From: Greg Kroah-Hartman Date: Tue, 3 Feb 2026 15:59:07 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v5.10.249~30 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=31042a6b543969480a669755a1db6b5647d38e25;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: blk-cgroup-reinit-blkg_iostat_set-after-clearing-in-blkcg_reset_stats.patch can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch crypto-qat-flush-misc-workqueue-during-device-shutdown.patch drm-amd-display-check-dce_hwseq-before-dereferencing-it.patch drm-amdgpu-replace-mutex-with-spinlock-for-rlcg-register-access-to-avoid-priority-inversion-in-sriov.patch drm-amdkfd-fix-a-memory-leak-in-device_queue_manager_init.patch drm-radeon-delete-radeon_fence_process-in-is_signaled-no-deadlock.patch fs-ntfs3-initialize-allocated-memory-before-use.patch gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch iomap-fix-possible-overflow-condition-in-iomap_write_delalloc_scan.patch ksmbd-fix-race-condition-in-rpc-handle-list-access.patch ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch net-stmmac-make-sure-that-ptp_rate-is-not-0-before-configuring-est.patch nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch revert-mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch revert-net-mlx5-block-entering-switchdev-mode-with-ns-inconsistency.patch sctp-linearize-cloned-gso-packets-in-sctp_rcv.patch usbnet-fix-using-smp_processor_id-in-preemptible-code-warnings.patch vhost-scsi-fix-handling-of-multiple-calls-to-vhost_scsi_set_endpoint.patch --- diff --git a/queue-6.1/blk-cgroup-reinit-blkg_iostat_set-after-clearing-in-blkcg_reset_stats.patch b/queue-6.1/blk-cgroup-reinit-blkg_iostat_set-after-clearing-in-blkcg_reset_stats.patch new file mode 100644 index 0000000000..0bb2ef9fa2 --- /dev/null +++ b/queue-6.1/blk-cgroup-reinit-blkg_iostat_set-after-clearing-in-blkcg_reset_stats.patch @@ -0,0 +1,58 @@ +From stable+bounces-211719-greg=kroah.com@vger.kernel.org Tue Jan 27 05:03:22 2026 +From: alvalan9@foxmail.com +Date: Tue, 27 Jan 2026 04:02:42 +0000 +Subject: blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats() +To: stable@vger.kernel.org +Cc: Waiman Long , Ming Lei , Tejun Heo , Jens Axboe , Alva Lan +Message-ID: + +From: Waiman Long + +[ Upstream commit 3d2af77e31ade05ff7ccc3658c3635ec1bea0979 ] + +When blkg_alloc() is called to allocate a blkcg_gq structure +with the associated blkg_iostat_set's, there are 2 fields within +blkg_iostat_set that requires proper initialization - blkg & sync. +The former field was introduced by commit 3b8cc6298724 ("blk-cgroup: +Optimize blkcg_rstat_flush()") while the later one was introduced by +commit f73316482977 ("blk-cgroup: reimplement basic IO stats using +cgroup rstat"). + +Unfortunately those fields in the blkg_iostat_set's are not properly +re-initialized when they are cleared in v1's blkcg_reset_stats(). This +can lead to a kernel panic due to NULL pointer access of the blkg +pointer. The missing initialization of sync is less problematic and +can be a problem in a debug kernel due to missing lockdep initialization. + +Fix these problems by re-initializing them after memory clearing. + +Fixes: 3b8cc6298724 ("blk-cgroup: Optimize blkcg_rstat_flush()") +Fixes: f73316482977 ("blk-cgroup: reimplement basic IO stats using cgroup rstat") +Signed-off-by: Waiman Long +Reviewed-by: Ming Lei +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20230606180724.2455066-1-longman@redhat.com +Signed-off-by: Jens Axboe +[ Remove this line: bis -> blkg = blkg for blkg was introduced by commit + 3b8cc6298724 ("blk-cgroup: Optimize blkcg_rstat_flush()") since v6.2. ] +Signed-off-by: Alva Lan +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-cgroup.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -531,8 +531,12 @@ static int blkcg_reset_stats(struct cgro + struct blkg_iostat_set *bis = + per_cpu_ptr(blkg->iostat_cpu, cpu); + memset(bis, 0, sizeof(*bis)); ++ ++ /* Re-initialize the cleared blkg_iostat_set */ ++ u64_stats_init(&bis->sync); + } + memset(&blkg->iostat, 0, sizeof(blkg->iostat)); ++ u64_stats_init(&blkg->iostat.sync); + + for (i = 0; i < BLKCG_MAX_POLS; i++) { + struct blkcg_policy *pol = blkcg_policy[i]; diff --git a/queue-6.1/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch b/queue-6.1/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch new file mode 100644 index 0000000000..9b1a7b15ab --- /dev/null +++ b/queue-6.1/can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch @@ -0,0 +1,59 @@ +From 5a4391bdc6c8357242f62f22069c865b792406b3 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 10 Jan 2026 12:52:27 +0100 +Subject: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak + +From: Marc Kleine-Budde + +commit 5a4391bdc6c8357242f62f22069c865b792406b3 upstream. + +Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: +gs_usb_receive_bulk_callback(): fix URB memory leak"). + +In esd_usb_open(), the URBs for USB-in transfers are allocated, added to +the dev->rx_submitted anchor and submitted. In the complete callback +esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In +esd_usb_close() the URBs are freed by calling +usb_kill_anchored_urbs(&dev->rx_submitted). + +However, this does not take into account that the USB framework unanchors +the URB before the complete function is called. This means that once an +in-URB has been completed, it is no longer anchored and is ultimately not +released in esd_usb_close(). + +Fix the memory leak by anchoring the URB in the +esd_usb_read_bulk_callback() to the dev->rx_submitted anchor. + +Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-2-4b8cb2915571@pengutronix.de +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/esd_usb.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/esd_usb.c ++++ b/drivers/net/can/usb/esd_usb.c +@@ -447,13 +447,20 @@ resubmit_urb: + urb->transfer_buffer, RX_BUFFER_SIZE, + esd_usb_read_bulk_callback, dev); + ++ usb_anchor_urb(urb, &dev->rx_submitted); ++ + retval = usb_submit_urb(urb, GFP_ATOMIC); ++ if (!retval) ++ return; ++ ++ usb_unanchor_urb(urb); ++ + if (retval == -ENODEV) { + for (i = 0; i < dev->net_count; i++) { + if (dev->nets[i]) + netif_device_detach(dev->nets[i]->netdev); + } +- } else if (retval) { ++ } else { + dev_err(dev->udev->dev.parent, + "failed resubmitting read bulk urb: %d\n", retval); + } diff --git a/queue-6.1/crypto-qat-flush-misc-workqueue-during-device-shutdown.patch b/queue-6.1/crypto-qat-flush-misc-workqueue-during-device-shutdown.patch new file mode 100644 index 0000000000..48b735a0ec --- /dev/null +++ b/queue-6.1/crypto-qat-flush-misc-workqueue-during-device-shutdown.patch @@ -0,0 +1,91 @@ +From stable+bounces-211328-greg=kroah.com@vger.kernel.org Fri Jan 23 04:26:02 2026 +From: jetlan9@163.com +Date: Fri, 23 Jan 2026 03:24:22 +0000 +Subject: crypto: qat - flush misc workqueue during device shutdown +To: stable@vger.kernel.org +Cc: Giovanni Cabiddu , Ahsan Atta , Herbert Xu , Wenshan Lan +Message-ID: <20260123032422.4202-1-jetlan9@163.com> + +From: Giovanni Cabiddu + +[ Upstream commit 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a ] + +Repeated loading and unloading of a device specific QAT driver, for +example qat_4xxx, in a tight loop can lead to a crash due to a +use-after-free scenario. This occurs when a power management (PM) +interrupt triggers just before the device-specific driver (e.g., +qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains +loaded. + +Since the driver uses a shared workqueue (`qat_misc_wq`) across all +devices and owned by intel_qat.ko, a deferred routine from the +device-specific driver may still be pending in the queue. If this +routine executes after the driver is unloaded, it can dereference freed +memory, resulting in a page fault and kernel crash like the following: + + BUG: unable to handle page fault for address: ffa000002e50a01c + #PF: supervisor read access in kernel mode + RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat] + Call Trace: + pm_bh_handler+0x1d2/0x250 [intel_qat] + process_one_work+0x171/0x340 + worker_thread+0x277/0x3a0 + kthread+0xf0/0x120 + ret_from_fork+0x2d/0x50 + +To prevent this, flush the misc workqueue during device shutdown to +ensure that all pending work items are completed before the driver is +unloaded. + +Note: This approach may slightly increase shutdown latency if the +workqueue contains jobs from other devices, but it ensures correctness +and stability. + +Fixes: e5745f34113b ("crypto: qat - enable power management for QAT GEN4") +Signed-off-by: Giovanni Cabiddu +Cc: stable@vger.kernel.org +Reviewed-by: Ahsan Atta +Signed-off-by: Herbert Xu +[ Intel crypto drivers was moved by + a4b16dad4657 ("crypto: qat - Move driver to drivers/crypto/intel/qat") + so apply the patch to files under drivers/crypto/qat/qat_common in + 6.1.y. ] +Signed-off-by: Wenshan Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/qat/qat_common/adf_common_drv.h | 1 + + drivers/crypto/qat/qat_common/adf_init.c | 1 + + drivers/crypto/qat/qat_common/adf_isr.c | 5 +++++ + 3 files changed, 7 insertions(+) + +--- a/drivers/crypto/qat/qat_common/adf_common_drv.h ++++ b/drivers/crypto/qat/qat_common/adf_common_drv.h +@@ -194,6 +194,7 @@ int qat_uclo_set_cfg_ae_mask(struct icp_ + int adf_init_misc_wq(void); + void adf_exit_misc_wq(void); + bool adf_misc_wq_queue_work(struct work_struct *work); ++void adf_misc_wq_flush(void); + #if defined(CONFIG_PCI_IOV) + int adf_sriov_configure(struct pci_dev *pdev, int numvfs); + void adf_disable_sriov(struct adf_accel_dev *accel_dev); +--- a/drivers/crypto/qat/qat_common/adf_init.c ++++ b/drivers/crypto/qat/qat_common/adf_init.c +@@ -337,6 +337,7 @@ void adf_dev_shutdown(struct adf_accel_d + hw_data->exit_admin_comms(accel_dev); + + adf_cleanup_etr_data(accel_dev); ++ adf_misc_wq_flush(); + adf_dev_restore(accel_dev); + } + EXPORT_SYMBOL_GPL(adf_dev_shutdown); +--- a/drivers/crypto/qat/qat_common/adf_isr.c ++++ b/drivers/crypto/qat/qat_common/adf_isr.c +@@ -380,3 +380,8 @@ bool adf_misc_wq_queue_work(struct work_ + { + return queue_work(adf_misc_wq, work); + } ++ ++void adf_misc_wq_flush(void) ++{ ++ flush_workqueue(adf_misc_wq); ++} diff --git a/queue-6.1/drm-amd-display-check-dce_hwseq-before-dereferencing-it.patch b/queue-6.1/drm-amd-display-check-dce_hwseq-before-dereferencing-it.patch new file mode 100644 index 0000000000..3a66cc08fd --- /dev/null +++ b/queue-6.1/drm-amd-display-check-dce_hwseq-before-dereferencing-it.patch @@ -0,0 +1,47 @@ +From stable+bounces-210683-greg=kroah.com@vger.kernel.org Wed Jan 21 05:22:43 2026 +From: Rahul Sharma +Date: Wed, 21 Jan 2026 12:21:58 +0800 +Subject: drm/amd/display: Check dce_hwseq before dereferencing it +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Alex Hung , Mario Limonciello , Alex Deucher , Aurabindo Pillai , Rahul Sharma +Message-ID: <20260121042158.3553167-1-black.hawk@163.com> + +From: Alex Hung + +[ Upstream commit b669507b637eb6b1aaecf347f193efccc65d756e ] + +[WHAT] + +hws was checked for null earlier in dce110_blank_stream, indicating hws +can be null, and should be checked whenever it is used. + +Cc: Mario Limonciello +Cc: Alex Deucher +Reviewed-by: Aurabindo Pillai +Signed-off-by: Alex Hung +Signed-off-by: Aurabindo Pillai +Signed-off-by: Alex Deucher +(cherry picked from commit 79db43611ff61280b6de58ce1305e0b2ecf675ad) +Cc: stable@vger.kernel.org +[ The context change is due to the commit 8e7b3f5435b3 +("drm/amd/display: Add control flag to dc_stream_state to skip eDP BL off/link off") +and the commit a8728dbb4ba2 ("drm/amd/display: Refactor edp power +control") and the proper adoption is done. ] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dce110/dce110_hw_sequencer.c +@@ -1233,7 +1233,8 @@ void dce110_blank_stream(struct pipe_ctx + struct dce_hwseq *hws = link->dc->hwseq; + + if (link->local_sink && link->local_sink->sink_signal == SIGNAL_TYPE_EDP) { +- hws->funcs.edp_backlight_control(link, false); ++ if (hws) ++ hws->funcs.edp_backlight_control(link, false); + link->dc->hwss.set_abm_immediate_disable(pipe_ctx); + } + diff --git a/queue-6.1/drm-amdgpu-replace-mutex-with-spinlock-for-rlcg-register-access-to-avoid-priority-inversion-in-sriov.patch b/queue-6.1/drm-amdgpu-replace-mutex-with-spinlock-for-rlcg-register-access-to-avoid-priority-inversion-in-sriov.patch new file mode 100644 index 0000000000..f93def5660 --- /dev/null +++ b/queue-6.1/drm-amdgpu-replace-mutex-with-spinlock-for-rlcg-register-access-to-avoid-priority-inversion-in-sriov.patch @@ -0,0 +1,172 @@ +From stable+bounces-212755-greg=kroah.com@vger.kernel.org Thu Jan 29 10:27:16 2026 +From: Li hongliang <1468888505@139.com> +Date: Thu, 29 Jan 2026 17:27:02 +0800 +Subject: drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, srinivasan.shanmugam@amd.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, alexander.deucher@amd.com, christian.koenig@amd.com, Xinhui.Pan@amd.com, airlied@gmail.com, daniel@ffwll.ch, sashal@kernel.org, mario.limonciello@amd.com, superm1@kernel.org, Jun.Ma2@amd.com, Zhigang.Luo@amd.com, Hawking.Zhang@amd.com, Jesse.Zhang@amd.com, victor.skvortsov@amd.com, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, lin.cao@amd.com, Jingwen.Chen2@amd.com +Message-ID: <20260129092702.3671189-1-1468888505@139.com> + +From: Srinivasan Shanmugam + +[ Upstream commit dc0297f3198bd60108ccbd167ee5d9fa4af31ed0 ] + +RLCG Register Access is a way for virtual functions to safely access GPU +registers in a virtualized environment., including TLB flushes and +register reads. When multiple threads or VFs try to access the same +registers simultaneously, it can lead to race conditions. By using the +RLCG interface, the driver can serialize access to the registers. This +means that only one thread can access the registers at a time, +preventing conflicts and ensuring that operations are performed +correctly. Additionally, when a low-priority task holds a mutex that a +high-priority task needs, ie., If a thread holding a spinlock tries to +acquire a mutex, it can lead to priority inversion. register access in +amdgpu_virt_rlcg_reg_rw especially in a fast code path is critical. + +The call stack shows that the function amdgpu_virt_rlcg_reg_rw is being +called, which attempts to acquire the mutex. This function is invoked +from amdgpu_sriov_wreg, which in turn is called from +gmc_v11_0_flush_gpu_tlb. + +The [ BUG: Invalid wait context ] indicates that a thread is trying to +acquire a mutex while it is in a context that does not allow it to sleep +(like holding a spinlock). + +Fixes the below: + +[ 253.013423] ============================= +[ 253.013434] [ BUG: Invalid wait context ] +[ 253.013446] 6.12.0-amdstaging-drm-next-lol-050225 #14 Tainted: G U OE +[ 253.013464] ----------------------------- +[ 253.013475] kworker/0:1/10 is trying to lock: +[ 253.013487] ffff9f30542e3cf8 (&adev->virt.rlcg_reg_lock){+.+.}-{3:3}, at: amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] +[ 253.013815] other info that might help us debug this: +[ 253.013827] context-{4:4} +[ 253.013835] 3 locks held by kworker/0:1/10: +[ 253.013847] #0: ffff9f3040050f58 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x3f5/0x680 +[ 253.013877] #1: ffffb789c008be40 ((work_completion)(&wfc.work)){+.+.}-{0:0}, at: process_one_work+0x1d6/0x680 +[ 253.013905] #2: ffff9f3054281838 (&adev->gmc.invalidate_lock){+.+.}-{2:2}, at: gmc_v11_0_flush_gpu_tlb+0x198/0x4f0 [amdgpu] +[ 253.014154] stack backtrace: +[ 253.014164] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Tainted: G U OE 6.12.0-amdstaging-drm-next-lol-050225 #14 +[ 253.014189] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE +[ 253.014203] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/18/2024 +[ 253.014224] Workqueue: events work_for_cpu_fn +[ 253.014241] Call Trace: +[ 253.014250] +[ 253.014260] dump_stack_lvl+0x9b/0xf0 +[ 253.014275] dump_stack+0x10/0x20 +[ 253.014287] __lock_acquire+0xa47/0x2810 +[ 253.014303] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 253.014321] lock_acquire+0xd1/0x300 +[ 253.014333] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] +[ 253.014562] ? __lock_acquire+0xa6b/0x2810 +[ 253.014578] __mutex_lock+0x85/0xe20 +[ 253.014591] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] +[ 253.014782] ? sched_clock_noinstr+0x9/0x10 +[ 253.014795] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 253.014808] ? local_clock_noinstr+0xe/0xc0 +[ 253.014822] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] +[ 253.015012] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 253.015029] mutex_lock_nested+0x1b/0x30 +[ 253.015044] ? mutex_lock_nested+0x1b/0x30 +[ 253.015057] amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] +[ 253.015249] amdgpu_sriov_wreg+0xc5/0xd0 [amdgpu] +[ 253.015435] gmc_v11_0_flush_gpu_tlb+0x44b/0x4f0 [amdgpu] +[ 253.015667] gfx_v11_0_hw_init+0x499/0x29c0 [amdgpu] +[ 253.015901] ? __pfx_smu_v13_0_update_pcie_parameters+0x10/0x10 [amdgpu] +[ 253.016159] ? srso_alias_return_thunk+0x5/0xfbef5 +[ 253.016173] ? smu_hw_init+0x18d/0x300 [amdgpu] +[ 253.016403] amdgpu_device_init+0x29ad/0x36a0 [amdgpu] +[ 253.016614] amdgpu_driver_load_kms+0x1a/0xc0 [amdgpu] +[ 253.017057] amdgpu_pci_probe+0x1c2/0x660 [amdgpu] +[ 253.017493] local_pci_probe+0x4b/0xb0 +[ 253.017746] work_for_cpu_fn+0x1a/0x30 +[ 253.017995] process_one_work+0x21e/0x680 +[ 253.018248] worker_thread+0x190/0x330 +[ 253.018500] ? __pfx_worker_thread+0x10/0x10 +[ 253.018746] kthread+0xe7/0x120 +[ 253.018988] ? __pfx_kthread+0x10/0x10 +[ 253.019231] ret_from_fork+0x3c/0x60 +[ 253.019468] ? __pfx_kthread+0x10/0x10 +[ 253.019701] ret_from_fork_asm+0x1a/0x30 +[ 253.019939] + +v2: s/spin_trylock/spin_lock_irqsave to be safe (Christian). + +Fixes: e864180ee49b ("drm/amdgpu: Add lock around VF RLCG interface") +Cc: lin cao +Cc: Jingwen Chen +Cc: Victor Skvortsov +Cc: Zhigang Luo +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Srinivasan Shanmugam +Suggested-by: Alex Deucher +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +[ Minor conflict resolved. ] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- + drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 5 +++-- + drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 3 ++- + 3 files changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3652,7 +3652,6 @@ int amdgpu_device_init(struct amdgpu_dev + mutex_init(&adev->grbm_idx_mutex); + mutex_init(&adev->mn_lock); + mutex_init(&adev->virt.vf_errors.lock); +- mutex_init(&adev->virt.rlcg_reg_lock); + hash_init(adev->mn_hash); + mutex_init(&adev->psp.mutex); + mutex_init(&adev->notifier_lock); +@@ -3674,6 +3673,7 @@ int amdgpu_device_init(struct amdgpu_dev + spin_lock_init(&adev->se_cac_idx_lock); + spin_lock_init(&adev->audio_endpt_idx_lock); + spin_lock_init(&adev->mm_stats.lock); ++ spin_lock_init(&adev->virt.rlcg_reg_lock); + + INIT_LIST_HEAD(&adev->shadow_list); + mutex_init(&adev->shadow_list_lock); +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c +@@ -965,6 +965,7 @@ static u32 amdgpu_virt_rlcg_reg_rw(struc + void *scratch_reg2; + void *scratch_reg3; + void *spare_int; ++ unsigned long flags; + + if (!adev->gfx.rlc.rlcg_reg_access_supported) { + dev_err(adev->dev, +@@ -978,7 +979,7 @@ static u32 amdgpu_virt_rlcg_reg_rw(struc + scratch_reg2 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg2; + scratch_reg3 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg3; + +- mutex_lock(&adev->virt.rlcg_reg_lock); ++ spin_lock_irqsave(&adev->virt.rlcg_reg_lock, flags); + + if (reg_access_ctrl->spare_int) + spare_int = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->spare_int; +@@ -1034,7 +1035,7 @@ static u32 amdgpu_virt_rlcg_reg_rw(struc + + ret = readl(scratch_reg0); + +- mutex_unlock(&adev->virt.rlcg_reg_lock); ++ spin_unlock_irqrestore(&adev->virt.rlcg_reg_lock, flags); + + return ret; + } +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h +@@ -264,7 +264,8 @@ struct amdgpu_virt { + /* the ucode id to signal the autoload */ + uint32_t autoload_ucode_id; + +- struct mutex rlcg_reg_lock; ++ /* Spinlock to protect access to the RLCG register interface */ ++ spinlock_t rlcg_reg_lock; + }; + + struct amdgpu_video_codec_info; diff --git a/queue-6.1/drm-amdkfd-fix-a-memory-leak-in-device_queue_manager_init.patch b/queue-6.1/drm-amdkfd-fix-a-memory-leak-in-device_queue_manager_init.patch new file mode 100644 index 0000000000..d1c9862a61 --- /dev/null +++ b/queue-6.1/drm-amdkfd-fix-a-memory-leak-in-device_queue_manager_init.patch @@ -0,0 +1,67 @@ +From 80614c509810fc051312d1a7ccac8d0012d6b8d0 Mon Sep 17 00:00:00 2001 +From: Haoxiang Li +Date: Thu, 8 Jan 2026 15:18:22 +0800 +Subject: drm/amdkfd: fix a memory leak in device_queue_manager_init() + +From: Haoxiang Li + +commit 80614c509810fc051312d1a7ccac8d0012d6b8d0 upstream. + +If dqm->ops.initialize() fails, add deallocate_hiq_sdma_mqd() +to release the memory allocated by allocate_hiq_sdma_mqd(). +Move deallocate_hiq_sdma_mqd() up to ensure proper function +visibility at the point of use. + +Fixes: 11614c36bc8f ("drm/amdkfd: Allocate MQD trunk for HIQ and SDMA") +Signed-off-by: Haoxiang Li +Signed-off-by: Felix Kuehling +Reviewed-by: Oak Zeng +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +(cherry picked from commit b7cccc8286bb9919a0952c812872da1dcfe9d390) +Cc: stable@vger.kernel.org +Signed-off-by: Felix Kuehling +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -2257,6 +2257,14 @@ static int allocate_hiq_sdma_mqd(struct + return retval; + } + ++static void deallocate_hiq_sdma_mqd(struct kfd_dev *dev, ++ struct kfd_mem_obj *mqd) ++{ ++ WARN(!mqd, "No hiq sdma mqd trunk to free"); ++ ++ amdgpu_amdkfd_free_gtt_mem(dev->adev, &mqd->gtt_mem); ++} ++ + struct device_queue_manager *device_queue_manager_init(struct kfd_dev *dev) + { + struct device_queue_manager *dqm; +@@ -2382,19 +2390,13 @@ struct device_queue_manager *device_queu + if (!dqm->ops.initialize(dqm)) + return dqm; + ++ deallocate_hiq_sdma_mqd(dev, &dqm->hiq_sdma_mqd); ++ + out_free: + kfree(dqm); + return NULL; + } + +-static void deallocate_hiq_sdma_mqd(struct kfd_dev *dev, +- struct kfd_mem_obj *mqd) +-{ +- WARN(!mqd, "No hiq sdma mqd trunk to free"); +- +- amdgpu_amdkfd_free_gtt_mem(dev->adev, &mqd->gtt_mem); +-} +- + void device_queue_manager_uninit(struct device_queue_manager *dqm) + { + dqm->ops.uninitialize(dqm); diff --git a/queue-6.1/drm-radeon-delete-radeon_fence_process-in-is_signaled-no-deadlock.patch b/queue-6.1/drm-radeon-delete-radeon_fence_process-in-is_signaled-no-deadlock.patch new file mode 100644 index 0000000000..0182e41ee8 --- /dev/null +++ b/queue-6.1/drm-radeon-delete-radeon_fence_process-in-is_signaled-no-deadlock.patch @@ -0,0 +1,52 @@ +From stable+bounces-213031-greg=kroah.com@vger.kernel.org Mon Feb 2 08:59:14 2026 +From: Li hongliang <1468888505@139.com> +Date: Mon, 2 Feb 2026 15:58:55 +0800 +Subject: drm/radeon: delete radeon_fence_process in is_signaled, no deadlock +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, rbmccav@gmail.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, alexander.deucher@amd.com, christian.koenig@amd.com, Xinhui.Pan@amd.com, airlied@gmail.com, daniel@ffwll.ch, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org +Message-ID: <20260202075855.947632-1-1468888505@139.com> + +From: Robert McClinton + +[ Upstream commit 9eb00b5f5697bd56baa3222c7a1426fa15bacfb5 ] + +Delete the attempt to progress the queue when checking if fence is +signaled. This avoids deadlock. + +dma-fence_ops::signaled can be called with the fence lock in unknown +state. For radeon, the fence lock is also the wait queue lock. This can +cause a self deadlock when signaled() tries to make forward progress on +the wait queue. But advancing the queue is unneeded because incorrectly +returning false from signaled() is perfectly acceptable. + +Link: https://github.com/brave/brave-browser/issues/49182 +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4641 +Cc: Alex Deucher +Signed-off-by: Robert McClinton +Signed-off-by: Alex Deucher +(cherry picked from commit 527ba26e50ec2ca2be9c7c82f3ad42998a75d0db) +Cc: stable@vger.kernel.org +[ Minor conflict resolved. ] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/radeon_fence.c | 8 -------- + 1 file changed, 8 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_fence.c ++++ b/drivers/gpu/drm/radeon/radeon_fence.c +@@ -362,14 +362,6 @@ static bool radeon_fence_is_signaled(str + return true; + } + +- if (down_read_trylock(&rdev->exclusive_lock)) { +- radeon_fence_process(rdev, ring); +- up_read(&rdev->exclusive_lock); +- +- if (atomic64_read(&rdev->fence_drv[ring].last_seq) >= seq) { +- return true; +- } +- } + return false; + } + diff --git a/queue-6.1/fs-ntfs3-initialize-allocated-memory-before-use.patch b/queue-6.1/fs-ntfs3-initialize-allocated-memory-before-use.patch new file mode 100644 index 0000000000..7eb5925b5d --- /dev/null +++ b/queue-6.1/fs-ntfs3-initialize-allocated-memory-before-use.patch @@ -0,0 +1,75 @@ +From stable+bounces-211512-greg=kroah.com@vger.kernel.org Mon Jan 26 07:21:17 2026 +From: Li hongliang <1468888505@139.com> +Date: Mon, 26 Jan 2026 14:19:33 +0800 +Subject: fs/ntfs3: Initialize allocated memory before use +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, kubik.bartlomiej@gmail.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, almaz.alexandrovich@paragon-software.com, ntfs3@lists.linux.dev, khalid@kernel.org +Message-ID: <20260126061933.1206836-1-1468888505@139.com> + +From: Bartlomiej Kubik + +[ Upstream commit a8a3ca23bbd9d849308a7921a049330dc6c91398 ] + +KMSAN reports: Multiple uninitialized values detected: + +- KMSAN: uninit-value in ntfs_read_hdr (3) +- KMSAN: uninit-value in bcmp (3) + +Memory is allocated by __getname(), which is a wrapper for +kmem_cache_alloc(). This memory is used before being properly +cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to +properly allocate and clear memory before use. + +Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block") +Fixes: 78ab59fee07f ("fs/ntfs3: Rework file operations") +Tested-by: syzbot+332bd4e9d148f11a87dc@syzkaller.appspotmail.com +Reported-by: syzbot+332bd4e9d148f11a87dc@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=332bd4e9d148f11a87dc + +Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block") +Fixes: 78ab59fee07f ("fs/ntfs3: Rework file operations") +Tested-by: syzbot+0399100e525dd9696764@syzkaller.appspotmail.com +Reported-by: syzbot+0399100e525dd9696764@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=0399100e525dd9696764 + +Reviewed-by: Khalid Aziz +Signed-off-by: Bartlomiej Kubik +Signed-off-by: Konstantin Komarov +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + fs/ntfs3/inode.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -1294,7 +1294,7 @@ struct inode *ntfs_create_inode(struct u + fa |= FILE_ATTRIBUTE_READONLY; + + /* Allocate PATH_MAX bytes. */ +- new_de = __getname(); ++ new_de = kmem_cache_zalloc(names_cachep, GFP_KERNEL); + if (!new_de) { + err = -ENOMEM; + goto out1; +@@ -1698,10 +1698,9 @@ int ntfs_link_inode(struct inode *inode, + struct NTFS_DE *de; + + /* Allocate PATH_MAX bytes. */ +- de = __getname(); ++ de = kmem_cache_zalloc(names_cachep, GFP_KERNEL); + if (!de) + return -ENOMEM; +- memset(de, 0, PATH_MAX); + + /* Mark rw ntfs as dirty. It will be cleared at umount. */ + ntfs_set_state(sbi, NTFS_DIRTY_DIRTY); +@@ -1737,7 +1736,7 @@ int ntfs_unlink_inode(struct inode *dir, + return -EINVAL; + + /* Allocate PATH_MAX bytes. */ +- de = __getname(); ++ de = kmem_cache_zalloc(names_cachep, GFP_KERNEL); + if (!de) + return -ENOMEM; + diff --git a/queue-6.1/gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch b/queue-6.1/gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch new file mode 100644 index 0000000000..7a3a06c44f --- /dev/null +++ b/queue-6.1/gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch @@ -0,0 +1,60 @@ +From stable+bounces-211917-greg=kroah.com@vger.kernel.org Wed Jan 28 04:18:27 2026 +From: Rahul Sharma +Date: Wed, 28 Jan 2026 11:17:52 +0800 +Subject: gfs2: Fix NULL pointer dereference in gfs2_log_flush +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: Andreas Gruenbacher , Rahul Sharma +Message-ID: <20260128031752.222018-1-black.hawk@163.com> + +From: Andreas Gruenbacher + +[ Upstream commit 35264909e9d1973ab9aaa2a1b07cda70f12bb828 ] + +In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush +lock to provide exclusion against gfs2_log_flush(). + +In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before +dereferencing it. Otherwise, we could run into a NULL pointer +dereference when outstanding glock work races with an unmount +(glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> +gfs2_log_flush). + +Signed-off-by: Andreas Gruenbacher +[ The context change is due to the commit 4d927b03a688 +("gfs2: Rename gfs2_withdrawn to gfs2_withdrawing_or_withdrawn") in v6.8 +which is irrelevant to the logic of this patch. ] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/log.c | 3 ++- + fs/gfs2/super.c | 4 ++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/gfs2/log.c ++++ b/fs/gfs2/log.c +@@ -1102,7 +1102,8 @@ repeat: + lops_before_commit(sdp, tr); + if (gfs2_withdrawn(sdp)) + goto out_withdraw; +- gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE); ++ if (sdp->sd_jdesc) ++ gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE); + if (gfs2_withdrawn(sdp)) + goto out_withdraw; + +--- a/fs/gfs2/super.c ++++ b/fs/gfs2/super.c +@@ -67,9 +67,13 @@ void gfs2_jindex_free(struct gfs2_sbd *s + sdp->sd_journals = 0; + spin_unlock(&sdp->sd_jindex_spin); + ++ down_write(&sdp->sd_log_flush_lock); + sdp->sd_jdesc = NULL; ++ up_write(&sdp->sd_log_flush_lock); ++ + while (!list_empty(&list)) { + jd = list_first_entry(&list, struct gfs2_jdesc, jd_list); ++ BUG_ON(jd->jd_log_bio); + gfs2_free_journal_extents(jd); + list_del(&jd->jd_list); + iput(jd->jd_inode); diff --git a/queue-6.1/iomap-fix-possible-overflow-condition-in-iomap_write_delalloc_scan.patch b/queue-6.1/iomap-fix-possible-overflow-condition-in-iomap_write_delalloc_scan.patch new file mode 100644 index 0000000000..421ec8e9e1 --- /dev/null +++ b/queue-6.1/iomap-fix-possible-overflow-condition-in-iomap_write_delalloc_scan.patch @@ -0,0 +1,36 @@ +From 681739313@139.com Fri Jan 23 07:33:06 2026 +From: Rajani Kantha <681739313@139.com> +Date: Fri, 23 Jan 2026 14:33:00 +0800 +Subject: iomap: Fix possible overflow condition in iomap_write_delalloc_scan +To: gregkh@linuxfoundation.org, ritesh.list@gmail.com, stable@vger.kernel.org +Cc: djwong@kernel.org, hch@infradead.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-xfs@vger.kernel.org, patches@lists.linux.dev, willy@infradead.org +Message-ID: <20260123063300.3820420-1-681739313@139.com> + +From: "Ritesh Harjani (IBM)" + +[ Upstream commit eee2d2e6ea5550118170dbd5bb1316ceb38455fb ] + +folio_next_index() returns an unsigned long value which left shifted +by PAGE_SHIFT could possibly cause an overflow on 32-bit system. Instead +use folio_pos(folio) + folio_size(folio), which does this correctly. + +Suggested-by: Matthew Wilcox +Signed-off-by: Ritesh Harjani (IBM) +Reviewed-by: Darrick J. Wong +Signed-off-by: Rajani Kantha <681739313@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + fs/iomap/buffered-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -903,7 +903,7 @@ static int iomap_write_delalloc_scan(str + * the end of this data range, not the end of the folio. + */ + *punch_start_byte = min_t(loff_t, end_byte, +- folio_next_index(folio) << PAGE_SHIFT); ++ folio_pos(folio) + folio_size(folio)); + } + + /* move offset to start of next folio in range */ diff --git a/queue-6.1/ksmbd-fix-race-condition-in-rpc-handle-list-access.patch b/queue-6.1/ksmbd-fix-race-condition-in-rpc-handle-list-access.patch new file mode 100644 index 0000000000..8014ebe3bf --- /dev/null +++ b/queue-6.1/ksmbd-fix-race-condition-in-rpc-handle-list-access.patch @@ -0,0 +1,106 @@ +From stable+bounces-213018-greg=kroah.com@vger.kernel.org Mon Feb 2 04:17:53 2026 +From: Li hongliang <1468888505@139.com> +Date: Mon, 2 Feb 2026 11:17:11 +0800 +Subject: ksmbd: Fix race condition in RPC handle list access +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, ysk@kzalloc.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, linkinjeon@kernel.org, sfrench@samba.org, senozhatsky@chromium.org, tom@talpey.com, akendo@akendo.eu, set_pte_at@outlook.com, linux-cifs@vger.kernel.org, stfrench@microsoft.com +Message-ID: <20260202031711.515125-1-1468888505@139.com> + +From: Yunseong Kim + +[ Upstream commit 305853cce379407090a73b38c5de5ba748893aee ] + +The 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd +session. Access to this list is intended to be protected by +'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was +flawed, leading to potential race conditions. + +In ksmbd_session_rpc_open(), the code incorrectly acquired only a read lock +before calling xa_store() and xa_erase(). Since these operations modify +the XArray structure, a write lock is required to ensure exclusive access +and prevent data corruption from concurrent modifications. + +Furthermore, ksmbd_session_rpc_method() accessed the list using xa_load() +without holding any lock at all. This could lead to reading inconsistent +data or a potential use-after-free if an entry is concurrently removed and +the pointer is dereferenced. + +Fix these issues by: +1. Using down_write() and up_write() in ksmbd_session_rpc_open() + to ensure exclusive access during XArray modification, and ensuring + the lock is correctly released on error paths. +2. Adding down_read() and up_read() in ksmbd_session_rpc_method() + to safely protect the lookup. + +Fixes: a1f46c99d9ea ("ksmbd: fix use-after-free in ksmbd_session_rpc_open") +Fixes: b685757c7b08 ("ksmbd: Implements sess->rpc_handle_list as xarray") +Cc: stable@vger.kernel.org +Signed-off-by: Yunseong Kim +Acked-by: Namjae Jeon +Signed-off-by: Steve French +[ Minor conflict resolved. ] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/mgmt/user_session.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -104,29 +104,32 @@ int ksmbd_session_rpc_open(struct ksmbd_ + if (!entry) + return -ENOMEM; + +- down_read(&sess->rpc_lock); + entry->method = method; + entry->id = id = ksmbd_ipc_id_alloc(); + if (id < 0) + goto free_entry; ++ ++ down_write(&sess->rpc_lock); + old = xa_store(&sess->rpc_handle_list, id, entry, GFP_KERNEL); +- if (xa_is_err(old)) ++ if (xa_is_err(old)) { ++ up_write(&sess->rpc_lock); + goto free_id; ++ } + + resp = ksmbd_rpc_open(sess, id); +- if (!resp) +- goto erase_xa; ++ if (!resp) { ++ xa_erase(&sess->rpc_handle_list, entry->id); ++ up_write(&sess->rpc_lock); ++ goto free_id; ++ } + +- up_read(&sess->rpc_lock); ++ up_write(&sess->rpc_lock); + kvfree(resp); + return id; +-erase_xa: +- xa_erase(&sess->rpc_handle_list, entry->id); + free_id: + ksmbd_rpc_id_free(entry->id); + free_entry: + kfree(entry); +- up_read(&sess->rpc_lock); + return -EINVAL; + } + +@@ -144,9 +147,14 @@ void ksmbd_session_rpc_close(struct ksmb + int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id) + { + struct ksmbd_session_rpc *entry; ++ int method; + ++ down_read(&sess->rpc_lock); + entry = xa_load(&sess->rpc_handle_list, id); +- return entry ? entry->method : 0; ++ method = entry ? entry->method : 0; ++ up_read(&sess->rpc_lock); ++ ++ return method; + } + + void ksmbd_session_destroy(struct ksmbd_session *sess) diff --git a/queue-6.1/ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch b/queue-6.1/ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch new file mode 100644 index 0000000000..b8eb46c31b --- /dev/null +++ b/queue-6.1/ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch @@ -0,0 +1,119 @@ +From 1468888505@139.com Mon Feb 2 04:15:55 2026 +From: Li hongliang <1468888505@139.com> +Date: Mon, 2 Feb 2026 11:15:50 +0800 +Subject: ksmbd: fix use-after-free in ksmbd_session_rpc_open +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, linkinjeon@kernel.org +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, norbert@doyensec.com, ysk@kzalloc.com, sfrench@samba.org, senozhatsky@chromium.org, tom@talpey.com, akendo@akendo.eu, set_pte_at@outlook.com, linux-cifs@vger.kernel.org, stfrench@microsoft.com +Message-ID: <20260202031550.514894-1-1468888505@139.com> + +From: Namjae Jeon + +[ Upstream commit a1f46c99d9ea411f9bf30025b912d881d36fc709 ] + +A UAF issue can occur due to a race condition between +ksmbd_session_rpc_open() and __session_rpc_close(). +Add rpc_lock to the session to protect it. + +Cc: stable@vger.kernel.org +Reported-by: Norbert Szetei +Tested-by: Norbert Szetei +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +[ KSMBD_DEFAULT_GFP is introduced by commit 0066f623bce8 ("ksmbd: use __GFP_RETRY_MAYFAIL") + after linux-6.13. Here we still use GFP_KERNEL. ] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/server/mgmt/user_session.c | 20 ++++++++++++++------ + fs/smb/server/mgmt/user_session.h | 1 + + 2 files changed, 15 insertions(+), 6 deletions(-) + +--- a/fs/smb/server/mgmt/user_session.c ++++ b/fs/smb/server/mgmt/user_session.c +@@ -59,10 +59,12 @@ static void ksmbd_session_rpc_clear_list + struct ksmbd_session_rpc *entry; + long index; + ++ down_write(&sess->rpc_lock); + xa_for_each(&sess->rpc_handle_list, index, entry) { + xa_erase(&sess->rpc_handle_list, index); + __session_rpc_close(sess, entry); + } ++ up_write(&sess->rpc_lock); + + xa_destroy(&sess->rpc_handle_list); + } +@@ -92,7 +94,7 @@ int ksmbd_session_rpc_open(struct ksmbd_ + { + struct ksmbd_session_rpc *entry, *old; + struct ksmbd_rpc_command *resp; +- int method; ++ int method, id; + + method = __rpc_method(rpc_name); + if (!method) +@@ -102,26 +104,29 @@ int ksmbd_session_rpc_open(struct ksmbd_ + if (!entry) + return -ENOMEM; + ++ down_read(&sess->rpc_lock); + entry->method = method; +- entry->id = ksmbd_ipc_id_alloc(); +- if (entry->id < 0) ++ entry->id = id = ksmbd_ipc_id_alloc(); ++ if (id < 0) + goto free_entry; +- old = xa_store(&sess->rpc_handle_list, entry->id, entry, GFP_KERNEL); ++ old = xa_store(&sess->rpc_handle_list, id, entry, GFP_KERNEL); + if (xa_is_err(old)) + goto free_id; + +- resp = ksmbd_rpc_open(sess, entry->id); ++ resp = ksmbd_rpc_open(sess, id); + if (!resp) + goto erase_xa; + ++ up_read(&sess->rpc_lock); + kvfree(resp); +- return entry->id; ++ return id; + erase_xa: + xa_erase(&sess->rpc_handle_list, entry->id); + free_id: + ksmbd_rpc_id_free(entry->id); + free_entry: + kfree(entry); ++ up_read(&sess->rpc_lock); + return -EINVAL; + } + +@@ -129,9 +134,11 @@ void ksmbd_session_rpc_close(struct ksmb + { + struct ksmbd_session_rpc *entry; + ++ down_write(&sess->rpc_lock); + entry = xa_erase(&sess->rpc_handle_list, id); + if (entry) + __session_rpc_close(sess, entry); ++ up_write(&sess->rpc_lock); + } + + int ksmbd_session_rpc_method(struct ksmbd_session *sess, int id) +@@ -404,6 +411,7 @@ static struct ksmbd_session *__session_c + sess->sequence_number = 1; + rwlock_init(&sess->tree_conns_lock); + atomic_set(&sess->refcnt, 2); ++ init_rwsem(&sess->rpc_lock); + + ret = __init_smb2_session(sess); + if (ret) +--- a/fs/smb/server/mgmt/user_session.h ++++ b/fs/smb/server/mgmt/user_session.h +@@ -63,6 +63,7 @@ struct ksmbd_session { + rwlock_t tree_conns_lock; + + atomic_t refcnt; ++ struct rw_semaphore rpc_lock; + }; + + static inline int test_session_flag(struct ksmbd_session *sess, int bit) diff --git a/queue-6.1/net-stmmac-make-sure-that-ptp_rate-is-not-0-before-configuring-est.patch b/queue-6.1/net-stmmac-make-sure-that-ptp_rate-is-not-0-before-configuring-est.patch new file mode 100644 index 0000000000..25331f089b --- /dev/null +++ b/queue-6.1/net-stmmac-make-sure-that-ptp_rate-is-not-0-before-configuring-est.patch @@ -0,0 +1,62 @@ +From stable+bounces-212841-greg=kroah.com@vger.kernel.org Fri Jan 30 07:02:45 2026 +From: Rahul Sharma +Date: Fri, 30 Jan 2026 14:01:31 +0800 +Subject: net: stmmac: make sure that ptp_rate is not 0 before configuring EST +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, "Alexis Lothoré" , "Maxime Chevallier" , "Jakub Kicinski" , "Rahul Sharma" +Message-ID: <20260130060131.3650575-1-black.hawk@163.com> + +From: Alexis Lothoré + +[ Upstream commit cbefe2ffa7784525ec5d008ba87c7add19ec631a ] + +If the ptp_rate recorded earlier in the driver happens to be 0, this +bogus value will propagate up to EST configuration, where it will +trigger a division by 0. + +Prevent this division by 0 by adding the corresponding check and error +code. + +Suggested-by: Maxime Chevallier +Signed-off-by: Alexis Lothoré +Fixes: 8572aec3d0dc ("net: stmmac: Add basic EST support for XGMAC") +Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-2-d73340a794d5@bootlin.com +Signed-off-by: Jakub Kicinski +[ The context change is due to the commit c3f3b97238f6 +("net: stmmac: Refactor EST implementation") +and the proper adoption is done. ] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac5.c | 5 +++++ + drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 5 +++++ + 2 files changed, 10 insertions(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac5.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac5.c +@@ -597,6 +597,11 @@ int dwmac5_est_configure(void __iomem *i + int i, ret = 0x0; + u32 ctrl; + ++ if (!ptp_rate) { ++ pr_warn("Dwmac5: Invalid PTP rate"); ++ return -EINVAL; ++ } ++ + ret |= dwmac5_est_write(ioaddr, BTR_LOW, cfg->btr[0], false); + ret |= dwmac5_est_write(ioaddr, BTR_HIGH, cfg->btr[1], false); + ret |= dwmac5_est_write(ioaddr, TER, cfg->ter, false); +--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c +@@ -1497,6 +1497,11 @@ static int dwxgmac3_est_configure(void _ + int i, ret = 0x0; + u32 ctrl; + ++ if (!ptp_rate) { ++ pr_warn("Dwxgmac2: Invalid PTP rate"); ++ return -EINVAL; ++ } ++ + ret |= dwxgmac3_est_write(ioaddr, XGMAC_BTR_LOW, cfg->btr[0], false); + ret |= dwxgmac3_est_write(ioaddr, XGMAC_BTR_HIGH, cfg->btr[1], false); + ret |= dwxgmac3_est_write(ioaddr, XGMAC_TER, cfg->ter, false); diff --git a/queue-6.1/nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch b/queue-6.1/nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch new file mode 100644 index 0000000000..fc5d5939db --- /dev/null +++ b/queue-6.1/nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch @@ -0,0 +1,169 @@ +From stable+bounces-211937-greg=kroah.com@vger.kernel.org Wed Jan 28 09:34:31 2026 +From: Rahul Sharma +Date: Wed, 28 Jan 2026 16:33:34 +0800 +Subject: NFSD: fix race between nfsd registration and exports_proc +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Maninder Singh , Shubham Rana , Jeff Layton , Chuck Lever , Rahul Sharma +Message-ID: <20260128083334.2450566-1-black.hawk@163.com> + +From: Maninder Singh + +[ Upstream commit f7fb730cac9aafda8b9813b55d04e28a9664d17c ] + +As of now nfsd calls create_proc_exports_entry() at start of init_nfsd +and cleanup by remove_proc_entry() at last of exit_nfsd. + +Which causes kernel OOPs if there is race between below 2 operations: +(i) exportfs -r +(ii) mount -t nfsd none /proc/fs/nfsd + +for 5.4 kernel ARM64: + +CPU 1: +el1_irq+0xbc/0x180 +arch_counter_get_cntvct+0x14/0x18 +running_clock+0xc/0x18 +preempt_count_add+0x88/0x110 +prep_new_page+0xb0/0x220 +get_page_from_freelist+0x2d8/0x1778 +__alloc_pages_nodemask+0x15c/0xef0 +__vmalloc_node_range+0x28c/0x478 +__vmalloc_node_flags_caller+0x8c/0xb0 +kvmalloc_node+0x88/0xe0 +nfsd_init_net+0x6c/0x108 [nfsd] +ops_init+0x44/0x170 +register_pernet_operations+0x114/0x270 +register_pernet_subsys+0x34/0x50 +init_nfsd+0xa8/0x718 [nfsd] +do_one_initcall+0x54/0x2e0 + +CPU 2 : +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 + +PC is at : exports_net_open+0x50/0x68 [nfsd] + +Call trace: +exports_net_open+0x50/0x68 [nfsd] +exports_proc_open+0x2c/0x38 [nfsd] +proc_reg_open+0xb8/0x198 +do_dentry_open+0x1c4/0x418 +vfs_open+0x38/0x48 +path_openat+0x28c/0xf18 +do_filp_open+0x70/0xe8 +do_sys_open+0x154/0x248 + +Sometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu(). + +and same is happening on latest 6.14 kernel as well: + +[ 0.000000] Linux version 6.14.0-rc5-next-20250304-dirty +... +[ 285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48 +... +[ 285.464902] pc : cache_seq_next_rcu+0x78/0xa4 +... +[ 285.469695] Call trace: +[ 285.470083] cache_seq_next_rcu+0x78/0xa4 (P) +[ 285.470488] seq_read+0xe0/0x11c +[ 285.470675] proc_reg_read+0x9c/0xf0 +[ 285.470874] vfs_read+0xc4/0x2fc +[ 285.471057] ksys_read+0x6c/0xf4 +[ 285.471231] __arm64_sys_read+0x1c/0x28 +[ 285.471428] invoke_syscall+0x44/0x100 +[ 285.471633] el0_svc_common.constprop.0+0x40/0xe0 +[ 285.471870] do_el0_svc_compat+0x1c/0x34 +[ 285.472073] el0_svc_compat+0x2c/0x80 +[ 285.472265] el0t_32_sync_handler+0x90/0x140 +[ 285.472473] el0t_32_sync+0x19c/0x1a0 +[ 285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3) +[ 285.473422] ---[ end trace 0000000000000000 ]--- + +It reproduced simply with below script: +while [ 1 ] +do +/exportfs -r +done & + +while [ 1 ] +do +insmod /nfsd.ko +mount -t nfsd none /proc/fs/nfsd +umount /proc/fs/nfsd +rmmod nfsd +done & + +So exporting interfaces to user space shall be done at last and +cleanup at first place. + +With change there is no Kernel OOPs. + +Co-developed-by: Shubham Rana +Signed-off-by: Shubham Rana +Signed-off-by: Maninder Singh +Reviewed-by: Jeff Layton +Cc: stable@vger.kernel.org +Signed-off-by: Chuck Lever +[ The context change is due to the commit bd9d6a3efa97 +("NFSD: add rpc_status netlink support") in v6.7 +and the proper adoption is done. ] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfsctl.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1511,12 +1511,9 @@ static int __init init_nfsd(void) + if (retval) + goto out_free_pnfs; + nfsd_lockd_init(); /* lockd->nfsd callbacks */ +- retval = create_proc_exports_entry(); +- if (retval) +- goto out_free_lockd; + retval = register_pernet_subsys(&nfsd_net_ops); + if (retval < 0) +- goto out_free_exports; ++ goto out_free_lockd; + retval = register_cld_notifier(); + if (retval) + goto out_free_subsys; +@@ -1525,17 +1522,19 @@ static int __init init_nfsd(void) + goto out_free_cld; + retval = register_filesystem(&nfsd_fs_type); + if (retval) ++ goto out_free_nfsd4; ++ retval = create_proc_exports_entry(); ++ if (retval) + goto out_free_all; + return 0; + out_free_all: ++ unregister_filesystem(&nfsd_fs_type); ++out_free_nfsd4: + nfsd4_destroy_laundry_wq(); + out_free_cld: + unregister_cld_notifier(); + out_free_subsys: + unregister_pernet_subsys(&nfsd_net_ops); +-out_free_exports: +- remove_proc_entry("fs/nfs/exports", NULL); +- remove_proc_entry("fs/nfs", NULL); + out_free_lockd: + nfsd_lockd_shutdown(); + nfsd_drc_slab_free(); +@@ -1548,13 +1547,13 @@ out_free_slabs: + + static void __exit exit_nfsd(void) + { ++ remove_proc_entry("fs/nfs/exports", NULL); ++ remove_proc_entry("fs/nfs", NULL); + unregister_filesystem(&nfsd_fs_type); + nfsd4_destroy_laundry_wq(); + unregister_cld_notifier(); + unregister_pernet_subsys(&nfsd_net_ops); + nfsd_drc_slab_free(); +- remove_proc_entry("fs/nfs/exports", NULL); +- remove_proc_entry("fs/nfs", NULL); + nfsd_lockd_shutdown(); + nfsd4_free_slabs(); + nfsd4_exit_pnfs(); diff --git a/queue-6.1/revert-mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch b/queue-6.1/revert-mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch new file mode 100644 index 0000000000..03776015fd --- /dev/null +++ b/queue-6.1/revert-mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch @@ -0,0 +1,192 @@ +From stable+bounces-209984-greg=kroah.com@vger.kernel.org Fri Jan 16 04:40:33 2026 +From: Harry Yoo +Date: Fri, 16 Jan 2026 12:38:38 +0900 +Subject: Revert "mm/mprotect: delete pmd_none_or_clear_bad_unless_trans_huge()" +To: Greg Kroah-Hartman , stable@vger.kernel.org +Cc: Liam.Howlett@oracle.com, akpm@linux-foundation.org, david@kernel.org, hughd@google.com, jannh@google.com, linux-mm@kvack.org, lorenzo.stoakes@oracle.com, pfalcato@suse.de, vbabka@suse.cz, Harry Yoo +Message-ID: <20260116033838.20253-1-harry.yoo@oracle.com> + +From: Harry Yoo + +This reverts commit 91750c8a4be42d73b6810a1c35d73c8a3cd0b481 which is +commit 670ddd8cdcbd1d07a4571266ae3517f821728c3a upstream. + +While the commit fixes a race condition between NUMA balancing and THP +migration, it causes a NULL-pointer-deref when the pmd temporarily +transitions from pmd_trans_huge() to pmd_none(). Verifying whether the +pmd value has changed under page table lock does not prevent the crash, +as it occurs when acquiring the lock. + +Since the original issue addressed by the commit is quite rare and +non-fatal, revert the commit. A better backport solution that more +closely matches the upstream semantics will be provided as a follow-up. + +Signed-off-by: Harry Yoo +Signed-off-by: Greg Kroah-Hartman +--- + mm/mprotect.c | 101 +++++++++++++++++++++++++++++++++------------------------- + 1 file changed, 58 insertions(+), 43 deletions(-) + +--- a/mm/mprotect.c ++++ b/mm/mprotect.c +@@ -73,12 +73,10 @@ static inline bool can_change_pte_writab + } + + static long change_pte_range(struct mmu_gather *tlb, +- struct vm_area_struct *vma, pmd_t *pmd, pmd_t pmd_old, +- unsigned long addr, unsigned long end, pgprot_t newprot, +- unsigned long cp_flags) ++ struct vm_area_struct *vma, pmd_t *pmd, unsigned long addr, ++ unsigned long end, pgprot_t newprot, unsigned long cp_flags) + { + pte_t *pte, oldpte; +- pmd_t _pmd; + spinlock_t *ptl; + long pages = 0; + int target_node = NUMA_NO_NODE; +@@ -88,15 +86,21 @@ static long change_pte_range(struct mmu_ + + tlb_change_page_size(tlb, PAGE_SIZE); + ++ /* ++ * Can be called with only the mmap_lock for reading by ++ * prot_numa so we must check the pmd isn't constantly ++ * changing from under us from pmd_none to pmd_trans_huge ++ * and/or the other way around. ++ */ ++ if (pmd_trans_unstable(pmd)) ++ return 0; ++ ++ /* ++ * The pmd points to a regular pte so the pmd can't change ++ * from under us even if the mmap_lock is only hold for ++ * reading. ++ */ + pte = pte_offset_map_lock(vma->vm_mm, pmd, addr, &ptl); +- /* Make sure pmd didn't change after acquiring ptl */ +- _pmd = pmd_read_atomic(pmd); +- /* See pmd_none_or_trans_huge_or_clear_bad for info on barrier */ +- barrier(); +- if (!pmd_same(pmd_old, _pmd)) { +- pte_unmap_unlock(pte, ptl); +- return -EAGAIN; +- } + + /* Get target node for single threaded private VMAs */ + if (prot_numa && !(vma->vm_flags & VM_SHARED) && +@@ -284,6 +288,31 @@ static long change_pte_range(struct mmu_ + return pages; + } + ++/* ++ * Used when setting automatic NUMA hinting protection where it is ++ * critical that a numa hinting PMD is not confused with a bad PMD. ++ */ ++static inline int pmd_none_or_clear_bad_unless_trans_huge(pmd_t *pmd) ++{ ++ pmd_t pmdval = pmd_read_atomic(pmd); ++ ++ /* See pmd_none_or_trans_huge_or_clear_bad for info on barrier */ ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE ++ barrier(); ++#endif ++ ++ if (pmd_none(pmdval)) ++ return 1; ++ if (pmd_trans_huge(pmdval)) ++ return 0; ++ if (unlikely(pmd_bad(pmdval))) { ++ pmd_clear_bad(pmd); ++ return 1; ++ } ++ ++ return 0; ++} ++ + /* Return true if we're uffd wr-protecting file-backed memory, or false */ + static inline bool + uffd_wp_protect_file(struct vm_area_struct *vma, unsigned long cp_flags) +@@ -331,34 +360,22 @@ static inline long change_pmd_range(stru + + pmd = pmd_offset(pud, addr); + do { +- long ret; +- pmd_t _pmd; +-again: ++ long this_pages; ++ + next = pmd_addr_end(addr, end); +- _pmd = pmd_read_atomic(pmd); +- /* See pmd_none_or_trans_huge_or_clear_bad for info on barrier */ +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE +- barrier(); +-#endif + + change_pmd_prepare(vma, pmd, cp_flags); + /* + * Automatic NUMA balancing walks the tables with mmap_lock + * held for read. It's possible a parallel update to occur +- * between pmd_trans_huge(), is_swap_pmd(), and +- * a pmd_none_or_clear_bad() check leading to a false positive +- * and clearing. Hence, it's necessary to atomically read +- * the PMD value for all the checks. ++ * between pmd_trans_huge() and a pmd_none_or_clear_bad() ++ * check leading to a false positive and clearing. ++ * Hence, it's necessary to atomically read the PMD value ++ * for all the checks. + */ +- if (!is_swap_pmd(_pmd) && !pmd_devmap(_pmd) && !pmd_trans_huge(_pmd)) { +- if (pmd_none(_pmd)) +- goto next; +- +- if (pmd_bad(_pmd)) { +- pmd_clear_bad(pmd); +- goto next; +- } +- } ++ if (!is_swap_pmd(*pmd) && !pmd_devmap(*pmd) && ++ pmd_none_or_clear_bad_unless_trans_huge(pmd)) ++ goto next; + + /* invoke the mmu notifier if the pmd is populated */ + if (!range.start) { +@@ -368,7 +385,7 @@ again: + mmu_notifier_invalidate_range_start(&range); + } + +- if (is_swap_pmd(_pmd) || pmd_trans_huge(_pmd) || pmd_devmap(_pmd)) { ++ if (is_swap_pmd(*pmd) || pmd_trans_huge(*pmd) || pmd_devmap(*pmd)) { + if ((next - addr != HPAGE_PMD_SIZE) || + uffd_wp_protect_file(vma, cp_flags)) { + __split_huge_pmd(vma, pmd, addr, false, NULL); +@@ -383,11 +400,11 @@ again: + * change_huge_pmd() does not defer TLB flushes, + * so no need to propagate the tlb argument. + */ +- ret = change_huge_pmd(tlb, vma, pmd, +- addr, newprot, cp_flags); ++ int nr_ptes = change_huge_pmd(tlb, vma, pmd, ++ addr, newprot, cp_flags); + +- if (ret) { +- if (ret == HPAGE_PMD_NR) { ++ if (nr_ptes) { ++ if (nr_ptes == HPAGE_PMD_NR) { + pages += HPAGE_PMD_NR; + nr_huge_updates++; + } +@@ -398,11 +415,9 @@ again: + } + /* fall through, the trans huge pmd just split */ + } +- ret = change_pte_range(tlb, vma, pmd, _pmd, addr, next, +- newprot, cp_flags); +- if (ret < 0) +- goto again; +- pages += ret; ++ this_pages = change_pte_range(tlb, vma, pmd, addr, next, ++ newprot, cp_flags); ++ pages += this_pages; + next: + cond_resched(); + } while (pmd++, addr = next, addr != end); diff --git a/queue-6.1/revert-net-mlx5-block-entering-switchdev-mode-with-ns-inconsistency.patch b/queue-6.1/revert-net-mlx5-block-entering-switchdev-mode-with-ns-inconsistency.patch new file mode 100644 index 0000000000..f74370a521 --- /dev/null +++ b/queue-6.1/revert-net-mlx5-block-entering-switchdev-mode-with-ns-inconsistency.patch @@ -0,0 +1,64 @@ +From black.hawk@163.com Tue Jan 27 06:17:16 2026 +From: Rahul Sharma +Date: Tue, 27 Jan 2026 13:17:07 +0800 +Subject: Revert "net/mlx5: Block entering switchdev mode with ns inconsistency" +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Gavin Li , Jiri Pirko , Saeed Mahameed , Rahul Sharma +Message-ID: <20260127051707.2439076-1-black.hawk@163.com> + +From: Gavin Li + +[ Upstream commit 8deeefb24786ea7950b37bde4516b286c877db00 ] + +This reverts commit 662404b24a4c4d839839ed25e3097571f5938b9b. +The revert is required due to the suspicion it is not good for anything +and cause crash. + +Fixes: 662404b24a4c ("net/mlx5e: Block entering switchdev mode with ns inconsistency") +Signed-off-by: Gavin Li +Reviewed-by: Jiri Pirko +Signed-off-by: Saeed Mahameed +[ The context change is due to the commit e25373416678 +("net/mlx5e: Rewrite IPsec vs. TC block interface") in v6.6 +which is irrelevant to the logic of this patch. ] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 19 ------------- + 1 file changed, 19 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c +@@ -3493,18 +3493,6 @@ static int esw_inline_mode_to_devlink(u8 + return 0; + } + +-static bool esw_offloads_devlink_ns_eq_netdev_ns(struct devlink *devlink) +-{ +- struct net *devl_net, *netdev_net; +- struct mlx5_eswitch *esw; +- +- esw = mlx5_devlink_eswitch_get(devlink); +- netdev_net = dev_net(esw->dev->mlx5e_res.uplink_netdev); +- devl_net = devlink_net(devlink); +- +- return net_eq(devl_net, netdev_net); +-} +- + int mlx5_devlink_eswitch_mode_set(struct devlink *devlink, u16 mode, + struct netlink_ext_ack *extack) + { +@@ -3519,13 +3507,6 @@ int mlx5_devlink_eswitch_mode_set(struct + if (esw_mode_from_devlink(mode, &mlx5_mode)) + return -EINVAL; + +- if (mode == DEVLINK_ESWITCH_MODE_SWITCHDEV && +- !esw_offloads_devlink_ns_eq_netdev_ns(devlink)) { +- NL_SET_ERR_MSG_MOD(extack, +- "Can't change E-Switch mode to switchdev when netdev net namespace has diverged from the devlink's."); +- return -EPERM; +- } +- + mlx5_lag_disable_change(esw->dev); + err = mlx5_esw_try_lock(esw); + if (err < 0) { diff --git a/queue-6.1/sctp-linearize-cloned-gso-packets-in-sctp_rcv.patch b/queue-6.1/sctp-linearize-cloned-gso-packets-in-sctp_rcv.patch new file mode 100644 index 0000000000..5cfc3ea1a8 --- /dev/null +++ b/queue-6.1/sctp-linearize-cloned-gso-packets-in-sctp_rcv.patch @@ -0,0 +1,80 @@ +From stable+bounces-212845-greg=kroah.com@vger.kernel.org Fri Jan 30 08:11:03 2026 +From: Li hongliang <1468888505@139.com> +Date: Fri, 30 Jan 2026 15:10:38 +0800 +Subject: sctp: linearize cloned gso packets in sctp_rcv +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, lucien.xin@gmail.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, vyasevich@gmail.com, nhorman@tuxdriver.com, marcelo.leitner@gmail.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, linux-sctp@vger.kernel.org, netdev@vger.kernel.org +Message-ID: <20260130071038.3931297-1-1468888505@139.com> + +From: Xin Long + +[ Upstream commit fd60d8a086191fe33c2d719732d2482052fa6805 ] + +A cloned head skb still shares these frag skbs in fraglist with the +original head skb. It's not safe to access these frag skbs. + +syzbot reported two use-of-uninitialized-memory bugs caused by this: + + BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 + sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 + sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998 + sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 + sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331 + sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122 + __release_sock+0x1da/0x330 net/core/sock.c:3106 + release_sock+0x6b/0x250 net/core/sock.c:3660 + sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360 + sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885 + sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031 + inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851 + sock_sendmsg_nosec net/socket.c:718 [inline] + +and + + BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 + sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 + sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88 + sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331 + sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 + __release_sock+0x1d3/0x330 net/core/sock.c:3213 + release_sock+0x6b/0x270 net/core/sock.c:3767 + sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367 + sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886 + sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032 + inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851 + sock_sendmsg_nosec net/socket.c:712 [inline] + +This patch fixes it by linearizing cloned gso packets in sctp_rcv(). + +Fixes: 90017accff61 ("sctp: Add GSO support") +Reported-by: syzbot+773e51afe420baaf0e2b@syzkaller.appspotmail.com +Reported-by: syzbot+70a42f45e76bede082be@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Reviewed-by: Marcelo Ricardo Leitner +Link: https://patch.msgid.link/dd7dc337b99876d4132d0961f776913719f7d225.1754595611.git.lucien.xin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- +This patch is lost/missing, as it has already been added +into stable branches less than and greater than 6.1. Previous patch in +https://lore.kernel.org/stable/20251022075549.195012-1-kovalev@altlinux.org/ is still not added. +So I resent it again. +Signed-off-by: Greg Kroah-Hartman +--- +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/input.c ++++ b/net/sctp/input.c +@@ -114,7 +114,7 @@ int sctp_rcv(struct sk_buff *skb) + * it's better to just linearize it otherwise crc computing + * takes longer. + */ +- if ((!is_gso && skb_linearize(skb)) || ++ if (((!is_gso || skb_cloned(skb)) && skb_linearize(skb)) || + !pskb_may_pull(skb, sizeof(struct sctphdr))) + goto discard_it; + diff --git a/queue-6.1/series b/queue-6.1/series index 4e2a87244f..ca89e31f97 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -251,3 +251,22 @@ team-move-team-device-type-change-at-the-end-of-team_port_add.patch wifi-mac80211-use-wiphy-work-for-sdata-work.patch wifi-mac80211-move-tdls-work-to-wiphy-work.patch genirq-irq_sim-initialize-work-context-pointers-properly.patch +drm-amdkfd-fix-a-memory-leak-in-device_queue_manager_init.patch +can-esd_usb-esd_usb_read_bulk_callback-fix-urb-memory-leak.patch +revert-mm-mprotect-delete-pmd_none_or_clear_bad_unless_trans_huge.patch +drm-amd-display-check-dce_hwseq-before-dereferencing-it.patch +crypto-qat-flush-misc-workqueue-during-device-shutdown.patch +iomap-fix-possible-overflow-condition-in-iomap_write_delalloc_scan.patch +fs-ntfs3-initialize-allocated-memory-before-use.patch +blk-cgroup-reinit-blkg_iostat_set-after-clearing-in-blkcg_reset_stats.patch +revert-net-mlx5-block-entering-switchdev-mode-with-ns-inconsistency.patch +gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch +nfsd-fix-race-between-nfsd-registration-and-exports_proc.patch +usbnet-fix-using-smp_processor_id-in-preemptible-code-warnings.patch +drm-amdgpu-replace-mutex-with-spinlock-for-rlcg-register-access-to-avoid-priority-inversion-in-sriov.patch +net-stmmac-make-sure-that-ptp_rate-is-not-0-before-configuring-est.patch +sctp-linearize-cloned-gso-packets-in-sctp_rcv.patch +ksmbd-fix-use-after-free-in-ksmbd_session_rpc_open.patch +ksmbd-fix-race-condition-in-rpc-handle-list-access.patch +vhost-scsi-fix-handling-of-multiple-calls-to-vhost_scsi_set_endpoint.patch +drm-radeon-delete-radeon_fence_process-in-is_signaled-no-deadlock.patch diff --git a/queue-6.1/usbnet-fix-using-smp_processor_id-in-preemptible-code-warnings.patch b/queue-6.1/usbnet-fix-using-smp_processor_id-in-preemptible-code-warnings.patch new file mode 100644 index 0000000000..d0d303ecdd --- /dev/null +++ b/queue-6.1/usbnet-fix-using-smp_processor_id-in-preemptible-code-warnings.patch @@ -0,0 +1,78 @@ +From stable+bounces-212747-greg=kroah.com@vger.kernel.org Thu Jan 29 09:00:19 2026 +From: Rahul Sharma +Date: Thu, 29 Jan 2026 15:58:54 +0800 +Subject: usbnet: Fix using smp_processor_id() in preemptible code warnings +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Zqiang , Jakub Kicinski , Paolo Abeni , Rahul Sharma +Message-ID: <20260129075854.2945271-1-black.hawk@163.com> + +From: Zqiang + +[ Upstream commit 327cd4b68b4398b6c24f10eb2b2533ffbfc10185 ] + +Syzbot reported the following warning: + +BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879 +caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 +CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary) +Call Trace: + + __dump_stack lib/dump_stack.c:94 [inline] + dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 + check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49 + usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 + usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708 + usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417 + __dev_set_mtu net/core/dev.c:9443 [inline] + netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496 + netif_set_mtu+0xb0/0x160 net/core/dev.c:9520 + dev_set_mtu+0xae/0x170 net/core/dev_api.c:247 + dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572 + dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821 + sock_do_ioctl+0x19d/0x280 net/socket.c:1204 + sock_ioctl+0x42f/0x6a0 net/socket.c:1311 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:906 [inline] + __se_sys_ioctl fs/ioctl.c:892 [inline] + __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +For historical and portability reasons, the netif_rx() is usually +run in the softirq or interrupt context, this commit therefore add +local_bh_disable/enable() protection in the usbnet_resume_rx(). + +Fixes: 43daa96b166c ("usbnet: Stop RX Q on MTU change") +Link: https://syzkaller.appspot.com/bug?id=81f55dfa587ee544baaaa5a359a060512228c1e1 +Suggested-by: Jakub Kicinski +Signed-off-by: Zqiang +Link: https://patch.msgid.link/20251011070518.7095-1-qiang.zhang@linux.dev +Signed-off-by: Paolo Abeni +[ The context change is due to the commit 2c04d279e857 +("net: usb: Convert tasklet API to new bottom half workqueue mechanism") +in v6.17 which is irrelevant to the logic of this patch.] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/usbnet.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -704,6 +704,7 @@ void usbnet_resume_rx(struct usbnet *dev + struct sk_buff *skb; + int num = 0; + ++ local_bh_disable(); + clear_bit(EVENT_RX_PAUSED, &dev->flags); + + while ((skb = skb_dequeue(&dev->rxq_pause)) != NULL) { +@@ -712,6 +713,7 @@ void usbnet_resume_rx(struct usbnet *dev + } + + tasklet_schedule(&dev->bh); ++ local_bh_enable(); + + netif_dbg(dev, rx_status, dev->net, + "paused rx queue disabled, %d skbs requeued\n", num); diff --git a/queue-6.1/vhost-scsi-fix-handling-of-multiple-calls-to-vhost_scsi_set_endpoint.patch b/queue-6.1/vhost-scsi-fix-handling-of-multiple-calls-to-vhost_scsi_set_endpoint.patch new file mode 100644 index 0000000000..153798279c --- /dev/null +++ b/queue-6.1/vhost-scsi-fix-handling-of-multiple-calls-to-vhost_scsi_set_endpoint.patch @@ -0,0 +1,175 @@ +From stable+bounces-213026-greg=kroah.com@vger.kernel.org Mon Feb 2 07:47:41 2026 +From: Li hongliang <1468888505@139.com> +Date: Mon, 2 Feb 2026 14:47:19 +0800 +Subject: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, michael.christie@oracle.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, mst@redhat.com, jasowang@redhat.com, pbonzini@redhat.com, stefanha@redhat.com, mlombard@redhat.com, asias@redhat.com, nab@linux-iscsi.org, virtualization@lists.linux-foundation.org, kvm@vger.kernel.org, netdev@vger.kernel.org, wh1sper@zju.edu.cn, sgarzare@redhat.com +Message-ID: <20260202064719.642351-1-1468888505@139.com> + +From: Mike Christie + +[ Upstream commit 5dd639a1646ef5fe8f4bf270fad47c5c3755b9b6 ] + +If vhost_scsi_set_endpoint is called multiple times without a +vhost_scsi_clear_endpoint between them, we can hit multiple bugs +found by Haoran Zhang: + +1. Use-after-free when no tpgs are found: + +This fixes a use after free that occurs when vhost_scsi_set_endpoint is +called more than once and calls after the first call do not find any +tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds +tpgs to add to the vs_tpg array match=true, so we will do: + +vhost_vq_set_backend(vq, vs_tpg); +... + +kfree(vs->vs_tpg); +vs->vs_tpg = vs_tpg; + +If vhost_scsi_set_endpoint is called again and no tpgs are found +match=false so we skip the vhost_vq_set_backend call leaving the +pointer to the vs_tpg we then free via: + +kfree(vs->vs_tpg); +vs->vs_tpg = vs_tpg; + +If a scsi request is then sent we do: + +vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend + +which sees the vs_tpg we just did a kfree on. + +2. Tpg dir removal hang: + +This patch fixes an issue where we cannot remove a LIO/target layer +tpg (and structs above it like the target) dir due to the refcount +dropping to -1. + +The problem is that if vhost_scsi_set_endpoint detects a tpg is already +in the vs->vs_tpg array or if the tpg has been removed so +target_depend_item fails, the undepend goto handler will do +target_undepend_item on all tpgs in the vs_tpg array dropping their +refcount to 0. At this time vs_tpg contains both the tpgs we have added +in the current vhost_scsi_set_endpoint call as well as tpgs we added in +previous calls which are also in vs->vs_tpg. + +Later, when vhost_scsi_clear_endpoint runs it will do +target_undepend_item on all the tpgs in the vs->vs_tpg which will drop +their refcount to -1. Userspace will then not be able to remove the tpg +and will hang when it tries to do rmdir on the tpg dir. + +3. Tpg leak: + +This fixes a bug where we can leak tpgs and cause them to be +un-removable because the target name is overwritten when +vhost_scsi_set_endpoint is called multiple times but with different +target names. + +The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup +a vhost-scsi device to target/tpg mapping, then calls +VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we +haven't seen before (target1 has tpg1 but target2 has tpg2). When this +happens we don't teardown the old target tpg mapping and just overwrite +the target name and the vs->vs_tpg array. Later when we do +vhost_scsi_clear_endpoint, we are passed in either target1 or target2's +name and we will only match that target's tpgs when we loop over the +vs->vs_tpg. We will then return from the function without doing +target_undepend_item on the tpgs. + +Because of all these bugs, it looks like being able to call +vhost_scsi_set_endpoint multiple times was never supported. The major +user, QEMU, already has checks to prevent this use case. So to fix the +issues, this patch prevents vhost_scsi_set_endpoint from being called +if it's already successfully added tpgs. To add, remove or change the +tpg config or target name, you must do a vhost_scsi_clear_endpoint +first. + +Fixes: 25b98b64e284 ("vhost scsi: alloc cmds per vq instead of session") +Fixes: 4f7f46d32c98 ("tcm_vhost: Use vq->private_data to indicate if the endpoint is setup") +Reported-by: Haoran Zhang +Closes: https://lore.kernel.org/virtualization/e418a5ee-45ca-4d18-9b5d-6f8b6b1add8e@oracle.com/T/#me6c0041ce376677419b9b2563494172a01487ecb +Signed-off-by: Mike Christie +Reviewed-by: Stefan Hajnoczi +Message-Id: <20250129210922.121533-1-michael.christie@oracle.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Stefano Garzarella +[ Minor conflict resolved. ] +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/scsi.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/drivers/vhost/scsi.c ++++ b/drivers/vhost/scsi.c +@@ -1572,14 +1572,19 @@ vhost_scsi_set_endpoint(struct vhost_scs + } + } + ++ if (vs->vs_tpg) { ++ pr_err("vhost-scsi endpoint already set for %s.\n", ++ vs->vs_vhost_wwpn); ++ ret = -EEXIST; ++ goto out; ++ } ++ + len = sizeof(vs_tpg[0]) * VHOST_SCSI_MAX_TARGET; + vs_tpg = kzalloc(len, GFP_KERNEL); + if (!vs_tpg) { + ret = -ENOMEM; + goto out; + } +- if (vs->vs_tpg) +- memcpy(vs_tpg, vs->vs_tpg, len); + + list_for_each_entry(tpg, &vhost_scsi_list, tv_tpg_list) { + mutex_lock(&tpg->tv_tpg_mutex); +@@ -1594,11 +1599,6 @@ vhost_scsi_set_endpoint(struct vhost_scs + tv_tport = tpg->tport; + + if (!strcmp(tv_tport->tport_name, t->vhost_wwpn)) { +- if (vs->vs_tpg && vs->vs_tpg[tpg->tport_tpgt]) { +- mutex_unlock(&tpg->tv_tpg_mutex); +- ret = -EEXIST; +- goto undepend; +- } + /* + * In order to ensure individual vhost-scsi configfs + * groups cannot be removed while in use by vhost ioctl, +@@ -1643,15 +1643,15 @@ vhost_scsi_set_endpoint(struct vhost_scs + } + ret = 0; + } else { +- ret = -EEXIST; ++ ret = -ENODEV; ++ goto free_tpg; + } + + /* +- * Act as synchronize_rcu to make sure access to +- * old vs->vs_tpg is finished. ++ * Act as synchronize_rcu to make sure requests after this point ++ * see a fully setup device. + */ + vhost_scsi_flush(vs); +- kfree(vs->vs_tpg); + vs->vs_tpg = vs_tpg; + goto out; + +@@ -1668,6 +1668,7 @@ undepend: + target_undepend_item(&tpg->se_tpg.tpg_group.cg_item); + } + } ++free_tpg: + kfree(vs_tpg); + out: + mutex_unlock(&vs->dev.mutex); +@@ -1757,6 +1758,7 @@ vhost_scsi_clear_endpoint(struct vhost_s + vhost_scsi_flush(vs); + kfree(vs->vs_tpg); + vs->vs_tpg = NULL; ++ memset(vs->vs_vhost_wwpn, 0, sizeof(vs->vs_vhost_wwpn)); + WARN_ON(vs->vs_events_nr); + mutex_unlock(&vs->dev.mutex); + mutex_unlock(&vhost_scsi_mutex);