From: Greg Kroah-Hartman
Date: Mon, 30 Mar 2026 10:04:32 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v6.6.131~40
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6f48e562040bcb4864960e40d157e367fdb8b433;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
alarmtimer-fix-argument-order-in-alarm_timer_forward.patch
jbd2-gracefully-abort-on-checkpointing-state-corruptions.patch
scsi-ibmvfc-fix-oob-access-in-ibmvfc_discover_targets_done.patch
scsi-ses-handle-positive-scsi-error-from-ses_recv_diag.patch
xfs-stop-reclaim-before-pushing-ail-during-unmount.patch
---

diff --git a/queue-5.15/alarmtimer-fix-argument-order-in-alarm_timer_forward.patch b/queue-5.15/alarmtimer-fix-argument-order-in-alarm_timer_forward.patch
new file mode 100644
index 0000000000..95d9831ac9
--- /dev/null
+++ b/queue-5.15/alarmtimer-fix-argument-order-in-alarm_timer_forward.patch
@@ -0,0 +1,51 @@
+From 5d16467ae56343b9205caedf85e3a131e0914ad8 Mon Sep 17 00:00:00 2001
+From: Zhan Xusheng
+Date: Mon, 23 Mar 2026 14:11:30 +0800
+Subject: alarmtimer: Fix argument order in alarm_timer_forward()
+
+From: Zhan Xusheng
+
+commit 5d16467ae56343b9205caedf85e3a131e0914ad8 upstream.
+
+alarm_timer_forward() passes arguments to alarm_forward() in the wrong
+order:
+
+ alarm_forward(alarm, timr->it_interval, now);
+
+However, alarm_forward() is defined as:
+
+ u64 alarm_forward(struct alarm *alarm, ktime_t now, ktime_t interval);
+
+and uses the second argument as the current time:
+
+ delta = ktime_sub(now, alarm->node.expires);
+
+Passing the interval as "now" results in incorrect delta computation,
+which can lead to missed expirations or incorrect overrun accounting.
+
+This issue has been present since the introduction of
+alarm_timer_forward().
+
+Fix this by swapping the arguments.
+
+Fixes: e7561f1633ac ("alarmtimer: Implement forward callback")
+Signed-off-by: Zhan Xusheng
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260323061130.29991-1-zhanxusheng@xiaomi.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/time/alarmtimer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/time/alarmtimer.c
++++ b/kernel/time/alarmtimer.c
+@@ -609,7 +609,7 @@ static s64 alarm_timer_forward(struct k_
+ {
+ struct alarm *alarm = &timr->it.alarm.alarmtimer;
+
+- return alarm_forward(alarm, timr->it_interval, now);
++ return alarm_forward(alarm, now, timr->it_interval);
+ }
+
+ /**
diff --git a/queue-5.15/jbd2-gracefully-abort-on-checkpointing-state-corruptions.patch b/queue-5.15/jbd2-gracefully-abort-on-checkpointing-state-corruptions.patch
new file mode 100644
index 0000000000..7939dfabdf
--- /dev/null
+++ b/queue-5.15/jbd2-gracefully-abort-on-checkpointing-state-corruptions.patch
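Review bot: The swap in the inner hunk is correct, but nothing at the call site prevents it from recurring: `now` and `timr->it_interval` are both ktime_t, so the compiler accepts either order silently, which is how the bug survived since the callback was introduced. A one-line comment above the new call, `/* alarm_forward() takes (alarm, now, interval); both are ktime_t, so order is not type-checked */`, would make the contract visible where it matters. The enclosing alarm_timer_forward() begins outside the quoted hunk, so only its truncated signature in the @@ context is visible here.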
@@ -0,0 +1,66 @@
+From bac3190a8e79beff6ed221975e0c9b1b5f2a21da Mon Sep 17 00:00:00 2001
+From: Milos Nikic
+Date: Tue, 10 Mar 2026 21:15:48 -0700
+Subject: jbd2: gracefully abort on checkpointing state corruptions
+
+From: Milos Nikic
+
+commit bac3190a8e79beff6ed221975e0c9b1b5f2a21da upstream.
+
+This patch targets two internal state machine invariants in checkpoint.c
+residing inside functions that natively return integer error codes.
+
+- In jbd2_cleanup_journal_tail(): A blocknr of 0 indicates a severely
+corrupted journal superblock. Replaced the J_ASSERT with a WARN_ON_ONCE
+and a graceful journal abort, returning -EFSCORRUPTED.
+
+- In jbd2_log_do_checkpoint(): Replaced the J_ASSERT_BH checking for
+an unexpected buffer_jwrite state. If the warning triggers, we
+explicitly drop the just-taken get_bh() reference and call __flush_batch()
+to safely clean up any previously queued buffers in the j_chkpt_bhs array,
+preventing a memory leak before returning -EFSCORRUPTED.
+
+Signed-off-by: Milos Nikic
+Reviewed-by: Andreas Dilger
+Reviewed-by: Zhang Yi
+Reviewed-by: Baokun Li
+Reviewed-by: Jan Kara
+Link: https://patch.msgid.link/20260311041548.159424-1-nikic.milos@gmail.com
+Signed-off-by: Theodore Ts'o
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/jbd2/checkpoint.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/fs/jbd2/checkpoint.c
++++ b/fs/jbd2/checkpoint.c
+@@ -279,7 +279,15 @@ restart:
+ */
+ BUFFER_TRACE(bh, "queue");
+ get_bh(bh);
+- J_ASSERT_BH(bh, !buffer_jwrite(bh));
++ if (WARN_ON_ONCE(buffer_jwrite(bh))) {
++ put_bh(bh); /* drop the ref we just took */
++ spin_unlock(&journal->j_list_lock);
++ /* Clean up any previously batched buffers */
++ if (batch_count)
++ __flush_batch(journal, &batch_count);
++ jbd2_journal_abort(journal, -EFSCORRUPTED);
++ return -EFSCORRUPTED;
++ }
+ journal->j_chkpt_bhs[batch_count++] = bh;
+ transaction->t_chp_stats.cs_written++;
+ transaction->t_checkpoint_list = 
jh->b_cpnext;
+@@ -337,7 +345,10 @@ int jbd2_cleanup_journal_tail(journal_t
+
+ if (!jbd2_journal_get_log_tail(journal, &first_tid, &blocknr))
+ return 1;
+- J_ASSERT(blocknr != 0);
++ if (WARN_ON_ONCE(blocknr == 0)) {
++ jbd2_journal_abort(journal, -EFSCORRUPTED);
++ return -EFSCORRUPTED;
++ }
+
+ /*
+ * We need to make sure that any blocks that were recently written out
diff --git a/queue-5.15/scsi-ibmvfc-fix-oob-access-in-ibmvfc_discover_targets_done.patch b/queue-5.15/scsi-ibmvfc-fix-oob-access-in-ibmvfc_discover_targets_done.patch
new file mode 100644
index 0000000000..77ec97c2f8
--- /dev/null
+++ b/queue-5.15/scsi-ibmvfc-fix-oob-access-in-ibmvfc_discover_targets_done.patch
@@ -0,0 +1,45 @@
+From 61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f Mon Sep 17 00:00:00 2001
+From: Tyllis Xu
+Date: Sat, 14 Mar 2026 12:01:50 -0500
+Subject: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
+
+From: Tyllis Xu
+
+commit 61d099ac4a7a8fb11ebdb6e2ec8d77f38e77362f upstream.
+
+A malicious or compromised VIO server can return a num_written value in the
+discover targets MAD response that exceeds max_targets. This value is
+stored directly in vhost->num_targets without validation, and is then used
+as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which
+is only allocated for max_targets entries. Indices at or beyond max_targets
+access kernel memory outside the DMA-coherent allocation. The
+out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI
+MADs that are sent back to the VIO server, leaking kernel memory.
+
+Fix by clamping num_written to max_targets before storing it.
+
+Fixes: 072b91f9c651 ("[SCSI] ibmvfc: IBM Power Virtual Fibre Channel Adapter Client Driver")
+Reported-by: Yuhao Jiang
+Cc: stable@vger.kernel.org
+Signed-off-by: Tyllis Xu
+Reviewed-by: Dave Marquardt
+Acked-by: Tyrel Datwyler
+Link: https://patch.msgid.link/20260314170151.548614-1-LivelyCarpet87@gmail.com
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ibmvscsi/ibmvfc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ibmvscsi/ibmvfc.c
++++ b/drivers/scsi/ibmvscsi/ibmvfc.c
+@@ -4926,7 +4926,8 @@ static void ibmvfc_discover_targets_done
+ switch (mad_status) {
+ case IBMVFC_MAD_SUCCESS:
+ ibmvfc_dbg(vhost, "Discover Targets succeeded\n");
+- vhost->num_targets = be32_to_cpu(rsp->num_written);
++ vhost->num_targets = min_t(u32, be32_to_cpu(rsp->num_written),
++ max_targets);
+ ibmvfc_set_host_action(vhost, IBMVFC_HOST_ACTION_ALLOC_TGTS);
+ break;
+ case IBMVFC_MAD_FAILED:
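Review bot: The min_t() clamp in the inner hunk removes the out-of-bounds read but also makes the triggering condition invisible: a VIO server returning num_written above max_targets is exactly the hostile behaviour the commit message describes, and after this change the host silently proceeds with a truncated target count and logs nothing. It would be worth keeping the raw value in a local and emitting a rate-limited warning when it is clamped, e.g. `if (num_written > max_targets) dev_warn_ratelimited(vhost->dev, "num_written %u exceeds max_targets, clamping\n", num_written);` ahead of the assignment, so the event is visible in host logs and can be alerted on. The enclosing ibmvfc_discover_targets_done() starts outside the quoted hunk, so where max_targets is defined (a module parameter, presumably) is not visible here.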
diff --git a/queue-5.15/scsi-ses-handle-positive-scsi-error-from-ses_recv_diag.patch b/queue-5.15/scsi-ses-handle-positive-scsi-error-from-ses_recv_diag.patch
new file mode 100644
index 0000000000..d87048289f
--- /dev/null
+++ b/queue-5.15/scsi-ses-handle-positive-scsi-error-from-ses_recv_diag.patch
@@ -0,0 +1,36 @@
+From 7a9f448d44127217fabc4065c5ba070d4e0b5d37 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 23 Feb 2026 16:44:59 +0100
+Subject: scsi: ses: Handle positive SCSI error from ses_recv_diag()
+
+From: Greg Kroah-Hartman
+
+commit 7a9f448d44127217fabc4065c5ba070d4e0b5d37 upstream.
+
+ses_recv_diag() can return a positive value, which also means that an
+error happened, so do not only test for negative values.
+
+Cc: James E.J. Bottomley
+Cc: Martin K. Petersen
+Cc: stable
+Assisted-by: gkh_clanker_2000
+Signed-off-by: Greg Kroah-Hartman
+Reviewed-by: Hannes Reinecke
+Link: https://patch.msgid.link/2026022301-bony-overstock-a07f@gregkh
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ses.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -184,7 +184,7 @@ static unsigned char *ses_get_page2_desc
+ unsigned char *type_ptr = ses_dev->page1_types;
+ unsigned char *desc_ptr = ses_dev->page2 + 8;
+
+- if (ses_recv_diag(sdev, 2, ses_dev->page2, ses_dev->page2_len) < 0)
++ if (ses_recv_diag(sdev, 2, ses_dev->page2, ses_dev->page2_len))
+ return NULL;
+
+ for (i = 0; i < ses_dev->page1_num_types; i++, type_ptr += 4) {
diff --git a/queue-5.15/series b/queue-5.15/series
index b2a29fe4cc..bcfec6b95f 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -372,3 +372,8 @@ cpufreq-conservative-reset-requested_freq-on-limits-change.patch
 media-mc-v4l2-serialize-reinit-and-reqbufs-with-req_queue_mutex.patch
 virtio_net-fix-uaf-on-dst_ops-when-iff_xmit_dst_release-is-cleared-and-napi_tx-is-false.patch
 erofs-add-gfp_noio-in-the-bio-completion-if-needed.patch
+alarmtimer-fix-argument-order-in-alarm_timer_forward.patch
+scsi-ibmvfc-fix-oob-access-in-ibmvfc_discover_targets_done.patch
+scsi-ses-handle-positive-scsi-error-from-ses_recv_diag.patch
+jbd2-gracefully-abort-on-checkpointing-state-corruptions.patch
+xfs-stop-reclaim-before-pushing-ail-during-unmount.patch
diff --git a/queue-5.15/xfs-stop-reclaim-before-pushing-ail-during-unmount.patch b/queue-5.15/xfs-stop-reclaim-before-pushing-ail-during-unmount.patch
new file mode 100644
index 0000000000..e457094541
--- /dev/null
+++ b/queue-5.15/xfs-stop-reclaim-before-pushing-ail-during-unmount.patch
@@ -0,0 +1,58 @@
+From 4f24a767e3d64a5f58c595b5c29b6063a201f1e3 Mon Sep 17 00:00:00 2001
+From: Yuto Ohnuki
+Date: Tue, 10 Mar 2026 18:38:37 +0000
+Subject: xfs: stop reclaim before pushing AIL during unmount
+
+From: Yuto Ohnuki
+
+commit 4f24a767e3d64a5f58c595b5c29b6063a201f1e3 upstream.
+
+The unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while
+background reclaim and inodegc are still running. This is broken
+independently of any use-after-free issues - background reclaim and
+inodegc should not be running while the AIL is being pushed during
+unmount, as inodegc can dirty and insert inodes into the AIL during the
+flush, and background reclaim can race to abort and free dirty inodes.
+
+Reorder xfs_unmount_flush_inodes() to stop inodegc and cancel background
+reclaim before pushing the AIL. Stop inodegc before cancelling
+m_reclaim_work because the inodegc worker can re-queue m_reclaim_work
+via xfs_inodegc_set_reclaimable.
+
+Reported-by: syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
+Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
+Cc: stable@vger.kernel.org # v5.9
+Signed-off-by: Yuto Ohnuki
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Carlos Maiolino
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/xfs/xfs_mount.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/xfs/xfs_mount.c
++++ b/fs/xfs/xfs_mount.c
+@@ -535,8 +535,9 @@ xfs_check_summary_counts(
+ * have been retrying in the background. This will prevent never-ending
+ * retries in AIL pushing from hanging the unmount.
+ *
+- * Finally, we can push the AIL to clean all the remaining dirty objects, then
+- * reclaim the remaining inodes that are still in memory at this point in time.
++ * Stop inodegc and background reclaim before pushing the AIL so that they
++ * are not running while the AIL is being flushed. 
Then push the AIL to
++ * clean all the remaining dirty objects and reclaim the remaining inodes.
+ */
+ static void
+ xfs_unmount_flush_inodes(
+@@ -548,9 +549,9 @@ xfs_unmount_flush_inodes(
+
+ set_bit(XFS_OPSTATE_UNMOUNTING, &mp->m_opstate);
+
+- xfs_ail_push_all_sync(mp->m_ail);
+ xfs_inodegc_stop(mp);
+ cancel_delayed_work_sync(&mp->m_reclaim_work);
++ xfs_ail_push_all_sync(mp->m_ail);
+ xfs_reclaim_inodes(mp);
+ xfs_health_unmount(mp);
+ }