From: Greg Kroah-Hartman Date: Thu, 23 Apr 2026 12:08:43 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.6.136~30 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b1f5882d93de0f83b62f777cf4169a08fb545624;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch arm64-dts-imx8mq-librem5-don-t-mark-buck3-as-always-on.patch arm64-dts-imx8mq-librem5-r3-workaround-i2c1-issue-with-1ghz-cpu-voltage.patch arm64-dts-imx8mq-librem5-set-regulators-boot-on.patch arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch blk-mq-use-quiesced-elevator-switch-when-reinitializing-queues.patch drivers-base-free-devm-resources-when-unregistering-a-device.patch fs-ocfs2-fix-comments-mentioning-i_mutex.patch mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch mm-blk-cgroup-fix-use-after-free-in-cgwb_release_workfn.patch ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch ocfs2-validate-inline-data-i_size-during-inode-read.patch powerpc64-bpf-do-not-increment-tailcall-count-when-prog-is-null.patch revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch rxrpc-reject-undecryptable-rxkad-response-tickets.patch x86-uprobes-fix-xol-allocation-failure-for-32-bit-tasks.patch xfrm-clear-trailing-padding-in-build_polexpire.patch --- diff --git a/queue-5.10/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch b/queue-5.10/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch new file mode 100644 index 0000000000..56a3281128 
--- /dev/null +++ b/queue-5.10/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch @@ -0,0 +1,36 @@ +From stable+bounces-236124-greg=kroah.com@vger.kernel.org Mon Apr 13 17:04:28 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 10:58:02 -0400 +Subject: arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V +To: stable@vger.kernel.org +Cc: Sebastian Krzyszkowiak , Martin Kepplinger , Shawn Guo , Sasha Levin +Message-ID: <20260413145804.2968471-5-sashal@kernel.org> + +From: Sebastian Krzyszkowiak + +[ Upstream commit 94b91e3ca6688fafd6a5dd70bd89fe9d3aee88da ] + +0.8V is outside of the operating voltage specified for imx8mq, see +chapter 3.1.4 "Operating ranges" of the IMX8MDQLQCEC document. + +Signed-off-by: Sebastian Krzyszkowiak +Signed-off-by: Martin Kepplinger +Signed-off-by: Shawn Guo +Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi +@@ -653,7 +653,7 @@ + regulator-ramp-delay = <1250>; + rohm,dvs-run-voltage = <880000>; + rohm,dvs-idle-voltage = <820000>; +- rohm,dvs-suspend-voltage = <800000>; ++ rohm,dvs-suspend-voltage = <810000>; + regulator-always-on; + }; + diff --git a/queue-5.10/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch b/queue-5.10/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch new file mode 100644 index 0000000000..1e62c37cf2 --- /dev/null +++ b/queue-5.10/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch 
@@ -0,0 +1,41 @@ +From stable+bounces-236126-greg=kroah.com@vger.kernel.org Mon Apr 13 17:04:59 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 10:58:04 -0400 +Subject: arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V +To: stable@vger.kernel.org +Cc: Sebastian Krzyszkowiak , Frank Li , Sasha Levin +Message-ID: <20260413145804.2968471-7-sashal@kernel.org> + +From: Sebastian Krzyszkowiak + +[ Upstream commit 511f76bf1dce5acf8907b65a7d1bc8f7e7c0d637 ] + +The minimal voltage of VDD_SOC sourced from BUCK1 is 0.81V, which +is the currently set value. However, BD71837 only guarantees accuracy +of ±0.01V, and this still doesn't factor other reasons for actual +voltage to slightly drop in, resulting in the possibility of running +out of the operational range. + +Bump the voltage up to 0.85V, which should give enough headroom. + +Cc: stable@vger.kernel.org +Fixes: 8f0216b006e5 ("arm64: dts: Add a device tree for the Librem 5 phone") +Signed-off-by: Sebastian Krzyszkowiak +Signed-off-by: Frank Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi +@@ -653,7 +653,7 @@ + regulator-ramp-delay = <1250>; + rohm,dvs-run-voltage = <900000>; + rohm,dvs-idle-voltage = <850000>; +- rohm,dvs-suspend-voltage = <810000>; ++ rohm,dvs-suspend-voltage = <850000>; + regulator-always-on; + }; + diff --git a/queue-5.10/arm64-dts-imx8mq-librem5-don-t-mark-buck3-as-always-on.patch b/queue-5.10/arm64-dts-imx8mq-librem5-don-t-mark-buck3-as-always-on.patch new file mode 100644 index 0000000000..9c7843baa7 --- /dev/null +++ b/queue-5.10/arm64-dts-imx8mq-librem5-don-t-mark-buck3-as-always-on.patch 
@@ -0,0 +1,34 @@ +From stable+bounces-236121-greg=kroah.com@vger.kernel.org Mon Apr 13 17:03:43 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 10:57:59 -0400 +Subject: arm64: dts: imx8mq-librem5: Don't mark buck3 as always on +To: stable@vger.kernel.org +Cc: "Guido Günther" , "Martin Kepplinger" , "Shawn Guo" , "Sasha Levin" +Message-ID: <20260413145804.2968471-2-sashal@kernel.org> + +From: Guido Günther + +[ Upstream commit 99e71c029213d3cfcc4f39a534c73d1828ffb341 ] + +With the pmic driver fixed we can now shut off the regulator in the gpc. + +Signed-off-by: Guido Günther +Signed-off-by: Martin Kepplinger +Signed-off-by: Shawn Guo +Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi +@@ -671,7 +671,6 @@ + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1300000>; + rohm,dvs-run-voltage = <900000>; +- regulator-always-on; + }; + + buck4_reg: BUCK4 { diff --git a/queue-5.10/arm64-dts-imx8mq-librem5-r3-workaround-i2c1-issue-with-1ghz-cpu-voltage.patch b/queue-5.10/arm64-dts-imx8mq-librem5-r3-workaround-i2c1-issue-with-1ghz-cpu-voltage.patch new file mode 100644 index 0000000000..b04b6466a1 --- /dev/null +++ b/queue-5.10/arm64-dts-imx8mq-librem5-r3-workaround-i2c1-issue-with-1ghz-cpu-voltage.patch 
@@ -0,0 +1,40 @@ +From stable+bounces-236120-greg=kroah.com@vger.kernel.org Mon Apr 13 16:58:10 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 10:57:58 -0400 +Subject: arm64: dts: imx8mq-librem5-r3: workaround i2c1 issue with 1GHz cpu voltage +To: stable@vger.kernel.org +Cc: Martin Kepplinger , Shawn Guo , Sasha Levin +Message-ID: <20260413145804.2968471-1-sashal@kernel.org> + +From: Martin Kepplinger + +[ Upstream commit 1773b8d6697ac8e9380843fe5c13c25e95baa702 ] + +This is a workaround for a hardware bug in the r3 revision that basically would +stop the system due to traffic on the i2c1 bus. A cpu voltage change would +trigger such traffic and that's what is avoided in order to work around it. + +Signed-off-by: Martin Kepplinger +Signed-off-by: Shawn Guo +Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts +@@ -10,6 +10,12 @@ + compatible = "purism,librem5r3", "purism,librem5", "fsl,imx8mq"; + }; + ++&a53_opp_table { ++ opp-1000000000 { ++ opp-microvolt = <1000000>; ++ }; ++}; ++ + &accel_gyro { + mount-matrix = "1", "0", "0", + "0", "1", "0", diff --git a/queue-5.10/arm64-dts-imx8mq-librem5-set-regulators-boot-on.patch b/queue-5.10/arm64-dts-imx8mq-librem5-set-regulators-boot-on.patch new file mode 100644 index 0000000000..0fd34cc912 --- /dev/null +++ b/queue-5.10/arm64-dts-imx8mq-librem5-set-regulators-boot-on.patch 
@@ -0,0 +1,129 @@ +From stable+bounces-236122-greg=kroah.com@vger.kernel.org Mon Apr 13 16:58:11 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 10:58:00 -0400 +Subject: arm64: dts: imx8mq-librem5: set regulators boot-on +To: stable@vger.kernel.org +Cc: Martin Kepplinger , Shawn Guo , Sasha Levin +Message-ID: <20260413145804.2968471-3-sashal@kernel.org> + +From: Martin Kepplinger + +[ Upstream commit a8bb83c8c7a17e83e04801d0678e93654f9bfaee ] + +Expect all those regulators to be turned on initially. + +Signed-off-by: Martin Kepplinger +Signed-off-by: Shawn Guo +Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi +@@ -649,6 +649,7 @@ + regulator-name = "buck1"; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1300000>; ++ regulator-boot-on; + regulator-ramp-delay = <1250>; + rohm,dvs-run-voltage = <900000>; + rohm,dvs-idle-voltage = <850000>; +@@ -660,6 +661,7 @@ + regulator-name = "buck2"; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1300000>; ++ regulator-boot-on; + regulator-ramp-delay = <1250>; + rohm,dvs-run-voltage = <1000000>; + rohm,dvs-idle-voltage = <900000>; +@@ -670,6 +672,7 @@ + regulator-name = "buck3"; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1300000>; ++ regulator-boot-on; + rohm,dvs-run-voltage = <900000>; + }; + +@@ -684,6 +687,7 @@ + regulator-name = "buck5"; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1350000>; ++ regulator-boot-on; + regulator-always-on; + }; + +@@ -691,6 +695,7 @@ + regulator-name = "buck6"; + regulator-min-microvolt = <3000000>; + regulator-max-microvolt = <3300000>; ++ regulator-boot-on; + 
regulator-always-on; + }; + +@@ -698,6 +703,7 @@ + regulator-name = "buck7"; + regulator-min-microvolt = <1605000>; + regulator-max-microvolt = <1995000>; ++ regulator-boot-on; + regulator-always-on; + }; + +@@ -705,6 +711,7 @@ + regulator-name = "buck8"; + regulator-min-microvolt = <800000>; + regulator-max-microvolt = <1400000>; ++ regulator-boot-on; + regulator-always-on; + }; + +@@ -712,6 +719,7 @@ + regulator-name = "ldo1"; + regulator-min-microvolt = <3000000>; + regulator-max-microvolt = <3300000>; ++ regulator-boot-on; + /* leave on for snvs power button */ + regulator-always-on; + }; +@@ -720,6 +728,7 @@ + regulator-name = "ldo2"; + regulator-min-microvolt = <900000>; + regulator-max-microvolt = <900000>; ++ regulator-boot-on; + /* leave on for snvs power button */ + regulator-always-on; + }; +@@ -728,6 +737,7 @@ + regulator-name = "ldo3"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <3300000>; ++ regulator-boot-on; + regulator-always-on; + }; + +@@ -735,6 +745,7 @@ + regulator-name = "ldo4"; + regulator-min-microvolt = <900000>; + regulator-max-microvolt = <1800000>; ++ regulator-boot-on; + regulator-always-on; + }; + +@@ -751,6 +762,7 @@ + regulator-name = "ldo6"; + regulator-min-microvolt = <900000>; + regulator-max-microvolt = <1800000>; ++ regulator-boot-on; + regulator-always-on; + }; + +@@ -759,6 +771,7 @@ + regulator-name = "ldo7"; + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <3300000>; ++ regulator-boot-on; + regulator-always-on; + }; + }; diff --git a/queue-5.10/arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch b/queue-5.10/arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch new file mode 100644 index 0000000000..080aa220f3 --- /dev/null +++ b/queue-5.10/arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch 
@@ -0,0 +1,116 @@ +From stable+bounces-236123-greg=kroah.com@vger.kernel.org Mon Apr 13 17:04:09 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 10:58:01 -0400 +Subject: arm64: dts: imx8mq-librem5: Set the DVS voltages lower +To: stable@vger.kernel.org +Cc: Sebastian Krzyszkowiak , Martin Kepplinger , Shawn Guo , Sasha Levin +Message-ID: <20260413145804.2968471-4-sashal@kernel.org> + +From: Sebastian Krzyszkowiak + +[ Upstream commit c24a9b698fb02cd0723fa8375abab07f94b97b10 ] + +They're still in the operating range according to i.MX 8M Quad +datasheet. There's some headroom added over minimal values to +account for voltage drop. + +Operational ranges (min - typ - max [selected]): + - VDD_SOC (BUCK1): 0.81 - 0.9 - 0.99 [0.88] + - VDD_ARM (BUCK2): 0.81 - 0.9 - 1.05 [0.84] (1000MHz) + 0.90 - 1.0 - 1.05 [0.93] (1500MHz) + - VDD_GPU (BUCK3): 0.81 - 0.9 - 1.05 [0.85] (800MHz) + 0.90 - 1.0 - 1.05 [ -- ] (1000MHz) + - VDD_VPU (BUCK4): 0.81 - 0.9 - 1.05 [ -- ] (550/500/588MHz) + 0.90 - 1.0 - 1.05 [0.93] (660/600/800MHz) + +Idle power consumption doesn't appear to be influenced much, +but a simple load test (`cat /dev/urandom | pigz - > /dev/null` +combined with running Animatch) seems to show about 0.3W of +difference. + +Care is advised, as there may be differences between each +units in how low can they be undervolted - in my experience, +reaching that point usually makes the phone fail to boot. +In my case, it appears that my Birch phone can go down the most. + +This is a somewhat conservative set of values that I've seen +working well on all my devices; I haven't tried very hard to +optimize it, so more experiments are welcome. 
+ +Signed-off-by: Sebastian Krzyszkowiak +Signed-off-by: Martin Kepplinger +Signed-off-by: Shawn Guo +Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts | 2 - + arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 22 ++++++++++++++------ + 2 files changed, 17 insertions(+), 7 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts +@@ -12,7 +12,7 @@ + + &a53_opp_table { + opp-1000000000 { +- opp-microvolt = <1000000>; ++ opp-microvolt = <950000>; + }; + }; + +--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi +@@ -651,8 +651,8 @@ + regulator-max-microvolt = <1300000>; + regulator-boot-on; + regulator-ramp-delay = <1250>; +- rohm,dvs-run-voltage = <900000>; +- rohm,dvs-idle-voltage = <850000>; ++ rohm,dvs-run-voltage = <880000>; ++ rohm,dvs-idle-voltage = <820000>; + rohm,dvs-suspend-voltage = <800000>; + regulator-always-on; + }; +@@ -663,8 +663,8 @@ + regulator-max-microvolt = <1300000>; + regulator-boot-on; + regulator-ramp-delay = <1250>; +- rohm,dvs-run-voltage = <1000000>; +- rohm,dvs-idle-voltage = <900000>; ++ rohm,dvs-run-voltage = <950000>; ++ rohm,dvs-idle-voltage = <850000>; + regulator-always-on; + }; + +@@ -673,14 +673,14 @@ + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1300000>; + regulator-boot-on; +- rohm,dvs-run-voltage = <900000>; ++ rohm,dvs-run-voltage = <850000>; + }; + + buck4_reg: BUCK4 { + regulator-name = "buck4"; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1300000>; +- rohm,dvs-run-voltage = <1000000>; ++ rohm,dvs-run-voltage = <930000>; + }; + + buck5_reg: BUCK5 { +@@ -1117,3 +1117,13 @@ + fsl,ext-reset-output; + status = "okay"; + }; ++ ++&a53_opp_table { ++ opp-1000000000 { ++ opp-microvolt 
= <850000>; ++ }; ++ ++ opp-1500000000 { ++ opp-microvolt = <950000>; ++ }; ++}; diff --git a/queue-5.10/blk-mq-use-quiesced-elevator-switch-when-reinitializing-queues.patch b/queue-5.10/blk-mq-use-quiesced-elevator-switch-when-reinitializing-queues.patch new file mode 100644 index 0000000000..4c5f6a5911 --- /dev/null +++ b/queue-5.10/blk-mq-use-quiesced-elevator-switch-when-reinitializing-queues.patch 
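Review bot: The BUCK1 context this patch leaves behind (rohm,dvs-run-voltage 880000 / idle 820000 in the dtsi hunk) is what the queued 0.81V bump patch expects, while the 0.85V bump patch's context shows run 900000 / idle 850000, i.e. the values after the also-queued revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch; the batch therefore only applies if the revert is ordered between the two bumps. The series file is not part of this commit, so that ordering cannot be checked here, and it is worth confirming that the final dtsi after the whole batch matches upstream, since this patch's own message warns that lowered DVS values make some units fail to boot and it is only in the tree as a Stable-dep-of. The r3.dts opp-microvolt change in this patch's first hunk presumably disappears with the same revert.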
@@ -0,0 +1,114 @@ +From stable+bounces-219992-greg=kroah.com@vger.kernel.org Fri Feb 27 19:35:24 2026 +From: Brennan Lamoreaux +Date: Fri, 27 Feb 2026 11:01:50 -0800 +Subject: blk-mq: use quiesced elevator switch when reinitializing queues +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: axboe@kernel.dk, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Keith Busch , Ming Lei , Christoph Hellwig , Sasha Levin , Brennan Lamoreaux +Message-ID: <20260227190150.27445-1-brennan.lamoreaux@broadcom.com> + +From: Keith Busch + +[ Upstream commit 8237c01f1696bc53c470493bf1fe092a107648a6 ] + +The hctx's run_work may be racing with the elevator switch when +reinitializing hardware queues. The queue is merely frozen in this +context, but that only prevents requests from allocating and doesn't +stop the hctx work from running. The work may get an elevator pointer +that's being torn down, and can result in use-after-free errors and +kernel panics (example below). Use the quiesced elevator switch instead, +and make the previous one static since it is now only used locally. + + nvme nvme0: resetting controller + nvme nvme0: 32/0/0 default/read/poll queues + BUG: kernel NULL pointer dereference, address: 0000000000000008 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 80000020c8861067 P4D 80000020c8861067 PUD 250f8c8067 PMD 0 + Oops: 0000 [#1] SMP PTI + Workqueue: kblockd blk_mq_run_work_fn + RIP: 0010:kyber_has_work+0x29/0x70 + +... 
+ + Call Trace: + __blk_mq_do_dispatch_sched+0x83/0x2b0 + __blk_mq_sched_dispatch_requests+0x12e/0x170 + blk_mq_sched_dispatch_requests+0x30/0x60 + __blk_mq_run_hw_queue+0x2b/0x50 + process_one_work+0x1ef/0x380 + worker_thread+0x2d/0x3e0 + +Signed-off-by: Keith Busch +Reviewed-by: Ming Lei +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20220927155652.3260724-1-kbusch@fb.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Brennan Lamoreaux +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 6 +++--- + block/blk.h | 3 +-- + block/elevator.c | 4 ++-- + 3 files changed, 6 insertions(+), 7 deletions(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -3689,14 +3689,14 @@ static bool blk_mq_elv_switch_none(struc + + mutex_lock(&q->sysfs_lock); + /* +- * After elevator_switch_mq, the previous elevator_queue will be ++ * After elevator_switch, the previous elevator_queue will be + * released by elevator_release. The reference of the io scheduler + * module get by elevator_get will also be put. So we need to get + * a reference of the io scheduler module here to prevent it to be + * removed. 
+ */ + __module_get(qe->type->elevator_owner); +- elevator_switch_mq(q, NULL); ++ elevator_switch(q, NULL); + mutex_unlock(&q->sysfs_lock); + + return true; +@@ -3721,7 +3721,7 @@ static void blk_mq_elv_switch_back(struc + kfree(qe); + + mutex_lock(&q->sysfs_lock); +- elevator_switch_mq(q, t); ++ elevator_switch(q, t); + mutex_unlock(&q->sysfs_lock); + } + +--- a/block/blk.h ++++ b/block/blk.h +@@ -202,8 +202,7 @@ void blk_account_io_done(struct request + void blk_insert_flush(struct request *rq); + + void elevator_init_mq(struct request_queue *q); +-int elevator_switch_mq(struct request_queue *q, +- struct elevator_type *new_e); ++int elevator_switch(struct request_queue *q, struct elevator_type *new_e); + void __elevator_exit(struct request_queue *, struct elevator_queue *); + int elv_register_queue(struct request_queue *q, bool uevent); + void elv_unregister_queue(struct request_queue *q); +--- a/block/elevator.c ++++ b/block/elevator.c +@@ -572,7 +572,7 @@ void elv_unregister(struct elevator_type + } + EXPORT_SYMBOL_GPL(elv_unregister); + +-int elevator_switch_mq(struct request_queue *q, ++static int elevator_switch_mq(struct request_queue *q, + struct elevator_type *new_e) + { + int ret; +@@ -701,7 +701,7 @@ void elevator_init_mq(struct request_que + * need for the new one. this way we have a chance of going back to the old + * one, if the new one fails init for some reason. + */ +-static int elevator_switch(struct request_queue *q, struct elevator_type *new_e) ++int elevator_switch(struct request_queue *q, struct elevator_type *new_e) + { + int err; + diff --git a/queue-5.10/drivers-base-free-devm-resources-when-unregistering-a-device.patch b/queue-5.10/drivers-base-free-devm-resources-when-unregistering-a-device.patch new file mode 100644 index 0000000000..36ebf93591 --- /dev/null +++ b/queue-5.10/drivers-base-free-devm-resources-when-unregistering-a-device.patch 
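Review bot: blk_mq_elv_switch_none() now calls elevator_switch() while blk_mq_update_nr_hw_queues() already holds the queue frozen; the freeze side nests by refcount, but in this tree the quiesce/unquiesce pair that elevator_switch() is being chosen for is, as far as I can tell, a plain queue-flag set/clear rather than depth-counted, so a caller reaching this path with the queue already quiesced would have it unquiesced on return. Worth confirming against blk_mq_quiesce_queue()/blk_mq_unquiesce_queue() in 5.10 before merging, or at least documenting the precondition on blk_mq_elv_switch_none(), e.g. `/* Caller holds the queue frozen but not quiesced: elevator_switch() quiesces/unquiesces it. */`. The bodies of elevator_switch_mq() and elevator_switch() lie outside the hunk, so this is inferred from the commit message rather than from visible lines.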
@@ -0,0 +1,64 @@ +From stable+bounces-219716-greg=kroah.com@vger.kernel.org Wed Feb 25 22:26:46 2026 +From: Brennan Lamoreaux +Date: Wed, 25 Feb 2026 13:04:25 -0800 +Subject: drivers: base: Free devm resources when unregistering a device +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: rafael@kernel.org, tom.leiming@gmail.com, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, David Gow , Maxime Ripard , Sasha Levin , Brennan Lamoreaux +Message-ID: <20260225210425.2006074-1-brennan.lamoreaux@broadcom.com> + +From: David Gow + +[ Upstream commit 699fb50d99039a50e7494de644f96c889279aca3 ] + +In the current code, devres_release_all() only gets called if the device +has a bus and has been probed. + +This leads to issues when using bus-less or driver-less devices where +the device might never get freed if a managed resource holds a reference +to the device. This is happening in the DRM framework for example. + +We should thus call devres_release_all() in the device_del() function to +make sure that the device-managed actions are properly executed when the +device is unregistered, even if it has neither a bus nor a driver. + +This is effectively the same change than commit 2f8d16a996da ("devres: +release resources on device_del()") that got reverted by commit +a525a3ddeaca ("driver core: free devres in device_release") over +memory leaks concerns. + +This patch effectively combines the two commits mentioned above to +release the resources both on device_del() and device_release() and get +the best of both worlds. 
+ +Fixes: a525a3ddeaca ("driver core: free devres in device_release") +Signed-off-by: David Gow +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20230720-kunit-devm-inconsistencies-test-v3-3-6aa7e074f373@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Brennan Lamoreaux +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/core.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -3195,6 +3195,17 @@ void device_del(struct device *dev) + device_remove_properties(dev); + device_links_purge(dev); + ++ /* ++ * If a device does not have a driver attached, we need to clean ++ * up any managed resources. We do this in device_release(), but ++ * it's never called (and we leak the device) if a managed ++ * resource holds a reference to the device. So release all ++ * managed resources here, like we do in driver_detach(). We ++ * still need to do so again in device_release() in case someone ++ * adds a new resource after this point, though. ++ */ ++ devres_release_all(dev); ++ + if (dev->bus) + blocking_notifier_call_chain(&dev->bus->p->bus_notifier, + BUS_NOTIFY_REMOVED_DEVICE, dev); diff --git a/queue-5.10/fs-ocfs2-fix-comments-mentioning-i_mutex.patch b/queue-5.10/fs-ocfs2-fix-comments-mentioning-i_mutex.patch new file mode 100644 index 0000000000..1e9b9d5382 --- /dev/null +++ b/queue-5.10/fs-ocfs2-fix-comments-mentioning-i_mutex.patch 
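Review bot: The added devres_release_all() in device_del() releases every managed resource the device holds at that point, including ones the owner registered between device_initialize() and device_add(); the new comment only talks about resources added after this call. Any caller that device_del()s and later device_add()s the same struct device, expecting its pre-registration devm resources to survive, would now find them gone, and since device_del()'s body continues outside the hunk I cannot tell from here whether such callers exist in 5.10. I would extend the comment with the new contract, e.g. `* Note: this also drops devm resources registered before device_add(); a device must not be re-added after device_del() without re-registering them.`, and confirm that mainline still carries the upstream commit before queuing it, as the message itself records two earlier back-and-forth reverts in this exact spot.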
@@ -0,0 +1,209 @@ +From stable+bounces-239257-greg=kroah.com@vger.kernel.org Mon Apr 20 18:50:37 2026 +From: Sasha Levin +Date: Mon, 20 Apr 2026 10:58:32 -0400 +Subject: fs/ocfs2: fix comments mentioning i_mutex +To: stable@vger.kernel.org +Cc: hongnanli , Joseph Qi , Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Gang He , Jun Piao , Andrew Morton , Linus Torvalds , Sasha Levin +Message-ID: <20260420145833.1151197-1-sashal@kernel.org> + +From: hongnanli + +[ Upstream commit 137cebf9432eae024d0334953ed92a2a78619b52 ] + +inode->i_mutex has been replaced with inode->i_rwsem long ago. Fix +comments still mentioning i_mutex. + +Link: https://lkml.kernel.org/r/20220214031314.100094-1-hongnan.li@linux.alibaba.com +Signed-off-by: hongnanli +Acked-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Stable-dep-of: b02da26a992d ("ocfs2: fix possible deadlock between unlink and dio_end_io_write") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/alloc.c | 2 +- + fs/ocfs2/aops.c | 2 +- + fs/ocfs2/cluster/nodemanager.c | 2 +- + fs/ocfs2/dir.c | 4 ++-- + fs/ocfs2/file.c | 4 ++-- + fs/ocfs2/inode.c | 2 +- + fs/ocfs2/localalloc.c | 6 +++--- + fs/ocfs2/namei.c | 2 +- + fs/ocfs2/ocfs2.h | 4 ++-- + fs/ocfs2/quota_global.c | 2 +- + fs/ocfs2/xattr.c | 2 +- + 11 files changed, 16 insertions(+), 16 deletions(-) + +--- a/fs/ocfs2/alloc.c ++++ b/fs/ocfs2/alloc.c +@@ -5988,7 +5988,7 @@ bail: + return status; + } + +-/* Expects you to already be holding tl_inode->i_mutex */ ++/* Expects you to already be holding tl_inode->i_rwsem */ + int __ocfs2_flush_truncate_log(struct ocfs2_super *osb) + { + int status; +--- a/fs/ocfs2/aops.c ++++ b/fs/ocfs2/aops.c +@@ -2327,7 +2327,7 @@ static int ocfs2_dio_end_io_write(struct + + down_write(&oi->ip_alloc_sem); + +- /* Delete orphan before acquire i_mutex. 
*/ ++ /* Delete orphan before acquire i_rwsem. */ + if (dwc->dw_orphaned) { + BUG_ON(dwc->dw_writer_pid != task_pid_nr(current)); + +--- a/fs/ocfs2/cluster/nodemanager.c ++++ b/fs/ocfs2/cluster/nodemanager.c +@@ -691,7 +691,7 @@ static struct config_group *o2nm_cluster + struct o2nm_node_group *ns = NULL; + struct config_group *o2hb_group = NULL, *ret = NULL; + +- /* this runs under the parent dir's i_mutex; there can be only ++ /* this runs under the parent dir's i_rwsem; there can be only + * one caller in here at a time */ + if (o2nm_single_cluster) + return ERR_PTR(-ENOSPC); +--- a/fs/ocfs2/dir.c ++++ b/fs/ocfs2/dir.c +@@ -1981,7 +1981,7 @@ bail_nolock: + } + + /* +- * NOTE: this should always be called with parent dir i_mutex taken. ++ * NOTE: this should always be called with parent dir i_rwsem taken. + */ + int ocfs2_find_files_on_disk(const char *name, + int namelen, +@@ -2028,7 +2028,7 @@ int ocfs2_lookup_ino_from_name(struct in + * Return -EEXIST if the directory contains the name + * Return -EFSCORRUPTED if found corruption + * +- * Callers should have i_mutex + a cluster lock on dir ++ * Callers should have i_rwsem + a cluster lock on dir + */ + int ocfs2_check_dir_for_entry(struct inode *dir, + const char *name, +--- a/fs/ocfs2/file.c ++++ b/fs/ocfs2/file.c +@@ -272,7 +272,7 @@ int ocfs2_update_inode_atime(struct inod + + /* + * Don't use ocfs2_mark_inode_dirty() here as we don't always +- * have i_mutex to guard against concurrent changes to other ++ * have i_rwsem to guard against concurrent changes to other + * inode fields. + */ + inode->i_atime = current_time(inode); +@@ -1070,7 +1070,7 @@ static int ocfs2_extend_file(struct inod + /* + * The alloc sem blocks people in read/write from reading our + * allocation until we're done changing it. We depend on +- * i_mutex to block other extend/truncate calls while we're ++ * i_rwsem to block other extend/truncate calls while we're + * here. 
We even have to hold it for sparse files because there + * might be some tail zeroing. + */ +--- a/fs/ocfs2/inode.c ++++ b/fs/ocfs2/inode.c +@@ -715,7 +715,7 @@ bail: + /* + * Serialize with orphan dir recovery. If the process doing + * recovery on this orphan dir does an iget() with the dir +- * i_mutex held, we'll deadlock here. Instead we detect this ++ * i_rwsem held, we'll deadlock here. Instead we detect this + * and exit early - recovery will wipe this inode for us. + */ + static int ocfs2_check_orphan_recovery_state(struct ocfs2_super *osb, +--- a/fs/ocfs2/localalloc.c ++++ b/fs/ocfs2/localalloc.c +@@ -608,7 +608,7 @@ out: + + /* + * make sure we've got at least bits_wanted contiguous bits in the +- * local alloc. You lose them when you drop i_mutex. ++ * local alloc. You lose them when you drop i_rwsem. + * + * We will add ourselves to the transaction passed in, but may start + * our own in order to shift windows. +@@ -638,7 +638,7 @@ int ocfs2_reserve_local_alloc_bits(struc + + /* + * We must double check state and allocator bits because +- * another process may have changed them while holding i_mutex. ++ * another process may have changed them while holding i_rwsem. + */ + spin_lock(&osb->osb_lock); + if (!ocfs2_la_state_enabled(osb) || +@@ -1031,7 +1031,7 @@ enum ocfs2_la_event { + /* + * Given an event, calculate the size of our next local alloc window. + * +- * This should always be called under i_mutex of the local alloc inode ++ * This should always be called under i_rwsem of the local alloc inode + * so that local alloc disabling doesn't race with processes trying to + * use the allocator. + * +--- a/fs/ocfs2/namei.c ++++ b/fs/ocfs2/namei.c +@@ -485,7 +485,7 @@ leave: + ocfs2_free_alloc_context(meta_ac); + + /* +- * We should call iput after the i_mutex of the bitmap been ++ * We should call iput after the i_rwsem of the bitmap been + * unlocked in ocfs2_free_alloc_context, or the + * ocfs2_delete_inode will mutex_lock again. 
+ */ +--- a/fs/ocfs2/ocfs2.h ++++ b/fs/ocfs2/ocfs2.h +@@ -371,7 +371,7 @@ struct ocfs2_super + struct delayed_work la_enable_wq; + + /* +- * Must hold local alloc i_mutex and osb->osb_lock to change ++ * Must hold local alloc i_rwsem and osb->osb_lock to change + * local_alloc_bits. Reads can be done under either lock. + */ + unsigned int local_alloc_bits; +@@ -446,7 +446,7 @@ struct ocfs2_super + atomic_t osb_tl_disable; + /* + * How many clusters in our truncate log. +- * It must be protected by osb_tl_inode->i_mutex. ++ * It must be protected by osb_tl_inode->i_rwsem. + */ + unsigned int truncated_clusters; + +--- a/fs/ocfs2/quota_global.c ++++ b/fs/ocfs2/quota_global.c +@@ -36,7 +36,7 @@ + * should be obeyed by all the functions: + * - any write of quota structure (either to local or global file) is protected + * by dqio_sem or dquot->dq_lock. +- * - any modification of global quota file holds inode cluster lock, i_mutex, ++ * - any modification of global quota file holds inode cluster lock, i_rwsem, + * and ip_alloc_sem of the global quota file (achieved by + * ocfs2_lock_global_qf). It also has to hold qinfo_lock. + * - an allocation of new blocks for local quota file is protected by +--- a/fs/ocfs2/xattr.c ++++ b/fs/ocfs2/xattr.c +@@ -7210,7 +7210,7 @@ out: + * Used for reflink a non-preserve-security file. + * + * It uses common api like ocfs2_xattr_set, so the caller +- * must not hold any lock expect i_mutex. ++ * must not hold any lock expect i_rwsem. + */ + int ocfs2_init_security_and_acl(struct inode *dir, + struct inode *inode, diff --git a/queue-5.10/mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch b/queue-5.10/mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch new file mode 100644 index 0000000000..07f359a3f0 --- /dev/null +++ b/queue-5.10/mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch 
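Review bot: Two of the rewritten comments still carry wording the rename did not touch: namei.c keeps `ocfs2_delete_inode will mutex_lock again` although the lock is now i_rwsem (taken with inode_lock()), and xattr.c keeps `must not hold any lock expect i_rwsem`, where "expect" should read "except". Since this is a stable backport of a comment-only upstream change, the fix belongs upstream first; a follow-up could change the two lines to `* ocfs2_delete_inode will take i_rwsem again.` and `* must not hold any lock except i_rwsem.`.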
@@ -0,0 +1,47 @@ +From stable+bounces-223007-greg=kroah.com@vger.kernel.org Wed Mar 4 08:37:06 2026 +From: Joonwon Kang +Date: Wed, 4 Mar 2026 07:36:09 +0000 +Subject: mailbox: Prevent out-of-bounds access in of_mbox_index_xlate() +To: stable@vger.kernel.org, jassisinghbrar@gmail.com +Cc: linux-kernel@vger.kernel.org, sashal@kernel.org, Joonwon Kang +Message-ID: <20260304073609.3228532-1-joonwonkang@google.com> + +From: Joonwon Kang + +[ Upstream commit fcd7f96c783626c07ee3ed75fa3739a8a2052310 ] + +Although it is guided that `#mbox-cells` must be at least 1, there are +many instances of `#mbox-cells = <0>;` in the device tree. If that is +the case and the corresponding mailbox controller does not provide +`fw_xlate` and of_xlate` function pointers, `of_mbox_index_xlate()` will +be used by default and out-of-bounds accesses could occur due to lack of +bounds check in that function. + +Cc: stable@vger.kernel.org +Signed-off-by: Joonwon Kang +Signed-off-by: Jassi Brar +[ changed sp->nargs to sp->args_count in the code and +fw_mbox_index_xlate() to of_mbox_index_xlate() in the commit message. ] +Signed-off-by: Joonwon Kang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mailbox/mailbox.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/mailbox/mailbox.c ++++ b/drivers/mailbox/mailbox.c +@@ -468,12 +468,10 @@ static struct mbox_chan * + of_mbox_index_xlate(struct mbox_controller *mbox, + const struct of_phandle_args *sp) + { +- int ind = sp->args[0]; +- +- if (ind >= mbox->num_chans) ++ if (sp->args_count < 1 || sp->args[0] >= mbox->num_chans) + return ERR_PTR(-EINVAL); + +- return &mbox->chans[ind]; ++ return &mbox->chans[sp->args[0]]; + } + + /** diff --git a/queue-5.10/mm-blk-cgroup-fix-use-after-free-in-cgwb_release_workfn.patch b/queue-5.10/mm-blk-cgroup-fix-use-after-free-in-cgwb_release_workfn.patch new file mode 100644 index 0000000000..ffa8276cee --- /dev/null 
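Review bot: The new guard `sp->args[0] >= mbox->num_chans` is a mixed-sign comparison — with `args[]` being `uint32_t` and `num_chans` an `int` in the mainline definitions (confirm for 5.10), the promotion to unsigned is what now rejects cell values that the old `int ind` would have turned negative, but nothing in the code says that this is relied upon, and a negative `num_chans` would accept every index. A one-line comment makes the intent explicit: `/* unsigned compare: rejects a missing cell and any args[0] >= num_chans, including values that would be negative as int */`. The whole body of of_mbox_index_xlate is visible in the hunk.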
+++ b/queue-5.10/mm-blk-cgroup-fix-use-after-free-in-cgwb_release_workfn.patch 
@@ -0,0 +1,91 @@ +From stable+bounces-239970-greg=kroah.com@vger.kernel.org Mon Apr 20 20:22:48 2026 +From: Sasha Levin +Date: Mon, 20 Apr 2026 13:37:02 -0400 +Subject: mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() +To: stable@vger.kernel.org +Cc: Breno Leitao , Dennis Zhou , Shakeel Butt , David Hildenbrand , Jens Axboe , Johannes Weiner , Josef Bacik , JP Kobryn , Liam Howlett , "Lorenzo Stoakes (Oracle)" , Martin KaFai Lau , Michal Hocko , Mike Rapoport , Suren Baghdasaryan , Tejun Heo , Andrew Morton , Sasha Levin +Message-ID: <20260420173702.1427727-1-sashal@kernel.org> + +From: Breno Leitao + +[ Upstream commit 8f5857be99f1ed1fa80991c72449541f634626ee ] + +cgwb_release_workfn() calls css_put(wb->blkcg_css) and then later accesses +wb->blkcg_css again via blkcg_unpin_online(). If css_put() drops the last +reference, the blkcg can be freed asynchronously (css_free_rwork_fn -> +blkcg_css_free -> kfree) before blkcg_unpin_online() dereferences the +pointer to access blkcg->online_pin, resulting in a use-after-free: + + BUG: KASAN: slab-use-after-free in blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) + Write of size 4 at addr ff11000117aa6160 by task kworker/71:1/531 + Workqueue: cgwb_release cgwb_release_workfn + Call Trace: + + blkcg_unpin_online (./include/linux/instrumented.h:112 ./include/linux/atomic/atomic-instrumented.h:400 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 block/blk-cgroup.c:1367) + cgwb_release_workfn (mm/backing-dev.c:629) + process_scheduled_works (kernel/workqueue.c:3278 kernel/workqueue.c:3385) + + Freed by task 1016: + kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6246 mm/slub.c:6561) + css_free_rwork_fn (kernel/cgroup/cgroup.c:5542) + process_scheduled_works (kernel/workqueue.c:3302 
kernel/workqueue.c:3385) + +** Stack based on commit 66672af7a095 ("Add linux-next specific files +for 20260410") + +I am seeing this crash sporadically in Meta fleet across multiple kernel +versions. A full reproducer is available at: +https://github.com/leitao/debug/blob/main/reproducers/repro_blkcg_uaf.sh + +(The race window is narrow. To make it easily reproducible, inject a +msleep(100) between css_put() and blkcg_unpin_online() in +cgwb_release_workfn(). With that delay and a KASAN-enabled kernel, the +reproducer triggers the splat reliably in less than a second.) + +Fix this by moving blkcg_unpin_online() before css_put(), so the +cgwb's CSS reference keeps the blkcg alive while blkcg_unpin_online() +accesses it. + +Link: https://lore.kernel.org/20260413-blkcg-v1-1-35b72622d16c@debian.org +Fixes: 59b57717fff8 ("blkcg: delay blkg destruction until after writeback has finished") +Signed-off-by: Breno Leitao +Reviewed-by: Dennis Zhou +Reviewed-by: Shakeel Butt +Cc: David Hildenbrand +Cc: Jens Axboe +Cc: Johannes Weiner +Cc: Josef Bacik +Cc: JP Kobryn +Cc: Liam Howlett +Cc: Lorenzo Stoakes (Oracle) +Cc: Martin KaFai Lau +Cc: Michal Hocko +Cc: Mike Rapoport +Cc: Suren Baghdasaryan +Cc: Tejun Heo +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/backing-dev.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/mm/backing-dev.c ++++ b/mm/backing-dev.c +@@ -397,12 +397,13 @@ static void cgwb_release_workfn(struct w + wb_shutdown(wb); + + css_put(wb->memcg_css); +- css_put(wb->blkcg_css); +- mutex_unlock(&wb->bdi->cgwb_release_mutex); + + /* triggers blkg destruction if no online users left */ + blkcg_unpin_online(blkcg); + ++ css_put(wb->blkcg_css); ++ mutex_unlock(&wb->bdi->cgwb_release_mutex); ++ + fprop_local_destroy_percpu(&wb->memcg_completions); + wb_exit(wb); + call_rcu(&wb->rcu, cgwb_free_rcu); 
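Review bot: The ordering this hunk establishes — `blkcg_unpin_online(blkcg)` before `css_put(wb->blkcg_css)` — is load-bearing, yet the only comment nearby describes what blkcg_unpin_online does, not why the put must come after it. A comment at the relocated put, `/* Keep the blkcg alive until blkcg_unpin_online() has run: dropping this ref earlier lets the blkcg be freed under it */`, would stop a future tidy-up from reintroducing the use-after-free. Note that `mutex_unlock(&wb->bdi->cgwb_release_mutex)` moves as well, so blkcg_unpin_online() now runs under the release mutex; this mirrors the upstream commit but is worth confirming against 5.10's blkcg_unpin_online locking. cgwb_release_workfn starts outside the hunk, where `blkcg` is presumably derived from `wb->blkcg_css`.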
diff --git a/queue-5.10/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch b/queue-5.10/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
new file mode 100644
index 0000000000..8786b66cd2
--- /dev/null
+++ b/queue-5.10/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
@@ -0,0 +1,53 @@ +From stable+bounces-236699-greg=kroah.com@vger.kernel.org Mon Apr 13 18:42:32 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 12:26:09 -0400 +Subject: ocfs2: add inline inode consistency check to ocfs2_validate_inode_block() +To: stable@vger.kernel.org +Cc: Dmitry Antipov , syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com, Joseph Qi , Joseph Qi , Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin +Message-ID: <20260413162611.3289109-1-sashal@kernel.org> + +From: Dmitry Antipov + +[ Upstream commit a2b1c419ff72ec62ff5831684e30cd1d4f0b09ee ] + +In 'ocfs2_validate_inode_block()', add an extra check whether an inode +with inline data (i.e. self-contained) has no clusters, thus preventing +an invalid inode from being passed to 'ocfs2_evict_inode()' and below. + +Link: https://lkml.kernel.org/r/20251023141650.417129-1-dmantipov@yandex.ru +Signed-off-by: Dmitry Antipov +Reported-by: syzbot+c16daba279a1161acfb0@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c16daba279a1161acfb0 +Reviewed-by: Joseph Qi +Cc: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: Heming Zhao +Signed-off-by: Andrew Morton +Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/inode.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/fs/ocfs2/inode.c ++++ b/fs/ocfs2/inode.c +@@ -1418,6 +1418,14 @@ int ocfs2_validate_inode_block(struct su + goto bail; + } + ++ if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) && ++ le32_to_cpu(di->i_clusters)) { ++ rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n", ++ (unsigned long long)bh->b_blocknr, ++ le32_to_cpu(di->i_clusters)); ++ goto bail; ++ } ++ + rc = 0; + + bail: 
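Review bot: The new message `"Invalid dinode %llu: %u clusters\n"` omits the `#` that the other dinode checks use — the i_size and id_count checks added by the ocfs2-validate-inline-data-i_size and ocfs2-fix-out-of-bounds-write patches in this same commit print `"Invalid dinode #%llu: ..."` — so anyone grepping logs for `dinode #` misses this rejection. `rc = ocfs2_error(sb, "Invalid dinode #%llu: %u clusters\n",` keeps the family consistent, and the same string is carried forward verbatim into the later i_size hunk, so it would need the fix there too. ocfs2_validate_inode_block starts and ends outside the hunk.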
diff --git a/queue-5.10/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch b/queue-5.10/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
new file mode 100644
index 0000000000..316a3db7ea
--- /dev/null
+++ b/queue-5.10/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
@@ -0,0 +1,77 @@ +From stable+bounces-236702-greg=kroah.com@vger.kernel.org Mon Apr 13 18:27:49 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 12:26:11 -0400 +Subject: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline +To: stable@vger.kernel.org +Cc: Joseph Qi , syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com, Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin +Message-ID: <20260413162611.3289109-3-sashal@kernel.org> + +From: Joseph Qi + +[ Upstream commit 7bc5da4842bed3252d26e742213741a4d0ac1b14 ] + +KASAN reports a use-after-free write of 4086 bytes in +ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a +copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on +a loop device. The actual bug is an out-of-bounds write past the inode +block buffer, not a true use-after-free. The write overflows into an +adjacent freed page, which KASAN reports as UAF. + +The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk +id_count field to determine whether a write fits in inline data. On a +corrupted filesystem, id_count can exceed the physical maximum inline data +capacity, causing writes to overflow the inode block buffer. + +Call trace (crash path): + + vfs_copy_file_range (fs/read_write.c:1634) + do_splice_direct + splice_direct_to_actor + iter_file_splice_write + ocfs2_file_write_iter + generic_perform_write + ocfs2_write_end + ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949) + ocfs2_write_end_inline (fs/ocfs2/aops.c:1915) + memcpy_from_folio <-- KASAN: write OOB + +So add id_count upper bound check in ocfs2_validate_inode_block() to +alongside the existing i_size check to fix it. 
+ +Link: https://lkml.kernel.org/r/20260403063830.3662739-1-joseph.qi@linux.alibaba.com +Signed-off-by: Joseph Qi +Reported-by: syzbot+62c1793956716ea8b28a@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=62c1793956716ea8b28a +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: Heming Zhao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/inode.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/fs/ocfs2/inode.c ++++ b/fs/ocfs2/inode.c +@@ -1429,6 +1429,16 @@ int ocfs2_validate_inode_block(struct su + goto bail; + } + ++ if (le16_to_cpu(data->id_count) > ++ ocfs2_max_inline_data_with_xattr(sb, di)) { ++ rc = ocfs2_error(sb, ++ "Invalid dinode #%llu: inline data id_count %u exceeds max %d\n", ++ (unsigned long long)bh->b_blocknr, ++ le16_to_cpu(data->id_count), ++ ocfs2_max_inline_data_with_xattr(sb, di)); ++ goto bail; ++ } ++ + if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) { + rc = ocfs2_error(sb, + "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n", diff --git a/queue-5.10/ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch b/queue-5.10/ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch new file mode 100644 index 0000000000..e7e003cc2c --- /dev/null +++ b/queue-5.10/ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch 
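Review bot: `ocfs2_max_inline_data_with_xattr(sb, di)` is evaluated twice, once in the condition and again for the message; hoisting it, `int max_inline = ocfs2_max_inline_data_with_xattr(sb, di);`, removes the repeat and gives the bound a place to be documented. If that helper matches its upstream definition in ocfs2.h, it subtracts `di->i_xattr_inline_size` — another on-disk, attacker-controllable field — from the block size and returns `int`, so on a corrupted inode the bound can go negative; the comparison against the int-promoted `id_count` is then signed and rejects every value, which is the fail-closed outcome but deserves a comment such as `/* max may be negative on a corrupted i_xattr_inline_size; any id_count is then rejected */` rather than being left to the promotion rules. The enclosing `OCFS2_INLINE_DATA_FL` block and the function both start outside the hunk.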
@@ -0,0 +1,86 @@ +From stable+bounces-239258-greg=kroah.com@vger.kernel.org Mon Apr 20 18:10:16 2026 +From: Sasha Levin +Date: Mon, 20 Apr 2026 10:58:33 -0400 +Subject: ocfs2: fix possible deadlock between unlink and dio_end_io_write +To: stable@vger.kernel.org +Cc: Joseph Qi , syzbot+67b90111784a3eac8c04@syzkaller.appspotmail.com, Heming Zhao , Mark Fasheh , Joel Becker , Junxiao Bi , Joseph Qi , Changwei Ge , Jun Piao , Andrew Morton , Sasha Levin +Message-ID: <20260420145833.1151197-2-sashal@kernel.org> + +From: Joseph Qi + +[ Upstream commit b02da26a992db0c0e2559acbda0fc48d4a2fd337 ] + +ocfs2_unlink takes orphan dir inode_lock first and then ip_alloc_sem, +while in ocfs2_dio_end_io_write, it acquires these locks in reverse order. +This creates an ABBA lock ordering violation on lock classes +ocfs2_sysfile_lock_key[ORPHAN_DIR_SYSTEM_INODE] and +ocfs2_file_ip_alloc_sem_key. + +Lock Chain #0 (orphan dir inode_lock -> ip_alloc_sem): +ocfs2_unlink + ocfs2_prepare_orphan_dir + ocfs2_lookup_lock_orphan_dir + inode_lock(orphan_dir_inode) <- lock A + __ocfs2_prepare_orphan_dir + ocfs2_prepare_dir_for_insert + ocfs2_extend_dir + ocfs2_expand_inline_dir + down_write(&oi->ip_alloc_sem) <- Lock B + +Lock Chain #1 (ip_alloc_sem -> orphan dir inode_lock): +ocfs2_dio_end_io_write + down_write(&oi->ip_alloc_sem) <- Lock B + ocfs2_del_inode_from_orphan() + inode_lock(orphan_dir_inode) <- Lock A + +Deadlock Scenario: + CPU0 (unlink) CPU1 (dio_end_io_write) + ------ ------ + inode_lock(orphan_dir_inode) + down_write(ip_alloc_sem) + down_write(ip_alloc_sem) + inode_lock(orphan_dir_inode) + +Since ip_alloc_sem is to protect allocation changes, which is unrelated +with operations in ocfs2_del_inode_from_orphan. So move +ocfs2_del_inode_from_orphan out of ip_alloc_sem to fix the deadlock. 
+ +Link: https://lkml.kernel.org/r/20260306032211.1016452-1-joseph.qi@linux.alibaba.com +Reported-by: syzbot+67b90111784a3eac8c04@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=67b90111784a3eac8c04 +Fixes: a86a72a4a4e0 ("ocfs2: take ip_alloc_sem in ocfs2_dio_get_block & ocfs2_dio_end_io_write") +Signed-off-by: Joseph Qi +Reviewed-by: Heming Zhao +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Cc: Jun Piao +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/aops.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/ocfs2/aops.c ++++ b/fs/ocfs2/aops.c +@@ -2325,8 +2325,6 @@ static int ocfs2_dio_end_io_write(struct + goto out; + } + +- down_write(&oi->ip_alloc_sem); +- + /* Delete orphan before acquire i_rwsem. */ + if (dwc->dw_orphaned) { + BUG_ON(dwc->dw_writer_pid != task_pid_nr(current)); +@@ -2339,6 +2337,7 @@ static int ocfs2_dio_end_io_write(struct + mlog_errno(ret); + } + ++ down_write(&oi->ip_alloc_sem); + di = (struct ocfs2_dinode *)di_bh->b_data; + + ocfs2_init_dinode_extent_tree(&et, INODE_CACHE(inode), di_bh); diff --git a/queue-5.10/ocfs2-validate-inline-data-i_size-during-inode-read.patch b/queue-5.10/ocfs2-validate-inline-data-i_size-during-inode-read.patch new file mode 100644 index 0000000000..01106f92df --- /dev/null +++ b/queue-5.10/ocfs2-validate-inline-data-i_size-during-inode-read.patch 
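Review bot: The comment `/* Delete orphan before acquire i_rwsem. */` that now sits where `down_write(&oi->ip_alloc_sem)` used to be no longer states the reason the order matters, and the lock-order argument from the commit message should be in the code where the next refactor will read it. Suggest `/* Delete orphan before taking i_rwsem and ip_alloc_sem: ocfs2_unlink takes the orphan dir inode_lock before ip_alloc_sem, so taking it here under ip_alloc_sem inverts that order. */`. Also confirm that no early exit between the orphan deletion and the relocated `down_write()` pairs with an `up_write()` on the exit path, since the semaphore is now held for a shorter stretch; ocfs2_dio_end_io_write begins and ends outside the hunk.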
@@ -0,0 +1,88 @@ +From stable+bounces-236700-greg=kroah.com@vger.kernel.org Mon Apr 13 18:27:45 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 12:26:10 -0400 +Subject: ocfs2: validate inline data i_size during inode read +To: stable@vger.kernel.org +Cc: Deepanshu Kartikey , syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com, Joseph Qi , Mark Fasheh , Joel Becker , Junxiao Bi , Changwei Ge , Jun Piao , Heming Zhao , Andrew Morton , Sasha Levin +Message-ID: <20260413162611.3289109-2-sashal@kernel.org> + +From: Deepanshu Kartikey + +[ Upstream commit 1524af3685b35feac76662cc551cbc37bd14775f ] + +When reading an inode from disk, ocfs2_validate_inode_block() performs +various sanity checks but does not validate the size of inline data. If +the filesystem is corrupted, an inode's i_size can exceed the actual +inline data capacity (id_count). + +This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data +buffer, triggering a use-after-free when accessing directory entries from +freed memory. + +In the syzbot report: + - i_size was 1099511627576 bytes (~1TB) + - Actual inline data capacity (id_count) is typically <256 bytes + - A garbage rec_len (54648) caused ctx->pos to jump out of bounds + - This triggered a UAF in ocfs2_check_dir_entry() + +Fix by adding a validation check in ocfs2_validate_inode_block() to ensure +inodes with inline data have i_size <= id_count. This catches the +corruption early during inode read and prevents all downstream code from +operating on invalid data. 
+ +Link: https://lkml.kernel.org/r/20251212052132.16750-1-kartikey406@gmail.com +Signed-off-by: Deepanshu Kartikey +Reported-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=c897823f699449cc3eb4 +Tested-by: syzbot+c897823f699449cc3eb4@syzkaller.appspotmail.com +Link: https://lore.kernel.org/all/20251211115231.3560028-1-kartikey406@gmail.com/T/ [v1] +Link: https://lore.kernel.org/all/20251212040400.6377-1-kartikey406@gmail.com/T/ [v2] +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Jun Piao +Cc: Heming Zhao +Signed-off-by: Andrew Morton +Stable-dep-of: 7bc5da4842be ("ocfs2: fix out-of-bounds write in ocfs2_write_end_inline") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/inode.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +--- a/fs/ocfs2/inode.c ++++ b/fs/ocfs2/inode.c +@@ -1418,12 +1418,25 @@ int ocfs2_validate_inode_block(struct su + goto bail; + } + +- if ((le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) && +- le32_to_cpu(di->i_clusters)) { +- rc = ocfs2_error(sb, "Invalid dinode %llu: %u clusters\n", +- (unsigned long long)bh->b_blocknr, +- le32_to_cpu(di->i_clusters)); +- goto bail; ++ if (le16_to_cpu(di->i_dyn_features) & OCFS2_INLINE_DATA_FL) { ++ struct ocfs2_inline_data *data = &di->id2.i_data; ++ ++ if (le32_to_cpu(di->i_clusters)) { ++ rc = ocfs2_error(sb, ++ "Invalid dinode %llu: %u clusters\n", ++ (unsigned long long)bh->b_blocknr, ++ le32_to_cpu(di->i_clusters)); ++ goto bail; ++ } ++ ++ if (le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)) { ++ rc = ocfs2_error(sb, ++ "Invalid dinode #%llu: inline data i_size %llu exceeds id_count %u\n", ++ (unsigned long long)bh->b_blocknr, ++ (unsigned long long)le64_to_cpu(di->i_size), ++ le16_to_cpu(data->id_count)); ++ goto bail; ++ } + } + + rc = 0; 
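Review bot: The two rejections inside the new inline-data branch carry no comment stating the invariant they enforce, which is what a reader needs in order to judge any later change to the checks. A short lead-in above the `struct ocfs2_inline_data *data = &di->id2.i_data;` declaration, `/* Inline data lives entirely in the dinode block: such an inode owns no clusters and i_size cannot exceed id_count. */`, would do. The comparison `le64_to_cpu(di->i_size) > le16_to_cpu(data->id_count)` is correct as written since the u16 is widened to u64 before the compare. ocfs2_validate_inode_block starts outside the hunk.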
diff --git a/queue-5.10/powerpc64-bpf-do-not-increment-tailcall-count-when-prog-is-null.patch b/queue-5.10/powerpc64-bpf-do-not-increment-tailcall-count-when-prog-is-null.patch
new file mode 100644
index 0000000000..87fec6482f
--- /dev/null
+++ b/queue-5.10/powerpc64-bpf-do-not-increment-tailcall-count-when-prog-is-null.patch
@@ -0,0 +1,74 @@ +From 521bd39d9d28ce54cbfec7f9b89c94ad4fdb8350 Mon Sep 17 00:00:00 2001 +From: Hari Bathini +Date: Tue, 3 Mar 2026 23:40:25 +0530 +Subject: powerpc64/bpf: do not increment tailcall count when prog is NULL + +From: Hari Bathini + +commit 521bd39d9d28ce54cbfec7f9b89c94ad4fdb8350 upstream. + +Do not increment tailcall count, if tailcall did not succeed due to +missing BPF program. + +Fixes: ce0761419fae ("powerpc/bpf: Implement support for tail calls") +Cc: stable@vger.kernel.org +Tested-by: Venkat Rao Bagalkote +Signed-off-by: Hari Bathini +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/20260303181031.390073-2-hbathini@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +[ Conflicts due to missing clean up commits + b10cb163c4b3 ("powerpc64/bpf elfv2: Setup kernel TOC in r2 on entry") + 49c3af43e65f ("powerpc/bpf: Simplify bpf_to_ppc() and adopt it for powerpc64") + 036d559c0bde ("powerpc/bpf: Use _Rn macros for GPRs") + and missing feature commit 2ed2d8f6fb38 ("powerpc64/bpf: Support + tailcalls with subprogs") resolved accordingly. 
] +Signed-off-by: Hari Bathini +--- + arch/powerpc/net/bpf_jit_comp64.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/arch/powerpc/net/bpf_jit_comp64.c ++++ b/arch/powerpc/net/bpf_jit_comp64.c +@@ -257,30 +257,32 @@ static int bpf_jit_emit_tail_call(u32 *i + * tail_call_cnt++; + */ + EMIT(PPC_RAW_ADDI(b2p[TMP_REG_1], b2p[TMP_REG_1], 1)); +- PPC_BPF_STL(b2p[TMP_REG_1], 1, bpf_jit_stack_tailcallcnt(ctx)); + + /* prog = array->ptrs[index]; */ +- EMIT(PPC_RAW_MULI(b2p[TMP_REG_1], b2p_index, 8)); +- EMIT(PPC_RAW_ADD(b2p[TMP_REG_1], b2p[TMP_REG_1], b2p_bpf_array)); +- PPC_BPF_LL(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_array, ptrs)); ++ EMIT(PPC_RAW_MULI(b2p[TMP_REG_2], b2p_index, 8)); ++ EMIT(PPC_RAW_ADD(b2p[TMP_REG_2], b2p[TMP_REG_2], b2p_bpf_array)); ++ PPC_BPF_LL(b2p[TMP_REG_2], b2p[TMP_REG_2], offsetof(struct bpf_array, ptrs)); + + /* + * if (prog == NULL) + * goto out; + */ +- EMIT(PPC_RAW_CMPLDI(b2p[TMP_REG_1], 0)); ++ EMIT(PPC_RAW_CMPLDI(b2p[TMP_REG_2], 0)); + PPC_BCC(COND_EQ, out); + + /* goto *(prog->bpf_func + prologue_size); */ +- PPC_BPF_LL(b2p[TMP_REG_1], b2p[TMP_REG_1], offsetof(struct bpf_prog, bpf_func)); ++ PPC_BPF_LL(b2p[TMP_REG_2], b2p[TMP_REG_2], offsetof(struct bpf_prog, bpf_func)); + #ifdef PPC64_ELF_ABI_v1 + /* skip past the function descriptor */ +- EMIT(PPC_RAW_ADDI(b2p[TMP_REG_1], b2p[TMP_REG_1], ++ EMIT(PPC_RAW_ADDI(b2p[TMP_REG_2], b2p[TMP_REG_2], + FUNCTION_DESCR_SIZE + BPF_TAILCALL_PROLOGUE_SIZE)); + #else +- EMIT(PPC_RAW_ADDI(b2p[TMP_REG_1], b2p[TMP_REG_1], BPF_TAILCALL_PROLOGUE_SIZE)); ++ EMIT(PPC_RAW_ADDI(b2p[TMP_REG_2], b2p[TMP_REG_2], BPF_TAILCALL_PROLOGUE_SIZE)); + #endif +- EMIT(PPC_RAW_MTCTR(b2p[TMP_REG_1])); ++ EMIT(PPC_RAW_MTCTR(b2p[TMP_REG_2])); ++ ++ /* Writeback updated tailcall count */ ++ PPC_BPF_STL(b2p[TMP_REG_1], 1, bpf_jit_stack_tailcallcnt(ctx)); + + /* tear down stack, restore NVRs, ... */ + bpf_jit_emit_common_epilogue(image, ctx); 
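Review bot: After this change `b2p[TMP_REG_1]` holds the incremented tailcall count from the `PPC_RAW_ADDI` all the way down to the writeback after `PPC_RAW_MTCTR`, so it must not be reused as scratch anywhere in between — the hunk moves that work to TMP_REG_2, but nothing in the emitted-code comments marks TMP_REG_1 as live. A comment at the increment, `/* TMP_REG_1 now holds the updated count; it is stored only once prog != NULL (see writeback below) */`, would protect the invariant, and the `out:` path then correctly leaves the on-stack count untouched when the lookup fails. bpf_jit_emit_tail_call starts outside the hunk, where the `MAX_TAIL_CALL_CNT` comparison presumably precedes the increment.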
diff --git a/queue-5.10/revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch b/queue-5.10/revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
new file mode 100644
index 0000000000..b8d20dc6a7
--- /dev/null
+++ b/queue-5.10/revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
@@ -0,0 +1,97 @@ +From stable+bounces-236125-greg=kroah.com@vger.kernel.org Mon Apr 13 17:04:45 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 10:58:03 -0400 +Subject: Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower" +To: stable@vger.kernel.org +Cc: Sebastian Krzyszkowiak , Frank Li , Sasha Levin +Message-ID: <20260413145804.2968471-6-sashal@kernel.org> + +From: Sebastian Krzyszkowiak + +[ Upstream commit 4cd46ea0eb4504f7f4fea92cb4601c5c9a3e545e ] + +This reverts commit c24a9b698fb02cd0723fa8375abab07f94b97b10. + +It's been found that there's a significant per-unit variance in accepted +supply voltages and the current set still makes some units unstable. + +Revert back to nominal values. + +Cc: stable@vger.kernel.org +Fixes: c24a9b698fb0 ("arm64: dts: imx8mq-librem5: Set the DVS voltages lower") +Signed-off-by: Sebastian Krzyszkowiak +Signed-off-by: Frank Li +Stable-dep-of: 511f76bf1dce ("arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts | 2 - + arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 22 +++++--------------- + 2 files changed, 7 insertions(+), 17 deletions(-) + +--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5-r3.dts +@@ -12,7 +12,7 @@ + + &a53_opp_table { + opp-1000000000 { +- opp-microvolt = <950000>; ++ opp-microvolt = <1000000>; + }; + }; + +--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi +@@ -651,8 +651,8 @@ + regulator-max-microvolt = <1300000>; + regulator-boot-on; + regulator-ramp-delay = <1250>; +- rohm,dvs-run-voltage = <880000>; +- rohm,dvs-idle-voltage = <820000>; ++ rohm,dvs-run-voltage = <900000>; ++ rohm,dvs-idle-voltage = <850000>; + rohm,dvs-suspend-voltage = <810000>; + regulator-always-on; + }; +@@ -663,8 +663,8 @@ + regulator-max-microvolt = <1300000>; + 
regulator-boot-on; + regulator-ramp-delay = <1250>; +- rohm,dvs-run-voltage = <950000>; +- rohm,dvs-idle-voltage = <850000>; ++ rohm,dvs-run-voltage = <1000000>; ++ rohm,dvs-idle-voltage = <900000>; + regulator-always-on; + }; + +@@ -673,14 +673,14 @@ + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1300000>; + regulator-boot-on; +- rohm,dvs-run-voltage = <850000>; ++ rohm,dvs-run-voltage = <900000>; + }; + + buck4_reg: BUCK4 { + regulator-name = "buck4"; + regulator-min-microvolt = <700000>; + regulator-max-microvolt = <1300000>; +- rohm,dvs-run-voltage = <930000>; ++ rohm,dvs-run-voltage = <1000000>; + }; + + buck5_reg: BUCK5 { +@@ -1117,13 +1117,3 @@ + fsl,ext-reset-output; + status = "okay"; + }; +- +-&a53_opp_table { +- opp-1000000000 { +- opp-microvolt = <850000>; +- }; +- +- opp-1500000000 { +- opp-microvolt = <950000>; +- }; +-}; diff --git a/queue-5.10/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch b/queue-5.10/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch new file mode 100644 index 0000000000..bc99344f3b --- /dev/null +++ b/queue-5.10/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch 
@@ -0,0 +1,36 @@ +From regressions+bounces-16332-greg=kroah.com@lists.linux.dev Tue Apr 14 06:04:19 2026 +From: guocai.he.cn@windriver.com +Date: Tue, 14 Apr 2026 12:03:49 +0800 +Subject: Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave" +To: gregkh@linuxfoundation.org +Cc: stable@vger.kernel.org, johannes.berg@intel.com, netdev@vger.kernel.org, regressions@lists.linux.dev, miriam.rachel.korenblit@intel.com, linux-kernel@vger.kernel.org +Message-ID: <20260414040349.2974854-1-guocai.he.cn@windriver.com> + +From: Guocai He + +This reverts commit d91240f24e831d3bd36954599ada6b456fb1bd0a which is commit +e1696c8bd0056bc1a5f7766f58ac333adc203e8a upstream. + +The reverted patch introduced a deadlock. The locking situation in mainline is +totally different, so it is incorrect to directly backport the commit from mainline. + +Signed-off-by: Guocai He +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/core.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -1119,10 +1119,8 @@ static void __cfg80211_unregister_wdev(s + + switch (wdev->iftype) { + case NL80211_IFTYPE_P2P_DEVICE: +- cfg80211_stop_p2p_device(rdev, wdev); +- break; + case NL80211_IFTYPE_NAN: +- cfg80211_stop_nan(rdev, wdev); ++ /* cannot happen, has no netdev */ + break; + default: + break; diff --git a/queue-5.10/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch b/queue-5.10/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch new file mode 100644 index 0000000000..a944604f88 --- /dev/null +++ b/queue-5.10/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch 
@@ -0,0 +1,63 @@ +From stable+bounces-237688-greg=kroah.com@vger.kernel.org Tue Apr 14 02:30:17 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 20:29:48 -0400 +Subject: rxrpc: Fix key quota calculation for multitoken keys +To: stable@vger.kernel.org +Cc: David Howells , Marc Dionne , Jeffrey Altman , Simon Horman , linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski , Sasha Levin +Message-ID: <20260414002948.3802454-1-sashal@kernel.org> + +From: David Howells + +[ Upstream commit bdbfead6d38979475df0c2f4bad2b19394fe9bdc ] + +In the rxrpc key preparsing, every token extracted sets the proposed quota +value, but for multitoken keys, this will overwrite the previous proposed +quota, losing it. + +Fix this by adding to the proposed quota instead. + +Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing") +Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com +Signed-off-by: David Howells +cc: Marc Dionne +cc: Jeffrey Altman +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-2-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +[ dropped hunk for rxrpc_preparse_xdr_yfs_rxgk() ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/key.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -108,7 +108,7 @@ static int rxrpc_preparse_xdr_rxkad(stru + return -EKEYREJECTED; + + plen = sizeof(*token) + sizeof(*token->kad) + tktlen; +- prep->quotalen = datalen + plen; ++ prep->quotalen += datalen + plen; + + plen -= sizeof(*token); + token = kzalloc(sizeof(*token), GFP_KERNEL); +@@ -718,6 +718,7 @@ static int rxrpc_preparse(struct key_pre + memcpy(&kver, prep->data, sizeof(kver)); + prep->data += sizeof(kver); + prep->datalen -= sizeof(kver); ++ prep->quotalen = 0; + + _debug("KEY I/F VERSION: %u", kver); + +@@ -755,7 +756,7 @@ static int rxrpc_preparse(struct key_pre + 
goto error; + + plen = sizeof(*token->kad) + v1->ticket_length; +- prep->quotalen = plen + sizeof(*token); ++ prep->quotalen += plen + sizeof(*token); + + ret = -ENOMEM; + token = kzalloc(sizeof(*token), GFP_KERNEL); diff --git a/queue-5.10/rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch b/queue-5.10/rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch new file mode 100644 index 0000000000..7068d73d1c --- /dev/null +++ b/queue-5.10/rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch 
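Review bot: The `prep->quotalen = 0;` reset is placed after the `kver` read in rxrpc_preparse(), so it only covers the native-format path that continues past it; the other `+=` lives in rxrpc_preparse_xdr_rxkad(), and if the XDR-encoded key path is dispatched from rxrpc_preparse() before this point (as I recall it is in mainline), its accumulation starts from whatever the key core preset — `key_create_or_update()` initialises `prep.quotalen` from the key type's `def_datalen` — rather than from zero. Worth confirming where the XDR dispatch sits in 5.10 and, if it precedes the reset, moving the reset ahead of it or adding a matching one in rxrpc_preparse_xdr(). A comment at the reset, `/* each token below adds its size to quotalen, so start from zero */`, would also explain the switch from `=` to `+=`. Both enclosing functions start outside their hunks.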
@@ -0,0 +1,50 @@ +From stable+bounces-237693-greg=kroah.com@vger.kernel.org Tue Apr 14 03:19:09 2026 +From: Sasha Levin +Date: Mon, 13 Apr 2026 21:19:03 -0400 +Subject: rxrpc: fix reference count leak in rxrpc_server_keyring() +To: stable@vger.kernel.org +Cc: Luxiao Xu , Yifan Wu , Juefei Pu , Yuan Tan , Xin Liu , Ren Wei , Ren Wei , David Howells , Marc Dionne , Simon Horman , linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski , Sasha Levin +Message-ID: <20260414011903.3831717-1-sashal@kernel.org> + +From: Luxiao Xu + +[ Upstream commit f125846ee79fcae537a964ce66494e96fa54a6de ] + +This patch fixes a reference count leak in rxrpc_server_keyring() +by checking if rx->securities is already set. + +Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both") +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Ren Wei +Signed-off-by: Luxiao Xu +Signed-off-by: Ren Wei +Signed-off-by: David Howells +cc: Marc Dionne +cc: Simon Horman +cc: linux-afs@lists.infradead.org +cc: stable@kernel.org +Link: https://patch.msgid.link/20260408121252.2249051-15-dhowells@redhat.com +Signed-off-by: Jakub Kicinski +[ applied patch to net/rxrpc/key.c instead of net/rxrpc/server_key.c ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/key.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/rxrpc/key.c ++++ b/net/rxrpc/key.c +@@ -933,6 +933,9 @@ int rxrpc_server_keyring(struct rxrpc_so + + _enter(""); + ++ if (rx->securities) ++ return -EINVAL; ++ + if (optlen <= 0 || optlen > PAGE_SIZE - 1) + return -EINVAL; + diff --git a/queue-5.10/rxrpc-reject-undecryptable-rxkad-response-tickets.patch b/queue-5.10/rxrpc-reject-undecryptable-rxkad-response-tickets.patch new file mode 100644 index 0000000000..7ac77ebbef --- /dev/null +++ b/queue-5.10/rxrpc-reject-undecryptable-rxkad-response-tickets.patch 
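Review bot: The new `if (rx->securities) return -EINVAL;` is a check-then-act on a field the rest of the function assigns later, so it is only race-free if the caller serialises it — in mainline that is `lock_sock()` taken in rxrpc_setsockopt(), which should be confirmed for 5.10 rather than relied upon implicitly. A comment such as `/* A server keyring may be set only once; replacing it would leak the previous key reference (caller holds the socket lock) */` records both the leak being prevented and the locking assumption. rxrpc_server_keyring starts and ends outside the hunk.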
@@ -0,0 +1,63 @@
+From stable+bounces-237847-greg=kroah.com@vger.kernel.org Tue Apr 14 14:13:13 2026
+From: Sasha Levin
+Date: Tue, 14 Apr 2026 08:05:14 -0400
+Subject: rxrpc: reject undecryptable rxkad response tickets
+To: stable@vger.kernel.org
+Cc: Yuqi Xu , Yifan Wu , Juefei Pu , Yuan Tan , Xin Liu , Ren Wei , Ren Wei , David Howells , Marc Dionne , Simon Horman , linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski , Sasha Levin
+Message-ID: <20260414120514.569478-1-sashal@kernel.org>
+
+From: Yuqi Xu
+
+[ Upstream commit fe4447cd95623b1cfacc15f280aab73a6d7340b2 ]
+
+rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then
+parses the buffer as plaintext without checking whether
+crypto_skcipher_decrypt() succeeded.
+
+A malformed RESPONSE can therefore use a non-block-aligned ticket
+length, make the decrypt operation fail, and still drive the ticket
+parser with attacker-controlled bytes.
+
+Check the decrypt result and abort the connection with RXKADBADTICKET
+when ticket decryption fails.
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Reported-by: Yifan Wu
+Reported-by: Juefei Pu
+Co-developed-by: Yuan Tan
+Signed-off-by: Yuan Tan
+Suggested-by: Xin Liu
+Tested-by: Ren Wei
+Signed-off-by: Yuqi Xu
+Signed-off-by: Ren Wei
+Signed-off-by: David Howells
+cc: Marc Dionne
+cc: Simon Horman
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260408121252.2249051-12-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski
+[ adapted `rxrpc_abort_conn()` call to existing `goto other_error` error-handling pattern ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/rxkad.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/rxrpc/rxkad.c
++++ b/net/rxrpc/rxkad.c
+@@ -941,8 +941,13 @@ static int rxkad_decrypt_ticket(struct r
+ sg_init_one(&sg[0], ticket, ticket_len);
+ skcipher_request_set_callback(req, 0, NULL, NULL);
+ skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
+- crypto_skcipher_decrypt(req);
++ ret = crypto_skcipher_decrypt(req);
+ skcipher_request_free(req);
++ if (ret < 0) {
++ abort_code = RXKADBADTICKET;
++ ret = -EPROTO;
++ goto other_error;
++ }
+
+ p = ticket;
+ end = p + ticket_len;
diff --git a/queue-5.10/series b/queue-5.10/series
index 296a6bc7b2..0fd2ca779b 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
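Review bot: The new failure branch after `skcipher_request_free(req);` hand-assembles the abort (`abort_code = RXKADBADTICKET; ret = -EPROTO; goto other_error;`) rather than joining the function's existing ticket-rejection path, so if that path (outside the hunk) also records a trace event for a bad ticket, a decryption failure will be invisible to tracing where a parse failure is not. The check itself looks right: the request is freed before the branch, so nothing leaks, and the parser starting at `p = ticket;` no longer runs on undecrypted bytes. A short comment would help the next backporter see why the early exit is required, e.g. `/* A failed decrypt (e.g. ticket_len not a multiple of the cipher block size) must never reach the parser below. */`. rxkad_decrypt_ticket() starts and ends outside the hunk.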
@@ -97,3 +97,26 @@ blk-cgroup-reinit-blkg_iostat_set-after-clearing-in-.patch
 alsa-usb-audio-fix-null-pointer-dereference-on-point.patch
 scsi-ufs-core-improve-scsi-abort-handling.patch
 ib-mad-don-t-call-to-function-that-might-sleep-while.patch
+powerpc64-bpf-do-not-increment-tailcall-count-when-prog-is-null.patch
+mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch
+rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch
+rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
+xfrm-clear-trailing-padding-in-build_polexpire.patch
+ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
+ocfs2-validate-inline-data-i_size-during-inode-read.patch
+ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
+rxrpc-reject-undecryptable-rxkad-response-tickets.patch
+revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch
+blk-mq-use-quiesced-elevator-switch-when-reinitializing-queues.patch
+drivers-base-free-devm-resources-when-unregistering-a-device.patch
+x86-uprobes-fix-xol-allocation-failure-for-32-bit-tasks.patch
+fs-ocfs2-fix-comments-mentioning-i_mutex.patch
+ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch
+mm-blk-cgroup-fix-use-after-free-in-cgwb_release_workfn.patch
+arm64-dts-imx8mq-librem5-r3-workaround-i2c1-issue-with-1ghz-cpu-voltage.patch
+arm64-dts-imx8mq-librem5-don-t-mark-buck3-as-always-on.patch
+arm64-dts-imx8mq-librem5-set-regulators-boot-on.patch
+arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
+arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch
+revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
+arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch
diff --git a/queue-5.10/x86-uprobes-fix-xol-allocation-failure-for-32-bit-tasks.patch b/queue-5.10/x86-uprobes-fix-xol-allocation-failure-for-32-bit-tasks.patch
new file mode 100644
index 0000000000..5bda73f25b
--- /dev/null
+++ b/queue-5.10/x86-uprobes-fix-xol-allocation-failure-for-32-bit-tasks.patch 
@@ -0,0 +1,130 @@
+From stable+bounces-222632-greg=kroah.com@vger.kernel.org Mon Mar 2 16:54:25 2026
+From: Oleg Nesterov
+Date: Mon, 2 Mar 2026 16:51:12 +0100
+Subject: x86/uprobes: Fix XOL allocation failure for 32-bit tasks
+To: Sasha Levin
+Cc: stable@vger.kernel.org, Paulo Andrade , "Peter Zijlstra (Intel)" , linux-trace-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org
+Message-ID:
+Content-Disposition: inline
+
+From: Oleg Nesterov
+
+[ Upstream commit d55c571e4333fac71826e8db3b9753fadfbead6a ]
+
+This script
+
+ #!/usr/bin/bash
+
+ echo 0 > /proc/sys/kernel/randomize_va_space
+
+ echo 'void main(void) {}' > TEST.c
+
+ # -fcf-protection to ensure that the 1st endbr32 insn can't be emulated
+ gcc -m32 -fcf-protection=branch TEST.c -o test
+
+ bpftrace -e 'uprobe:./test:main {}' -c ./test
+
+"hangs", the probed ./test task enters an endless loop.
+
+The problem is that with randomize_va_space == 0
+get_unmapped_area(TASK_SIZE - PAGE_SIZE) called by xol_add_vma() can not
+just return the "addr == TASK_SIZE - PAGE_SIZE" hint, this addr is used
+by the stack vma.
+
+arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into account and
+in_32bit_syscall() is false, this leads to info.high_limit > TASK_SIZE.
+vm_unmapped_area() happily returns the high address > TASK_SIZE and then
+get_unmapped_area() returns -ENOMEM after the "if (addr > TASK_SIZE - len)"
+check.
+
+handle_swbp() doesn't report this failure (probably it should) and silently
+restarts the probed insn. Endless loop.
+
+I think that the right fix should change the x86 get_unmapped_area() paths
+to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if
+CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case
+because ->orig_ax = -1.
+
+But we need a simple fix for -stable, so this patch just sets TS_COMPAT if
+the probed task is 32-bit to make in_ia32_syscall() true.
+
+Fixes: 1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
+Reported-by: Paulo Andrade
+Signed-off-by: Oleg Nesterov
+Signed-off-by: Peter Zijlstra (Intel)
+Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/aWO7Fdxn39piQnxu@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/uprobes.c | 24 ++++++++++++++++++++++++
+ include/linux/uprobes.h | 1 +
+ kernel/events/uprobes.c | 10 +++++++---
+ 3 files changed, 32 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/uprobes.c
++++ b/arch/x86/kernel/uprobes.c
+@@ -1095,3 +1095,27 @@ bool arch_uretprobe_is_alive(struct retu
+ else
+ return regs->sp <= ret->stack;
+ }
++
++#ifdef CONFIG_IA32_EMULATION
++unsigned long arch_uprobe_get_xol_area(void)
++{
++ struct thread_info *ti = current_thread_info();
++ unsigned long vaddr;
++
++ /*
++ * HACK: we are not in a syscall, but x86 get_unmapped_area() paths
++ * ignore TIF_ADDR32 and rely on in_32bit_syscall() to calculate
++ * vm_unmapped_area_info.high_limit.
++ *
++ * The #ifdef above doesn't cover the CONFIG_X86_X32_ABI=y case,
++ * but in this case in_32bit_syscall() -> in_x32_syscall() always
++ * (falsely) returns true because ->orig_ax == -1.
++ */
++ if (test_thread_flag(TIF_ADDR32))
++ ti->status |= TS_COMPAT;
++ vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
++ ti->status &= ~TS_COMPAT;
++
++ return vaddr;
++}
++#endif
+--- a/include/linux/uprobes.h
++++ b/include/linux/uprobes.h
+@@ -138,6 +138,7 @@ extern bool arch_uretprobe_is_alive(stru
+ extern bool arch_uprobe_ignore(struct arch_uprobe *aup, struct pt_regs *regs);
+ extern void arch_uprobe_copy_ixol(struct page *page, unsigned long vaddr,
+ void *src, unsigned long len);
++extern unsigned long arch_uprobe_get_xol_area(void);
+ #else /* !CONFIG_UPROBES */
+ struct uprobes_state {
+ };
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -1438,6 +1438,12 @@ void uprobe_munmap(struct vm_area_struct
+ set_bit(MMF_RECALC_UPROBES, &vma->vm_mm->flags);
+ }
+
++unsigned long __weak arch_uprobe_get_xol_area(void)
++{
++ /* Try to map as high as possible, this is only a hint. */
++ return get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0);
++}
++
+ /* Slot allocation for XOL */
+ static int xol_add_vma(struct mm_struct *mm, struct xol_area *area)
+ {
+@@ -1453,9 +1459,7 @@ static int xol_add_vma(struct mm_struct
+ }
+
+ if (!area->vaddr) {
+- /* Try to map as high as possible, this is only a hint. */
+- area->vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE,
+- PAGE_SIZE, 0, 0);
++ area->vaddr = arch_uprobe_get_xol_area();
+ if (IS_ERR_VALUE(area->vaddr)) {
+ ret = area->vaddr;
+ goto fail;
diff --git a/queue-5.10/xfrm-clear-trailing-padding-in-build_polexpire.patch b/queue-5.10/xfrm-clear-trailing-padding-in-build_polexpire.patch
new file mode 100644
index 0000000000..e58a782b0d
--- /dev/null
+++ b/queue-5.10/xfrm-clear-trailing-padding-in-build_polexpire.patch
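Review bot: `ti->status &= ~TS_COMPAT;` in the new arch_uprobe_get_xol_area() clears the bit unconditionally instead of restoring what was there, so the function silently assumes TS_COMPAT was clear on entry; the HACK comment's "we are not in a syscall" makes that plausible, but saving and restoring the previous value would encode the assumption rather than rely on it: `u32 saved = ti->status;` before the TIF_ADDR32 test and `ti->status = saved;` in place of the masked clear. The window in which TS_COMPAT is set spans get_unmapped_area(), which can sleep on the mmap lock, so anything that inspects this task's thread_info status during that window sees a compat syscall in progress; for a TIF_ADDR32 task that is the intended answer, but a sentence in the comment would spare the next reader the same analysis. The `__weak` default added in kernel/events/uprobes.c keeps the previous hint-only behaviour for every architecture without an override.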
@@ -0,0 +1,48 @@
+From stable+bounces-237667-greg=kroah.com@vger.kernel.org Tue Apr 14 00:12:20 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 18:12:15 -0400
+Subject: xfrm: clear trailing padding in build_polexpire()
+To: stable@vger.kernel.org
+Cc: Yasuaki Torimaru , Simon Horman , Breno Leitao , Steffen Klassert , Sasha Levin
+Message-ID: <20260413221215.3744762-1-sashal@kernel.org>
+
+From: Yasuaki Torimaru
+
+[ Upstream commit 71a98248c63c535eaa4d4c22f099b68d902006d0 ]
+
+build_expire() clears the trailing padding bytes of struct
+xfrm_user_expire after setting the hard field via memset_after(),
+but the analogous function build_polexpire() does not do this for
+struct xfrm_user_polexpire.
+
+The padding bytes after the __u8 hard field are left
+uninitialized from the heap allocation, and are then sent to
+userspace via netlink multicast to XFRMNLGRP_EXPIRE listeners,
+leaking kernel heap memory contents.
+
+Add the missing memset_after() call, matching build_expire().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yasuaki Torimaru
+Reviewed-by: Simon Horman
+Reviewed-by: Breno Leitao
+Signed-off-by: Steffen Klassert
+[ replaced `memset_after()` macro with equivalent manual `memset()` call ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/xfrm/xfrm_user.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -3290,6 +3290,8 @@ static int build_polexpire(struct sk_buf
+ return err;
+ }
+ upe->hard = !!hard;
++ /* clear the padding bytes */
++ memset(&upe->hard + 1, 0, sizeof(*upe) - offsetofend(typeof(*upe), hard));
+
+ nlmsg_end(skb, nlh);
+ return 0;
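Review bot: The manual `memset(&upe->hard + 1, 0, sizeof(*upe) - offsetofend(typeof(*upe), hard));` is only equivalent to upstream's memset_after() because `hard` is the last member of struct xfrm_user_polexpire; if a member were ever appended after it, this line would silently zero that member as well, and nothing in the code says so. The existing `/* clear the padding bytes */` comment could carry that dependency, e.g. `/* clear the padding bytes after 'hard' (the last member) so they are not sent to userspace uninitialised */`. The length arithmetic itself is right for the current layout: `&upe->hard + 1` is one byte past `hard`, and the remaining byte count is exactly the trailing padding. build_polexpire() starts outside the hunk; the commit message says build_expire() in the same file uses the same construction, which the stable tree should be checked to match.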