From: Greg Kroah-Hartman Date: Thu, 16 Oct 2025 12:06:08 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.15.195~85 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6eadece6656028e06353c0333e7e47297afddcfc;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: blk-crypto-fix-missing-blktrace-bio-split-events.patch btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
---
diff --git a/queue-6.1/blk-crypto-fix-missing-blktrace-bio-split-events.patch b/queue-6.1/blk-crypto-fix-missing-blktrace-bio-split-events.patch
new file mode 100644
index 0000000000..40ad6f87e6
--- /dev/null
+++ b/queue-6.1/blk-crypto-fix-missing-blktrace-bio-split-events.patch
@@ -0,0 +1,43 @@
+From 06d712d297649f48ebf1381d19bd24e942813b37 Mon Sep 17 00:00:00 2001
+From: Yu Kuai
+Date: Wed, 10 Sep 2025 14:30:45 +0800
+Subject: blk-crypto: fix missing blktrace bio split events
+
+From: Yu Kuai
+
+commit 06d712d297649f48ebf1381d19bd24e942813b37 upstream.
+
+trace_block_split() is missing, resulting in blktrace inability to catch
+BIO split events and making it harder to analyze the BIO sequence.
+
+Cc: stable@vger.kernel.org
+Fixes: 488f6682c832 ("block: blk-crypto-fallback for Inline Encryption")
+Signed-off-by: Yu Kuai
+Reviewed-by: Bart Van Assche
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/blk-crypto-fallback.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/block/blk-crypto-fallback.c
++++ b/block/blk-crypto-fallback.c
+@@ -18,6 +18,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "blk-cgroup.h"
+ #include "blk-crypto-internal.h"
+@@ -229,7 +230,9 @@ static bool blk_crypto_fallback_split_bi
+ bio->bi_status = BLK_STS_RESOURCE;
+ return false;
+ }
++
+ bio_chain(split_bio, bio);
++ trace_block_split(split_bio, bio->bi_iter.bi_sector);
+ submit_bio_noacct(bio);
+ *bio_ptr = split_bio;
+ }
diff --git a/queue-6.1/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch b/queue-6.1/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
new file mode 100644
index 0000000000..ba5e52234c
--- /dev/null
+++ b/queue-6.1/btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
@@ -0,0 +1,71 @@
+From dff4f9ff5d7f289e4545cc936362e01ed3252742 Mon Sep 17 00:00:00 2001
+From: Anderson Nascimento
+Date: Mon, 8 Sep 2025 09:49:02 -0300
+Subject: btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
+
+From: Anderson Nascimento
+
+commit dff4f9ff5d7f289e4545cc936362e01ed3252742 upstream.
+
+The function btrfs_encode_fh() does not properly account for the three
+cases it handles.
+
+Before writing to the file handle (fh), the function only returns to the
+user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
+BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).
+
+However, when a parent exists and the root ID of the parent and the
+inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
+(10 dwords, 40 bytes).
+
+If *max_len is not large enough, this write goes out of bounds because
+BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
+BTRFS_FID_SIZE_CONNECTABLE originally returned.
+
+This results in an 8-byte out-of-bounds write at
+fid->parent_root_objectid = parent_root_id.
+
+A previous attempt to fix this issue was made but was lost.
+
+https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/
+
+Although this issue does not seem to be easily triggerable, it is a
+potential memory corruption bug that should be fixed. This patch
+resolves the issue by ensuring the function returns the appropriate size
+for all three cases and validates that *max_len is large enough before
+writing any data.
+
+Fixes: be6e8dc0ba84 ("NFS support for btrfs - v3")
+CC: stable@vger.kernel.org # 3.0+
+Signed-off-by: Anderson Nascimento
+Reviewed-by: David Sterba
+Signed-off-by: David Sterba
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/btrfs/export.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/export.c
++++ b/fs/btrfs/export.c
+@@ -22,7 +22,11 @@ static int btrfs_encode_fh(struct inode
+ int type;
+
+ if (parent && (len < BTRFS_FID_SIZE_CONNECTABLE)) {
+- *max_len = BTRFS_FID_SIZE_CONNECTABLE;
++ if (btrfs_root_id(BTRFS_I(inode)->root) !=
++ btrfs_root_id(BTRFS_I(parent)->root))
++ *max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
++ else
++ *max_len = BTRFS_FID_SIZE_CONNECTABLE;
+ return FILEID_INVALID;
+ } else if (len < BTRFS_FID_SIZE_NON_CONNECTABLE) {
+ *max_len = BTRFS_FID_SIZE_NON_CONNECTABLE;
+@@ -44,6 +48,8 @@ static int btrfs_encode_fh(struct inode
+ parent_root_id = BTRFS_I(parent)->root->root_key.objectid;
+
+ if (parent_root_id != fid->root_objectid) {
++ if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT)
++ return FILEID_INVALID;
+ fid->parent_root_objectid = parent_root_id;
+ len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
+ type = FILEID_BTRFS_WITH_PARENT_ROOT;
diff --git a/queue-6.1/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch b/queue-6.1/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
new file mode 100644
index 0000000000..1c04792496
--- /dev/null
+++ b/queue-6.1/bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
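Review bot: The late guard added in the second export.c hunk, `if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT) return FILEID_INVALID;`, rejects the short buffer but leaves `*max_len` unchanged, whereas the early checks in the first hunk store the required size before returning FILEID_INVALID. A caller whose buffer is at least BTRFS_FID_SIZE_CONNECTABLE but smaller than BTRFS_FID_SIZE_CONNECTABLE_ROOT passes the early check and lands on this path, so it is told the handle is invalid without learning what size to retry with; adding `*max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;` before the return would make the two paths consistent. Separately, the first hunk calls `btrfs_root_id()` while the unchanged context in the second hunk still reads `root->root_key.objectid` directly, so it is worth confirming that the helper exists in the 6.1 tree before this is queued. Both hunks show only part of btrfs_encode_fh(), so the relationship between `len` and `*max_len` is inferred from the visible lines.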
@@ -0,0 +1,53 @@
+From d0856a6dff57f95cc5d2d74e50880f01697d0cc4 Mon Sep 17 00:00:00 2001
+From: Adam Xue
+Date: Fri, 5 Sep 2025 10:41:18 -0700
+Subject: bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup()
+
+From: Adam Xue
+
+commit d0856a6dff57f95cc5d2d74e50880f01697d0cc4 upstream.
+
+In mhi_init_irq_setup, the device pointer used for dev_err() was not
+initialized. Use the pointer from mhi_cntrl instead.
+
+Fixes: b0fc0167f254 ("bus: mhi: core: Allow shared IRQ for event rings")
+Fixes: 3000f85b8f47 ("bus: mhi: core: Add support for basic PM operations")
+Signed-off-by: Adam Xue
+[mani: reworded subject/description and CCed stable]
+Signed-off-by: Manivannan Sadhasivam
+Reviewed-by: Krishna Chaitanya Chundru
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250905174118.38512-1-zxue@semtech.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bus/mhi/host/init.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/mhi/host/init.c
++++ b/drivers/bus/mhi/host/init.c
+@@ -164,7 +164,6 @@ void mhi_deinit_free_irq(struct mhi_cont
+ int mhi_init_irq_setup(struct mhi_controller *mhi_cntrl)
+ {
+ struct mhi_event *mhi_event = mhi_cntrl->mhi_event;
+- struct device *dev = &mhi_cntrl->mhi_dev->dev;
+ unsigned long irq_flags = IRQF_SHARED | IRQF_NO_SUSPEND;
+ int i, ret;
+
+@@ -191,7 +190,7 @@ int mhi_init_irq_setup(struct mhi_contro
+ continue;
+
+ if (mhi_event->irq >= mhi_cntrl->nr_irqs) {
+- dev_err(dev, "irq %d not available for event ring\n",
++ dev_err(mhi_cntrl->cntrl_dev, "irq %d not available for event ring\n",
+ mhi_event->irq);
+ ret = -EINVAL;
+ goto error_request;
+@@ -202,7 +201,7 @@ int mhi_init_irq_setup(struct mhi_contro
+ irq_flags,
+ "mhi", mhi_event);
+ if (ret) {
+- dev_err(dev, "Error requesting irq:%d for ev:%d\n",
++ dev_err(mhi_cntrl->cntrl_dev, "Error requesting irq:%d for ev:%d\n",
+ mhi_cntrl->irq[mhi_event->irq], i);
+ goto error_request;
+ }
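Review bot: Both dev_err() calls in mhi_init_irq_setup() now spell out `mhi_cntrl->cntrl_dev`, which makes those lines noticeably longer than the surrounding code; keeping the local and changing only its initializer, `struct device *dev = mhi_cntrl->cntrl_dev;`, would deliver the same fix as a one-line change and leave both call sites untouched. The removed initializer went through `mhi_cntrl->mhi_dev`, which the description says is not initialized at this point, so a short comment such as `/* mhi_dev is not set up yet here; log against the controller device */` would help keep a later cleanup from reintroducing it. The function continues outside the hunks shown, so any other use of `dev` further down cannot be checked from here.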
diff --git a/queue-6.1/series b/queue-6.1/series
index b96e02b219..0450d3c6e4 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -67,3 +67,6 @@ media-mc-fix-must_connect-handling-for-pads-with-no-links.patch
 media-pci-ivtv-add-missing-check-after-dma-map.patch
 media-lirc-fix-error-handling-in-lirc_register.patch
 drm-nouveau-fix-bad-ret-code-in-nouveau_bo_move_prep.patch
+blk-crypto-fix-missing-blktrace-bio-split-events.patch
+btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
+bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch