From: Greg Kroah-Hartman
Date: Thu, 28 May 2026 09:51:29 +0000 (+0200)
Subject: 6.12-stable patches
X-Git-Tag: v5.10.258~38
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=049e682496e9d59a4524e14ef20f139660fd15ba;p=thirdparty%2Fkernel%2Fstable-queue.git

6.12-stable patches

added patches:
cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
fs-ntfs3-handle-attr_set_size-errors-when-truncating-files.patch
sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch
sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch
---
diff --git a/queue-6.12/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch b/queue-6.12/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
new file mode 100644
index 0000000000..3faf4d97c4
--- /dev/null
+++ b/queue-6.12/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
@@ -0,0 +1,70 @@
+From stable+bounces-253786-greg=kroah.com@vger.kernel.org Fri May 22 15:18:48 2026
+From: Sasha Levin
+Date: Fri, 22 May 2026 09:03:03 -0400
+Subject: cgroup/cpuset: Reset DL migration state on can_attach() failure
+To: stable@vger.kernel.org
+Cc: Guopeng Zhang , Tejun Heo , Chen Ridong , Waiman Long , Sasha Levin
+Message-ID: <20260522130303.3869136-1-sashal@kernel.org>
+
+From: Guopeng Zhang
+
+[ Upstream commit 4a39eda5fdd867fc39f3c039714dd432cee00268 ]
+
+cpuset_can_attach() accumulates temporary SCHED_DEADLINE migration
+state in the destination cpuset while walking the taskset.
+
+If a later task_can_attach() or security_task_setscheduler() check
+fails, cgroup_migrate_execute() treats cpuset as the failing subsystem
+and does not call cpuset_cancel_attach() for it. The partially
+accumulated state is then left behind and can be consumed by a later
+attach, corrupting cpuset DL task accounting and pending DL bandwidth
+accounting.
+
+Reset the pending DL migration state from the common error exit when
+ret is non-zero. Successful can_attach() keeps the state for
+cpuset_attach() or cpuset_cancel_attach().
+
+Fixes: 2ef269ef1ac0 ("cgroup/cpuset: Free DL BW in case can_attach() fails")
+Cc: stable@vger.kernel.org # v6.10+
+Signed-off-by: Guopeng Zhang
+Signed-off-by: Tejun Heo
+Reviewed-by: Chen Ridong
+Reviewed-by: Waiman Long
+[ omitted upstream context line `cs->dl_bw_cpu = cpu;` ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/cgroup/cpuset.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -2996,16 +2996,13 @@ static int cpuset_can_attach(struct cgro
+ int cpu = cpumask_any_and(cpu_active_mask, cs->effective_cpus);
+
+ if (unlikely(cpu >= nr_cpu_ids)) {
+- reset_migrate_dl_data(cs);
+ ret = -EINVAL;
+ goto out_unlock;
+ }
+
+ ret = dl_bw_alloc(cpu, cs->sum_migrate_dl_bw);
+- if (ret) {
+- reset_migrate_dl_data(cs);
++ if (ret)
+ goto out_unlock;
+- }
+ }
+
+ out_success:
+@@ -3014,7 +3011,10 @@ out_success:
+ * changes which zero cpus/mems_allowed.
+ */
+ cs->attach_in_progress++;
++
+ out_unlock:
++ if (ret)
++ reset_migrate_dl_data(cs);
+ mutex_unlock(&cpuset_mutex);
+ return ret;
+ }
diff --git a/queue-6.12/fs-ntfs3-handle-attr_set_size-errors-when-truncating-files.patch b/queue-6.12/fs-ntfs3-handle-attr_set_size-errors-when-truncating-files.patch
new file mode 100644
index 0000000000..22d4521675
--- /dev/null
+++ b/queue-6.12/fs-ntfs3-handle-attr_set_size-errors-when-truncating-files.patch
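Review bot: The reset at `out_unlock:` now hinges entirely on `ret` being non-zero on every failure path and zero on every path through `out_success:`; the function head where `ret` is initialised and the taskset loop that produces the task_can_attach()/security_task_setscheduler() failures the commit describes both lie outside this hunk, so that invariant cannot be confirmed from the visible lines. A later error path that jumps to `out_unlock` with `ret == 0` would silently keep the partially accumulated DL state, which is exactly the accounting corruption this patch is meant to close. A one-line comment above the new check would record the reason for future readers, e.g. `/* cpuset_cancel_attach() is not called for the failing subsystem; drop any half-accumulated DL migration state here */`.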
@@ -0,0 +1,69 @@
+From lanbincn@139.com Thu May 28 05:23:36 2026
+From: Bin Lan
+Date: Thu, 28 May 2026 11:23:27 +0800
+Subject: fs/ntfs3: handle attr_set_size() errors when truncating files
+To: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Konstantin Komarov , Bin Lan
+Message-ID: <20260528032327.58596-1-lanbincn@139.com>
+
+From: Konstantin Komarov
+
+[ Upstream commit 576248a34b927e93b2fd3fff7df735ba73ad7d01 ]
+
+If attr_set_size() fails while truncating down, the error is silently
+ignored and the inode may be left in an inconsistent state.
+
+Signed-off-by: Konstantin Komarov
+[ Minor context conflict resolved. ]
+Signed-off-by: Bin Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ntfs3/file.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/fs/ntfs3/file.c
++++ b/fs/ntfs3/file.c
+@@ -500,8 +500,8 @@ static int ntfs_truncate(struct inode *i
+ {
+ struct super_block *sb = inode->i_sb;
+ struct ntfs_inode *ni = ntfs_i(inode);
+- int err, dirty = 0;
+ u64 new_valid;
++ int err;
+
+ if (!S_ISREG(inode->i_mode))
+ return 0;
+@@ -517,7 +517,6 @@ static int ntfs_truncate(struct inode *i
+ }
+
+ new_valid = ntfs_up_block(sb, min_t(u64, ni->i_valid, new_size));
+-
+ truncate_setsize(inode, new_size);
+
+ ni_lock(ni);
+@@ -531,22 +530,19 @@ static int ntfs_truncate(struct inode *i
+ ni->i_valid = new_valid;
+
+ ni_unlock(ni);
++ if (unlikely(err))
++ return err;
+
+ ni->std_fa |= FILE_ATTRIBUTE_ARCHIVE;
+ inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
+ if (!IS_DIRSYNC(inode)) {
+- dirty = 1;
++ mark_inode_dirty(inode);
+ } else {
+ err = ntfs_sync_inode(inode);
+ if (err)
+ return err;
+ }
+
+- if (dirty)
+- mark_inode_dirty(inode);
+-
+- /*ntfs_flush_inodes(inode->i_sb, inode, NULL);*/
+-
+ return 0;
+ }
+
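Review bot: The new `if (unlikely(err)) return err;` is placed after the unchanged context line `ni->i_valid = new_valid;`, so the in-memory valid-data length is still moved to the truncated value even when the size change reported failure; the call that assigns `err` sits in the gap between the second and third hunks and is not visible here, so the exact ordering is inferred from the hunk context. `truncate_setsize(inode, new_size)` has also already run before `ni_lock(ni)`, so on failure the caller now sees the error while `i_size` is already shrunk — an improvement over silently ignoring it, but still the partial state the commit message warns about. Worth checking whether the valid-size update should be conditional, e.g. `if (!err) ni->i_valid = new_valid;`, or else a comment on the early return stating that `i_size` has intentionally already been truncated at that point.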
diff --git a/queue-6.12/sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch b/queue-6.12/sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch
new file mode 100644
index 0000000000..582679fede
--- /dev/null
+++ b/queue-6.12/sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch
@@ -0,0 +1,45 @@
+From stable+bounces-253589-greg=kroah.com@vger.kernel.org Thu May 21 17:28:04 2026
+From: Sasha Levin
+Date: Thu, 21 May 2026 10:52:11 -0400
+Subject: sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path
+To: stable@vger.kernel.org
+Cc: Tejun Heo , Sashiko , Sasha Levin
+Message-ID: <20260521145211.1316611-2-sashal@kernel.org>
+
+From: Tejun Heo
+
+[ Upstream commit 9a415cc53711f2238e0f0ca8a6bcc796c003b127 ]
+
+In scx_root_enable_workfn(), put_task_struct(p) is called before scx_error()
+dereferences p->comm and p->pid. If the iterator's reference is the last
+drop, the task is freed synchronously and the deref becomes a UAF.
+
+Move put_task_struct() past scx_error().
+
+Reported-by: Sashiko
+Closes: https://lore.kernel.org/all/20260511214031.AF5E9C2BCB0@smtp.kernel.org/
+Fixes: f0e1a0643a59 ("sched_ext: Implement BPF extensible scheduler class")
+Cc: stable@vger.kernel.org # v6.12+
+Signed-off-by: Tejun Heo
+[ adapted fix to pre-refactor scx_ops_enable_workfn() with scx_task_iter_relock() instead of upstream scx_root_enable_workfn() ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/ext.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -5406,11 +5406,11 @@ static void scx_ops_enable_workfn(struct
+
+ ret = scx_ops_init_task(p, task_group(p), false);
+ if (ret) {
+- put_task_struct(p);
+ scx_task_iter_relock(&sti);
+ scx_task_iter_stop(&sti);
+ scx_ops_error("ops.init_task() failed (%d) for %s[%d]",
+ ret, p->comm, p->pid);
++ put_task_struct(p);
+ goto err_disable_unlock_all;
+ }
+
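Review bot: The corrected lifetime is carried only by line order: `put_task_struct(p);` now follows the `scx_ops_error()` call that reads `p->comm` and `p->pid`, and nothing in the code says the position matters, so a later cleanup could hoist it back above `scx_task_iter_relock(&sti)` and reintroduce the use-after-free. A one-line comment would pin it, e.g. `/* p is still read by scx_ops_error() above; drop the iterator's reference only afterwards */`. The backport note says this tree uses `scx_task_iter_relock()` rather than the upstream function, so the iterator/lock sequence around the moved line differs from upstream; the enclosing `scx_ops_enable_workfn()` starts and ends outside the hunk.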
diff --git a/queue-6.12/sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch b/queue-6.12/sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch
new file mode 100644
index 0000000000..1e6ee528cb
--- /dev/null
+++ b/queue-6.12/sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch
@@ -0,0 +1,57 @@
+From stable+bounces-253588-greg=kroah.com@vger.kernel.org Thu May 21 17:56:07 2026
+From: Sasha Levin
+Date: Thu, 21 May 2026 10:52:10 -0400
+Subject: sched_ext: Fix missing warning in scx_set_task_state() default case
+To: stable@vger.kernel.org
+Cc: Samuele Mariotti , Paolo Valente , Andrea Righi , Tejun Heo , Sasha Levin
+Message-ID: <20260521145211.1316611-1-sashal@kernel.org>
+
+From: Samuele Mariotti
+
+[ Upstream commit b905ee77d5f557a83a485b4146210f54f13365fc ]
+
+In scx_set_task_state(), the default case was setting the
+warn flag, but then returning immediately. This is problematic
+because the only purpose of the warn flag is to trigger
+WARN_ONCE, but the early return prevented it from ever firing,
+leaving invalid task states undetected and untraced.
+
+To fix this, a WARN_ONCE call is now added directly in the
+default case.
+
+The fix addresses two aspects:
+
+ - Guarantees the invalid task states are properly logged
+ and traced.
+
+ - Provides a distinct warning message
+ ("sched_ext: Invalid task state") specifically for
+ states outside the defined scx_task_state enum values,
+ making it easier to distinguish from other transition
+ warnings.
+
+This ensures proper detection and reporting of invalid states.
+
+Signed-off-by: Samuele Mariotti
+Signed-off-by: Paolo Valente
+Reviewed-by: Andrea Righi
+Signed-off-by: Tejun Heo
+Stable-dep-of: 9a415cc53711 ("sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/ext.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -3637,7 +3637,8 @@ static void scx_set_task_state(struct ta
+ warn = prev_state != SCX_TASK_READY;
+ break;
+ default:
+- warn = true;
++ WARN_ONCE(1, "sched_ext: Invalid task state %d -> %d for %s[%d]",
++ prev_state, state, p->comm, p->pid);
+ return;
+ }
+
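Review bot: The `default:` arm still executes `return;` immediately after the new `WARN_ONCE()`, so for an out-of-range `state` nothing after the `switch` runs; the commit message says the invalid state is now "logged and traced", but within this hunk only the warning fires, and whether a tracepoint follows the switch is outside the visible lines. If skipping the rest of the function is the intended behaviour for an invalid state, a short comment would make it explicit, e.g. `/* invalid state: report once, then bail out */`. The `%d` conversions also assume `prev_state` and `state` are int-compatible enum values, which the hunk does not show; the enclosing `scx_set_task_state()` starts and ends outside it.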
diff --git a/queue-6.12/series b/queue-6.12/series
index 6de5135af1..5b70e717d1 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -74,3 +74,7 @@ netfilter-ip6t_hbh-reject-oversized-option-lists.patch
 netfilter-nf_queue-hold-bridge-skb-dev-while-queued.patch
 netfilter-ipset-stop-hash-range-iteration-at-end.patch
 netfilter-nft_inner-fix-ipv6-inner_thoff-desync.patch
+sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch
+sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch
+cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
+fs-ntfs3-handle-attr_set_size-errors-when-truncating-files.patch