From: Greg Kroah-Hartman Date: Thu, 2 Jul 2026 13:17:08 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.10.260~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98287bd988cd947e0641f7a1d0a00b0dcce1bd37;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: bpf-use-kvfree-for-replaced-sysctl-write-buffer.patch exfat-fix-potential-use-after-free-in-exfat_find_dir_entry.patch f2fs-fix-to-round-down-start-offset-of-fallocate-for-pin-file.patch f2fs-validate-acl-entry-sizes-in-f2fs_acl_from_disk.patch f2fs-validate-compress-cache-inode-only-when-enabled.patch mips-dec-prevent-initial-console-buffer-from-landing-in-xkphys.patch --- diff --git a/queue-6.1/bpf-use-kvfree-for-replaced-sysctl-write-buffer.patch b/queue-6.1/bpf-use-kvfree-for-replaced-sysctl-write-buffer.patch new file mode 100644 index 0000000000..e7ef70fb5a --- /dev/null +++ b/queue-6.1/bpf-use-kvfree-for-replaced-sysctl-write-buffer.patch @@ -0,0 +1,89 @@ +From 4c21b5927d4364bfe7365f2700da5fea0ed0d004 Mon Sep 17 00:00:00 2001 +From: Dawei Feng +Date: Wed, 3 Jun 2026 18:53:16 +0800 +Subject: bpf: use kvfree() for replaced sysctl write buffer + +From: Dawei Feng + +commit 4c21b5927d4364bfe7365f2700da5fea0ed0d004 upstream. + +proc_sys_call_handler() allocates its temporary sysctl buffer with +kvzalloc() and passes it to __cgroup_bpf_run_filter_sysctl(). Since +kvzalloc() may fall back to vmalloc() for large allocations, freeing +that buffer with kfree() is wrong and can corrupt memory. + +Use kvfree() to safely handle both kmalloc and kvzalloc()/vmalloc +allocations. + +The bug was first flagged by an experimental analysis tool we are +developing for kernel memory-management bugs while analyzing +v6.13-rc1. The tool is still under development and is not yet publicly +available. Manual inspection confirms that the bug is still +present in v7.1-rc5. + +Reproduced the bug based on v7.1-rc4 in a QEMU x86_64 guest booted with +KASAN and CONFIG_FAILSLAB enabled. To exercise the replacement path, the +test tree also included the accompanying fix for the stale ret == 1 +check in __cgroup_bpf_run_filter_sysctl(). The reproducer confines +failslab injections to the proc_sys_call_handler() range, uses +stacktrace-depth=32, and injects fail-nth=1 while writing 8191 bytes to +/proc/sys/kernel/domainname from a task in the target cgroup. Under +that setup, fail-nth=1 triggered the fault: + + BUG: unable to handle page fault for address: ffffeb0200024d48 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 SMP KASAN NOPTI + CPU: 2 UID: 0 PID: 209 Comm: repro_proc_sys_ Not tainted 7.1.0-rc4-00686-g97625979a5d4 PREEMPT(lazy) + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 + RIP: 0010:kfree+0x6e/0x510 + ... + Call Trace: + + ? __cgroup_bpf_run_filter_sysctl+0x626/0xc30 + __cgroup_bpf_run_filter_sysctl+0x74d/0xc30 + ? __pfx___cgroup_bpf_run_filter_sysctl+0x10/0x10 + ? srso_return_thunk+0x5/0x5f + ? __kvmalloc_node_noprof+0x345/0x870 + ? proc_sys_call_handler+0x250/0x480 + ? srso_return_thunk+0x5/0x5f + proc_sys_call_handler+0x3a2/0x480 + ? __pfx_proc_sys_call_handler+0x10/0x10 + ? srso_return_thunk+0x5/0x5f + ? selinux_file_permission+0x39f/0x500 + ? srso_return_thunk+0x5/0x5f + ? lock_is_held_type+0x9e/0x120 + vfs_write+0x98e/0x1000 + ... + + +With this fix applied on top of the same test setup, rerunning the +reproducer with fail-nth=1 yields no corresponding Oops reports. + +Fixes: 4508943794ef ("proc: use kvzalloc for our kernel buffer") +Cc: stable@vger.kernel.org + +Reviewed-by: Emil Tsalapatis +Reviewed-by: Jiayuan Chen +Acked-by: Yonghong Song +Signed-off-by: Zilin Guan +Signed-off-by: Dawei Feng +Link: https://lore.kernel.org/r/20260603105317.944304-3-dawei.feng@seu.edu.cn +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/cgroup.c ++++ b/kernel/bpf/cgroup.c +@@ -1745,7 +1745,7 @@ int __cgroup_bpf_run_filter_sysctl(struc + kfree(ctx.cur_val); + + if (ret == 1 && ctx.new_updated) { +- kfree(*buf); ++ kvfree(*buf); + *buf = ctx.new_val; + *pcount = ctx.new_len; + } else { diff --git a/queue-6.1/exfat-fix-potential-use-after-free-in-exfat_find_dir_entry.patch b/queue-6.1/exfat-fix-potential-use-after-free-in-exfat_find_dir_entry.patch new file mode 100644 index 0000000000..4f9b71d962 --- /dev/null +++ b/queue-6.1/exfat-fix-potential-use-after-free-in-exfat_find_dir_entry.patch @@ -0,0 +1,90 @@ +From 3f5f8ee9917cc2b9076ac533492d8a200edcabb8 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Wed, 22 Apr 2026 11:58:44 -0400 +Subject: exfat: fix potential use-after-free in exfat_find_dir_entry() + +From: Michael Bommarito + +commit 3f5f8ee9917cc2b9076ac533492d8a200edcabb8 upstream. + +In exfat_find_dir_entry(), the buffer_head obtained from +exfat_get_dentry() is released with brelse(bh) before the fall-through +TYPE_EXTEND branch reads the directory entry through ep (which points +into bh->b_data): + + brelse(bh); + if (entry_type == TYPE_EXTEND) { + ... + len = exfat_extract_uni_name(ep, entry_uniname); + ... + } + +After brelse() drops our reference, nothing guarantees that the +underlying page backing bh->b_data remains valid for the subsequent +exfat_extract_uni_name() read. This is the same pattern fixed in +commit fc961522ddbd ("exfat: Fix potential use after free in +exfat_load_upcase_table()"). + +Move brelse(bh) so it runs after ep is no longer dereferenced on +each branch. + +Confirmed on QEMU x86_64 with CONFIG_KASAN=y + CONFIG_DEBUG_PAGEALLOC=y ++ CONFIG_PAGE_POISONING=y on linux-next, using a crafted exFAT image +(long filename with same-hash collisions forcing the TYPE_EXTEND path). +With a debug-only invalidate_bdev() inserted between brelse(bh) and +the ep read to make the stale-deref window deterministic, the +unpatched kernel faults: + + BUG: KASAN: use-after-free in exfat_find_dir_entry+0x133b/0x15a0 + BUG: unable to handle page fault for address: ffff88801a5fa0c2 + Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI + RIP: 0010:exfat_find_dir_entry+0x1188/0x15a0 + +With this patch applied, the same instrumented harness completes +cleanly under the same sanitizer stack. I have not reproduced a +crash on an uninstrumented kernel under ordinary reclaim; the +instrumented A/B establishes the lifetime violation and that the +patch closes it, not an unaided triggerability claim. + +Fixes: ca06197382bd ("exfat: add directory operations") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Michael Bommarito +Signed-off-by: Namjae Jeon +Signed-off-by: Greg Kroah-Hartman +--- + fs/exfat/dir.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/exfat/dir.c ++++ b/fs/exfat/dir.c +@@ -1040,12 +1040,12 @@ rewind: + continue; + } + +- brelse(bh); + if (entry_type == TYPE_EXTEND) { + unsigned short entry_uniname[16], unichar; + + if (step != DIRENT_STEP_NAME || + name_len >= MAX_NAME_LENGTH) { ++ brelse(bh); + step = DIRENT_STEP_FILE; + continue; + } +@@ -1056,6 +1056,7 @@ rewind: + uniname += EXFAT_FILE_NAME_LEN; + + len = exfat_extract_uni_name(ep, entry_uniname); ++ brelse(bh); + name_len += len; + + unichar = *(uniname+len); +@@ -1074,6 +1075,7 @@ rewind: + continue; + } + ++ brelse(bh); + if (entry_type & + (TYPE_CRITICAL_SEC | TYPE_BENIGN_SEC)) { + if (step == DIRENT_STEP_SECD) { diff --git a/queue-6.1/f2fs-fix-to-round-down-start-offset-of-fallocate-for-pin-file.patch b/queue-6.1/f2fs-fix-to-round-down-start-offset-of-fallocate-for-pin-file.patch new file mode 100644 index 0000000000..108ae58124 --- /dev/null +++ b/queue-6.1/f2fs-fix-to-round-down-start-offset-of-fallocate-for-pin-file.patch @@ -0,0 +1,71 @@ +From 4275b59673eb60b02eec3997816c83f1f4b909c4 Mon Sep 17 00:00:00 2001 +From: Sunmin Jeong +Date: Mon, 22 Jun 2026 14:28:17 +0900 +Subject: f2fs: fix to round down start offset of fallocate for pin file + +From: Sunmin Jeong + +commit 4275b59673eb60b02eec3997816c83f1f4b909c4 upstream. + +Currently, the length of fallocate for pin file is section-aligned to +keep allocated sections from being selected as victims of GC. However, +for the case that the start offset of fallocate is not aligned in +section, the allocated sections can't be fully utilized. It's because a +new section is allocated by f2fs_allocate_pinning_section() after using +blks_per_sec blocks regardless of the start offset. As a result, several +unexpected dirty segments may be created, including blocks assigned to +the pinned file. + +To address this issue, let's round down the start offset of fallocate +to the length of section. + +The reproducing scenario is as below + +chunk=$(((2<<20)+4096)) # 2MB + 4KB +touch test +f2fs_io pinfile set test +f2fs_io fallocate 0 0 $chunk test +f2fs_io fallocate 0 $chunk $chunk test +f2fs_io fallocate 0 $((chunk*2)) $chunk test +f2fs_io fiemap 0 $((chunk*3)) test + +Fiemap: offset = 0 len = 12288 + logical addr. physical addr. length flags +0 0000000000000000 000000068c600000 0000000000400000 00001088 +1 0000000000400000 000000003d400000 0000000000001000 00001088 +2 0000000000401000 00000003eb200000 0000000000200000 00001088 +3 0000000000601000 00000005e4200000 0000000000001000 00001088 +4 0000000000602000 0000000605400000 0000000000200000 00001089 + +Cc: stable@vger.kernel.org +Fixes: f5a53edcf01e ("f2fs: support aligned pinned file") +Reviewed-by: Yunji Kang +Reviewed-by: Yeongjin Gil +Reviewed-by: Sungjong Seo +Signed-off-by: Sunmin Jeong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/file.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1786,8 +1786,15 @@ static int expand_inode_data(struct inod + + if (f2fs_is_pinned_file(inode)) { + block_t sec_blks = CAP_BLKS_PER_SEC(sbi); +- block_t sec_len = roundup(map.m_len, sec_blks); ++ block_t sec_len; + ++ if (map.m_lblk % sec_blks) { ++ map.m_lblk = rounddown(map.m_lblk, sec_blks); ++ map.m_len = pg_end - map.m_lblk; ++ if (off_end) ++ map.m_len++; ++ } ++ sec_len = roundup(map.m_len, sec_blks); + map.m_len = sec_blks; + next_alloc: + if (has_not_enough_free_secs(sbi, 0, diff --git a/queue-6.1/f2fs-validate-acl-entry-sizes-in-f2fs_acl_from_disk.patch b/queue-6.1/f2fs-validate-acl-entry-sizes-in-f2fs_acl_from_disk.patch new file mode 100644 index 0000000000..5fea004e31 --- /dev/null +++ b/queue-6.1/f2fs-validate-acl-entry-sizes-in-f2fs_acl_from_disk.patch @@ -0,0 +1,118 @@ +From c4810ada31e80cbe4011467c4f3b1e93f94134f3 Mon Sep 17 00:00:00 2001 +From: Zhang Cen +Date: Mon, 15 Jun 2026 15:19:54 +0800 +Subject: f2fs: validate ACL entry sizes in f2fs_acl_from_disk() + +From: Zhang Cen + +commit c4810ada31e80cbe4011467c4f3b1e93f94134f3 upstream. + +f2fs_acl_count() only validates the aggregate ACL xattr length. A +malformed ACL can still place ACL_USER or ACL_GROUP in a slot that only +contains struct f2fs_acl_entry_short bytes, and f2fs_acl_from_disk() +then reads entry->e_id before verifying that a full entry fits. + +Require a short entry before reading e_tag and e_perm, and require a +full entry before reading e_id for ACL_USER and ACL_GROUP. Return +-EFSCORRUPTED from these new truncated-entry checks, while keeping the +pre-existing -EINVAL paths unchanged. + +Validation reproduced this kernel report: +KASAN slab-out-of-bounds in __f2fs_get_acl+0x6fb/0x7e0 +RIP: 0033:0x7f4b835ea7aa +The buggy address belongs to the object at ffff888114589960 which belongs +to the cache kmalloc-8 of size 8 +The buggy address is located 0 bytes to the right of allocated 8-byte +region [ffff888114589960, ffff888114589968) +Read of size 4 +Call trace: + dump_stack_lvl+0x66/0xa0 (?:?) + print_report+0xce/0x630 (?:?) + __f2fs_get_acl+0x6fb/0x7e0 (fs/f2fs/acl.c:169) + srso_alias_return_thunk+0x5/0xfbef5 (?:?) + __virt_addr_valid+0x224/0x430 (?:?) + kasan_report+0xe0/0x110 (?:?) + __f2fs_get_acl+0x5/0x7e0 (fs/f2fs/acl.c:169) + __get_acl+0x281/0x380 (?:?) + vfs_get_acl+0x10b/0x190 (?:?) + do_get_acl+0x2a/0x410 (?:?) + do_get_acl+0x9/0x410 (?:?) + do_getxattr+0xe8/0x260 (?:?) + filename_getxattr+0xd1/0x140 (?:?) + do_getname+0x2d/0x2d0 (?:?) + path_getxattrat+0x16c/0x200 (?:?) + lock_release+0xc8/0x290 (?:?) + cgroup_update_frozen+0x9d/0x320 (?:?) + lockdep_hardirqs_on_prepare+0xea/0x1a0 (?:?) + trace_hardirqs_on+0x1a/0x170 (?:?) + _raw_spin_unlock_irq+0x28/0x50 (?:?) + do_syscall_64+0x115/0x6a0 (arch/x86/entry/syscall_64.c:87) + entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?) + +Cc: stable@kernel.org +Fixes: af48b85b8cd3 ("f2fs: add xattr and acl functionalities") +Assisted-by: Codex:gpt-5.5 +Signed-off-by: Zhang Cen +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/acl.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/acl.c ++++ b/fs/f2fs/acl.c +@@ -46,6 +46,7 @@ static inline int f2fs_acl_count(size_t + static struct posix_acl *f2fs_acl_from_disk(const char *value, size_t size) + { + int i, count; ++ int err = -EINVAL; + struct posix_acl *acl; + struct f2fs_acl_header *hdr = (struct f2fs_acl_header *)value; + struct f2fs_acl_entry *entry = (struct f2fs_acl_entry *)(hdr + 1); +@@ -69,8 +70,11 @@ static struct posix_acl *f2fs_acl_from_d + + for (i = 0; i < count; i++) { + +- if ((char *)entry > end) ++ if (unlikely((char *)entry + ++ sizeof(struct f2fs_acl_entry_short) > end)) { ++ err = -EFSCORRUPTED; + goto fail; ++ } + + acl->a_entries[i].e_tag = le16_to_cpu(entry->e_tag); + acl->a_entries[i].e_perm = le16_to_cpu(entry->e_perm); +@@ -85,6 +89,11 @@ static struct posix_acl *f2fs_acl_from_d + break; + + case ACL_USER: ++ if (unlikely((char *)entry + ++ sizeof(struct f2fs_acl_entry) > end)) { ++ err = -EFSCORRUPTED; ++ goto fail; ++ } + acl->a_entries[i].e_uid = + make_kuid(&init_user_ns, + le32_to_cpu(entry->e_id)); +@@ -92,6 +101,11 @@ static struct posix_acl *f2fs_acl_from_d + sizeof(struct f2fs_acl_entry)); + break; + case ACL_GROUP: ++ if (unlikely((char *)entry + ++ sizeof(struct f2fs_acl_entry) > end)) { ++ err = -EFSCORRUPTED; ++ goto fail; ++ } + acl->a_entries[i].e_gid = + make_kgid(&init_user_ns, + le32_to_cpu(entry->e_id)); +@@ -107,7 +121,7 @@ static struct posix_acl *f2fs_acl_from_d + return acl; + fail: + posix_acl_release(acl); +- return ERR_PTR(-EINVAL); ++ return ERR_PTR(err); + } + + static void *f2fs_acl_to_disk(struct f2fs_sb_info *sbi, diff --git a/queue-6.1/f2fs-validate-compress-cache-inode-only-when-enabled.patch b/queue-6.1/f2fs-validate-compress-cache-inode-only-when-enabled.patch new file mode 100644 index 0000000000..b7275689e0 --- /dev/null +++ b/queue-6.1/f2fs-validate-compress-cache-inode-only-when-enabled.patch @@ -0,0 +1,53 @@ +From 5073c66a96a9c23c0c2533ed4ed06e42f9021208 Mon Sep 17 00:00:00 2001 +From: Wenjie Qi +Date: Thu, 21 May 2026 11:16:18 +0800 +Subject: f2fs: validate compress cache inode only when enabled + +From: Wenjie Qi + +commit 5073c66a96a9c23c0c2533ed4ed06e42f9021208 upstream. + +F2FS_COMPRESS_INO() uses NM_I(sbi)->max_nid as the synthetic inode +number for the compressed page cache inode. That inode only exists when +the compress_cache mount option is enabled. + +When compress_cache is disabled, max_nid is outside the valid inode +range. A corrupted directory entry that points to ino == max_nid should +therefore be rejected by f2fs_check_nid_range(). However, is_meta_ino() +currently treats F2FS_COMPRESS_INO() as a meta inode unconditionally, +so f2fs_iget() bypasses do_read_inode() and its nid range check, and +instantiates a fake internal inode instead. + +Gate the compressed cache inode case on COMPRESS_CACHE, matching +f2fs_init_compress_inode(). With compress_cache disabled, ino == +max_nid now follows the normal inode path and is rejected as an +out-of-range nid. + +Cc: stable@kernel.org +Fixes: 6ce19aff0b8c ("f2fs: compress: add compress_inode to cache compressed blocks") +Signed-off-by: Wenjie Qi +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/inode.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -476,8 +476,13 @@ static int do_read_inode(struct inode *i + + static bool is_meta_ino(struct f2fs_sb_info *sbi, unsigned int ino) + { +- return ino == F2FS_NODE_INO(sbi) || ino == F2FS_META_INO(sbi) || +- ino == F2FS_COMPRESS_INO(sbi); ++ if (ino == F2FS_NODE_INO(sbi) || ino == F2FS_META_INO(sbi)) ++ return true; ++#ifdef CONFIG_F2FS_FS_COMPRESSION ++ if (test_opt(sbi, COMPRESS_CACHE) && ino == F2FS_COMPRESS_INO(sbi)) ++ return true; ++#endif ++ return false; + } + + struct inode *f2fs_iget(struct super_block *sb, unsigned long ino) diff --git a/queue-6.1/mips-dec-prevent-initial-console-buffer-from-landing-in-xkphys.patch b/queue-6.1/mips-dec-prevent-initial-console-buffer-from-landing-in-xkphys.patch new file mode 100644 index 0000000000..92f4cdabfd --- /dev/null +++ b/queue-6.1/mips-dec-prevent-initial-console-buffer-from-landing-in-xkphys.patch @@ -0,0 +1,116 @@ +From 7fb13fd35110ebe95eb053faf79d018f51144d85 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Wed, 6 May 2026 23:42:27 +0100 +Subject: MIPS: DEC: Prevent initial console buffer from landing in XKPHYS + +From: Maciej W. Rozycki + +commit 7fb13fd35110ebe95eb053faf79d018f51144d85 upstream. + +In 64-bit configurations calling the initial console output handler from +a kernel thread other than the initial one will result in a situation +where the stack has been placed in the XKPHYS 64-bit memory segment and +consequently so has been the buffer allocated there that is used as the +argument corresponding to the `%s' output conversion specifier for the +firmware's printf() entry point. + +This 64-bit address will then be truncated by 32-bit firmware, resulting +in an attempt to access the wrong memory location, which in turn will +cause all kinds of unpredictable behaviour, such as a kernel crash: + + Console: colour dummy device 160x64 + Calibrating delay loop... 49.36 BogoMIPS (lpj=192512) + pid_max: default: 32768 minimum: 301 + CPU 0 Unable to handle kernel paging request at virtual address 000000000203bd00, epc == ffffffffbfc08364, ra == ffffffffbfc08800 + Oops[#1]: + CPU: 0 PID: 0 Comm: swapper Not tainted 5.18.0-rc2-00254-gfb649bda6f56-dirty #121 + $ 0 : 0000000000000000 0000000000000001 0000000000000023 ffffffff80684ba0 + $ 4 : 000000000203bd00 ffffffffbfc0f3b4 ffffffffffffffff 0000000000000073 + $ 8 : 0a303d7469000000 0000000000000000 0000000000000073 ffffffffbfc0f473 + $12 : 0000000000000002 0000000000000000 ffffffff80684c1c 0000000000000000 + $16 : 0000000000000000 ffffffff80596dc9 0000000000000000 ffffffffbfc09240 + $20 : ffffffff80684c40 ffffffffbfc0f400 000000000000002d 000000000000002b + $24 : ffffffffffffffbf 000000000203bd00 + $28 : ffffffff805f0000 ffffffff80684b58 0000000000000030 ffffffffbfc08800 + Hi : 0000000000000000 + Lo : 0000000000000aa8 + epc : ffffffffbfc08364 0xffffffffbfc08364 + ra : ffffffffbfc08800 0xffffffffbfc08800 + Status: 140120e2 KX SX UX KERNEL EXL + Cause : 00000008 (ExcCode 02) + BadVA : 000000000203bd00 + PrId : 00000430 (R4000SC) + Modules linked in: + Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____), tls=0000000000000000) + Stack : 0000000000000000 0000000000000000 0000000000000000 0000004d0000004d + 80684cc0806a2a40 80596dc80000004d 8061000000000000 bfc0850c80684c38 + 0000000000000000 000000000203bd00 0000000000000000 0000000000000000 + 0000000000000000 00000000bfc0f3b4 0000000000000000 0000000000000000 + 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + 0000002500000000 0000000000000000 0000000000000000 802c1a7400000000 + 0203bd0080596dc8 0203bd4d69000000 6c61632000000018 5f746567646e6172 + 6c616320625f6d6f 5f736e5f6d6f7266 206361323778302b 303d74696e726320 + 806a0a38806b0000 806a0a38806b0000 00000000806b0000 80683c58806b0000 + ... + Call Trace: + + Code: a082ffff 03e00008 00601021 <80820000> 00001821 10400005 24840001 80820000 24630001 + + ---[ end trace 0000000000000000 ]--- + Kernel panic - not syncing: Fatal exception in interrupt + + KN04 V2.1k (PC: 0xa0026768, SP: 0x806848e8) + >> + +In this case the pointer in $4 was truncated from 0x980000000203bd00 to +0x000000000203bd00. + +This may happen when no final console driver has been enabled in the +configuration and consequently the initial console continues being used +late into bootstrap or with an upcoming change that will switch the zs +driver to use a platform device, which in turn will make the console +handover happen only after other kernel threads have already been +started. + +Fix the issue by making the buffer static and initdata, and therefore +placed in the CKSEG0 32-bit compatibility segment, observing that the +console output handler is called with the console lock held, implying +no need for this code to be reentrant. Add an assertion to verify the +buffer actually has been placed in a compatibility segment. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Maciej W. Rozycki +Cc: stable@vger.kernel.org # v2.6.12+ +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/dec/prom/console.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/mips/dec/prom/console.c ++++ b/arch/mips/dec/prom/console.c +@@ -2,8 +2,9 @@ + /* + * DECstation PROM-based early console support. + * +- * Copyright (C) 2004, 2007 Maciej W. Rozycki ++ * Copyright (C) 2004, 2007, 2026 Maciej W. Rozycki + */ ++#include + #include + #include + #include +@@ -14,9 +15,11 @@ + static void __init prom_console_write(struct console *con, const char *s, + unsigned int c) + { +- char buf[81]; ++ static char buf[81] __initdata = { 0 }; + unsigned int chunk = sizeof(buf) - 1; + ++ BUG_ON((long)buf != (int)(long)buf); ++ + while (c > 0) { + if (chunk > c) + chunk = c; diff --git a/queue-6.1/series b/queue-6.1/series index 5cab42e43d..1780be9f1a 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -84,3 +84,9 @@ keys-pin-request_key_auth-payload-in-instantiate-paths.patch wifi-mt76-mt76x2u-add-support-for-elecom-wdc-867su3s.patch wifi-ath11k-fix-warning-when-unbinding.patch wifi-rtlwifi-rtl8821ae-fix-c2h-bit-location-in-rx-descriptor.patch +f2fs-validate-compress-cache-inode-only-when-enabled.patch +f2fs-fix-to-round-down-start-offset-of-fallocate-for-pin-file.patch +f2fs-validate-acl-entry-sizes-in-f2fs_acl_from_disk.patch +bpf-use-kvfree-for-replaced-sysctl-write-buffer.patch +mips-dec-prevent-initial-console-buffer-from-landing-in-xkphys.patch +exfat-fix-potential-use-after-free-in-exfat_find_dir_entry.patch