From 8bf97ae7a311ac13b26c73a2bda633e4a3a4ad5d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 19 Jan 2026 12:09:58 +0100 Subject: [PATCH] more patches dropped --- ...ix-filename-leak-in-__io_openat_prep.patch | 2 + .../reset-fix-bit-macro-reference.patch | 40 -------------- queue-5.10/series | 2 - ...n-delayed-work-during-device-removal.patch | 52 ------------------- ...ix-filename-leak-in-__io_openat_prep.patch | 2 + .../reset-fix-bit-macro-reference.patch | 40 -------------- queue-5.15/series | 2 - ...n-delayed-work-during-device-removal.patch | 52 ------------------- 8 files changed, 4 insertions(+), 188 deletions(-) delete mode 100644 queue-5.10/reset-fix-bit-macro-reference.patch delete mode 100644 queue-5.10/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch delete mode 100644 queue-5.15/reset-fix-bit-macro-reference.patch delete mode 100644 queue-5.15/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch diff --git a/queue-5.10/io_uring-fix-filename-leak-in-__io_openat_prep.patch b/queue-5.10/io_uring-fix-filename-leak-in-__io_openat_prep.patch index 930b7500f3..f8bacb977b 100644 --- a/queue-5.10/io_uring-fix-filename-leak-in-__io_openat_prep.patch +++ b/queue-5.10/io_uring-fix-filename-leak-in-__io_openat_prep.patch @@ -5,6 +5,8 @@ Subject: io_uring: fix filename leak in __io_openat_prep() From: Prithvi Tambewagh +commit b14fad555302a2104948feaff70503b64c80ac01 upstream. + __io_openat_prep() allocates a struct filename using getname(). However, for the condition of the file being installed in the fixed file table as well as having O_CLOEXEC flag set, the function returns early. At that diff --git a/queue-5.10/reset-fix-bit-macro-reference.patch b/queue-5.10/reset-fix-bit-macro-reference.patch deleted file mode 100644 index e5ecdea2d1..0000000000 --- a/queue-5.10/reset-fix-bit-macro-reference.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 3a6ea1951fb1117950678a61c103c8867281c31f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 10 Nov 2025 14:10:37 +0800 -Subject: reset: fix BIT macro reference - -From: Encrow Thorne - -[ Upstream commit f3d8b64ee46c9b4b0b82b1a4642027728bac95b8 ] - -RESET_CONTROL_FLAGS_BIT_* macros use BIT(), but reset.h does not -include bits.h. This causes compilation errors when including -reset.h standalone. - -Include bits.h to make reset.h self-contained. - -Suggested-by: Troy Mitchell -Reviewed-by: Troy Mitchell -Reviewed-by: Philipp Zabel -Signed-off-by: Encrow Thorne -Signed-off-by: Philipp Zabel -Signed-off-by: Sasha Levin ---- - include/linux/reset.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/include/linux/reset.h b/include/linux/reset.h -index 05aa9f440f48..f27026f52104 100644 ---- a/include/linux/reset.h -+++ b/include/linux/reset.h -@@ -2,6 +2,7 @@ - #ifndef _LINUX_RESET_H_ - #define _LINUX_RESET_H_ - -+#include - #include - #include - #include --- -2.51.0 - diff --git a/queue-5.10/series b/queue-5.10/series index 36e662526a..4245cf678e 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -201,7 +201,6 @@ powerpc-addnote-fix-overflow-on-32-bit-builds.patch scsi-qla2xxx-fix-initiator-mode-with-qlini_mode-excl.patch scsi-qla2xxx-use-reinit_completion-on-mbx_intr_comp.patch via_wdt-fix-critical-boot-hang-due-to-unnamed-resour.patch -reset-fix-bit-macro-reference.patch exfat-fix-remount-failure-in-different-process-envir.patch usbip-fix-locking-bug-in-rt-enabled-kernels.patch usb-typec-ucsi-handle-incorrect-num_connectors-capab.patch @@ -223,7 +222,6 @@ media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch usb-lpc32xx_udc-fix-error-handling-in-probe.patch -usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch char-applicom-fix-null-pointer-dereference-in-ac_ioctl.patch diff --git a/queue-5.10/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch b/queue-5.10/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch deleted file mode 100644 index ed10f49dfc..0000000000 --- a/queue-5.10/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f Mon Sep 17 00:00:00 2001 -From: Duoming Zhou -Date: Fri, 5 Dec 2025 11:48:31 +0800 -Subject: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal - -From: Duoming Zhou - -commit 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f upstream. - -The delayed work item otg_event is initialized in fsl_otg_conf() and -scheduled under two conditions: -1. When a host controller binds to the OTG controller. -2. When the USB ID pin state changes (cable insertion/removal). - -A race condition occurs when the device is removed via fsl_otg_remove(): -the fsl_otg instance may be freed while the delayed work is still pending -or executing. This leads to use-after-free when the work function -fsl_otg_event() accesses the already freed memory. - -The problematic scenario: - -(detach thread) | (delayed work) -fsl_otg_remove() | - kfree(fsl_otg_dev) //FREE| fsl_otg_event() - | og = container_of(...) //USE - | og-> //USE - -Fix this by calling disable_delayed_work_sync() in fsl_otg_remove() -before deallocating the fsl_otg structure. This ensures the delayed work -is properly canceled and completes execution prior to memory deallocation. - -This bug was identified through static analysis. - -Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver") -Cc: stable -Signed-off-by: Duoming Zhou -Link: https://patch.msgid.link/20251205034831.12846-1-duoming@zju.edu.cn -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/phy/phy-fsl-usb.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/usb/phy/phy-fsl-usb.c -+++ b/drivers/usb/phy/phy-fsl-usb.c -@@ -987,6 +987,7 @@ static int fsl_otg_remove(struct platfor - { - struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev); - -+ disable_delayed_work_sync(&fsl_otg_dev->otg_event); - usb_remove_phy(&fsl_otg_dev->phy); - free_irq(fsl_otg_dev->irq, fsl_otg_dev); - diff --git a/queue-5.15/io_uring-fix-filename-leak-in-__io_openat_prep.patch b/queue-5.15/io_uring-fix-filename-leak-in-__io_openat_prep.patch index 4013420b1b..4628ea22c4 100644 --- a/queue-5.15/io_uring-fix-filename-leak-in-__io_openat_prep.patch +++ b/queue-5.15/io_uring-fix-filename-leak-in-__io_openat_prep.patch @@ -5,6 +5,8 @@ Subject: io_uring: fix filename leak in __io_openat_prep() From: Prithvi Tambewagh +commit b14fad555302a2104948feaff70503b64c80ac01 upstream. + __io_openat_prep() allocates a struct filename using getname(). However, for the condition of the file being installed in the fixed file table as well as having O_CLOEXEC flag set, the function returns early. At that diff --git a/queue-5.15/reset-fix-bit-macro-reference.patch b/queue-5.15/reset-fix-bit-macro-reference.patch deleted file mode 100644 index b8dd745cd3..0000000000 --- a/queue-5.15/reset-fix-bit-macro-reference.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 01a30ff6a74d145704cf532d1450febb2febc167 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 10 Nov 2025 14:10:37 +0800 -Subject: reset: fix BIT macro reference - -From: Encrow Thorne - -[ Upstream commit f3d8b64ee46c9b4b0b82b1a4642027728bac95b8 ] - -RESET_CONTROL_FLAGS_BIT_* macros use BIT(), but reset.h does not -include bits.h. This causes compilation errors when including -reset.h standalone. - -Include bits.h to make reset.h self-contained. - -Suggested-by: Troy Mitchell -Reviewed-by: Troy Mitchell -Reviewed-by: Philipp Zabel -Signed-off-by: Encrow Thorne -Signed-off-by: Philipp Zabel -Signed-off-by: Sasha Levin ---- - include/linux/reset.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/include/linux/reset.h b/include/linux/reset.h -index 7bb583737528..23abb90398ad 100644 ---- a/include/linux/reset.h -+++ b/include/linux/reset.h -@@ -2,6 +2,7 @@ - #ifndef _LINUX_RESET_H_ - #define _LINUX_RESET_H_ - -+#include - #include - #include - #include --- -2.51.0 - diff --git a/queue-5.15/series b/queue-5.15/series index c0a0b9bed2..b38b217f8a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -255,7 +255,6 @@ scsi-qla2xxx-fix-lost-interrupts-with-qlini_mode-dis.patch scsi-qla2xxx-fix-initiator-mode-with-qlini_mode-excl.patch scsi-qla2xxx-use-reinit_completion-on-mbx_intr_comp.patch via_wdt-fix-critical-boot-hang-due-to-unnamed-resour.patch -reset-fix-bit-macro-reference.patch exfat-fix-remount-failure-in-different-process-envir.patch usbip-fix-locking-bug-in-rt-enabled-kernels.patch usb-typec-ucsi-handle-incorrect-num_connectors-capab.patch @@ -283,7 +282,6 @@ media-dvb-usb-dtv5100-fix-out-of-bounds-in-dtv5100_i2c_msg.patch media-pvrusb2-fix-incorrect-variable-used-in-trace-message.patch phy-broadcom-bcm63xx-usbh-fix-section-mismatches.patch usb-lpc32xx_udc-fix-error-handling-in-probe.patch -usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch usb-phy-isp1301-fix-non-of-device-reference-imbalance.patch usb-dwc3-of-simple-fix-clock-resource-leak-in-dwc3_of_simple_probe.patch usb-renesas_usbhs-fix-a-resource-leak-in-usbhs_pipe_malloc.patch diff --git a/queue-5.15/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch b/queue-5.15/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch deleted file mode 100644 index ed10f49dfc..0000000000 --- a/queue-5.15/usb-phy-fsl-usb-fix-use-after-free-in-delayed-work-during-device-removal.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f Mon Sep 17 00:00:00 2001 -From: Duoming Zhou -Date: Fri, 5 Dec 2025 11:48:31 +0800 -Subject: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal - -From: Duoming Zhou - -commit 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f upstream. - -The delayed work item otg_event is initialized in fsl_otg_conf() and -scheduled under two conditions: -1. When a host controller binds to the OTG controller. -2. When the USB ID pin state changes (cable insertion/removal). - -A race condition occurs when the device is removed via fsl_otg_remove(): -the fsl_otg instance may be freed while the delayed work is still pending -or executing. This leads to use-after-free when the work function -fsl_otg_event() accesses the already freed memory. - -The problematic scenario: - -(detach thread) | (delayed work) -fsl_otg_remove() | - kfree(fsl_otg_dev) //FREE| fsl_otg_event() - | og = container_of(...) //USE - | og-> //USE - -Fix this by calling disable_delayed_work_sync() in fsl_otg_remove() -before deallocating the fsl_otg structure. This ensures the delayed work -is properly canceled and completes execution prior to memory deallocation. - -This bug was identified through static analysis. - -Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver") -Cc: stable -Signed-off-by: Duoming Zhou -Link: https://patch.msgid.link/20251205034831.12846-1-duoming@zju.edu.cn -Signed-off-by: Greg Kroah-Hartman ---- - drivers/usb/phy/phy-fsl-usb.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/drivers/usb/phy/phy-fsl-usb.c -+++ b/drivers/usb/phy/phy-fsl-usb.c -@@ -987,6 +987,7 @@ static int fsl_otg_remove(struct platfor - { - struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev); - -+ disable_delayed_work_sync(&fsl_otg_dev->otg_event); - usb_remove_phy(&fsl_otg_dev->phy); - free_irq(fsl_otg_dev->irq, fsl_otg_dev); - -- 2.47.3