From: Greg Kroah-Hartman Date: Fri, 1 May 2026 11:14:45 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.12.86~62 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=66b958c54c21808688446afd411704625a6f99fa;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch io_uring-timeout-check-unused-sqe-fields.patch md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch selftests-mqueue-fix-incorrectly-named-file.patch --- diff --git a/queue-6.1/erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch b/queue-6.1/erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch new file mode 100644 index 0000000000..109182edba --- /dev/null +++ b/queue-6.1/erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch 
@@ -0,0 +1,88 @@ +From d18a3b5d337fa412a38e776e6b4b857a58836575 Mon Sep 17 00:00:00 2001 +From: Gao Xiang +Date: Tue, 21 Apr 2026 15:59:52 +0800 +Subject: erofs: fix the out-of-bounds nameoff handling for trailing dirents + +From: Gao Xiang + +commit d18a3b5d337fa412a38e776e6b4b857a58836575 upstream. + +Currently we already have boundary-checks for nameoffs, but the trailing +dirents are special since the namelens are calculated with strnlen() +with unchecked nameoffs. + +If a crafted EROFS has a trailing dirent with nameoff >= maxsize, +maxsize - nameoff can underflow, causing strnlen() to read past the +directory block. + +nameoff0 should also be verified to be a multiple of +`sizeof(struct erofs_dirent)` as well [1]. + +[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com + +Fixes: 3aa8ec716e52 ("staging: erofs: add directory operations") +Fixes: 33bac912840f ("staging: erofs: keep corrupted fs from crashing kernel in erofs_readdir()") +Reported-by: Yuhao Jiang +Reported-by: Junrui Luo +Closes: https://lore.kernel.org/r/A0FD7E0F-7558-49B0-8BC8-EB1ECDB2479A@outlook.com +Cc: stable@vger.kernel.org +Signed-off-by: Gao Xiang +Reviewed-by: Chao Yu +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/dir.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +--- a/fs/erofs/dir.c ++++ b/fs/erofs/dir.c +@@ -22,20 +22,18 @@ static int erofs_fill_dentries(struct in + nameoff = le16_to_cpu(de->nameoff); + de_name = (char *)dentry_blk + nameoff; + +- /* the last dirent in the block? */ +- if (de + 1 >= end) +- de_namelen = strnlen(de_name, maxsize - nameoff); +- else ++ /* non-trailing dirent in the directory block? 
*/ ++ if (de + 1 < end) + de_namelen = le16_to_cpu(de[1].nameoff) - nameoff; ++ else if (maxsize <= nameoff) ++ goto err_bogus; ++ else ++ de_namelen = strnlen(de_name, maxsize - nameoff); + +- /* a corrupted entry is found */ +- if (nameoff + de_namelen > maxsize || +- de_namelen > EROFS_NAME_LEN) { +- erofs_err(dir->i_sb, "bogus dirent @ nid %llu", +- EROFS_I(dir)->nid); +- DBG_BUGON(1); +- return -EFSCORRUPTED; +- } ++ /* a corrupted entry is found (including negative namelen) */ ++ if (!in_range32(de_namelen, 1, EROFS_NAME_LEN) || ++ nameoff + de_namelen > maxsize) ++ goto err_bogus; + + if (!dir_emit(ctx, de_name, de_namelen, + le64_to_cpu(de->nid), d_type)) +@@ -44,6 +42,10 @@ static int erofs_fill_dentries(struct in + ctx->pos += sizeof(struct erofs_dirent); + } + return 0; ++err_bogus: ++ erofs_err(dir->i_sb, "bogus dirent @ nid %llu", EROFS_I(dir)->nid); ++ DBG_BUGON(1); ++ return -EFSCORRUPTED; + } + + static int erofs_readdir(struct file *f, struct dir_context *ctx) +@@ -71,7 +73,7 @@ static int erofs_readdir(struct file *f, + } + + nameoff = le16_to_cpu(de->nameoff); +- if (nameoff < sizeof(struct erofs_dirent) || nameoff >= bsz) { ++ if (!nameoff || nameoff >= bsz || (nameoff % sizeof(*de))) { + erofs_err(sb, "invalid de[0].nameoff %u @ nid %llu", + nameoff, EROFS_I(dir)->nid); + err = -EFSCORRUPTED; diff --git a/queue-6.1/iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch b/queue-6.1/iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch new file mode 100644 index 0000000000..3fb8760471 --- /dev/null +++ b/queue-6.1/iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch 
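Review bot: The rewritten trailing-dirent path in erofs_fill_dentries() now depends on in_range32(), which as far as I can tell postdates the 6.1 release upstream, so confirm the 6.1.y tree defines it before queuing or the backport will not build; if it is missing, the equivalent open-coded test is `if (de_namelen < 1 || de_namelen > EROFS_NAME_LEN || nameoff + de_namelen > maxsize) goto err_bogus;`, which only keeps the "(including negative namelen)" behaviour if de_namelen is an unsigned type, as the comment implies. The non-trailing branch still computes `le16_to_cpu(de[1].nameoff) - nameoff` without a check, so the unsigned range test is the only thing rejecting a backwards nameoff; that is worth saying in the comment, e.g. `/* unsigned compare: also rejects de[1].nameoff < nameoff (negative namelen) */`. The new `nameoff % sizeof(*de)` check in erofs_readdir() matches the commit message, but note it replaces the old `nameoff < sizeof(struct erofs_dirent)` lower bound with `!nameoff`, which is only equivalent because the modulo check rejects the other small values. Both erofs_fill_dentries() and erofs_readdir() start and end outside this hunk.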
@@ -0,0 +1,59 @@ +From 7806c060cceb2d6895efbb6cff2f2f17cf1ec5de Mon Sep 17 00:00:00 2001 +From: David Lechner +Date: Sat, 14 Mar 2026 16:12:24 -0500 +Subject: iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned() + +From: David Lechner + +commit 7806c060cceb2d6895efbb6cff2f2f17cf1ec5de upstream. + +Use iio_push_to_buffers_with_ts_unaligned() to avoid unaligned access +when writing the timestamp in the rx_buf. + +The previous implementation would have been fine on architectures that +support 4-byte alignment of 64-bit integers but could cause issues on +architectures that require 8-byte alignment. + +Fixes: 902c4b2446d4 ("iio: adc: New driver for TI ADS7950 chips") +Signed-off-by: David Lechner +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ti-ads7950.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/iio/adc/ti-ads7950.c ++++ b/drivers/iio/adc/ti-ads7950.c +@@ -47,8 +47,6 @@ + #define TI_ADS7950_MAX_CHAN 16 + #define TI_ADS7950_NUM_GPIOS 4 + +-#define TI_ADS7950_TIMESTAMP_SIZE (sizeof(int64_t) / sizeof(__be16)) +- + /* val = value, dec = left shift, bits = number of bits of the mask */ + #define TI_ADS7950_EXTRACT(val, dec, bits) \ + (((val) >> (dec)) & ((1 << (bits)) - 1)) +@@ -105,8 +103,7 @@ struct ti_ads7950_state { + * DMA (thus cache coherency maintenance) may require the + * transfer buffers to live in their own cache lines. 
+ */ +- u16 rx_buf[TI_ADS7950_MAX_CHAN + 2 + TI_ADS7950_TIMESTAMP_SIZE] +- __aligned(IIO_DMA_MINALIGN); ++ u16 rx_buf[TI_ADS7950_MAX_CHAN + 2] __aligned(IIO_DMA_MINALIGN); + u16 tx_buf[TI_ADS7950_MAX_CHAN + 2]; + u16 single_tx; + u16 single_rx; +@@ -313,8 +310,10 @@ static irqreturn_t ti_ads7950_trigger_ha + if (ret < 0) + goto out; + +- iio_push_to_buffers_with_timestamp(indio_dev, &st->rx_buf[2], +- iio_get_time_ns(indio_dev)); ++ iio_push_to_buffers_with_ts_unaligned(indio_dev, &st->rx_buf[2], ++ sizeof(*st->rx_buf) * ++ TI_ADS7950_MAX_CHAN, ++ iio_get_time_ns(indio_dev)); + + out: + mutex_unlock(&st->slock); diff --git a/queue-6.1/io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch b/queue-6.1/io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch new file mode 100644 index 0000000000..36f88f9083 --- /dev/null +++ b/queue-6.1/io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch 
@@ -0,0 +1,52 @@ +From 1967f0b1cafdde37aa9e08e6021c14bcc484b7a5 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 21 Apr 2026 13:24:33 -0600 +Subject: io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jens Axboe + +commit 1967f0b1cafdde37aa9e08e6021c14bcc484b7a5 upstream. + +Commit: + +aacf2f9f382c ("io_uring: fix req->apoll_events") + +fixed an issue where poll->events and req->apoll_events weren't +synchronized, but then when the commit referenced in Fixes got added, +it didn't ensure the same thing. + +If we mask in EPOLLONESHOT in the regular EPOLL_URING_WAKE path, then +ensure it's done for both. Including a link to the original report +below, even though it's mostly nonsense. But it includes a reproducer +that does show that IORING_CQE_F_MORE is set in the previous CQE, +while no more CQEs will be generated for this request. Just ignore +anything that pretends this is security related in any way, it's just +the typical AI nonsense. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/io-uring/CAM0zi7yQzF3eKncgHo4iVM5yFLAjsiob_ucqyWKs=hyd_GqiMg@mail.gmail.com/ +Reported-by: Azizcan Daştan +Fixes: 4464853277d0 ("io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and wakeups") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/poll.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -451,8 +451,10 @@ static int io_poll_wake(struct wait_queu + * disable multishot as there is a circular dependency between + * CQ posting and triggering the event. + */ +- if (mask & EPOLL_URING_WAKE) ++ if (mask & EPOLL_URING_WAKE) { + poll->events |= EPOLLONESHOT; ++ req->apoll_events |= EPOLLONESHOT; ++ } + + /* optional, saves extra locking for removal in tw handler */ + if (mask && poll->events & EPOLLONESHOT) { 
diff --git a/queue-6.1/io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch b/queue-6.1/io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch
new file mode 100644
index 0000000000..feb6fd751f
--- /dev/null
+++ b/queue-6.1/io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch
@@ -0,0 +1,52 @@ +From 326941b22806cbf2df1fbfe902b7908b368cce42 Mon Sep 17 00:00:00 2001 +From: Longxuan Yu +Date: Sun, 12 Apr 2026 16:38:20 +0800 +Subject: io_uring/poll: fix signed comparison in io_poll_get_ownership() + +From: Longxuan Yu + +commit 326941b22806cbf2df1fbfe902b7908b368cce42 upstream. + +io_poll_get_ownership() uses a signed comparison to check whether +poll_refs has reached the threshold for the slowpath: + + if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) + +atomic_read() returns int (signed). When IO_POLL_CANCEL_FLAG +(BIT(31)) is set in poll_refs, the value becomes negative in +signed arithmetic, so the >= 128 comparison always evaluates to +false and the slowpath is never taken. + +Fix this by casting the atomic_read() result to unsigned int +before the comparison, so that the cancel flag is treated as a +large positive value and correctly triggers the slowpath. + +Fixes: a26a35e9019f ("io_uring: make poll refs more robust") +Cc: stable@vger.kernel.org +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Zhengchuan Liang +Signed-off-by: Longxuan Yu +Signed-off-by: Ren Wei +Reviewed-by: Pavel Begunkov +Link: https://patch.msgid.link/3a3508b08bcd7f1bc3beff848ae6e1d73d355043.1775965597.git.ylong030@ucr.edu +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/poll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -88,7 +88,7 @@ static bool io_poll_get_ownership_slowpa + */ + static inline bool io_poll_get_ownership(struct io_kiocb *req) + { +- if (unlikely(atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) ++ if (unlikely((unsigned int)atomic_read(&req->poll_refs) >= IO_POLL_REF_BIAS)) + return io_poll_get_ownership_slowpath(req); + return !(atomic_fetch_inc(&req->poll_refs) & IO_POLL_REF_MASK); + } 
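Review bot: The `(unsigned int)` cast added to the threshold check in io_poll_get_ownership() carries no comment, and a later cleanup could remove it as redundant and silently reintroduce the skipped slowpath; suggest a one-line comment above the `if`, such as `/* poll_refs may carry IO_POLL_CANCEL_FLAG (BIT(31)); compare unsigned so the cancel flag still forces the slowpath */`. The definition of IO_POLL_REF_BIAS is not visible here; if it is a plain signed constant the cast alone is what makes the comparison unsigned, which is the intended effect described in the commit message. The kernel-doc comment for the function begins above the hunk.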
diff --git a/queue-6.1/io_uring-timeout-check-unused-sqe-fields.patch b/queue-6.1/io_uring-timeout-check-unused-sqe-fields.patch new file mode 100644 index 0000000000..5ec2e63d3c --- /dev/null +++ b/queue-6.1/io_uring-timeout-check-unused-sqe-fields.patch @@ -0,0 +1,41 @@ +From 484ae637a3e3d909718de7c07afd3bb34b6b8504 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Mon, 2 Mar 2026 13:10:34 +0000 +Subject: io_uring/timeout: check unused sqe fields + +From: Pavel Begunkov + +commit 484ae637a3e3d909718de7c07afd3bb34b6b8504 upstream. + +Zero check unused SQE fields addr3 and pad2 for timeout and timeout +update requests. They're not needed now, but could be used sometime +in the future. + +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Begunkov +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/timeout.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/io_uring/timeout.c ++++ b/io_uring/timeout.c +@@ -394,6 +394,8 @@ int io_timeout_remove_prep(struct io_kio + + if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT))) + return -EINVAL; ++ if (sqe->addr3 || sqe->__pad2[0]) ++ return -EINVAL; + if (sqe->buf_index || sqe->len || sqe->splice_fd_in) + return -EINVAL; + +@@ -466,6 +468,8 @@ static int __io_timeout_prep(struct io_k + unsigned flags; + u32 off = READ_ONCE(sqe->off); + ++ if (sqe->addr3 || sqe->__pad2[0]) ++ return -EINVAL; + if (sqe->buf_index || sqe->len != 1 || sqe->splice_fd_in) + return -EINVAL; + if (off && is_timeout_link) diff --git a/queue-6.1/md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch b/queue-6.1/md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch new file mode 100644 index 0000000000..7c8ba5a6e0 --- /dev/null +++ b/queue-6.1/md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch 
@@ -0,0 +1,100 @@ +From 7d96f3120a7fb7210d21b520c5b6f495da6ba436 Mon Sep 17 00:00:00 2001 +From: Josh Hunt +Date: Mon, 2 Mar 2026 19:56:19 -0500 +Subject: md/raid10: fix deadlock with check operation and nowait requests + +From: Josh Hunt + +commit 7d96f3120a7fb7210d21b520c5b6f495da6ba436 upstream. + +When an array check is running it will raise the barrier at which point +normal requests will become blocked and increment the nr_pending value to +signal there is work pending inside of wait_barrier(). NOWAIT requests +do not block and so will return immediately with an error, and additionally +do not increment nr_pending in wait_barrier(). Upstream change commit +43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a +call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit +this condition. raid_end_bio_io() eventually calls allow_barrier() and +it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even +though the corresponding increment on nr_pending didn't happen in the +NOWAIT case. + +This can be easily seen by starting a check operation while an application +is doing nowait IO on the same array. This results in a deadlocked state +due to nr_pending value underflowing and so the md resync thread gets stuck +waiting for nr_pending to == 0. 
+ +Output of r10conf state of the array when we hit this condition: + +crash> struct r10conf + barrier = 1, + nr_pending = { + counter = -41 + }, + nr_waiting = 15, + nr_queued = 0, + +Example of md_sync thread stuck waiting on raise_barrier() and other +requests stuck in wait_barrier(): + +md1_resync +[<0>] raise_barrier+0xce/0x1c0 +[<0>] raid10_sync_request+0x1ca/0x1ed0 +[<0>] md_do_sync+0x779/0x1110 +[<0>] md_thread+0x90/0x160 +[<0>] kthread+0xbe/0xf0 +[<0>] ret_from_fork+0x34/0x50 +[<0>] ret_from_fork_asm+0x1a/0x30 + +kworker/u1040:2+flush-253:4 +[<0>] wait_barrier+0x1de/0x220 +[<0>] regular_request_wait+0x30/0x180 +[<0>] raid10_make_request+0x261/0x1000 +[<0>] md_handle_request+0x13b/0x230 +[<0>] __submit_bio+0x107/0x1f0 +[<0>] submit_bio_noacct_nocheck+0x16f/0x390 +[<0>] ext4_io_submit+0x24/0x40 +[<0>] ext4_do_writepages+0x254/0xc80 +[<0>] ext4_writepages+0x84/0x120 +[<0>] do_writepages+0x7a/0x260 +[<0>] __writeback_single_inode+0x3d/0x300 +[<0>] writeback_sb_inodes+0x1dd/0x470 +[<0>] __writeback_inodes_wb+0x4c/0xe0 +[<0>] wb_writeback+0x18b/0x2d0 +[<0>] wb_workfn+0x2a1/0x400 +[<0>] process_one_work+0x149/0x330 +[<0>] worker_thread+0x2d2/0x410 +[<0>] kthread+0xbe/0xf0 +[<0>] ret_from_fork+0x34/0x50 +[<0>] ret_from_fork_asm+0x1a/0x30 + +Fixes: 43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") +Cc: stable@vger.kernel.org +Signed-off-by: Josh Hunt +Link: https://lore.kernel.org/linux-raid/20260303005619.1352958-1-johunt@akamai.com +Signed-off-by: Yu Kuai +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -1211,7 +1211,7 @@ static void raid10_read_request(struct m + } + + if (!regular_request_wait(mddev, conf, bio, r10_bio->sectors)) { +- raid_end_bio_io(r10_bio); ++ free_r10bio(r10_bio); + return; + } + +@@ -1436,7 +1436,7 @@ static void raid10_write_request(struct + + sectors = r10_bio->sectors; + if 
(!regular_request_wait(mddev, conf, bio, sectors)) { +- raid_end_bio_io(r10_bio); ++ free_r10bio(r10_bio); + return; + } + diff --git a/queue-6.1/nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch b/queue-6.1/nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch new file mode 100644 index 0000000000..3377c7d279 --- /dev/null +++ b/queue-6.1/nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch 
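Review bot: After this change the NOWAIT failure branches in raid10_read_request() and raid10_write_request() free the r10_bio without completing the caller's bio, so correctness now rests on regular_request_wait() having already ended the bio with an error in the NOWAIT case; that contract is not visible in either hunk and deserves a comment at both call sites, e.g. `/* bio was already completed by regular_request_wait(); only drop our r10_bio */`. The commit message explains why raid_end_bio_io() is wrong here (its allow_barrier() decrements a nr_pending that was never incremented), and a one-line version of that reasoning next to the free_r10bio() call would stop the next reader from "fixing" it back. Both enclosing functions start and end outside the hunks.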
@@ -0,0 +1,41 @@ +From a8eebf9699d69987cc49cec4e4fdb4111ab32423 Mon Sep 17 00:00:00 2001 +From: Robert Beckett +Date: Fri, 20 Mar 2026 19:22:09 +0000 +Subject: nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4 + +From: Robert Beckett + +commit a8eebf9699d69987cc49cec4e4fdb4111ab32423 upstream. + +The Kingston OM3SGP42048K2-A00 (PCI ID 2646:502f) firmware has a race +condition when processing concurrent write zeroes and DSM (discard) +commands, causing spurious "LBA Out of Range" errors and IOMMU page +faults at address 0x0. + +The issue is reliably triggered by running two concurrent mkfs commands +on different partitions of the same drive, which generates interleaved +write zeroes and discard operations. + +Disable write zeroes for this device, matching the pattern used for +other Kingston OM* drives that have similar firmware issues. + +Cc: stable@vger.kernel.org +Signed-off-by: Robert Beckett +Assisted-by: claude-opus-4-6-v1 +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3620,6 +3620,8 @@ static const struct pci_device_id nvme_i + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE(0x2646, 0x501E), /* KINGSTON OM3PGP4xxxxQ OS21011 NVMe SSD */ + .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, ++ { PCI_DEVICE(0x2646, 0x502F), /* KINGSTON OM3SGP4xxxxK NVMe SSD */ ++ .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, }, + { PCI_DEVICE(0x1f40, 0x1202), /* Netac Technologies Co. NV3000 NVMe SSD */ + .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x1f40, 0x5236), /* Netac Technologies Co. NV7000 NVMe SSD */ diff --git a/queue-6.1/nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch b/queue-6.1/nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch new file mode 100644 index 0000000000..f5c6188360 --- /dev/null 
+++ b/queue-6.1/nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch @@ -0,0 +1,41 @@ +From 40f0496b617b431f8d2dd94d7f785c1121f8a68a Mon Sep 17 00:00:00 2001 +From: Robert Beckett +Date: Fri, 20 Mar 2026 19:22:08 +0000 +Subject: nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set + +From: Robert Beckett + +commit 40f0496b617b431f8d2dd94d7f785c1121f8a68a upstream. + +The NVM Command Set Identify Controller data may report a non-zero +Write Zeroes Size Limit (wzsl). When present, nvme_init_non_mdts_limits() +unconditionally overrides max_zeroes_sectors from wzsl, even if +NVME_QUIRK_DISABLE_WRITE_ZEROES previously set it to zero. + +This effectively re-enables write zeroes for devices that need it +disabled, defeating the quirk. Several Kingston OM* drives rely on +this quirk to avoid firmware issues with write zeroes commands. + +Check for the quirk before applying the wzsl override. + +Fixes: 5befc7c26e5a ("nvme: implement non-mdts command limits") +Cc: stable@vger.kernel.org +Signed-off-by: Robert Beckett +Assisted-by: claude-opus-4-6-v1 +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -3188,7 +3188,7 @@ static int nvme_init_non_mdts_limits(str + if (id->dmrl) + ctrl->max_discard_segments = id->dmrl; + ctrl->dmrsl = le32_to_cpu(id->dmrsl); +- if (id->wzsl) ++ if (id->wzsl && !(ctrl->quirks & NVME_QUIRK_DISABLE_WRITE_ZEROES)) + ctrl->max_zeroes_sectors = nvme_mps_to_sectors(ctrl, id->wzsl); + + free_data: diff --git a/queue-6.1/parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch b/queue-6.1/parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch new file mode 100644 index 0000000000..d36e6e5a28 --- /dev/null +++ b/queue-6.1/parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch 
@@ -0,0 +1,27 @@
+From da3680f564bd787ce974f9931e6e924d908b3b2a Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Tue, 7 Apr 2026 23:56:28 +0200
+Subject: parisc: _llseek syscall is only available for 32-bit userspace
+
+From: Helge Deller
+
+commit da3680f564bd787ce974f9931e6e924d908b3b2a upstream.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/kernel/syscalls/syscall.tbl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/syscalls/syscall.tbl
++++ b/arch/parisc/kernel/syscalls/syscall.tbl
+@@ -154,7 +154,7 @@
+ # 137 was afs_syscall
+ 138 common setfsuid sys_setfsuid
+ 139 common setfsgid sys_setfsgid
+-140 common _llseek sys_llseek
++140 32 _llseek sys_llseek
+ 141 common getdents sys_getdents compat_sys_getdents
+ 142 common _newselect sys_select compat_sys_select
+ 143 common flock sys_flock
diff --git a/queue-6.1/rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch b/queue-6.1/rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch
new file mode 100644
index 0000000000..36cb320ccf
--- /dev/null
+++ b/queue-6.1/rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch
@@ -0,0 +1,116 @@ +From d1fef92e414433ca7b89abf85cb0df42b8d475eb Mon Sep 17 00:00:00 2001 +From: Dawei Feng +Date: Sun, 19 Apr 2026 17:03:48 +0800 +Subject: rbd: fix null-ptr-deref when device_add_disk() fails + +From: Dawei Feng + +commit d1fef92e414433ca7b89abf85cb0df42b8d475eb upstream. + +do_rbd_add() publishes the device with device_add() before calling +device_add_disk(). If device_add_disk() fails after device_add() +succeeds, the error path calls rbd_free_disk() directly and then later +falls through to rbd_dev_device_release(), which calls rbd_free_disk() +again. This double teardown can leave blk-mq cleanup operating on +invalid state and trigger a null-ptr-deref in +__blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set(). + +Fix this by following the normal remove ordering: call device_del() +before rbd_dev_device_release() when device_add_disk() fails after +device_add(). That keeps the teardown sequence consistent and avoids +re-entering disk cleanup through the wrong path. + +The bug was first flagged by an experimental analysis tool we are +developing for kernel memory-management bugs while analyzing +v6.13-rc1. The tool is still under development and is not yet publicly +available. + +We reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64 +guest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer +confines failslab injections to the __add_disk() range and injects +fail-nth while mapping an RBD image through +/sys/bus/rbd/add_single_major. 
+ +On the unpatched kernel, fail-nth=4 reliably triggered the fault: + + Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI + KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + CPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy) + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 + RIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240 + Code: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00 + RSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246 + RAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000 + RDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4 + RBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b + R10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000 + R13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004 + FS: 00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0 + PKRU: 55555554 + Call Trace: + + blk_mq_free_tag_set+0x77/0x460 + do_rbd_add+0x1446/0x2b80 + ? __pfx_do_rbd_add+0x10/0x10 + ? lock_acquire+0x18c/0x300 + ? find_held_lock+0x2b/0x80 + ? sysfs_file_kobj+0xb6/0x1b0 + ? __pfx_sysfs_kf_write+0x10/0x10 + kernfs_fop_write_iter+0x2f4/0x4a0 + vfs_write+0x98e/0x1000 + ? expand_files+0x51f/0x850 + ? __pfx_vfs_write+0x10/0x10 + ksys_write+0xf2/0x1d0 + ? 
__pfx_ksys_write+0x10/0x10 + do_syscall_64+0x115/0x690 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + RIP: 0033:0x7f0fbea15907 + Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 + RSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907 + RDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001 + RBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141 + R10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058 + R13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004 + + +With this fix applied, rerunning the reproducer over fail-nth=1..256 +yields no KASAN reports. + +[ idryomov: rename err_out_device_del -> err_out_device ] + +Cc: stable@vger.kernel.org +Fixes: 27c97abc30e2 ("rbd: add add_disk() error handling") +Signed-off-by: Zilin Guan +Signed-off-by: Dawei Feng +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/rbd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -7175,7 +7175,7 @@ static ssize_t do_rbd_add(struct bus_typ + + rc = device_add_disk(&rbd_dev->dev, rbd_dev->disk, NULL); + if (rc) +- goto err_out_cleanup_disk; ++ goto err_out_device; + + spin_lock(&rbd_dev_list_lock); + list_add_tail(&rbd_dev->node, &rbd_dev_list); +@@ -7189,8 +7189,8 @@ out: + module_put(THIS_MODULE); + return rc; + +-err_out_cleanup_disk: +- rbd_free_disk(rbd_dev); ++err_out_device: ++ device_del(&rbd_dev->dev); + err_out_image_lock: + rbd_dev_image_unlock(rbd_dev); + rbd_dev_device_release(rbd_dev); diff --git a/queue-6.1/selftests-mqueue-fix-incorrectly-named-file.patch b/queue-6.1/selftests-mqueue-fix-incorrectly-named-file.patch new file mode 100644 index 0000000000..95a67fdced 
--- /dev/null
+++ b/queue-6.1/selftests-mqueue-fix-incorrectly-named-file.patch
@@ -0,0 +1,41 @@
+From 64fac99037689020ad97e472ae898e96ea3616dc Mon Sep 17 00:00:00 2001
+From: Simon Liebold
+Date: Thu, 12 Mar 2026 14:02:00 +0000
+Subject: selftests/mqueue: Fix incorrectly named file
+
+From: Simon Liebold
+
+commit 64fac99037689020ad97e472ae898e96ea3616dc upstream.
+
+Commit 85506aca2eb4 ("selftests/mqueue: Set timeout to 180 seconds")
+intended to increase the timeout for mq_perf_tests from the default
+kselftest limit of 45 seconds to 180 seconds.
+
+Unfortunately, the file storing this information was incorrectly named
+`setting` instead of `settings`, causing the kselftest runner not to
+pick up the limit and keep using the default 45 seconds limit.
+
+Fix this by renaming it to `settings` to ensure that the kselftest
+runner uses the increased timeout of 180 seconds for this test.
+
+Fixes: 85506aca2eb4 ("selftests/mqueue: Set timeout to 180 seconds")
+Cc: # 5.10.y
+Signed-off-by: Simon Liebold
+Link: https://lore.kernel.org/r/20260312140200.2224850-1-simonlie@amazon.de
+Signed-off-by: Shuah Khan
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/mqueue/{setting => settings} | 0
+ tools/testing/selftests/mqueue/setting | 1 -
+ tools/testing/selftests/mqueue/settings | 1 +
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+ rename tools/testing/selftests/mqueue/{setting => settings} (100%)
+
+--- a/tools/testing/selftests/mqueue/setting
++++ /dev/null
+@@ -1 +0,0 @@
+-timeout=180
+--- /dev/null
++++ b/tools/testing/selftests/mqueue/settings
+@@ -0,0 +1 @@
++timeout=180
diff --git a/queue-6.1/series b/queue-6.1/series
index 08744feb90..50536cc6df 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -194,3 +194,14 @@ ext2-reject-inodes-with-zero-i_nlink-and-valid-mode-in-ext2_iget.patch
 alsa-aoa-i2sbus-fix-of-node-lifetime-handling.patch
 alsa-ctxfi-add-fallback-to-default-rsr-for-s-pdif.patch
 alsa-seq_oss-return-full-count-for-successful-seq_fullsize-writes.patch
+erofs-fix-the-out-of-bounds-nameoff-handling-for-trailing-dirents.patch
+md-raid10-fix-deadlock-with-check-operation-and-nowait-requests.patch
+nvme-pci-add-nvme_quirk_disable_write_zeroes-for-kingston-om3sgp4.patch
+nvme-respect-nvme_quirk_disable_write_zeroes-when-wzsl-is-set.patch
+parisc-_llseek-syscall-is-only-available-for-32-bit-userspace.patch
+selftests-mqueue-fix-incorrectly-named-file.patch
+rbd-fix-null-ptr-deref-when-device_add_disk-fails.patch
+io_uring-timeout-check-unused-sqe-fields.patch
+iio-adc-ti-ads7950-use-iio_push_to_buffers_with_ts_unaligned.patch
+io_uring-poll-fix-signed-comparison-in-io_poll_get_ownership.patch
+io_uring-poll-ensure-epoll_oneshot-is-propagated-for-epoll_uring_wake.patch