--- /dev/null
+From stable+bounces-197599-greg=kroah.com@vger.kernel.org Fri Nov 28 15:45:35 2025
+From: Nazar Kalashnikov <sivartiwe@gmail.com>
+Date: Fri, 28 Nov 2025 17:45:34 +0300
+Subject: Bluetooth: Add more enc key size check
+To: stable@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Nazar Kalashnikov <sivartiwe@gmail.com>, Marcel Holtmann <marcel@holtmann.org>, Johan Hedberg <johan.hedberg@gmail.com>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Alex Lu <alex_lu@realsil.com.cn>, Max Chou <max.chou@realtek.com>, Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Message-ID: <20251128144535.55357-1-sivartiwe@gmail.com>
+
+From: Alex Lu <alex_lu@realsil.com.cn>
+
+[ Upstream commit 04a342cc49a8522e99c9b3346371c329d841dcd2 ]
+
+When we are in slave role and receive an l2cap conn req when encryption has
+started, we should check the enc key size to avoid a KNOB attack or BLUFFS
+attack.
+From the SIG recommendation, implementations are advised to reject
+service-level connections on an encrypted baseband link with key
+strengths below 7 octets.
+A simple and clear way to achieve this is to place the enc key size
+check in hci_cc_read_enc_key_size().
+
+The btmon log below shows the case that lacks the enc key size check.
+
+> HCI Event: Connect Request (0x04) plen 10
+ Address: BB:22:33:44:55:99 (OUI BB-22-33)
+ Class: 0x480104
+ Major class: Computer (desktop, notebook, PDA, organizers)
+ Minor class: Desktop workstation
+ Capturing (Scanner, Microphone)
+ Telephony (Cordless telephony, Modem, Headset)
+ Link type: ACL (0x01)
+< HCI Command: Accept Connection Request (0x01|0x0009) plen 7
+ Address: BB:22:33:44:55:99 (OUI BB-22-33)
+ Role: Peripheral (0x01)
+> HCI Event: Command Status (0x0f) plen 4
+ Accept Connection Request (0x01|0x0009) ncmd 2
+ Status: Success (0x00)
+> HCI Event: Connect Complete (0x03) plen 11
+ Status: Success (0x00)
+ Handle: 1
+ Address: BB:22:33:44:55:99 (OUI BB-22-33)
+ Link type: ACL (0x01)
+ Encryption: Disabled (0x00)
+...
+
+> HCI Event: Encryption Change (0x08) plen 4
+ Status: Success (0x00)
+ Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
+ Encryption: Enabled with E0 (0x01)
+< HCI Command: Read Encryption Key Size (0x05|0x0008) plen 2
+ Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
+> HCI Event: Command Complete (0x0e) plen 7
+ Read Encryption Key Size (0x05|0x0008) ncmd 2
+ Status: Success (0x00)
+ Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
+ Key size: 6
+// We should check the enc key size
+...
+
+> ACL Data RX: Handle 1 flags 0x02 dlen 12
+ L2CAP: Connection Request (0x02) ident 3 len 4
+ PSM: 25 (0x0019)
+ Source CID: 64
+< ACL Data TX: Handle 1 flags 0x00 dlen 16
+ L2CAP: Connection Response (0x03) ident 3 len 8
+ Destination CID: 64
+ Source CID: 64
+ Result: Connection pending (0x0001)
+ Status: Authorization pending (0x0002)
+> HCI Event: Number of Completed Packets (0x13) plen 5
+ Num handles: 1
+ Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
+ Count: 1
+ #35: len 16 (25 Kb/s)
+ Latency: 5 msec (2-7 msec ~4 msec)
+< ACL Data TX: Handle 1 flags 0x00 dlen 16
+ L2CAP: Connection Response (0x03) ident 3 len 8
+ Destination CID: 64
+ Source CID: 64
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Alex Lu <alex_lu@realsil.com.cn>
+Signed-off-by: Max Chou <max.chou@realtek.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+[ Nazar Kalashnikov: change status to
+rp_status due to function parameter conflict ]
+Signed-off-by: Nazar Kalashnikov <sivartiwe@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+Backport fix for CVE-2023-24023
+ net/bluetooth/hci_event.c | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -3043,6 +3043,7 @@ static void read_enc_key_size_complete(s
+ const struct hci_rp_read_enc_key_size *rp;
+ struct hci_conn *conn;
+ u16 handle;
++ u8 rp_status;
+
+ BT_DBG("%s status 0x%02x", hdev->name, status);
+
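Review bot: the new `u8 rp_status` local exists only because this tree's read_enc_key_size_complete() already takes a `status` parameter (the command status), as the backport note says; a one-line comment next to the declaration stating that `rp_status` mirrors `rp->status` (the controller's response status) would keep readers from confusing the two values in the function body.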
+@@ -3052,6 +3053,7 @@ static void read_enc_key_size_complete(s
+ }
+
+ rp = (void *)skb->data;
++ rp_status = rp->status;
+ handle = le16_to_cpu(rp->handle);
+
+ hci_dev_lock(hdev);
+@@ -3064,15 +3066,30 @@ static void read_enc_key_size_complete(s
+ * secure approach is to then assume the key size is 0 to force a
+ * disconnection.
+ */
+- if (rp->status) {
++ if (rp_status) {
+ bt_dev_err(hdev, "failed to read key size for handle %u",
+ handle);
+ conn->enc_key_size = 0;
+ } else {
+ conn->enc_key_size = rp->key_size;
++ rp_status = 0;
++
++ if (conn->enc_key_size < hdev->min_enc_key_size) {
++ /* As slave role, the conn->state has been set to
++ * BT_CONNECTED and l2cap conn req might not be received
++ * yet, at this moment the l2cap layer almost does
++ * nothing with the non-zero status.
++ * So we also clear encrypt related bits, and then the
++ * handler of l2cap conn req will get the right secure
++ * state at a later time.
++ */
++ rp_status = HCI_ERROR_AUTH_FAILURE;
++ clear_bit(HCI_CONN_ENCRYPT, &conn->flags);
++ clear_bit(HCI_CONN_AES_CCM, &conn->flags);
++ }
+ }
+
+- hci_encrypt_cfm(conn, 0);
++ hci_encrypt_cfm(conn, rp_status);
+
+ unlock:
+ hci_dev_unlock(hdev);
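Review bot: `rp_status = 0;` at the top of the else branch is redundant: the branch is only entered when `rp_status` (copied from `rp->status`) is already 0, so the assignment can be dropped or turned into a comment. Note also that this hunk changes the controller-error path as well as the short-key path: before, `hci_encrypt_cfm(conn, 0)` ran unconditionally; now the controller's non-zero `rp->status` is forwarded, so hci_encrypt_cfm() callers see a failure both for a key shorter than `hdev->min_enc_key_size` (HCI_ERROR_AUTH_FAILURE, with HCI_CONN_ENCRYPT and HCI_CONN_AES_CCM cleared) and for a failed Read Encryption Key Size. That is consistent with the "assume the key size is 0 to force a disconnection" comment above, but it deserves a sentence in the backport note. Finally, the hunk relies on `hdev->min_enc_key_size` existing and being initialised in this tree; neither is shown here, so please state where it is set, because a zero default turns the new check into a no-op.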
--- /dev/null
+From stable+bounces-197598-greg=kroah.com@vger.kernel.org Fri Nov 28 15:41:26 2025
+From: Nazar Kalashnikov <sivartiwe@gmail.com>
+Date: Fri, 28 Nov 2025 17:41:19 +0300
+Subject: fs: writeback: fix use-after-free in __mark_inode_dirty()
+To: stable@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Nazar Kalashnikov <sivartiwe@gmail.com>, Alexander Viro <viro@zeniv.linux.org.uk>, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Jiufei Xue <jiufei.xue@samsung.com>, Jan Kara <jack@suse.cz>, Christian Brauner <brauner@kernel.org>
+Message-ID: <20251128144121.54603-1-sivartiwe@gmail.com>
+
+From: Jiufei Xue <jiufei.xue@samsung.com>
+
+[ Upstream commit d02d2c98d25793902f65803ab853b592c7a96b29 ]
+
+A use-after-free issue occurred when __mark_inode_dirty() got the
+bdi_writeback that was in the process of switching.
+
+CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1
+......
+pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : __mark_inode_dirty+0x124/0x418
+lr : __mark_inode_dirty+0x118/0x418
+sp : ffffffc08c9dbbc0
+........
+Call trace:
+ __mark_inode_dirty+0x124/0x418
+ generic_update_time+0x4c/0x60
+ file_modified+0xcc/0xd0
+ ext4_buffered_write_iter+0x58/0x124
+ ext4_file_write_iter+0x54/0x704
+ vfs_write+0x1c0/0x308
+ ksys_write+0x74/0x10c
+ __arm64_sys_write+0x1c/0x28
+ invoke_syscall+0x48/0x114
+ el0_svc_common.constprop.0+0xc0/0xe0
+ do_el0_svc+0x1c/0x28
+ el0_svc+0x40/0xe4
+ el0t_64_sync_handler+0x120/0x12c
+ el0t_64_sync+0x194/0x198
+
+Root cause is:
+
+systemd-random-seed kworker
+----------------------------------------------------------------------
+___mark_inode_dirty inode_switch_wbs_work_fn
+
+ spin_lock(&inode->i_lock);
+ inode_attach_wb
+ locked_inode_to_wb_and_lock_list
+ get inode->i_wb
+ spin_unlock(&inode->i_lock);
+ spin_lock(&wb->list_lock)
+ spin_lock(&inode->i_lock)
+ inode_io_list_move_locked
+ spin_unlock(&wb->list_lock)
+ spin_unlock(&inode->i_lock)
+ spin_lock(&old_wb->list_lock)
+ inode_do_switch_wbs
+ spin_lock(&inode->i_lock)
+ inode->i_wb = new_wb
+ spin_unlock(&inode->i_lock)
+ spin_unlock(&old_wb->list_lock)
+ wb_put_many(old_wb, nr_switched)
+ cgwb_release
+ old wb released
+ wb_wakeup_delayed() accesses wb,
+ then trigger the use-after-free
+ issue
+
+Fix this race condition by holding inode spinlock until
+wb_wakeup_delayed() finished.
+
+Signed-off-by: Jiufei Xue <jiufei.xue@samsung.com>
+Link: https://lore.kernel.org/20250728100715.3863241-1-jiufei.xue@samsung.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Nazar Kalashnikov <sivartiwe@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+Backport fix for CVE-2025-39866
+ fs/fs-writeback.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/fs-writeback.c
++++ b/fs/fs-writeback.c
+@@ -2326,9 +2326,6 @@ void __mark_inode_dirty(struct inode *in
+ wakeup_bdi = inode_io_list_move_locked(inode, wb,
+ dirty_list);
+
+- spin_unlock(&wb->list_lock);
+- trace_writeback_dirty_inode_enqueue(inode);
+-
+ /*
+ * If this is the first dirty inode for this bdi,
+ * we have to wake-up the corresponding bdi thread
+@@ -2338,6 +2335,10 @@ void __mark_inode_dirty(struct inode *in
+ if (wakeup_bdi &&
+ (wb->bdi->capabilities & BDI_CAP_WRITEBACK))
+ wb_wakeup_delayed(wb);
++
++ spin_unlock(&wb->list_lock);
++ trace_writeback_dirty_inode_enqueue(inode);
++
+ return;
+ }
+ }
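Review bot: the commit message says the fix holds the inode spinlock until wb_wakeup_delayed() finishes, but the lock this hunk actually extends is `wb->list_lock`; `inode->i_lock` is not touched. Per the race diagram above that is the right lock: inode_do_switch_wbs() runs under `old_wb->list_lock`, and the wb_put_many()/cgwb_release that frees the old wb only happens after `spin_unlock(&old_wb->list_lock)`, so keeping `list_lock` across wb_wakeup_delayed() keeps the old wb alive. Suggest amending the backport note to say `wb->list_lock`, and adding a short comment above the moved `spin_unlock(&wb->list_lock);` explaining why the wakeup must happen before the unlock, since the ordering looks accidental otherwise. The tracepoint stays outside the lock, which is fine.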
--- /dev/null
+From matttbe@kernel.org Mon Dec 1 12:35:16 2025
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 1 Dec 2025 12:34:58 +0100
+Subject: mptcp: Fix proto fallback detection with BPF
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: MPTCP Upstream <mptcp@lists.linux.dev>, Jiayuan Chen <jiayuan.chen@linux.dev>, Martin KaFai Lau <martin.lau@kernel.org>, Jakub Sitnicki <jakub@cloudflare.com>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Message-ID: <20251201113457.3641925-2-matttbe@kernel.org>
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+commit c77b3b79a92e3345aa1ee296180d1af4e7031f8f upstream.
+
+The sockmap feature allows a bpf syscall from userspace, or bpf sockops,
+to replace the sk_prot of sockets during protocol stack processing with
+sockmap's custom read/write interfaces.
+'''
+tcp_rcv_state_process()
+ syn_recv_sock()/subflow_syn_recv_sock()
+ tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
+ bpf_skops_established <== sockops
+ bpf_sock_map_update(sk) <== call bpf helper
+ tcp_bpf_update_proto() <== update sk_prot
+'''
+
+When the server has MPTCP enabled but the client sends a TCP SYN
+without MPTCP, subflow_syn_recv_sock() performs a fallback on the
+subflow, replacing the subflow sk's sk_prot with the native sk_prot.
+'''
+subflow_syn_recv_sock()
+ subflow_ulp_fallback()
+ subflow_drop_ctx()
+ mptcp_subflow_ops_undo_override()
+'''
+
+Then, this subflow can be normally used by sockmap, which replaces the
+native sk_prot with sockmap's custom sk_prot. The issue occurs when the
+user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().
+Here, it uses sk->sk_prot to compare with the native sk_prot, but this
+is incorrect when sockmap is used, as we may incorrectly set
+sk->sk_socket->ops.
+
+This fix uses the more generic sk_family for the comparison instead.
+
+Additionally, this also prevents a WARNING from occurring:
+
+result from ./scripts/decode_stacktrace.sh:
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \
+(net/mptcp/protocol.c:4005)
+Modules linked in:
+...
+
+PKRU: 55555554
+Call Trace:
+<TASK>
+do_accept (net/socket.c:1989)
+__sys_accept4 (net/socket.c:2028 net/socket.c:2057)
+__x64_sys_accept (net/socket.c:2067)
+x64_sys_call (arch/x86/entry/syscall_64.c:41)
+do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+RIP: 0033:0x7f87ac92b83d
+
+---[ end trace 0000000000000000 ]---
+
+Fixes: 0b4f33def7bb ("mptcp: fix tcp fallback crash")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20251111060307.194196-3-jiayuan.chen@linux.dev
+[ Conflicts in protocol.c, because commit 8e2b8a9fa512 ("mptcp: don't
+ overwrite sock_ops in mptcp_is_tcpsk()") is not in this version. It
+ changes the logic on how and where the sock_ops is overridden in case
+ of passive fallback. To fix this, mptcp_is_tcpsk() is modified to use
+ the family, but first, a check of the protocol is required to continue
+ returning 'false' in case of MPTCP socket. ]
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -56,8 +56,13 @@ static struct socket *__mptcp_nmpc_socke
+ static bool mptcp_is_tcpsk(struct sock *sk)
+ {
+ struct socket *sock = sk->sk_socket;
++ unsigned short family;
+
+- if (unlikely(sk->sk_prot == &tcp_prot)) {
++ if (likely(sk->sk_protocol == IPPROTO_MPTCP))
++ return false;
++
++ family = READ_ONCE(sk->sk_family);
++ if (unlikely(family == AF_INET)) {
+ /* we are being invoked after mptcp_accept() has
+ * accepted a non-mp-capable flow: sk is a tcp_sk,
+ * not an mptcp one.
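Review bot: the early `if (likely(sk->sk_protocol == IPPROTO_MPTCP)) return false;` is what keeps real MPTCP sockets, whose sk_family is also AF_INET or AF_INET6, from being mis-detected once the comparison moves from sk_prot to sk_family; please confirm in this tree that a subflow that fell back in subflow_syn_recv_sock() keeps `sk_protocol == IPPROTO_TCP`, otherwise the fallback socket returns false here and `sock->ops` is never switched to inet_stream_ops, which is the case the fix is for. The existing comment ("sk is a tcp_sk, not an mptcp one") still describes the sk_prot-based test; updating it to say the family is compared because sockmap may have replaced sk_prot would record why the change was made. `READ_ONCE(sk->sk_family)` without a matching WRITE_ONCE() on the writer side is harmless, but a comment that sk_family is fixed at socket creation would explain why it is sufficient.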
+@@ -68,7 +73,7 @@ static bool mptcp_is_tcpsk(struct sock *
+ sock->ops = &inet_stream_ops;
+ return true;
+ #if IS_ENABLED(CONFIG_MPTCP_IPV6)
+- } else if (unlikely(sk->sk_prot == &tcpv6_prot)) {
++ } else if (unlikely(family == AF_INET6)) {
+ sock->ops = &inet6_stream_ops;
+ return true;
+ #endif
--- /dev/null
+From stable+bounces-197600-greg=kroah.com@vger.kernel.org Fri Nov 28 15:46:25 2025
+From: Nazar Kalashnikov <sivartiwe@gmail.com>
+Date: Fri, 28 Nov 2025 17:46:01 +0300
+Subject: netfilter: nf_set_pipapo: fix initial map fill
+To: stable@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Nazar Kalashnikov <sivartiwe@gmail.com>, Pablo Neira Ayuso <pablo@netfilter.org>, Jozsef Kadlecsik <kadlec@netfilter.org>, Florian Westphal <fw@strlen.de>, "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Yi Chen <yiche@redhat.com>, Stefano Brivio <sbrivio@redhat.com>
+Message-ID: <20251128144602.55408-1-sivartiwe@gmail.com>
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 791a615b7ad2258c560f91852be54b0480837c93 ]
+
+The initial buffer has to be initialised to all-ones, but this must be
+restricted to the size of the first field, not the total field size.
+
+After each round in the map search step, the result and the fill map
+are swapped, so if we have a set where f->bsize of the first element
+is smaller than m->bsize_max, those one-bits are leaked into future
+rounds result map.
+
+This makes pipapo find incorrect matching results for sets where the
+first field size is not the largest.
+
+Followup patch adds a test case to nft_concat_range.sh selftest script.
+
+Thanks to Stefano Brivio for pointing out that we need to zero out
+the remainder explicitly, only correcting memset() argument isn't enough.
+
+Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
+Reported-by: Yi Chen <yiche@redhat.com>
+Cc: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Nazar Kalashnikov <sivartiwe@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+Backport fix for CVE-2024-57947
+ net/netfilter/nft_set_pipapo.c | 4 ++--
+ net/netfilter/nft_set_pipapo.h | 21 +++++++++++++++++++++
+ net/netfilter/nft_set_pipapo_avx2.c | 10 ++++++----
+ 3 files changed, 29 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -432,7 +432,7 @@ bool nft_pipapo_lookup(const struct net
+ res_map = scratch->map + (map_index ? m->bsize_max : 0);
+ fill_map = scratch->map + (map_index ? 0 : m->bsize_max);
+
+- memset(res_map, 0xff, m->bsize_max * sizeof(*res_map));
++ pipapo_resmap_init(m, res_map);
+
+ nft_pipapo_for_each_field(f, i, m) {
+ bool last = i == m->field_count - 1;
+@@ -536,7 +536,7 @@ static struct nft_pipapo_elem *pipapo_ge
+ goto out;
+ }
+
+- memset(res_map, 0xff, m->bsize_max * sizeof(*res_map));
++ pipapo_resmap_init(m, res_map);
+
+ nft_pipapo_for_each_field(f, i, m) {
+ bool last = i == m->field_count - 1;
+--- a/net/netfilter/nft_set_pipapo.h
++++ b/net/netfilter/nft_set_pipapo.h
+@@ -287,4 +287,25 @@ static u64 pipapo_estimate_size(const st
+ return size;
+ }
+
++/**
++ * pipapo_resmap_init() - Initialise result map before first use
++ * @m: Matching data, including mapping table
++ * @res_map: Result map
++ *
++ * Initialize all bits covered by the first field to one, so that after
++ * the first step, only the matching bits of the first bit group remain.
++ *
++ * If other fields have a large bitmap, set remainder of res_map to 0.
++ */
++static inline void pipapo_resmap_init(const struct nft_pipapo_match *m, unsigned long *res_map)
++{
++ const struct nft_pipapo_field *f = m->f;
++ int i;
++
++ for (i = 0; i < f->bsize; i++)
++ res_map[i] = ULONG_MAX;
++
++ for (i = f->bsize; i < m->bsize_max; i++)
++ res_map[i] = 0ul;
++}
+ #endif /* _NFT_SET_PIPAPO_H */
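Review bot: the `static inline void pipapo_resmap_init(...)` signature runs well past 80 columns and should be wrapped, and the loop counter `i` is an `int` compared against `f->bsize` and `m->bsize_max`, which are unsigned in these structures, so consider `unsigned long i` to avoid a sign-compare warning. The helper dereferences `m->f` unconditionally, which is fine as long as every match structure has at least one field; a one-line comment stating that assumption would help. It also writes exactly `m->bsize_max` words, which is the size the replaced `memset(res_map, 0xff, m->bsize_max * sizeof(*res_map))` covered and the stride nft_pipapo_lookup() uses when it picks `res_map`/`fill_map` out of `scratch->map`, so the scratch allocation needs no change; worth saying so in the backport note since the helper is shared with the AVX2 path.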
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -1028,6 +1028,7 @@ nothing:
+
+ /**
+ * nft_pipapo_avx2_lookup_slow() - Fallback function for uncommon field sizes
++ * @mdata: Matching data, including mapping table
+ * @map: Previous match result, used as initial bitmap
+ * @fill: Destination bitmap to be filled with current match result
+ * @f: Field, containing lookup and mapping tables
+@@ -1043,7 +1044,8 @@ nothing:
+ * Return: -1 on no match, rule index of match if @last, otherwise first long
+ * word index to be checked next (i.e. first filled word).
+ */
+-static int nft_pipapo_avx2_lookup_slow(unsigned long *map, unsigned long *fill,
++static int nft_pipapo_avx2_lookup_slow(const struct nft_pipapo_match *mdata,
++ unsigned long *map, unsigned long *fill,
+ struct nft_pipapo_field *f, int offset,
+ const u8 *pkt, bool first, bool last)
+ {
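Review bot: the new first parameter is named `mdata` here while every caller in this patch passes `m` and the rest of the file uses `m` for `struct nft_pipapo_match`; renaming it to `m` (or documenting why it differs) keeps the slow path consistent with nft_pipapo_avx2_lookup(), and the `@mdata` kernel-doc line above would then follow.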
+@@ -1053,7 +1055,7 @@ static int nft_pipapo_avx2_lookup_slow(u
+ lt += offset * NFT_PIPAPO_LONGS_PER_M256;
+
+ if (first)
+- memset(map, 0xff, bsize * sizeof(*map));
++ pipapo_resmap_init(mdata, map);
+
+ for (i = offset; i < bsize; i++) {
+ if (f->bb == 8)
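Review bot: before this change the slow path initialised only `bsize` words, the current field's own size, and left the words from `bsize` up to `mdata->bsize_max` holding whatever a previous lookup wrote there; pipapo_resmap_init() now sets the first field's words to ones and zeroes the remainder. Because `first` implies `map` is the scratch result map of `bsize_max` words (see the `scratch->map + (map_index ? m->bsize_max : 0)` arithmetic in nft_pipapo_lookup()), the extra writes stay in bounds, but the local `bsize` a few lines above is the field size, so a reader may assume the init covers only that; a one-line comment above the call saying the helper writes `bsize_max` words would avoid that confusion.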
+@@ -1181,7 +1183,7 @@ next_match:
+ } else if (f->groups == 16) {
+ NFT_SET_PIPAPO_AVX2_LOOKUP(8, 16);
+ } else {
+- ret = nft_pipapo_avx2_lookup_slow(res, fill, f,
++ ret = nft_pipapo_avx2_lookup_slow(m, res, fill, f,
+ ret, rp,
+ first, last);
+ }
+@@ -1197,7 +1199,7 @@ next_match:
+ } else if (f->groups == 32) {
+ NFT_SET_PIPAPO_AVX2_LOOKUP(4, 32);
+ } else {
+- ret = nft_pipapo_avx2_lookup_slow(res, fill, f,
++ ret = nft_pipapo_avx2_lookup_slow(m, res, fill, f,
+ ret, rp,
+ first, last);
+ }
--- /dev/null
+From stable+bounces-198082-greg=kroah.com@vger.kernel.org Tue Dec 2 13:05:03 2025
+From: lanbincn@qq.com
+Date: Tue, 2 Dec 2025 12:03:16 +0000
+Subject: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
+To: stable@vger.kernel.org
+Cc: Vasiliy Kovalev <kovalev@altlinux.org>, syzbot+316db8a1191938280eb6@syzkaller.appspotmail.com, Amir Goldstein <amir73il@gmail.com>, Christian Brauner <brauner@kernel.org>, Bin Lan <lanbincn@qq.com>
+Message-ID: <tencent_1C06EA434AF2CC3A0A871786BDE18996A505@qq.com>
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+[ Upstream commit c84e125fff2615b4d9c259e762596134eddd2f27 ]
+
+The issue was caused by dput(upper) being called before
+ovl_dentry_update_reval(), while upper->d_flags was still
+accessed in ovl_dentry_remote().
+
+Move dput(upper) after its last use to prevent use-after-free.
+
+BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
+BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
+
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0xc3/0x620 mm/kasan/report.c:488
+ kasan_report+0xd9/0x110 mm/kasan/report.c:601
+ ovl_dentry_remote fs/overlayfs/util.c:162 [inline]
+ ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167
+ ovl_link_up fs/overlayfs/copy_up.c:610 [inline]
+ ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170
+ ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223
+ ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136
+ vfs_rename+0xf84/0x20a0 fs/namei.c:4893
+...
+ </TASK>
+
+Fixes: b07d5cc93e1b ("ovl: update of dentry revalidate flags after copy up")
+Reported-by: syzbot+316db8a1191938280eb6@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=316db8a1191938280eb6
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Link: https://lore.kernel.org/r/20250214215148.761147-1-kovalev@altlinux.org
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+[ Minor context change fixed. ]
+Signed-off-by: Bin Lan <lanbincn@qq.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/copy_up.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -469,7 +469,6 @@ static int ovl_link_up(struct ovl_copy_u
+ err = PTR_ERR(upper);
+ if (!IS_ERR(upper)) {
+ err = ovl_do_link(ovl_dentry_upper(c->dentry), udir, upper);
+- dput(upper);
+
+ if (!err) {
+ /* Restore timestamps on parent (best effort) */
+@@ -477,6 +476,7 @@ static int ovl_link_up(struct ovl_copy_u
+ ovl_dentry_set_upper_alias(c->dentry);
+ ovl_dentry_update_reval(c->dentry, upper);
+ }
++ dput(upper);
+ }
+ inode_unlock(udir);
+ if (err)
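Review bot: with `dput(upper)` moved below the `if (!err)` block the reference is still dropped on the ovl_do_link() failure path, so there is no leak, and `upper` now stays alive while ovl_dentry_update_reval() reads its d_flags, which is the use-after-free the trace shows. Suggest a short comment at the new `dput(upper);` line ("upper must outlive ovl_dentry_update_reval()") so that a later cleanup does not hoist it back up next to ovl_do_link().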
--- /dev/null
+From stable+bounces-197601-greg=kroah.com@vger.kernel.org Fri Nov 28 15:48:02 2025
+From: Nazar Kalashnikov <sivartiwe@gmail.com>
+Date: Fri, 28 Nov 2025 17:48:15 +0300
+Subject: scsi: pm80xx: Set phy->enable_completion only when we
+To: stable@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Nazar Kalashnikov <sivartiwe@gmail.com>, Jack Wang <jinpu.wang@cloud.ionos.com>, "James E.J. Bottomley" <jejb@linux.ibm.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Igor Pylypiv <ipylypiv@google.com>, Terrence Adams <tadamsjr@google.com>, Jack Wang <jinpu.wang@ionos.com>
+Message-ID: <20251128144816.55522-1-sivartiwe@gmail.com>
+
+From: Igor Pylypiv <ipylypiv@google.com>
+
+[ Upstream commit e4f949ef1516c0d74745ee54a0f4882c1f6c7aea ]
+
+pm8001_phy_control() populates the enable_completion pointer with a stack
+address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and
+returns. The problem arises when a phy control response comes late. After
+300 ms the pm8001_phy_control() function returns and the passed
+enable_completion stack address is no longer valid. Late phy control
+response invokes complete() on a dangling enable_completion pointer which
+leads to a kernel crash.
+
+Signed-off-by: Igor Pylypiv <ipylypiv@google.com>
+Signed-off-by: Terrence Adams <tadamsjr@google.com>
+Link: https://lore.kernel.org/r/20240627155924.2361370-2-tadamsjr@google.com
+Acked-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Nazar Kalashnikov <sivartiwe@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+Backport fix for CVE-2024-47666
+ drivers/scsi/pm8001/pm8001_sas.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/pm8001/pm8001_sas.c
++++ b/drivers/scsi/pm8001/pm8001_sas.c
+@@ -163,7 +163,6 @@ int pm8001_phy_control(struct asd_sas_ph
+ unsigned long flags;
+ pm8001_ha = sas_phy->ha->lldd_ha;
+ phy = &pm8001_ha->phy[phy_id];
+- pm8001_ha->phy[phy_id].enable_completion = &completion;
+ switch (func) {
+ case PHY_FUNC_SET_LINK_RATE:
+ rates = funcdata;
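Review bot: dropping the unconditional `enable_completion = &completion;` fixes the cases where the function never waits (phy functions without a wait, or `phy_state != PHY_LINK_DISABLE`), but in the three branches that do wait the pointer still refers to the on-stack `completion` after wait_for_completion() returns and pm8001_phy_control() exits, so a second or late phy-control response would still call complete() on a dead stack frame. Suggest setting `pm8001_ha->phy[phy_id].enable_completion = NULL;` immediately after each wait_for_completion(), or clearing it in the completion handler before complete() is called, and noting in the commit message that this patch narrows the window rather than closing it.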
+@@ -176,6 +175,7 @@ int pm8001_phy_control(struct asd_sas_ph
+ rates->maximum_linkrate;
+ }
+ if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) {
++ pm8001_ha->phy[phy_id].enable_completion = &completion;
+ PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id);
+ wait_for_completion(&completion);
+ }
+@@ -184,6 +184,7 @@ int pm8001_phy_control(struct asd_sas_ph
+ break;
+ case PHY_FUNC_HARD_RESET:
+ if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) {
++ pm8001_ha->phy[phy_id].enable_completion = &completion;
+ PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id);
+ wait_for_completion(&completion);
+ }
+@@ -192,6 +193,7 @@ int pm8001_phy_control(struct asd_sas_ph
+ break;
+ case PHY_FUNC_LINK_RESET:
+ if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) {
++ pm8001_ha->phy[phy_id].enable_completion = &completion;
+ PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id);
+ wait_for_completion(&completion);
+ }
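Review bot: the same four-line block (`if (phy_state == PHY_LINK_DISABLE) { enable_completion = &completion; phy_start_req(); wait_for_completion(); }`) now appears three times in this function; a small static helper that takes the `phy_id` and the completion would keep the three copies from drifting apart when the pointer handling is tightened further.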
drm-sti-fix-device-leaks-at-component-probe.patch
drm-amd-display-check-null-before-accessing.patch
libceph-fix-potential-use-after-free-in-have_mon_and_osd_map.patch
+fs-writeback-fix-use-after-free-in-__mark_inode_dirty.patch
+bluetooth-add-more-enc-key-size-check.patch
+netfilter-nf_set_pipapo-fix-initial-map-fill.patch
+scsi-pm80xx-set-phy-enable_completion-only-when-we.patch
+mptcp-fix-proto-fallback-detection-with-bpf.patch
+smb-client-fix-memory-leak-in-cifs_construct_tcon.patch
+usb-typec-ucsi-psy-set-max-current-to-zero-when-disconnected.patch
+usb-renesas_usbhs-fix-synchronous-external-abort-on-unbind.patch
+usb-uas-fix-urb-unmapping-issue-when-the-uas-device-is-remove-during-ongoing-data-transfer.patch
+ovl-fix-uaf-in-ovl_dentry_update_reval-by-moving-dput-in-ovl_link_up.patch
--- /dev/null
+From stable+bounces-198006-greg=kroah.com@vger.kernel.org Mon Dec 1 23:25:06 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Dec 2025 17:24:51 -0500
+Subject: smb: client: fix memory leak in cifs_construct_tcon()
+To: stable@vger.kernel.org
+Cc: Paulo Alcantara <pc@manguebit.org>, David Howells <dhowells@redhat.com>, Jay Shin <jaeshin@redhat.com>, linux-cifs@vger.kernel.org, Steve French <stfrench@microsoft.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251201222451.1290758-1-sashal@kernel.org>
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit 3184b6a5a24ec9ee74087b2a550476f386df7dc2 ]
+
+When having a multiuser mount with domain= specified and using
+cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname,
+so it needs to be freed before leaving cifs_construct_tcon().
+
+This fixes the following memory leak reported by kmemleak:
+
+ mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,...
+ su - testuser
+ cifscreds add -d ZELDA -u testuser
+ ...
+ ls /mnt/1
+ ...
+ umount /mnt
+ echo scan > /sys/kernel/debug/kmemleak
+ cat /sys/kernel/debug/kmemleak
+ unreferenced object 0xffff8881203c3f08 (size 8):
+ comm "ls", pid 5060, jiffies 4307222943
+ hex dump (first 8 bytes):
+ 5a 45 4c 44 41 00 cc cc ZELDA...
+ backtrace (crc d109a8cf):
+ __kmalloc_node_track_caller_noprof+0x572/0x710
+ kstrdup+0x3a/0x70
+ cifs_sb_tlink+0x1209/0x1770 [cifs]
+ cifs_get_fattr+0xe1/0xf50 [cifs]
+ cifs_get_inode_info+0xb5/0x240 [cifs]
+ cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs]
+ cifs_getattr+0x28e/0x450 [cifs]
+ vfs_getattr_nosec+0x126/0x180
+ vfs_statx+0xf6/0x220
+ do_statx+0xab/0x110
+ __x64_sys_statx+0xd5/0x130
+ do_syscall_64+0xbb/0x380
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: f2aee329a68f ("cifs: set domainName when a domain-key is used in multiuser")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Reviewed-by: David Howells <dhowells@redhat.com>
+Cc: Jay Shin <jaeshin@redhat.com>
+Cc: stable@vger.kernel.org
+Cc: linux-cifs@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[ Different path + ctx -> vol_info ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/connect.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -5162,6 +5162,7 @@ cifs_construct_tcon(struct cifs_sb_info
+
+ out:
+ kfree(vol_info->username);
++ kfree(vol_info->domainname);
+ kfree_sensitive(vol_info->password);
+ kfree(vol_info);
+
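Review bot: `kfree(vol_info->domainname)` is correct only if this tree's cifs_set_cifscreds() really kstrdup()s into `vol_info->domainname` as the kmemleak backtrace shows for the upstream ctx field; the backport note says only "ctx -> vol_info", so please confirm that the Fixes commit f2aee329a68f (or its backport) is present here. If it is not, the member is NULL and the kfree() is a harmless no-op, but then the patch does not fix anything in this tree and should say so.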
--- /dev/null
+From stable+bounces-198027-greg=kroah.com@vger.kernel.org Tue Dec 2 02:27:45 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Dec 2025 20:27:36 -0500
+Subject: usb: renesas_usbhs: Fix synchronous external abort on unbind
+To: stable@vger.kernel.org
+Cc: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>, stable <stable@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251202012736.1580110-1-sashal@kernel.org>
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+[ Upstream commit eb9ac779830b2235847b72cb15cf07c7e3333c5e ]
+
+A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is
+executed after the configuration sequence described above:
+
+modprobe usb_f_ecm
+modprobe libcomposite
+modprobe configfs
+cd /sys/kernel/config/usb_gadget
+mkdir -p g1
+cd g1
+echo "0x1d6b" > idVendor
+echo "0x0104" > idProduct
+mkdir -p strings/0x409
+echo "0123456789" > strings/0x409/serialnumber
+echo "Renesas." > strings/0x409/manufacturer
+echo "Ethernet Gadget" > strings/0x409/product
+mkdir -p functions/ecm.usb0
+mkdir -p configs/c.1
+mkdir -p configs/c.1/strings/0x409
+echo "ECM" > configs/c.1/strings/0x409/configuration
+
+if [ ! -L configs/c.1/ecm.usb0 ]; then
+ ln -s functions/ecm.usb0 configs/c.1
+fi
+
+echo 11e20000.usb > UDC
+echo 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind
+
+The displayed trace is as follows:
+
+ Internal error: synchronous external abort: 0000000096000010 [#1] SMP
+ CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT
+ Tainted: [M]=MACHINE_CHECK
+ Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT)
+ pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs]
+ lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs]
+ sp : ffff8000838b3920
+ x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000
+ x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810
+ x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000
+ x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020
+ x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344
+ x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000
+ x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418
+ x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d
+ x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000
+ x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80
+ Call trace:
+ usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P)
+ usbhsg_pullup+0x4c/0x7c [renesas_usbhs]
+ usb_gadget_disconnect_locked+0x48/0xd4
+ gadget_unbind_driver+0x44/0x114
+ device_remove+0x4c/0x80
+ device_release_driver_internal+0x1c8/0x224
+ device_release_driver+0x18/0x24
+ bus_remove_device+0xcc/0x10c
+ device_del+0x14c/0x404
+ usb_del_gadget+0x88/0xc0
+ usb_del_gadget_udc+0x18/0x30
+ usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs]
+ usbhs_mod_remove+0x20/0x30 [renesas_usbhs]
+ usbhs_remove+0x98/0xdc [renesas_usbhs]
+ platform_remove+0x20/0x30
+ device_remove+0x4c/0x80
+ device_release_driver_internal+0x1c8/0x224
+ device_driver_detach+0x18/0x24
+ unbind_store+0xb4/0xb8
+ drv_attr_store+0x24/0x38
+ sysfs_kf_write+0x7c/0x94
+ kernfs_fop_write_iter+0x128/0x1b8
+ vfs_write+0x2ac/0x350
+ ksys_write+0x68/0xfc
+ __arm64_sys_write+0x1c/0x28
+ invoke_syscall+0x48/0x110
+ el0_svc_common.constprop.0+0xc0/0xe0
+ do_el0_svc+0x1c/0x28
+ el0_svc+0x34/0xf0
+ el0t_64_sync_handler+0xa0/0xe4
+ el0t_64_sync+0x198/0x19c
+ Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021)
+ ---[ end trace 0000000000000000 ]---
+ note: sh[188] exited with irqs disabled
+ note: sh[188] exited with preempt_count 1
+
+The issue occurs because usbhs_sys_function_pullup(), which accesses the IP
+registers, is executed after the USBHS clocks have been disabled. The
+problem is reproducible on the Renesas RZ/G3S SoC starting with the
+addition of module stop in the clock enable/disable APIs. With module stop
+functionality enabled, a bus error is expected if a master accesses a
+module whose clock has been stopped and module stop activated.
+
+Disable the IP clocks at the end of remove.
+
+Cc: stable <stable@kernel.org>
+Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code")
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Link: https://patch.msgid.link/20251027140741.557198-1-claudiu.beznea.uj@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/renesas_usbhs/common.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/renesas_usbhs/common.c
++++ b/drivers/usb/renesas_usbhs/common.c
+@@ -802,19 +802,19 @@ static int usbhs_remove(struct platform_
+
+ flush_delayed_work(&priv->notify_hotplug_work);
+
+- /* power off */
+- if (!usbhs_get_dparam(priv, runtime_pwctrl))
+- usbhsc_power_ctrl(priv, 0);
+-
+- pm_runtime_disable(&pdev->dev);
+-
+ usbhs_platform_call(priv, hardware_exit, pdev);
+- usbhsc_clk_put(priv);
+ reset_control_assert(priv->rsts);
+ usbhs_mod_remove(priv);
+ usbhs_fifo_remove(priv);
+ usbhs_pipe_remove(priv);
+
++ /* power off */
++ if (!usbhs_get_dparam(priv, runtime_pwctrl))
++ usbhsc_power_ctrl(priv, 0);
++
++ usbhsc_clk_put(priv);
++ pm_runtime_disable(&pdev->dev);
++
+ return 0;
+ }
+
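Review bot: the hunk also changes the order between usbhsc_power_ctrl(priv, 0) and reset_control_assert(priv->rsts): before the patch the power-off ran ahead of hardware_exit and the reset assert, after it runs once the reset is already asserted and the mod/fifo/pipe teardown has finished. The commit message only justifies keeping the clocks enabled until usbhs_mod_remove() is done, so either state in the message that usbhsc_power_ctrl() does not depend on the reset being deasserted, or leave the `/* power off */` block where it was and move only `usbhsc_clk_put(priv);` and `pm_runtime_disable(&pdev->dev);` to the end. Note as well that pm_runtime_disable() now runs after usbhsc_clk_put() instead of before it; if the runtime PM callbacks touch the same clocks, disabling runtime PM first is the safer order.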
--- /dev/null
+From stable+bounces-198026-greg=kroah.com@vger.kernel.org Tue Dec 2 02:06:29 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Dec 2025 20:06:19 -0500
+Subject: usb: typec: ucsi: psy: Set max current to zero when disconnected
+To: stable@vger.kernel.org
+Cc: Jameson Thies <jthies@google.com>, Benson Leung <bleung@chromium.org>, Heikki Krogerus <heikki.krogerus@linux.intel.com>, Sebastian Reichel <sebastian.reichel@collabora.com>, "Kenneth R. Crudup" <kenny@panix.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251202010619.1551492-1-sashal@kernel.org>
+
+From: Jameson Thies <jthies@google.com>
+
+[ Upstream commit 23379a17334fc24c4a9cbd9967d33dcd9323cc7c ]
+
+The ucsi_psy_get_current_max function defaults to 0.1A when it is not
+clear how much current the partner device can support. But this does
+not check the port is connected, and will report 0.1A max current when
+nothing is connected. Update ucsi_psy_get_current_max to report 0A when
+there is no connection.
+
+Fixes: af833e7f7db3 ("usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jameson Thies <jthies@google.com>
+Reviewed-by: Benson Leung <bleung@chromium.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Tested-by: Kenneth R. Crudup <kenny@panix.com>
+Rule: add
+Link: https://lore.kernel.org/stable/20251017000051.2094101-1-jthies%40google.com
+Link: https://patch.msgid.link/20251106011446.2052583-1-jthies@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ adapted UCSI_CONSTAT() macro to direct flag access ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/psy.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/typec/ucsi/psy.c
++++ b/drivers/usb/typec/ucsi/psy.c
+@@ -123,6 +123,11 @@ static int ucsi_psy_get_current_max(stru
+ {
+ u32 pdo;
+
++ if (!(con->status.flags & UCSI_CONSTAT_CONNECTED)) {
++ val->intval = 0;
++ return 0;
++ }
++
+ switch (UCSI_CONSTAT_PWR_OPMODE(con->status.flags)) {
+ case UCSI_CONSTAT_PWR_OPMODE_PD:
+ if (con->num_pdos > 0) {
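Review bot: the early return is consistent with the rest of the hunk (UCSI_CONSTAT_CONNECTED is tested on the same con->status.flags word that the switch below passes to UCSI_CONSTAT_PWR_OPMODE(), matching the backport note about direct flag access), but a one-line comment above the check saying why 0 rather than the 0.1A default is reported when no partner is attached would help a future reader, since the default is chosen elsewhere in the function. Nothing in the hunk shows how con->status is protected against a concurrent connector status update; if the caller does not hold the connector lock, say so in the message, since the worst case is a transient stale report rather than a memory-safety problem.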
--- /dev/null
+From stable+bounces-198030-greg=kroah.com@vger.kernel.org Tue Dec 2 02:48:56 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Dec 2025 20:48:40 -0500
+Subject: usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer
+To: stable@vger.kernel.org
+Cc: Owen Gu <guhuinan@xiaomi.com>, stable <stable@kernel.org>, Yu Chen <chenyu45@xiaomi.com>, Oliver Neukum <oneukum@suse.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251202014840.1603338-1-sashal@kernel.org>
+
+From: Owen Gu <guhuinan@xiaomi.com>
+
+[ Upstream commit 26d56a9fcb2014b99e654127960aa0a48a391e3c ]
+
+When a UAS device is unplugged during data transfer, there is
+a probability of a system panic occurring. The root cause is
+an access to an invalid memory address during URB callback handling.
+Specifically, this happens when the dma_direct_unmap_sg() function
+is called within the usb_hcd_unmap_urb_for_dma() interface, but the
+sg->dma_address field is 0 and the sg data structure has already been
+freed.
+
+The SCSI driver sends transfer commands by invoking uas_queuecommand_lck()
+in uas.c, using the uas_submit_urbs() function to submit requests to USB.
+Within the uas_submit_urbs() implementation, three URBs (sense_urb,
+data_urb, and cmd_urb) are sequentially submitted. Device removal may
+occur at any point during uas_submit_urbs execution, which may result
+in URB submission failure. However, some URBs might have been successfully
+submitted before the failure, and uas_submit_urbs will return the -ENODEV
+error code in this case. The current error handling directly calls
+scsi_done(). In the SCSI driver, this eventually triggers scsi_complete()
+to invoke scsi_end_request() for releasing the sgtable. The successfully
+submitted URBs, when being unlinked to giveback, call
+usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg
+unmapping operations since the sg data structure has already been freed.
+
+This patch modifies the error condition check in the uas_submit_urbs()
+function. When a UAS device is removed but one or more URBs have already
+been successfully submitted to USB, it avoids immediately invoking
+scsi_done() and saves the cmnd to the devinfo->cmnd array. If the successfully
+submitted URBs are completed before devinfo->resetting is set, then
+the scsi_done() function will be called within uas_try_complete() after
+all pending URB operations are finalized. Otherwise, the scsi_done()
+function will be called within uas_zap_pending(), which is executed after
+usb_kill_anchored_urbs().
+
+The error handling only takes effect when uas_queuecommand_lck() calls
+uas_submit_urbs() and returns the error value -ENODEV. In this case,
+the device is disconnected, and the flow proceeds to uas_disconnect(),
+where uas_zap_pending() is invoked to call uas_try_complete().
+
+Fixes: eb2a86ae8c54 ("USB: UAS: fix disconnect by unplugging a hub")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Yu Chen <chenyu45@xiaomi.com>
+Signed-off-by: Owen Gu <guhuinan@xiaomi.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Link: https://patch.msgid.link/20251120123336.3328-1-guhuinan@xiaomi.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ adapted scsi_done(cmnd) helper to older cmnd->scsi_done(cmnd) callback API ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/uas.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -705,7 +705,11 @@ static int uas_queuecommand_lck(struct s
+ * of queueing, no matter how fatal the error
+ */
+ if (err == -ENODEV) {
+- set_host_byte(cmnd, DID_ERROR);
++ if (cmdinfo->state & (COMMAND_INFLIGHT | DATA_IN_URB_INFLIGHT |
++ DATA_OUT_URB_INFLIGHT))
++ goto out;
++
++ set_host_byte(cmnd, DID_NO_CONNECT);
+ cmnd->scsi_done(cmnd);
+ goto zombie;
+ }
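Review bot: two points in the -ENODEV branch need documenting. First, the host byte for the fully failed case changes from DID_ERROR to DID_NO_CONNECT; the SCSI midlayer handles these differently (DID_NO_CONNECT completes the command as a missing device, whereas DID_ERROR can be retried), and the commit message does not mention the change, so either call it out explicitly or keep DID_ERROR in this fix. Second, the comment directly above (`* of queueing, no matter how fatal the error`) no longer describes the new path: when COMMAND_INFLIGHT, DATA_IN_URB_INFLIGHT or DATA_OUT_URB_INFLIGHT is set, the function jumps to out: and leaves completion to uas_try_complete()/uas_zap_pending() instead of completing the command here. Update that comment to state that ownership of cmnd passes to the URB completion path in this case.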
+@@ -718,6 +722,7 @@ static int uas_queuecommand_lck(struct s
+ uas_add_work(cmdinfo);
+ }
+
++out:
+ devinfo->cmnd[idx] = cmnd;
+ zombie:
+ spin_unlock_irqrestore(&devinfo->lock, flags);
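Review bot: the `out:` label sits directly in front of `devinfo->cmnd[idx] = cmnd;` and is only reached from the -ENODEV path when a URB is already in flight. A short comment at the label stating that the command is deliberately kept in devinfo->cmnd[] so that uas_try_complete(), or uas_zap_pending() after usb_kill_anchored_urbs(), completes it would make the intent visible where it matters; as written, a reader of this hunk only sees an error path registering a command as if it had been queued successfully.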