From afefff96739d0f94a0c90a0a1eab69531547553e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 22 Feb 2026 06:34:56 +0100 Subject: [PATCH] drop broken 6.6 patches --- ...s2-fix-slab-use-after-free-in-qd_put.patch | 45 ------ ...te-kernel-documentation-to-follow-th.patch | 145 ------------------ queue-6.6/series | 2 - 3 files changed, 192 deletions(-) delete mode 100644 queue-6.6/gfs2-fix-slab-use-after-free-in-qd_put.patch delete mode 100644 queue-6.6/mm-list_lru-update-kernel-documentation-to-follow-th.patch diff --git a/queue-6.6/gfs2-fix-slab-use-after-free-in-qd_put.patch b/queue-6.6/gfs2-fix-slab-use-after-free-in-qd_put.patch deleted file mode 100644 index 9cb441c84d..0000000000 --- a/queue-6.6/gfs2-fix-slab-use-after-free-in-qd_put.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 3d5a984e1acdf1adffa29a8c005e4a3bf2cc9f7a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 14 Dec 2025 16:47:34 +0000 -Subject: gfs2: Fix slab-use-after-free in qd_put - -From: Andreas Gruenbacher - -[ Upstream commit 22150a7d401d9e9169b9b68e05bed95f7f49bf69 ] - -Commit a475c5dd16e5 ("gfs2: Free quota data objects synchronously") -started freeing quota data objects during filesystem shutdown instead of -putting them back onto the LRU list, but it failed to remove these -objects from the LRU list, causing LRU list corruption. This caused -use-after-free when the shrinker (gfs2_qd_shrink_scan) tried to access -already-freed objects on the LRU list. - -Fix this by removing qd objects from the LRU list before freeing them in -qd_put(). - -Initial fix from Deepanshu Kartikey . - -Fixes: a475c5dd16e5 ("gfs2: Free quota data objects synchronously") -Reported-by: syzbot+046b605f01802054bff0@syzkaller.appspotmail.com -Closes: https://syzkaller.appspot.com/bug?extid=046b605f01802054bff0 -Signed-off-by: Andreas Gruenbacher -Signed-off-by: Sasha Levin ---- - fs/gfs2/quota.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c -index c537e1d02cf3a..5b06240a67367 100644 ---- a/fs/gfs2/quota.c -+++ b/fs/gfs2/quota.c -@@ -323,6 +323,7 @@ static void qd_put(struct gfs2_quota_data *qd) - lockref_mark_dead(&qd->qd_lockref); - spin_unlock(&qd->qd_lockref.lock); - -+ list_lru_del_obj(&gfs2_qd_lru, &qd->qd_lru); - gfs2_qd_dispose(qd); - return; - } --- -2.51.0 - diff --git a/queue-6.6/mm-list_lru-update-kernel-documentation-to-follow-th.patch b/queue-6.6/mm-list_lru-update-kernel-documentation-to-follow-th.patch deleted file mode 100644 index 0ce426074c..0000000000 --- a/queue-6.6/mm-list_lru-update-kernel-documentation-to-follow-th.patch +++ /dev/null @@ -1,145 +0,0 @@ -From 60d51bd2b9ea17138ce9886fe3388fa91f126096 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 23 Nov 2023 19:23:17 +0200 -Subject: mm: list_lru: Update kernel documentation to follow the requirements - -From: Andy Shevchenko - -[ Upstream commit 7679e14098c9c3c8118a7130d6e1e9cfe2565c04 ] - -kernel-doc is not happy about documentation in list_lru.h: - -list_lru.h:90: warning: Function parameter or member 'lru' not described in 'list_lru_add' -list_lru.h:90: warning: Excess function parameter 'list_lru' description in 'list_lru_add' -list_lru.h:90: warning: No description found for return value of 'list_lru_add' -list_lru.h:103: warning: Function parameter or member 'lru' not described in 'list_lru_del' -list_lru.h:103: warning: Excess function parameter 'list_lru' description in 'list_lru_del' -list_lru.h:103: warning: No description found for return value of 'list_lru_del' -list_lru.h:116: warning: No description found for return value of 'list_lru_count_one' -list_lru.h:168: warning: No description found for return value of 'list_lru_walk_one' -list_lru.h:185: warning: No description found for return value of 'list_lru_walk_one_irq' - -Fix the documentation accordingly. - -While at it, fix the references to the parameters in functions -inside the long descriptions, on which the above script is not -complaining (yet?). - -Link: https://lkml.kernel.org/r/20231123172320.2434780-1-andriy.shevchenko@linux.intel.com -Signed-off-by: Andy Shevchenko -Cc: Rasmus Villemoes -Signed-off-by: Andrew Morton -Stable-dep-of: 22150a7d401d ("gfs2: Fix slab-use-after-free in qd_put") -Signed-off-by: Sasha Levin ---- - include/linux/list_lru.h | 36 +++++++++++++++++++----------------- - 1 file changed, 19 insertions(+), 17 deletions(-) - -diff --git a/include/linux/list_lru.h b/include/linux/list_lru.h -index b35968ee9fb50..db86ad78d428a 100644 ---- a/include/linux/list_lru.h -+++ b/include/linux/list_lru.h -@@ -73,7 +73,7 @@ void memcg_reparent_list_lrus(struct mem_cgroup *memcg, struct mem_cgroup *paren - - /** - * list_lru_add: add an element to the lru list's tail -- * @list_lru: the lru pointer -+ * @lru: the lru pointer - * @item: the item to be added. - * - * If the element is already part of a list, this function returns doing -@@ -83,22 +83,22 @@ void memcg_reparent_list_lrus(struct mem_cgroup *memcg, struct mem_cgroup *paren - * the caller organize itself in a way that elements can be in more than - * one type of list, it is up to the caller to fully remove the item from - * the previous list (with list_lru_del() for instance) before moving it -- * to @list_lru -+ * to @lru. - * -- * Return value: true if the list was updated, false otherwise -+ * Return: true if the list was updated, false otherwise - */ - bool list_lru_add(struct list_lru *lru, struct list_head *item); - - /** - * list_lru_del: delete an element to the lru list -- * @list_lru: the lru pointer -+ * @lru: the lru pointer - * @item: the item to be deleted. - * -- * This function works analogously as list_lru_add in terms of list -+ * This function works analogously as list_lru_add() in terms of list - * manipulation. The comments about an element already pertaining to -- * a list are also valid for list_lru_del. -+ * a list are also valid for list_lru_del(). - * -- * Return value: true if the list was updated, false otherwise -+ * Return: true if the list was updated, false otherwise - */ - bool list_lru_del(struct list_lru *lru, struct list_head *item); - -@@ -108,9 +108,11 @@ bool list_lru_del(struct list_lru *lru, struct list_head *item); - * @nid: the node id to count from. - * @memcg: the cgroup to count from. - * -- * Always return a non-negative number, 0 for empty lists. There is no -- * guarantee that the list is not updated while the count is being computed. -- * Callers that want such a guarantee need to provide an outer lock. -+ * There is no guarantee that the list is not updated while the count is being -+ * computed. Callers that want such a guarantee need to provide an outer lock. -+ * -+ * Return: 0 for empty lists, otherwise the number of objects -+ * currently held by @lru. - */ - unsigned long list_lru_count_one(struct list_lru *lru, - int nid, struct mem_cgroup *memcg); -@@ -141,7 +143,7 @@ typedef enum lru_status (*list_lru_walk_cb)(struct list_head *item, - struct list_lru_one *list, spinlock_t *lock, void *cb_arg); - - /** -- * list_lru_walk_one: walk a list_lru, isolating and disposing freeable items. -+ * list_lru_walk_one: walk a @lru, isolating and disposing freeable items. - * @lru: the lru pointer. - * @nid: the node id to scan from. - * @memcg: the cgroup to scan from. -@@ -150,24 +152,24 @@ typedef enum lru_status (*list_lru_walk_cb)(struct list_head *item, - * @cb_arg: opaque type that will be passed to @isolate - * @nr_to_walk: how many items to scan. - * -- * This function will scan all elements in a particular list_lru, calling the -+ * This function will scan all elements in a particular @lru, calling the - * @isolate callback for each of those items, along with the current list - * spinlock and a caller-provided opaque. The @isolate callback can choose to - * drop the lock internally, but *must* return with the lock held. The callback -- * will return an enum lru_status telling the list_lru infrastructure what to -+ * will return an enum lru_status telling the @lru infrastructure what to - * do with the object being scanned. - * -- * Please note that nr_to_walk does not mean how many objects will be freed, -+ * Please note that @nr_to_walk does not mean how many objects will be freed, - * just how many objects will be scanned. - * -- * Return value: the number of objects effectively removed from the LRU. -+ * Return: the number of objects effectively removed from the LRU. - */ - unsigned long list_lru_walk_one(struct list_lru *lru, - int nid, struct mem_cgroup *memcg, - list_lru_walk_cb isolate, void *cb_arg, - unsigned long *nr_to_walk); - /** -- * list_lru_walk_one_irq: walk a list_lru, isolating and disposing freeable items. -+ * list_lru_walk_one_irq: walk a @lru, isolating and disposing freeable items. - * @lru: the lru pointer. - * @nid: the node id to scan from. - * @memcg: the cgroup to scan from. -@@ -176,7 +178,7 @@ unsigned long list_lru_walk_one(struct list_lru *lru, - * @cb_arg: opaque type that will be passed to @isolate - * @nr_to_walk: how many items to scan. - * -- * Same as @list_lru_walk_one except that the spinlock is acquired with -+ * Same as list_lru_walk_one() except that the spinlock is acquired with - * spin_lock_irq(). - */ - unsigned long list_lru_walk_one_irq(struct list_lru *lru, --- -2.51.0 - diff --git a/queue-6.6/series b/queue-6.6/series index d0e61999e6..a6cec19a65 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -12,8 +12,6 @@ i3c-move-device-name-assignment-after-i3c_bus_init.patch fs-add-linux-init_task.h-for-init_fs.patch i3c-master-update-hot-join-flag-only-on-success.patch gfs2-retries-missing-in-gfs2_-rename-exchange.patch -mm-list_lru-update-kernel-documentation-to-follow-th.patch -gfs2-fix-slab-use-after-free-in-qd_put.patch gfs2-add-metapath_dibh-helper.patch gfs2-fix-use-after-free-in-iomap-inline-data-write-p.patch i3c-dw-initialize-spinlock-to-avoid-upsetting-lockde.patch -- 2.47.3