From 3168d71f9891080b16caa8ba40561ab78af6986b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 3 Feb 2026 17:36:45 +0100
Subject: [PATCH] 6.12-stable patches
added patches:
btrfs-prevent-use-after-free-on-folio-private-data-in-btrfs_subpage_clear_uptodate.patch
net-sched-act_ife-convert-comma-to-semicolon.patch
---
...data-in-btrfs_subpage_clear_uptodate.patch | 95 +++++++++++++++++++
...d-act_ife-convert-comma-to-semicolon.patch | 44 +++++++++
queue-6.12/series | 2 +
3 files changed, 141 insertions(+)
create mode 100644 queue-6.12/btrfs-prevent-use-after-free-on-folio-private-data-in-btrfs_subpage_clear_uptodate.patch
create mode 100644 queue-6.12/net-sched-act_ife-convert-comma-to-semicolon.patch
diff --git a/queue-6.12/btrfs-prevent-use-after-free-on-folio-private-data-in-btrfs_subpage_clear_uptodate.patch b/queue-6.12/btrfs-prevent-use-after-free-on-folio-private-data-in-btrfs_subpage_clear_uptodate.patch
new file mode 100644
index 0000000000..dc8bd2e11b
--- /dev/null
+++ b/queue-6.12/btrfs-prevent-use-after-free-on-folio-private-data-in-btrfs_subpage_clear_uptodate.patch
@@ -0,0 +1,95 @@
+From inwardvessel@gmail.com Tue Feb 3 17:29:41 2026
+From: JP Kobryn
+Date: Sat, 31 Jan 2026 23:13:46 -0800
+Subject: btrfs: prevent use-after-free on folio private data in btrfs_subpage_clear_uptodate()
+To: wqu@suse.com, boris@bur.io, clm@fb.com, dsterba@suse.com
+Cc: linux-btrfs@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@meta.com
+Message-ID: <20260201071346.130641-1-inwardvessel@gmail.com>
+
+From: JP Kobryn
+
+This is a stable-only patch. The issue was inadvertently fixed in 6.17 [0]
+as part of a refactoring, but this patch serves as a minimal targeted fix
+for prior kernels.
+
+Users of filemap_lock_folio() need to guard against the situation where
+release_folio() has been invoked during reclaim but the folio was
+ultimately not removed from the page cache. This patch covers one location
+that was overlooked.
+
+After acquiring the folio, use set_folio_extent_mapped() to ensure the
+folio private state is valid. This is especially important in the subpage
+case, where the private field is an allocated struct containing bitmap and
+lock data.
+
+Without this protection, the race below is possible:
+
+[mm] page cache reclaim path [fs] relocation in subpage mode
+shrink_folio_list()
+ folio_trylock() /* lock acquired */
+ filemap_release_folio()
+ mapping->a_ops->release_folio()
+ btrfs_release_folio()
+ __btrfs_release_folio()
+ clear_folio_extent_mapped()
+ btrfs_detach_subpage()
+ subpage = folio_detach_private(folio)
+ btrfs_free_subpage(subpage)
+ kfree(subpage) /* point A */
+
+ prealloc_file_extent_cluster()
+ filemap_lock_folio()
+ folio_try_get() /* inc refcount */
+ folio_lock() /* wait for lock */
+
+ if (...)
+ ...
+ else if (!mapping || !__remove_mapping(..))
+ /*
+ * __remove_mapping() returns zero when
+ * folio_ref_freeze(folio, refcount) fails /* point B */
+ */
+ goto keep_locked /* folio remains in cache */
+
+keep_locked:
+ folio_unlock(folio) /* lock released */
+
+ /* lock acquired */
+ btrfs_subpage_clear_uptodate()
+ /* use-after-free */
+ subpage = folio_get_private(folio)
+
+[0] 4e346baee95f ("btrfs: reloc: unconditionally invalidate the page cache for each cluster")
+
+Fixes: 9d9ea1e68a05 ("btrfs: subpage: fix relocation potentially overwriting last page data")
+Cc: stable@vger.kernel.org # 6.10-6.16
+Signed-off-by: JP Kobryn
+Reviewed-by: Qu Wenruo
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/relocation.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -2811,6 +2811,20 @@ static noinline_for_stack int prealloc_f
+ * will re-read the whole page anyway.
+ */
+ if (!IS_ERR(folio)) {
++ /*
++ * release_folio() could have cleared the folio private data
++ * while we were not holding the lock. Reset the mapping if
++ * needed so subpage operations can access a valid private
++ * folio state.
++ */
++ ret = set_folio_extent_mapped(folio);
++ if (ret) {
++ folio_unlock(folio);
++ folio_put(folio);
++
++ return ret;
++ }
++
+ btrfs_subpage_clear_uptodate(fs_info, folio, i_size,
+ round_up(i_size, PAGE_SIZE) - i_size);
+ folio_unlock(folio);
diff --git a/queue-6.12/net-sched-act_ife-convert-comma-to-semicolon.patch b/queue-6.12/net-sched-act_ife-convert-comma-to-semicolon.patch
new file mode 100644
index 0000000000..4a78b18635
--- /dev/null
+++ b/queue-6.12/net-sched-act_ife-convert-comma-to-semicolon.patch
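Review bot: The added error path in the inner fs/btrfs/relocation.c hunk returns `ret` straight out of prealloc_file_extent_cluster() right after `folio_unlock(folio); folio_put(folio);`, so anything the function set up before line 2811 is left to the caller; the function begins and ends outside the hunk, so it should be confirmed that no lock, reservation or reference is held at this point that the function's normal exit path releases, and if one is, the return should go through that unwind instead. The comment above the block explains why an IS_ERR() folio can simply be skipped, but not why a failure from set_folio_extent_mapped() is treated as fatal rather than as another "will be re-read anyway" case; a line such as `* Without valid private state there is nothing safe to clear, so fail the prealloc.` next to the new `if (ret)` would make that asymmetry visibly deliberate. As this is a stable-only fix with no upstream commit to cross-check, the header's pointer to 4e346baee95f is the only reference a future backporter has, so it is worth keeping exactly as written.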
@@ -0,0 +1,44 @@
+From 205305c028ad986d0649b8b100bab6032dcd1bb5 Mon Sep 17 00:00:00 2001
+From: Chen Ni
+Date: Wed, 12 Nov 2025 15:27:09 +0800
+Subject: net/sched: act_ife: convert comma to semicolon
+
+From: Chen Ni
+
+commit 205305c028ad986d0649b8b100bab6032dcd1bb5 upstream.
+
+Replace comma between expressions with semicolons.
+
+Using a ',' in place of a ';' can have unintended side effects.
+Although that is not the case here, it is seems best to use ';'
+unless ',' is intended.
+
+Found by inspection.
+No functional change intended.
+Compile tested only.
+
+Signed-off-by: Chen Ni
+Reviewed-by: Jamal Hadi Salim
+Link: https://patch.msgid.link/20251112072709.73755-1-nichen@iscas.ac.cn
+Signed-off-by: Jakub Kicinski
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_ife.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/sched/act_ife.c
++++ b/net/sched/act_ife.c
+@@ -649,9 +649,9 @@ static int tcf_ife_dump(struct sk_buff *
+
+ memset(&opt, 0, sizeof(opt));
+
+- opt.index = ife->tcf_index,
+- opt.refcnt = refcount_read(&ife->tcf_refcnt) - ref,
+- opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind,
++ opt.index = ife->tcf_index;
++ opt.refcnt = refcount_read(&ife->tcf_refcnt) - ref;
++ opt.bindcnt = atomic_read(&ife->tcf_bindcnt) - bind;
+
+ spin_lock_bh(&ife->tcf_lock);
+ opt.action = ife->tcf_action;
diff --git a/queue-6.12/series b/queue-6.12/series
index 23c1fc69c3..e4b21a29da 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -73,3 +73,5 @@ libbpf-fix-wdiscarded-qualifiers-under-c23.patch
 mm-kfence-randomize-the-freelist-on-initialization.patch
 wifi-ath11k-add-srng-lock-for-ath11k_hal_srng_-in-monitor-mode.patch
 revert-drm-nouveau-disp-set-drm_mode_config_funcs.atomic_-check-commit.patch
+btrfs-prevent-use-after-free-on-folio-private-data-in-btrfs_subpage_clear_uptodate.patch
+net-sched-act_ife-convert-comma-to-semicolon.patch
--
2.47.3