From: Sasha Levin
Date: Wed, 15 Apr 2026 12:40:27 +0000 (-0400)
Subject: drop 2 patches from queue-5.15 and queue-5.10 based on RC review feedback
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d82c687462d31dab99467e832919e269ff45e54d;p=thirdparty%2Fkernel%2Fstable-queue.git

drop 2 patches from queue-5.15 and queue-5.10 based on RC review feedback

Dropped patches:

- "bus: fsl-mc: fix use-after-free in driver_override_show()"
  Queues: 5.10
  Reason: missing prerequisite commit 5688f212e98a ("fsl-mc: Use driver_set_override() instead of open-coding") — without it driver_override_store() lacks device_lock(), the race remains and may trigger a double free
  Report: https://lore.kernel.org/stable/CALbr=LaxfRiP8totK7_K_ErH8EbYcBxTTZ5dYaXZeo2UCVNSMQ@mail.gmail.com/

- "bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions" [dependency]
  Queues: 5.10
  Reason: Stable-dep-of 148891e95014 which was dropped above

- "netfilter: nf_conntrack_expect: skip expectations in other netns via proc"
  Queues: 5.15, 5.10
  Reason: missing prerequisite commit 02a3231b6d82 ("netfilter: nf_conntrack_expect: store netns and zone in expectation") — without it nf_ct_exp_net() derives netns from exp->master which may be a dying conntrack under RCU
  Report: https://lore.kernel.org/stable/18260c94-4eca-434d-8a54-e556bc2057c9@oracle.com/
  Report: https://lore.kernel.org/stable/ad90kM0wXIrO6aqu@chamomile/
---
diff --git a/queue-5.10/bus-fsl-mc-fix-use-after-free-in-driver_override_sho.patch b/queue-5.10/bus-fsl-mc-fix-use-after-free-in-driver_override_sho.patch deleted file mode 100644 index 11c59088af..0000000000 --- a/queue-5.10/bus-fsl-mc-fix-use-after-free-in-driver_override_sho.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 09d8eb1f3a01b0d27891a7964da1126b4cba842e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 3 Dec 2025 01:44:38 +0800 -Subject: bus: fsl-mc: fix use-after-free in driver_override_show() - -From: Gui-Dong Han - -[ Upstream commit 148891e95014b5dc5878acefa57f1940c281c431 ] - -The driver_override_show() function reads the driver_override string -without holding the device_lock. However, driver_override_store() uses -driver_set_override(), which modifies and frees the string while holding -the device_lock. - -This can result in a concurrent use-after-free if the string is freed -by the store function while being read by the show function. - -Fix this by holding the device_lock around the read operation. - -Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus") -Cc: stable@vger.kernel.org -Signed-off-by: Gui-Dong Han -Reviewed-by: Ioana Ciornei -Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com -Signed-off-by: Christophe Leroy (CS GROUP) -Signed-off-by: Sasha Levin ---- - drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c -index 8f7448da9258d..49eaf5bddd5ad 100644 ---- a/drivers/bus/fsl-mc/fsl-mc-bus.c -+++ b/drivers/bus/fsl-mc/fsl-mc-bus.c -@@ -194,8 +194,12 @@ static ssize_t driver_override_show(struct device *dev, - struct device_attribute *attr, char *buf) - { - struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev); -+ ssize_t len; - -- return sysfs_emit(buf, "%s\n", mc_dev->driver_override); -+ device_lock(dev); -+ len = sysfs_emit(buf, "%s\n", mc_dev->driver_override); -+ device_unlock(dev); -+ return len; - } - static DEVICE_ATTR_RW(driver_override); - --- -2.51.0 - 
diff --git a/queue-5.10/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_e.patch b/queue-5.10/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_e.patch deleted file mode 100644 index 471b5b4e89..0000000000 --- a/queue-5.10/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_e.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 86bec1d7af7118ee1d70fad681aa2d3a799dd84c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 22 Aug 2025 05:43:39 -0700 -Subject: bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs - show functions - -From: Chelsy Ratnawat - -[ Upstream commit a50522c805a6c575c80f41b04706e084d814e116 ] - -Use sysfs_emit() instead of snprintf()/sprintf() when writing -to sysfs buffers, as recommended by the kernel documentation. - -Signed-off-by: Chelsy Ratnawat -Acked-by: Ioana Ciornei -Link: https://lore.kernel.org/r/20250822124339.1739290-1-chelsyratnawat2001@gmail.com -Signed-off-by: Christophe Leroy -Stable-dep-of: 148891e95014 ("bus: fsl-mc: fix use-after-free in driver_override_show()") -Signed-off-by: Sasha Levin ---- - drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c -index 4471cd1606424..8f7448da9258d 100644 ---- a/drivers/bus/fsl-mc/fsl-mc-bus.c -+++ b/drivers/bus/fsl-mc/fsl-mc-bus.c -@@ -151,8 +151,8 @@ static ssize_t modalias_show(struct device *dev, struct device_attribute *attr, - { - struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev); - -- return sprintf(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor, -- mc_dev->obj_desc.type); -+ return sysfs_emit(buf, "fsl-mc:v%08Xd%s\n", mc_dev->obj_desc.vendor, -+ mc_dev->obj_desc.type); - } - static DEVICE_ATTR_RO(modalias); - -@@ -195,7 +195,7 @@ static ssize_t driver_override_show(struct device *dev, - { - struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev); - -- return snprintf(buf, PAGE_SIZE, "%s\n", mc_dev->driver_override); -+ return sysfs_emit(buf, "%s\n", mc_dev->driver_override); - } - static DEVICE_ATTR_RW(driver_override); - --- -2.51.0 - diff --git a/queue-5.10/netfilter-nf_conntrack_expect-skip-expectations-in-o.patch b/queue-5.10/netfilter-nf_conntrack_expect-skip-expectations-in-o.patch deleted file mode 100644 index eebf02fc52..0000000000 
--- a/queue-5.10/netfilter-nf_conntrack_expect-skip-expectations-in-o.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 4b99857c12a81b147701463652f9186b56917778 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 25 Mar 2026 14:11:06 +0100 -Subject: netfilter: nf_conntrack_expect: skip expectations in other netns via - proc - -From: Pablo Neira Ayuso - -[ Upstream commit 3db5647984de03d9cae0dcddb509b058351f0ee4 ] - -Skip expectations that do not reside in this netns. - -Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns's -conntrack entries via proc"). - -Fixes: 9b03f38d0487 ("netfilter: netns nf_conntrack: per-netns expectations") -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_conntrack_expect.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c -index 516a9f05a87a7..e53e225d9489f 100644 ---- a/net/netfilter/nf_conntrack_expect.c -+++ b/net/netfilter/nf_conntrack_expect.c -@@ -607,11 +607,15 @@ static int exp_seq_show(struct seq_file *s, void *v) - { - struct nf_conntrack_expect *expect; - struct nf_conntrack_helper *helper; -+ struct net *net = seq_file_net(s); - struct hlist_node *n = v; - char *delim = ""; - - expect = hlist_entry(n, struct nf_conntrack_expect, hnode); - -+ if (!net_eq(nf_ct_exp_net(expect), net)) -+ return 0; -+ - if (expect->timeout.function) - seq_printf(s, "%ld ", timer_pending(&expect->timeout) - ? (long)(expect->timeout.expires - jiffies)/HZ : 0); --- -2.51.0 - diff --git a/queue-5.10/series b/queue-5.10/series index 435427e015..b5d28df026 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -6,8 +6,6 @@ alsa-usb-audio-cap-the-packet-size-pre-calculations.patch btrfs-fix-incorrect-key-offset-in-error-message-in-c.patch arm-omap2-add-missing-of_node_put-before-break-and-r.patch arm-omap2-fix-reference-count-leaks-in-omap_control_.patch -bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_e.patch -bus-fsl-mc-fix-use-after-free-in-driver_override_sho.patch drm-tegra-dsi-fix-device-leak-on-probe.patch clk-tegra-tegra124-emc-fix-device-leak-on-set_rate.patch alsa-hda-conexant-add-quirk-for-hp-zbook-studio-g4.patch @@ -263,7 +261,6 @@ bluetooth-l2cap-fix-ertm-re-init-and-zero-pdu_len-in.patch bluetooth-btusb-clamp-sco-altsetting-table-indices.patch netfilter-nfnetlink_log-fix-uninitialized-padding-le.patch netfilter-ip6t_rt-reject-oversized-addrnr-in-rt_mt6_.patch -netfilter-nf_conntrack_expect-skip-expectations-in-o.patch netfilter-nf_conntrack_sip-fix-use-of-uninitialized-.patch netlink-introduce-nla_policy_max_be.patch netfilter-nft_payload-reject-out-of-range-attributes.patch diff --git a/queue-5.15/netfilter-nf_conntrack_expect-skip-expectations-in-o.patch b/queue-5.15/netfilter-nf_conntrack_expect-skip-expectations-in-o.patch deleted file mode 100644 index f71628fa4d..0000000000 --- a/queue-5.15/netfilter-nf_conntrack_expect-skip-expectations-in-o.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From c16b7514cdbda2899d4e9faa849ed394f1dd0748 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 25 Mar 2026 14:11:06 +0100 -Subject: netfilter: nf_conntrack_expect: skip expectations in other netns via - proc - -From: Pablo Neira Ayuso - -[ Upstream commit 3db5647984de03d9cae0dcddb509b058351f0ee4 ] - -Skip expectations that do not reside in this netns. - -Similar to e77e6ff502ea ("netfilter: conntrack: do not dump other netns's -conntrack entries via proc"). - -Fixes: 9b03f38d0487 ("netfilter: netns nf_conntrack: per-netns expectations") -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nf_conntrack_expect.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c -index 6d056ebba57c6..10d4dfbdde226 100644 ---- a/net/netfilter/nf_conntrack_expect.c -+++ b/net/netfilter/nf_conntrack_expect.c -@@ -627,11 +627,15 @@ static int exp_seq_show(struct seq_file *s, void *v) - { - struct nf_conntrack_expect *expect; - struct nf_conntrack_helper *helper; -+ struct net *net = seq_file_net(s); - struct hlist_node *n = v; - char *delim = ""; - - expect = hlist_entry(n, struct nf_conntrack_expect, hnode); - -+ if (!net_eq(nf_ct_exp_net(expect), net)) -+ return 0; -+ - if (expect->timeout.function) - seq_printf(s, "%ld ", timer_pending(&expect->timeout) - ? (long)(expect->timeout.expires - jiffies)/HZ : 0); --- -2.51.0 - diff --git a/queue-5.15/series b/queue-5.15/series index 38f2689f05..aab2db463d 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -325,7 +325,6 @@ bluetooth-l2cap-fix-ertm-re-init-and-zero-pdu_len-in.patch bluetooth-btusb-clamp-sco-altsetting-table-indices.patch netfilter-nfnetlink_log-fix-uninitialized-padding-le.patch netfilter-ip6t_rt-reject-oversized-addrnr-in-rt_mt6_.patch -netfilter-nf_conntrack_expect-skip-expectations-in-o.patch netfilter-nf_conntrack_sip-fix-use-of-uninitialized-.patch netlink-introduce-nla_policy_max_be.patch netfilter-nft_payload-reject-out-of-range-attributes.patch
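Review bot: In the deleted queue-5.10/bus-fsl-mc-fix-use-after-free-in-driver_override_sho.patch, removing the fix leaves driver_override_show() on 5.10 reading mc_dev->driver_override without device_lock(), so the read side of the race the patch described stays open on that tree. The stated reason is that the store side is unlocked without 5688f212e98a; the commit message should say whether 5688f212e98a and 148891e95014 are to be queued together for 5.10 if the prerequisite can be backported, so that this removal is not later read as "fix not needed on 5.10".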
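Review bot: In the deleted queue-5.10/bus-fsl-mc-replace-snprintf-and-sprintf-with-sysfs_e.patch, the driver_override_show() hunk is the context the use-after-free fix was built on: that fix removes the line "return sysfs_emit(buf, "%s\n", mc_dev->driver_override);", which exists only after this conversion. With both gone, 5.10 is back to "return snprintf(buf, PAGE_SIZE, "%s\n", mc_dev->driver_override);", so any later re-queue of 148891e95014 needs this patch restored alongside it or its context adjusted by hand. Worth a line in the commit message so the pairing is not lost. The modalias_show() hunk is an unrelated cleanup and is dropped only as a side effect.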
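Review bot: In the two deleted netfilter-nf_conntrack_expect-skip-expectations-in-o.patch files (queue-5.10 and queue-5.15), dropping the added check "if (!net_eq(nf_ct_exp_net(expect), net)) return 0;" means exp_seq_show() on both trees keeps listing expectations that do not reside in the reader's netns, which is the behaviour the patch's Fixes: 9b03f38d0487 tag was aimed at. The reason given is that nf_ct_exp_net() goes through exp->master without 02a3231b6d82; the message should state whether 02a3231b6d82 will be backported so the check can be re-queued, or whether 5.10 and 5.15 are intentionally left without netns filtering in the proc output.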
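Review bot: The subject line says "drop 2 patches", but the message lists three patch titles, the diff deletes four patch files (three under queue-5.10, one under queue-5.15), and the series hunks remove three entries from queue-5.10/series and one from queue-5.15/series. The series removals do match the deleted files one for one, so the change itself is consistent; only the count in the subject is off. Suggest rewording it to match what is removed, for example by counting the two fixes and naming the dependency separately.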