From: Greg Kroah-Hartman Date: Tue, 12 May 2026 14:11:45 +0000 (+0200) Subject: 6.6-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7d8c194578cc7bae9f6f15240f008bc8f198748;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: asoc-amd-yc-add-hp-omen-gaming-laptop-16-ap0xxx-product-line-in-quirk-table.patch asoc-fsl_easrc-fix-comment-typo.patch asoc-intel-bytcr_wm5102-fix-mclk-leak-on-platform_clock_control-error.patch asoc-qcom-q6apm-dai-reset-queue-ptr-on-trigger-stop.patch asoc-qcom-q6apm-lpass-dai-fix-multiple-graph-opens.patch asoc-qcom-q6apm-remove-child-devices-when-apm-is-removed.patch btrfs-fix-double-free-in-create_space_info-error-path.patch dm-don-t-report-warning-when-doing-deferred-remove.patch dm-fix-a-buffer-overflow-in-ioctl-processing.patch dm-thin-fix-metadata-refcount-underflow.patch dm-verity-fec-correctly-reject-too-small-fec-devices.patch dm-verity-fec-correctly-reject-too-small-hash-devices.patch eventfs-hold-eventfs_mutex-and-srcu-when-remount-walks-events.patch isofs-validate-block-number-from-nfs-file-handle-in-isofs_export_iget.patch isofs-validate-rock-ridge-ce-continuation-extent-against-volume-size.patch kvm-x86-check-for-nept-nnpt-in-slow-flush-hypercalls.patch lib-crypto-mpi-fix-integer-underflow-in-mpi_read_raw_from_sgl.patch lib-scatterlist-fix-length-calculations-in-extract_kvec_to_sg.patch lib-scatterlist-fix-temp-buffer-in-extract_user_to_sg.patch libceph-fix-slab-out-of-bounds-access-in-auth-message-processing.patch md-raid10-fix-divide-by-zero-in-setup_geo-with-zero-far_copies.patch mm-damon-sysfs-schemes-protect-memcg_path-kfree-with-damon_sysfs_lock.patch nvme-apple-drop-invalid-put-of-admin-queue-reference-count.patch nvmet-avoid-recursive-nvmet-wq-flush-in-nvmet_ctrl_free.patch openvswitch-vport-fix-self-deadlock-on-release-of-tunnel-ports.patch rdma-hns-fix-unlocked-call-to-hns_roce_qp_remove.patch riscv-kvm-fix-vector-context-allocation-leak.patch s390-debug-reject-zero-length-input-in-debug_input_flush_fn.patch smb-client-fix-out-of-bounds-read-in-smb2_compound_op.patch smb-client-fix-out-of-bounds-read-in-symlink_data.patch smb-client-validate-dacloffset-before-building-dacl-pointers.patch --- diff --git a/queue-6.6/asoc-amd-yc-add-hp-omen-gaming-laptop-16-ap0xxx-product-line-in-quirk-table.patch b/queue-6.6/asoc-amd-yc-add-hp-omen-gaming-laptop-16-ap0xxx-product-line-in-quirk-table.patch new file mode 100644 index 0000000000..e1423f6545 --- /dev/null +++ b/queue-6.6/asoc-amd-yc-add-hp-omen-gaming-laptop-16-ap0xxx-product-line-in-quirk-table.patch @@ -0,0 +1,51 @@ +From d63c219b7ff39f897da10c160a2edef76320f16c Mon Sep 17 00:00:00 2001 +From: Tommaso Soncin +Date: Wed, 29 Apr 2026 18:08:57 +0200 +Subject: ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table + +From: Tommaso Soncin + +commit d63c219b7ff39f897da10c160a2edef76320f16c upstream. + +Add a DMI quirk for the HP OMEN Gaming Laptop 16-ap0xxx line fixing the +issue where the internal microphone was not detected. + +Cc: stable@vger.kernel.org +Signed-off-by: Tommaso Soncin +Link: https://patch.msgid.link/20260429160858.538986-1-soncintommaso@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/amd/yc/acp6x-mach.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -55,6 +55,13 @@ static const struct dmi_system_id yc_acp + { + .driver_data = &acp6x_card, + .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "OMEN Gaming Laptop 16-ap0xxx"), ++ } ++ }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "Dell Inc."), + DMI_MATCH(DMI_PRODUCT_NAME, "Dell G15 5525"), + } +@@ -648,6 +655,13 @@ static const struct dmi_system_id yc_acp + } + }, + { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"), ++ DMI_MATCH(DMI_BOARD_NAME, "8E35"), ++ } ++ }, ++ { + .driver_data = &acp6x_card, + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "MECHREVO"), diff --git a/queue-6.6/asoc-fsl_easrc-fix-comment-typo.patch b/queue-6.6/asoc-fsl_easrc-fix-comment-typo.patch new file mode 100644 index 0000000000..51596540db --- /dev/null +++ b/queue-6.6/asoc-fsl_easrc-fix-comment-typo.patch @@ -0,0 +1,38 @@ +From 804dce6c73fdfa44184ee4e8b09abad7f5da408f Mon Sep 17 00:00:00 2001 +From: Joseph Salisbury +Date: Mon, 16 Mar 2026 14:05:45 -0400 +Subject: ASoC: fsl_easrc: fix comment typo + +From: Joseph Salisbury + +commit 804dce6c73fdfa44184ee4e8b09abad7f5da408f upstream. + +The file contains a spelling error in a source comment (funciton). + +Typos in comments reduce readability and make text searches less reliable +for developers and maintainers. + +Replace 'funciton' with 'function' in the affected comment. This is a +comment-only cleanup and does not change behavior. + +Fixes: 955ac624058f ("ASoC: fsl_easrc: Add EASRC ASoC CPU DAI drivers") +Cc: stable@vger.kernel.org +Signed-off-by: Joseph Salisbury +Link: https://patch.msgid.link/20260316180545.144032-1-joseph.salisbury@oracle.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/fsl/fsl_easrc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/fsl/fsl_easrc.c ++++ b/sound/soc/fsl/fsl_easrc.c +@@ -1286,7 +1286,7 @@ static int fsl_easrc_request_context(int + /* + * Release the context + * +- * This funciton is mainly doing the revert thing in request context ++ * This function is mainly doing the revert thing in request context + */ + static void fsl_easrc_release_context(struct fsl_asrc_pair *ctx) + { diff --git a/queue-6.6/asoc-intel-bytcr_wm5102-fix-mclk-leak-on-platform_clock_control-error.patch b/queue-6.6/asoc-intel-bytcr_wm5102-fix-mclk-leak-on-platform_clock_control-error.patch new file mode 100644 index 0000000000..506e644768 --- /dev/null +++ b/queue-6.6/asoc-intel-bytcr_wm5102-fix-mclk-leak-on-platform_clock_control-error.patch @@ -0,0 +1,42 @@ +From 13d30682e8dee191ac04e93642f0372a723e8b0c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A1ssio=20Gabriel?= +Date: Mon, 27 Apr 2026 23:38:41 -0300 +Subject: ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cássio Gabriel + +commit 13d30682e8dee191ac04e93642f0372a723e8b0c upstream. + +If byt_wm5102_prepare_and_enable_pll1() fails in the +SND_SOC_DAPM_EVENT_ON() path, platform_clock_control() returns after +clk_prepare_enable(priv->mclk) without disabling the clock again. + +This leaks an MCLK enable reference on failed power-up attempts. Add the +missing clk_disable_unprepare() on the error path, matching the unwind +used by the other Intel platform_clock_control() implementations. + +Fixes: 9a87fc1e0619 ("ASoC: Intel: bytcr_wm5102: Add machine driver for BYT/WM5102") +Cc: stable@vger.kernel.org +Signed-off-by: Cássio Gabriel +Reviewed-by: Cezary Rojewski +Reviewed-by: Hans de Goede +Link: https://patch.msgid.link/20260427-bytcr-wm5102-mclk-leak-v1-1-02b96d08e99c@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/boards/bytcr_wm5102.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/soc/intel/boards/bytcr_wm5102.c ++++ b/sound/soc/intel/boards/bytcr_wm5102.c +@@ -111,6 +111,7 @@ static int platform_clock_control(struct + ret = byt_wm5102_prepare_and_enable_pll1(codec_dai, 48000); + if (ret) { + dev_err(card->dev, "Error setting codec sysclk: %d\n", ret); ++ clk_disable_unprepare(priv->mclk); + return ret; + } + } else { diff --git a/queue-6.6/asoc-qcom-q6apm-dai-reset-queue-ptr-on-trigger-stop.patch b/queue-6.6/asoc-qcom-q6apm-dai-reset-queue-ptr-on-trigger-stop.patch new file mode 100644 index 0000000000..5869c80ca3 --- /dev/null +++ b/queue-6.6/asoc-qcom-q6apm-dai-reset-queue-ptr-on-trigger-stop.patch @@ -0,0 +1,47 @@ +From cab45ab95ce7600fc0ff84585c77fd45b7b0d67c Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Thu, 2 Apr 2026 08:11:10 +0000 +Subject: ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop + +From: Srinivas Kandagatla + +commit cab45ab95ce7600fc0ff84585c77fd45b7b0d67c upstream. + +Reset queue pointer on SNDRV_PCM_TRIGGER_STOP event to be inline +with resetting appl_ptr. Without this we will end up with a queue_ptr +out of sync and driver could try to send data that is not ready yet. + +Fix this by resetting the queue_ptr. + +Fixes: 3d4a4411aa8bb ("ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs") +Cc: Stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260402081118.348071-6-srinivas.kandagatla@oss.qualcomm.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6apm-dai.c | 1 + + sound/soc/qcom/qdsp6/q6apm.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/sound/soc/qcom/qdsp6/q6apm-dai.c ++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c +@@ -321,6 +321,7 @@ static int q6apm_dai_trigger(struct snd_ + case SNDRV_PCM_TRIGGER_STOP: + /* TODO support be handled via SoftPause Module */ + prtd->state = Q6APM_STREAM_STOPPED; ++ prtd->queue_ptr = 0; + break; + case SNDRV_PCM_TRIGGER_SUSPEND: + case SNDRV_PCM_TRIGGER_PAUSE_PUSH: +--- a/sound/soc/qcom/qdsp6/q6apm.c ++++ b/sound/soc/qcom/qdsp6/q6apm.c +@@ -225,6 +225,8 @@ int q6apm_map_memory_regions(struct q6ap + + mutex_lock(&graph->lock); + ++ data->dsp_buf = 0; ++ + if (data->buf) { + mutex_unlock(&graph->lock); + return 0; diff --git a/queue-6.6/asoc-qcom-q6apm-lpass-dai-fix-multiple-graph-opens.patch b/queue-6.6/asoc-qcom-q6apm-lpass-dai-fix-multiple-graph-opens.patch new file mode 100644 index 0000000000..3b9069091b --- /dev/null +++ b/queue-6.6/asoc-qcom-q6apm-lpass-dai-fix-multiple-graph-opens.patch @@ -0,0 +1,36 @@ +From 69acc488aaf39d0ddf6c3cf0e47c1873d39919a2 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Thu, 2 Apr 2026 08:11:09 +0000 +Subject: ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens + +From: Srinivas Kandagatla + +commit 69acc488aaf39d0ddf6c3cf0e47c1873d39919a2 upstream. + +As prepare can be called mulitple times, this can result in multiple +graph opens for playback path. + +This will result in a memory leaks, fix this by adding a check before +opening. + +Fixes: be1fae62cf25 ("ASoC: q6apm-lpass-dai: close graph on prepare errors") +Cc: Stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260402081118.348071-5-srinivas.kandagatla@oss.qualcomm.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c ++++ b/sound/soc/qcom/qdsp6/q6apm-lpass-dais.c +@@ -175,7 +175,7 @@ static int q6apm_lpass_dai_prepare(struc + * It is recommend to load DSP with source graph first and then sink + * graph, so sequence for playback and capture will be different + */ +- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { ++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK && dai_data->graph[dai->id] == NULL) { + graph = q6apm_graph_open(dai->dev, NULL, dai->dev, graph_id); + if (IS_ERR(graph)) { + dev_err(dai->dev, "Failed to open graph (%d)\n", graph_id); diff --git a/queue-6.6/asoc-qcom-q6apm-remove-child-devices-when-apm-is-removed.patch b/queue-6.6/asoc-qcom-q6apm-remove-child-devices-when-apm-is-removed.patch new file mode 100644 index 0000000000..0ec035870f --- /dev/null +++ b/queue-6.6/asoc-qcom-q6apm-remove-child-devices-when-apm-is-removed.patch @@ -0,0 +1,37 @@ +From 4a0e1bcc98f7281d1605768bd2fe71eacc34f9b7 Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Thu, 2 Apr 2026 08:11:07 +0000 +Subject: ASoC: qcom: q6apm: remove child devices when apm is removed + +From: Srinivas Kandagatla + +commit 4a0e1bcc98f7281d1605768bd2fe71eacc34f9b7 upstream. + +looks like q6apm driver does not remove the child driver q6apm-dai and +q6apm-bedais when the this driver is removed. + +Fix this by depopulating them in remove callback. + +With this change when the dsp is shutdown all the devices associated with +q6apm will now be removed. + +Fixes: 5477518b8a0e ("ASoC: qdsp6: audioreach: add q6apm support") +Cc: Stable@vger.kernel.org +Signed-off-by: Srinivas Kandagatla +Link: https://patch.msgid.link/20260402081118.348071-3-srinivas.kandagatla@oss.qualcomm.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6apm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/soc/qcom/qdsp6/q6apm.c ++++ b/sound/soc/qcom/qdsp6/q6apm.c +@@ -781,6 +781,7 @@ static int apm_probe(gpr_device_t *gdev) + + static void apm_remove(gpr_device_t *gdev) + { ++ of_platform_depopulate(&gdev->dev); + snd_soc_unregister_component(&gdev->dev); + } + diff --git a/queue-6.6/btrfs-fix-double-free-in-create_space_info-error-path.patch b/queue-6.6/btrfs-fix-double-free-in-create_space_info-error-path.patch new file mode 100644 index 0000000000..ea08deafcd --- /dev/null +++ b/queue-6.6/btrfs-fix-double-free-in-create_space_info-error-path.patch @@ -0,0 +1,52 @@ +From 3f487be81292702a59ea9dbc4088b3360a50e837 Mon Sep 17 00:00:00 2001 +From: Guangshuo Li +Date: Wed, 1 Apr 2026 18:56:19 +0800 +Subject: btrfs: fix double free in create_space_info() error path + +From: Guangshuo Li + +commit 3f487be81292702a59ea9dbc4088b3360a50e837 upstream. + +When kobject_init_and_add() fails, the call chain is: + +create_space_info() +-> btrfs_sysfs_add_space_info_type() +-> kobject_init_and_add() +-> failure +-> kobject_put(&space_info->kobj) +-> space_info_release() +-> kfree(space_info) + +Then control returns to create_space_info(): + +btrfs_sysfs_add_space_info_type() returns error +-> goto out_free +-> kfree(space_info) + +This causes a double free. + +Keep the direct kfree(space_info) for the earlier failure path, but +after btrfs_sysfs_add_space_info_type() has called kobject_put(), let +the kobject release callback handle the cleanup. + +Fixes: a11224a016d6d ("btrfs: fix memory leaks in create_space_info() error paths") +CC: stable@vger.kernel.org # 6.19+ +Reviewed-by: Qu Wenruo +Signed-off-by: Guangshuo Li +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/space-info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/space-info.c ++++ b/fs/btrfs/space-info.c +@@ -293,7 +293,7 @@ static int create_space_info(struct btrf + + ret = btrfs_sysfs_add_space_info_type(info, space_info); + if (ret) +- goto out_free; ++ return ret; + + list_add(&space_info->list, &info->space_info); + if (flags & BTRFS_BLOCK_GROUP_DATA) diff --git a/queue-6.6/dm-don-t-report-warning-when-doing-deferred-remove.patch b/queue-6.6/dm-don-t-report-warning-when-doing-deferred-remove.patch new file mode 100644 index 0000000000..1071826385 --- /dev/null +++ b/queue-6.6/dm-don-t-report-warning-when-doing-deferred-remove.patch @@ -0,0 +1,35 @@ +From b7cce3e2cca9cd78418f3c3784474b778e7996fe Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 16 Mar 2026 15:04:15 +0100 +Subject: dm: don't report warning when doing deferred remove + +From: Mikulas Patocka + +commit b7cce3e2cca9cd78418f3c3784474b778e7996fe upstream. + +If dm_hash_remove_all was called from dm_deferred_remove, it would write +a warning "remove_all left %d open device(s)" if there are some other +devices active. + +The warning is bogus, so let's disable it in this case. + +Signed-off-by: Mikulas Patocka +Reported-by: Zdenek Kabelac +Cc: stable@vger.kernel.org +Fixes: 2c140a246dc0 ("dm: allow remove to be deferred") +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -384,7 +384,7 @@ retry: + + up_write(&_hash_lock); + +- if (dev_skipped) ++ if (dev_skipped && !only_deferred) + DMWARN("remove_all left %d open device(s)", dev_skipped); + } + diff --git a/queue-6.6/dm-fix-a-buffer-overflow-in-ioctl-processing.patch b/queue-6.6/dm-fix-a-buffer-overflow-in-ioctl-processing.patch new file mode 100644 index 0000000000..98dae9fc32 --- /dev/null +++ b/queue-6.6/dm-fix-a-buffer-overflow-in-ioctl-processing.patch @@ -0,0 +1,55 @@ +From 2fa49cc884f6496a915c35621ba4da35649bf159 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Thu, 9 Apr 2026 17:49:58 +0200 +Subject: dm: fix a buffer overflow in ioctl processing + +From: Mikulas Patocka + +commit 2fa49cc884f6496a915c35621ba4da35649bf159 upstream. + +Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the +function retrieve_status: + +1. The code in retrieve_status checks that the output string fits into + the output buffer and writes the output string there +2. Then, the code aligns the "outptr" variable to the next 8-byte + boundary: + outptr = align_ptr(outptr); +3. The alignment doesn't check overflow, so outptr could point past the + buffer end +4. The "for" loop is iterated again, it executes: + remaining = len - (outptr - outbuf); +5. If "outptr" points past "outbuf + len", the arithmetics wraps around + and the variable "remaining" contains unusually high number +6. With "remaining" being high, the code writes more data past the end of + the buffer + +Luckily, this bug has no security implications because: +1. Only root can issue device mapper ioctls +2. The commonly used libraries that communicate with device mapper + (libdevmapper and devicemapper-rs) use buffer size that is aligned to + 8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input + buffer and the bug can't happen accidentally + +Reported-by: Tony Asleson +Signed-off-by: Mikulas Patocka +Reviewed-by: Bryn M. Reeves +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-ioctl.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -1341,6 +1341,10 @@ static void retrieve_status(struct dm_ta + used = param->data_start + (outptr - outbuf); + + outptr = align_ptr(outptr); ++ if (!outptr || outptr > outbuf + len) { ++ param->flags |= DM_BUFFER_FULL_FLAG; ++ break; ++ } + spec->next = outptr - outbuf; + } + diff --git a/queue-6.6/dm-thin-fix-metadata-refcount-underflow.patch b/queue-6.6/dm-thin-fix-metadata-refcount-underflow.patch new file mode 100644 index 0000000000..fefc42e906 --- /dev/null +++ b/queue-6.6/dm-thin-fix-metadata-refcount-underflow.patch @@ -0,0 +1,55 @@ +From 09a65adc7d8bbfce06392cb6d375468e2728ead5 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 20 Apr 2026 19:56:44 +0200 +Subject: dm-thin: fix metadata refcount underflow + +From: Mikulas Patocka + +commit 09a65adc7d8bbfce06392cb6d375468e2728ead5 upstream. + +There's a bug in dm-thin in the function rebalance_children. If the +internal btree node has one entry, the code tries to copy all btree +entries from the node's child to the node itself and then decrement the +child's reference count. + +If the child node is shared (it has reference count > 1), we won't free +it, so there would be two pointers to each of the grandchildren nodes. +But the reference counts of the grandchildren is not increased, thus the +reference count doesn't match the number of pointers that point to the +grandchildren. This results in "device mapper: space map common: unable +to decrement block" errors. + +Fix this bug by incrementing reference counts on the grandchildren if the +btree node is shared. + +Signed-off-by: Mikulas Patocka +Fixes: 3241b1d3e0aa ("dm: add persistent data library") +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/persistent-data/dm-btree-remove.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/md/persistent-data/dm-btree-remove.c ++++ b/drivers/md/persistent-data/dm-btree-remove.c +@@ -490,12 +490,20 @@ static int rebalance_children(struct sha + + if (le32_to_cpu(n->header.nr_entries) == 1) { + struct dm_block *child; ++ int is_shared; + dm_block_t b = value64(n, 0); + ++ r = dm_tm_block_is_shared(info->tm, b, &is_shared); ++ if (r) ++ return r; ++ + r = dm_tm_read_lock(info->tm, b, &btree_node_validator, &child); + if (r) + return r; + ++ if (is_shared) ++ inc_children(info->tm, dm_block_data(child), vt); ++ + memcpy(n, dm_block_data(child), + dm_bm_block_size(dm_tm_get_bm(info->tm))); + diff --git a/queue-6.6/dm-verity-fec-correctly-reject-too-small-fec-devices.patch b/queue-6.6/dm-verity-fec-correctly-reject-too-small-fec-devices.patch new file mode 100644 index 0000000000..de5c3aef60 --- /dev/null +++ b/queue-6.6/dm-verity-fec-correctly-reject-too-small-fec-devices.patch @@ -0,0 +1,48 @@ +From 2b14e0bb63cc671120e7791658f5c494fc66d072 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 5 Feb 2026 20:59:20 -0800 +Subject: dm-verity-fec: correctly reject too-small FEC devices + +From: Eric Biggers + +commit 2b14e0bb63cc671120e7791658f5c494fc66d072 upstream. + +Fix verity_fec_ctr() to reject too-small FEC devices by correctly +computing the number of parity blocks as 'f->rounds * f->roots'. +Previously it incorrectly used 'div64_u64(f->rounds * f->roots, +v->fec->roots << SECTOR_SHIFT)' which is a much smaller value. + +Note that the units of 'rounds' are blocks, not bytes. This matches the +units of the value returned by dm_bufio_get_device_size(), which are +also blocks. A later commit will give 'rounds' a clearer name. + +Fixes: a739ff3f543a ("dm verity: add support for forward error correction") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Mikulas Patocka +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-verity-fec.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -688,7 +688,7 @@ int verity_fec_ctr(struct dm_verity *v) + { + struct dm_verity_fec *f = v->fec; + struct dm_target *ti = v->ti; +- u64 hash_blocks, fec_blocks; ++ u64 hash_blocks; + int ret; + + if (!verity_fec_is_enabled(v)) { +@@ -769,8 +769,7 @@ int verity_fec_ctr(struct dm_verity *v) + + dm_bufio_set_sector_offset(f->bufio, f->start << (v->data_dev_block_bits - SECTOR_SHIFT)); + +- fec_blocks = div64_u64(f->rounds * f->roots, v->fec->roots << SECTOR_SHIFT); +- if (dm_bufio_get_device_size(f->bufio) < fec_blocks) { ++ if (dm_bufio_get_device_size(f->bufio) < f->rounds * f->roots) { + ti->error = "FEC device is too small"; + return -E2BIG; + } diff --git a/queue-6.6/dm-verity-fec-correctly-reject-too-small-hash-devices.patch b/queue-6.6/dm-verity-fec-correctly-reject-too-small-hash-devices.patch new file mode 100644 index 0000000000..94d699c32c --- /dev/null +++ b/queue-6.6/dm-verity-fec-correctly-reject-too-small-hash-devices.patch @@ -0,0 +1,40 @@ +From 4355142245f7e55336dcc005ec03592df4d546f8 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 5 Feb 2026 20:59:21 -0800 +Subject: dm-verity-fec: correctly reject too-small hash devices + +From: Eric Biggers + +commit 4355142245f7e55336dcc005ec03592df4d546f8 upstream. + +Fix verity_fec_ctr() to reject too-small hash devices by correctly +taking hash_start into account. + +Note that this is necessary because dm-verity doesn't call +dm_bufio_set_sector_offset() on the hash device's bufio client +(v->bufio). Thus, dm_bufio_get_device_size(v->bufio) returns a size +relative to 0 rather than hash_start. An alternative fix would be to +call dm_bufio_set_sector_offset() on v->bufio, but then all the code +that reads from the hash device would have to be adjusted accordingly. + +Fixes: a739ff3f543a ("dm verity: add support for forward error correction") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Mikulas Patocka +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-verity-fec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -751,7 +751,8 @@ int verity_fec_ctr(struct dm_verity *v) + * it to be large enough. + */ + f->hash_blocks = f->blocks - v->data_blocks; +- if (dm_bufio_get_device_size(v->bufio) < f->hash_blocks) { ++ if (dm_bufio_get_device_size(v->bufio) < ++ v->hash_start + f->hash_blocks) { + ti->error = "Hash device is too small for " + DM_VERITY_OPT_FEC_BLOCKS; + return -E2BIG; diff --git a/queue-6.6/eventfs-hold-eventfs_mutex-and-srcu-when-remount-walks-events.patch b/queue-6.6/eventfs-hold-eventfs_mutex-and-srcu-when-remount-walks-events.patch new file mode 100644 index 0000000000..8a23fdfe28 --- /dev/null +++ b/queue-6.6/eventfs-hold-eventfs_mutex-and-srcu-when-remount-walks-events.patch @@ -0,0 +1,122 @@ +From 07004a8c4b572171934390148ee48c4175c77eed Mon Sep 17 00:00:00 2001 +From: David Carlier +Date: Sat, 18 Apr 2026 20:17:37 +0100 +Subject: eventfs: Hold eventfs_mutex and SRCU when remount walks events + +From: David Carlier + +commit 07004a8c4b572171934390148ee48c4175c77eed upstream. + +Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the +events descriptor") had eventfs_set_attrs() recurse through ei->children +on remount. The walk only holds the rcu_read_lock() taken by +tracefs_apply_options() over tracefs_inodes, which is wrong: + + - list_for_each_entry over ei->children races with the list_del_rcu() + in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as + d2603279c7d6. + - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...). + rcu_read_lock() does not extend an SRCU grace period, so ti->private + can be reclaimed under the walk. + - The writes to ei->attr race with eventfs_set_attr(), which holds + eventfs_mutex. + +Reproducer: + + while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done & + while :; do + echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events + echo > /sys/kernel/tracing/kprobe_events + done + +Wrap the events portion of tracefs_apply_options() in +eventfs_remount_lock()/_unlock() that take eventfs_mutex and +srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the +nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract. + +Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU. + +Fixes: 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20260418191737.10289-1-devnexen@gmail.com +Signed-off-by: David Carlier +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman +--- + fs/tracefs/event_inode.c | 14 ++++++++++++++ + fs/tracefs/inode.c | 5 ++++- + fs/tracefs/internal.h | 3 +++ + 3 files changed, 21 insertions(+), 1 deletion(-) + +--- a/fs/tracefs/event_inode.c ++++ b/fs/tracefs/event_inode.c +@@ -310,6 +310,8 @@ static void eventfs_set_attrs(struct eve + { + struct eventfs_inode *ei_child; + ++ lockdep_assert_held(&eventfs_mutex); ++ + /* Update events// */ + if (WARN_ON_ONCE(level > 3)) + return; +@@ -985,3 +987,15 @@ void eventfs_remove_events_dir(struct ev + d_invalidate(dentry); + dput(dentry); + } ++ ++int eventfs_remount_lock(void) ++{ ++ mutex_lock(&eventfs_mutex); ++ return srcu_read_lock(&eventfs_srcu); ++} ++ ++void eventfs_remount_unlock(int srcu_idx) ++{ ++ srcu_read_unlock(&eventfs_srcu, srcu_idx); ++ mutex_unlock(&eventfs_mutex); ++} +--- a/fs/tracefs/inode.c ++++ b/fs/tracefs/inode.c +@@ -362,6 +362,7 @@ static int tracefs_apply_options(struct + struct tracefs_mount_opts *opts = &fsi->mount_opts; + struct tracefs_inode *ti; + bool update_uid, update_gid; ++ int srcu_idx; + umode_t tmp_mode; + + /* +@@ -386,6 +387,7 @@ static int tracefs_apply_options(struct + update_uid = opts->opts & BIT(Opt_uid); + update_gid = opts->opts & BIT(Opt_gid); + ++ srcu_idx = eventfs_remount_lock(); + rcu_read_lock(); + list_for_each_entry_rcu(ti, &tracefs_inodes, list) { + if (update_uid) +@@ -398,6 +400,7 @@ static int tracefs_apply_options(struct + eventfs_remount(ti, update_uid, update_gid); + } + rcu_read_unlock(); ++ eventfs_remount_unlock(srcu_idx); + } + + return 0; +@@ -444,7 +447,7 @@ static int tracefs_drop_inode(struct ino + * This inode is being freed and cannot be used for + * eventfs. Clear the flag so that it doesn't call into + * eventfs during the remount flag updates. The eventfs_inode +- * gets freed after an RCU cycle, so the content will still ++ * gets freed after an SRCU cycle, so the content will still + * be safe if the iteration is going on now. + */ + ti->flags &= ~TRACEFS_EVENT_INODE; +--- a/fs/tracefs/internal.h ++++ b/fs/tracefs/internal.h +@@ -76,4 +76,7 @@ struct inode *tracefs_get_inode(struct s + void eventfs_remount(struct tracefs_inode *ti, bool update_uid, bool update_gid); + void eventfs_d_release(struct dentry *dentry); + ++int eventfs_remount_lock(void); ++void eventfs_remount_unlock(int srcu_idx); ++ + #endif /* _TRACEFS_INTERNAL_H */ diff --git a/queue-6.6/isofs-validate-block-number-from-nfs-file-handle-in-isofs_export_iget.patch b/queue-6.6/isofs-validate-block-number-from-nfs-file-handle-in-isofs_export_iget.patch new file mode 100644 index 0000000000..3b3dcfeb02 --- /dev/null +++ b/queue-6.6/isofs-validate-block-number-from-nfs-file-handle-in-isofs_export_iget.patch @@ -0,0 +1,54 @@ +From 24376458138387fb251e782e624c7776e9826796 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Sun, 19 Apr 2026 17:21:55 -0400 +Subject: isofs: validate block number from NFS file handle in isofs_export_iget + +From: Michael Bommarito + +commit 24376458138387fb251e782e624c7776e9826796 upstream. + +isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- +controlled block number (ifid->block or ifid->parent_block) from +the NFS file handle to isofs_export_iget(), which only rejects +block == 0 before calling isofs_iget() and ultimately sb_bread(). +A crafted file handle with fh_len sufficient to pass the check +added by commit 0405d4b63d08 ("isofs: Prevent the use of too small +fid") can still drive the server to read any in-range block on the +backing device as if it were an iso_directory_record. That earlier +fix was assigned CVE-2025-37780. + +sb_bread() on an out-of-range block returns NULL cleanly via the +EIO path, so there is no memory-safety violation. For in-range +reads of adjacent-partition data on the same block device, the +unrelated bytes end up in iso_inode_info fields that reach the NFS +client as dentry metadata. The deployment surface (isofs exported +over NFS from loop-mounted images) is narrow and requires an +authenticated NFS peer, but the malformed-file-handle class is +reportable as hardening next to the existing CVE-2025-37780 fix. + +Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so +the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() +call sites with a single line. + +Fixes: 0405d4b63d08 ("isofs: Prevent the use of too small fid") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Michael Bommarito +Link: https://patch.msgid.link/20260419212155.2169382-3-michael.bommarito@gmail.com +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/isofs/export.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/isofs/export.c ++++ b/fs/isofs/export.c +@@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb + { + struct inode *inode; + +- if (block == 0) ++ if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) + return ERR_PTR(-ESTALE); + inode = isofs_iget(sb, block, offset); + if (IS_ERR(inode)) diff --git a/queue-6.6/isofs-validate-rock-ridge-ce-continuation-extent-against-volume-size.patch b/queue-6.6/isofs-validate-rock-ridge-ce-continuation-extent-against-volume-size.patch new file mode 100644 index 0000000000..f696df19f5 --- /dev/null +++ b/queue-6.6/isofs-validate-rock-ridge-ce-continuation-extent-against-volume-size.patch @@ -0,0 +1,64 @@ +From a36d990f591320e9dd379ab30063ebfe91d47e1f Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Sun, 19 Apr 2026 17:21:54 -0400 +Subject: isofs: validate Rock Ridge CE continuation extent against volume size + +From: Michael Bommarito + +commit a36d990f591320e9dd379ab30063ebfe91d47e1f upstream. + +rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE +record and passes it to sb_bread() without checking that the block +number is within the mounted ISO 9660 volume. commit e595447e177b +("[PATCH] rock.c: handle corrupted directories") added cont_offset +and cont_size rejection for the CE continuation but did not validate +the extent block number itself. commit f54e18f1b831 ("isofs: Fix +infinite looping over CE entries") later capped the CE chain length +at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked. + +With a crafted ISO mounted via udisks2 (desktop optical auto-mount) +or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at +an out-of-range block or at blocks belonging to an adjacent +filesystem on the same block device. sb_bread() on an out-of-range +block returns NULL cleanly via the block layer EIO path, so there +is no memory-safety violation. For in-range reads of adjacent- +filesystem data, the CE buffer is parsed as Rock Ridge records and +only the text of SL sub-records reaches userspace through +readlink(), which makes the info-leak channel narrow and difficult +to exploit; still, rejecting the malformed CE outright matches the +rejection shape already present in the same function for +cont_offset and cont_size. + +Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next +to the existing offset/size rejection, printing the same +corrupted-directory-entry notice. + +Fixes: f54e18f1b831 ("isofs: Fix infinite looping over CE entries") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-7 +Signed-off-by: Michael Bommarito +Link: https://patch.msgid.link/20260419212155.2169382-2-michael.bommarito@gmail.com +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman +--- + fs/isofs/rock.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/isofs/rock.c ++++ b/fs/isofs/rock.c +@@ -101,6 +101,15 @@ static int rock_continue(struct rock_sta + goto out; + } + ++ if ((unsigned)rs->cont_extent >= ISOFS_SB(rs->inode->i_sb)->s_nzones) { ++ printk(KERN_NOTICE "rock: corrupted directory entry. " ++ "extent=%u out of volume (nzones=%lu)\n", ++ (unsigned)rs->cont_extent, ++ ISOFS_SB(rs->inode->i_sb)->s_nzones); ++ ret = -EIO; ++ goto out; ++ } ++ + if (rs->cont_extent) { + struct buffer_head *bh; + diff --git a/queue-6.6/kvm-x86-check-for-nept-nnpt-in-slow-flush-hypercalls.patch b/queue-6.6/kvm-x86-check-for-nept-nnpt-in-slow-flush-hypercalls.patch new file mode 100644 index 0000000000..78de7a5547 --- /dev/null +++ b/queue-6.6/kvm-x86-check-for-nept-nnpt-in-slow-flush-hypercalls.patch @@ -0,0 +1,34 @@ +From 464af6fc2b1dcc74005b7f58ee3812b17777efee Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 27 Apr 2026 14:25:40 +0200 +Subject: KVM: x86: check for nEPT/nNPT in slow flush hypercalls + +From: Paolo Bonzini + +commit 464af6fc2b1dcc74005b7f58ee3812b17777efee upstream. + +Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() +is only valid if an L2 guest is running *with nested EPT/NPT enabled*. +Instead use the same condition as translate_nested_gpa() itself. + +Cc: stable@vger.kernel.org +Reviewed-by: Sean Christopherson +Fixes: aee738236dca ("KVM: x86: Prepare kvm_hv_flush_tlb() to handle L2's GPAs", 2022-11-18) +Link: https://patch.msgid.link/20260503200905.106077-1-pbonzini@redhat.com/ +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/hyperv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -1987,7 +1987,7 @@ static u64 kvm_hv_flush_tlb(struct kvm_v + * flush). Translate the address here so the memory can be uniformly + * read with kvm_read_guest(). + */ +- if (!hc->fast && is_guest_mode(vcpu)) { ++ if (!hc->fast && mmu_is_nested(vcpu)) { + hc->ingpa = translate_nested_gpa(vcpu, hc->ingpa, 0, NULL); + if (unlikely(hc->ingpa == INVALID_GPA)) + return HV_STATUS_INVALID_HYPERCALL_INPUT; diff --git a/queue-6.6/lib-crypto-mpi-fix-integer-underflow-in-mpi_read_raw_from_sgl.patch b/queue-6.6/lib-crypto-mpi-fix-integer-underflow-in-mpi_read_raw_from_sgl.patch new file mode 100644 index 0000000000..d6aacdaadb --- /dev/null +++ b/queue-6.6/lib-crypto-mpi-fix-integer-underflow-in-mpi_read_raw_from_sgl.patch @@ -0,0 +1,70 @@ +From 8c2f1288250a90a4b5cabed5d888d7e3aeed4035 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sun, 12 Apr 2026 16:19:47 +0200 +Subject: lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() + +From: Lukas Wunner + +commit 8c2f1288250a90a4b5cabed5d888d7e3aeed4035 upstream. + +Yiming reports an integer underflow in mpi_read_raw_from_sgl() when +subtracting "lzeros" from the unsigned "nbytes". + +For this to happen, the scatterlist "sgl" needs to occupy more bytes +than the "nbytes" parameter and the first "nbytes + 1" bytes of the +scatterlist must be zero. Under these conditions, the while loop +iterating over the scatterlist will count more zeroes than "nbytes", +subtract the number of zeroes from "nbytes" and cause the underflow. + +When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally +introduced the bug, it couldn't be triggered because all callers of +mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to +"nbytes". + +However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto +interface without scatterlists"), the underflow can now actually be +triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a +larger "out_len" than "in_len" and filling the "in" buffer with zeroes, +crypto_akcipher_sync_prep() will create an all-zero scatterlist used for +both the "src" and "dst" member of struct akcipher_request and thereby +fulfil the conditions to trigger the bug: + + sys_keyctl() + keyctl_pkey_e_d_s() + asymmetric_key_eds_op() + software_key_eds_op() + crypto_akcipher_sync_encrypt() + crypto_akcipher_sync_prep() + crypto_akcipher_encrypt() + rsa_enc() + mpi_read_raw_from_sgl() + +To the user this will be visible as a DoS as the kernel spins forever, +causing soft lockup splats as a side effect. + +Fix it. + +Reported-by: Yiming Qian # off-list +Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v4.4+ +Reviewed-by: Ignat Korchagin +Reviewed-by: Jarkko Sakkinen +Link: https://lore.kernel.org/r/59eca92ff4f87e2081777f1423a0efaaadcfdb39.1776003111.git.lukas@wunner.de +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + lib/crypto/mpi/mpicoder.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/crypto/mpi/mpicoder.c ++++ b/lib/crypto/mpi/mpicoder.c +@@ -453,7 +453,7 @@ MPI mpi_read_raw_from_sgl(struct scatter + lzeros = 0; + len = 0; + while (nbytes > 0) { +- while (len && !*buff) { ++ while (len && !*buff && lzeros < nbytes) { + lzeros++; + len--; + buff++; diff --git a/queue-6.6/lib-scatterlist-fix-length-calculations-in-extract_kvec_to_sg.patch b/queue-6.6/lib-scatterlist-fix-length-calculations-in-extract_kvec_to_sg.patch new file mode 100644 index 0000000000..05736c87bb --- /dev/null +++ b/queue-6.6/lib-scatterlist-fix-length-calculations-in-extract_kvec_to_sg.patch @@ -0,0 +1,90 @@ +From 07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45 Mon Sep 17 00:00:00 2001 +From: "Christian A. Ehrhardt" +Date: Thu, 26 Mar 2026 22:49:01 +0100 +Subject: lib/scatterlist: fix length calculations in extract_kvec_to_sg + +From: Christian A. Ehrhardt + +commit 07b7d66e65d9cfe6b9c2c34aa22cfcaac37a5c45 upstream. + +Patch series "Fix bugs in extract_iter_to_sg()", v3. + +Fix bugs in the kvec and user variants of extract_iter_to_sg. This series +is growing due to useful remarks made by sashiko.dev. + +The main bugs are: +- The length for an sglist entry when extracting from + a kvec can exceed the number of bytes in the page. This + is obviously not intended. +- When extracting a user buffer the sglist is temporarily + used as a scratch buffer for extracted page pointers. + If the sglist already contains some elements this scratch + buffer could overlap with existing entries in the sglist. + +The series adds test cases to the kunit_iov_iter test that demonstrate all +of these bugs. Additionally, there is a memory leak fix for the test +itself. + +The bugs were orignally introduced into kernel v6.3 where the function +lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in +v6.5. Thus the actual fix is only marked for backports to v6.5+. + + +This patch (of 5): + +When extracting from a kvec to a scatterlist, do not cross page +boundaries. The required length was already calculated but not used as +intended. + +Adjust the copied length if the loop runs out of sglist entries without +extracting everything. + +While there, return immediately from extract_iter_to_sg if there are no +sglist entries at all. + +A subsequent commit will add kunit test cases that demonstrate that the +patch is necessary. + +Link: https://lkml.kernel.org/r/20260326214905.818170-1-lk@c--e.de +Link: https://lkml.kernel.org/r/20260326214905.818170-2-lk@c--e.de +Fixes: 018584697533 ("netfs: Add a function to extract an iterator into a scatterlist") +Signed-off-by: Christian A. Ehrhardt +Cc: David Gow +Cc: David Howells +Cc: Kees Cook +Cc: Petr Mladek +Cc: [v6.5+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/scatterlist.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/lib/scatterlist.c ++++ b/lib/scatterlist.c +@@ -1241,7 +1241,7 @@ static ssize_t extract_kvec_to_sg(struct + else + page = virt_to_page((void *)kaddr); + +- sg_set_page(sg, page, len, off); ++ sg_set_page(sg, page, seg, off); + sgtable->nents++; + sg++; + sg_max--; +@@ -1250,6 +1250,7 @@ static ssize_t extract_kvec_to_sg(struct + kaddr += PAGE_SIZE; + off = 0; + } while (len > 0 && sg_max > 0); ++ ret -= len; + + if (maxsize <= 0 || sg_max == 0) + break; +@@ -1342,7 +1343,7 @@ ssize_t extract_iter_to_sg(struct iov_it + struct sg_table *sgtable, unsigned int sg_max, + iov_iter_extraction_t extraction_flags) + { +- if (maxsize == 0) ++ if (maxsize == 0 || sg_max == 0) + return 0; + + switch (iov_iter_type(iter)) { diff --git a/queue-6.6/lib-scatterlist-fix-temp-buffer-in-extract_user_to_sg.patch b/queue-6.6/lib-scatterlist-fix-temp-buffer-in-extract_user_to_sg.patch new file mode 100644 index 0000000000..9194b8f336 --- /dev/null +++ b/queue-6.6/lib-scatterlist-fix-temp-buffer-in-extract_user_to_sg.patch @@ -0,0 +1,49 @@ +From 118cf3f55975352ac357fb194405031458186819 Mon Sep 17 00:00:00 2001 +From: "Christian A. Ehrhardt" +Date: Thu, 26 Mar 2026 22:49:02 +0100 +Subject: lib/scatterlist: fix temp buffer in extract_user_to_sg() + +From: Christian A. Ehrhardt + +commit 118cf3f55975352ac357fb194405031458186819 upstream. + +Instead of allocating a temporary buffer for extracted user pages +extract_user_to_sg() uses the end of the to be filled scatterlist as a +temporary buffer. + +Fix the calculation of the start address if the scatterlist already +contains elements. The unused space starts at sgtable->sgl + +sgtable->nents not directly at sgtable->nents and the temporary buffer is +placed at the end of this unused space. + +A subsequent commit will add kunit test cases that demonstrate that the +patch is necessary. + +Pointed out by sashiko.dev on a previous iteration of this series. + +Link: https://lkml.kernel.org/r/20260326214905.818170-3-lk@c--e.de +Fixes: 018584697533 ("netfs: Add a function to extract an iterator into a scatterlist") +Signed-off-by: Christian A. Ehrhardt +Cc: David Howells +Cc: David Gow +Cc: Kees Cook +Cc: Petr Mladek +Cc: [v6.5+] +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/scatterlist.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/lib/scatterlist.c ++++ b/lib/scatterlist.c +@@ -1117,8 +1117,7 @@ static ssize_t extract_user_to_sg(struct + size_t len, off; + + /* We decant the page list into the tail of the scatterlist */ +- pages = (void *)sgtable->sgl + +- array_size(sg_max, sizeof(struct scatterlist)); ++ pages = (void *)sg + array_size(sg_max, sizeof(struct scatterlist)); + pages -= sg_max; + + do { diff --git a/queue-6.6/libceph-fix-slab-out-of-bounds-access-in-auth-message-processing.patch b/queue-6.6/libceph-fix-slab-out-of-bounds-access-in-auth-message-processing.patch new file mode 100644 index 0000000000..0c72a02912 --- /dev/null +++ b/queue-6.6/libceph-fix-slab-out-of-bounds-access-in-auth-message-processing.patch @@ -0,0 +1,59 @@ +From 1c439de70b1c3eb3c6bffa8245c16b9fc318f114 Mon Sep 17 00:00:00 2001 +From: Raphael Zimmer +Date: Tue, 21 Apr 2026 10:27:01 +0200 +Subject: libceph: Fix slab-out-of-bounds access in auth message processing + +From: Raphael Zimmer + +commit 1c439de70b1c3eb3c6bffa8245c16b9fc318f114 upstream. + +If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY +contains a positive value in its result field, it is treated as an +error code by ceph_handle_auth_reply() and returned to +handle_auth_reply(). Thereafter, an attempt is made to send the +preallocated message of type CEPH_MSG_AUTH, where the returned value is +interpreted as the size of the front segment to send. If the result +value in the message is greater than the size of the memory buffer +allocated for the front segment, an out-of-bounds access occurs, and +the content of the memory region beyond this buffer is sent out. + +This patch fixes the issue by treating only negative values in the +result field as errors. Positive values are therefore treated as success +in the same way as a zero value. Additionally, a BUG_ON is added to +__send_prepared_auth_request() comparing the len parameter to +front_alloc_len to prevent sending the message if it exceeds the bounds +of the allocation and to make it easier to catch any logic flaws leading +to this. + +Cc: stable@vger.kernel.org +Signed-off-by: Raphael Zimmer +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/auth.c | 2 +- + net/ceph/mon_client.c | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/net/ceph/auth.c ++++ b/net/ceph/auth.c +@@ -257,7 +257,7 @@ int ceph_handle_auth_reply(struct ceph_a + ac->negotiating = false; + } + +- if (result) { ++ if (result < 0) { + pr_err("auth protocol '%s' mauth authentication failed: %d\n", + ceph_auth_proto_name(ac->protocol), result); + ret = result; +--- a/net/ceph/mon_client.c ++++ b/net/ceph/mon_client.c +@@ -174,6 +174,8 @@ int ceph_monmap_contains(struct ceph_mon + */ + static void __send_prepared_auth_request(struct ceph_mon_client *monc, int len) + { ++ BUG_ON(len > monc->m_auth->front_alloc_len); ++ + monc->pending_auth = 1; + monc->m_auth->front.iov_len = len; + monc->m_auth->hdr.front_len = cpu_to_le32(len); diff --git a/queue-6.6/md-raid10-fix-divide-by-zero-in-setup_geo-with-zero-far_copies.patch b/queue-6.6/md-raid10-fix-divide-by-zero-in-setup_geo-with-zero-far_copies.patch new file mode 100644 index 0000000000..cb15f9bb1b --- /dev/null +++ b/queue-6.6/md-raid10-fix-divide-by-zero-in-setup_geo-with-zero-far_copies.patch @@ -0,0 +1,38 @@ +From 9aa6d860b0930e2f72795665c42c44252a558a0c Mon Sep 17 00:00:00 2001 +From: Junrui Luo +Date: Thu, 16 Apr 2026 11:39:56 +0800 +Subject: md/raid10: fix divide-by-zero in setup_geo() with zero far_copies + +From: Junrui Luo + +commit 9aa6d860b0930e2f72795665c42c44252a558a0c upstream. + +setup_geo() extracts near_copies (nc) and far_copies (fc) from the +user-provided layout parameter without checking for zero. When fc=0 +with the "improved" far set layout selected, 'geo->far_set_size = +disks / fc' triggers a divide-by-zero. + +Validate nc and fc immediately after extraction, returning -1 if +either is zero. + +Fixes: 475901aff158 ("MD RAID10: Improve redundancy for 'far' and 'offset' algorithms (part 1)") +Cc: stable@vger.kernel.org +Signed-off-by: Junrui Luo +Link: https://lore.kernel.org/linux-raid/SYBPR01MB7881A5E2556806CC1D318582AF232@SYBPR01MB7881.ausprd01.prod.outlook.com +Signed-off-by: Yu Kuai +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -3986,6 +3986,8 @@ static int setup_geo(struct geom *geo, s + nc = layout & 255; + fc = (layout >> 8) & 255; + fo = layout & (1<<16); ++ if (!nc || !fc) ++ return -1; + geo->raid_disks = disks; + geo->near_copies = nc; + geo->far_copies = fc; diff --git a/queue-6.6/mm-damon-sysfs-schemes-protect-memcg_path-kfree-with-damon_sysfs_lock.patch b/queue-6.6/mm-damon-sysfs-schemes-protect-memcg_path-kfree-with-damon_sysfs_lock.patch new file mode 100644 index 0000000000..048a480e45 --- /dev/null +++ b/queue-6.6/mm-damon-sysfs-schemes-protect-memcg_path-kfree-with-damon_sysfs_lock.patch @@ -0,0 +1,75 @@ +From 1e68eb96e8beb1abefd12dd22c5637795d8a877e Mon Sep 17 00:00:00 2001 +From: SeongJae Park +Date: Thu, 23 Apr 2026 08:02:51 -0700 +Subject: mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock + +From: SeongJae Park + +commit 1e68eb96e8beb1abefd12dd22c5637795d8a877e upstream. + +Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path". + +Reads of 'memcg_path' and 'path' files in DAMON sysfs interface could race +with their writes, results in use-after-free. Fix those. + + +This patch (of 2): + +damon_sysfs_scheme_filter->mmecg_path can be read and written by users, +via DAMON sysfs memcg_path file. It can also be indirectly read, for the +parameters {on,off}line committing to DAMON. The reads for parameters +committing are protected by damon_sysfs_lock to avoid the sysfs files +being destroyed while any of the parameters are being read. But the +user-driven direct reads and writes are not protected by any lock, while +the write is deallocating the memcg_path-pointing buffer. As a result, +the readers could read the already freed buffer (user-after-free). Note +that the user-reads don't race when the same open file is used by the +writer, due to kernfs's open file locking. Nonetheless, doing the reads +and writes with separate open files would be common. Fix it by protecting +both the user-direct reads and writes with damon_sysfs_lock. + +Link: https://lore.kernel.org/20260423150253.111520-1-sj@kernel.org +Link: https://lore.kernel.org/20260423150253.111520-2-sj@kernel.org +Fixes: 4f489fe6afb3 ("mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write") +Co-developed-by: Junxi Qian +Signed-off-by: Junxi Qian +Signed-off-by: SeongJae Park +Cc: # 6.16.x +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/damon/sysfs-schemes.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/mm/damon/sysfs-schemes.c ++++ b/mm/damon/sysfs-schemes.c +@@ -360,9 +360,14 @@ static ssize_t memcg_path_show(struct ko + { + struct damon_sysfs_scheme_filter *filter = container_of(kobj, + struct damon_sysfs_scheme_filter, kobj); ++ int len; + +- return sysfs_emit(buf, "%s\n", ++ if (!mutex_trylock(&damon_sysfs_lock)) ++ return -EBUSY; ++ len = sysfs_emit(buf, "%s\n", + filter->memcg_path ? filter->memcg_path : ""); ++ mutex_unlock(&damon_sysfs_lock); ++ return len; + } + + static ssize_t memcg_path_store(struct kobject *kobj, +@@ -376,8 +381,13 @@ static ssize_t memcg_path_store(struct k + return -ENOMEM; + + strscpy(path, buf, count + 1); ++ if (!mutex_trylock(&damon_sysfs_lock)) { ++ kfree(path); ++ return -EBUSY; ++ } + kfree(filter->memcg_path); + filter->memcg_path = path; ++ mutex_unlock(&damon_sysfs_lock); + return count; + } + diff --git a/queue-6.6/nvme-apple-drop-invalid-put-of-admin-queue-reference-count.patch b/queue-6.6/nvme-apple-drop-invalid-put-of-admin-queue-reference-count.patch new file mode 100644 index 0000000000..5f96e2de0b --- /dev/null +++ b/queue-6.6/nvme-apple-drop-invalid-put-of-admin-queue-reference-count.patch @@ -0,0 +1,63 @@ +From ba9d308ccd6732dd97ed8080d834a4a89e758e14 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Wed, 8 Apr 2026 17:18:14 +0300 +Subject: nvme-apple: drop invalid put of admin queue reference count + +From: Fedor Pchelkin + +commit ba9d308ccd6732dd97ed8080d834a4a89e758e14 upstream. + +Commit 03b3bcd319b3 ("nvme: fix admin request_queue lifetime") moved the +admin queue reference ->put call into nvme_free_ctrl() - a controller +device release callback performed for every nvme driver doing +nvme_init_ctrl(). + +nvme-apple sets refcount of the admin queue to 1 at allocation during the +probe function and then puts it twice now: + +nvme_free_ctrl() + blk_put_queue(ctrl->admin_q) // #1 + ->free_ctrl() + apple_nvme_free_ctrl() + blk_put_queue(anv->ctrl.admin_q) // #2 + +Note that there is a commit 941f7298c70c ("nvme-apple: remove an extra +queue reference") which intended to drop taking an extra admin queue +reference. Looks like at that moment it accidentally fixed a refcount +leak, which existed since the driver's introduction. There were two ->get +calls at driver's probe function and a single ->put inside +apple_nvme_free_ctrl(). + +However now after commit 03b3bcd319b3 ("nvme: fix admin request_queue +lifetime") the refcount is imbalanced again. Fix it by removing extra +->put call from apple_nvme_free_ctrl(). anv->dev and ctrl->dev point to +the same device, so use ctrl->dev directly for simplification. Compile +tested only. + +Found by Linux Verification Center (linuxtesting.org). + +Fixes: 03b3bcd319b3 ("nvme: fix admin request_queue lifetime") +Cc: stable@vger.kernel.org +Reviewed-by: Christoph Hellwig +Signed-off-by: Fedor Pchelkin +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/apple.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/nvme/host/apple.c ++++ b/drivers/nvme/host/apple.c +@@ -1208,11 +1208,7 @@ static int apple_nvme_get_address(struct + + static void apple_nvme_free_ctrl(struct nvme_ctrl *ctrl) + { +- struct apple_nvme *anv = ctrl_to_apple_nvme(ctrl); +- +- if (anv->ctrl.admin_q) +- blk_put_queue(anv->ctrl.admin_q); +- put_device(anv->dev); ++ put_device(ctrl->dev); + } + + static const struct nvme_ctrl_ops nvme_ctrl_ops = { diff --git a/queue-6.6/nvmet-avoid-recursive-nvmet-wq-flush-in-nvmet_ctrl_free.patch b/queue-6.6/nvmet-avoid-recursive-nvmet-wq-flush-in-nvmet_ctrl_free.patch new file mode 100644 index 0000000000..155dad9996 --- /dev/null +++ b/queue-6.6/nvmet-avoid-recursive-nvmet-wq-flush-in-nvmet_ctrl_free.patch @@ -0,0 +1,137 @@ +From aade8abd8b868b6ffa9697aadaea28ec7f65bee6 Mon Sep 17 00:00:00 2001 +From: Chaitanya Kulkarni +Date: Wed, 8 Apr 2026 17:56:47 -0700 +Subject: nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free + +From: Chaitanya Kulkarni + +commit aade8abd8b868b6ffa9697aadaea28ec7f65bee6 upstream. + +nvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the +final controller reference through nvmet_cq_put(). If that triggers +nvmet_ctrl_free(), the teardown path flushes ctrl->async_event_work on +the same nvmet-wq. + +Call chain: + + nvmet_tcp_schedule_release_queue() + kref_put(&queue->kref, nvmet_tcp_release_queue) + nvmet_tcp_release_queue() + queue_work(nvmet_wq, &queue->release_work) <--- nvmet_wq + process_one_work() + nvmet_tcp_release_queue_work() + nvmet_cq_put(&queue->nvme_cq) + nvmet_cq_destroy() + nvmet_ctrl_put(cq->ctrl) + nvmet_ctrl_free() + flush_work(&ctrl->async_event_work) <--- nvmet_wq + + Previously Scheduled by :- + nvmet_add_async_event + queue_work(nvmet_wq, &ctrl->async_event_work); + +This trips lockdep with a possible recursive locking warning. + +[ 5223.015876] run blktests nvme/003 at 2026-04-07 20:53:55 +[ 5223.061801] loop0: detected capacity change from 0 to 2097152 +[ 5223.072206] nvmet: adding nsid 1 to subsystem blktests-subsystem-1 +[ 5223.088368] nvmet_tcp: enabling port 0 (127.0.0.1:4420) +[ 5223.126086] nvmet: Created discovery controller 1 for subsystem nqn.2014-08.org.nvmexpress.discovery for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349. +[ 5223.128453] nvme nvme1: new ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349 +[ 5233.199447] nvme nvme1: Removing ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery" + +[ 5233.227718] ============================================ +[ 5233.231283] WARNING: possible recursive locking detected +[ 5233.234696] 7.0.0-rc3nvme+ #20 Tainted: G O N +[ 5233.238434] -------------------------------------------- +[ 5233.241852] kworker/u192:6/2413 is trying to acquire lock: +[ 5233.245429] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90 +[ 5233.251438] + but task is already holding lock: +[ 5233.255254] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0 +[ 5233.261125] + other info that might help us debug this: +[ 5233.265333] Possible unsafe locking scenario: + +[ 5233.269217] CPU0 +[ 5233.270795] ---- +[ 5233.272436] lock((wq_completion)nvmet-wq); +[ 5233.275241] lock((wq_completion)nvmet-wq); +[ 5233.278020] + *** DEADLOCK *** + +[ 5233.281793] May be due to missing lock nesting notation + +[ 5233.286195] 3 locks held by kworker/u192:6/2413: +[ 5233.289192] #0: ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0 +[ 5233.294569] #1: ffffc9000e2a7e40 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x6e0 +[ 5233.300128] #2: ffffffff82d7dc40 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530 +[ 5233.304290] + stack backtrace: +[ 5233.306520] CPU: 4 UID: 0 PID: 2413 Comm: kworker/u192:6 Tainted: G O N 7.0.0-rc3nvme+ #20 PREEMPT(full) +[ 5233.306524] Tainted: [O]=OOT_MODULE, [N]=TEST +[ 5233.306525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 +[ 5233.306527] Workqueue: nvmet-wq nvmet_tcp_release_queue_work [nvmet_tcp] +[ 5233.306532] Call Trace: +[ 5233.306534] +[ 5233.306536] dump_stack_lvl+0x73/0xb0 +[ 5233.306552] print_deadlock_bug+0x225/0x2f0 +[ 5233.306556] __lock_acquire+0x13f0/0x2290 +[ 5233.306563] lock_acquire+0xd0/0x300 +[ 5233.306565] ? touch_wq_lockdep_map+0x26/0x90 +[ 5233.306571] ? __flush_work+0x20b/0x530 +[ 5233.306573] ? touch_wq_lockdep_map+0x26/0x90 +[ 5233.306577] touch_wq_lockdep_map+0x3b/0x90 +[ 5233.306580] ? touch_wq_lockdep_map+0x26/0x90 +[ 5233.306583] ? __flush_work+0x20b/0x530 +[ 5233.306585] __flush_work+0x268/0x530 +[ 5233.306588] ? __pfx_wq_barrier_func+0x10/0x10 +[ 5233.306594] ? xen_error_entry+0x30/0x60 +[ 5233.306600] nvmet_ctrl_free+0x140/0x310 [nvmet] +[ 5233.306617] nvmet_cq_put+0x74/0x90 [nvmet] +[ 5233.306629] nvmet_tcp_release_queue_work+0x19f/0x360 [nvmet_tcp] +[ 5233.306634] process_one_work+0x206/0x6e0 +[ 5233.306640] worker_thread+0x184/0x320 +[ 5233.306643] ? __pfx_worker_thread+0x10/0x10 +[ 5233.306646] kthread+0xf1/0x130 +[ 5233.306648] ? __pfx_kthread+0x10/0x10 +[ 5233.306651] ret_from_fork+0x355/0x450 +[ 5233.306653] ? __pfx_kthread+0x10/0x10 +[ 5233.306656] ret_from_fork_asm+0x1a/0x30 +[ 5233.306664] + +There is also no need to flush async_event_work from controller +teardown. The admin queue teardown already fails outstanding AER +requests before the final controller put :- + + nvmet_sq_destroy(admin sq) + nvmet_async_events_failall(ctrl) + +The controller has already been removed from the subsystem list before +nvmet_ctrl_free() quiesces outstanding work. + +Replace flush_work() with cancel_work_sync() so a pending +async_event_work item is canceled and a running instance is waited on +without recursing into the same workqueue. + +Fixes: 06406d81a2d7 ("nvmet: cancel fatal error and flush async work before free controller") +Cc: stable@vger.kernel.org +Reviewed-by: Christoph Hellwig +Signed-off-by: Chaitanya Kulkarni +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -1497,7 +1497,7 @@ static void nvmet_ctrl_free(struct kref + + nvmet_stop_keep_alive_timer(ctrl); + +- flush_work(&ctrl->async_event_work); ++ cancel_work_sync(&ctrl->async_event_work); + cancel_work_sync(&ctrl->fatal_err_work); + + nvmet_destroy_auth(ctrl); diff --git a/queue-6.6/openvswitch-vport-fix-self-deadlock-on-release-of-tunnel-ports.patch b/queue-6.6/openvswitch-vport-fix-self-deadlock-on-release-of-tunnel-ports.patch new file mode 100644 index 0000000000..e0a7a55352 --- /dev/null +++ b/queue-6.6/openvswitch-vport-fix-self-deadlock-on-release-of-tunnel-ports.patch @@ -0,0 +1,58 @@ +From aa69918bd418e700309fdd08509dba324fb24296 Mon Sep 17 00:00:00 2001 +From: Ilya Maximets +Date: Fri, 1 May 2026 01:38:37 +0200 +Subject: openvswitch: vport: fix self-deadlock on release of tunnel ports + +From: Ilya Maximets + +commit aa69918bd418e700309fdd08509dba324fb24296 upstream. + +vports are used concurrently and protected by RCU, so netdev_put() +must happen after the RCU grace period. So, either in an RCU call or +after the synchronize_net(). The rtnl_delete_link() must happen under +RTNL and so can't be executed in RCU context. Calling synchronize_net() +while holding RTNL is not a good idea for performance and system +stability under load in general, so calling netdev_put() in RCU call +is the right solution here. + +However, +when the device is deleted, rtnl_unlock() will call netdev_run_todo() +and block until all the references are gone. In the current code this +means that we never reach the call_rcu() and the vport is never freed +and the reference is never released, causing a self-deadlock on device +removal. + +Fix that by moving the rcu_call() before the rtnl_unlock(), so the +scheduled RCU callback will be executed when synchronize_net() is +called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself +is already released. + +Fixes: 6931d21f87bc ("openvswitch: defer tunnel netdev_put to RCU release") +Cc: stable@vger.kernel.org +Acked-by: Eelco Chaudron +Signed-off-by: Ilya Maximets +Acked-by: Aaron Conole +Link: https://patch.msgid.link/20260430233848.440994-2-i.maximets@ovn.org +Signed-off-by: Paolo Abeni +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/vport-netdev.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/openvswitch/vport-netdev.c ++++ b/net/openvswitch/vport-netdev.c +@@ -189,9 +189,13 @@ void ovs_netdev_tunnel_destroy(struct vp + */ + if (vport->dev->reg_state == NETREG_REGISTERED) + rtnl_delete_link(vport->dev, 0, NULL); +- rtnl_unlock(); + ++ /* We can't put the device reference yet, since it can still be in ++ * use, but rtnl_unlock()->netdev_run_todo() will block until all ++ * the references are released, so the RCU call must be before it. ++ */ + call_rcu(&vport->rcu, vport_netdev_free); ++ rtnl_unlock(); + } + EXPORT_SYMBOL_GPL(ovs_netdev_tunnel_destroy); + diff --git a/queue-6.6/rdma-hns-fix-unlocked-call-to-hns_roce_qp_remove.patch b/queue-6.6/rdma-hns-fix-unlocked-call-to-hns_roce_qp_remove.patch new file mode 100644 index 0000000000..9563b38289 --- /dev/null +++ b/queue-6.6/rdma-hns-fix-unlocked-call-to-hns_roce_qp_remove.patch @@ -0,0 +1,50 @@ +From 0c99acbc8b6c6dd526ae475a48ee1897b61072fb Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Tue, 28 Apr 2026 13:17:48 -0300 +Subject: RDMA/hns: Fix unlocked call to hns_roce_qp_remove() + +From: Jason Gunthorpe + +commit 0c99acbc8b6c6dd526ae475a48ee1897b61072fb upstream. + +Sashiko points out that hns_roce_qp_remove() requires the caller to hold +locks. The error flow in hns_roce_create_qp_common() doesn't hold those +locks for the error unwind so it risks corrupting memory. + +Grab the same locks the other two callers use. + +Cc: stable@vger.kernel.org +Fixes: e088a685eae9 ("RDMA/hns: Support rq record doorbell for the user space") +Link: https://sashiko.dev/#/patchset/0-v2-1c49eeb88c48%2B91-rdma_udata_rep_jgg%40nvidia.com?part=9 +Link: https://patch.msgid.link/r/15-v1-41f3135e5565+9d2-rdma_ai_fixes1_jgg@nvidia.com +Reviewed-by: Junxian Huang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hns/hns_roce_qp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/infiniband/hw/hns/hns_roce_qp.c ++++ b/drivers/infiniband/hw/hns/hns_roce_qp.c +@@ -1082,6 +1082,7 @@ static int hns_roce_create_qp_common(str + struct hns_roce_ib_create_qp_resp resp = {}; + struct ib_device *ibdev = &hr_dev->ib_dev; + struct hns_roce_ib_create_qp ucmd = {}; ++ unsigned long flags; + int ret; + + mutex_init(&hr_qp->mutex); +@@ -1165,7 +1166,13 @@ static int hns_roce_create_qp_common(str + return 0; + + err_flow_ctrl: ++ spin_lock_irqsave(&hr_dev->qp_list_lock, flags); ++ hns_roce_lock_cqs(init_attr->send_cq ? to_hr_cq(init_attr->send_cq) : NULL, ++ init_attr->recv_cq ? to_hr_cq(init_attr->recv_cq) : NULL); + hns_roce_qp_remove(hr_dev, hr_qp); ++ hns_roce_unlock_cqs(init_attr->send_cq ? to_hr_cq(init_attr->send_cq) : NULL, ++ init_attr->recv_cq ? to_hr_cq(init_attr->recv_cq) : NULL); ++ spin_unlock_irqrestore(&hr_dev->qp_list_lock, flags); + err_store: + free_qpc(hr_dev, hr_qp); + err_qpc: diff --git a/queue-6.6/riscv-kvm-fix-vector-context-allocation-leak.patch b/queue-6.6/riscv-kvm-fix-vector-context-allocation-leak.patch new file mode 100644 index 0000000000..085f5f5e38 --- /dev/null +++ b/queue-6.6/riscv-kvm-fix-vector-context-allocation-leak.patch @@ -0,0 +1,39 @@ +From b7c958d7c1eb1cb9b2be7b5ee4129fcd66cec978 Mon Sep 17 00:00:00 2001 +From: Osama Abdelkader +Date: Mon, 16 Mar 2026 16:16:11 +0100 +Subject: riscv: kvm: fix vector context allocation leak + +From: Osama Abdelkader + +commit b7c958d7c1eb1cb9b2be7b5ee4129fcd66cec978 upstream. + +When the second kzalloc (host_context.vector.datap) fails in +kvm_riscv_vcpu_alloc_vector_context, the first allocation +(guest_context.vector.datap) is leaked. Free it before returning. + +Fixes: 0f4b82579716 ("riscv: KVM: Add vector lazy save/restore support") +Cc: stable@vger.kernel.org +Signed-off-by: Osama Abdelkader +Reviewed-by: Andy Chiu +Link: https://lore.kernel.org/r/20260316151612.13305-1-osama.abdelkader@gmail.com +Signed-off-by: Anup Patel +Signed-off-by: Greg Kroah-Hartman +--- + arch/riscv/kvm/vcpu_vector.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/riscv/kvm/vcpu_vector.c ++++ b/arch/riscv/kvm/vcpu_vector.c +@@ -78,8 +78,11 @@ int kvm_riscv_vcpu_alloc_vector_context( + return -ENOMEM; + + vcpu->arch.host_context.vector.datap = kzalloc(riscv_v_vsize, GFP_KERNEL); +- if (!vcpu->arch.host_context.vector.datap) ++ if (!vcpu->arch.host_context.vector.datap) { ++ kfree(vcpu->arch.guest_context.vector.datap); ++ vcpu->arch.guest_context.vector.datap = NULL; + return -ENOMEM; ++ } + + return 0; + } diff --git a/queue-6.6/s390-debug-reject-zero-length-input-in-debug_input_flush_fn.patch b/queue-6.6/s390-debug-reject-zero-length-input-in-debug_input_flush_fn.patch new file mode 100644 index 0000000000..e85fddf10c --- /dev/null +++ b/queue-6.6/s390-debug-reject-zero-length-input-in-debug_input_flush_fn.patch @@ -0,0 +1,40 @@ +From e14622a7584f9608927c59a7d6ae4a0999dc545e Mon Sep 17 00:00:00 2001 +From: Vasily Gorbik +Date: Fri, 17 Apr 2026 14:33:43 +0200 +Subject: s390/debug: Reject zero-length input in debug_input_flush_fn() + +From: Vasily Gorbik + +commit e14622a7584f9608927c59a7d6ae4a0999dc545e upstream. + +debug_input_flush_fn() always copies one byte from the userspace buffer +with copy_from_user() regardless of the supplied write length. A +zero-length write therefore reads one byte beyond the caller's buffer. +If the stale byte happens to be '-' or a digit the debug log is +silently flushed. With an unmapped buffer the call returns -EFAULT. + +Reject zero-length writes before copying from userspace. + +Cc: stable@vger.kernel.org # v5.10+ +Acked-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Alexander Gordeev +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/debug.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/s390/kernel/debug.c ++++ b/arch/s390/kernel/debug.c +@@ -1434,6 +1434,11 @@ static int debug_input_flush_fn(debug_in + char input_buf[1]; + int rc = user_len; + ++ if (!user_len) { ++ rc = -EINVAL; ++ goto out; ++ } ++ + if (user_len > 0x10000) + user_len = 0x10000; + if (*offset != 0) { diff --git a/queue-6.6/series b/queue-6.6/series index 085b43739e..04d89580ef 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -241,3 +241,34 @@ spi-topcliff-pch-fix-use-after-free-on-unbind.patch clk-imx-imx8-acm-fix-flags-for-acm-clocks.patch clk-microchip-mpfs-ccc-fix-out-of-bounds-access-during-output-registration.patch cpuidle-powerpc-avoid-double-clear-when-breaking-snooze.patch +asoc-amd-yc-add-hp-omen-gaming-laptop-16-ap0xxx-product-line-in-quirk-table.patch +asoc-fsl_easrc-fix-comment-typo.patch +asoc-intel-bytcr_wm5102-fix-mclk-leak-on-platform_clock_control-error.patch +asoc-qcom-q6apm-dai-reset-queue-ptr-on-trigger-stop.patch +asoc-qcom-q6apm-lpass-dai-fix-multiple-graph-opens.patch +asoc-qcom-q6apm-remove-child-devices-when-apm-is-removed.patch +btrfs-fix-double-free-in-create_space_info-error-path.patch +dm-thin-fix-metadata-refcount-underflow.patch +dm-don-t-report-warning-when-doing-deferred-remove.patch +dm-fix-a-buffer-overflow-in-ioctl-processing.patch +eventfs-hold-eventfs_mutex-and-srcu-when-remount-walks-events.patch +dm-verity-fec-correctly-reject-too-small-fec-devices.patch +dm-verity-fec-correctly-reject-too-small-hash-devices.patch +isofs-validate-rock-ridge-ce-continuation-extent-against-volume-size.patch +isofs-validate-block-number-from-nfs-file-handle-in-isofs_export_iget.patch +lib-crypto-mpi-fix-integer-underflow-in-mpi_read_raw_from_sgl.patch +lib-scatterlist-fix-length-calculations-in-extract_kvec_to_sg.patch +lib-scatterlist-fix-temp-buffer-in-extract_user_to_sg.patch +libceph-fix-slab-out-of-bounds-access-in-auth-message-processing.patch +md-raid10-fix-divide-by-zero-in-setup_geo-with-zero-far_copies.patch +nvme-apple-drop-invalid-put-of-admin-queue-reference-count.patch +nvmet-avoid-recursive-nvmet-wq-flush-in-nvmet_ctrl_free.patch +openvswitch-vport-fix-self-deadlock-on-release-of-tunnel-ports.patch +rdma-hns-fix-unlocked-call-to-hns_roce_qp_remove.patch +riscv-kvm-fix-vector-context-allocation-leak.patch +s390-debug-reject-zero-length-input-in-debug_input_flush_fn.patch +smb-client-fix-out-of-bounds-read-in-smb2_compound_op.patch +smb-client-fix-out-of-bounds-read-in-symlink_data.patch +smb-client-validate-dacloffset-before-building-dacl-pointers.patch +kvm-x86-check-for-nept-nnpt-in-slow-flush-hypercalls.patch +mm-damon-sysfs-schemes-protect-memcg_path-kfree-with-damon_sysfs_lock.patch diff --git a/queue-6.6/smb-client-fix-out-of-bounds-read-in-smb2_compound_op.patch b/queue-6.6/smb-client-fix-out-of-bounds-read-in-smb2_compound_op.patch new file mode 100644 index 0000000000..5a5c7e7625 --- /dev/null +++ b/queue-6.6/smb-client-fix-out-of-bounds-read-in-smb2_compound_op.patch @@ -0,0 +1,65 @@ +From 8d09328dfda089675e4c049f3f256064a1d1996b Mon Sep 17 00:00:00 2001 +From: Zisen Ye +Date: Wed, 6 May 2026 11:49:08 +0800 +Subject: smb/client: fix out-of-bounds read in smb2_compound_op() + +From: Zisen Ye + +commit 8d09328dfda089675e4c049f3f256064a1d1996b upstream. + +If a server sends a truncated response but a large OutputBufferLength, and +terminates the EA list early, check_wsl_eas() returns success without +validating that the entire OutputBufferLength fits within iov_len. + +Then smb2_compound_op() does: + memcpy(idata->wsl.eas, data[0], size[0]); + +Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], +memcpy can read beyond the end of the rsp_iov allocation and leak adjacent +kernel heap memory. + +Link: https://lore.kernel.org/linux-cifs/d998240c-aca9-420d-9dbd-f5ba24af19e0@chenxiaosong.com/ +Fixes: ea41367b2a60 ("smb: client: introduce SMB2_OP_QUERY_WSL_EA") +Cc: stable@vger.kernel.org +Signed-off-by: Zisen Ye +Reviewed-by: ChenXiaoSong +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2inode.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/fs/smb/client/smb2inode.c ++++ b/fs/smb/client/smb2inode.c +@@ -108,7 +108,7 @@ static int check_wsl_eas(struct kvec *rs + u32 outlen, next; + u16 vlen; + u8 nlen; +- u8 *end; ++ u8 *ea_end, *iov_end; + + outlen = le32_to_cpu(rsp->OutputBufferLength); + if (outlen < SMB2_WSL_MIN_QUERY_EA_RESP_SIZE || +@@ -117,15 +117,19 @@ static int check_wsl_eas(struct kvec *rs + + ea = (void *)((u8 *)rsp_iov->iov_base + + le16_to_cpu(rsp->OutputBufferOffset)); +- end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len; ++ ea_end = (u8 *)ea + outlen; ++ iov_end = (u8 *)rsp_iov->iov_base + rsp_iov->iov_len; ++ if (ea_end > iov_end) ++ return -EINVAL; ++ + for (;;) { +- if ((u8 *)ea > end - sizeof(*ea)) ++ if ((u8 *)ea > ea_end - sizeof(*ea)) + return -EINVAL; + + nlen = ea->ea_name_length; + vlen = le16_to_cpu(ea->ea_value_length); + if (nlen != SMB2_WSL_XATTR_NAME_LEN || +- (u8 *)ea->ea_data + nlen + 1 + vlen > end) ++ (u8 *)ea->ea_data + nlen + 1 + vlen > ea_end) + return -EINVAL; + + switch (vlen) { diff --git a/queue-6.6/smb-client-fix-out-of-bounds-read-in-symlink_data.patch b/queue-6.6/smb-client-fix-out-of-bounds-read-in-symlink_data.patch new file mode 100644 index 0000000000..7f160996cf --- /dev/null +++ b/queue-6.6/smb-client-fix-out-of-bounds-read-in-symlink_data.patch @@ -0,0 +1,39 @@ +From d62b8d236fab503c6fec1d3e9a38bea71feaca20 Mon Sep 17 00:00:00 2001 +From: Zisen Ye +Date: Sat, 2 May 2026 18:48:36 +0800 +Subject: smb/client: fix out-of-bounds read in symlink_data() + +From: Zisen Ye + +commit d62b8d236fab503c6fec1d3e9a38bea71feaca20 upstream. + +Since smb2_check_message() returns success without length validation for +the symlink error response, in symlink_data() it is possible for +iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer +only contains the base SMB2 header (64 bytes), accessing +err->ErrorContextCount (at offset 66) or err->ByteCount later in +symlink_data() will cause an out-of-bounds read. + +Link: https://lore.kernel.org/linux-cifs/297d8d9b-adf7-42fd-a1c2-5b1f230032bc@chenxiaosong.com/ +Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+") +Cc: Stable@vger.kernel.org +Signed-off-by: Zisen Ye +Reviewed-by: ChenXiaoSong +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2misc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/smb/client/smb2misc.c ++++ b/fs/smb/client/smb2misc.c +@@ -239,7 +239,8 @@ smb2_check_message(char *buf, unsigned i + if (len != calc_len) { + /* create failed on symlink */ + if (command == SMB2_CREATE_HE && +- shdr->Status == STATUS_STOPPED_ON_SYMLINK) ++ shdr->Status == STATUS_STOPPED_ON_SYMLINK && ++ len > calc_len) + return 0; + /* Windows 7 server returns 24 bytes more */ + if (calc_len + 24 == len && command == SMB2_OPLOCK_BREAK_HE) diff --git a/queue-6.6/smb-client-validate-dacloffset-before-building-dacl-pointers.patch b/queue-6.6/smb-client-validate-dacloffset-before-building-dacl-pointers.patch new file mode 100644 index 0000000000..8f15da4916 --- /dev/null +++ b/queue-6.6/smb-client-validate-dacloffset-before-building-dacl-pointers.patch @@ -0,0 +1,115 @@ +From f98b48151cc502ada59d9778f0112d21f2586ca3 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Mon, 20 Apr 2026 10:47:47 -0400 +Subject: smb: client: validate dacloffset before building DACL pointers + +From: Michael Bommarito + +commit f98b48151cc502ada59d9778f0112d21f2586ca3 upstream. + +parse_sec_desc(), build_sec_desc(), and the chown path in +id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd +before proving a DACL header fits inside the returned security +descriptor. + +On 32-bit builds a malicious server can return dacloffset near +U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip +past the later pointer-based bounds checks. build_sec_desc() and +id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped +pointer in the chmod/chown rewrite paths. + +Validate dacloffset numerically before building any DACL pointer and +reuse the same helper at the three DACL entry points. + +Fixes: bc3e9dd9d104 ("cifs: Change SIDs in ACEs while transferring file ownership.") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4-6 +Signed-off-by: Michael Bommarito +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cifsacl.c | 35 ++++++++++++++++++++++++++++++++--- + 1 file changed, 32 insertions(+), 3 deletions(-) + +--- a/fs/smb/client/cifsacl.c ++++ b/fs/smb/client/cifsacl.c +@@ -1216,6 +1216,17 @@ static int parse_sid(struct smb_sid *psi + return 0; + } + ++static bool dacl_offset_valid(unsigned int acl_len, __u32 dacloffset) ++{ ++ if (acl_len < sizeof(struct smb_acl)) ++ return false; ++ ++ if (dacloffset < sizeof(struct smb_ntsd)) ++ return false; ++ ++ return dacloffset <= acl_len - sizeof(struct smb_acl); ++} ++ + + /* Convert CIFS ACL to POSIX form */ + static int parse_sec_desc(struct cifs_sb_info *cifs_sb, +@@ -1236,7 +1247,6 @@ static int parse_sec_desc(struct cifs_sb + group_sid_ptr = (struct smb_sid *)((char *)pntsd + + le32_to_cpu(pntsd->gsidoffset)); + dacloffset = le32_to_cpu(pntsd->dacloffset); +- dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset); + cifs_dbg(NOISY, "revision %d type 0x%x ooffset 0x%x goffset 0x%x sacloffset 0x%x dacloffset 0x%x\n", + pntsd->revision, pntsd->type, le32_to_cpu(pntsd->osidoffset), + le32_to_cpu(pntsd->gsidoffset), +@@ -1267,11 +1277,18 @@ static int parse_sec_desc(struct cifs_sb + return rc; + } + +- if (dacloffset) ++ if (dacloffset) { ++ if (!dacl_offset_valid(acl_len, dacloffset)) { ++ cifs_dbg(VFS, "Server returned illegal DACL offset\n"); ++ return -EINVAL; ++ } ++ ++ dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset); + parse_dacl(dacl_ptr, end_of_acl, owner_sid_ptr, + group_sid_ptr, fattr, get_mode_from_special_sid); +- else ++ } else { + cifs_dbg(FYI, "no ACL\n"); /* BB grant all or default perms? */ ++ } + + return rc; + } +@@ -1294,6 +1311,11 @@ static int build_sec_desc(struct smb_nts + + dacloffset = le32_to_cpu(pntsd->dacloffset); + if (dacloffset) { ++ if (!dacl_offset_valid(secdesclen, dacloffset)) { ++ cifs_dbg(VFS, "Server returned illegal DACL offset\n"); ++ return -EINVAL; ++ } ++ + dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset); + if (end_of_acl < (char *)dacl_ptr + le16_to_cpu(dacl_ptr->size)) { + cifs_dbg(VFS, "Server returned illegal ACL size\n"); +@@ -1668,6 +1690,12 @@ id_mode_to_cifs_acl(struct inode *inode, + nsecdesclen = sizeof(struct smb_ntsd) + (sizeof(struct smb_sid) * 2); + dacloffset = le32_to_cpu(pntsd->dacloffset); + if (dacloffset) { ++ if (!dacl_offset_valid(secdesclen, dacloffset)) { ++ cifs_dbg(VFS, "Server returned illegal DACL offset\n"); ++ rc = -EINVAL; ++ goto id_mode_to_cifs_acl_exit; ++ } ++ + dacl_ptr = (struct smb_acl *)((char *)pntsd + dacloffset); + if (mode_from_sid) + nsecdesclen += +@@ -1704,6 +1732,7 @@ id_mode_to_cifs_acl(struct inode *inode, + rc = ops->set_acl(pnntsd, nsecdesclen, inode, path, aclflag); + cifs_dbg(NOISY, "set_cifs_acl rc: %d\n", rc); + } ++id_mode_to_cifs_acl_exit: + cifs_put_tlink(tlink); + + kfree(pnntsd);