From: Greg Kroah-Hartman Date: Mon, 15 Jun 2026 16:55:44 +0000 (+0200) Subject: 7.0-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c0374526bc961996dfcff8df4b8dcca5df8fc48e;p=thirdparty%2Fkernel%2Fstable-queue.git 7.0-stable patches added patches: driver-core-faux-fix-root-device-registration.patch driver-core-reject-devices-with-unregistered-buses.patch netfilter-nft_fib-fix-stale-stack-leak-via-the-oifname-register.patch rdma-during-rereg_mr-ensure-that-rereg_access-is-compatible.patch sched_ext-don-t-warn-on-null-cgrp_moving_from-in-scx_cgroup_move_task.patch --- diff --git a/queue-7.0/driver-core-faux-fix-root-device-registration.patch b/queue-7.0/driver-core-faux-fix-root-device-registration.patch new file mode 100644 index 0000000000..2978413e3b --- /dev/null +++ b/queue-7.0/driver-core-faux-fix-root-device-registration.patch 
@@ -0,0 +1,83 @@ +From 580a795105dae2ef1622df72a27a8fb0605e2f6b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 24 Apr 2026 17:31:26 +0200 +Subject: driver core: faux: fix root device registration + +From: Johan Hovold + +commit 580a795105dae2ef1622df72a27a8fb0605e2f6b upstream. + +A recent change made the faux bus root device be allocated dynamically +but failed to provide a release function to free the memory when the +last reference is dropped (on theoretical failure to register the device +or bus). + +Fix this by using root_device_register() instead of open coding. + +Also add the missing sanity check when registering faux devices to avoid +use-after-free if the bus failed to register (which would previously +have triggered a bunch of use-after-free warnings). + +Fixes: 61b76d07d2b4 ("driver core: faux: stop using static struct device") +Cc: stable@vger.kernel.org # 7.0 +Cc: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260424153127.2647405-2-johan@kernel.org +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/faux.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +--- a/drivers/base/faux.c ++++ b/drivers/base/faux.c +@@ -133,6 +133,9 @@ struct faux_device *faux_device_create_w + struct device *dev; + int ret; + ++ if (!faux_bus_root) ++ return NULL; ++ + faux_obj = kzalloc_obj(*faux_obj); + if (!faux_obj) + return NULL; +@@ -232,19 +235,12 @@ EXPORT_SYMBOL_GPL(faux_device_destroy); + + int __init faux_bus_init(void) + { ++ struct device *root; + int ret; + +- faux_bus_root = kzalloc_obj(*faux_bus_root); +- if (!faux_bus_root) +- return -ENOMEM; +- +- dev_set_name(faux_bus_root, "faux"); +- +- ret = device_register(faux_bus_root); +- if (ret) { +- put_device(faux_bus_root); +- return ret; +- } ++ root = root_device_register("faux"); ++ if (IS_ERR(root)) ++ return PTR_ERR(root); + + ret = bus_register(&faux_bus_type); + if (ret) +@@ -254,12 +250,14 
@@ int __init faux_bus_init(void)
+ if (ret)
+ goto error_driver;
+
++ faux_bus_root = root;
++
+ return ret;
+
+ error_driver:
+ bus_unregister(&faux_bus_type);
+
+ error_bus:
+- device_unregister(faux_bus_root);
++ root_device_unregister(root);
+ return ret;
+ }
diff --git a/queue-7.0/driver-core-reject-devices-with-unregistered-buses.patch b/queue-7.0/driver-core-reject-devices-with-unregistered-buses.patch
new file mode 100644
index 0000000000..3bb7114801
--- /dev/null
+++ b/queue-7.0/driver-core-reject-devices-with-unregistered-buses.patch
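Review bot: The new guard at the top of faux_device_create_with_groups() (`if (!faux_bus_root) return NULL;`) fails silently, so a caller that runs before faux_bus_init() or after it failed gets the same NULL as an allocation failure and nothing is logged. A short comment would make the intent explicit, e.g. `/* faux_bus_root is published only once faux_bus_init() has fully succeeded; refuse rather than attach devices to a half-registered bus */`, and a one-time diagnostic could be considered since the check now masks an init-ordering bug instead of reporting it. The enclosing function starts outside the @@ -133 hunk; faux_bus_init() itself is visible in full across the @@ -232 and @@ -254 hunks, where publishing `faux_bus_root = root` only after driver registration and tearing down with `root_device_unregister(root)` on failure look consistent.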
@@ -0,0 +1,62 @@ +From 36f35b8df6972167102a1c3d4361e0afb6a84534 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 30 Apr 2026 11:17:18 +0200 +Subject: driver core: reject devices with unregistered buses + +From: Johan Hovold + +commit 36f35b8df6972167102a1c3d4361e0afb6a84534 upstream. + +Trying to register a device on a bus which has not yet been registered +used to trigger a NULL-pointer dereference, but since the const bus +structure rework registration instead succeeds without the device being +added to the bus. + +This specifically means that the device will never bind to a driver and +that the bus sysfs attributes are not created (i.e. as if the device had +no bus). + +Reject devices with unregistered buses to catch any callers that get +the ordering wrong and to handle bus registration failures more +gracefully. + +Fixes: 5221b82d46f2 ("driver core: bus: bus_add/probe/remove_device() cleanups") +Cc: stable@vger.kernel.org # 6.3 +Cc: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260430091718.230228-1-johan@kernel.org +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/bus.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/base/bus.c ++++ b/drivers/base/bus.c +@@ -544,10 +544,10 @@ static const struct attribute_group driv + */ + int bus_add_device(struct device *dev) + { +- struct subsys_private *sp = bus_to_subsys(dev->bus); ++ struct subsys_private *sp; + int error; + +- if (!sp) { ++ if (!dev->bus) { + /* + * This is a normal operation for many devices that do not + * have a bus assigned to them, just say that all went +@@ -556,6 +556,13 @@ int bus_add_device(struct device *dev) + return 0; + } + ++ sp = bus_to_subsys(dev->bus); ++ if (!sp) { ++ pr_err("%s: cannot add device '%s' to unregistered bus '%s'\n", ++ __func__, dev_name(dev), dev->bus->name); ++ return -EINVAL; ++ } ++ + /* + * Reference in sp is now incremented and will be dropped when 
+ * the device is removed from the bus
diff --git a/queue-7.0/netfilter-nft_fib-fix-stale-stack-leak-via-the-oifname-register.patch b/queue-7.0/netfilter-nft_fib-fix-stale-stack-leak-via-the-oifname-register.patch
new file mode 100644
index 0000000000..3802a39c8a
--- /dev/null
+++ b/queue-7.0/netfilter-nft_fib-fix-stale-stack-leak-via-the-oifname-register.patch
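Review bot: The new rejection in bus_add_device() logs with pr_err() although `dev` is in hand; `dev_err(dev, "cannot add device to unregistered bus '%s'\n", dev->bus->name);` should be usable at this point and would carry the usual device prefix, matching how the driver core reports other per-device failures. The -EINVAL return also deserves a comment in code, since the hunk turns what used to be a silent no-op into a hard failure for any caller that registers devices before its bus: `/* dev->bus is set but the bus was never registered (or failed to); adding the device would silently skip probing and bus sysfs */`. The function continues past the hunk (the comment about the reference held in sp is cut), so the matching drop of that reference is not visible here.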
@@ -0,0 +1,86 @@ +From stable+bounces-263195-greg=kroah.com@vger.kernel.org Mon Jun 15 15:05:11 2026 +From: Sasha Levin +Date: Mon, 15 Jun 2026 09:04:08 -0400 +Subject: netfilter: nft_fib: fix stale stack leak via the OIFNAME register +To: stable@vger.kernel.org +Cc: Davide Ornaghi , Florian Westphal , Pablo Neira Ayuso , Sasha Levin +Message-ID: <20260615130408.2055029-1-sashal@kernel.org> + +From: Davide Ornaghi + +[ Upstream commit ab185e0c4fb82dfba6fb86f8271e06f931d9c64c ] + +For NFT_FIB_RESULT_OIFNAME the destination register is declared with +len = IFNAMSIZ (four 32-bit registers), but on the lookup-fail, +RTN_LOCAL and oif-mismatch paths nft_fib{4,6}_eval() only writes one +register via "*dest = 0". The remaining three registers are left as +whatever was on the stack in nft_do_chain()'s struct nft_regs, and a +downstream expression that loads the register span can leak that +uninitialised kernel stack to userspace. + +The NFTA_FIB_F_PRESENT existence check has the same shape: it is only +meaningful for NFT_FIB_RESULT_OIF, yet it was accepted for any result type +while the eval stores a single byte via nft_reg_store8(), leaving the rest +of the declared span stale. + +Fix both: + + - replace the bare "*dest = 0" in the eval with nft_fib_store_result(), + which strscpy_pad()s the whole IFNAMSIZ for OIFNAME (and is already + used on the other early-return path), and + + - restrict NFTA_FIB_F_PRESENT to NFT_FIB_RESULT_OIF and declare its + destination as a single u8, so the marked span matches the one byte + the eval writes. 
+
+Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
+Suggested-by: Florian Westphal
+Cc: stable@vger.kernel.org
+Signed-off-by: Davide Ornaghi
+Signed-off-by: Pablo Neira Ayuso
+[ kept the tree's older `ip6_route_lookup()`/`rt6_info` IPv6 context and changed only `*dest = 0;` to `nft_fib_store_result(dest, priv, NULL);` ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/netfilter/nft_fib_ipv4.c | 2 +-
+ net/ipv6/netfilter/nft_fib_ipv6.c | 2 +-
+ net/netfilter/nft_fib.c | 6 ++++++
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/nft_fib_ipv4.c
++++ b/net/ipv4/netfilter/nft_fib_ipv4.c
+@@ -128,7 +128,7 @@ void nft_fib4_eval(const struct nft_expr
+ fl4.saddr = get_saddr(iph->daddr);
+ }
+
+- *dest = 0;
++ nft_fib_store_result(dest, priv, NULL);
+
+ if (fib_lookup(nft_net(pkt), &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
+ return;
+--- a/net/ipv6/netfilter/nft_fib_ipv6.c
++++ b/net/ipv6/netfilter/nft_fib_ipv6.c
+@@ -192,7 +192,7 @@ void nft_fib6_eval(const struct nft_expr
+
+ lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph);
+
+- *dest = 0;
++ nft_fib_store_result(dest, priv, NULL);
+ rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, pkt->skb,
+ lookup_flags);
+ if (rt->dst.error)
+--- a/net/netfilter/nft_fib.c
++++ b/net/netfilter/nft_fib.c
+@@ -107,6 +107,12 @@ int nft_fib_init(const struct nft_ctx *c
+ return -EINVAL;
+ }
+
++ if (priv->flags & NFTA_FIB_F_PRESENT) {
++ if (priv->result != NFT_FIB_RESULT_OIF)
++ return -EINVAL;
++ len = sizeof(u8);
++ }
++
+ err = nft_parse_register_store(ctx, tb[NFTA_FIB_DREG], &priv->dreg,
+ NULL, NFT_DATA_VALUE, len);
+ if (err < 0)
diff --git a/queue-7.0/rdma-during-rereg_mr-ensure-that-rereg_access-is-compatible.patch b/queue-7.0/rdma-during-rereg_mr-ensure-that-rereg_access-is-compatible.patch
new file mode 100644
index 0000000000..760608a452
--- /dev/null
+++ b/queue-7.0/rdma-during-rereg_mr-ensure-that-rereg_access-is-compatible.patch
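Review bot: The new NFTA_FIB_F_PRESENT block in nft_fib_init() (@@ -107 hunk of net/netfilter/nft_fib.c) ties the destination register length to the single byte the eval path stores and also rejects rulesets that combine the flag with a non-OIF result, but neither the cross-file coupling nor the tightened acceptance is stated in the code. A comment such as `/* PRESENT is a one-byte boolean (nft_reg_store8() in the eval path) and is only meaningful for OIF; sizing the store to u8 keeps the declared register span equal to what is actually written */` would let the next change to the eval keep the two in step. In the ipv4/ipv6 hunks the early `nft_fib_store_result(dest, priv, NULL)` depends on that helper accepting a NULL device for every result type and padding the full IFNAMSIZ span for OIFNAME; the backport note says the same call already exists on another early-return path in this tree, so this is presumably fine, but it is the property that actually closes the stack-content exposure and is worth confirming against the 7.0 helper. nft_fib_init() and both eval functions begin before their hunks.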
@@ -0,0 +1,153 @@ +From badad6fad60def1b9805559dd81dbab3d97b82aa Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Thu, 4 Jun 2026 15:03:13 -0300 +Subject: RDMA: During rereg_mr ensure that REREG_ACCESS is compatible + +From: Jason Gunthorpe + +commit badad6fad60def1b9805559dd81dbab3d97b82aa upstream. + +If IB_MR_REREG_ACCESS changes from RO to RW then the umem has to be +re-evaluated to ensure it is properly pinned as RW. Since the umem is +hidden inside each driver's mr struct add a ib_umem_check_rereg() function +that each driver has to call before processing IB_MR_REREG_ACCESS. + +mlx4 has to retain its duplicate ib_access_writable check because it +implements IB_MR_REREG_ACCESS | IB_MR_REREG_TRANS by changing both items +in place sequentially while the MR is live, so it will continue to not +support this combination. + +Cc: stable@vger.kernel.org +Fixes: b40656aa7d55 ("RDMA/umem: remove FOLL_FORCE usage") +Link: https://patch.msgid.link/r/0-v1-06fb1a2d6cf5+107-rereg_access_jgg@nvidia.com +Reported-by: Philip Tsukerman +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/umem.c | 16 ++++++++++++++++ + drivers/infiniband/hw/hns/hns_roce_mr.c | 4 ++++ + drivers/infiniband/hw/irdma/verbs.c | 4 ++++ + drivers/infiniband/hw/mlx4/mr.c | 4 ++++ + drivers/infiniband/hw/mlx5/mr.c | 4 ++++ + drivers/infiniband/sw/rxe/rxe_verbs.c | 5 +++++ + include/rdma/ib_umem.h | 8 ++++++++ + 7 files changed, 45 insertions(+) + +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -332,3 +332,19 @@ int ib_umem_copy_from(void *dst, struct + return 0; + } + EXPORT_SYMBOL(ib_umem_copy_from); ++ ++/* ++ * Called during rereg mr if the driver is able to re-use a umem for ++ * IB_MR_REREG_ACCESS. 
++ */
++int ib_umem_check_rereg(struct ib_umem *umem, int flags, int new_access_flags)
++{
++ if (!umem)
++ return 0;
++
++ if ((flags & IB_MR_REREG_ACCESS) && !(flags & IB_MR_REREG_TRANS))
++ if (ib_access_writable(new_access_flags) && !umem->writable)
++ return -EACCES;
++ return 0;
++}
++EXPORT_SYMBOL(ib_umem_check_rereg);
+--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
+@@ -300,6 +300,10 @@ struct ib_mr *hns_roce_rereg_user_mr(str
+ goto err_out;
+ }
+
++ ret = ib_umem_check_rereg(mr->pbl_mtr.umem, flags, mr_access_flags);
++ if (ret)
++ goto err_out;
++
+ mailbox = hns_roce_alloc_cmd_mailbox(hr_dev);
+ ret = PTR_ERR_OR_ZERO(mailbox);
+ if (ret)
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -3759,6 +3759,10 @@ static struct ib_mr *irdma_rereg_user_mr
+ if (flags & ~(IB_MR_REREG_TRANS | IB_MR_REREG_PD | IB_MR_REREG_ACCESS))
+ return ERR_PTR(-EOPNOTSUPP);
+
++ ret = ib_umem_check_rereg(iwmr->region, flags, new_access);
++ if (ret)
++ return ERR_PTR(ret);
++
+ ret = irdma_hwdereg_mr(ib_mr);
+ if (ret)
+ return ERR_PTR(ret);
+--- a/drivers/infiniband/hw/mlx4/mr.c
++++ b/drivers/infiniband/hw/mlx4/mr.c
+@@ -208,6 +208,10 @@ struct ib_mr *mlx4_ib_rereg_user_mr(stru
+ struct mlx4_mpt_entry **pmpt_entry = &mpt_entry;
+ int err;
+
++ err = ib_umem_check_rereg(mmr->umem, flags, mr_access_flags);
++ if (err)
++ return ERR_PTR(err);
++
+ /* Since we synchronize this call and mlx4_ib_dereg_mr via uverbs,
+ * we assume that the calls can't run concurrently. Otherwise, a
+ * race exists.
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -1895,6 +1895,10 @@ struct ib_mr *mlx5_ib_rereg_user_mr(stru
+ if (flags & ~(IB_MR_REREG_TRANS | IB_MR_REREG_PD | IB_MR_REREG_ACCESS))
+ return ERR_PTR(-EOPNOTSUPP);
+
++ err = ib_umem_check_rereg(mr->umem, flags, new_access_flags);
++ if (err)
++ return ERR_PTR(err);
++
+ if (!(flags & IB_MR_REREG_ACCESS))
+ new_access_flags = mr->access_flags;
+ if (!(flags & IB_MR_REREG_PD))
+--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
+@@ -1332,6 +1332,7 @@ static struct ib_mr *rxe_rereg_user_mr(s
+ struct rxe_mr *mr = to_rmr(ibmr);
+ struct rxe_pd *old_pd = to_rpd(ibmr->pd);
+ struct rxe_pd *pd = to_rpd(ibpd);
++ int err;
+
+ /* for now only support the two easy cases:
+ * rereg_pd and rereg_access
+@@ -1341,6 +1342,10 @@ static struct ib_mr *rxe_rereg_user_mr(s
+ return ERR_PTR(-EOPNOTSUPP);
+ }
+
++ err = ib_umem_check_rereg(mr->umem, flags, access);
++ if (err)
++ return ERR_PTR(err);
++
+ if (flags & IB_MR_REREG_PD) {
+ rxe_put(old_pd);
+ rxe_get(pd);
+--- a/include/rdma/ib_umem.h
++++ b/include/rdma/ib_umem.h
+@@ -179,6 +179,8 @@ void ib_umem_dmabuf_unmap_pages(struct i
+ void ib_umem_dmabuf_release(struct ib_umem_dmabuf *umem_dmabuf);
+ void ib_umem_dmabuf_revoke(struct ib_umem_dmabuf *umem_dmabuf);
+
++int ib_umem_check_rereg(struct ib_umem *umem, int flags, int new_access_flags);
++
+ #else /* CONFIG_INFINIBAND_USER_MEM */
+
+ #include
+@@ -239,5 +241,11 @@ static inline void ib_umem_dmabuf_unmap_
+ static inline void ib_umem_dmabuf_release(struct ib_umem_dmabuf *umem_dmabuf) { }
+ static inline void ib_umem_dmabuf_revoke(struct ib_umem_dmabuf *umem_dmabuf) {}
+
++static inline int ib_umem_check_rereg(struct ib_umem *umem, int flags,
++ int new_access_flags)
++{
++ return -EOPNOTSUPP;
++}
++
+ #endif /* CONFIG_INFINIBAND_USER_MEM */
+ #endif /* IB_UMEM_H */
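Review bot: The `!CONFIG_INFINIBAND_USER_MEM` stub of ib_umem_check_rereg() in include/rdma/ib_umem.h returns -EOPNOTSUPP unconditionally, whereas the real implementation returns 0 for a NULL umem and for any flag combination that does not change access; since every driver rereg path in the series now calls it before doing anything else, a rereg that only changes the PD would fail in that configuration. That is presumably unreachable because user MRs cannot exist without user memory support, but a comment saying so, or `return umem ? -EOPNOTSUPP : 0;`, would make the asymmetry deliberate rather than accidental. In drivers/infiniband/core/umem.c the braceless nested `if` is the shape kernel reviewers usually ask to be flattened into one condition, and the header comment could state the contract explicitly: a umem that was pinned read-only is refused (-EACCES) for a read-write re-registration unless IB_MR_REREG_TRANS is also requested, presumably because TRANS replaces the umem and so re-pins with the new flags. The hns, irdma, mlx4, mlx5 and rxe callers all begin outside their hunks, so whether any of them had already torn down hardware state before the new early return is not visible here.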
diff --git a/queue-7.0/sched_ext-don-t-warn-on-null-cgrp_moving_from-in-scx_cgroup_move_task.patch b/queue-7.0/sched_ext-don-t-warn-on-null-cgrp_moving_from-in-scx_cgroup_move_task.patch
new file mode 100644
index 0000000000..6f09d0159a
--- /dev/null
+++ b/queue-7.0/sched_ext-don-t-warn-on-null-cgrp_moving_from-in-scx_cgroup_move_task.patch
@@ -0,0 +1,75 @@ +From stable+bounces-263327-greg=kroah.com@vger.kernel.org Mon Jun 15 17:41:18 2026 +From: Sasha Levin +Date: Mon, 15 Jun 2026 11:37:32 -0400 +Subject: sched_ext: Don't warn on NULL cgrp_moving_from in scx_cgroup_move_task() +To: stable@vger.kernel.org +Cc: Tejun Heo , Matt Fleming , Andrea Righi , Sasha Levin +Message-ID: <20260615153732.2213055-1-sashal@kernel.org> + +From: Tejun Heo + +[ Upstream commit 02e545c4297a26dbbc41df81b831e7f605bcd306 ] + +A WARN fires when systemd's user manager writes "+cpu +memory +pids" to +its own subtree_control while a sched_ext scheduler is loaded: + + WARNING: at kernel/sched/ext.c:3227 scx_cgroup_move_task+0xa8/0xb0 + scx_cgroup_move_task+0xa8/0xb0 + sched_move_task+0x134/0x290 + cpu_cgroup_attach+0x39/0x70 + cgroup_migrate_execute+0x37d/0x450 + cgroup_update_dfl_csses+0x1e3/0x270 + cgroup_subtree_control_write+0x3e7/0x440 + +scx_cgroup_can_attach() arms cgrp_moving_from only when a task's cpu +cgroup changes. It can still be NULL when scx_cgroup_move_task() runs, +through this sequence: + + Step Result + --------------------------------- ---------------------------------- + 1. cpu enabled on cgroup G cpu css = A + 2. cpu toggled off then on for G A killed, B created (same cgroup) + 3. an exiting task keeps A alive migration skips it, A now stale + 4. +memory migrates G stale A vs current B pulls cpu in + 5. cpu attach runs for all tasks hits a live, cpu-unchanged task + 6. scx_cgroup_move_task() on it cgrp_moving_from NULL -> WARN + +The mismatch is that scx_cgroup_can_attach() keys on cgroup identity +while migration drives the move on css identity, so a NULL cgrp_moving_from +here is a legitimate css-only migration, not a missing prep. + +The call is already gated on cgrp_moving_from, so just drop the warning. +ops.cgroup_prep_move() and ops.cgroup_move() stay paired. 
+
+Fixes: 819513666966 ("sched_ext: Add cgroup support")
+Cc: stable@vger.kernel.org # v6.12+
+Reported-by: Matt Fleming
+Closes: https://lore.kernel.org/all/20260601124156.2205704-1-mfleming@cloudflare.com/
+Signed-off-by: Tejun Heo
+Reviewed-by: Andrea Righi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/ext.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -3402,11 +3402,13 @@ void scx_cgroup_move_task(struct task_st
+ return;
+
+ /*
+- * @p must have ops.cgroup_prep_move() called on it and thus
+- * cgrp_moving_from set.
++ * scx_cgroup_can_attach() sets cgrp_moving_from only when the task's
++ * cgroup changes. Migration keys off css rather than cgroup identity,
++ * so it can hand an unchanged-cgroup task here with cgrp_moving_from
++ * NULL. Nothing to report to the BPF scheduler then, so skip it and
++ * keep prep_move and move paired.
+ */
+- if (SCX_HAS_OP(sch, cgroup_move) &&
+- !WARN_ON_ONCE(!p->scx.cgrp_moving_from))
++ if (SCX_HAS_OP(sch, cgroup_move) && p->scx.cgrp_moving_from)
+ SCX_CALL_OP_TASK(sch, SCX_KF_REST, cgroup_move, task_rq(p),
+ p, p->scx.cgrp_moving_from,
+ tg_cgrp(task_group(p)));
diff --git a/queue-7.0/series b/queue-7.0/series
index 82c8c469e9..f7b57e4652 100644
--- a/queue-7.0/series
+++ b/queue-7.0/series
@@ -357,3 +357,8 @@ drm-amd-display-fix-null-deref-and-buffer-over-read-in-sdp-debugfs.patch
 drm-amd-display-fix-out-of-bounds-read-in-dp_get_eq_aux_rd_interval.patch
 drm-amd-display-use-krealloc_array-in-dal_vector_reserve.patch
 fs-fcntl-fix-softirq-unsafe-lock-order-in-fasync-signaling.patch
+driver-core-faux-fix-root-device-registration.patch
+driver-core-reject-devices-with-unregistered-buses.patch
+rdma-during-rereg_mr-ensure-that-rereg_access-is-compatible.patch
+netfilter-nft_fib-fix-stale-stack-leak-via-the-oifname-register.patch
+sched_ext-don-t-warn-on-null-cgrp_moving_from-in-scx_cgroup_move_task.patch
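Review bot: Dropping the WARN_ON_ONCE() in scx_cgroup_move_task() also removes the only signal for a genuinely unpaired ops.cgroup_prep_move()/ops.cgroup_move(); such a bug would now show up only as the BPF scheduler silently never seeing a cgroup_move for that task. If that case is still worth catching, the css-only migrations described in the commit message would have to be told apart by the caller rather than by a NULL cgrp_moving_from; otherwise one sentence in the new comment saying that a missing prep is deliberately indistinguishable here, e.g. `* A missing prep_move is not detected here any more; look at scx_cgroup_can_attach() if moves go missing.`, would set expectations for anyone debugging a scheduler that misses moves. The function begins before the hunk, so which lock protects the cgrp_moving_from read is not visible here.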