From: Greg Kroah-Hartman
Date: Mon, 4 May 2026 08:58:57 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v6.12.86~31
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bfc454817f73ef6967f54c5287d84340617055b7;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches
added patches:
crypto-atmel-aes-fix-3-page-memory-leak-in-atmel_aes_buff_cleanup.patch
crypto-atmel-ecc-release-client-on-allocation-failure.patch
crypto-atmel-tdes-fix-dma-sync-direction.patch
crypto-ccree-fix-a-memory-leak-in-cc_mac_digest.patch
crypto-hisilicon-fix-dma_unmap_single-direction.patch
dm-mirror-fix-integer-overflow-in-create_dirty_log.patch
ext4-fix-missing-brelse-in-ext4_xattr_inode_dec_ref_all.patch
ib-core-fix-zero-dmac-race-in-neighbor-resolution.patch
inotify-fix-watch-count-leak-when-fsnotify_add_inode_mark_locked-fails.patch
md-raid5-fix-soft-lockup-in-retry_aligned_read.patch
md-raid5-validate-payload-size-before-accessing-journal-metadata.patch
taskstats-set-version-in-tgid-exit-notifications.patch
---
diff --git a/queue-5.10/crypto-atmel-aes-fix-3-page-memory-leak-in-atmel_aes_buff_cleanup.patch b/queue-5.10/crypto-atmel-aes-fix-3-page-memory-leak-in-atmel_aes_buff_cleanup.patch
new file mode 100644
index 0000000000..d112e4a02d
--- /dev/null
+++ b/queue-5.10/crypto-atmel-aes-fix-3-page-memory-leak-in-atmel_aes_buff_cleanup.patch
@@ -0,0 +1,34 @@
+From 3fcfff4ed35f963380a68741bcd52742baff7f76 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum
+Date: Wed, 11 Mar 2026 03:07:35 +0100
+Subject: crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup
+
+From: Thorsten Blum
+
+commit 3fcfff4ed35f963380a68741bcd52742baff7f76 upstream.
+
+atmel_aes_buff_init() allocates 4 pages using __get_free_pages() with
+ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only the
+first page using free_page(), leaking the remaining 3 pages. Use
+free_pages() with ATMEL_AES_BUFFER_ORDER to fix the memory leak.
+
+Fixes: bbe628ed897d ("crypto: atmel-aes - improve performances of data transfer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/atmel-aes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/atmel-aes.c
++++ b/drivers/crypto/atmel-aes.c
+@@ -2265,7 +2265,7 @@ static int atmel_aes_buff_init(struct at
+ 
+ static void atmel_aes_buff_cleanup(struct atmel_aes_dev *dd)
+ {
+- free_page((unsigned long)dd->buf);
++ free_pages((unsigned long)dd->buf, ATMEL_AES_BUFFER_ORDER);
+ }
+ 
+ static int atmel_aes_dma_init(struct atmel_aes_dev *dd)
diff --git a/queue-5.10/crypto-atmel-ecc-release-client-on-allocation-failure.patch b/queue-5.10/crypto-atmel-ecc-release-client-on-allocation-failure.patch
new file mode 100644
index 0000000000..0e7ff3a7e1
--- /dev/null
+++ b/queue-5.10/crypto-atmel-ecc-release-client-on-allocation-failure.patch
@@ -0,0 +1,32 @@
+From 095d50008d55d13f8fcf1bbeb7c6eba51779bc85 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum
+Date: Fri, 20 Feb 2026 15:03:13 +0100
+Subject: crypto: atmel-ecc - Release client on allocation failure
+
+From: Thorsten Blum
+
+commit 095d50008d55d13f8fcf1bbeb7c6eba51779bc85 upstream.
+
+Call atmel_ecc_i2c_client_free() to release the I2C client reserved by
+atmel_ecc_i2c_client_alloc() when crypto_alloc_kpp() fails. Otherwise
+->tfm_count will be out of sync.
+
+Fixes: 11105693fa05 ("crypto: atmel-ecc - introduce Microchip / Atmel ECC driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/atmel-ecc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/atmel-ecc.c
++++ b/drivers/crypto/atmel-ecc.c
+@@ -273,6 +273,7 @@ static int atmel_ecdh_init_tfm(struct cr
+ if (IS_ERR(fallback)) {
+ dev_err(&ctx->client->dev, "Failed to allocate transformation for '%s': %ld\n",
+ alg, PTR_ERR(fallback));
++ atmel_ecc_i2c_client_free(ctx->client);
+ return PTR_ERR(fallback);
+ }
+ 
diff --git a/queue-5.10/crypto-atmel-tdes-fix-dma-sync-direction.patch b/queue-5.10/crypto-atmel-tdes-fix-dma-sync-direction.patch
new file mode 100644
index 0000000000..87b0ac5c90
--- /dev/null
+++ b/queue-5.10/crypto-atmel-tdes-fix-dma-sync-direction.patch
@@ -0,0 +1,48 @@
+From c8a9a647532f5c2a04180352693215e24e9dba03 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum
+Date: Sat, 7 Mar 2026 16:31:10 +0100
+Subject: crypto: atmel-tdes - fix DMA sync direction
+
+From: Thorsten Blum
+
+commit c8a9a647532f5c2a04180352693215e24e9dba03 upstream.
+
+Before DMA output is consumed by the CPU, ->dma_addr_out must be synced
+with dma_sync_single_for_cpu() instead of dma_sync_single_for_device().
+Using the wrong direction can return stale cache data on non-coherent
+platforms.
+
+Fixes: 13802005d8f2 ("crypto: atmel - add Atmel DES/TDES driver")
+Fixes: 1f858040c2f7 ("crypto: atmel-tdes - add support for latest release of the IP (0x700)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thorsten Blum
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/atmel-tdes.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/atmel-tdes.c
++++ b/drivers/crypto/atmel-tdes.c
+@@ -312,8 +312,8 @@ static int atmel_tdes_crypt_pdc_stop(str
+ dma_unmap_sg(dd->dev, dd->out_sg, 1, DMA_FROM_DEVICE);
+ dma_unmap_sg(dd->dev, dd->in_sg, 1, DMA_TO_DEVICE);
+ } else {
+- dma_sync_single_for_device(dd->dev, dd->dma_addr_out,
+- dd->dma_size, DMA_FROM_DEVICE);
++ dma_sync_single_for_cpu(dd->dev, dd->dma_addr_out,
++ dd->dma_size, DMA_FROM_DEVICE);
+ 
+ /* copy data */
+ count = atmel_tdes_sg_copy(&dd->out_sg, &dd->out_offset,
+@@ -671,8 +671,8 @@ static int atmel_tdes_crypt_dma_stop(str
+ dma_unmap_sg(dd->dev, dd->out_sg, 1, DMA_FROM_DEVICE);
+ dma_unmap_sg(dd->dev, dd->in_sg, 1, DMA_TO_DEVICE);
+ } else {
+- dma_sync_single_for_device(dd->dev, dd->dma_addr_out,
+- dd->dma_size, DMA_FROM_DEVICE);
++ dma_sync_single_for_cpu(dd->dev, dd->dma_addr_out,
++ dd->dma_size, DMA_FROM_DEVICE);
+ 
+ /* copy data */
+ count = atmel_tdes_sg_copy(&dd->out_sg, &dd->out_offset,
diff --git a/queue-5.10/crypto-ccree-fix-a-memory-leak-in-cc_mac_digest.patch b/queue-5.10/crypto-ccree-fix-a-memory-leak-in-cc_mac_digest.patch
new file mode 100644
index 0000000000..54319aac41
--- /dev/null
+++ b/queue-5.10/crypto-ccree-fix-a-memory-leak-in-cc_mac_digest.patch
@@ -0,0 +1,31 @@
+From 02c64052fad03699b9c6d1df2f9b444d17e4ac50 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li
+Date: Mon, 30 Mar 2026 11:34:02 +0800
+Subject: crypto: ccree - fix a memory leak in cc_mac_digest()
+
+From: Haoxiang Li
+
+commit 02c64052fad03699b9c6d1df2f9b444d17e4ac50 upstream.
+
+Add cc_unmap_result() if cc_map_hash_request_final()
+fails to prevent potential memory leak.
+
+Fixes: 63893811b0fc ("crypto: ccree - add ahash support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/ccree/cc_hash.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/ccree/cc_hash.c
++++ b/drivers/crypto/ccree/cc_hash.c
+@@ -1448,6 +1448,7 @@ static int cc_mac_digest(struct ahash_re
+ if (cc_map_hash_request_final(ctx->drvdata, state, req->src,
+ req->nbytes, 1, flags)) {
+ dev_err(dev, "map_ahash_request_final() failed\n");
++ cc_unmap_result(dev, state, digestsize, req->result);
+ cc_unmap_req(dev, state, ctx);
+ return -ENOMEM;
+ }
diff --git a/queue-5.10/crypto-hisilicon-fix-dma_unmap_single-direction.patch b/queue-5.10/crypto-hisilicon-fix-dma_unmap_single-direction.patch
new file mode 100644
index 0000000000..f29708540d
--- /dev/null
+++ b/queue-5.10/crypto-hisilicon-fix-dma_unmap_single-direction.patch
@@ -0,0 +1,35 @@
+From 1ee57ab93b75eb59f426aef37b5498a7ffc28278 Mon Sep 17 00:00:00 2001
+From: Thomas Fourier
+Date: Mon, 30 Mar 2026 17:19:32 +0200
+Subject: crypto: hisilicon - Fix dma_unmap_single() direction
+
+From: Thomas Fourier
+
+commit 1ee57ab93b75eb59f426aef37b5498a7ffc28278 upstream.
+
+The direction used to map the buffer skreq->iv is DMA_TO_DEVICE but it is
+unmapped with direction DMA_BIDIRECTIONAL in the error path.
+
+Change the unmap to match the mapping.
+
+Fixes: 915e4e8413da ("crypto: hisilicon - SEC security accelerator driver")
+Cc:
+Signed-off-by: Thomas Fourier
+Reviewed-by: Thorsten Blum
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/hisilicon/sec/sec_algs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/hisilicon/sec/sec_algs.c
++++ b/drivers/crypto/hisilicon/sec/sec_algs.c
+@@ -844,7 +844,7 @@ err_free_elements:
+ if (crypto_skcipher_ivsize(atfm))
+ dma_unmap_single(info->dev, sec_req->dma_iv,
+ crypto_skcipher_ivsize(atfm),
+- DMA_BIDIRECTIONAL);
++ DMA_TO_DEVICE);
+ err_unmap_out_sg:
+ if (split)
+ sec_unmap_sg_on_err(skreq->dst, steps, splits_out,
diff --git a/queue-5.10/dm-mirror-fix-integer-overflow-in-create_dirty_log.patch b/queue-5.10/dm-mirror-fix-integer-overflow-in-create_dirty_log.patch
new file mode 100644
index 0000000000..3ecd090b8a
--- /dev/null
+++ b/queue-5.10/dm-mirror-fix-integer-overflow-in-create_dirty_log.patch
@@ -0,0 +1,53 @@
+From 4c788c6f921b22f9b6c3f316c4a071c05683e7de Mon Sep 17 00:00:00 2001
+From: Junrui Luo
+Date: Sun, 1 Mar 2026 21:10:58 +0800
+Subject: dm mirror: fix integer overflow in create_dirty_log()
+
+From: Junrui Luo
+
+commit 4c788c6f921b22f9b6c3f316c4a071c05683e7de upstream.
+
+The argument count calculation in create_dirty_log() performs
+`*args_used = 2 + param_count` before validating against argc. When a
+user provides a param_count close to UINT_MAX via the device mapper
+table string, this unsigned addition wraps around to a small value,
+causing the subsequent `argc < *args_used` check to be bypassed.
+
+The overflowed param_count is then passed as argc to dm_dirty_log_create(),
+where it can cause out-of-bounds reads on the argv array.
+
+Fix by comparing param_count against argc - 2 before performing the
+addition, following the same pattern used by parse_features() in the
+same file. Since argc >= 2 is already guaranteed, the subtraction is
+safe.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reported-by: Yuhao Jiang
+Signed-off-by: Junrui Luo
+Reviewed-by: Benjamin Marzinski
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/dm-raid1.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-raid1.c
++++ b/drivers/md/dm-raid1.c
+@@ -981,13 +981,13 @@ static struct dm_dirty_log *create_dirty
+ return NULL;
+ }
+ 
+- *args_used = 2 + param_count;
+-
+- if (argc < *args_used) {
++ if (param_count > argc - 2) {
+ ti->error = "Insufficient mirror log arguments";
+ return NULL;
+ }
+ 
++ *args_used = 2 + param_count;
++
+ dl = dm_dirty_log_create(argv[0], ti, mirror_flush, param_count,
+ argv + 2);
+ if (!dl) {
diff --git a/queue-5.10/ext4-fix-missing-brelse-in-ext4_xattr_inode_dec_ref_all.patch b/queue-5.10/ext4-fix-missing-brelse-in-ext4_xattr_inode_dec_ref_all.patch
new file mode 100644
index 0000000000..da0312afff
--- /dev/null
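Review bot: The new `if (param_count > argc - 2)` test in create_dirty_log() is only free of unsigned underflow because an `argc >= 2` check precedes it outside this hunk, and nothing at the comparison records that dependency; a later reordering of the argument checks would silently bring back the wrap-around this patch removes. Add a comment directly above the test, `/* argc >= 2 was verified above, so argc - 2 cannot underflow */`. The rest of create_dirty_log(), including that earlier check, begins and ends outside the hunk.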
+++ b/queue-5.10/ext4-fix-missing-brelse-in-ext4_xattr_inode_dec_ref_all.patch
@@ -0,0 +1,49 @@
+From 77d059519382bd66283e6a4e83ee186e87e7708f Mon Sep 17 00:00:00 2001
+From: Sohei Koyama
+Date: Mon, 6 Apr 2026 16:48:30 +0900
+Subject: ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
+
+From: Sohei Koyama
+
+commit 77d059519382bd66283e6a4e83ee186e87e7708f upstream.
+
+The commit c8e008b60492 ("ext4: ignore xattrs past end")
+introduced a refcount leak in when block_csum is false.
+
+ext4_xattr_inode_dec_ref_all() calls ext4_get_inode_loc() to
+get iloc.bh, but never releases it with brelse().
+
+Fixes: c8e008b60492 ("ext4: ignore xattrs past end")
+Signed-off-by: Sohei Koyama
+Reviewed-by: Andreas Dilger
+Reviewed-by: Ritesh Harjani (IBM)
+Cc: stable@vger.kernel.org
+Reviewed-by: Zhang Yi
+Reviewed-by: Baokun Li
+Link: https://patch.msgid.link/20260406074830.8480-1-skoyama@ddn.com
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/xattr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1108,7 +1108,7 @@ ext4_xattr_inode_dec_ref_all(handle_t *h
+ {
+ struct inode *ea_inode;
+ struct ext4_xattr_entry *entry;
+- struct ext4_iloc iloc;
++ struct ext4_iloc iloc = { .bh = NULL };
+ bool dirty = false;
+ unsigned int ea_ino;
+ int err;
+@@ -1202,6 +1202,8 @@ ext4_xattr_inode_dec_ref_all(handle_t *h
+ ext4_warning_inode(parent,
+ "handle dirty metadata err=%d", err);
+ }
++
++ brelse(iloc.bh);
+ }
+ 
+ /*
diff --git a/queue-5.10/ib-core-fix-zero-dmac-race-in-neighbor-resolution.patch b/queue-5.10/ib-core-fix-zero-dmac-race-in-neighbor-resolution.patch
new file mode 100644
index 0000000000..fd15eab6ef
--- /dev/null
+++ b/queue-5.10/ib-core-fix-zero-dmac-race-in-neighbor-resolution.patch
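Review bot: The new `brelse(iloc.bh)` is placed only at the tail of ext4_xattr_inode_dec_ref_all(); the loop body between the two hunks is not visible here, so if that stretch contains an early `return` after ext4_get_inode_loc() has populated iloc.bh, the buffer head would still leak on that path — worth confirming, or moving the release to a common exit label. The `= { .bh = NULL }` initializer is what makes the unconditional brelse() safe on the block_csum path, where iloc is never filled in; a one-line comment at the declaration, `/* only set on the !block_csum path; brelse(NULL) is a no-op */`, would record that. The function starts before the first hunk and its error handling lies outside both.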
@@ -0,0 +1,74 @@
+From 5e6de34d82b49cab9d8a42063e9cd0f22a4f31e5 Mon Sep 17 00:00:00 2001
+From: Chen Zhao
+Date: Sun, 5 Apr 2026 18:44:55 +0300
+Subject: IB/core: Fix zero dmac race in neighbor resolution
+
+From: Chen Zhao
+
+commit 5e6de34d82b49cab9d8a42063e9cd0f22a4f31e5 upstream.
+
+dst_fetch_ha() checks nud_state without holding the neighbor lock, then
+copies ha under the seqlock. A race in __neigh_update() where nud_state
+is set to NUD_REACHABLE before ha is written allows dst_fetch_ha() to
+read a zero MAC address while the seqlock reports no concurrent writer.
+
+netevent_callback amplifies this by waking ALL pending addr_req workers
+when ANY neighbor becomes NUD_VALID. At scale (N peers resolving ARP
+concurrently), the hit probability scales as N^2, making it near-certain
+for large RDMA workloads.
+
+N(A): neigh_update(A) W(A): addr_resolve(A)
+ | [sleep]
+ | write_lock_bh(&A->lock) |
+ | A->nud_state = NUD_REACHABLE |
+ | // A->ha is still 0 |
+ | [woken by netevent_cb() of
+ | another neighbour]
+ | | dst_fetch_ha(A)
+ | | A->nud_state & NUD_VALID
+ | | read_seqbegin(&A->ha_lock)
+ | | snapshot = A->ha /* 0 */
+ | | read_seqretry(&A->ha_lock)
+ | | return snapshot
+ | seqlock(&A->ha_lock)
+ | A->ha = mac_A /* too late */
+ | sequnlock(&A->ha_lock)
+ | write_unlock_bh(&A->lock)
+
+The incorrect/zero mac is read and programmed in the device QP while it
+was not yet updated. This causes silent packet loss and eventual
+RETRY_EXC_ERR.
+
+Fix by holding the neighbor read lock across the nud_state check and
+ha copy in dst_fetch_ha(), ensuring it synchronizes with
+__neigh_update() which is updating while holding the write lock.
+
+Cc: stable@vger.kernel.org
+Fixes: 92ebb6a0a13a ("IB/cm: Remove now useless rcu_lock in dst_fetch_ha")
+Link: https://patch.msgid.link/r/20260405-fix-dmac-race-v1-1-cfa1ec2ce54a@nvidia.com
+Signed-off-by: Chen Zhao
+Reviewed-by: Parav Pandit
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/addr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -322,11 +322,14 @@ static int dst_fetch_ha(const struct dst
+ if (!n)
+ return -ENODATA;
+ 
++ read_lock_bh(&n->lock);
+ if (!(n->nud_state & NUD_VALID)) {
++ read_unlock_bh(&n->lock);
+ neigh_event_send(n, NULL);
+ ret = -ENODATA;
+ } else {
+ neigh_ha_snapshot(dev_addr->dst_dev_addr, n, dst->dev);
++ read_unlock_bh(&n->lock);
+ }
+ 
+ neigh_release(n);
diff --git a/queue-5.10/inotify-fix-watch-count-leak-when-fsnotify_add_inode_mark_locked-fails.patch b/queue-5.10/inotify-fix-watch-count-leak-when-fsnotify_add_inode_mark_locked-fails.patch
new file mode 100644
index 0000000000..0b23ee672b
--- /dev/null
+++ b/queue-5.10/inotify-fix-watch-count-leak-when-fsnotify_add_inode_mark_locked-fails.patch
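Review bot: In dst_fetch_ha() the read lock is released before neigh_event_send() in one branch but after neigh_ha_snapshot() in the other, and nothing in the code explains the asymmetry; as far as I recall neigh_event_send() ends up taking n->lock for writing itself, so calling it with the read lock still held would deadlock, which is exactly the constraint a future cleanup that "simplifies" the unlocks could break. Add `/* neigh_event_send() takes n->lock itself; drop the read lock first */` above the early read_unlock_bh(). The nud_state test and the ha copy now sit in one critical section, which is what closes the window against the write side in __neigh_update(); the beginning and end of dst_fetch_ha() are outside the hunk.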
@@ -0,0 +1,45 @@
+From 6a320935fa4293e9e599ec9f85dc9eb3be7029f8 Mon Sep 17 00:00:00 2001
+From: Chia-Ming Chang
+Date: Tue, 24 Feb 2026 17:34:42 +0800
+Subject: inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
+
+From: Chia-Ming Chang
+
+commit 6a320935fa4293e9e599ec9f85dc9eb3be7029f8 upstream.
+
+When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(),
+the error path calls inotify_remove_from_idr() but does not call
+dec_inotify_watches() to undo the preceding inc_inotify_watches().
+This leaks a watch count, and repeated failures can exhaust the
+max_user_watches limit with -ENOSPC even when no watches are active.
+
+Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace
+limits"), the watch count was incremented after fsnotify_add_mark_locked()
+succeeded, so this path was not affected. The conversion moved
+inc_inotify_watches() before the mark insertion without adding the
+corresponding rollback.
+
+Add the missing dec_inotify_watches() call in the error path.
+
+Fixes: 1cce1eea0aff ("inotify: Convert to using per-namespace limits")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chia-Ming Chang
+Signed-off-by: robbieko
+Reviewed-by: Nikolay Borisov
+Link: https://patch.msgid.link/20260224093442.3076294-1-chiamingc@synology.com
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/notify/inotify/inotify_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/notify/inotify/inotify_user.c
++++ b/fs/notify/inotify/inotify_user.c
+@@ -609,6 +609,7 @@ static int inotify_new_watch(struct fsno
+ if (ret) {
+ /* we failed to get on the inode, get off the idr */
+ inotify_remove_from_idr(group, tmp_i_mark);
++ dec_inotify_watches(group->inotify_data.ucounts);
+ goto out_err;
+ }
+ 
diff --git a/queue-5.10/md-raid5-fix-soft-lockup-in-retry_aligned_read.patch b/queue-5.10/md-raid5-fix-soft-lockup-in-retry_aligned_read.patch
new file mode 100644
index 0000000000..e852ea0f9c
--- /dev/null
+++ b/queue-5.10/md-raid5-fix-soft-lockup-in-retry_aligned_read.patch 
@@ -0,0 +1,53 @@
+From 7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc Mon Sep 17 00:00:00 2001
+From: Chia-Ming Chang
+Date: Thu, 2 Apr 2026 14:14:06 +0800
+Subject: md/raid5: fix soft lockup in retry_aligned_read()
+
+From: Chia-Ming Chang
+
+commit 7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc upstream.
+
+When retry_aligned_read() encounters an overlapped stripe, it releases
+the stripe via raid5_release_stripe() which puts it on the lockless
+released_stripes llist. In the next raid5d loop iteration,
+release_stripe_list() drains the stripe onto handle_list (since
+STRIPE_HANDLE is set by the original IO), but retry_aligned_read()
+runs before handle_active_stripes() and removes the stripe from
+handle_list via find_get_stripe() -> list_del_init(). This prevents
+handle_stripe() from ever processing the stripe to resolve the
+overlap, causing an infinite loop and soft lockup.
+
+Fix this by using __release_stripe() with temp_inactive_list instead
+of raid5_release_stripe() in the failure path, so the stripe does not
+go through the released_stripes llist. This allows raid5d to break out
+of its loop, and the overlap will be resolved when the stripe is
+eventually processed by handle_stripe().
+
+Fixes: 773ca82fa1ee ("raid5: make release_stripe lockless")
+Cc: stable@vger.kernel.org
+Signed-off-by: FengWei Shih
+Signed-off-by: Chia-Ming Chang
+Link: https://lore.kernel.org/linux-raid/20260402061406.455755-1-chiamingc@synology.com/
+Signed-off-by: Yu Kuai
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/raid5.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -6349,7 +6349,13 @@ static int retry_aligned_read(struct r5
+ }
+ 
+ if (!add_stripe_bio(sh, raid_bio, dd_idx, 0, 0)) {
+- raid5_release_stripe(sh);
++ int hash;
++
++ spin_lock_irq(&conf->device_lock);
++ hash = sh->hash_lock_index;
++ __release_stripe(conf, sh,
++ &conf->temp_inactive_list[hash]);
++ spin_unlock_irq(&conf->device_lock);
+ conf->retry_read_aligned = raid_bio;
+ conf->retry_read_offset = scnt;
+ return handled;
diff --git a/queue-5.10/md-raid5-validate-payload-size-before-accessing-journal-metadata.patch b/queue-5.10/md-raid5-validate-payload-size-before-accessing-journal-metadata.patch
new file mode 100644
index 0000000000..a83c533c4f
--- /dev/null
+++ b/queue-5.10/md-raid5-validate-payload-size-before-accessing-journal-metadata.patch
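Review bot: The stripe that the new __release_stripe() call parks on `conf->temp_inactive_list[hash]` is not handed back to the inactive lists anywhere in this hunk; as far as I can tell it relies on the caller draining temp_inactive_list afterwards, as raid5d does via release_inactive_stripe_list(), and retry_aligned_read() carries no comment recording that contract. Add above the spin_lock_irq(), `/* park on temp_inactive_list rather than released_stripes: the caller (raid5d) drains it after we return, and the stripe must reach handle_stripe() before it is retried here */`. If retry_aligned_read() is ever invoked from a path that does not drain temp_inactive_list, the stripe would stay parked, so the comment is worth having. The function starts and ends outside the hunk.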
@@ -0,0 +1,142 @@
+From b0cc3ae97e893bf54bbce447f4e9fd2e0b88bff9 Mon Sep 17 00:00:00 2001
+From: Junrui Luo
+Date: Sat, 4 Apr 2026 15:44:35 +0800
+Subject: md/raid5: validate payload size before accessing journal metadata
+
+From: Junrui Luo
+
+commit b0cc3ae97e893bf54bbce447f4e9fd2e0b88bff9 upstream.
+
+r5c_recovery_analyze_meta_block() and
+r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a
+journal metadata block using on-disk payload size fields without
+validating them against the remaining space in the metadata block.
+
+A corrupted journal contains payload sizes extending beyond the PAGE_SIZE
+boundary can cause out-of-bounds reads when accessing payload fields or
+computing offsets.
+
+Add bounds validation for each payload type to ensure the full payload
+fits within meta_size before processing.
+
+Fixes: b4c625c67362 ("md/r5cache: r5cache recovery: part 1")
+Cc: stable@vger.kernel.org
+Signed-off-by: Junrui Luo
+Link: https://lore.kernel.org/linux-raid/SYBPR01MB78815E78D829BB86CD7C8015AF5FA@SYBPR01MB7881.ausprd01.prod.outlook.com/
+Signed-off-by: Yu Kuai
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/raid5-cache.c | 48 ++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+--- a/drivers/md/raid5-cache.c
++++ b/drivers/md/raid5-cache.c
+@@ -2017,15 +2017,27 @@ r5l_recovery_verify_data_checksum_for_mb
+ return -ENOMEM;
+ 
+ while (mb_offset < le32_to_cpu(mb->meta_size)) {
++ sector_t payload_len;
++
+ payload = (void *)mb + mb_offset;
+ payload_flush = (void *)mb + mb_offset;
+ 
+ if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_DATA) {
++ payload_len = sizeof(struct r5l_payload_data_parity) +
++ (sector_t)sizeof(__le32) *
++ (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
++ if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
++ goto mismatch;
+ if (r5l_recovery_verify_data_checksum(
+ log, ctx, page, log_offset,
+ payload->checksum[0]) < 0)
+ goto mismatch;
+ } else if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_PARITY) {
++ payload_len = sizeof(struct r5l_payload_data_parity) +
++ (sector_t)sizeof(__le32) *
++ (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
++ if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
++ goto mismatch;
+ if (r5l_recovery_verify_data_checksum(
+ log, ctx, page, log_offset,
+ payload->checksum[0]) < 0)
+@@ -2038,22 +2050,18 @@ r5l_recovery_verify_data_checksum_for_mb
+ payload->checksum[1]) < 0)
+ goto mismatch;
+ } else if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
+- /* nothing to do for R5LOG_PAYLOAD_FLUSH here */
++ payload_len = sizeof(struct r5l_payload_flush) +
++ (sector_t)le32_to_cpu(payload_flush->size);
++ if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
++ goto mismatch;
+ } else /* not R5LOG_PAYLOAD_DATA/PARITY/FLUSH */
+ goto mismatch;
+ 
+- if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
+- mb_offset += sizeof(struct r5l_payload_flush) +
+- le32_to_cpu(payload_flush->size);
+- } else {
+- /* DATA or PARITY payload */
++ if (le16_to_cpu(payload->header.type) != R5LOG_PAYLOAD_FLUSH) {
+ log_offset = r5l_ring_add(log, log_offset,
+ le32_to_cpu(payload->size));
+- mb_offset += sizeof(struct r5l_payload_data_parity) +
+- sizeof(__le32) *
+- (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
+ }
+-
++ mb_offset += payload_len;
+ }
+ 
+ put_page(page);
+@@ -2104,6 +2112,7 @@ r5c_recovery_analyze_meta_block(struct r
+ log_offset = r5l_ring_add(log, ctx->pos, BLOCK_SECTORS);
+ 
+ while (mb_offset < le32_to_cpu(mb->meta_size)) {
++ sector_t payload_len;
+ int dd;
+ 
+ payload = (void *)mb + mb_offset;
+@@ -2112,6 +2121,12 @@ r5c_recovery_analyze_meta_block(struct r
+ if (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_FLUSH) {
+ int i, count;
+ 
++ payload_len = sizeof(struct r5l_payload_flush) +
++ (sector_t)le32_to_cpu(payload_flush->size);
++ if (mb_offset + payload_len >
++ le32_to_cpu(mb->meta_size))
++ return -EINVAL;
++
+ count = le32_to_cpu(payload_flush->size) / sizeof(__le64);
+ for (i = 0; i < count; ++i) {
+ stripe_sect = le64_to_cpu(payload_flush->flush_stripes[i]);
+@@ -2125,12 +2140,17 @@ r5c_recovery_analyze_meta_block(struct r
+ }
+ }
+ 
+- mb_offset += sizeof(struct r5l_payload_flush) +
+- le32_to_cpu(payload_flush->size);
++ mb_offset += payload_len;
+ continue;
+ }
+ 
+ /* DATA or PARITY payload */
++ payload_len = sizeof(struct r5l_payload_data_parity) +
++ (sector_t)sizeof(__le32) *
++ (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
++ if (mb_offset + payload_len > le32_to_cpu(mb->meta_size))
++ return -EINVAL;
++
+ stripe_sect = (le16_to_cpu(payload->header.type) == R5LOG_PAYLOAD_DATA) ?
+ raid5_compute_sector(
+ conf, le64_to_cpu(payload->location), 0, &dd,
+@@ -2195,9 +2215,7 @@ r5c_recovery_analyze_meta_block(struct r
+ log_offset = r5l_ring_add(log, log_offset,
+ le32_to_cpu(payload->size));
+ 
+- mb_offset += sizeof(struct r5l_payload_data_parity) +
+- sizeof(__le32) *
+- (le32_to_cpu(payload->size) >> (PAGE_SHIFT - 9));
++ mb_offset += payload_len;
+ }
+ 
+ return 0;
diff --git a/queue-5.10/series b/queue-5.10/series
index 5c4c3a07e1..ff115d6508 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
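Review bot: The new bounds checks in r5l_recovery_verify_data_checksum_for_mb() and r5c_recovery_analyze_meta_block() are evaluated only after `payload->header.type`, `payload->size` and `payload_flush->size` have already been dereferenced, so an on-disk size that leaves mb_offset within the last few bytes below meta_size still reads header fields beyond the validated region before the check rejects the block; whether that read can cross the page depends on the meta_size ceiling enforced where the block is read, which is outside this hunk. Checking the fixed part before touching it would close that gap: `if (mb_offset + sizeof(payload->header) > le32_to_cpu(mb->meta_size)) goto mismatch;` at the top of each loop iteration, and likewise `sizeof(*payload)` or `sizeof(*payload_flush)` once the type is known, before the size field is read (with `return -EINVAL` in the analyze function). The DATA and PARITY branches of the verify function now carry the same payload_len computation twice; computing it once for both types would remove the duplication. `sector_t` for a byte count is also an odd choice — `size_t` or `u64` would read more naturally — though it is wide enough to prevent the 32-bit overflow the cast is there for.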
@@ -185,3 +185,15 @@ revert-io_uring-poll-fix-epoll_uring_wake-sometimes-.patch
 io_uring-poll-fix-epoll_uring_wake-sometimes-not-bei.patch-12437
 io_uring-poll-fix-backport-of-io_poll_add-changes.patch-11453
 mtd-docg3-fix-use-after-free-in-docg3_release.patch
+ext4-fix-missing-brelse-in-ext4_xattr_inode_dec_ref_all.patch
+md-raid5-fix-soft-lockup-in-retry_aligned_read.patch
+md-raid5-validate-payload-size-before-accessing-journal-metadata.patch
+inotify-fix-watch-count-leak-when-fsnotify_add_inode_mark_locked-fails.patch
+taskstats-set-version-in-tgid-exit-notifications.patch
+crypto-atmel-aes-fix-3-page-memory-leak-in-atmel_aes_buff_cleanup.patch
+crypto-atmel-ecc-release-client-on-allocation-failure.patch
+crypto-hisilicon-fix-dma_unmap_single-direction.patch
+crypto-ccree-fix-a-memory-leak-in-cc_mac_digest.patch
+crypto-atmel-tdes-fix-dma-sync-direction.patch
+dm-mirror-fix-integer-overflow-in-create_dirty_log.patch
+ib-core-fix-zero-dmac-race-in-neighbor-resolution.patch
diff --git a/queue-5.10/taskstats-set-version-in-tgid-exit-notifications.patch b/queue-5.10/taskstats-set-version-in-tgid-exit-notifications.patch
new file mode 100644
index 0000000000..8a5d0abd18
--- /dev/null
+++ b/queue-5.10/taskstats-set-version-in-tgid-exit-notifications.patch
@@ -0,0 +1,74 @@
+From 16c4f0211aaa1ec1422b11b59f64f1abe9009fc0 Mon Sep 17 00:00:00 2001
+From: Yiyang Chen
+Date: Mon, 30 Mar 2026 03:00:40 +0800
+Subject: taskstats: set version in TGID exit notifications
+
+From: Yiyang Chen
+
+commit 16c4f0211aaa1ec1422b11b59f64f1abe9009fc0 upstream.
+
+delay accounting started populating taskstats records with a valid version
+field via fill_pid() and fill_tgid().
+
+Later, commit ad4ecbcba728 ("[PATCH] delay accounting taskstats interface
+send tgid once") changed the TGID exit path to send the cached
+signal->stats aggregate directly instead of building the outgoing record
+through fill_tgid(). Unlike fill_tgid(), fill_tgid_exit() only
+accumulates accounting data and never initializes stats->version.
+
+As a result, TGID exit notifications can reach userspace with version == 0
+even though PID exit notifications and TASKSTATS_CMD_GET replies carry a
+valid taskstats version.
+
+This is easy to reproduce with `tools/accounting/getdelays.c`.
+
+I have a small follow-up patch for that tool which:
+
+1. increases the receive buffer/message size so the pid+tgid
+ combined exit notification is not dropped/truncated
+
+2. prints `stats->version`.
+
+With that patch, the reproducer is:
+
+ Terminal 1:
+ ./getdelays -d -v -l -m 0
+
+ Terminal 2:
+ taskset -c 0 python3 -c 'import threading,time; t=threading.Thread(target=time.sleep,args=(0.1,)); t.start(); t.join()'
+
+That produces both PID and TGID exit notifications for the same
+process. The PID exit record reports a valid taskstats version, while
+the TGID exit record reports `version 0`.
+
+
+This patch (of 2):
+
+Set stats->version = TASKSTATS_VERSION after copying the cached TGID
+aggregate into the outgoing netlink payload so all taskstats records are
+self-describing again.
+
+Link: https://lkml.kernel.org/r/ba83d934e59edd431b693607de573eb9ca059309.1774810498.git.cyyzero16@gmail.com
+Fixes: ad4ecbcba728 ("[PATCH] delay accounting taskstats interface send tgid once")
+Signed-off-by: Yiyang Chen
+Cc: Balbir Singh
+Cc: Dr. Thomas Orgis
+Cc: Fan Yu
+Cc: Wang Yaxin
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/taskstats.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/taskstats.c
++++ b/kernel/taskstats.c
+@@ -632,6 +632,7 @@ void taskstats_exit(struct task_struct *
+ goto err;
+ 
+ memcpy(stats, tsk->signal->stats, sizeof(*stats));
++ stats->version = TASKSTATS_VERSION;
+ 
+ send:
+ send_cpu_listeners(rep_skb, listeners);