_dynamic_object_size() when +available") produces the warning below and an oops. + + Searching for RedBoot partition table in 50000000.flash at offset 0x7e0000 + ------------[ cut here ]------------ + WARNING: lib/string_helpers.c:1035 at 0xc029e04c, CPU#0: swapper/0/1 + memcmp: detected buffer overflow: 15 byte read of buffer size 14 + Modules linked in: + CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0 #1 NONE + +As Kees said, "'names' is pointing to the final 'namelen' many bytes +of the allocation ... 'namelen' could be basically any length at all. +This fortify warning looks legit to me -- this code used to be reading +beyond the end of the allocation." + +Since the size of the dynamic allocation is calculated with strlen() +we can use strcmp() instead of memcmp() and remain within bounds. 
+ +Cc: Kees Cook +Cc: stable@vger.kernel.org +Cc: linux-hardening@vger.kernel.org +Link: https://lore.kernel.org/all/202602151911.AD092DFFCD@keescook/ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Suggested-by: Kees Cook +Signed-off-by: Finn Thain +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/parsers/redboot.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/parsers/redboot.c ++++ b/drivers/mtd/parsers/redboot.c +@@ -270,9 +270,9 @@ nogood: + + strcpy(names, fl->img->name); + #ifdef CONFIG_MTD_REDBOOT_PARTS_READONLY +- if (!memcmp(names, "RedBoot", 8) || +- !memcmp(names, "RedBoot config", 15) || +- !memcmp(names, "FIS directory", 14)) { ++ if (!strcmp(names, "RedBoot") || ++ !strcmp(names, "RedBoot config") || ++ !strcmp(names, "FIS directory")) { + parts[i].mask_flags = MTD_WRITEABLE; + } + #endif diff --git a/queue-5.10/mtd-partitions-redboot-fix-style-issues.patch b/queue-5.10/mtd-partitions-redboot-fix-style-issues.patch new file mode 100644 index 0000000000..8accd593eb --- /dev/null +++ b/queue-5.10/mtd-partitions-redboot-fix-style-issues.patch 
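Review bot: The `strcmp()` calls are in bounds only because `names` was filled by `strcpy(names, fl->img->name)` just above, and `fl->img->name` is the 16-byte `name[16]` field read straight from flash (`struct fis_image_desc` in the sibling style patch); the earlier `strlen(buf[i].name)` that sizes this allocation and this `strcpy()` both assume the descriptor contains a terminator. If no code outside the hunk forces `name[15]` to NUL, a descriptor without one still makes `strlen()`/`strcpy()` read past the field, so the over-read has been moved from the compare to the copy rather than removed. Suggest bounding at the source, e.g. `strnlen(buf[i].name, sizeof(buf[i].name))` when sizing and a bounded copy here, or rejecting an unterminated descriptor when the table is scanned; parse_redboot_partitions() starts and ends outside the hunk.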
@@ -0,0 +1,202 @@ +From stable+bounces-227633-greg=kroah.com@vger.kernel.org Fri Mar 20 22:55:31 2026 +From: Sasha Levin +Date: Fri, 20 Mar 2026 17:55:25 -0400 +Subject: mtd: partitions: redboot: fix style issues +To: stable@vger.kernel.org +Cc: Corentin Labbe , Linus Walleij , Miquel Raynal , Sasha Levin +Message-ID: <20260320215526.133494-1-sashal@kernel.org> + +From: Corentin Labbe + +[ Upstream commit eb1765c40530ccc8690b9dad88cec6aaa6bfb498 ] + +This patch fixes easy checkpatch issues. + +Signed-off-by: Corentin Labbe +Reviewed-by: Linus Walleij +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20210520114851.1274609-2-clabbe@baylibre.com +Stable-dep-of: 8e2f8020270a ("mtd: Avoid boot crash in RedBoot partition table parser") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/parsers/redboot.c | 69 ++++++++++++++++++++---------------------- + 1 file changed, 34 insertions(+), 35 deletions(-) + +--- a/drivers/mtd/parsers/redboot.c ++++ b/drivers/mtd/parsers/redboot.c +@@ -17,15 +17,15 @@ + #include + + struct fis_image_desc { +- unsigned char name[16]; // Null terminated name +- uint32_t flash_base; // Address within FLASH of image +- uint32_t mem_base; // Address in memory where it executes +- uint32_t size; // Length of image +- uint32_t entry_point; // Execution entry point +- uint32_t data_length; // Length of actual data +- unsigned char _pad[256-(16+7*sizeof(uint32_t))]; +- uint32_t desc_cksum; // Checksum over image descriptor +- uint32_t file_cksum; // Checksum over image data ++ unsigned char name[16]; // Null terminated name ++ u32 flash_base; // Address within FLASH of image ++ u32 mem_base; // Address in memory where it executes ++ u32 size; // Length of image ++ u32 entry_point; // Execution entry point ++ u32 data_length; // Length of actual data ++ unsigned char _pad[256 - (16 + 7 * sizeof(u32))]; ++ u32 desc_cksum; // Checksum over image descriptor ++ u32 file_cksum; // Checksum over image data 
+ }; + + struct fis_list { +@@ -91,12 +91,12 @@ static int parse_redboot_partitions(stru + + parse_redboot_of(master); + +- if ( directory < 0 ) { ++ if (directory < 0) { + offset = master->size + directory * master->erasesize; + while (mtd_block_isbad(master, offset)) { + if (!offset) { +- nogood: +- printk(KERN_NOTICE "Failed to find a non-bad block to check for RedBoot partition table\n"); ++nogood: ++ pr_notice("Failed to find a non-bad block to check for RedBoot partition table\n"); + return -EIO; + } + offset -= master->erasesize; +@@ -114,8 +114,8 @@ static int parse_redboot_partitions(stru + if (!buf) + return -ENOMEM; + +- printk(KERN_NOTICE "Searching for RedBoot partition table in %s at offset 0x%lx\n", +- master->name, offset); ++ pr_notice("Searching for RedBoot partition table in %s at offset 0x%lx\n", ++ master->name, offset); + + ret = mtd_read(master, offset, master->erasesize, &retlen, + (void *)buf); +@@ -151,14 +151,13 @@ static int parse_redboot_partitions(stru + && swab32(buf[i].size) < master->erasesize)) { + int j; + /* Update numslots based on actual FIS directory size */ +- numslots = swab32(buf[i].size) / sizeof (struct fis_image_desc); ++ numslots = swab32(buf[i].size) / sizeof(struct fis_image_desc); + for (j = 0; j < numslots; ++j) { +- + /* A single 0xff denotes a deleted entry. + * Two of them in a row is the end of the table. 
+ */ + if (buf[j].name[0] == 0xff) { +- if (buf[j].name[1] == 0xff) { ++ if (buf[j].name[1] == 0xff) { + break; + } else { + continue; +@@ -185,8 +184,8 @@ static int parse_redboot_partitions(stru + } + if (i == numslots) { + /* Didn't find it */ +- printk(KERN_NOTICE "No RedBoot partition table detected in %s\n", +- master->name); ++ pr_notice("No RedBoot partition table detected in %s\n", ++ master->name); + ret = 0; + goto out; + } +@@ -205,7 +204,7 @@ static int parse_redboot_partitions(stru + break; + + new_fl = kmalloc(sizeof(struct fis_list), GFP_KERNEL); +- namelen += strlen(buf[i].name)+1; ++ namelen += strlen(buf[i].name) + 1; + if (!new_fl) { + ret = -ENOMEM; + goto out; +@@ -214,13 +213,13 @@ static int parse_redboot_partitions(stru + if (data && data->origin) + buf[i].flash_base -= data->origin; + else +- buf[i].flash_base &= master->size-1; ++ buf[i].flash_base &= master->size - 1; + + /* I'm sure the JFFS2 code has done me permanent damage. + * I now think the following is _normal_ + */ + prev = &fl; +- while(*prev && (*prev)->img->flash_base < new_fl->img->flash_base) ++ while (*prev && (*prev)->img->flash_base < new_fl->img->flash_base) + prev = &(*prev)->next; + new_fl->next = *prev; + *prev = new_fl; +@@ -240,7 +239,7 @@ static int parse_redboot_partitions(stru + } + } + #endif +- parts = kzalloc(sizeof(*parts)*nrparts + nulllen + namelen, GFP_KERNEL); ++ parts = kzalloc(sizeof(*parts) * nrparts + nulllen + namelen, GFP_KERNEL); + + if (!parts) { + ret = -ENOMEM; +@@ -249,23 +248,22 @@ static int parse_redboot_partitions(stru + + nullname = (char *)&parts[nrparts]; + #ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED +- if (nulllen > 0) { ++ if (nulllen > 0) + strcpy(nullname, nullstring); +- } + #endif + names = nullname + nulllen; + +- i=0; ++ i = 0; + + #ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED + if (fl->img->flash_base) { +- parts[0].name = nullname; +- parts[0].size = fl->img->flash_base; +- parts[0].offset = 0; ++ parts[0].name = nullname; ++ 
parts[0].size = fl->img->flash_base; ++ parts[0].offset = 0; + i++; + } + #endif +- for ( ; iimg->size; + parts[i].offset = fl->img->flash_base; + parts[i].name = names; +@@ -273,17 +271,17 @@ static int parse_redboot_partitions(stru + strcpy(names, fl->img->name); + #ifdef CONFIG_MTD_REDBOOT_PARTS_READONLY + if (!memcmp(names, "RedBoot", 8) || +- !memcmp(names, "RedBoot config", 15) || +- !memcmp(names, "FIS directory", 14)) { ++ !memcmp(names, "RedBoot config", 15) || ++ !memcmp(names, "FIS directory", 14)) { + parts[i].mask_flags = MTD_WRITEABLE; + } + #endif +- names += strlen(names)+1; ++ names += strlen(names) + 1; + + #ifdef CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED +- if(fl->next && fl->img->flash_base + fl->img->size + master->erasesize <= fl->next->img->flash_base) { ++ if (fl->next && fl->img->flash_base + fl->img->size + master->erasesize <= fl->next->img->flash_base) { + i++; +- parts[i].offset = parts[i-1].size + parts[i-1].offset; ++ parts[i].offset = parts[i - 1].size + parts[i - 1].offset; + parts[i].size = fl->next->img->flash_base - parts[i].offset; + parts[i].name = nullname; + } +@@ -297,6 +295,7 @@ static int parse_redboot_partitions(stru + out: + while (fl) { + struct fis_list *old = fl; ++ + fl = fl->next; + kfree(old); + } diff --git a/queue-5.10/net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch b/queue-5.10/net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch new file mode 100644 index 0000000000..500ab6d17a --- /dev/null +++ b/queue-5.10/net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch 
@@ -0,0 +1,83 @@ +From stable+bounces-224570-greg=kroah.com@vger.kernel.org Tue Mar 10 21:18:38 2026 +From: Eric Biggers +Date: Tue, 10 Mar 2026 13:17:08 -0700 +Subject: net/tcp-md5: Fix MAC comparison to be constant-time +To: stable@vger.kernel.org +Cc: linux-crypto@vger.kernel.org, netdev@vger.kernel.org, Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Jakub Kicinski +Message-ID: <20260310201708.120088-1-ebiggers@kernel.org> + +From: Eric Biggers + +commit 46d0d6f50dab706637f4c18a470aac20a21900d3 upstream. + +To prevent timing attacks, MACs need to be compared in constant +time. Use the appropriate helper function for this. + +Fixes: cfb6eeb4c860 ("[TCP]: MD5 Signature Option (RFC2385) support.") +Fixes: 658ddaaf6694 ("tcp: md5: RST: getting md5 key from listener") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Link: https://patch.msgid.link/20260302203409.13388-1-ebiggers@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_ipv4.c | 5 +++-- + net/ipv6/tcp_ipv6.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -78,6 +78,7 @@ + #include + #include + ++#include + #include + #include + +@@ -764,7 +765,7 @@ static void tcp_v4_send_reset(const stru + + + genhash = tcp_v4_md5_hash_skb(newhash, key, NULL, skb); +- if (genhash || memcmp(hash_location, newhash, 16) != 0) ++ if (genhash || crypto_memneq(hash_location, newhash, 16)) + goto out; + + } +@@ -1451,7 +1452,7 @@ static bool tcp_v4_inbound_md5_hash(cons + hash_expected, + NULL, skb); + +- if (genhash || memcmp(hash_location, newhash, 16) != 0) { ++ if (genhash || crypto_memneq(hash_location, newhash, 16)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE); + net_info_ratelimited("MD5 Hash failed for (%pI4, %d)->(%pI4, %d)%s L3 index %d\n", + &iph->saddr, ntohs(th->source), +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -63,6 +63,7 @@ + #include + #include + 
++#include + #include + #include + +@@ -810,7 +811,7 @@ static bool tcp_v6_inbound_md5_hash(cons + hash_expected, + NULL, skb); + +- if (genhash || memcmp(hash_location, newhash, 16) != 0) { ++ if (genhash || crypto_memneq(hash_location, newhash, 16)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE); + net_info_ratelimited("MD5 Hash %s for [%pI6c]:%u->[%pI6c]:%u L3 index %d\n", + genhash ? "failed" : "mismatch", +@@ -1071,7 +1072,7 @@ static void tcp_v6_send_reset(const stru + goto out; + + genhash = tcp_v6_md5_hash_skb(newhash, key, NULL, skb); +- if (genhash || memcmp(hash_location, newhash, 16) != 0) ++ if (genhash || crypto_memneq(hash_location, newhash, 16)) + goto out; + } + #endif diff --git a/queue-5.10/nfsd-define-exports_proc_ops-with-config_proc_fs.patch b/queue-5.10/nfsd-define-exports_proc_ops-with-config_proc_fs.patch new file mode 100644 index 0000000000..78552caa40 --- /dev/null +++ b/queue-5.10/nfsd-define-exports_proc_ops-with-config_proc_fs.patch 
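Review bot: The digest length is still the bare literal `16` in all four `crypto_memneq(hash_location, newhash, 16)` calls (two in tcp_ipv4.c, two in tcp_ipv6.c), so the compared size is tied to MD5 only by convention and would silently mismatch `newhash` if either buffer were ever resized. `MD5_DIGEST_SIZE` from `<crypto/md5.h>`, or `sizeof(newhash)` where `newhash` is a local array (its declaration is outside the hunks), names the same value and ties the compare length to the buffer. The `genhash ||` short-circuit means a failed hash computation skips the compare entirely, which is fine since the packet is already rejected; the four enclosing functions all start and end outside their hunks.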
@@ -0,0 +1,72 @@ +From stable+bounces-227525-greg=kroah.com@vger.kernel.org Fri Mar 20 12:39:52 2026 +From: Sasha Levin +Date: Fri, 20 Mar 2026 07:39:38 -0400 +Subject: nfsd: define exports_proc_ops with CONFIG_PROC_FS +To: stable@vger.kernel.org +Cc: Tom Rix , Jeff Layton , Chuck Lever , Sasha Levin +Message-ID: <20260320113939.3971291-1-sashal@kernel.org> + +From: Tom Rix + +[ Upstream commit 340086da9a87820b40601141a0e9e87c954ac006 ] + +gcc with W=1 and ! CONFIG_PROC_FS +fs/nfsd/nfsctl.c:161:30: error: ‘exports_proc_ops’ + defined but not used [-Werror=unused-const-variable=] + 161 | static const struct proc_ops exports_proc_ops = { + | ^~~~~~~~~~~~~~~~ + +The only use of exports_proc_ops is when CONFIG_PROC_FS +is defined, so its definition should be likewise conditional. + +Signed-off-by: Tom Rix +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Stable-dep-of: e7fcf179b82d ("NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfsctl.c | 25 +++++++++++++------------ + 1 file changed, 13 insertions(+), 12 deletions(-) + +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -155,18 +155,6 @@ static int exports_net_open(struct net * + return 0; + } + +-static int exports_proc_open(struct inode *inode, struct file *file) +-{ +- return exports_net_open(current->nsproxy->net_ns, file); +-} +- +-static const struct proc_ops exports_proc_ops = { +- .proc_open = exports_proc_open, +- .proc_read = seq_read, +- .proc_lseek = seq_lseek, +- .proc_release = seq_release, +-}; +- + static int exports_nfsd_open(struct inode *inode, struct file *file) + { + return exports_net_open(inode->i_sb->s_fs_info, file); +@@ -1423,6 +1411,19 @@ static struct file_system_type nfsd_fs_t + MODULE_ALIAS_FS("nfsd"); + + #ifdef CONFIG_PROC_FS ++ ++static int exports_proc_open(struct inode *inode, struct file *file) ++{ ++ return exports_net_open(current->nsproxy->net_ns, file); ++} ++ ++static 
const struct proc_ops exports_proc_ops = { ++ .proc_open = exports_proc_open, ++ .proc_read = seq_read, ++ .proc_lseek = seq_lseek, ++ .proc_release = seq_release, ++}; ++ + static int create_proc_exports_entry(void) + { + struct proc_dir_entry *entry; diff --git a/queue-5.10/nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch b/queue-5.10/nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch new file mode 100644 index 0000000000..4742e5fbfb --- /dev/null +++ b/queue-5.10/nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch 
@@ -0,0 +1,97 @@ +From stable+bounces-227532-greg=kroah.com@vger.kernel.org Fri Mar 20 12:49:59 2026 +From: Sasha Levin +Date: Fri, 20 Mar 2026 07:48:45 -0400 +Subject: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache +To: stable@vger.kernel.org +Cc: Jeff Layton , stable@kernel.org, Nicholas Carlini , Chuck Lever , Sasha Levin +Message-ID: <20260320114846.3998380-1-sashal@kernel.org> + +From: Jeff Layton + +[ Upstream commit 5133b61aaf437e5f25b1b396b14242a6bb0508e2 ] + +The NFSv4.0 replay cache uses a fixed 112-byte inline buffer +(rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. +This size was calculated based on OPEN responses and does not account +for LOCK denied responses, which include the conflicting lock owner as +a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT). + +When a LOCK operation is denied due to a conflict with an existing lock +that has a large owner, nfsd4_encode_operation() copies the full encoded +response into the undersized replay buffer via read_bytes_from_xdr_buf() +with no bounds check. This results in a slab-out-of-bounds write of up +to 944 bytes past the end of the buffer, corrupting adjacent heap memory. + +This can be triggered remotely by an unauthenticated attacker with two +cooperating NFSv4.0 clients: one sets a lock with a large owner string, +then the other requests a conflicting lock to provoke the denial. + +We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full +opaque, but that would increase the size of every stateowner, when most +lockowners are not that large. + +Instead, fix this by checking the encoded response length against +NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the +response is too large, set rp_buflen to 0 to skip caching the replay +payload. The status is still cached, and the client already received the +correct response on the original request. 
+ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@kernel.org +Reported-by: Nicholas Carlini +Tested-by: Nicholas Carlini +Signed-off-by: Jeff Layton +Signed-off-by: Chuck Lever +[ replaced `op_status_offset + XDR_UNIT` with existing `post_err_offset` variable ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4xdr.c | 9 +++++++-- + fs/nfsd/state.h | 17 ++++++++++++----- + 2 files changed, 19 insertions(+), 7 deletions(-) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -5438,9 +5438,14 @@ nfsd4_encode_operation(struct nfsd4_comp + int len = xdr->buf->len - post_err_offset; + + so->so_replay.rp_status = op->status; +- so->so_replay.rp_buflen = len; +- read_bytes_from_xdr_buf(xdr->buf, post_err_offset, ++ if (len <= NFSD4_REPLAY_ISIZE) { ++ so->so_replay.rp_buflen = len; ++ read_bytes_from_xdr_buf(xdr->buf, ++ post_err_offset, + so->so_replay.rp_buf, len); ++ } else { ++ so->so_replay.rp_buflen = 0; ++ } + } + status: + *p = op->status; +--- a/fs/nfsd/state.h ++++ b/fs/nfsd/state.h +@@ -430,11 +430,18 @@ struct nfs4_client_reclaim { + struct xdr_netobj cr_princhash; + }; + +-/* A reasonable value for REPLAY_ISIZE was estimated as follows: +- * The OPEN response, typically the largest, requires +- * 4(status) + 8(stateid) + 20(changeinfo) + 4(rflags) + 8(verifier) + +- * 4(deleg. type) + 8(deleg. stateid) + 4(deleg. recall flag) + +- * 20(deleg. space limit) + ~32(deleg. ace) = 112 bytes ++/* ++ * REPLAY_ISIZE is sized for an OPEN response with delegation: ++ * 4(status) + 8(stateid) + 20(changeinfo) + 4(rflags) + ++ * 8(verifier) + 4(deleg. type) + 8(deleg. stateid) + ++ * 4(deleg. recall flag) + 20(deleg. space limit) + ++ * ~32(deleg. ace) = 112 bytes ++ * ++ * Some responses can exceed this. A LOCK denial includes the conflicting ++ * lock owner, which can be up to 1024 bytes (NFS4_OPAQUE_LIMIT). Responses ++ * larger than REPLAY_ISIZE are not cached in rp_ibuf; only rp_status is ++ * saved. 
Enlarging this constant increases the size of every ++ * nfs4_stateowner. + */ + + #define NFSD4_REPLAY_ISIZE 112 diff --git a/queue-5.10/nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch b/queue-5.10/nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch new file mode 100644 index 0000000000..bf078825ac --- /dev/null +++ b/queue-5.10/nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch 
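Review bot: The new `else { so->so_replay.rp_buflen = 0; }` branch silently drops the replay payload, and the reason (LOCK denials can exceed the inline buffer) lives only in the state.h comment and the commit message, so a reader of nfsd4_encode_operation() sees an unexplained discard. Suggest a comment on the else, `/* Response does not fit rp_ibuf (e.g. LOCK denied with a large owner); cache only the status. */`. `len` is an `int` from `xdr->buf->len - post_err_offset`; a negative value would pass `len <= NFSD4_REPLAY_ISIZE` and, if `read_bytes_from_xdr_buf()` takes an unsigned length, reach it as a huge count, so unless code above the hunk guarantees the difference is non-negative a `len < 0` guard (or `WARN_ON_ONCE`) belongs in the same condition. nfsd4_encode_operation() starts and ends outside the hunk.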
@@ -0,0 +1,84 @@
+From stable+bounces-227526-greg=kroah.com@vger.kernel.org Fri Mar 20 12:39:56 2026
+From: Sasha Levin
+Date: Fri, 20 Mar 2026 07:39:39 -0400
+Subject: NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
+To: stable@vger.kernel.org
+Cc: Chuck Lever , Misbah Anjum N , Jeff Layton , NeilBrown , Olga Kornievskaia , Sasha Levin
+Message-ID: <20260320113939.3971291-2-sashal@kernel.org>
+
+From: Chuck Lever
+
+[ Upstream commit e7fcf179b82d3a3730fd8615da01b087cc654d0b ]
+
+The /proc/fs/nfs/exports proc entry is created at module init
+and persists for the module's lifetime. exports_proc_open()
+captures the caller's current network namespace and stores
+its svc_export_cache in seq->private, but takes no reference
+on the namespace. If the namespace is subsequently torn down
+(e.g. container destruction after the opener does setns() to a
+different namespace), nfsd_net_exit() calls nfsd_export_shutdown()
+which frees the cache. Subsequent reads on the still-open fd
+dereference the freed cache_detail, walking a freed hash table.
+
+Hold a reference on the struct net for the lifetime of the open
+file descriptor. This prevents nfsd_net_exit() from running --
+and thus prevents nfsd_export_shutdown() from freeing the cache
+-- while any exports fd is open. cache_detail already stores
+its net pointer (cd->net, set by cache_create_net()), so
+exports_release() can retrieve it without additional per-file
+storage.
+
+Reported-by: Misbah Anjum N
+Closes: https://lore.kernel.org/linux-nfs/dcd371d3a95815a84ba7de52cef447b8@linux.ibm.com/
+Fixes: 96d851c4d28d ("nfsd: use proper net while reading "exports" file")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton
+Reviewed-by: NeilBrown
+Tested-by: Olga Kornievskaia
+Signed-off-by: Chuck Lever
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/nfsd/nfsctl.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfsctl.c
++++ b/fs/nfsd/nfsctl.c
+@@ -152,9 +152,19 @@ static int exports_net_open(struct net *
+
+ seq = file->private_data;
+ seq->private = nn->svc_export_cache;
++ get_net(net);
+ return 0;
+ }
+
++static int exports_release(struct inode *inode, struct file *file)
++{
++ struct seq_file *seq = file->private_data;
++ struct cache_detail *cd = seq->private;
++
++ put_net(cd->net);
++ return seq_release(inode, file);
++}
++
+ static int exports_nfsd_open(struct inode *inode, struct file *file)
+ {
+ return exports_net_open(inode->i_sb->s_fs_info, file);
+@@ -164,7 +174,7 @@ static const struct file_operations expo
+ .open = exports_nfsd_open,
+ .read = seq_read,
+ .llseek = seq_lseek,
+- .release = seq_release,
++ .release = exports_release,
+ };
+
+ static int export_features_show(struct seq_file *m, void *v)
+@@ -1421,7 +1431,7 @@ static const struct proc_ops exports_pro
+ .proc_open = exports_proc_open,
+ .proc_read = seq_read,
+ .proc_lseek = seq_lseek,
+- .proc_release = seq_release,
++ .proc_release = exports_release,
+ };
+
+ static int create_proc_exports_entry(void)
diff --git a/queue-5.10/pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch b/queue-5.10/pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch
new file mode 100644
index 0000000000..bfd877eeb7
--- /dev/null
+++ b/queue-5.10/pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch
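Review bot: `exports_release` silently relies on `cd->net` being the same namespace that `exports_net_open` pinned with `get_net(net)`, and nothing in the new function says so; a one-line comment such as `/* Drops the reference taken in exports_net_open(); cd->net is the net that owns this cache. */` would make the pairing explicit for the next reader. The start of exports_net_open lies outside the hunk, so it cannot be confirmed here that every successful return path reaches the `get_net()`, which is placed only after `seq->private` is set. Both the nfsd-fs file_operations and `exports_proc_ops` now route their release through this function, so the reference is dropped once per open on both paths.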
@@ -0,0 +1,56 @@
+From stable+bounces-227059-greg=kroah.com@vger.kernel.org Wed Mar 18 13:44:10 2026
+From: Sasha Levin
+Date: Wed, 18 Mar 2026 08:43:11 -0400
+Subject: pmdomain: bcm: bcm2835-power: Fix broken reset status read
+To: stable@vger.kernel.org
+Cc: "Maíra Canal" , "Florian Fainelli" , "Stefan Wahren" , "Ulf Hansson" , "Sasha Levin"
+Message-ID: <20260318124311.706015-1-sashal@kernel.org>
+
+From: Maíra Canal
+
+[ Upstream commit 550bae2c0931dbb664a61b08c21cf156f0a5362a ]
+
+bcm2835_reset_status() has a misplaced parenthesis on every PM_READ()
+call. Since PM_READ(reg) expands to readl(power->base + (reg)), the
+expression:
+
+ PM_READ(PM_GRAFX & PM_V3DRSTN)
+
+computes the bitwise AND of the register offset PM_GRAFX with the
+bitmask PM_V3DRSTN before using the result as a register offset, reading
+from the wrong MMIO address instead of the intended PM_GRAFX register.
+The same issue affects the PM_IMAGE cases.
+
+Fix by moving the closing parenthesis so PM_READ() receives only the
+register offset, and the bitmask is applied to the value returned by
+the read.
+
+Fixes: 670c672608a1 ("soc: bcm: bcm2835-pm: Add support for power domains under a new binding.")
+Signed-off-by: Maíra Canal
+Reviewed-by: Florian Fainelli
+Reviewed-by: Stefan Wahren
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/bcm/bcm2835-power.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/soc/bcm/bcm2835-power.c
++++ b/drivers/soc/bcm/bcm2835-power.c
+@@ -566,11 +566,11 @@ static int bcm2835_reset_status(struct r
+
+ switch (id) {
+ case BCM2835_RESET_V3D:
+- return !PM_READ(PM_GRAFX & PM_V3DRSTN);
++ return !(PM_READ(PM_GRAFX) & PM_V3DRSTN);
+ case BCM2835_RESET_H264:
+- return !PM_READ(PM_IMAGE & PM_H264RSTN);
++ return !(PM_READ(PM_IMAGE) & PM_H264RSTN);
+ case BCM2835_RESET_ISP:
+- return !PM_READ(PM_IMAGE & PM_ISPRSTN);
++ return !(PM_READ(PM_IMAGE) & PM_ISPRSTN);
+ default:
+ return -EINVAL;
+ }
diff --git a/queue-5.10/pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch b/queue-5.10/pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch
new file mode 100644
index 0000000000..05646b9e55
--- /dev/null
+++ b/queue-5.10/pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch
@@ -0,0 +1,97 @@
+From stable+bounces-227766-greg=kroah.com@vger.kernel.org Sat Mar 21 13:45:40 2026
+From: Sasha Levin
+Date: Sat, 21 Mar 2026 08:45:35 -0400
+Subject: pmdomain: bcm: bcm2835-power: Increase ASB control timeout
+To: stable@vger.kernel.org
+Cc: "Maíra Canal" , "Stefan Wahren" , "Ulf Hansson" , "Sasha Levin"
+Message-ID: <20260321124535.271540-1-sashal@kernel.org>
+
+From: Maíra Canal
+
+[ Upstream commit b826d2c0b0ecb844c84431ba6b502e744f5d919a ]
+
+The bcm2835_asb_control() function uses a tight polling loop to wait
+for the ASB bridge to acknowledge a request. During intensive workloads,
+this handshake intermittently fails for V3D's master ASB on BCM2711,
+resulting in "Failed to disable ASB master for v3d" errors during
+runtime PM suspend. As a consequence, the failed power-off leaves V3D in
+a broken state, leading to bus faults or system hangs on later accesses.
+
+As the timeout is insufficient in some scenarios, increase the polling
+timeout from 1us to 5us, which is still negligible in the context of a
+power domain transition. Also, replace the open-coded ktime_get_ns()/
+cpu_relax() polling loop with readl_poll_timeout_atomic().
+
+Cc: stable@vger.kernel.org
+Fixes: 670c672608a1 ("soc: bcm: bcm2835-pm: Add support for power domains under a new binding.")
+Signed-off-by: Maíra Canal
+Reviewed-by: Stefan Wahren
+Signed-off-by: Ulf Hansson
+[ adapted unified bcm2835_asb_control() function changes to separate bcm2835_asb_enable() and bcm2835_asb_disable() functions ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/bcm/bcm2835-power.c | 27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+--- a/drivers/soc/bcm/bcm2835-power.c
++++ b/drivers/soc/bcm/bcm2835-power.c
+@@ -9,6 +9,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -150,40 +151,34 @@ struct bcm2835_power {
+
+ static int bcm2835_asb_enable(struct bcm2835_power *power, u32 reg)
+ {
+- u64 start;
++ u32 val;
+
+ if (!reg)
+ return 0;
+
+- start = ktime_get_ns();
+-
+ /* Enable the module's async AXI bridges. */
+ ASB_WRITE(reg, ASB_READ(reg) & ~ASB_REQ_STOP);
+- while (ASB_READ(reg) & ASB_ACK) {
+- cpu_relax();
+- if (ktime_get_ns() - start >= 1000)
+- return -ETIMEDOUT;
+- }
++
++ if (readl_poll_timeout_atomic(power->asb + reg, val,
++ !(val & ASB_ACK), 0, 5))
++ return -ETIMEDOUT;
+
+ return 0;
+ }
+
+ static int bcm2835_asb_disable(struct bcm2835_power *power, u32 reg)
+ {
+- u64 start;
++ u32 val;
+
+ if (!reg)
+ return 0;
+
+- start = ktime_get_ns();
+-
+ /* Enable the module's async AXI bridges. */
+ ASB_WRITE(reg, ASB_READ(reg) | ASB_REQ_STOP);
+- while (!(ASB_READ(reg) & ASB_ACK)) {
+- cpu_relax();
+- if (ktime_get_ns() - start >= 1000)
+- return -ETIMEDOUT;
+- }
++
++ if (readl_poll_timeout_atomic(power->asb + reg, val,
++ !!(val & ASB_ACK), 0, 5))
++ return -ETIMEDOUT;
+
+ return 0;
+ }
diff --git a/queue-5.10/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch b/queue-5.10/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch
new file mode 100644
index 0000000000..df086835a9
--- /dev/null
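Review bot: The comment kept above `ASB_WRITE(reg, ASB_READ(reg) | ASB_REQ_STOP)` in bcm2835_asb_disable still reads `/* Enable the module's async AXI bridges. */`, a copy of the enable-side comment, and rewriting the loop beneath it was the moment to correct it to `/* Disable the module's async AXI bridges. */`. Both functions now carry the bare timeout literal in `readl_poll_timeout_atomic(..., 0, 5)`; a named constant such as `#define ASB_ACK_TIMEOUT_US 5` shared by the two call sites would keep them in step and make the 1us-to-5us change the commit message describes visible where it takes effect. The backport note says the upstream change was split across the two functions, which is exactly when a shared constant prevents the two copies from drifting.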
+++ b/queue-5.10/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch
@@ -0,0 +1,41 @@
+From stable+bounces-226990-greg=kroah.com@vger.kernel.org Wed Mar 18 08:58:18 2026
+From: Heiko Carstens
+Date: Wed, 18 Mar 2026 08:55:10 +0100
+Subject: s390/xor: Fix xor_xc_2() inline assembly constraints
+To: stable@vger.kernel.org
+Cc: Heiko Carstens , Vasily Gorbik
+Message-ID: <20260318075510.4102927-1-hca@linux.ibm.com>
+
+From: Heiko Carstens
+
+The inline assembly constraints for xor_xc_2() are incorrect. "bytes",
+"p1", and "p2" are input operands, while all three of them are modified
+within the inline assembly. Given that the function consists only of this
+inline assembly it seems unlikely that this may cause any problems, however
+fix this in any case.
+
+Fixes: 2cfc5f9ce7f5 ("s390/xor: optimized xor routing using the XC instruction")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiko Carstens
+Reviewed-by: Vasily Gorbik
+Link: https://lore.kernel.org/r/20260302133500.1560531-2-hca@linux.ibm.com
+Signed-off-by: Vasily Gorbik
+(cherry picked from commit f775276edc0c505dc0f782773796c189f31a1123)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/lib/xor.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/lib/xor.c
++++ b/arch/s390/lib/xor.c
+@@ -28,8 +28,8 @@ static void xor_xc_2(unsigned long bytes
+ " j 3f\n"
+ "2: xc 0(1,%1),0(%2)\n"
+ "3:\n"
+- : : "d" (bytes), "a" (p1), "a" (p2)
+- : "0", "1", "cc", "memory");
++ : "+d" (bytes), "+a" (p1), "+a" (p2)
++ : : "0", "1", "cc", "memory");
+ }
+
+ static void xor_xc_3(unsigned long bytes, unsigned long *p1, unsigned long *p2,
diff --git a/queue-5.10/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch b/queue-5.10/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch
new file mode 100644
index 0000000000..384308ecc3
--- /dev/null
+++ b/queue-5.10/s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch
@@ -0,0 +1,73 @@
+From stable+bounces-227277-greg=kroah.com@vger.kernel.org Thu Mar 19 12:52:29 2026
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 07:50:01 -0400
+Subject: s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute
+To: stable@vger.kernel.org
+Cc: Harald Freudenberger , Ingo Franzki , Vasily Gorbik , Sasha Levin
+Message-ID: <20260319115001.2359762-1-sashal@kernel.org>
+
+From: Harald Freudenberger
+
+[ Upstream commit 598bbefa8032cc58b564a81d1ad68bd815c8dc0f ]
+
+The serialnr sysfs attribute for CCA cards when queried always
+used the default domain for sending the request down to the card.
+If for any reason exactly this default domain is disabled then
+the attribute code fails to retrieve the CCA info and the sysfs
+entry shows an empty string. Works as designed but the serial
+number is a card attribute and thus it does not matter which
+domain is used for the query. So if there are other domains on
+this card available, these could be used.
+
+So extend the code to use AUTOSEL_DOM for the domain value to
+address any online domain within the card for querying the cca
+info and thus show the serialnr as long as there is one domain
+usable regardless of the default domain setting.
+
+Fixes: 8f291ebf3270 ("s390/zcrypt: enable card/domain autoselect on ep11 cprbs")
+Suggested-by: Ingo Franzki
+Signed-off-by: Harald Freudenberger
+Reviewed-by: Ingo Franzki
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasily Gorbik
+[ preserved zc->online as the fourth argument to cca_get_info() ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/crypto/zcrypt_ccamisc.c | 12 +++++++-----
+ drivers/s390/crypto/zcrypt_cex4.c | 3 +--
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/s390/crypto/zcrypt_ccamisc.c
++++ b/drivers/s390/crypto/zcrypt_ccamisc.c
+@@ -1680,11 +1680,13 @@ static int fetch_cca_info(u16 cardnr, u1
+
+ memset(ci, 0, sizeof(*ci));
+
+- /* get first info from zcrypt device driver about this apqn */
+- rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
+- if (rc)
+- return rc;
+- ci->hwtype = devstat.hwtype;
++ /* if specific domain given, fetch status and hw info for this apqn */
++ if (domain != AUTOSEL_DOM) {
++ rc = zcrypt_device_status_ext(cardnr, domain, &devstat);
++ if (rc)
++ return rc;
++ ci->hwtype = devstat.hwtype;
++ }
+
+ /* prep page for rule array and var array use */
+ pg = (u8 *) __get_free_page(GFP_KERNEL);
+--- a/drivers/s390/crypto/zcrypt_cex4.c
++++ b/drivers/s390/crypto/zcrypt_cex4.c
+@@ -84,8 +84,7 @@ static ssize_t cca_serialnr_show(struct
+
+ memset(&ci, 0, sizeof(ci));
+
+- if (ap_domain_index >= 0)
+- cca_get_info(ac->id, ap_domain_index, &ci, zc->online);
++ cca_get_info(ac->id, AUTOSEL_DOM, &ci, zc->online);
+
+ return scnprintf(buf, PAGE_SIZE, "%s\n", ci.serial);
+ }
diff --git a/queue-5.10/series b/queue-5.10/series
index e32df95d32..5bf27a97d3 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
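Review bot: When `domain == AUTOSEL_DOM` the new branch skips `zcrypt_device_status_ext()`, so `ci->hwtype` keeps the 0 left by the preceding `memset(ci, 0, sizeof(*ci))`; the new comment only says that status is fetched for a specific domain and should state that consequence, e.g. `/* if specific domain given, fetch status and hw info for this apqn; with AUTOSEL_DOM hwtype stays 0 */`. Whether anything later in fetch_cca_info (which continues past the hunk) or in cca_serialnr_show consults `ci->hwtype` is not visible here and is worth checking before the backport is taken. Dropping the `ap_domain_index >= 0` guard in zcrypt_cex4.c is consistent with the serial number being a card-level attribute, as the commit message argues.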
@@ -167,3 +167,34 @@ smb-client-don-t-log-plaintext-credentials-in-cifs_set_cifscreds.patch
 net-phy-register-phy-led_triggers-during-probe-to-avoid-ab-ba-deadlock.patch
 drm-amd-display-use-gfp_atomic-in-dc_create_stream_for_sink.patch
 net-sched-act_gate-snapshot-parameters-with-rcu-on-replace.patch
+s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch
+iomap-reject-delalloc-mappings-during-writeback.patch
+tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch
+pmdomain-bcm-bcm2835-power-fix-broken-reset-status-read.patch
+iio-light-bh1780-fix-pm-runtime-leak-on-error-path.patch
+btrfs-fix-transaction-abort-on-set-received-ioctl-due-to-item-overflow.patch
+btrfs-fix-transaction-abort-when-snapshotting-received-subvolumes.patch
+smb-client-fix-atomic-open-with-o_direct-o_sync.patch
+smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch
+s390-zcrypt-enable-autosel_dom-for-cca-serialnr-sysfs-attribute.patch
+xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch
+xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch
+crypto-atmel-sha204a-fix-oom-tfm_count-leak.patch
+drm-msm-fix-dma_free_attrs-buffer-size.patch
+arm64-mm-add-pte_dirty-back-to-page_kernel-to-fix-kexec-hibernation.patch
+nfsd-define-exports_proc_ops-with-config_proc_fs.patch
+nfsd-hold-net-reference-for-the-lifetime-of-proc-fs-nfs-exports-fd.patch
+nfsd-fix-heap-overflow-in-nfsv4.0-lock-replay-cache.patch
+mtd-partitions-redboot-fix-style-issues.patch
+mtd-avoid-boot-crash-in-redboot-partition-table-parser.patch
+pmdomain-bcm-bcm2835-power-increase-asb-control-timeout.patch
+iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch
+usb-roles-get-usb-role-switch-from-parent-only-for-usb-b-connector.patch
+usb-gadget-f_tcm-fix-null-pointer-dereferences-in-nexus-handling.patch
+can-gs_usb-gs_can_open-always-configure-bitrates-before-starting-device.patch
+kvm-svm-initialize-avic-vmcb-fields-if-avic-is-enabled-with-in-kernel-apic.patch
+alsa-pcm-fix-wait_time-calculations.patch
+alsa-pcm-fix-use-after-free-on-linked-stream-runtime-in-snd_pcm_drain.patch
+smb-client-compare-macs-in-constant-time.patch
+net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch
+staging-rtl8723bs-fix-null-dereference-in-find_network.patch
diff --git a/queue-5.10/smb-client-compare-macs-in-constant-time.patch b/queue-5.10/smb-client-compare-macs-in-constant-time.patch
new file mode 100644
index 0000000000..8bcf852edd
--- /dev/null
+++ b/queue-5.10/smb-client-compare-macs-in-constant-time.patch
@@ -0,0 +1,65 @@
+From stable+bounces-224558-greg=kroah.com@vger.kernel.org Tue Mar 10 20:51:21 2026
+From: Eric Biggers
+Date: Tue, 10 Mar 2026 12:51:10 -0700
+Subject: smb: client: Compare MACs in constant time
+To: stable@vger.kernel.org
+Cc: linux-crypto@vger.kernel.org, linux-cifs@vger.kernel.org, Eric Biggers , "Paulo Alcantara (Red Hat)" , Steve French
+Message-ID: <20260310195110.70753-1-ebiggers@kernel.org>
+
+From: Eric Biggers
+
+commit 26bc83b88bbbf054f0980a4a42047a8d1e210e4c upstream.
+
+To prevent timing attacks, MAC comparisons need to be constant-time.
+Replace the memcmp() with the correct function, crypto_memneq().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat)
+Signed-off-by: Eric Biggers
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/cifsencrypt.c | 3 ++-
+ fs/cifs/smb2transport.c | 4 +++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/cifsencrypt.c
++++ b/fs/cifs/cifsencrypt.c
+@@ -36,6 +36,7 @@
+ #include
+ #include
+ #include
++#include
+
+ int __cifs_calc_signature(struct smb_rqst *rqst,
+ struct TCP_Server_Info *server, char *signature,
+@@ -255,7 +256,7 @@ int cifs_verify_signature(struct smb_rqs
+ /* cifs_dump_mem("what we think it should be: ",
+ what_we_think_sig_should_be, 16); */
+
+- if (memcmp(server_response_sig, what_we_think_sig_should_be, 8))
++ if (crypto_memneq(server_response_sig, what_we_think_sig_should_be, 8))
+ return -EACCES;
+ else
+ return 0;
+--- a/fs/cifs/smb2transport.c
++++ b/fs/cifs/smb2transport.c
+@@ -31,6 +31,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include "smb2pdu.h"
+ #include "cifsglob.h"
+@@ -687,7 +688,8 @@ smb2_verify_signature(struct smb_rqst *r
+ if (rc)
+ return rc;
+
+- if (memcmp(server_response_sig, shdr->Signature, SMB2_SIGNATURE_SIZE)) {
++ if (crypto_memneq(server_response_sig, shdr->Signature,
++ SMB2_SIGNATURE_SIZE)) {
+ cifs_dbg(VFS, "sign fail cmd 0x%x message id 0x%llx\n",
+ shdr->Command, shdr->MessageId);
+ return -EACCES;
diff --git a/queue-5.10/smb-client-fix-atomic-open-with-o_direct-o_sync.patch b/queue-5.10/smb-client-fix-atomic-open-with-o_direct-o_sync.patch
new file mode 100644
index 0000000000..b66c8135fb
--- /dev/null
+++ b/queue-5.10/smb-client-fix-atomic-open-with-o_direct-o_sync.patch
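Review bot: The rewritten check in cifs_verify_signature still compares a bare `8` bytes, while its SMB2 counterpart in smb2_verify_signature compares `SMB2_SIGNATURE_SIZE`; since the line is being changed anyway, naming the SMB1 signature length (a local `#define` in the style of the SMB2 one, or a short comment `/* SMB1 signatures are 8 bytes */`) would make the two verifiers read alike and stop the literal from looking like a truncated comparison. The `crypto_memneq()` substitution itself is the right call for a MAC check, and the surrounding `if (...) return -EACCES; else return 0;` shape is untouched, so there is no behavioural concern with the new lines. The added include line in both files lost its header name in rendering, so the include cannot be checked from this page.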
@@ -0,0 +1,111 @@
+From stable+bounces-227346-greg=kroah.com@vger.kernel.org Thu Mar 19 17:52:20 2026
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 12:51:41 -0400
+Subject: smb: client: fix atomic open with O_DIRECT & O_SYNC
+To: stable@vger.kernel.org
+Cc: Paulo Alcantara , David Howells , Henrique Carvalho , Tom Talpey , linux-cifs@vger.kernel.org, Steve French , Sasha Levin
+Message-ID: <20260319165141.2733759-1-sashal@kernel.org>
+
+From: Paulo Alcantara
+
+[ Upstream commit 4a7d2729dc99437dbb880a64c47828c0d191b308 ]
+
+When user application requests O_DIRECT|O_SYNC along with O_CREAT on
+open(2), CREATE_NO_BUFFER and CREATE_WRITE_THROUGH bits were missed in
+CREATE request when performing an atomic open, thus leading to
+potentially data integrity issues.
+
+Fix this by setting those missing bits in CREATE request when
+O_DIRECT|O_SYNC has been specified in cifs_do_create().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Paulo Alcantara (Red Hat)
+Reviewed-by: David Howells
+Acked-by: Henrique Carvalho
+Cc: Tom Talpey
+Cc: linux-cifs@vger.kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French
+[ adapted file paths from fs/smb/client/ to fs/cifs/ ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/cifsglob.h | 11 +++++++++++
+ fs/cifs/dir.c | 1 +
+ fs/cifs/file.c | 17 +++--------------
+ 3 files changed, 15 insertions(+), 14 deletions(-)
+
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "cifs_fs_sb.h"
+ #include "cifsacl.h"
+ #include
+@@ -2124,4 +2125,14 @@ static inline bool cifs_ses_exiting(stru
+ return ret;
+ }
+
++static inline int cifs_open_create_options(unsigned int oflags, int opts)
++{
++ /* O_SYNC also has bit for O_DSYNC so following check picks up either */
++ if (oflags & O_SYNC)
++ opts |= CREATE_WRITE_THROUGH;
++ if (oflags & O_DIRECT)
++ opts |= CREATE_NO_BUFFER;
++ return opts;
++}
++
+ #endif /* _CIFS_GLOB_H */
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -348,6 +348,7 @@ cifs_do_create(struct inode *inode, stru
+ goto out;
+ }
+
++ create_options |= cifs_open_create_options(oflags, create_options);
+ /*
+ * if we're not using unix extensions, see if we need to set
+ * ATTR_READONLY on the create call
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -216,19 +216,13 @@ cifs_nt_open(char *full_path, struct ino
+ *********************************************************************/
+
+ disposition = cifs_get_disposition(f_flags);
+-
+ /* BB pass O_SYNC flag through on file attributes .. BB */
+
+ buf = kmalloc(sizeof(FILE_ALL_INFO), GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+- /* O_SYNC also has bit for O_DSYNC so following check picks up either */
+- if (f_flags & O_SYNC)
+- create_options |= CREATE_WRITE_THROUGH;
+-
+- if (f_flags & O_DIRECT)
+- create_options |= CREATE_NO_BUFFER;
++ create_options |= cifs_open_create_options(f_flags, create_options);
+
+ oparms.tcon = tcon;
+ oparms.cifs_sb = cifs_sb;
+@@ -750,13 +744,8 @@ cifs_reopen_file(struct cifsFileInfo *cf
+ }
+
+ desired_access = cifs_convert_flags(cfile->f_flags);
+-
+- /* O_SYNC also has bit for O_DSYNC so following check picks up either */
+- if (cfile->f_flags & O_SYNC)
+- create_options |= CREATE_WRITE_THROUGH;
+-
+- if (cfile->f_flags & O_DIRECT)
+- create_options |= CREATE_NO_BUFFER;
++ create_options |= cifs_open_create_options(cfile->f_flags,
++ create_options);
+
+ if (server->ops->get_lease_key)
+ server->ops->get_lease_key(inode, &cfile->fid);
diff --git a/queue-5.10/smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch b/queue-5.10/smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch
new file mode 100644
index 0000000000..2bb0a3fbb8
--- /dev/null
+++ b/queue-5.10/smb-client-fix-iface-port-assignment-in-parse_server_interfaces.patch
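Review bot: `create_options |= cifs_open_create_options(oflags, create_options);` in cifs_do_create ORs the helper's result back into the very variable it was handed, so the value is combined with itself; the same shape is used at both call sites in fs/cifs/file.c. Because the helper returns `opts` with the two bits added, the plain assignment `create_options = cifs_open_create_options(oflags, create_options);` says what is meant, or the helper could take only `oflags` and return just the derived bits so that `|=` becomes the natural form. The result is identical today, so this is a readability point rather than a bug; it is just worth settling before three copies of the idiom spread further.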
@@ -0,0 +1,97 @@
+From stable+bounces-227338-greg=kroah.com@vger.kernel.org Thu Mar 19 17:17:03 2026
+From: Sasha Levin
+Date: Thu, 19 Mar 2026 12:06:21 -0400
+Subject: smb: client: fix iface port assignment in parse_server_interfaces
+To: stable@vger.kernel.org
+Cc: Henrique Carvalho , "Dr. Thomas Orgis" , Enzo Matsumiya , Steve French , Sasha Levin
+Message-ID: <20260319160621.2651487-1-sashal@kernel.org>
+
+From: Henrique Carvalho
+
+[ Upstream commit d4c7210d2f3ea481a6481f03040a64d9077a6172 ]
+
+parse_server_interfaces() initializes interface socket addresses with
+CIFS_PORT. When the mount uses a non-default port this overwrites the
+configured destination port.
+
+Later, cifs_chan_update_iface() copies this sockaddr into server->dstaddr,
+causing reconnect attempts to use the wrong port after server interface
+updates.
+
+Use the existing port from server->dstaddr instead.
+
+Cc: stable@vger.kernel.org
+Fixes: fe856be475f7 ("CIFS: parse and store info on iface queries")
+Tested-by: Dr. Thomas Orgis
+Reviewed-by: Enzo Matsumiya
+Signed-off-by: Henrique Carvalho
+Signed-off-by: Steve French
+[ adapted struct types, function signature, lock name, and file path ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/smb2ops.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -437,7 +437,7 @@ smb3_negotiate_rsize(struct cifs_tcon *t
+
+ static int
+ parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf,
+- size_t buf_len,
++ size_t buf_len, struct cifs_ses *ses,
+ struct cifs_server_iface **iface_list,
+ size_t *iface_count)
+ {
+@@ -447,6 +447,7 @@ parse_server_interfaces(struct network_i
+ struct iface_info_ipv4 *p4;
+ struct iface_info_ipv6 *p6;
+ struct cifs_server_iface *info;
++ __be16 port;
+ ssize_t bytes_left;
+ size_t next = 0;
+ int nb_iface = 0;
+@@ -493,6 +494,15 @@ parse_server_interfaces(struct network_i
+ goto out;
+ }
+
++ spin_lock(&cifs_tcp_ses_lock);
++ if (ses->server->dstaddr.ss_family == AF_INET)
++ port = ((struct sockaddr_in *)&ses->server->dstaddr)->sin_port;
++ else if (ses->server->dstaddr.ss_family == AF_INET6)
++ port = ((struct sockaddr_in6 *)&ses->server->dstaddr)->sin6_port;
++ else
++ port = cpu_to_be16(CIFS_PORT);
++ spin_unlock(&cifs_tcp_ses_lock);
++
+ info = *iface_list;
+ bytes_left = buf_len;
+ p = buf;
+@@ -519,7 +529,7 @@ parse_server_interfaces(struct network_i
+ memcpy(&addr4->sin_addr, &p4->IPv4Address, 4);
+
+ /* [MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these */
+- addr4->sin_port = cpu_to_be16(CIFS_PORT);
++ addr4->sin_port = port;
+
+ cifs_dbg(FYI, "%s: ipv4 %pI4\n", __func__,
+ &addr4->sin_addr);
+@@ -533,7 +543,7 @@ parse_server_interfaces(struct network_i
+ /* [MS-SMB2] 2.2.32.5.1.2 Clients MUST ignore these */
+ addr6->sin6_flowinfo = 0;
+ addr6->sin6_scope_id = 0;
+- addr6->sin6_port = cpu_to_be16(CIFS_PORT);
++ addr6->sin6_port = port;
+
+ cifs_dbg(FYI, "%s: ipv6 %pI6\n",
+ __func__,
+ &addr6->sin6_addr);
+@@ -600,7 +610,7 @@ SMB3_request_interfaces(const unsigned i
+ goto out;
+ }
+
+- rc = parse_server_interfaces(out_buf, ret_data_len,
++ rc = parse_server_interfaces(out_buf, ret_data_len, ses,
+ &iface_list, &iface_count);
+ if (rc)
+ goto out;
diff --git a/queue-5.10/staging-rtl8723bs-fix-null-dereference-in-find_network.patch b/queue-5.10/staging-rtl8723bs-fix-null-dereference-in-find_network.patch
new file mode 100644
index 0000000000..9c6a37b7b2
--- /dev/null
+++ b/queue-5.10/staging-rtl8723bs-fix-null-dereference-in-find_network.patch
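Review bot: The comment `/* [MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these */` above `addr4->sin_port = port;` (and its IPv6 twin above `addr6->sin6_port = port;`) now sits over a line that copies the mount's configured destination port rather than a protocol default, so it should say what is substituted, e.g. `/* [MS-SMB2] 2.2.32.5.1.1 Clients MUST ignore these; reuse the port we are connected on */`. The new `ses` parameter is dereferenced through `ses->server` without a check; the only caller visible in the hunk, SMB3_request_interfaces, passes its own `ses`, so this holds as long as no other caller exists outside what is shown. The fallback `port = cpu_to_be16(CIFS_PORT)` for a dstaddr of any other family keeps the pre-patch behaviour, which is reasonable, though a short comment on why that branch is reachable would help a reader.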
@@ -0,0 +1,43 @@
+From ethantidmore06@gmail.com Tue Mar 10 03:48:36 2026
+From: Ethan Tidmore
+Date: Mon, 9 Mar 2026 21:48:15 -0500
+Subject: staging: rtl8723bs: fix null dereference in find_network
+To: stable@vger.kernel.org
+Cc: gregkh@linuxfoundation.org, sashal@kernel.org, Ethan Tidmore
+Message-ID: <20260310024815.53668-1-ethantidmore06@gmail.com>
+
+From: Ethan Tidmore
+
+[ Upstream commit 41460a19654c32d39fd0e3a3671cd8d4b7b8479f ]
+
+The variable pwlan has the possibility of being NULL when passed into
+rtw_free_network_nolock() which would later dereference the variable.
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ethan Tidmore
+Link: https://patch.msgid.link/20260202205429.20181-1-ethantidmore06@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
+@@ -967,10 +967,12 @@ static void find_network(struct adapter
+ struct wlan_network *tgt_network = &pmlmepriv->cur_network;
+
+ pwlan = rtw_find_network(&pmlmepriv->scanned_queue, tgt_network->network.MacAddress);
+- if (pwlan)
+- pwlan->fixed = false;
+- else
++ if (!pwlan) {
+ RT_TRACE(_module_rtl871x_mlme_c_, _drv_err_, ("rtw_free_assoc_resources : pwlan == NULL\n\n"));
++ return;
++ }
++
++ pwlan->fixed = false;
+
+ if (check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE) &&
+ (adapter->stapriv.asoc_sta_count == 1))
diff --git a/queue-5.10/tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch b/queue-5.10/tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch
new file mode 100644
index 0000000000..07dec8977f
--- /dev/null
+++ b/queue-5.10/tracing-fix-syscall-events-activation-by-ensuring-refcount-hits-zero.patch
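Review bot: The new early `return` on `!pwlan` also skips the `check_fwstate(pmlmepriv, WIFI_ADHOC_MASTER_STATE)` block that follows, whereas before the fix that block still ran when pwlan was NULL; find_network continues past the hunk, so whether that block only feeds pwlan into rtw_free_network_nolock() (in which case the return is the right fix, as the commit message suggests) or also has side effects independent of pwlan cannot be confirmed from here. The error trace kept on the NULL path still names `rtw_free_assoc_resources` rather than find_network; since the lines around it are being rewritten, `("find_network : pwlan == NULL\n\n")` would point a reader at the right function. A short comment on the new return, e.g. `/* nothing to release; the later ADHOC-master path needs pwlan */`, would record why bailing out is safe once that has been verified.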
@@ -0,0 +1,123 @@
+From stable+bounces-227030-greg=kroah.com@vger.kernel.org Wed Mar 18 12:42:18 2026
+From: Sasha Levin
+Date: Wed, 18 Mar 2026 07:42:11 -0400
+Subject: tracing: Fix syscall events activation by ensuring refcount hits zero
+To: stable@vger.kernel.org
+Cc: Huiwen He , Masami Hiramatsu , Mathieu Desnoyers , "Steven Rostedt (Google)" , Sasha Levin
+Message-ID: <20260318114212.632889-1-sashal@kernel.org>
+
+From: Huiwen He
+
+[ Upstream commit 0a663b764dbdf135a126284f454c9f01f95a87d4 ]
+
+When multiple syscall events are specified in the kernel command line
+(e.g., trace_event=syscalls:sys_enter_openat,syscalls:sys_enter_close),
+they are often not captured after boot, even though they appear enabled
+in the tracing/set_event file.
+
+The issue stems from how syscall events are initialized. Syscall
+tracepoints require the global reference count (sys_tracepoint_refcount)
+to transition from 0 to 1 to trigger the registration of the syscall
+work (TIF_SYSCALL_TRACEPOINT) for tasks, including the init process (pid 1).
+
+The current implementation of early_enable_events() with disable_first=true
+used an interleaved sequence of "Disable A -> Enable A -> Disable B -> Enable B".
+If multiple syscalls are enabled, the refcount never drops to zero,
+preventing the 0->1 transition that triggers actual registration.
+
+Fix this by splitting early_enable_events() into two distinct phases:
+1. Disable all events specified in the buffer.
+2. Enable all events specified in the buffer.
+
+This ensures the refcount hits zero before re-enabling, allowing syscall
+events to be properly activated during early boot.
+
+The code is also refactored to use a helper function to avoid logic
+duplication between the disable and enable phases.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu
+Cc: Mathieu Desnoyers
+Link: https://patch.msgid.link/20260224023544.1250787-1-hehuiwen@kylinos.cn
+Fixes: ce1039bd3a89 ("tracing: Fix enabling of syscall events on the command line")
+Signed-off-by: Huiwen He
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/trace/trace_events.c | 51 ++++++++++++++++++++++++++++++++------------
+ 1 file changed, 36 insertions(+), 15 deletions(-)
+
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -3393,27 +3393,23 @@ static __init int event_trace_memsetup(v
+ return 0;
+ }
+
+-static __init void
+-early_enable_events(struct trace_array *tr, bool disable_first)
++/*
++ * Helper function to enable or disable a comma-separated list of events
++ * from the bootup buffer.
++ */
++static __init void __early_set_events(struct trace_array *tr, bool enable)
+ {
+ char *buf = bootup_event_buf;
+ char *token;
+- int ret;
+-
+- while (true) {
+- token = strsep(&buf, ",");
+-
+- if (!token)
+- break;
+
++ while ((token = strsep(&buf, ","))) {
+ if (*token) {
+- /* Restarting syscalls requires that we stop them first */
+- if (disable_first)
++ if (enable) {
++ if (ftrace_set_clr_event(tr, token, 1))
++ pr_warn("Failed to enable trace event: %s\n", token);
++ } else {
+ ftrace_set_clr_event(tr, token, 0);
+-
+- ret = ftrace_set_clr_event(tr, token, 1);
+- if (ret)
+- pr_warn("Failed to enable trace event: %s\n", token);
++ }
+ }
+
+ /* Put back the comma to allow this to be called again */
+@@ -3422,6 +3418,31 @@ early_enable_events(struct trace_array *
+ }
+ }
+
++/**
++ * early_enable_events - enable events from the bootup buffer
++ * @tr: The trace array to enable the events in
++ * @disable_first: If true, disable all events before enabling them
++ *
++ * This function enables events from the bootup buffer. If @disable_first
++ * is true, it will first disable all events in the buffer before enabling
++ * them.
++ *
++ * For syscall events, which rely on a global refcount to register the
++ * SYSCALL_WORK_SYSCALL_TRACEPOINT flag (especially for pid 1), we must
++ * ensure the refcount hits zero before re-enabling them. A simple
++ * "disable then enable" per-event is not enough if multiple syscalls are
++ * used, as the refcount will stay above zero. Thus, we need a two-phase
++ * approach: disable all, then enable all.
++ */
++static __init void
++early_enable_events(struct trace_array *tr, bool disable_first)
++{
++ if (disable_first)
++ __early_set_events(tr, false);
++
++ __early_set_events(tr, true);
++}
++
+ static __init int event_trace_enable(void)
+ {
+ struct trace_array *tr = top_trace_array();
diff --git a/queue-5.10/usb-gadget-f_tcm-fix-null-pointer-dereferences-in-nexus-handling.patch b/queue-5.10/usb-gadget-f_tcm-fix-null-pointer-dereferences-in-nexus-handling.patch
new file mode 100644
index 0000000000..896fa914f7
--- /dev/null
+++ b/queue-5.10/usb-gadget-f_tcm-fix-null-pointer-dereferences-in-nexus-handling.patch
@@ -0,0 +1,75 @@ +From sashal@kernel.org Mon Mar 16 22:23:28 2026 +From: Sasha Levin +Date: Mon, 16 Mar 2026 17:23:25 -0400 +Subject: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling +To: stable@vger.kernel.org +Cc: Jiasheng Jiang , stable , Thinh Nguyen , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20260316212325.1415578-1-sashal@kernel.org> + +From: Jiasheng Jiang + +[ Upstream commit b9fde507355342a2d64225d582dc8b98ff5ecb19 ] + +The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically +managed and tied to userspace configuration via ConfigFS. It can be +NULL if the USB host sends requests before the nexus is fully +established or immediately after it is dropped. + +Currently, functions like `bot_submit_command()` and the data +transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately +dereference `tv_nexus->tvn_se_sess` without any validation. If a +malicious or misconfigured USB host sends a BOT (Bulk-Only Transport) +command during this race window, it triggers a NULL pointer +dereference, leading to a kernel panic (local DoS). + +This exposes an inconsistent API usage within the module, as peer +functions like `usbg_submit_command()` and `bot_send_bad_response()` +correctly implement a NULL check for `tv_nexus` before proceeding. + +Fix this by bringing consistency to the nexus handling. Add the +missing `if (!tv_nexus)` checks to the vulnerable BOT command and +request processing paths, aborting the command gracefully with an +error instead of crashing the system. 
+ +Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT") +Cc: stable +Signed-off-by: Jiasheng Jiang +Reviewed-by: Thinh Nguyen +Link: https://patch.msgid.link/20260219023834.17976-1-jiashengjiangcool@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_tcm.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/usb/gadget/function/f_tcm.c ++++ b/drivers/usb/gadget/function/f_tcm.c +@@ -1032,6 +1032,13 @@ static void usbg_cmd_work(struct work_st + se_cmd = &cmd->se_cmd; + tpg = cmd->fu->tpg; + tv_nexus = tpg->tpg_nexus; ++ if (!tv_nexus) { ++ struct usb_gadget *gadget = fuas_to_gadget(cmd->fu); ++ ++ dev_err(&gadget->dev, "Missing nexus, ignoring command\n"); ++ return; ++ } ++ + dir = get_cmd_dir(cmd->cmd_buf); + if (dir < 0) { + transport_init_se_cmd(se_cmd, +@@ -1162,6 +1169,13 @@ static void bot_cmd_work(struct work_str + se_cmd = &cmd->se_cmd; + tpg = cmd->fu->tpg; + tv_nexus = tpg->tpg_nexus; ++ if (!tv_nexus) { ++ struct usb_gadget *gadget = fuas_to_gadget(cmd->fu); ++ ++ dev_err(&gadget->dev, "Missing nexus, ignoring command\n"); ++ return; ++ } ++ + dir = get_cmd_dir(cmd->cmd_buf); + if (dir < 0) { + transport_init_se_cmd(se_cmd, diff --git a/queue-5.10/usb-roles-get-usb-role-switch-from-parent-only-for-usb-b-connector.patch b/queue-5.10/usb-roles-get-usb-role-switch-from-parent-only-for-usb-b-connector.patch new file mode 100644 index 0000000000..dccbaceada --- /dev/null +++ b/queue-5.10/usb-roles-get-usb-role-switch-from-parent-only-for-usb-b-connector.patch 
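Review bot: The new early returns in `usbg_cmd_work` and `bot_cmd_work` log with plain `dev_err()` on a path the commit message itself says a malicious USB host can drive at will, so a hostile host can flood the kernel log; `dev_err_ratelimited(&gadget->dev, "Missing nexus, ignoring command\n");` is the usual choice for host-triggerable messages. The check reads `tpg->tpg_nexus` with no visible locking, so if the ConfigFS drop path can clear it concurrently the window is narrowed rather than closed — if a lock is meant to cover this, a comment saying so (or taking it) would settle it; that cannot be confirmed from the hunk. Returning from the work function also leaves `cmd` neither completed nor released as the normal target-core path presumably would; whether it is freed elsewhere or the host is left waiting is not visible here and deserves a comment at the return. Both functions start and end outside the hunk.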
@@ -0,0 +1,60 @@ +From stable+bounces-225712-greg=kroah.com@vger.kernel.org Mon Mar 16 23:29:37 2026 +From: Sasha Levin +Date: Mon, 16 Mar 2026 18:28:15 -0400 +Subject: usb: roles: get usb role switch from parent only for usb-b-connector +To: stable@vger.kernel.org +Cc: Xu Yang , stable , Arnaud Ferraris , Heikki Krogerus , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20260316222815.1434974-1-sashal@kernel.org> + +From: Xu Yang + +[ Upstream commit 8345b1539faa49fcf9c9439c3cbd97dac6eca171 ] + +usb_role_switch_is_parent() was walking up to the parent node and checking +for the "usb-role-switch" property regardless of the type of the passed +fwnode. This could cause unrelated device nodes to be probed as potential +role switch parent, leading to spurious matches and "-EPROBE_DEFER" being +returned infinitely. + +Till now only Type-B connector node will have a parent node which may +present "usb-role-switch" property and register the role switch device. +For Type-C connector node, its parent node will always be a Type-C chip +device which will never register the role switch device. However, it may +still present a non-boolean "usb-role-switch = <&usb_controller>" property +for historical compatibility. + +So restrict the helper to only operate on Type-B connector when attempting +to get the role switch from parent node. 
+ +Fixes: 6fadd72943b8 ("usb: roles: get usb-role-switch from parent") +Cc: stable +Signed-off-by: Xu Yang +Tested-by: Arnaud Ferraris +Reviewed-by: Heikki Krogerus +Link: https://patch.msgid.link/20260309074313.2809867-3-xu.yang_2@nxp.com +Signed-off-by: Greg Kroah-Hartman +[ replace fwnode_device_is_compatible() call with it's expansion ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/roles/class.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/usb/roles/class.c ++++ b/drivers/usb/roles/class.c +@@ -108,9 +108,14 @@ static void *usb_role_switch_match(struc + static struct usb_role_switch * + usb_role_switch_is_parent(struct fwnode_handle *fwnode) + { +- struct fwnode_handle *parent = fwnode_get_parent(fwnode); ++ struct fwnode_handle *parent; + struct device *dev; + ++ if (fwnode_property_match_string(fwnode, "compatible", "usb-b-connector") < 0) ++ return NULL; ++ ++ parent = fwnode_get_parent(fwnode); ++ + if (!fwnode_property_present(parent, "usb-role-switch")) { + fwnode_handle_put(parent); + return NULL; diff --git a/queue-5.10/xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch b/queue-5.10/xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch new file mode 100644 index 0000000000..8b5c419fa5 --- /dev/null +++ b/queue-5.10/xfs-ensure-dquot-item-is-deleted-from-ail-only-after-log-shutdown.patch 
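Review bot: The new `usb-b-connector` gate in `usb_role_switch_is_parent` has no comment, so the reason it is restricted to Type-B lives only in the commit message and is easy to widen back later; a short comment above it would keep that knowledge in the code, e.g. `/* Only a usb-b-connector's parent may register the role switch; a Type-C connector's parent is the Type-C chip, which may carry a phandle "usb-role-switch" property but never registers one. */`. Note that any negative return from `fwnode_property_match_string()` (no match, no property, bad argument) is treated alike as "not a Type-B connector", which appears intended but is worth stating in that comment. The function's tail continues outside the hunk.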
@@ -0,0 +1,70 @@ +From stable+bounces-227271-greg=kroah.com@vger.kernel.org Thu Mar 19 12:48:22 2026 +From: Sasha Levin +Date: Thu, 19 Mar 2026 07:40:01 -0400 +Subject: xfs: ensure dquot item is deleted from AIL only after log shutdown +To: stable@vger.kernel.org +Cc: Long Li , Carlos Maiolino , Christoph Hellwig , Carlos Maiolino , Sasha Levin +Message-ID: <20260319114001.2348820-1-sashal@kernel.org> + +From: Long Li + +[ Upstream commit 186ac39b8a7d3ec7ce9c5dd45e5c2730177f375c ] + +In xfs_qm_dqflush(), when a dquot flush fails due to corruption +(the out_abort error path), the original code removed the dquot log +item from the AIL before calling xfs_force_shutdown(). This ordering +introduces a subtle race condition that can lead to data loss after +a crash. + +The AIL tracks the oldest dirty metadata in the journal. The position +of the tail item in the AIL determines the log tail LSN, which is the +oldest LSN that must be preserved for crash recovery. When an item is +removed from the AIL, the log tail can advance past the LSN of that item. + +The race window is as follows: if the dquot item happens to be at +the tail of the log, removing it from the AIL allows the log tail +to advance. If a concurrent log write is sampling the tail LSN at +the same time and subsequently writes a complete checkpoint (i.e., +one containing a commit record) to disk before the shutdown takes +effect, the journal will no longer protect the dquot's last +modification. On the next mount, log recovery will not replay the +dquot changes, even though they were never written back to disk, +resulting in silent data loss. + +Fix this by calling xfs_force_shutdown() before xfs_trans_ail_delete() +in the out_abort path. Once the log is shut down, no new log writes +can complete with an updated tail LSN, making it safe to remove the +dquot item from the AIL. 
+ +Cc: stable@vger.kernel.org +Fixes: b707fffda6a3 ("xfs: abort consistently on dquot flush failure") +Signed-off-by: Long Li +Reviewed-by: Carlos Maiolino +Reviewed-by: Christoph Hellwig +Signed-off-by: Carlos Maiolino +[ adapted error path to preserve existing out_unlock label between xfs_trans_ail_delete and xfs_dqfunlock ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_dquot.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/xfs/xfs_dquot.c ++++ b/fs/xfs/xfs_dquot.c +@@ -1324,9 +1324,15 @@ xfs_qm_dqflush( + return 0; + + out_abort: ++ /* ++ * Shut down the log before removing the dquot item from the AIL. ++ * Otherwise, the log tail may advance past this item's LSN while ++ * log writes are still in progress, making these unflushed changes ++ * unrecoverable on the next mount. ++ */ ++ xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE); + dqp->q_flags &= ~XFS_DQFLAG_DIRTY; + xfs_trans_ail_delete(lip, 0); +- xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE); + out_unlock: + xfs_dqfunlock(dqp); + return error; diff --git a/queue-5.10/xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch b/queue-5.10/xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch new file mode 100644 index 0000000000..a90edb0f4c --- /dev/null +++ b/queue-5.10/xfs-fix-integer-overflow-in-bmap-intent-sort-comparator.patch 
@@ -0,0 +1,44 @@ +From stable+bounces-227273-greg=kroah.com@vger.kernel.org Thu Mar 19 12:43:23 2026 +From: Sasha Levin +Date: Thu, 19 Mar 2026 07:40:07 -0400 +Subject: xfs: fix integer overflow in bmap intent sort comparator +To: stable@vger.kernel.org +Cc: Long Li , "Darrick J. Wong" , Carlos Maiolino , Sasha Levin +Message-ID: <20260319114007.2348969-1-sashal@kernel.org> + +From: Long Li + +[ Upstream commit 362c490980867930a098b99f421268fbd7ca05fd ] + +xfs_bmap_update_diff_items() sorts bmap intents by inode number using +a subtraction of two xfs_ino_t (uint64_t) values, with the result +truncated to int. This is incorrect when two inode numbers differ by +more than INT_MAX (2^31 - 1), which is entirely possible on large XFS +filesystems. + +Fix this by replacing the subtraction with cmp_int(). + +Cc: # v4.9 +Fixes: 9f3afb57d5f1 ("xfs: implement deferred bmbt map/unmap operations") +Signed-off-by: Long Li +Reviewed-by: Darrick J. Wong +Signed-off-by: Carlos Maiolino +[ replaced `bi_entry()` macro with `container_of()` and inlined `cmp_int()` as a manual three-way comparison expression ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_bmap_item.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/xfs/xfs_bmap_item.c ++++ b/fs/xfs/xfs_bmap_item.c +@@ -273,7 +273,8 @@ xfs_bmap_update_diff_items( + + ba = container_of(a, struct xfs_bmap_intent, bi_list); + bb = container_of(b, struct xfs_bmap_intent, bi_list); +- return ba->bi_owner->i_ino - bb->bi_owner->i_ino; ++ return (ba->bi_owner->i_ino > bb->bi_owner->i_ino) - ++ (ba->bi_owner->i_ino < bb->bi_owner->i_ino); + } + + /* Set the map extent flags for this mapping. */
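Review bot: The three-way comparison now returned by `xfs_bmap_update_diff_items` is correct but carries no comment, and the `a - b` form it replaces looks natural enough that someone may reintroduce it; a one-liner above the return would guard it: `/* i_ino is u64: a subtraction truncated to int misorders inodes more than INT_MAX apart. */`. Since the backport note says this inlines what upstream spells as `cmp_int()`, mentioning that in the same comment would make a later sync easier. The comparator's signature lies outside the hunk.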