--- /dev/null
+From c28f31deeacda307acfee2f18c0ad904e5123aac Mon Sep 17 00:00:00 2001
+From: Angelos Oikonomopoulos <angelos@igalia.com>
+Date: Tue, 1 Apr 2025 10:51:50 +0200
+Subject: arm64: Don't call NULL in do_compat_alignment_fixup()
+
+From: Angelos Oikonomopoulos <angelos@igalia.com>
+
+commit c28f31deeacda307acfee2f18c0ad904e5123aac upstream.
+
+do_alignment_t32_to_handler() only fixes up alignment faults for
+specific instructions; it returns NULL otherwise (e.g. LDREX). When
+that's the case, signal to the caller that it needs to proceed with the
+regular alignment fault handling (i.e. SIGBUS). Without this patch, the
+kernel panics:
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+ Mem abort info:
+ ESR = 0x0000000086000006
+ EC = 0x21: IABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x06: level 2 translation fault
+ user pgtable: 4k pages, 48-bit VAs, pgdp=00000800164aa000
+ [0000000000000000] pgd=0800081fdbd22003, p4d=0800081fdbd22003, pud=08000815d51c6003, pmd=0000000000000000
+ Internal error: Oops: 0000000086000006 [#1] SMP
+ Modules linked in: cfg80211 rfkill xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat br_netfilter veth nvme_fa>
+ libcrc32c crc32c_generic raid0 multipath linear dm_mod dax raid1 md_mod xhci_pci nvme xhci_hcd nvme_core t10_pi usbcore igb crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_ce crct10dif_common usb_common i2c_algo_bit i2c>
+ CPU: 2 PID: 3932954 Comm: WPEWebProcess Not tainted 6.1.0-31-arm64 #1 Debian 6.1.128-1
+ Hardware name: GIGABYTE MP32-AR1-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021
+ pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : 0x0
+ lr : do_compat_alignment_fixup+0xd8/0x3dc
+ sp : ffff80000f973dd0
+ x29: ffff80000f973dd0 x28: ffff081b42526180 x27: 0000000000000000
+ x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
+ x23: 0000000000000004 x22: 0000000000000000 x21: 0000000000000001
+ x20: 00000000e8551f00 x19: ffff80000f973eb0 x18: 0000000000000000
+ x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
+ x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000000 x10: 0000000000000000 x9 : ffffaebc949bc488
+ x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
+ x5 : 0000000000400000 x4 : 0000fffffffffffe x3 : 0000000000000000
+ x2 : ffff80000f973eb0 x1 : 00000000e8551f00 x0 : 0000000000000001
+ Call trace:
+ 0x0
+ do_alignment_fault+0x40/0x50
+ do_mem_abort+0x4c/0xa0
+ el0_da+0x48/0xf0
+ el0t_32_sync_handler+0x110/0x140
+ el0t_32_sync+0x190/0x194
+ Code: bad PC value
+ ---[ end trace 0000000000000000 ]---
+
+Signed-off-by: Angelos Oikonomopoulos <angelos@igalia.com>
+Fixes: 3fc24ef32d3b ("arm64: compat: Implement misalignment fixups for multiword loads")
+Cc: <stable@vger.kernel.org> # 6.1.x
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/20250401085150.148313-1-angelos@igalia.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/compat_alignment.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/kernel/compat_alignment.c
++++ b/arch/arm64/kernel/compat_alignment.c
+@@ -368,6 +368,8 @@ int do_compat_alignment_fixup(unsigned l
+ return 1;
+ }
+
++ if (!handler)
++ return 1;
+ type = handler(addr, instr, regs);
+
+ if (type == TYPE_ERROR || type == TYPE_FAULT)
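Review bot: The new `if (!handler) return 1;` relies on the reader knowing that 1 means "not fixed up, fall through to the normal SIGBUS path", which only the neighbouring `return 1;` at the top of the hunk and the commit message make clear. A one-line comment would keep it from being read as a success code, e.g. `/* no fixup for this encoding (e.g. LDREX): let the regular alignment fault handling raise SIGBUS */`. do_compat_alignment_fixup() starts and ends outside the hunk, so I could not confirm that every path which leaves `handler` NULL passes through this single check.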
--- /dev/null
+From af7bb0d2ca459f15cb5ca604dab5d9af103643f0 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Mon, 24 Mar 2025 17:00:03 +0100
+Subject: exec: fix the racy usage of fs_struct->in_exec
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit af7bb0d2ca459f15cb5ca604dab5d9af103643f0 upstream.
+
+check_unsafe_exec() sets fs->in_exec under cred_guard_mutex, then execve()
+paths clear fs->in_exec lockless. This is fine if exec succeeds, but if it
+fails we have the following race:
+
+ T1 sets fs->in_exec = 1, fails, drops cred_guard_mutex
+
+ T2 sets fs->in_exec = 1
+
+ T1 clears fs->in_exec
+
+ T2 continues with fs->in_exec == 0
+
+Change fs/exec.c to clear fs->in_exec with cred_guard_mutex held.
+
+Reported-by: syzbot+1c486d0b62032c82a968@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67dc67f0.050a0220.25ae54.001f.GAE@google.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Link: https://lore.kernel.org/r/20250324160003.GA8878@redhat.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exec.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1257,13 +1257,12 @@ int begin_new_exec(struct linux_binprm *
+ */
+ bprm->point_of_no_return = true;
+
+- /*
+- * Make this the only thread in the thread group.
+- */
++ /* Make this the only thread in the thread group */
+ retval = de_thread(me);
+ if (retval)
+ goto out;
+-
++ /* see the comment in check_unsafe_exec() */
++ current->fs->in_exec = 0;
+ /*
+ * Cancel any io_uring activity across execve
+ */
+@@ -1516,6 +1515,8 @@ static void free_bprm(struct linux_binpr
+ }
+ free_arg_pages(bprm);
+ if (bprm->cred) {
++ /* in case exec fails before de_thread() succeeds */
++ current->fs->in_exec = 0;
+ mutex_unlock(¤t->signal->cred_guard_mutex);
+ abort_creds(bprm->cred);
+ }
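Review bot: The new `current->fs->in_exec = 0;` in free_bprm() is correct only because it sits before `mutex_unlock(&current->signal->cred_guard_mutex)`, and the comment `/* in case exec fails before de_thread() succeeds */` does not say so although the ordering is the whole point of the fix; I would extend it to `/* in case exec fails before de_thread() succeeds; must stay under cred_guard_mutex, see check_unsafe_exec() */`. The same dependency applies to the store added after de_thread() in the begin_new_exec() hunk above, which the commit message says also runs with the mutex held. The `¤t` on the mutex_unlock line looks like an extraction artifact for `&current` rather than part of the patch. free_bprm() starts before the hunk and continues after it.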
+@@ -1604,6 +1605,10 @@ static void check_unsafe_exec(struct lin
+ * suid exec because the differently privileged task
+ * will be able to manipulate the current directory, etc.
+ * It would be nice to force an unshare instead...
++ *
++ * Otherwise we set fs->in_exec = 1 to deny clone(CLONE_FS)
++ * from another sub-thread until de_thread() succeeds, this
++ * state is protected by cred_guard_mutex we hold.
+ */
+ t = p;
+ n_fs = 1;
+@@ -1890,7 +1895,6 @@ static int bprm_execve(struct linux_binp
+
+ sched_mm_cid_after_execve(current);
+ /* execve succeeded */
+- current->fs->in_exec = 0;
+ current->in_execve = 0;
+ rseq_execve(current);
+ user_events_execve(current);
+@@ -1910,7 +1914,6 @@ out:
+
+ out_unmark:
+ sched_mm_cid_after_execve(current);
+- current->fs->in_exec = 0;
+ current->in_execve = 0;
+
+ return retval;
--- /dev/null
+From f87d3af7419307ae26e705a2b2db36140db367a2 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Fri, 14 Mar 2025 00:38:42 -0400
+Subject: ext4: don't over-report free space or inodes in statvfs
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit f87d3af7419307ae26e705a2b2db36140db367a2 upstream.
+
+This fixes an analogous bug that was fixed in xfs in commit
+4b8d867ca6e2 ("xfs: don't over-report free space or inodes in
+statvfs") where statfs can report misleading / incorrect information
+where project quota is enabled, and the free space is less than the
+remaining quota.
+
+This commit will resolve a test failure in generic/762 which tests for
+this bug.
+
+Cc: stable@kernel.org
+Fixes: 689c958cbe6b ("ext4: add project quota support")
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -6808,22 +6808,29 @@ static int ext4_statfs_project(struct su
+ dquot->dq_dqb.dqb_bhardlimit);
+ limit >>= sb->s_blocksize_bits;
+
+- if (limit && buf->f_blocks > limit) {
++ if (limit) {
++ uint64_t remaining = 0;
++
+ curblock = (dquot->dq_dqb.dqb_curspace +
+ dquot->dq_dqb.dqb_rsvspace) >> sb->s_blocksize_bits;
+- buf->f_blocks = limit;
+- buf->f_bfree = buf->f_bavail =
+- (buf->f_blocks > curblock) ?
+- (buf->f_blocks - curblock) : 0;
++ if (limit > curblock)
++ remaining = limit - curblock;
++
++ buf->f_blocks = min(buf->f_blocks, limit);
++ buf->f_bfree = min(buf->f_bfree, remaining);
++ buf->f_bavail = min(buf->f_bavail, remaining);
+ }
+
+ limit = min_not_zero(dquot->dq_dqb.dqb_isoftlimit,
+ dquot->dq_dqb.dqb_ihardlimit);
+- if (limit && buf->f_files > limit) {
+- buf->f_files = limit;
+- buf->f_ffree =
+- (buf->f_files > dquot->dq_dqb.dqb_curinodes) ?
+- (buf->f_files - dquot->dq_dqb.dqb_curinodes) : 0;
++ if (limit) {
++ uint64_t remaining = 0;
++
++ if (limit > dquot->dq_dqb.dqb_curinodes)
++ remaining = limit - dquot->dq_dqb.dqb_curinodes;
++
++ buf->f_files = min(buf->f_files, limit);
++ buf->f_ffree = min(buf->f_ffree, remaining);
+ }
+
+ spin_unlock(&dquot->dq_dqb_lock);
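Review bot: Both new `uint64_t remaining = 0;` declarations use the userspace typedef where kernel code conventionally uses `u64` (checkpatch reports this as PREFER_KERNEL_TYPES); `u64 remaining = 0;` in both blocks would match the rest of fs/ext4. The logic itself is sound: each min() can now only lower the reported figure, so a quota limit above the filesystem's own free space no longer inflates f_bfree, f_bavail or f_ffree. ext4_statfs_project() starts before and ends after this hunk, so the declared types of `limit` and `curblock` are not visible; if either is not u64, the kernel's type-checked min() will warn.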
--- /dev/null
+From d5e206778e96e8667d3bde695ad372c296dc9353 Mon Sep 17 00:00:00 2001
+From: "Acs, Jakub" <acsjakub@amazon.de>
+Date: Thu, 20 Mar 2025 15:46:49 +0000
+Subject: ext4: fix OOB read when checking dotdot dir
+
+From: Acs, Jakub <acsjakub@amazon.de>
+
+commit d5e206778e96e8667d3bde695ad372c296dc9353 upstream.
+
+Mounting a corrupted filesystem with directory which contains '.' dir
+entry with rec_len == block size results in out-of-bounds read (later
+on, when the corrupted directory is removed).
+
+ext4_empty_dir() assumes every ext4 directory contains at least '.'
+and '..' as directory entries in the first data block. It first loads
+the '.' dir entry, performs sanity checks by calling ext4_check_dir_entry()
+and then uses its rec_len member to compute the location of '..' dir
+entry (in ext4_next_entry). It assumes the '..' dir entry fits into the
+same data block.
+
+If the rec_len of '.' is precisely one block (4KB), it slips through the
+sanity checks (it is considered the last directory entry in the data
+block) and leaves "struct ext4_dir_entry_2 *de" point exactly past the
+memory slot allocated to the data block. The following call to
+ext4_check_dir_entry() on new value of de then dereferences this pointer
+which results in out-of-bounds mem access.
+
+Fix this by extending __ext4_check_dir_entry() to check for '.' dir
+entries that reach the end of data block. Make sure to ignore the phony
+dir entries for checksum (by checking name_len for non-zero).
+
+Note: This is reported by KASAN as use-after-free in case another
+structure was recently freed from the slot past the bound, but it is
+really an OOB read.
+
+This issue was found by syzkaller tool.
+
+Call Trace:
+[ 38.594108] BUG: KASAN: slab-use-after-free in __ext4_check_dir_entry+0x67e/0x710
+[ 38.594649] Read of size 2 at addr ffff88802b41a004 by task syz-executor/5375
+[ 38.595158]
+[ 38.595288] CPU: 0 UID: 0 PID: 5375 Comm: syz-executor Not tainted 6.14.0-rc7 #1
+[ 38.595298] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+[ 38.595304] Call Trace:
+[ 38.595308] <TASK>
+[ 38.595311] dump_stack_lvl+0xa7/0xd0
+[ 38.595325] print_address_description.constprop.0+0x2c/0x3f0
+[ 38.595339] ? __ext4_check_dir_entry+0x67e/0x710
+[ 38.595349] print_report+0xaa/0x250
+[ 38.595359] ? __ext4_check_dir_entry+0x67e/0x710
+[ 38.595368] ? kasan_addr_to_slab+0x9/0x90
+[ 38.595378] kasan_report+0xab/0xe0
+[ 38.595389] ? __ext4_check_dir_entry+0x67e/0x710
+[ 38.595400] __ext4_check_dir_entry+0x67e/0x710
+[ 38.595410] ext4_empty_dir+0x465/0x990
+[ 38.595421] ? __pfx_ext4_empty_dir+0x10/0x10
+[ 38.595432] ext4_rmdir.part.0+0x29a/0xd10
+[ 38.595441] ? __dquot_initialize+0x2a7/0xbf0
+[ 38.595455] ? __pfx_ext4_rmdir.part.0+0x10/0x10
+[ 38.595464] ? __pfx___dquot_initialize+0x10/0x10
+[ 38.595478] ? down_write+0xdb/0x140
+[ 38.595487] ? __pfx_down_write+0x10/0x10
+[ 38.595497] ext4_rmdir+0xee/0x140
+[ 38.595506] vfs_rmdir+0x209/0x670
+[ 38.595517] ? lookup_one_qstr_excl+0x3b/0x190
+[ 38.595529] do_rmdir+0x363/0x3c0
+[ 38.595537] ? __pfx_do_rmdir+0x10/0x10
+[ 38.595544] ? strncpy_from_user+0x1ff/0x2e0
+[ 38.595561] __x64_sys_unlinkat+0xf0/0x130
+[ 38.595570] do_syscall_64+0x5b/0x180
+[ 38.595583] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Fixes: ac27a0ec112a0 ("[PATCH] ext4: initial copy of files from ext3")
+Signed-off-by: Jakub Acs <acsjakub@amazon.de>
+Cc: Theodore Ts'o <tytso@mit.edu>
+Cc: Andreas Dilger <adilger.kernel@dilger.ca>
+Cc: linux-ext4@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Mahmoud Adam <mngyadam@amazon.com>
+Cc: stable@vger.kernel.org
+Cc: security@kernel.org
+Link: https://patch.msgid.link/b3ae36a6794c4a01944c7d70b403db5b@amazon.de
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/dir.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ext4/dir.c
++++ b/fs/ext4/dir.c
+@@ -104,6 +104,9 @@ int __ext4_check_dir_entry(const char *f
+ else if (unlikely(le32_to_cpu(de->inode) >
+ le32_to_cpu(EXT4_SB(dir->i_sb)->s_es->s_inodes_count)))
+ error_msg = "inode out of bounds";
++ else if (unlikely(next_offset == size && de->name_len == 1 &&
++ de->name[0] == '.'))
++ error_msg = "'.' directory cannot be the last in data block";
+ else
+ return 0;
+
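Review bot: The new `else if` encodes an invariant that __ext4_check_dir_entry() does not state anywhere: a '.' entry may never be the last entry of its block, because ext4_empty_dir() derives the position of '..' from its rec_len within the same block. A comment above the branch, e.g. `/* '.' must leave room for '..' in the same block; ext4_empty_dir() relies on this (name_len == 1 also skips the zero-length checksum tail entry) */`, would stop a later reader from relaxing it. The check fires only on `next_offset == size`, so a '.' entry whose rec_len stops just short of the block end is left to the following entry's own ext4_check_dir_entry() call; as far as the hunk shows that entry then lies inside the block, so the existing checks cover it. The function starts before the hunk, so the definitions of `next_offset` and `size` are not visible here.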
--- /dev/null
+From a8dfb2168906944ea61acfc87846b816eeab882d Mon Sep 17 00:00:00 2001
+From: Roman Smirnov <r.smirnov@omp.ru>
+Date: Wed, 26 Feb 2025 11:25:22 +0300
+Subject: jfs: add index corruption check to DT_GETPAGE()
+
+From: Roman Smirnov <r.smirnov@omp.ru>
+
+commit a8dfb2168906944ea61acfc87846b816eeab882d upstream.
+
+If the file system is corrupted, the header.stblindex variable
+may become greater than 127. Because of this, an array access out
+of bounds may occur:
+
+------------[ cut here ]------------
+UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:3096:10
+index 237 is out of range for type 'struct dtslot[128]'
+CPU: 0 UID: 0 PID: 5822 Comm: syz-executor740 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ ubsan_epilogue lib/ubsan.c:231 [inline]
+ __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
+ dtReadFirst+0x622/0xc50 fs/jfs/jfs_dtree.c:3096
+ dtReadNext fs/jfs/jfs_dtree.c:3147 [inline]
+ jfs_readdir+0x9aa/0x3c50 fs/jfs/jfs_dtree.c:2862
+ wrap_directory_iterator+0x91/0xd0 fs/readdir.c:65
+ iterate_dir+0x571/0x800 fs/readdir.c:108
+ __do_sys_getdents64 fs/readdir.c:403 [inline]
+ __se_sys_getdents64+0x1e2/0x4b0 fs/readdir.c:389
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+---[ end trace ]---
+
+Add a stblindex check for corruption.
+
+Reported-by: syzbot <syzbot+9120834fc227768625ba@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=9120834fc227768625ba
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jfs/jfs_dtree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/jfs/jfs_dtree.c
++++ b/fs/jfs/jfs_dtree.c
+@@ -117,7 +117,8 @@ do { \
+ if (!(RC)) { \
+ if (((P)->header.nextindex > \
+ (((BN) == 0) ? DTROOTMAXSLOT : (P)->header.maxslot)) || \
+- ((BN) && ((P)->header.maxslot > DTPAGEMAXSLOT))) { \
++ ((BN) && (((P)->header.maxslot > DTPAGEMAXSLOT) || \
++ ((P)->header.stblindex >= DTPAGEMAXSLOT)))) { \
+ BT_PUTPAGE(MP); \
+ jfs_error((IP)->i_sb, \
+ "DT_GETPAGE: dtree page corrupt\n"); \
--- /dev/null
+From fdf480da5837c23b146c4743c18de97202fcab37 Mon Sep 17 00:00:00 2001
+From: Qasim Ijaz <qasdev00@gmail.com>
+Date: Thu, 13 Feb 2025 21:05:53 +0000
+Subject: jfs: fix slab-out-of-bounds read in ea_get()
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+commit fdf480da5837c23b146c4743c18de97202fcab37 upstream.
+
+During the "size_check" label in ea_get(), the code checks if the extended
+attribute list (xattr) size matches ea_size. If not, it logs
+"ea_get: invalid extended attribute" and calls print_hex_dump().
+
+Here, EALIST_SIZE(ea_buf->xattr) returns 4110417968, which exceeds
+INT_MAX (2,147,483,647). Then ea_size is clamped:
+
+ int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
+
+Although clamp_t aims to bound ea_size between 0 and 4110417968, the upper
+limit is treated as an int, causing an overflow above 2^31 - 1. This leads
+"size" to wrap around and become negative (-184549328).
+
+The "size" is then passed to print_hex_dump() (called "len" in
+print_hex_dump()), it is passed as type size_t (an unsigned
+type), this is then stored inside a variable called
+"int remaining", which is then assigned to "int linelen" which
+is then passed to hex_dump_to_buffer(). In print_hex_dump()
+the for loop, iterates through 0 to len-1, where len is
+18446744073525002176, calling hex_dump_to_buffer()
+on each iteration:
+
+ for (i = 0; i < len; i += rowsize) {
+ linelen = min(remaining, rowsize);
+ remaining -= rowsize;
+
+ hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
+ linebuf, sizeof(linebuf), ascii);
+
+ ...
+ }
+
+The expected stopping condition (i < len) is effectively broken
+since len is corrupted and very large. This eventually leads to
+the "ptr+i" being passed to hex_dump_to_buffer() to get closer
+to the end of the actual bounds of "ptr", eventually an out of
+bounds access is done in hex_dump_to_buffer() in the following
+for loop:
+
+ for (j = 0; j < len; j++) {
+ if (linebuflen < lx + 2)
+ goto overflow2;
+ ch = ptr[j];
+ ...
+ }
+
+To fix this we should validate "EALIST_SIZE(ea_buf->xattr)"
+before it is utilised.
+
+Reported-by: syzbot <syzbot+4e6e7e4279d046613bc5@syzkaller.appspotmail.com>
+Tested-by: syzbot <syzbot+4e6e7e4279d046613bc5@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=4e6e7e4279d046613bc5
+Fixes: d9f9d96136cb ("jfs: xattr: check invalid xattr size more strictly")
+Cc: stable@vger.kernel.org
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jfs/xattr.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/jfs/xattr.c
++++ b/fs/jfs/xattr.c
+@@ -559,11 +559,16 @@ static int ea_get(struct inode *inode, s
+
+ size_check:
+ if (EALIST_SIZE(ea_buf->xattr) != ea_size) {
+- int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
++ if (unlikely(EALIST_SIZE(ea_buf->xattr) > INT_MAX)) {
++ printk(KERN_ERR "ea_get: extended attribute size too large: %u > INT_MAX\n",
++ EALIST_SIZE(ea_buf->xattr));
++ } else {
++ int size = clamp_t(int, ea_size, 0, EALIST_SIZE(ea_buf->xattr));
+
+- printk(KERN_ERR "ea_get: invalid extended attribute\n");
+- print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
+- ea_buf->xattr, size, 1);
++ printk(KERN_ERR "ea_get: invalid extended attribute\n");
++ print_hex_dump(KERN_ERR, "", DUMP_PREFIX_ADDRESS, 16, 1,
++ ea_buf->xattr, size, 1);
++ }
+ ea_release(inode, ea_buf);
+ rc = -EIO;
+ goto clean_up;
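Review bot: The new `if (unlikely(EALIST_SIZE(ea_buf->xattr) > INT_MAX))` branch fixes the wrap but does not say why INT_MAX is the bound, which is the non-obvious part: `clamp_t(int, ...)` converts the u32 upper bound to int, so a value above INT_MAX became a negative `size` that print_hex_dump() took as a huge size_t. I would put that on the branch, `/* clamp_t(int, ...) would turn a u32 bound above INT_MAX into a negative dump length */`. The dump length is still clamped by `ea_size` rather than by the xattr header, which as far as the hunk shows is the right buffer bound; `%u` matches EALIST_SIZE() only if it yields a 32-bit unsigned value, which I could not verify here. ea_get() starts before the hunk and continues after it.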
--- /dev/null
+From bab703ed8472aa9d109c5f8c1863921533363dae Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Sat, 15 Mar 2025 12:19:28 +0900
+Subject: ksmbd: add bounds check for create lease context
+
+From: Norbert Szetei <norbert@doyensec.com>
+
+commit bab703ed8472aa9d109c5f8c1863921533363dae upstream.
+
+Add missing bounds check for create lease context.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/oplock.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/smb/server/oplock.c
++++ b/fs/smb/server/oplock.c
+@@ -1505,6 +1505,10 @@ struct lease_ctx_info *parse_lease_state
+ if (sizeof(struct lease_context_v2) == le32_to_cpu(cc->DataLength)) {
+ struct create_lease_v2 *lc = (struct create_lease_v2 *)cc;
+
++ if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
++ sizeof(struct create_lease_v2) - 4)
++ return NULL;
++
+ memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
+ lreq->req_state = lc->lcontext.LeaseState;
+ lreq->flags = lc->lcontext.LeaseFlags;
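Review bot: The new lease-v2 bounds check subtracts an unexplained 4 from `sizeof(struct create_lease_v2)` while the v1 check in the next hunk compares against the full `sizeof(struct create_lease)`; presumably this accounts for a trailing pad field the client need not send, but the reader should not have to guess, so a comment such as `/* the trailing 4-byte pad of create_lease_v2 is optional on the wire */` or a named constant belongs on that line. Both checks only establish that the client-declared extent `DataOffset + DataLength` covers the struct being cast to, not that this extent lies inside the received request; that has to come from the caller's context walk, which is not visible here and is worth naming in a comment so the two checks are not mistaken for a complete bound. parse_lease_state() starts before the first hunk and ends after the second.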
+@@ -1517,6 +1521,10 @@ struct lease_ctx_info *parse_lease_state
+ } else {
+ struct create_lease *lc = (struct create_lease *)cc;
+
++ if (le16_to_cpu(cc->DataOffset) + le32_to_cpu(cc->DataLength) <
++ sizeof(struct create_lease))
++ return NULL;
++
+ memcpy(lreq->lease_key, lc->lcontext.LeaseKey, SMB2_LEASE_KEY_SIZE);
+ lreq->req_state = lc->lcontext.LeaseState;
+ lreq->flags = lc->lcontext.LeaseFlags;
--- /dev/null
+From 542027e123fc0bfd61dd59e21ae0ee4ef2101b29 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 14 Mar 2025 18:21:47 +0900
+Subject: ksmbd: add bounds check for durable handle context
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 542027e123fc0bfd61dd59e21ae0ee4ef2101b29 upstream.
+
+Add missing bounds check for durable handle context.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2700,6 +2700,13 @@ static int parse_durable_handle_context(
+ goto out;
+ }
+
++ if (le16_to_cpu(context->DataOffset) +
++ le32_to_cpu(context->DataLength) <
++ sizeof(struct create_durable_reconn_v2_req)) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ recon_v2 = (struct create_durable_reconn_v2_req *)context;
+ persistent_id = recon_v2->Fid.PersistentFileId;
+ dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
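Review bot: The three new guards in parse_durable_handle_context() (this hunk and the two that follow) are the same six lines with only the `sizeof` varying, which invites the next context type to be added without one; a small `static` helper taking the required size, or at least a comment on this first instance naming the pattern, would make it explicit. Each guard establishes only that the client-declared extent `DataOffset + DataLength` covers the struct that `context` is then cast to, not that the extent lies within the received request — that must be guaranteed by the caller's context walk, which is not visible here, and a comment should say that it is relied on. The function starts before this hunk and continues past the last one.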
+@@ -2733,6 +2740,13 @@ static int parse_durable_handle_context(
+ goto out;
+ }
+
++ if (le16_to_cpu(context->DataOffset) +
++ le32_to_cpu(context->DataLength) <
++ sizeof(struct create_durable_reconn_req)) {
++ err = -EINVAL;
++ goto out;
++ }
++
+ recon = (struct create_durable_reconn_req *)context;
+ persistent_id = recon->Data.Fid.PersistentFileId;
+ dh_info->fp = ksmbd_lookup_durable_fd(persistent_id);
+@@ -2757,6 +2771,13 @@ static int parse_durable_handle_context(
+ err = -EINVAL;
+ goto out;
+ }
++
++ if (le16_to_cpu(context->DataOffset) +
++ le32_to_cpu(context->DataLength) <
++ sizeof(struct create_durable_req_v2)) {
++ err = -EINVAL;
++ goto out;
++ }
+
+ durable_v2_blob =
+ (struct create_durable_req_v2 *)context;
--- /dev/null
+From fa4cdb8cbca7d6cb6aa13e4d8d83d1103f6345db Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 27 Mar 2025 21:22:51 +0900
+Subject: ksmbd: fix session use-after-free in multichannel connection
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit fa4cdb8cbca7d6cb6aa13e4d8d83d1103f6345db upstream.
+
+There is a race condition between session setup and
+ksmbd_sessions_deregister. The session can be freed before the connection
+is added to channel list of session.
+This patch checks the reference count of the session before freeing it.
+
+Cc: stable@vger.kernel.org
+Reported-by: Sean Heelan <seanheelan@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/auth.c | 4 ++--
+ fs/smb/server/mgmt/user_session.c | 14 ++++++++------
+ fs/smb/server/smb2pdu.c | 7 ++++---
+ 3 files changed, 14 insertions(+), 11 deletions(-)
+
+--- a/fs/smb/server/auth.c
++++ b/fs/smb/server/auth.c
+@@ -1012,9 +1012,9 @@ static int ksmbd_get_encryption_key(stru
+
+ ses_enc_key = enc ? sess->smb3encryptionkey :
+ sess->smb3decryptionkey;
+- if (enc)
+- ksmbd_user_session_get(sess);
+ memcpy(key, ses_enc_key, SMB3_ENC_DEC_KEY_SIZE);
++ if (!enc)
++ ksmbd_user_session_put(sess);
+
+ return 0;
+ }
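Review bot: After this change `ksmbd_user_session_put(sess)` on the `!enc` path can, together with the companion change to ksmbd_user_session_put() in user_session.c, destroy the session, so `sess` must not be touched after that line — the function returns immediately, so it is fine here, but nothing records that the decryption lookup now consumes a reference the encryption lookup used to take. I would add `/* may drop the last reference and free sess; nothing below may touch it */` above the put, and document the get/put pairing at the caller, which is outside the hunk. The removed `if (enc) ksmbd_user_session_get(sess);` presumably has its counterpart reference taken elsewhere on the request path; that is not visible in this patch.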
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -180,7 +180,7 @@ static void ksmbd_expire_session(struct
+ down_write(&sessions_table_lock);
+ down_write(&conn->session_lock);
+ xa_for_each(&conn->sessions, id, sess) {
+- if (atomic_read(&sess->refcnt) == 0 &&
++ if (atomic_read(&sess->refcnt) <= 1 &&
+ (sess->state != SMB2_SESSION_VALID ||
+ time_after(jiffies,
+ sess->last_active + SMB2_SESSION_TIMEOUT))) {
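Review bot: The `<= 1` test here, the `atomic_dec_and_test()` before ksmbd_session_destroy() in the next two hunks, the destroy-on-zero in ksmbd_user_session_put(), and the `atomic_set(&sess->refcnt, 2)` in __session_create() together define a new ownership model, but none of the hunks state it, so the magic 2 and the `<= 1` will read as bugs. As far as I can infer, one reference belongs to the session table and is dropped in ksmbd_sessions_deregister(), and the other is returned to the creator; a comment at the initialization, e.g. `/* one ref held by the session table (dropped in deregister), one returned to the creator */`, plus a matching note on this `<= 1` test, would pin that down — please confirm the second owner. ksmbd_expire_session() starts before the hunk and continues after it.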
+@@ -232,7 +232,8 @@ void ksmbd_sessions_deregister(struct ks
+ down_write(&conn->session_lock);
+ xa_erase(&conn->sessions, sess->id);
+ up_write(&conn->session_lock);
+- ksmbd_session_destroy(sess);
++ if (atomic_dec_and_test(&sess->refcnt))
++ ksmbd_session_destroy(sess);
+ }
+ }
+ }
+@@ -251,7 +252,8 @@ void ksmbd_sessions_deregister(struct ks
+ if (xa_empty(&sess->ksmbd_chann_list)) {
+ xa_erase(&conn->sessions, sess->id);
+ hash_del(&sess->hlist);
+- ksmbd_session_destroy(sess);
++ if (atomic_dec_and_test(&sess->refcnt))
++ ksmbd_session_destroy(sess);
+ }
+ }
+ up_write(&conn->session_lock);
+@@ -327,8 +329,8 @@ void ksmbd_user_session_put(struct ksmbd
+
+ if (atomic_read(&sess->refcnt) <= 0)
+ WARN_ON(1);
+- else
+- atomic_dec(&sess->refcnt);
++ else if (atomic_dec_and_test(&sess->refcnt))
++ ksmbd_session_destroy(sess);
+ }
+
+ struct preauth_session *ksmbd_preauth_session_alloc(struct ksmbd_conn *conn,
+@@ -433,7 +435,7 @@ static struct ksmbd_session *__session_c
+ xa_init(&sess->rpc_handle_list);
+ sess->sequence_number = 1;
+ rwlock_init(&sess->tree_conns_lock);
+- atomic_set(&sess->refcnt, 1);
++ atomic_set(&sess->refcnt, 2);
+
+ ret = __init_smb2_session(sess);
+ if (ret)
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2231,13 +2231,14 @@ int smb2_session_logoff(struct ksmbd_wor
+ return -ENOENT;
+ }
+
+- ksmbd_destroy_file_table(&sess->file_table);
+ down_write(&conn->session_lock);
+ sess->state = SMB2_SESSION_EXPIRED;
+ up_write(&conn->session_lock);
+
+- ksmbd_free_user(sess->user);
+- sess->user = NULL;
++ if (sess->user) {
++ ksmbd_free_user(sess->user);
++ sess->user = NULL;
++ }
+ ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_NEGOTIATE);
+
+ rsp->StructureSize = cpu_to_le16(4);
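Review bot: The new `if (sess->user)` guard in smb2_session_logoff() tests and clears `sess->user` without any lock visible in the hunk, so two logoffs racing on different channels of a multichannel session could both observe a non-NULL pointer and both call ksmbd_free_user() — the guard removes the NULL dereference but not the double free, unless logoff is serialized per session elsewhere, which I cannot see here. An atomic `xchg(&sess->user, NULL)` or a session-level lock would close that window (`conn->session_lock`, which the hunk takes to set SMB2_SESSION_EXPIRED, is per connection and would not). The removed `ksmbd_destroy_file_table(&sess->file_table)` has no replacement in this hunk; presumably it moved into ksmbd_session_destroy(), which the commit message should say.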
--- /dev/null
+From 15a9605f8d69dc85005b1a00c31a050b8625e1aa Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sat, 22 Mar 2025 09:20:19 +0900
+Subject: ksmbd: fix use-after-free in ksmbd_sessions_deregister()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 15a9605f8d69dc85005b1a00c31a050b8625e1aa upstream.
+
+In multichannel mode, a UAF can occur in session_deregister
+when the second channel sets up a session through the connection of
+the first channel. A session that is freed through the global session
+table can still be accessed through ->sessions of the connection.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/mgmt/user_session.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -229,6 +229,9 @@ void ksmbd_sessions_deregister(struct ks
+ if (!ksmbd_chann_del(conn, sess) &&
+ xa_empty(&sess->ksmbd_chann_list)) {
+ hash_del(&sess->hlist);
++ down_write(&conn->session_lock);
++ xa_erase(&conn->sessions, sess->id);
++ up_write(&conn->session_lock);
+ ksmbd_session_destroy(sess);
+ }
+ }
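Review bot: The added `xa_erase(&conn->sessions, sess->id)` removes the dying session only from the connection that is deregistering; in the multichannel scenario of the commit message the session was reached through another connection's `->sessions`, and whether that other xarray can still hold the id here is not visible in the hunk — if it can, the use-after-free is narrowed rather than closed. A comment tying the erase to the `hash_del()` above it, e.g. `/* drop this connection's lookup entry before the session is freed */`, would help, and it is worth confirming that ksmbd_chann_del() returning zero guarantees no other conn->sessions entry remains. ksmbd_sessions_deregister() starts before the hunk and continues after it.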
--- /dev/null
+From bf21e29d78cd2c2371023953d9c82dfef82ebb36 Mon Sep 17 00:00:00 2001
+From: Norbert Szetei <norbert@doyensec.com>
+Date: Sat, 29 Mar 2025 16:06:01 +0000
+Subject: ksmbd: validate zero num_subauth before sub_auth is accessed
+
+From: Norbert Szetei <norbert@doyensec.com>
+
+commit bf21e29d78cd2c2371023953d9c82dfef82ebb36 upstream.
+
+Access psid->sub_auth[psid->num_subauth - 1] without checking
+if num_subauth is non-zero leads to an out-of-bounds read.
+This patch adds a validation step to ensure num_subauth != 0
+before sub_auth is accessed.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Norbert Szetei <norbert@doyensec.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smbacl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -270,6 +270,11 @@ static int sid_to_id(struct mnt_idmap *i
+ return -EIO;
+ }
+
++ if (psid->num_subauth == 0) {
++ pr_err("%s: zero subauthorities!\n", __func__);
++ return -EIO;
++ }
++
+ if (sidtype == SIDOWNER) {
+ kuid_t uid;
+ uid_t id;
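Review bot: The new `num_subauth == 0` guard protects the `psid->sub_auth[psid->num_subauth - 1]` read described in the commit message, but that read is outside the hunk and nothing links the two, so a later reorder could separate them; a short `/* sub_auth[num_subauth - 1] is read below */` on the guard would make the dependency explicit. Only the lower bound is checked here; the upper bound of num_subauth against the sub_auth array is presumably enforced by the earlier `return -EIO` whose condition is cut off above the hunk, which is worth confirming. sid_to_id() starts before the hunk and continues past it.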
--- /dev/null
+From f656cfbc7a293a039d6a0c7100e1c846845148c1 Mon Sep 17 00:00:00 2001
+From: Murad Masimov <m.masimov@mt-integration.ru>
+Date: Mon, 13 Jan 2025 13:51:30 +0300
+Subject: media: streamzap: fix race between device disconnection and urb callback
+
+From: Murad Masimov <m.masimov@mt-integration.ru>
+
+commit f656cfbc7a293a039d6a0c7100e1c846845148c1 upstream.
+
+Syzkaller has reported a general protection fault at function
+ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer
+dereference of dev->raw pointer, even though it is checked for NULL in
+the same function, which means there is a race condition. It occurs due
+to the incorrect order of actions in the streamzap_disconnect() function:
+rc_unregister_device() is called before usb_kill_urb(). The dev->raw
+pointer is freed and set to NULL in rc_unregister_device(), and only
+after that usb_kill_urb() waits for in-progress requests to finish.
+
+If rc_unregister_device() is called while streamzap_callback() handler is
+not finished, this can lead to accessing freed resources. Thus
+rc_unregister_device() should be called after usb_kill_urb().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 8e9e60640067 ("V4L/DVB: staging/lirc: port lirc_streamzap to ir-core")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+34008406ee9a31b13c73@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=34008406ee9a31b13c73
+Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/streamzap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/rc/streamzap.c
++++ b/drivers/media/rc/streamzap.c
+@@ -385,8 +385,8 @@ static void streamzap_disconnect(struct
+ if (!sz)
+ return;
+
+- rc_unregister_device(sz->rdev);
+ usb_kill_urb(sz->urb_in);
++ rc_unregister_device(sz->rdev);
+ usb_free_urb(sz->urb_in);
+ usb_free_coherent(usbdev, sz->buf_in_len, sz->buf_in, sz->dma_in);
+
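Review bot: Moving `usb_kill_urb(sz->urb_in)` ahead of `rc_unregister_device(sz->rdev)` is correct but silent: nothing in streamzap_disconnect() now records that the order is load-bearing, and a tidy-up could restore the crash. A comment on the first line, `/* stop the URB before unregistering: streamzap_callback() still uses the rc_dev, whose dev->raw is freed by rc_unregister_device() */`, would protect it. The callback's own NULL check on dev->raw, as the commit message explains, cannot help because the free can land between the check and the use; that interleaving is described in the message rather than visible in the hunk.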
--- /dev/null
+From 1b0449544c6482179ac84530b61fc192a6527bfd Mon Sep 17 00:00:00 2001
+From: Jinjiang Tu <tujinjiang@huawei.com>
+Date: Tue, 18 Mar 2025 16:39:39 +0800
+Subject: mm/vmscan: don't try to reclaim hwpoison folio
+
+From: Jinjiang Tu <tujinjiang@huawei.com>
+
+commit 1b0449544c6482179ac84530b61fc192a6527bfd upstream.
+
+Syzkaller reports a bug as follows:
+
+Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000
+Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users
+Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed
+page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e
+memcg:ffff0000dd6d9000
+anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff)
+raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9
+raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000
+page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio))
+------------[ cut here ]------------
+kernel BUG at mm/swap_state.c:184!
+Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
+Modules linked in:
+CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3
+Hardware name: linux,dummy-virt (DT)
+pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : add_to_swap+0xbc/0x158
+lr : add_to_swap+0xbc/0x158
+sp : ffff800087f37340
+x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780
+x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0
+x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4
+x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000
+x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c
+x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b
+x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000
+x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001
+x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000
+x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000
+Call trace:
+ add_to_swap+0xbc/0x158
+ shrink_folio_list+0x12ac/0x2648
+ shrink_inactive_list+0x318/0x948
+ shrink_lruvec+0x450/0x720
+ shrink_node_memcgs+0x280/0x4a8
+ shrink_node+0x128/0x978
+ balance_pgdat+0x4f0/0xb20
+ kswapd+0x228/0x438
+ kthread+0x214/0x230
+ ret_from_fork+0x10/0x20
+
+I can reproduce this issue with the following steps:
+
+1) When a dirty swapcache page is isolated by reclaim process and the
+ page isn't locked, inject memory failure for the page.
+ me_swapcache_dirty() clears uptodate flag and tries to delete from lru,
+ but fails. Reclaim process will put the hwpoisoned page back to lru.
+
+2) The process that maps the hwpoisoned page exits, the page is deleted
+ the page will never be freed and will be in the lru forever.
+
+3) If we trigger a reclaim again and tries to reclaim the page,
+ add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is
+ cleared.
+
+To fix it, skip the hwpoisoned page in shrink_folio_list(). Besides, the
+hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap
+it in shrink_folio_list(), otherwise the folio will fail to be unmaped by
+hwpoison_user_mappings() since the folio isn't in lru list.
+
+Link: https://lkml.kernel.org/r/20250318083939.987651-3-tujinjiang@huawei.com
+Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
+Acked-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Nanyong Sun <sunnanyong@huawei.com>
+Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
+Cc: <stable@vger,kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/vmscan.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -1741,6 +1741,13 @@ retry:
+ if (!folio_trylock(folio))
+ goto keep;
+
++ if (folio_contain_hwpoisoned_page(folio)) {
++ unmap_poisoned_folio(folio, folio_pfn(folio), false);
++ folio_unlock(folio);
++ folio_put(folio);
++ continue;
++ }
++
+ VM_BUG_ON_FOLIO(folio_test_active(folio), folio);
+
+ nr_pages = folio_nr_pages(folio);
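Review bot: The new hwpoison branch carries no comment, and its rationale — the folio was already isolated from the LRU so hwpoison_user_mappings() cannot find it to unmap, and add_to_swap() would trip VM_BUG_ON_FOLIO on the cleared uptodate flag — exists only in the commit message; a short comment above the `if` would keep that visible in shrink_folio_list(). The return value of unmap_poisoned_folio() is discarded here; if that helper reports failure in this tree, the folio is still released with folio_put() and skipped without any reclaim accounting, which looks intentional but is worth stating in the same comment. The enclosing loop body starts and ends outside the hunk.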
--- /dev/null
+From 3834a759afb817e23a7a2f09c2c9911b0ce5c588 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Tue, 18 Mar 2025 22:02:25 +0800
+Subject: mmc: omap: Fix memory leak in mmc_omap_new_slot
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 3834a759afb817e23a7a2f09c2c9911b0ce5c588 upstream.
+
+Add err_free_host label to properly pair mmc_alloc_host() with
+mmc_free_host() in GPIO error paths. The allocated host memory was
+leaked when GPIO lookups failed.
+
+Fixes: e519f0bb64ef ("ARM/mmc: Convert old mmci-omap to GPIO descriptors")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250318140226.19650-1-linmq006@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/omap.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/host/omap.c
++++ b/drivers/mmc/host/omap.c
+@@ -1276,19 +1276,25 @@ static int mmc_omap_new_slot(struct mmc_
+ /* Check for some optional GPIO controls */
+ slot->vsd = devm_gpiod_get_index_optional(host->dev, "vsd",
+ id, GPIOD_OUT_LOW);
+- if (IS_ERR(slot->vsd))
+- return dev_err_probe(host->dev, PTR_ERR(slot->vsd),
++ if (IS_ERR(slot->vsd)) {
++ r = dev_err_probe(host->dev, PTR_ERR(slot->vsd),
+ "error looking up VSD GPIO\n");
++ goto err_free_host;
++ }
+ slot->vio = devm_gpiod_get_index_optional(host->dev, "vio",
+ id, GPIOD_OUT_LOW);
+- if (IS_ERR(slot->vio))
+- return dev_err_probe(host->dev, PTR_ERR(slot->vio),
++ if (IS_ERR(slot->vio)) {
++ r = dev_err_probe(host->dev, PTR_ERR(slot->vio),
+ "error looking up VIO GPIO\n");
++ goto err_free_host;
++ }
+ slot->cover = devm_gpiod_get_index_optional(host->dev, "cover",
+ id, GPIOD_IN);
+- if (IS_ERR(slot->cover))
+- return dev_err_probe(host->dev, PTR_ERR(slot->cover),
++ if (IS_ERR(slot->cover)) {
++ r = dev_err_probe(host->dev, PTR_ERR(slot->cover),
+ "error looking up cover switch GPIO\n");
++ goto err_free_host;
++ }
+
+ host->slots[id] = slot;
+
+@@ -1348,6 +1354,7 @@ err_remove_slot_name:
+ device_remove_file(&mmc->class_dev, &dev_attr_slot_name);
+ err_remove_host:
+ mmc_remove_host(mmc);
++err_free_host:
+ mmc_free_host(mmc);
+ return r;
+ }
--- /dev/null
+From 49d162635151d0dd04935070d7cf67137ab863aa Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Wed, 12 Mar 2025 13:17:12 +0100
+Subject: mmc: sdhci-omap: Disable MMC_CAP_AGGRESSIVE_PM for eMMC/SD
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 49d162635151d0dd04935070d7cf67137ab863aa upstream.
+
+We have received reports about cards can become corrupt related to the
+aggressive PM support. Let's make a partial revert of the change that
+enabled the feature.
+
+Reported-by: David Owens <daowens01@gmail.com>
+Reported-by: Romain Naour <romain.naour@smile.fr>
+Reported-by: Robert Nelson <robertcnelson@gmail.com>
+Tested-by: Robert Nelson <robertcnelson@gmail.com>
+Fixes: 3edf588e7fe0 ("mmc: sdhci-omap: Allow SDIO card power off and enable aggressive PM")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20250312121712.1168007-1-ulf.hansson@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-omap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-omap.c
++++ b/drivers/mmc/host/sdhci-omap.c
+@@ -1339,8 +1339,8 @@ static int sdhci_omap_probe(struct platf
+ /* R1B responses is required to properly manage HW busy detection. */
+ mmc->caps |= MMC_CAP_NEED_RSP_BUSY;
+
+- /* Allow card power off and runtime PM for eMMC/SD card devices */
+- mmc->caps |= MMC_CAP_POWER_OFF_CARD | MMC_CAP_AGGRESSIVE_PM;
++ /* Enable SDIO card power off. */
++ mmc->caps |= MMC_CAP_POWER_OFF_CARD;
+
+ ret = sdhci_setup_host(host);
+ if (ret)
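Review bot: The replacement comment `/* Enable SDIO card power off. */` says nothing about why MMC_CAP_AGGRESSIVE_PM is no longer set, so the next reader may re-add it; since the commit message attributes the partial revert to card corruption reports, the comment should carry that, e.g. `/* Enable SDIO card power off; MMC_CAP_AGGRESSIVE_PM is deliberately not set (card corruption was reported) */`. sdhci_omap_probe() continues outside the hunk.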
--- /dev/null
+From a41fcca4b342811b473bbaa4b44f1d34d87fcce6 Mon Sep 17 00:00:00 2001
+From: Karel Balej <balejk@matfyz.cz>
+Date: Mon, 10 Mar 2025 15:07:04 +0100
+Subject: mmc: sdhci-pxav3: set NEED_RSP_BUSY capability
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Karel Balej <balejk@matfyz.cz>
+
+commit a41fcca4b342811b473bbaa4b44f1d34d87fcce6 upstream.
+
+Set the MMC_CAP_NEED_RSP_BUSY capability for the sdhci-pxav3 host to
+prevent conversion of R1B responses to R1. Without this, the eMMC card
+in the samsung,coreprimevelte smartphone using the Marvell PXA1908 SoC
+with this mmc host doesn't probe with the ETIMEDOUT error originating in
+__mmc_poll_for_busy.
+
+Note that the other issues reported for this phone and host, namely
+floods of "Tuning failed, falling back to fixed sampling clock" dmesg
+messages for the eMMC and unstable SDIO are not mitigated by this
+change.
+
+Link: https://lore.kernel.org/r/20200310153340.5593-1-ulf.hansson@linaro.org/
+Link: https://lore.kernel.org/r/D7204PWIGQGI.1FRFQPPIEE2P9@matfyz.cz/
+Link: https://lore.kernel.org/r/20250115-pxa1908-lkml-v14-0-847d24f3665a@skole.hr/
+Cc: stable@vger.kernel.org
+Signed-off-by: Karel Balej <balejk@matfyz.cz>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Duje Mihanović <duje.mihanovic@skole.hr>
+Link: https://lore.kernel.org/r/20250310140707.23459-1-balejk@matfyz.cz
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pxav3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/sdhci-pxav3.c
++++ b/drivers/mmc/host/sdhci-pxav3.c
+@@ -399,6 +399,7 @@ static int sdhci_pxav3_probe(struct plat
+ if (!IS_ERR(pxa->clk_core))
+ clk_prepare_enable(pxa->clk_core);
+
++ host->mmc->caps |= MMC_CAP_NEED_RSP_BUSY;
+ /* enable 1/8V DDR capable */
+ host->mmc->caps |= MMC_CAP_1_8V_DDR;
+
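Review bot: The added `host->mmc->caps |= MMC_CAP_NEED_RSP_BUSY;` sits between a blank line and the comment for the 1.8V DDR capability, so on a quick read the DDR comment appears to describe it. Give it its own comment and a trailing blank line, e.g. `/* R1B responses are required to properly manage HW busy detection. */`, which is the wording sdhci-omap uses for the same capability. The rest of sdhci_pxav3_probe() is outside the hunk.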
--- /dev/null
+From 230ca758453c63bd38e4d9f4a21db698f7abada8 Mon Sep 17 00:00:00 2001
+From: Li Lingfeng <lilingfeng3@huawei.com>
+Date: Thu, 13 Feb 2025 22:42:20 +0800
+Subject: nfsd: put dl_stid if fail to queue dl_recall
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+commit 230ca758453c63bd38e4d9f4a21db698f7abada8 upstream.
+
+Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we
+increment the reference count of dl_stid.
+We expect that after the corresponding work_struct is processed, the
+reference count of dl_stid will be decremented through the callback
+function nfsd4_cb_recall_release.
+However, if the call to nfsd4_run_cb fails, the incremented reference
+count of dl_stid will not be decremented correspondingly, leading to the
+following nfs4_stid leak:
+unreferenced object 0xffff88812067b578 (size 344):
+ comm "nfsd", pid 2761, jiffies 4295044002 (age 5541.241s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 6b 6b 6b 6b b8 02 c0 e2 81 88 ff ff ....kkkk........
+ 00 6b 6b 6b 6b 6b 6b 6b 00 00 00 00 ad 4e ad de .kkkkkkk.....N..
+ backtrace:
+ kmem_cache_alloc+0x4b9/0x700
+ nfsd4_process_open1+0x34/0x300
+ nfsd4_open+0x2d1/0x9d0
+ nfsd4_proc_compound+0x7a2/0xe30
+ nfsd_dispatch+0x241/0x3e0
+ svc_process_common+0x5d3/0xcc0
+ svc_process+0x2a3/0x320
+ nfsd+0x180/0x2e0
+ kthread+0x199/0x1d0
+ ret_from_fork+0x30/0x50
+ ret_from_fork_asm+0x1b/0x30
+unreferenced object 0xffff8881499f4d28 (size 368):
+ comm "nfsd", pid 2761, jiffies 4295044005 (age 5541.239s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 00 00 00 00 30 4d 9f 49 81 88 ff ff ........0M.I....
+ 30 4d 9f 49 81 88 ff ff 20 00 00 00 01 00 00 00 0M.I.... .......
+ backtrace:
+ kmem_cache_alloc+0x4b9/0x700
+ nfs4_alloc_stid+0x29/0x210
+ alloc_init_deleg+0x92/0x2e0
+ nfs4_set_delegation+0x284/0xc00
+ nfs4_open_delegation+0x216/0x3f0
+ nfsd4_process_open2+0x2b3/0xee0
+ nfsd4_open+0x770/0x9d0
+ nfsd4_proc_compound+0x7a2/0xe30
+ nfsd_dispatch+0x241/0x3e0
+ svc_process_common+0x5d3/0xcc0
+ svc_process+0x2a3/0x320
+ nfsd+0x180/0x2e0
+ kthread+0x199/0x1d0
+ ret_from_fork+0x30/0x50
+ ret_from_fork_asm+0x1b/0x30
+Fix it by checking the result of nfsd4_run_cb and call nfs4_put_stid if
+fail to queue dl_recall.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1066,6 +1066,12 @@ static struct nfs4_ol_stateid * nfs4_all
+ return openlockstateid(stid);
+ }
+
++/*
++ * As the sc_free callback of deleg, this may be called by nfs4_put_stid
++ * in nfsd_break_one_deleg.
++ * Considering nfsd_break_one_deleg is called with the flc->flc_lock held,
++ * this function mustn't ever sleep.
++ */
+ static void nfs4_free_deleg(struct nfs4_stid *stid)
+ {
+ struct nfs4_delegation *dp = delegstateid(stid);
+@@ -4920,6 +4926,7 @@ static const struct nfsd4_callback_ops n
+
+ static void nfsd_break_one_deleg(struct nfs4_delegation *dp)
+ {
++ bool queued;
+ /*
+ * We're assuming the state code never drops its reference
+ * without first removing the lease. Since we're in this lease
+@@ -4928,7 +4935,10 @@ static void nfsd_break_one_deleg(struct
+ * we know it's safe to take a reference.
+ */
+ refcount_inc(&dp->dl_stid.sc_count);
+- WARN_ON_ONCE(!nfsd4_run_cb(&dp->dl_recall));
++ queued = nfsd4_run_cb(&dp->dl_recall);
++ WARN_ON_ONCE(!queued);
++ if (!queued)
++ nfs4_put_stid(&dp->dl_stid);
+ }
+
+ /* Called from break_lease() with flc_lock held. */
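Review bot: The three-statement sequence `queued = nfsd4_run_cb(...); WARN_ON_ONCE(!queued); if (!queued) ...` can be written as one conditional, `if (WARN_ON_ONCE(!nfsd4_run_cb(&dp->dl_recall))) nfs4_put_stid(&dp->dl_stid);`, which also makes the `bool queued;` declaration added in the preceding hunk unnecessary. If the local is kept, the new `bool queued;` line is followed immediately by the comment block with no blank line, which checkpatch flags after declarations. The put on failure runs with flc_lock held, which is exactly the case the comment added above nfs4_free_deleg() in the first hunk documents.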
--- /dev/null
+From 8a388c1fabeb6606e16467b23242416c0dbeffad Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Tue, 14 Jan 2025 17:09:24 -0500
+Subject: NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 8a388c1fabeb6606e16467b23242416c0dbeffad upstream.
+
+NFSD sends CB_RECALL_ANY to clients when the server is low on
+memory or that client has a large number of delegations outstanding.
+
+We've seen cases where NFSD attempts to send CB_RECALL_ANY requests
+to disconnected clients, and gets confused. These calls never go
+anywhere if a backchannel transport to the target client isn't
+available. Before the server can send any backchannel operation, the
+client has to connect first and then do a BIND_CONN_TO_SESSION.
+
+This patch doesn't address the root cause of the confusion, but
+there's no need to queue up these optional operations if they can't
+go anywhere.
+
+Fixes: 44df6f439a17 ("NFSD: add delegation reaper to react to low memory condition")
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -6289,14 +6289,19 @@ deleg_reaper(struct nfsd_net *nn)
+ spin_lock(&nn->client_lock);
+ list_for_each_safe(pos, next, &nn->client_lru) {
+ clp = list_entry(pos, struct nfs4_client, cl_lru);
+- if (clp->cl_state != NFSD4_ACTIVE ||
+- list_empty(&clp->cl_delegations) ||
+- atomic_read(&clp->cl_delegs_in_recall) ||
+- test_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags) ||
+- (ktime_get_boottime_seconds() -
+- clp->cl_ra_time < 5)) {
++
++ if (clp->cl_state != NFSD4_ACTIVE)
++ continue;
++ if (list_empty(&clp->cl_delegations))
++ continue;
++ if (atomic_read(&clp->cl_delegs_in_recall))
++ continue;
++ if (test_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags))
++ continue;
++ if (ktime_get_boottime_seconds() - clp->cl_ra_time < 5)
++ continue;
++ if (clp->cl_cb_state != NFSD4_CB_UP)
+ continue;
+- }
+ list_add(&clp->cl_ra_cblist, &cblist);
+
+ /* release in nfsd4_cb_recall_any_release */
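Review bot: The new `clp->cl_cb_state != NFSD4_CB_UP` test is read under nn->client_lock, which as far as I can tell is not what the callback path uses when it updates cl_cb_state, so it is a best-effort snapshot: the backchannel can still drop between this check and the actual send, consistent with the commit message's statement that the root cause is not addressed here. A one-line comment, `/* cl_cb_state is a hint only; the backchannel may drop before CB_RECALL_ANY is sent */`, would keep a later reader from treating the check as a guarantee. The loop body continues outside the hunk.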
x86-mm-fix-flush_tlb_range-when-used-for-zapping-normal-pmds.patch
acpi-nfit-fix-narrowing-conversion-in-acpi_nfit_ctl.patch
acpi-resource-skip-irq-override-on-asus-vivobook-14-x1404vap.patch
+mmc-omap-fix-memory-leak-in-mmc_omap_new_slot.patch
+mmc-sdhci-pxav3-set-need_rsp_busy-capability.patch
+mmc-sdhci-omap-disable-mmc_cap_aggressive_pm-for-emmc-sd.patch
+ksmbd-add-bounds-check-for-durable-handle-context.patch
+ksmbd-add-bounds-check-for-create-lease-context.patch
+ksmbd-fix-use-after-free-in-ksmbd_sessions_deregister.patch
+ksmbd-fix-session-use-after-free-in-multichannel-connection.patch
+ksmbd-validate-zero-num_subauth-before-sub_auth-is-accessed.patch
+tracing-fix-use-after-free-in-print_graph_function_flags-during-tracer-switching.patch
+tracing-ensure-module-defining-synth-event-cannot-be-unloaded-while-tracing.patch
+tracing-fix-synth-event-printk-format-for-str-fields.patch
+tracing-osnoise-fix-possible-recursive-locking-for-cpus_read_lock.patch
+mm-vmscan-don-t-try-to-reclaim-hwpoison-folio.patch
+arm64-don-t-call-null-in-do_compat_alignment_fixup.patch
+ext4-don-t-over-report-free-space-or-inodes-in-statvfs.patch
+ext4-fix-oob-read-when-checking-dotdot-dir.patch
+jfs-fix-slab-out-of-bounds-read-in-ea_get.patch
+jfs-add-index-corruption-check-to-dt_getpage.patch
+exec-fix-the-racy-usage-of-fs_struct-in_exec.patch
+media-streamzap-fix-race-between-device-disconnection-and-urb-callback.patch
+nfsd-put-dl_stid-if-fail-to-queue-dl_recall.patch
+nfsd-skip-sending-cb_recall_any-when-the-backchannel-isn-t-up.patch
--- /dev/null
+From 21581dd4e7ff6c07d0ab577e3c32b13a74b31522 Mon Sep 17 00:00:00 2001
+From: Douglas Raillard <douglas.raillard@arm.com>
+Date: Tue, 18 Mar 2025 18:09:05 +0000
+Subject: tracing: Ensure module defining synth event cannot be unloaded while tracing
+
+From: Douglas Raillard <douglas.raillard@arm.com>
+
+commit 21581dd4e7ff6c07d0ab577e3c32b13a74b31522 upstream.
+
+Currently, using synth_event_delete() will fail if the event is being
+used (tracing in progress), but that is normally done in the module exit
+function. At that stage, failing is problematic as returning a non-zero
+status means the module will become locked (impossible to unload or
+reload again).
+
+Instead, ensure the module exit function does not get called in the
+first place by increasing the module refcnt when the event is enabled.
+
+Cc: stable@vger.kernel.org
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Fixes: 35ca5207c2d11 ("tracing: Add synthetic event command generation functions")
+Link: https://lore.kernel.org/20250318180906.226841-1-douglas.raillard@arm.com
+Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_synth.c | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_synth.c
++++ b/kernel/trace/trace_events_synth.c
+@@ -859,6 +859,34 @@ static struct trace_event_fields synth_e
+ {}
+ };
+
++static int synth_event_reg(struct trace_event_call *call,
++ enum trace_reg type, void *data)
++{
++ struct synth_event *event = container_of(call, struct synth_event, call);
++
++ switch (type) {
++ case TRACE_REG_REGISTER:
++ case TRACE_REG_PERF_REGISTER:
++ if (!try_module_get(event->mod))
++ return -EBUSY;
++ break;
++ default:
++ break;
++ }
++
++ int ret = trace_event_reg(call, type, data);
++
++ switch (type) {
++ case TRACE_REG_UNREGISTER:
++ case TRACE_REG_PERF_UNREGISTER:
++ module_put(event->mod);
++ break;
++ default:
++ break;
++ }
++ return ret;
++}
++
+ static int register_synth_event(struct synth_event *event)
+ {
+ struct trace_event_call *call = &event->call;
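Review bot: When trace_event_reg() fails for TRACE_REG_REGISTER or TRACE_REG_PERF_REGISTER, the module reference taken by try_module_get() is never released, because the second switch only calls module_put() for the unregister types; a failed enable therefore pins the module permanently. Drop the reference on that path, e.g. right after the call: `if (ret && (type == TRACE_REG_REGISTER || type == TRACE_REG_PERF_REGISTER)) module_put(event->mod);`. Also, `int ret = trace_event_reg(call, type, data);` declares a variable mid-function; an `int ret;` next to the existing declaration at the top matches the surrounding style.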
+@@ -888,7 +916,7 @@ static int register_synth_event(struct s
+ goto out;
+ }
+ call->flags = TRACE_EVENT_FL_TRACEPOINT;
+- call->class->reg = trace_event_reg;
++ call->class->reg = synth_event_reg;
+ call->class->probe = trace_event_raw_event_synth;
+ call->data = event;
+ call->tp = event->tp;
--- /dev/null
+From 4d38328eb442dc06aec4350fd9594ffa6488af02 Mon Sep 17 00:00:00 2001
+From: Douglas Raillard <douglas.raillard@arm.com>
+Date: Tue, 25 Mar 2025 16:52:02 +0000
+Subject: tracing: Fix synth event printk format for str fields
+
+From: Douglas Raillard <douglas.raillard@arm.com>
+
+commit 4d38328eb442dc06aec4350fd9594ffa6488af02 upstream.
+
+The printk format for synth event uses "%.*s" to print string fields,
+but then only passes the pointer part as var arg.
+
+Replace %.*s with %s as the C string is guaranteed to be null-terminated.
+
+The output in print fmt should never have been updated as __get_str()
+handles the string limit because it can access the length of the string in
+the string meta data that is saved in the ring buffer.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Fixes: 8db4d6bfbbf92 ("tracing: Change synthetic event string format to limit printed length")
+Link: https://lore.kernel.org/20250325165202.541088-1-douglas.raillard@arm.com
+Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_synth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_synth.c
++++ b/kernel/trace/trace_events_synth.c
+@@ -312,7 +312,7 @@ static const char *synth_field_fmt(char
+ else if (strcmp(type, "gfp_t") == 0)
+ fmt = "%x";
+ else if (synth_field_is_string(type))
+- fmt = "%.*s";
++ fmt = "%s";
+ else if (synth_field_is_stack(type))
+ fmt = "%s";
+
--- /dev/null
+From 7f81f27b1093e4895e87b74143c59c055c3b1906 Mon Sep 17 00:00:00 2001
+From: Tengda Wu <wutengda@huaweicloud.com>
+Date: Thu, 20 Mar 2025 12:21:37 +0000
+Subject: tracing: Fix use-after-free in print_graph_function_flags during tracer switching
+
+From: Tengda Wu <wutengda@huaweicloud.com>
+
+commit 7f81f27b1093e4895e87b74143c59c055c3b1906 upstream.
+
+Kairui reported a UAF issue in print_graph_function_flags() during
+ftrace stress testing [1]. This issue can be reproduced if puting a
+'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(),
+and executing the following script:
+
+ $ echo function_graph > current_tracer
+ $ cat trace > /dev/null &
+ $ sleep 5 # Ensure the 'cat' reaches the 'mdelay(10)' point
+ $ echo timerlat > current_tracer
+
+The root cause lies in the two calls to print_graph_function_flags
+within print_trace_line during each s_show():
+
+ * One through 'iter->trace->print_line()';
+ * Another through 'event->funcs->trace()', which is hidden in
+ print_trace_fmt() before print_trace_line returns.
+
+Tracer switching only updates the former, while the latter continues
+to use the print_line function of the old tracer, which in the script
+above is print_graph_function_flags.
+
+Moreover, when switching from the 'function_graph' tracer to the
+'timerlat' tracer, s_start only calls graph_trace_close of the
+'function_graph' tracer to free 'iter->private', but does not set
+it to NULL. This provides an opportunity for 'event->funcs->trace()'
+to use an invalid 'iter->private'.
+
+To fix this issue, set 'iter->private' to NULL immediately after
+freeing it in graph_trace_close(), ensuring that an invalid pointer
+is not passed to other tracers. Additionally, clean up the unnecessary
+'iter->private = NULL' during each 'cat trace' when using wakeup and
+irqsoff tracers.
+
+ [1] https://lore.kernel.org/all/20231112150030.84609-1-ryncsn@gmail.com/
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Zheng Yejian <zhengyejian1@huawei.com>
+Link: https://lore.kernel.org/20250320122137.23635-1-wutengda@huaweicloud.com
+Fixes: eecb91b9f98d ("tracing: Fix memleak due to race between current_tracer and trace")
+Closes: https://lore.kernel.org/all/CAMgjq7BW79KDSCyp+tZHjShSzHsScSiJxn5ffskp-QzVM06fxw@mail.gmail.com/
+Reported-by: Kairui Song <kasong@tencent.com>
+Signed-off-by: Tengda Wu <wutengda@huaweicloud.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_functions_graph.c | 1 +
+ kernel/trace/trace_irqsoff.c | 2 --
+ kernel/trace/trace_sched_wakeup.c | 2 --
+ 3 files changed, 1 insertion(+), 4 deletions(-)
+
+--- a/kernel/trace/trace_functions_graph.c
++++ b/kernel/trace/trace_functions_graph.c
+@@ -1317,6 +1317,7 @@ void graph_trace_close(struct trace_iter
+ if (data) {
+ free_percpu(data->cpu_data);
+ kfree(data);
++ iter->private = NULL;
+ }
+ }
+
+--- a/kernel/trace/trace_irqsoff.c
++++ b/kernel/trace/trace_irqsoff.c
+@@ -231,8 +231,6 @@ static void irqsoff_trace_open(struct tr
+ {
+ if (is_graph(iter->tr))
+ graph_trace_open(iter);
+- else
+- iter->private = NULL;
+ }
+
+ static void irqsoff_trace_close(struct trace_iterator *iter)
+--- a/kernel/trace/trace_sched_wakeup.c
++++ b/kernel/trace/trace_sched_wakeup.c
+@@ -168,8 +168,6 @@ static void wakeup_trace_open(struct tra
+ {
+ if (is_graph(iter->tr))
+ graph_trace_open(iter);
+- else
+- iter->private = NULL;
+ }
+
+ static void wakeup_trace_close(struct trace_iterator *iter)
--- /dev/null
+From 7e6b3fcc9c5294aeafed0dbe1a09a1bc899bd0f2 Mon Sep 17 00:00:00 2001
+From: Ran Xiaokai <ran.xiaokai@zte.com.cn>
+Date: Fri, 21 Mar 2025 09:52:49 +0000
+Subject: tracing/osnoise: Fix possible recursive locking for cpus_read_lock()
+
+From: Ran Xiaokai <ran.xiaokai@zte.com.cn>
+
+commit 7e6b3fcc9c5294aeafed0dbe1a09a1bc899bd0f2 upstream.
+
+Lockdep reports this deadlock log:
+
+osnoise: could not start sampling thread
+============================================
+WARNING: possible recursive locking detected
+--------------------------------------------
+ CPU0
+ ----
+ lock(cpu_hotplug_lock);
+ lock(cpu_hotplug_lock);
+
+ Call Trace:
+ <TASK>
+ print_deadlock_bug+0x282/0x3c0
+ __lock_acquire+0x1610/0x29a0
+ lock_acquire+0xcb/0x2d0
+ cpus_read_lock+0x49/0x120
+ stop_per_cpu_kthreads+0x7/0x60
+ start_kthread+0x103/0x120
+ osnoise_hotplug_workfn+0x5e/0x90
+ process_one_work+0x44f/0xb30
+ worker_thread+0x33e/0x5e0
+ kthread+0x206/0x3b0
+ ret_from_fork+0x31/0x50
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+This is the deadlock scenario:
+osnoise_hotplug_workfn()
+ guard(cpus_read_lock)(); // first lock call
+ start_kthread(cpu)
+ if (IS_ERR(kthread)) {
+ stop_per_cpu_kthreads(); {
+ cpus_read_lock(); // second lock call. Cause the AA deadlock
+ }
+ }
+
+It is not necessary to call stop_per_cpu_kthreads() which stops osnoise
+kthread for every other CPUs in the system if a failure occurs during
+hotplug of a certain CPU.
+For start_per_cpu_kthreads(), if the start_kthread() call fails,
+this function calls stop_per_cpu_kthreads() to handle the error.
+Therefore, similarly, there is no need to call stop_per_cpu_kthreads()
+again within start_kthread().
+So just remove stop_per_cpu_kthreads() from start_kthread to solve this issue.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/20250321095249.2739397-1-ranxiaokai627@163.com
+Fixes: c8895e271f79 ("trace/osnoise: Support hotplug operations")
+Signed-off-by: Ran Xiaokai <ran.xiaokai@zte.com.cn>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_osnoise.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/kernel/trace/trace_osnoise.c
++++ b/kernel/trace/trace_osnoise.c
+@@ -2038,7 +2038,6 @@ static int start_kthread(unsigned int cp
+
+ if (IS_ERR(kthread)) {
+ pr_err(BANNER "could not start sampling thread\n");
+- stop_per_cpu_kthreads();
+ return -ENOMEM;
+ }
+
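Review bot: The error path that remains returns a hard-coded -ENOMEM even though `kthread` is an ERR_PTR carrying the real error from the failed creation; `return PTR_ERR(kthread);` would propagate it to start_per_cpu_kthreads(), which the commit message says is now the sole place handling this failure. This is pre-existing, but the hunk is the only change touching this branch, so it is the natural place to fix it. start_kthread() continues outside the hunk.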