--- /dev/null
+From 580a795105dae2ef1622df72a27a8fb0605e2f6b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 24 Apr 2026 17:31:26 +0200
+Subject: driver core: faux: fix root device registration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 580a795105dae2ef1622df72a27a8fb0605e2f6b upstream.
+
+A recent change made the faux bus root device be allocated dynamically
+but failed to provide a release function to free the memory when the
+last reference is dropped (on theoretical failure to register the device
+or bus).
+
+Fix this by using root_device_register() instead of open coding.
+
+Also add the missing sanity check when registering faux devices to avoid
+use-after-free if the bus failed to register (which would previously
+have triggered a bunch of use-after-free warnings).
+
+Fixes: 61b76d07d2b4 ("driver core: faux: stop using static struct device")
+Cc: stable@vger.kernel.org # 7.0
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260424153127.2647405-2-johan@kernel.org
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/faux.c | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+--- a/drivers/base/faux.c
++++ b/drivers/base/faux.c
+@@ -133,6 +133,9 @@ struct faux_device *faux_device_create_w
+ struct device *dev;
+ int ret;
+
++ if (!faux_bus_root)
++ return NULL;
++
+ faux_obj = kzalloc_obj(*faux_obj);
+ if (!faux_obj)
+ return NULL;
+@@ -232,19 +235,12 @@ EXPORT_SYMBOL_GPL(faux_device_destroy);
+
+ int __init faux_bus_init(void)
+ {
++ struct device *root;
+ int ret;
+
+- faux_bus_root = kzalloc_obj(*faux_bus_root);
+- if (!faux_bus_root)
+- return -ENOMEM;
+-
+- dev_set_name(faux_bus_root, "faux");
+-
+- ret = device_register(faux_bus_root);
+- if (ret) {
+- put_device(faux_bus_root);
+- return ret;
+- }
++ root = root_device_register("faux");
++ if (IS_ERR(root))
++ return PTR_ERR(root);
+
+ ret = bus_register(&faux_bus_type);
+ if (ret)
+@@ -254,12 +250,14 @@ int __init faux_bus_init(void)
+ if (ret)
+ goto error_driver;
+
++ faux_bus_root = root;
++
+ return ret;
+
+ error_driver:
+ bus_unregister(&faux_bus_type);
+
+ error_bus:
+- device_unregister(faux_bus_root);
++ root_device_unregister(root);
+ return ret;
+ }
--- /dev/null
+From 36f35b8df6972167102a1c3d4361e0afb6a84534 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 30 Apr 2026 11:17:18 +0200
+Subject: driver core: reject devices with unregistered buses
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 36f35b8df6972167102a1c3d4361e0afb6a84534 upstream.
+
+Trying to register a device on a bus which has not yet been registered
+used to trigger a NULL-pointer dereference, but since the const bus
+structure rework registration instead succeeds without the device being
+added to the bus.
+
+This specifically means that the device will never bind to a driver and
+that the bus sysfs attributes are not created (i.e. as if the device had
+no bus).
+
+Reject devices with unregistered buses to catch any callers that get
+the ordering wrong and to handle bus registration failures more
+gracefully.
+
+Fixes: 5221b82d46f2 ("driver core: bus: bus_add/probe/remove_device() cleanups")
+Cc: stable@vger.kernel.org # 6.3
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260430091718.230228-1-johan@kernel.org
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/bus.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -544,10 +544,10 @@ static const struct attribute_group driv
+ */
+ int bus_add_device(struct device *dev)
+ {
+- struct subsys_private *sp = bus_to_subsys(dev->bus);
++ struct subsys_private *sp;
+ int error;
+
+- if (!sp) {
++ if (!dev->bus) {
+ /*
+ * This is a normal operation for many devices that do not
+ * have a bus assigned to them, just say that all went
+@@ -556,6 +556,13 @@ int bus_add_device(struct device *dev)
+ return 0;
+ }
+
++ sp = bus_to_subsys(dev->bus);
++ if (!sp) {
++ pr_err("%s: cannot add device '%s' to unregistered bus '%s'\n",
++ __func__, dev_name(dev), dev->bus->name);
++ return -EINVAL;
++ }
++
+ /*
+ * Reference in sp is now incremented and will be dropped when
+ * the device is removed from the bus
--- /dev/null
+From stable+bounces-263195-greg=kroah.com@vger.kernel.org Mon Jun 15 15:05:11 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2026 09:04:08 -0400
+Subject: netfilter: nft_fib: fix stale stack leak via the OIFNAME register
+To: stable@vger.kernel.org
+Cc: Davide Ornaghi <d.ornaghi97@gmail.com>, Florian Westphal <fw@strlen.de>, Pablo Neira Ayuso <pablo@netfilter.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260615130408.2055029-1-sashal@kernel.org>
+
+From: Davide Ornaghi <d.ornaghi97@gmail.com>
+
+[ Upstream commit ab185e0c4fb82dfba6fb86f8271e06f931d9c64c ]
+
+For NFT_FIB_RESULT_OIFNAME the destination register is declared with
+len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail,
+RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one
+register via "*dest = 0". The remaining three registers are left as
+whatever was on the stack in nft_do_chain()'s struct nft_regs, and a
+downstream expression that loads the register span can leak that
+uninitialised kernel stack to userspace.
+
+The NFTA_FIB_F_PRESENT existence check has the same shape: it is only
+meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type
+while the eval stores a single byte via nft_reg_store8(), leaving the rest
+of the declared span stale.
+
+Fix both:
+
+ - replace the bare "*dest = 0" in the eval with nft_fib_store_result(),
+ which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already
+ used on the other early-return path), and
+
+ - restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its
+ destination as a single u8, so the marked span matches the one byte
+ the eval writes.
+
+Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
+Suggested-by: Florian Westphal <fw@strlen.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+[ kept the tree's older `ip6_route_lookup()`/`rt6_info` IPv6 context and changed only `*dest = 0;` to `nft_fib_store_result(dest, priv, NULL);` ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/netfilter/nft_fib_ipv4.c | 2 +-
+ net/ipv6/netfilter/nft_fib_ipv6.c | 2 +-
+ net/netfilter/nft_fib.c | 6 ++++++
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/nft_fib_ipv4.c
++++ b/net/ipv4/netfilter/nft_fib_ipv4.c
+@@ -128,7 +128,7 @@ void nft_fib4_eval(const struct nft_expr
+ fl4.saddr = get_saddr(iph->daddr);
+ }
+
+- *dest = 0;
++ nft_fib_store_result(dest, priv, NULL);
+
+ if (fib_lookup(nft_net(pkt), &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
+ return;
+--- a/net/ipv6/netfilter/nft_fib_ipv6.c
++++ b/net/ipv6/netfilter/nft_fib_ipv6.c
+@@ -192,7 +192,7 @@ void nft_fib6_eval(const struct nft_expr
+
+ lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph);
+
+- *dest = 0;
++ nft_fib_store_result(dest, priv, NULL);
+ rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, pkt->skb,
+ lookup_flags);
+ if (rt->dst.error)
+--- a/net/netfilter/nft_fib.c
++++ b/net/netfilter/nft_fib.c
+@@ -107,6 +107,12 @@ int nft_fib_init(const struct nft_ctx *c
+ return -EINVAL;
+ }
+
++ if (priv->flags & NFTA_FIB_F_PRESENT) {
++ if (priv->result != NFT_FIB_RESULT_OIF)
++ return -EINVAL;
++ len = sizeof(u8);
++ }
++
+ err = nft_parse_register_store(ctx, tb[NFTA_FIB_DREG], &priv->dreg,
+ NULL, NFT_DATA_VALUE, len);
+ if (err < 0)
--- /dev/null
+From badad6fad60def1b9805559dd81dbab3d97b82aa Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Thu, 4 Jun 2026 15:03:13 -0300
+Subject: RDMA: During rereg_mr ensure that REREG_ACCESS is compatible
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit badad6fad60def1b9805559dd81dbab3d97b82aa upstream.
+
+If IB_MR_REREG_ACCESS changes from RO to RW then the umem has to be
+re-evaluated to ensure it is properly pinned as RW. Since the umem is
+hidden inside each driver's mr struct add a ib_umem_check_rereg() function
+that each driver has to call before processing IB_MR_REREG_ACCESS.
+
+mlx4 has to retain its duplicate ib_access_writable check because it
+implements IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS by changing both items
+in place sequentially while the MR is live, so it will continue to not
+support this combination.
+
+Cc: stable@vger.kernel.org
+Fixes: b40656aa7d55 ("RDMA/umem: remove FOLL_FORCE usage")
+Link: https://patch.msgid.link/r/0-v1-06fb1a2d6cf5+107-rereg_access_jgg@nvidia.com
+Reported-by: Philip Tsukerman <philiptsukerman@gmail.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/umem.c | 16 ++++++++++++++++
+ drivers/infiniband/hw/hns/hns_roce_mr.c | 4 ++++
+ drivers/infiniband/hw/irdma/verbs.c | 4 ++++
+ drivers/infiniband/hw/mlx4/mr.c | 4 ++++
+ drivers/infiniband/hw/mlx5/mr.c | 4 ++++
+ drivers/infiniband/sw/rxe/rxe_verbs.c | 5 +++++
+ include/rdma/ib_umem.h | 8 ++++++++
+ 7 files changed, 45 insertions(+)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -332,3 +332,19 @@ int ib_umem_copy_from(void *dst, struct
+ return 0;
+ }
+ EXPORT_SYMBOL(ib_umem_copy_from);
++
++/*
++ * Called during rereg mr if the driver is able to re-use a umem for
++ * IB_MR_REREG_ACCESS.
++ */
++int ib_umem_check_rereg(struct ib_umem *umem, int flags, int new_access_flags)
++{
++ if (!umem)
++ return 0;
++
++ if ((flags & IB_MR_REREG_ACCESS) && !(flags & IB_MR_REREG_TRANS))
++ if (ib_access_writable(new_access_flags) && !umem->writable)
++ return -EACCES;
++ return 0;
++}
++EXPORT_SYMBOL(ib_umem_check_rereg);
+--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
+@@ -300,6 +300,10 @@ struct ib_mr *hns_roce_rereg_user_mr(str
+ goto err_out;
+ }
+
++ ret = ib_umem_check_rereg(mr->pbl_mtr.umem, flags, mr_access_flags);
++ if (ret)
++ goto err_out;
++
+ mailbox = hns_roce_alloc_cmd_mailbox(hr_dev);
+ ret = PTR_ERR_OR_ZERO(mailbox);
+ if (ret)
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -3759,6 +3759,10 @@ static struct ib_mr *irdma_rereg_user_mr
+ if (flags & ~(IB_MR_REREG_TRANS | IB_MR_REREG_PD | IB_MR_REREG_ACCESS))
+ return ERR_PTR(-EOPNOTSUPP);
+
++ ret = ib_umem_check_rereg(iwmr->region, flags, new_access);
++ if (ret)
++ return ERR_PTR(ret);
++
+ ret = irdma_hwdereg_mr(ib_mr);
+ if (ret)
+ return ERR_PTR(ret);
+--- a/drivers/infiniband/hw/mlx4/mr.c
++++ b/drivers/infiniband/hw/mlx4/mr.c
+@@ -208,6 +208,10 @@ struct ib_mr *mlx4_ib_rereg_user_mr(stru
+ struct mlx4_mpt_entry **pmpt_entry = &mpt_entry;
+ int err;
+
++ err = ib_umem_check_rereg(mmr->umem, flags, mr_access_flags);
++ if (err)
++ return ERR_PTR(err);
++
+ /* Since we synchronize this call and mlx4_ib_dereg_mr via uverbs,
+ * we assume that the calls can't run concurrently. Otherwise, a
+ * race exists.
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -1895,6 +1895,10 @@ struct ib_mr *mlx5_ib_rereg_user_mr(stru
+ if (flags & ~(IB_MR_REREG_TRANS | IB_MR_REREG_PD | IB_MR_REREG_ACCESS))
+ return ERR_PTR(-EOPNOTSUPP);
+
++ err = ib_umem_check_rereg(mr->umem, flags, new_access_flags);
++ if (err)
++ return ERR_PTR(err);
++
+ if (!(flags & IB_MR_REREG_ACCESS))
+ new_access_flags = mr->access_flags;
+ if (!(flags & IB_MR_REREG_PD))
+--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
+@@ -1332,6 +1332,7 @@ static struct ib_mr *rxe_rereg_user_mr(s
+ struct rxe_mr *mr = to_rmr(ibmr);
+ struct rxe_pd *old_pd = to_rpd(ibmr->pd);
+ struct rxe_pd *pd = to_rpd(ibpd);
++ int err;
+
+ /* for now only support the two easy cases:
+ * rereg_pd and rereg_access
+@@ -1341,6 +1342,10 @@ static struct ib_mr *rxe_rereg_user_mr(s
+ return ERR_PTR(-EOPNOTSUPP);
+ }
+
++ err = ib_umem_check_rereg(mr->umem, flags, access);
++ if (err)
++ return ERR_PTR(err);
++
+ if (flags & IB_MR_REREG_PD) {
+ rxe_put(old_pd);
+ rxe_get(pd);
+--- a/include/rdma/ib_umem.h
++++ b/include/rdma/ib_umem.h
+@@ -179,6 +179,8 @@ void ib_umem_dmabuf_unmap_pages(struct i
+ void ib_umem_dmabuf_release(struct ib_umem_dmabuf *umem_dmabuf);
+ void ib_umem_dmabuf_revoke(struct ib_umem_dmabuf *umem_dmabuf);
+
++int ib_umem_check_rereg(struct ib_umem *umem, int flags, int new_access_flags);
++
+ #else /* CONFIG_INFINIBAND_USER_MEM */
+
+ #include <linux/err.h>
+@@ -239,5 +241,11 @@ static inline void ib_umem_dmabuf_unmap_
+ static inline void ib_umem_dmabuf_release(struct ib_umem_dmabuf *umem_dmabuf) { }
+ static inline void ib_umem_dmabuf_revoke(struct ib_umem_dmabuf *umem_dmabuf) {}
+
++static inline int ib_umem_check_rereg(struct ib_umem *umem, int flags,
++ int new_access_flags)
++{
++ return -EOPNOTSUPP;
++}
++
+ #endif /* CONFIG_INFINIBAND_USER_MEM */
+ #endif /* IB_UMEM_H */
--- /dev/null
+From stable+bounces-263327-greg=kroah.com@vger.kernel.org Mon Jun 15 17:41:18 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Jun 2026 11:37:32 -0400
+Subject: sched_ext: Don't warn on NULL cgrp_moving_from in scx_cgroup_move_task()
+To: stable@vger.kernel.org
+Cc: Tejun Heo <tj@kernel.org>, Matt Fleming <mfleming@cloudflare.com>, Andrea Righi <arighi@nvidia.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260615153732.2213055-1-sashal@kernel.org>
+
+From: Tejun Heo <tj@kernel.org>
+
+[ Upstream commit 02e545c4297a26dbbc41df81b831e7f605bcd306 ]
+
+A WARN fires when systemd's user manager writes "+cpu +memory +pids" to
+its own subtree_control while a sched_ext scheduler is loaded:
+
+ WARNING: at kernel/sched/ext.c:3227 scx_cgroup_move_task+0xa8/0xb0
+ scx_cgroup_move_task+0xa8/0xb0
+ sched_move_task+0x134/0x290
+ cpu_cgroup_attach+0x39/0x70
+ cgroup_migrate_execute+0x37d/0x450
+ cgroup_update_dfl_csses+0x1e3/0x270
+ cgroup_subtree_control_write+0x3e7/0x440
+
+scx_cgroup_can_attach() arms cgrp_moving_from only when a task's cpu
+cgroup changes. It can still be NULL when scx_cgroup_move_task() runs,
+through this sequence:
+
+ Step Result
+ --------------------------------- ----------------------------------
+ 1. cpu enabled on cgroup G cpu css = A
+ 2. cpu toggled off then on for G A killed, B created (same cgroup)
+ 3. an exiting task keeps A alive migration skips it, A now stale
+ 4. +memory migrates G stale A vs current B pulls cpu in
+ 5. cpu attach runs for all tasks hits a live, cpu-unchanged task
+ 6. scx_cgroup_move_task() on it cgrp_moving_from NULL -> WARN
+
+The mismatch is that scx_cgroup_can_attach() keys on cgroup identity
+while migration drives the move on css identity, so a NULL cgrp_moving_from
+here is a legitimate css-only migration, not a missing prep.
+
+The call is already gated on cgrp_moving_from, so just drop the warning.
+ops.cgroup_prep_move() and ops.cgroup_move() stay paired.
+
+Fixes: 819513666966 ("sched_ext: Add cgroup support")
+Cc: stable@vger.kernel.org # v6.12+
+Reported-by: Matt Fleming <mfleming@cloudflare.com>
+Closes: https://lore.kernel.org/all/20260601124156.2205704-1-mfleming@cloudflare.com/
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reviewed-by: Andrea Righi <arighi@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/ext.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -3402,11 +3402,13 @@ void scx_cgroup_move_task(struct task_st
+ return;
+
+ /*
+- * @p must have ops.cgroup_prep_move() called on it and thus
+- * cgrp_moving_from set.
++ * scx_cgroup_can_attach() sets cgrp_moving_from only when the task's
++ * cgroup changes. Migration keys off css rather than cgroup identity,
++ * so it can hand an unchanged-cgroup task here with cgrp_moving_from
++ * NULL. Nothing to report to the BPF scheduler then, so skip it and
++ * keep prep_move and move paired.
+ */
+- if (SCX_HAS_OP(sch, cgroup_move) &&
+- !WARN_ON_ONCE(!p->scx.cgrp_moving_from))
++ if (SCX_HAS_OP(sch, cgroup_move) && p->scx.cgrp_moving_from)
+ SCX_CALL_OP_TASK(sch, SCX_KF_REST, cgroup_move, task_rq(p),
+ p, p->scx.cgrp_moving_from,
+ tg_cgrp(task_group(p)));
drm-amd-display-fix-out-of-bounds-read-in-dp_get_eq_aux_rd_interval.patch
drm-amd-display-use-krealloc_array-in-dal_vector_reserve.patch
fs-fcntl-fix-softirq-unsafe-lock-order-in-fasync-signaling.patch
+driver-core-faux-fix-root-device-registration.patch
+driver-core-reject-devices-with-unregistered-buses.patch
+rdma-during-rereg_mr-ensure-that-rereg_access-is-compatible.patch
+netfilter-nft_fib-fix-stale-stack-leak-via-the-oifname-register.patch
+sched_ext-don-t-warn-on-null-cgrp_moving_from-in-scx_cgroup_move_task.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
