From df827a340f742ca088047a3998be89fdac531770 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 17 Feb 2026 18:39:49 +0100 Subject: [PATCH] 6.1-stable patches added patches: f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch --- ...-atomic-commit-and-checkpoint-writes.patch | 103 ++++++++++ ...access-in-sysfs-attribute-read-write.patch | 183 ++++++++++++++++++ ...ix-to-avoid-uaf-in-f2fs_write_end_io.patch | 80 ++++++++ ...qcom-do-not-register-driver-in-probe.patch | 122 ++++++++++++ queue-6.1/series | 4 + 5 files changed, 492 insertions(+) create mode 100644 queue-6.1/f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch create mode 100644 queue-6.1/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch create mode 100644 queue-6.1/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch create mode 100644 queue-6.1/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch diff --git a/queue-6.1/f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch b/queue-6.1/f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch new file mode 100644 index 0000000000..c626eb48c3 --- /dev/null +++ b/queue-6.1/f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch @@ -0,0 +1,103 @@ +From stable+bounces-216856-greg=kroah.com@vger.kernel.org Tue Feb 17 16:59:22 2026 +From: Sasha Levin +Date: Tue, 17 Feb 2026 10:59:12 -0500 +Subject: f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes +To: stable@vger.kernel.org +Cc: Yongpeng Yang , stable@kernel.org, Sheng Yong , Jinbao Liu , Chao Yu , Jaegeuk Kim , Sasha Levin +Message-ID: <20260217155912.3750384-1-sashal@kernel.org> + +From: Yongpeng Yang + +[ Upstream commit 7633a7387eb4d0259d6bea945e1d3469cd135bbc ] + +During SPO tests, when mounting F2FS, an -EINVAL error was returned from +f2fs_recover_inode_page. The issue occurred under the following scenario + +Thread A Thread B +f2fs_ioc_commit_atomic_write + - f2fs_do_sync_file // atomic = true + - f2fs_fsync_node_pages + : last_folio = inode folio + : schedule before folio_lock(last_folio) f2fs_write_checkpoint + - block_operations// writeback last_folio + - schedule before f2fs_flush_nat_entries + : set_fsync_mark(last_folio, 1) + : set_dentry_mark(last_folio, 1) + : folio_mark_dirty(last_folio) + - __write_node_folio(last_folio) + : f2fs_down_read(&sbi->node_write)//block + - f2fs_flush_nat_entries + : {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED) + - unblock_operations + : f2fs_up_write(&sbi->node_write) + f2fs_write_checkpoint//return + : f2fs_do_write_node_page() +f2fs_ioc_commit_atomic_write//return + SPO + +Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has +already been written once. However, the {struct nat_entry}->flag did not +have the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and +write last_folio again after Thread B finishes f2fs_write_checkpoint. + +After SPO and reboot, it was detected that {struct node_info}->blk_addr +was not NULL_ADDR because Thread B successfully write the checkpoint. + +This issue only occurs in atomic write scenarios. For regular file +fsync operations, the folio must be dirty. If +block_operations->f2fs_sync_node_pages successfully submit the folio +write, this path will not be executed. Otherwise, the +f2fs_write_checkpoint will need to wait for the folio write submission +to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the +situation where f2fs_need_dentry_mark checks that the {struct +nat_entry}->flag /wo the IS_CHECKPOINTED flag, but the folio write has +already been submitted, will not occur. + +Therefore, for atomic file fsync, sbi->node_write should be acquired +through __write_node_folio to ensure that the IS_CHECKPOINTED flag +correctly indicates that the checkpoint write has been completed. + +Fixes: 608514deba38 ("f2fs: set fsync mark only for the last dnode") +Cc: stable@kernel.org +Signed-off-by: Sheng Yong +Signed-off-by: Jinbao Liu +Signed-off-by: Yongpeng Yang +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ folio => page ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/node.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -1665,8 +1665,13 @@ static int __write_node_page(struct page + goto redirty_out; + } + +- if (atomic && !test_opt(sbi, NOBARRIER) && !f2fs_sb_has_blkzoned(sbi)) +- fio.op_flags |= REQ_PREFLUSH | REQ_FUA; ++ if (atomic) { ++ if (!test_opt(sbi, NOBARRIER) && !f2fs_sb_has_blkzoned(sbi)) ++ fio.op_flags |= REQ_PREFLUSH | REQ_FUA; ++ if (IS_INODE(page)) ++ set_dentry_mark(page, ++ f2fs_need_dentry_mark(sbi, ino_of_node(page))); ++ } + + /* should add to global list before clearing PAGECACHE status */ + if (f2fs_in_warm_node_list(sbi, page)) { +@@ -1821,8 +1826,9 @@ continue_unlock: + if (is_inode_flag_set(inode, + FI_DIRTY_INODE)) + f2fs_update_inode(inode, page); +- set_dentry_mark(page, +- f2fs_need_dentry_mark(sbi, ino)); ++ if (!atomic) ++ set_dentry_mark(page, ++ f2fs_need_dentry_mark(sbi, ino)); + } + /* may be written by other thread */ + if (!PageDirty(page)) diff --git a/queue-6.1/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch b/queue-6.1/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch new file mode 100644 index 0000000000..a3b2e61d15 --- /dev/null +++ b/queue-6.1/f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch @@ -0,0 +1,183 @@ +From stable+bounces-216848-greg=kroah.com@vger.kernel.org Tue Feb 17 16:19:35 2026 +From: Sasha Levin +Date: Tue, 17 Feb 2026 10:19:29 -0500 +Subject: f2fs: fix out-of-bounds access in sysfs attribute read/write +To: stable@vger.kernel.org +Cc: Yongpeng Yang , stable@kernel.org, Jinbao Liu , Chao Yu , Jaegeuk Kim , Sasha Levin +Message-ID: <20260217151929.3676924-1-sashal@kernel.org> + +From: Yongpeng Yang + +[ Upstream commit 98ea0039dbfdd00e5cc1b9a8afa40434476c0955 ] + +Some f2fs sysfs attributes suffer from out-of-bounds memory access and +incorrect handling of integer values whose size is not 4 bytes. + +For example: +vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out +vm:~# cat /sys/fs/f2fs/vde/carve_out +65537 +vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold +vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold +1 + +carve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit +integer. However, the sysfs interface allows setting it to a value +larger than 255, resulting in an out-of-range update. + +atgc_age_threshold maps to {struct atgc_management}->age_threshold, +which is a 64-bit integer, but its sysfs interface cannot correctly set +values larger than UINT_MAX. + +The root causes are: +1. __sbi_store() treats all default values as unsigned int, which +prevents updating integers larger than 4 bytes and causes out-of-bounds +writes for integers smaller than 4 bytes. + +2. f2fs_sbi_show() also assumes all default values are unsigned int, +leading to out-of-bounds reads and incorrect access to integers larger +than 4 bytes. + +This patch introduces {struct f2fs_attr}->size to record the actual size +of the integer associated with each sysfs attribute. With this +information, sysfs read and write operations can correctly access and +update values according to their real data size, avoiding memory +corruption and truncation. + +Fixes: b59d0bae6ca3 ("f2fs: add sysfs support for controlling the gc_thread") +Cc: stable@kernel.org +Signed-off-by: Jinbao Liu +Signed-off-by: Yongpeng Yang +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ adapted F2FS_STAT_ATTR macro to include .size field and used sprintf instead of sysfs_emit in the replaced baseline code ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/sysfs.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 53 insertions(+), 8 deletions(-) + +--- a/fs/f2fs/sysfs.c ++++ b/fs/f2fs/sysfs.c +@@ -58,6 +58,7 @@ struct f2fs_attr { + const char *, size_t); + int struct_type; + int offset; ++ int size; + int id; + }; + +@@ -273,11 +274,30 @@ static ssize_t main_blkaddr_show(struct + (unsigned long long)MAIN_BLKADDR(sbi)); + } + ++static ssize_t __sbi_show_value(struct f2fs_attr *a, ++ struct f2fs_sb_info *sbi, char *buf, ++ unsigned char *value) ++{ ++ switch (a->size) { ++ case 1: ++ return sysfs_emit(buf, "%u\n", *(u8 *)value); ++ case 2: ++ return sysfs_emit(buf, "%u\n", *(u16 *)value); ++ case 4: ++ return sysfs_emit(buf, "%u\n", *(u32 *)value); ++ case 8: ++ return sysfs_emit(buf, "%llu\n", *(u64 *)value); ++ default: ++ f2fs_bug_on(sbi, 1); ++ return sysfs_emit(buf, ++ "show sysfs node value with wrong type\n"); ++ } ++} ++ + static ssize_t f2fs_sbi_show(struct f2fs_attr *a, + struct f2fs_sb_info *sbi, char *buf) + { + unsigned char *ptr = NULL; +- unsigned int *ui; + + ptr = __struct_ptr(sbi, a->struct_type); + if (!ptr) +@@ -360,9 +380,30 @@ static ssize_t f2fs_sbi_show(struct f2fs + if (!strcmp(a->attr.name, "revoked_atomic_block")) + return sysfs_emit(buf, "%llu\n", sbi->revoked_atomic_block); + +- ui = (unsigned int *)(ptr + a->offset); ++ return __sbi_show_value(a, sbi, buf, ptr + a->offset); ++} + +- return sprintf(buf, "%u\n", *ui); ++static void __sbi_store_value(struct f2fs_attr *a, ++ struct f2fs_sb_info *sbi, ++ unsigned char *ui, unsigned long value) ++{ ++ switch (a->size) { ++ case 1: ++ *(u8 *)ui = value; ++ break; ++ case 2: ++ *(u16 *)ui = value; ++ break; ++ case 4: ++ *(u32 *)ui = value; ++ break; ++ case 8: ++ *(u64 *)ui = value; ++ break; ++ default: ++ f2fs_bug_on(sbi, 1); ++ f2fs_err(sbi, "store sysfs node value with wrong type"); ++ } + } + + static ssize_t __sbi_store(struct f2fs_attr *a, +@@ -655,7 +696,7 @@ out: + return count; + } + +- *ui = (unsigned int)t; ++ __sbi_store_value(a, sbi, ptr + a->offset, t); + + return count; + } +@@ -751,24 +792,27 @@ static struct f2fs_attr f2fs_attr_sb_##_ + .id = F2FS_FEATURE_##_feat, \ + } + +-#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset) \ ++#define F2FS_ATTR_OFFSET(_struct_type, _name, _mode, _show, _store, _offset, _size) \ + static struct f2fs_attr f2fs_attr_##_name = { \ + .attr = {.name = __stringify(_name), .mode = _mode }, \ + .show = _show, \ + .store = _store, \ + .struct_type = _struct_type, \ +- .offset = _offset \ ++ .offset = _offset, \ ++ .size = _size \ + } + + #define F2FS_RO_ATTR(struct_type, struct_name, name, elname) \ + F2FS_ATTR_OFFSET(struct_type, name, 0444, \ + f2fs_sbi_show, NULL, \ +- offsetof(struct struct_name, elname)) ++ offsetof(struct struct_name, elname), \ ++ sizeof_field(struct struct_name, elname)) + + #define F2FS_RW_ATTR(struct_type, struct_name, name, elname) \ + F2FS_ATTR_OFFSET(struct_type, name, 0644, \ + f2fs_sbi_show, f2fs_sbi_store, \ +- offsetof(struct struct_name, elname)) ++ offsetof(struct struct_name, elname), \ ++ sizeof_field(struct struct_name, elname)) + + #define F2FS_GENERAL_RO_ATTR(name) \ + static struct f2fs_attr f2fs_attr_##name = __ATTR(name, 0444, name##_show, NULL) +@@ -779,6 +823,7 @@ static struct f2fs_attr f2fs_attr_##_nam + .show = f2fs_sbi_show, \ + .struct_type = _struct_type, \ + .offset = offsetof(struct _struct_name, _elname), \ ++ .size = sizeof_field(struct _struct_name, _elname), \ + } + + F2FS_RW_ATTR(GC_THREAD, f2fs_gc_kthread, gc_urgent_sleep_time, diff --git a/queue-6.1/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch b/queue-6.1/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch new file mode 100644 index 0000000000..05a7970da4 --- /dev/null +++ b/queue-6.1/f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch @@ -0,0 +1,80 @@ +From stable+bounces-216857-greg=kroah.com@vger.kernel.org Tue Feb 17 16:59:21 2026 +From: Sasha Levin +Date: Tue, 17 Feb 2026 10:59:15 -0500 +Subject: f2fs: fix to avoid UAF in f2fs_write_end_io() +To: stable@vger.kernel.org +Cc: Chao Yu , stable@kernel.org, syzbot+b4444e3c972a7a124187@syzkaller.appspotmail.com, Jaegeuk Kim , Sasha Levin +Message-ID: <20260217155915.3750486-1-sashal@kernel.org> + +From: Chao Yu + +[ Upstream commit ce2739e482bce8d2c014d76c4531c877f382aa54 ] + +As syzbot reported an use-after-free issue in f2fs_write_end_io(). + +It is caused by below race condition: + +loop device umount +- worker_thread + - loop_process_work + - do_req_filebacked + - lo_rw_aio + - lo_rw_aio_complete + - blk_mq_end_request + - blk_update_request + - f2fs_write_end_io + - dec_page_count + - folio_end_writeback + - kill_f2fs_super + - kill_block_super + - f2fs_put_super + : free(sbi) + : get_pages(, F2FS_WB_CP_DATA) + accessed sbi which is freed + +In kill_f2fs_super(), we will drop all page caches of f2fs inodes before +call free(sbi), it guarantee that all folios should end its writeback, so +it should be safe to access sbi before last folio_end_writeback(). + +Let's relocate ckpt thread wakeup flow before folio_end_writeback() to +resolve this issue. + +Cc: stable@kernel.org +Fixes: e234088758fc ("f2fs: avoid wait if IO end up when do_checkpoint for better performance") +Reported-by: syzbot+b4444e3c972a7a124187@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=b4444e3c972a7a124187 +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ folio => page ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/data.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -358,14 +358,20 @@ static void f2fs_write_end_io(struct bio + page->index != nid_of_node(page)); + + dec_page_count(sbi, type); ++ ++ /* ++ * we should access sbi before end_page_writeback() to ++ * avoid racing w/ kill_f2fs_super() ++ */ ++ if (type == F2FS_WB_CP_DATA && !get_pages(sbi, type) && ++ wq_has_sleeper(&sbi->cp_wait)) ++ wake_up(&sbi->cp_wait); ++ + if (f2fs_in_warm_node_list(sbi, page)) + f2fs_del_fsync_node_entry(sbi, page); + clear_page_private_gcing(page); + end_page_writeback(page); + } +- if (!get_pages(sbi, F2FS_WB_CP_DATA) && +- wq_has_sleeper(&sbi->cp_wait)) +- wake_up(&sbi->cp_wait); + + bio_put(bio); + } diff --git a/queue-6.1/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch b/queue-6.1/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch new file mode 100644 index 0000000000..cb6484c2ba --- /dev/null +++ b/queue-6.1/iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch @@ -0,0 +1,122 @@ +From ed1ac3c977dd6b119405fa36dd41f7151bd5b4de Mon Sep 17 00:00:00 2001 +From: Danilo Krummrich +Date: Wed, 21 Jan 2026 15:12:01 +0100 +Subject: iommu/arm-smmu-qcom: do not register driver in probe() + +From: Danilo Krummrich + +commit ed1ac3c977dd6b119405fa36dd41f7151bd5b4de upstream. + +Commit 0b4eeee2876f ("iommu/arm-smmu-qcom: Register the TBU driver in +qcom_smmu_impl_init") intended to also probe the TBU driver when +CONFIG_ARM_SMMU_QCOM_DEBUG is disabled, but also moved the corresponding +platform_driver_register() call into qcom_smmu_impl_init() which is +called from arm_smmu_device_probe(). + +However, it neither makes sense to register drivers from probe() +callbacks of other drivers, nor does the driver core allow registering +drivers with a device lock already being held. + +The latter was revealed by commit dc23806a7c47 ("driver core: enforce +device_lock for driver_match_device()") leading to a deadlock condition +described in [1]. + +Additionally, it was noted by Robin that the current approach is +potentially racy with async probe [2]. + +Hence, fix this by registering the qcom_smmu_tbu_driver from +module_init(). Unfortunately, due to the vendoring of the driver, this +requires an indirection through arm-smmu-impl.c. + +Reported-by: Mark Brown +Closes: https://lore.kernel.org/lkml/7ae38e31-ef31-43ad-9106-7c76ea0e8596@sirena.org.uk/ +Link: https://lore.kernel.org/lkml/DFU7CEPUSG9A.1KKGVW4HIPMSH@kernel.org/ [1] +Link: https://lore.kernel.org/lkml/0c0d3707-9ea5-44f9-88a1-a65c62e3df8d@arm.com/ [2] +Fixes: dc23806a7c47 ("driver core: enforce device_lock for driver_match_device()") +Fixes: 0b4eeee2876f ("iommu/arm-smmu-qcom: Register the TBU driver in qcom_smmu_impl_init") +Acked-by: Robin Murphy +Tested-by: Bjorn Andersson +Reviewed-by: Bjorn Andersson +Acked-by: Konrad Dybcio +Reviewed-by: Greg Kroah-Hartman +Tested-by: Ioana Ciornei #LX2160ARDB +Tested-by: Wang Jiayue +Reviewed-by: Wang Jiayue +Tested-by: Mark Brown +Acked-by: Joerg Roedel +Link: https://patch.msgid.link/20260121141215.29658-1-dakr@kernel.org +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/arm/arm-smmu/arm-smmu-impl.c | 14 ++++++++++++++ + drivers/iommu/arm/arm-smmu/arm-smmu.c | 24 +++++++++++++++++++++++- + drivers/iommu/arm/arm-smmu/arm-smmu.h | 5 +++++ + 3 files changed, 42 insertions(+), 1 deletion(-) + +--- a/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu-impl.c +@@ -224,3 +224,17 @@ struct arm_smmu_device *arm_smmu_impl_in + + return smmu; + } ++ ++int __init arm_smmu_impl_module_init(void) ++{ ++ if (IS_ENABLED(CONFIG_ARM_SMMU_QCOM)) ++ return qcom_smmu_module_init(); ++ ++ return 0; ++} ++ ++void __exit arm_smmu_impl_module_exit(void) ++{ ++ if (IS_ENABLED(CONFIG_ARM_SMMU_QCOM)) ++ qcom_smmu_module_exit(); ++} +--- a/drivers/iommu/arm/arm-smmu/arm-smmu.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c +@@ -2311,7 +2311,29 @@ static struct platform_driver arm_smmu_d + .remove_new = arm_smmu_device_remove, + .shutdown = arm_smmu_device_shutdown, + }; +-module_platform_driver(arm_smmu_driver); ++ ++static int __init arm_smmu_init(void) ++{ ++ int ret; ++ ++ ret = platform_driver_register(&arm_smmu_driver); ++ if (ret) ++ return ret; ++ ++ ret = arm_smmu_impl_module_init(); ++ if (ret) ++ platform_driver_unregister(&arm_smmu_driver); ++ ++ return ret; ++} ++module_init(arm_smmu_init); ++ ++static void __exit arm_smmu_exit(void) ++{ ++ arm_smmu_impl_module_exit(); ++ platform_driver_unregister(&arm_smmu_driver); ++} ++module_exit(arm_smmu_exit); + + MODULE_DESCRIPTION("IOMMU API for ARM architected SMMU implementations"); + MODULE_AUTHOR("Will Deacon "); +--- a/drivers/iommu/arm/arm-smmu/arm-smmu.h ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu.h +@@ -528,6 +528,11 @@ struct arm_smmu_device *arm_smmu_impl_in + struct arm_smmu_device *nvidia_smmu_impl_init(struct arm_smmu_device *smmu); + struct arm_smmu_device *qcom_smmu_impl_init(struct arm_smmu_device *smmu); + ++int __init arm_smmu_impl_module_init(void); ++void __exit arm_smmu_impl_module_exit(void); ++int __init qcom_smmu_module_init(void); ++void __exit qcom_smmu_module_exit(void); ++ + void arm_smmu_write_context_bank(struct arm_smmu_device *smmu, int idx); + int arm_mmu500_reset(struct arm_smmu_device *smmu); + diff --git a/queue-6.1/series b/queue-6.1/series index 3da69040cc..fa00d3cf51 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -57,3 +57,7 @@ wifi-cfg80211-add-missing-lock-in-cfg80211_check_and_end_cac.patch cpuset-fix-missing-adaptation-for-cpuset_is_populated.patch fbdev-rivafb-fix-divide-error-in-nv3_arb.patch fbdev-smscufx-properly-copy-ioctl-memory-to-kernelspace.patch +iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch +f2fs-fix-is_checkpointed-flag-inconsistency-issue-caused-by-concurrent-atomic-commit-and-checkpoint-writes.patch +f2fs-fix-to-avoid-uaf-in-f2fs_write_end_io.patch +f2fs-fix-out-of-bounds-access-in-sysfs-attribute-read-write.patch -- 2.47.3