From 3ca0e841f8c101406325c5afcc0ee768ad04b62b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 3 Dec 2025 14:31:16 +0100
Subject: [PATCH] 5.10-stable patches

added patches:
	bluetooth-add-more-enc-key-size-check.patch
	fs-writeback-fix-use-after-free-in-__mark_inode_dirty.patch
	mptcp-fix-proto-fallback-detection-with-bpf.patch
	netfilter-nf_set_pipapo-fix-initial-map-fill.patch
	ovl-fix-uaf-in-ovl_dentry_update_reval-by-moving-dput-in-ovl_link_up.patch
	scsi-pm80xx-set-phy-enable_completion-only-when-we.patch
	smb-client-fix-memory-leak-in-cifs_construct_tcon.patch
	usb-renesas_usbhs-fix-synchronous-external-abort-on-unbind.patch
	usb-typec-ucsi-psy-set-max-current-to-zero-when-disconnected.patch
	usb-uas-fix-urb-unmapping-issue-when-the-uas-device-is-remove-during-ongoing-data-transfer.patch
---
 ...luetooth-add-more-enc-key-size-check.patch | 146 ++++++++++++++++++
 ...use-after-free-in-__mark_inode_dirty.patch | 104 +++++++++++++
 ...ix-proto-fallback-detection-with-bpf.patch | 110 +++++++++++++
 ...r-nf_set_pipapo-fix-initial-map-fill.patch | 138 +++++++++++++++++
 ..._reval-by-moving-dput-in-ovl_link_up.patch |  70 +++++++++
 ...t-phy-enable_completion-only-when-we.patch |  66 ++++++++
 queue-5.10/series                             |  10 ++
 ...x-memory-leak-in-cifs_construct_tcon.patch |  70 +++++++++
 ...synchronous-external-abort-on-unbind.patch | 146 ++++++++++++++++++
 ...ax-current-to-zero-when-disconnected.patch |  50 ++++++
 ...-remove-during-ongoing-data-transfer.patch |  86 +++++++++++
 11 files changed, 996 insertions(+)
 create mode 100644 queue-5.10/bluetooth-add-more-enc-key-size-check.patch
 create mode 100644 queue-5.10/fs-writeback-fix-use-after-free-in-__mark_inode_dirty.patch
 create mode 100644 queue-5.10/mptcp-fix-proto-fallback-detection-with-bpf.patch
 create mode 100644 queue-5.10/netfilter-nf_set_pipapo-fix-initial-map-fill.patch
 create mode 100644 queue-5.10/ovl-fix-uaf-in-ovl_dentry_update_reval-by-moving-dput-in-ovl_link_up.patch
 create mode 100644 queue-5.10/scsi-pm80xx-set-phy-enable_completion-only-when-we.patch
 create mode 100644 queue-5.10/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch
 create mode 100644 queue-5.10/usb-renesas_usbhs-fix-synchronous-external-abort-on-unbind.patch
 create mode 100644 queue-5.10/usb-typec-ucsi-psy-set-max-current-to-zero-when-disconnected.patch
 create mode 100644 queue-5.10/usb-uas-fix-urb-unmapping-issue-when-the-uas-device-is-remove-during-ongoing-data-transfer.patch

diff --git a/queue-5.10/bluetooth-add-more-enc-key-size-check.patch b/queue-5.10/bluetooth-add-more-enc-key-size-check.patch
new file mode 100644
index 0000000000..cda14e7ec8
--- /dev/null
+++ b/queue-5.10/bluetooth-add-more-enc-key-size-check.patch
@@ -0,0 +1,146 @@ +From stable+bounces-197599-greg=kroah.com@vger.kernel.org Fri Nov 28 15:45:35 2025 +From: Nazar Kalashnikov +Date: Fri, 28 Nov 2025 17:45:34 +0300 +Subject: Bluetooth: Add more enc key size check +To: stable@vger.kernel.org, Greg Kroah-Hartman +Cc: Nazar Kalashnikov , Marcel Holtmann , Johan Hedberg , "David S. Miller" , Jakub Kicinski , linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Alex Lu , Max Chou , Luiz Augusto von Dentz +Message-ID: <20251128144535.55357-1-sivartiwe@gmail.com> + +From: Alex Lu + +[ Upstream commit 04a342cc49a8522e99c9b3346371c329d841dcd2 ] + +When we are slave role and receives l2cap conn req when encryption has +started, we should check the enc key size to avoid KNOB attack or BLUFFS +attack. +>From SIG recommendation, implementations are advised to reject +service-level connections on an encrypted baseband link with key +strengths below 7 octets. +A simple and clear way to achieve this is to place the enc key size +check in hci_cc_read_enc_key_size() + +The btmon log below shows the case that lacks enc key size check. + +> HCI Event: Connect Request (0x04) plen 10 + Address: BB:22:33:44:55:99 (OUI BB-22-33) + Class: 0x480104 + Major class: Computer (desktop, notebook, PDA, organizers) + Minor class: Desktop workstation + Capturing (Scanner, Microphone) + Telephony (Cordless telephony, Modem, Headset) + Link type: ACL (0x01) +< HCI Command: Accept Connection Request (0x01|0x0009) plen 7 + Address: BB:22:33:44:55:99 (OUI BB-22-33) + Role: Peripheral (0x01) +> HCI Event: Command Status (0x0f) plen 4 + Accept Connection Request (0x01|0x0009) ncmd 2 + Status: Success (0x00) +> HCI Event: Connect Complete (0x03) plen 11 + Status: Success (0x00) + Handle: 1 + Address: BB:22:33:44:55:99 (OUI BB-22-33) + Link type: ACL (0x01) + Encryption: Disabled (0x00) +... 
+ +> HCI Event: Encryption Change (0x08) plen 4 + Status: Success (0x00) + Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33) + Encryption: Enabled with E0 (0x01) +< HCI Command: Read Encryption Key Size (0x05|0x0008) plen 2 + Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33) +> HCI Event: Command Complete (0x0e) plen 7 + Read Encryption Key Size (0x05|0x0008) ncmd 2 + Status: Success (0x00) + Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33) + Key size: 6 +// We should check the enc key size +... + +> ACL Data RX: Handle 1 flags 0x02 dlen 12 + L2CAP: Connection Request (0x02) ident 3 len 4 + PSM: 25 (0x0019) + Source CID: 64 +< ACL Data TX: Handle 1 flags 0x00 dlen 16 + L2CAP: Connection Response (0x03) ident 3 len 8 + Destination CID: 64 + Source CID: 64 + Result: Connection pending (0x0001) + Status: Authorization pending (0x0002) +> HCI Event: Number of Completed Packets (0x13) plen 5 + Num handles: 1 + Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33) + Count: 1 + #35: len 16 (25 Kb/s) + Latency: 5 msec (2-7 msec ~4 msec) +< ACL Data TX: Handle 1 flags 0x00 dlen 16 + L2CAP: Connection Response (0x03) ident 3 len 8 + Destination CID: 64 + Source CID: 64 + Result: Connection successful (0x0000) + Status: No further information available (0x0000) + +Cc: stable@vger.kernel.org +Signed-off-by: Alex Lu +Signed-off-by: Max Chou +Signed-off-by: Luiz Augusto von Dentz +[ Nazar Kalashnikov: change status to +rp_status due to function parameter conflict ] +Signed-off-by: Nazar Kalashnikov +Signed-off-by: Greg Kroah-Hartman +--- +Backport fix for CVE-2023-24023 + net/bluetooth/hci_event.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3043,6 +3043,7 @@ static void read_enc_key_size_complete(s + const struct hci_rp_read_enc_key_size *rp; + struct hci_conn *conn; + u16 handle; ++ u8 rp_status; + + BT_DBG("%s status 0x%02x", hdev->name, status); + +@@ -3052,6 
+3053,7 @@ static void read_enc_key_size_complete(s + } + + rp = (void *)skb->data; ++ rp_status = rp->status; + handle = le16_to_cpu(rp->handle); + + hci_dev_lock(hdev); +@@ -3064,15 +3066,30 @@ static void read_enc_key_size_complete(s + * secure approach is to then assume the key size is 0 to force a + * disconnection. + */ +- if (rp->status) { ++ if (rp_status) { + bt_dev_err(hdev, "failed to read key size for handle %u", + handle); + conn->enc_key_size = 0; + } else { + conn->enc_key_size = rp->key_size; ++ rp_status = 0; ++ ++ if (conn->enc_key_size < hdev->min_enc_key_size) { ++ /* As slave role, the conn->state has been set to ++ * BT_CONNECTED and l2cap conn req might not be received ++ * yet, at this moment the l2cap layer almost does ++ * nothing with the non-zero status. ++ * So we also clear encrypt related bits, and then the ++ * handler of l2cap conn req will get the right secure ++ * state at a later time. ++ */ ++ rp_status = HCI_ERROR_AUTH_FAILURE; ++ clear_bit(HCI_CONN_ENCRYPT, &conn->flags); ++ clear_bit(HCI_CONN_AES_CCM, &conn->flags); ++ } + } + +- hci_encrypt_cfm(conn, 0); ++ hci_encrypt_cfm(conn, rp_status); + + unlock: + hci_dev_unlock(hdev); diff --git a/queue-5.10/fs-writeback-fix-use-after-free-in-__mark_inode_dirty.patch b/queue-5.10/fs-writeback-fix-use-after-free-in-__mark_inode_dirty.patch new file mode 100644 index 0000000000..1439025019 --- /dev/null +++ b/queue-5.10/fs-writeback-fix-use-after-free-in-__mark_inode_dirty.patch 
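Review bot: on the net/bluetooth/hci_event.c hunk above, `rp_status = 0;` at the top of the else branch is dead code: rp_status was just copied from rp->status and that branch runs only when it is zero, so the line can go, or the backport note should say it is kept to stay line-for-line with upstream. The more important question is enforcement: on a short key the hunk leaves conn->enc_key_size at the rejected value and relies on clearing HCI_CONN_ENCRYPT/HCI_CONN_AES_CCM plus hci_encrypt_cfm(conn, HCI_ERROR_AUTH_FAILURE), whereas the failed-read path just above forces enc_key_size = 0 to provoke a disconnect, and the in-hunk comment itself says the L2CAP layer "almost does nothing with the non-zero status" at this point. The fix therefore depends on the later L2CAP connect-request handler re-checking those encrypt bits; please confirm that check exists in 5.10 (it is not visible in this patch) and that hdev->min_enc_key_size carries the 7-octet floor the commit message cites, otherwise the btmon "Key size: 6" case would still be accepted.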
@@ -0,0 +1,104 @@ +From stable+bounces-197598-greg=kroah.com@vger.kernel.org Fri Nov 28 15:41:26 2025 +From: Nazar Kalashnikov +Date: Fri, 28 Nov 2025 17:41:19 +0300 +Subject: fs: writeback: fix use-after-free in __mark_inode_dirty() +To: stable@vger.kernel.org, Greg Kroah-Hartman +Cc: Nazar Kalashnikov , Alexander Viro , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Jiufei Xue , Jan Kara , Christian Brauner +Message-ID: <20251128144121.54603-1-sivartiwe@gmail.com> + +From: Jiufei Xue + +[ Upstream commit d02d2c98d25793902f65803ab853b592c7a96b29 ] + +An use-after-free issue occurred when __mark_inode_dirty() get the +bdi_writeback that was in the progress of switching. + +CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 +...... +pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : __mark_inode_dirty+0x124/0x418 +lr : __mark_inode_dirty+0x118/0x418 +sp : ffffffc08c9dbbc0 +........ +Call trace: + __mark_inode_dirty+0x124/0x418 + generic_update_time+0x4c/0x60 + file_modified+0xcc/0xd0 + ext4_buffered_write_iter+0x58/0x124 + ext4_file_write_iter+0x54/0x704 + vfs_write+0x1c0/0x308 + ksys_write+0x74/0x10c + __arm64_sys_write+0x1c/0x28 + invoke_syscall+0x48/0x114 + el0_svc_common.constprop.0+0xc0/0xe0 + do_el0_svc+0x1c/0x28 + el0_svc+0x40/0xe4 + el0t_64_sync_handler+0x120/0x12c + el0t_64_sync+0x194/0x198 + +Root cause is: + +systemd-random-seed kworker +---------------------------------------------------------------------- +___mark_inode_dirty inode_switch_wbs_work_fn + + spin_lock(&inode->i_lock); + inode_attach_wb + locked_inode_to_wb_and_lock_list + get inode->i_wb + spin_unlock(&inode->i_lock); + spin_lock(&wb->list_lock) + spin_lock(&inode->i_lock) + inode_io_list_move_locked + spin_unlock(&wb->list_lock) + spin_unlock(&inode->i_lock) + spin_lock(&old_wb->list_lock) + inode_do_switch_wbs + spin_lock(&inode->i_lock) + inode->i_wb = new_wb + spin_unlock(&inode->i_lock) + 
spin_unlock(&old_wb->list_lock) + wb_put_many(old_wb, nr_switched) + cgwb_release + old wb released + wb_wakeup_delayed() accesses wb, + then trigger the use-after-free + issue + +Fix this race condition by holding inode spinlock until +wb_wakeup_delayed() finished. + +Signed-off-by: Jiufei Xue +Link: https://lore.kernel.org/20250728100715.3863241-1-jiufei.xue@samsung.com +Reviewed-by: Jan Kara +Signed-off-by: Christian Brauner +Signed-off-by: Nazar Kalashnikov +Signed-off-by: Greg Kroah-Hartman +--- +Backport fix for CVE-2025-39866 + fs/fs-writeback.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -2326,9 +2326,6 @@ void __mark_inode_dirty(struct inode *in + wakeup_bdi = inode_io_list_move_locked(inode, wb, + dirty_list); + +- spin_unlock(&wb->list_lock); +- trace_writeback_dirty_inode_enqueue(inode); +- + /* + * If this is the first dirty inode for this bdi, + * we have to wake-up the corresponding bdi thread +@@ -2338,6 +2335,10 @@ void __mark_inode_dirty(struct inode *in + if (wakeup_bdi && + (wb->bdi->capabilities & BDI_CAP_WRITEBACK)) + wb_wakeup_delayed(wb); ++ ++ spin_unlock(&wb->list_lock); ++ trace_writeback_dirty_inode_enqueue(inode); ++ + return; + } + } diff --git a/queue-5.10/mptcp-fix-proto-fallback-detection-with-bpf.patch b/queue-5.10/mptcp-fix-proto-fallback-detection-with-bpf.patch new file mode 100644 index 0000000000..31f2359cf8 --- /dev/null +++ b/queue-5.10/mptcp-fix-proto-fallback-detection-with-bpf.patch 
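Review bot: on the fs/fs-writeback.c hunk above, the commit message says the fix holds the inode spinlock until wb_wakeup_delayed() finishes, but the hunk only moves spin_unlock(&wb->list_lock) and there is no spin_unlock(&inode->i_lock) anywhere in the context, so either i_lock is already released before this point in 5.10 or the backport is incomplete, and the backport note should say which. Holding wb->list_lock alone does close the race in the description, because inode_switch_wbs_work_fn() has to take old_wb->list_lock before the wb_put_many() that frees old_wb, so the wakeup can no longer overlap the release; stating that in a `[ ... ]` backport note would save a reader diffing against upstream from hunting for the missing i_lock line. Moving trace_writeback_dirty_inode_enqueue() after the wakeup is harmless, but it does reorder that tracepoint relative to the wakeup for anyone correlating events.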
@@ -0,0 +1,110 @@ +From matttbe@kernel.org Mon Dec 1 12:35:16 2025 +From: "Matthieu Baerts (NGI0)" +Date: Mon, 1 Dec 2025 12:34:58 +0100 +Subject: mptcp: Fix proto fallback detection with BPF +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: MPTCP Upstream , Jiayuan Chen , Martin KaFai Lau , Jakub Sitnicki , "Matthieu Baerts (NGI0)" +Message-ID: <20251201113457.3641925-2-matttbe@kernel.org> + +From: Jiayuan Chen + +commit c77b3b79a92e3345aa1ee296180d1af4e7031f8f upstream. + +The sockmap feature allows bpf syscall from userspace, or based +on bpf sockops, replacing the sk_prot of sockets during protocol stack +processing with sockmap's custom read/write interfaces. +''' +tcp_rcv_state_process() + syn_recv_sock()/subflow_syn_recv_sock() + tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) + bpf_skops_established <== sockops + bpf_sock_map_update(sk) <== call bpf helper + tcp_bpf_update_proto() <== update sk_prot +''' + +When the server has MPTCP enabled but the client sends a TCP SYN +without MPTCP, subflow_syn_recv_sock() performs a fallback on the +subflow, replacing the subflow sk's sk_prot with the native sk_prot. +''' +subflow_syn_recv_sock() + subflow_ulp_fallback() + subflow_drop_ctx() + mptcp_subflow_ops_undo_override() +''' + +Then, this subflow can be normally used by sockmap, which replaces the +native sk_prot with sockmap's custom sk_prot. The issue occurs when the +user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). +Here, it uses sk->sk_prot to compare with the native sk_prot, but this +is incorrect when sockmap is used, as we may incorrectly set +sk->sk_socket->ops. + +This fix uses the more generic sk_family for the comparison instead. + +Additionally, this also prevents a WARNING from occurring: + +result from ./scripts/decode_stacktrace.sh: +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \ +(net/mptcp/protocol.c:4005) +Modules linked in: +... 
+ +PKRU: 55555554 +Call Trace: + +do_accept (net/socket.c:1989) +__sys_accept4 (net/socket.c:2028 net/socket.c:2057) +__x64_sys_accept (net/socket.c:2067) +x64_sys_call (arch/x86/entry/syscall_64.c:41) +do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) +RIP: 0033:0x7f87ac92b83d + +---[ end trace 0000000000000000 ]--- + +Fixes: 0b4f33def7bb ("mptcp: fix tcp fallback crash") +Signed-off-by: Jiayuan Chen +Signed-off-by: Martin KaFai Lau +Reviewed-by: Jakub Sitnicki +Reviewed-by: Matthieu Baerts (NGI0) +Cc: +Link: https://patch.msgid.link/20251111060307.194196-3-jiayuan.chen@linux.dev +[ Conflicts in protocol.c, because commit 8e2b8a9fa512 ("mptcp: don't + overwrite sock_ops in mptcp_is_tcpsk()") is not in this version. It + changes the logic on how and where the sock_ops is overridden in case + of passive fallback. To fix this, mptcp_is_tcpsk() is modified to use + the family, but first, a check of the protocol is required to continue + returning 'false' in case of MPTCP socket. ] +Signed-off-by: Matthieu Baerts (NGI0) +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/protocol.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -56,8 +56,13 @@ static struct socket *__mptcp_nmpc_socke + static bool mptcp_is_tcpsk(struct sock *sk) + { + struct socket *sock = sk->sk_socket; ++ unsigned short family; + +- if (unlikely(sk->sk_prot == &tcp_prot)) { ++ if (likely(sk->sk_protocol == IPPROTO_MPTCP)) ++ return false; ++ ++ family = READ_ONCE(sk->sk_family); ++ if (unlikely(family == AF_INET)) { + /* we are being invoked after mptcp_accept() has + * accepted a non-mp-capable flow: sk is a tcp_sk, + * not an mptcp one. 
+@@ -68,7 +73,7 @@ static bool mptcp_is_tcpsk(struct sock * + sock->ops = &inet_stream_ops; + return true; + #if IS_ENABLED(CONFIG_MPTCP_IPV6) +- } else if (unlikely(sk->sk_prot == &tcpv6_prot)) { ++ } else if (unlikely(family == AF_INET6)) { + sock->ops = &inet6_stream_ops; + return true; + #endif diff --git a/queue-5.10/netfilter-nf_set_pipapo-fix-initial-map-fill.patch b/queue-5.10/netfilter-nf_set_pipapo-fix-initial-map-fill.patch new file mode 100644 index 0000000000..96764205d0 --- /dev/null +++ b/queue-5.10/netfilter-nf_set_pipapo-fix-initial-map-fill.patch 
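Review bot: on the net/mptcp/protocol.c hunk above, the reason the new test survives sockmap is that the sockmap path described in the commit message rewrites sk->sk_prot but not sk->sk_protocol or sk->sk_family; the backport note explains the `IPPROTO_MPTCP` guard but not this, and one sentence would stop the next backporter from "simplifying" it back to a sk_prot compare. Two nits: the `unlikely()` on `family == AF_INET` is now redundant with the `likely()` early return immediately above it, and the existing comment in the context ("we are being invoked after mptcp_accept() has accepted a non-mp-capable flow: sk is a tcp_sk") still describes the old sk_prot test and should mention that the address family is what is checked now.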
@@ -0,0 +1,138 @@ +From stable+bounces-197600-greg=kroah.com@vger.kernel.org Fri Nov 28 15:46:25 2025 +From: Nazar Kalashnikov +Date: Fri, 28 Nov 2025 17:46:01 +0300 +Subject: netfilter: nf_set_pipapo: fix initial map fill +To: stable@vger.kernel.org, Greg Kroah-Hartman +Cc: Nazar Kalashnikov , Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , "David S. Miller" , Jakub Kicinski , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Yi Chen , Stefano Brivio +Message-ID: <20251128144602.55408-1-sivartiwe@gmail.com> + +From: Florian Westphal + +[ Upstream commit 791a615b7ad2258c560f91852be54b0480837c93 ] + +The initial buffer has to be inited to all-ones, but it must restrict +it to the size of the first field, not the total field size. + +After each round in the map search step, the result and the fill map +are swapped, so if we have a set where f->bsize of the first element +is smaller than m->bsize_max, those one-bits are leaked into future +rounds result map. + +This makes pipapo find an incorrect matching results for sets where +first field size is not the largest. + +Followup patch adds a test case to nft_concat_range.sh selftest script. + +Thanks to Stefano Brivio for pointing out that we need to zero out +the remainder explicitly, only correcting memset() argument isn't enough. 
+ +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Reported-by: Yi Chen +Cc: Stefano Brivio +Signed-off-by: Florian Westphal +Reviewed-by: Stefano Brivio +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Nazar Kalashnikov +Signed-off-by: Greg Kroah-Hartman +--- +Backport fix for CVE-2024-57947 + net/netfilter/nft_set_pipapo.c | 4 ++-- + net/netfilter/nft_set_pipapo.h | 21 +++++++++++++++++++++ + net/netfilter/nft_set_pipapo_avx2.c | 10 ++++++---- + 3 files changed, 29 insertions(+), 6 deletions(-) + +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -432,7 +432,7 @@ bool nft_pipapo_lookup(const struct net + res_map = scratch->map + (map_index ? m->bsize_max : 0); + fill_map = scratch->map + (map_index ? 0 : m->bsize_max); + +- memset(res_map, 0xff, m->bsize_max * sizeof(*res_map)); ++ pipapo_resmap_init(m, res_map); + + nft_pipapo_for_each_field(f, i, m) { + bool last = i == m->field_count - 1; +@@ -536,7 +536,7 @@ static struct nft_pipapo_elem *pipapo_ge + goto out; + } + +- memset(res_map, 0xff, m->bsize_max * sizeof(*res_map)); ++ pipapo_resmap_init(m, res_map); + + nft_pipapo_for_each_field(f, i, m) { + bool last = i == m->field_count - 1; +--- a/net/netfilter/nft_set_pipapo.h ++++ b/net/netfilter/nft_set_pipapo.h +@@ -287,4 +287,25 @@ static u64 pipapo_estimate_size(const st + return size; + } + ++/** ++ * pipapo_resmap_init() - Initialise result map before first use ++ * @m: Matching data, including mapping table ++ * @res_map: Result map ++ * ++ * Initialize all bits covered by the first field to one, so that after ++ * the first step, only the matching bits of the first bit group remain. ++ * ++ * If other fields have a large bitmap, set remainder of res_map to 0. 
++ */ ++static inline void pipapo_resmap_init(const struct nft_pipapo_match *m, unsigned long *res_map) ++{ ++ const struct nft_pipapo_field *f = m->f; ++ int i; ++ ++ for (i = 0; i < f->bsize; i++) ++ res_map[i] = ULONG_MAX; ++ ++ for (i = f->bsize; i < m->bsize_max; i++) ++ res_map[i] = 0ul; ++} + #endif /* _NFT_SET_PIPAPO_H */ +--- a/net/netfilter/nft_set_pipapo_avx2.c ++++ b/net/netfilter/nft_set_pipapo_avx2.c +@@ -1028,6 +1028,7 @@ nothing: + + /** + * nft_pipapo_avx2_lookup_slow() - Fallback function for uncommon field sizes ++ * @mdata: Matching data, including mapping table + * @map: Previous match result, used as initial bitmap + * @fill: Destination bitmap to be filled with current match result + * @f: Field, containing lookup and mapping tables +@@ -1043,7 +1044,8 @@ nothing: + * Return: -1 on no match, rule index of match if @last, otherwise first long + * word index to be checked next (i.e. first filled word). + */ +-static int nft_pipapo_avx2_lookup_slow(unsigned long *map, unsigned long *fill, ++static int nft_pipapo_avx2_lookup_slow(const struct nft_pipapo_match *mdata, ++ unsigned long *map, unsigned long *fill, + struct nft_pipapo_field *f, int offset, + const u8 *pkt, bool first, bool last) + { +@@ -1053,7 +1055,7 @@ static int nft_pipapo_avx2_lookup_slow(u + lt += offset * NFT_PIPAPO_LONGS_PER_M256; + + if (first) +- memset(map, 0xff, bsize * sizeof(*map)); ++ pipapo_resmap_init(mdata, map); + + for (i = offset; i < bsize; i++) { + if (f->bb == 8) +@@ -1181,7 +1183,7 @@ next_match: + } else if (f->groups == 16) { + NFT_SET_PIPAPO_AVX2_LOOKUP(8, 16); + } else { +- ret = nft_pipapo_avx2_lookup_slow(res, fill, f, ++ ret = nft_pipapo_avx2_lookup_slow(m, res, fill, f, + ret, rp, + first, last); + } +@@ -1197,7 +1199,7 @@ next_match: + } else if (f->groups == 32) { + NFT_SET_PIPAPO_AVX2_LOOKUP(4, 32); + } else { +- ret = nft_pipapo_avx2_lookup_slow(res, fill, f, ++ ret = nft_pipapo_avx2_lookup_slow(m, res, fill, f, + ret, rp, + first, last); + } 
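Review bot: on the nft_set_pipapo_avx2.c slow-path hunk, the old `memset(map, 0xff, bsize * sizeof(*map))` used this field's own bsize, so for the first field it already set the right ones but left words [f->bsize, m->bsize_max) holding whatever the scratch map had from the previous lookup; switching to pipapo_resmap_init(mdata, map) also zeroes that tail, which is the part the commit message credits to Stefano Brivio and is worth calling out since the hunk reads like a pure refactor. In pipapo_resmap_init() itself, `int i` is compared against f->bsize and m->bsize_max, both unsigned; `unsigned long i` avoids the sign-compare warning and matches the indexed type. The function only makes sense before the first field is looked up (it reads m->f), and the slow path calls it under `if (first)`, so the precondition holds, but a one-line "must be called before the first field lookup" in the kernel-doc would make it explicit.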
diff --git a/queue-5.10/ovl-fix-uaf-in-ovl_dentry_update_reval-by-moving-dput-in-ovl_link_up.patch b/queue-5.10/ovl-fix-uaf-in-ovl_dentry_update_reval-by-moving-dput-in-ovl_link_up.patch new file mode 100644 index 0000000000..c6edfd056b --- /dev/null +++ b/queue-5.10/ovl-fix-uaf-in-ovl_dentry_update_reval-by-moving-dput-in-ovl_link_up.patch 
@@ -0,0 +1,70 @@ +From stable+bounces-198082-greg=kroah.com@vger.kernel.org Tue Dec 2 13:05:03 2025 +From: lanbincn@qq.com +Date: Tue, 2 Dec 2025 12:03:16 +0000 +Subject: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up +To: stable@vger.kernel.org +Cc: Vasiliy Kovalev , syzbot+316db8a1191938280eb6@syzkaller.appspotmail.com, Amir Goldstein , Christian Brauner , Bin Lan +Message-ID: + +From: Vasiliy Kovalev + +[ Upstream commit c84e125fff2615b4d9c259e762596134eddd2f27 ] + +The issue was caused by dput(upper) being called before +ovl_dentry_update_reval(), while upper->d_flags was still +accessed in ovl_dentry_remote(). + +Move dput(upper) after its last use to prevent use-after-free. + +BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] +BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 + +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 + print_address_description mm/kasan/report.c:377 [inline] + print_report+0xc3/0x620 mm/kasan/report.c:488 + kasan_report+0xd9/0x110 mm/kasan/report.c:601 + ovl_dentry_remote fs/overlayfs/util.c:162 [inline] + ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 + ovl_link_up fs/overlayfs/copy_up.c:610 [inline] + ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 + ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 + ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 + vfs_rename+0xf84/0x20a0 fs/namei.c:4893 +... + + +Fixes: b07d5cc93e1b ("ovl: update of dentry revalidate flags after copy up") +Reported-by: syzbot+316db8a1191938280eb6@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=316db8a1191938280eb6 +Signed-off-by: Vasiliy Kovalev +Link: https://lore.kernel.org/r/20250214215148.761147-1-kovalev@altlinux.org +Reviewed-by: Amir Goldstein +Signed-off-by: Christian Brauner +[ Minor context change fixed. 
] +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/copy_up.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/overlayfs/copy_up.c ++++ b/fs/overlayfs/copy_up.c +@@ -469,7 +469,6 @@ static int ovl_link_up(struct ovl_copy_u + err = PTR_ERR(upper); + if (!IS_ERR(upper)) { + err = ovl_do_link(ovl_dentry_upper(c->dentry), udir, upper); +- dput(upper); + + if (!err) { + /* Restore timestamps on parent (best effort) */ +@@ -477,6 +476,7 @@ static int ovl_link_up(struct ovl_copy_u + ovl_dentry_set_upper_alias(c->dentry); + ovl_dentry_update_reval(c->dentry, upper); + } ++ dput(upper); + } + inode_unlock(udir); + if (err) diff --git a/queue-5.10/scsi-pm80xx-set-phy-enable_completion-only-when-we.patch b/queue-5.10/scsi-pm80xx-set-phy-enable_completion-only-when-we.patch new file mode 100644 index 0000000000..6a4068cf46 --- /dev/null +++ b/queue-5.10/scsi-pm80xx-set-phy-enable_completion-only-when-we.patch 
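Review bot: on the fs/overlayfs/copy_up.c hunk, the moved dput(upper) now sits after the `if (!err)` block but still inside `if (!IS_ERR(upper))`, so both the success path (after ovl_dentry_update_reval() has read upper->d_flags) and the ovl_do_link() failure path release the reference exactly once, and it stays under the udir inode_lock as before, so there is no lock-ordering change. The only ask is the backport note: "[ Minor context change fixed. ]" should name which context line differed from upstream so the one-liner can be audited against the cited upstream commit.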
@@ -0,0 +1,66 @@ +From stable+bounces-197601-greg=kroah.com@vger.kernel.org Fri Nov 28 15:48:02 2025 +From: Nazar Kalashnikov +Date: Fri, 28 Nov 2025 17:48:15 +0300 +Subject: scsi: pm80xx: Set phy->enable_completion only when we +To: stable@vger.kernel.org, Greg Kroah-Hartman +Cc: Nazar Kalashnikov , Jack Wang , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Igor Pylypiv , Terrence Adams , Jack Wang +Message-ID: <20251128144816.55522-1-sivartiwe@gmail.com> + +From: Igor Pylypiv + +[ Upstream commit e4f949ef1516c0d74745ee54a0f4882c1f6c7aea ] + +pm8001_phy_control() populates the enable_completion pointer with a stack +address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and +returns. The problem arises when a phy control response comes late. After +300 ms the pm8001_phy_control() function returns and the passed +enable_completion stack address is no longer valid. Late phy control +response invokes complete() on a dangling enable_completion pointer which +leads to a kernel crash. + +Signed-off-by: Igor Pylypiv +Signed-off-by: Terrence Adams +Link: https://lore.kernel.org/r/20240627155924.2361370-2-tadamsjr@google.com +Acked-by: Jack Wang +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Nazar Kalashnikov +Signed-off-by: Greg Kroah-Hartman +--- +Backport fix for CVE-2024-47666 + drivers/scsi/pm8001/pm8001_sas.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/pm8001/pm8001_sas.c ++++ b/drivers/scsi/pm8001/pm8001_sas.c +@@ -163,7 +163,6 @@ int pm8001_phy_control(struct asd_sas_ph + unsigned long flags; + pm8001_ha = sas_phy->ha->lldd_ha; + phy = &pm8001_ha->phy[phy_id]; +- pm8001_ha->phy[phy_id].enable_completion = &completion; + switch (func) { + case PHY_FUNC_SET_LINK_RATE: + rates = funcdata; +@@ -176,6 +175,7 @@ int pm8001_phy_control(struct asd_sas_ph + rates->maximum_linkrate; + } + if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) { ++ pm8001_ha->phy[phy_id].enable_completion = &completion; + PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); + wait_for_completion(&completion); + } +@@ -184,6 +184,7 @@ int pm8001_phy_control(struct asd_sas_ph + break; + case PHY_FUNC_HARD_RESET: + if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) { ++ pm8001_ha->phy[phy_id].enable_completion = &completion; + PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); + wait_for_completion(&completion); + } +@@ -192,6 +193,7 @@ int pm8001_phy_control(struct asd_sas_ph + break; + case PHY_FUNC_LINK_RESET: + if (pm8001_ha->phy[phy_id].phy_state == PHY_LINK_DISABLE) { ++ pm8001_ha->phy[phy_id].enable_completion = &completion; + PM8001_CHIP_DISP->phy_start_req(pm8001_ha, phy_id); + wait_for_completion(&completion); + } diff --git a/queue-5.10/series b/queue-5.10/series index a2be7b1d9e..5fd5fdfed3 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
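Review bot: on the drivers/scsi/pm8001/pm8001_sas.c hunks, narrowing the assignment to the three branches that actually wait_for_completion() removes the stale pointer for every other func, but after wait_for_completion() returns the pointer still names the local `completion` on this function's stack; if the firmware can deliver a second phy-start response (the commit message is about late responses), complete() would again hit a dead stack slot. Unless the response handler nulls enable_completion after signalling it (not visible in this patch), add `pm8001_ha->phy[phy_id].enable_completion = NULL;` right after each wait_for_completion() so the dangling window is closed rather than shortened.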
@@ -287,3 +287,13 @@ usb-serial-option-add-support-for-rolling-rw101r-gl.patch drm-sti-fix-device-leaks-at-component-probe.patch drm-amd-display-check-null-before-accessing.patch libceph-fix-potential-use-after-free-in-have_mon_and_osd_map.patch +fs-writeback-fix-use-after-free-in-__mark_inode_dirty.patch +bluetooth-add-more-enc-key-size-check.patch +netfilter-nf_set_pipapo-fix-initial-map-fill.patch +scsi-pm80xx-set-phy-enable_completion-only-when-we.patch +mptcp-fix-proto-fallback-detection-with-bpf.patch +smb-client-fix-memory-leak-in-cifs_construct_tcon.patch +usb-typec-ucsi-psy-set-max-current-to-zero-when-disconnected.patch +usb-renesas_usbhs-fix-synchronous-external-abort-on-unbind.patch +usb-uas-fix-urb-unmapping-issue-when-the-uas-device-is-remove-during-ongoing-data-transfer.patch +ovl-fix-uaf-in-ovl_dentry_update_reval-by-moving-dput-in-ovl_link_up.patch diff --git a/queue-5.10/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch b/queue-5.10/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch new file mode 100644 index 0000000000..58577a6189 --- /dev/null +++ b/queue-5.10/smb-client-fix-memory-leak-in-cifs_construct_tcon.patch 
@@ -0,0 +1,70 @@ +From stable+bounces-198006-greg=kroah.com@vger.kernel.org Mon Dec 1 23:25:06 2025 +From: Sasha Levin +Date: Mon, 1 Dec 2025 17:24:51 -0500 +Subject: smb: client: fix memory leak in cifs_construct_tcon() +To: stable@vger.kernel.org +Cc: Paulo Alcantara , David Howells , Jay Shin , linux-cifs@vger.kernel.org, Steve French , Sasha Levin +Message-ID: <20251201222451.1290758-1-sashal@kernel.org> + +From: Paulo Alcantara + +[ Upstream commit 3184b6a5a24ec9ee74087b2a550476f386df7dc2 ] + +When having a multiuser mount with domain= specified and using +cifscreds, cifs_set_cifscreds() will end up setting @ctx->domainname, +so it needs to be freed before leaving cifs_construct_tcon(). + +This fixes the following memory leak reported by kmemleak: + + mount.cifs //srv/share /mnt -o domain=ZELDA,multiuser,... + su - testuser + cifscreds add -d ZELDA -u testuser + ... + ls /mnt/1 + ... + umount /mnt + echo scan > /sys/kernel/debug/kmemleak + cat /sys/kernel/debug/kmemleak + unreferenced object 0xffff8881203c3f08 (size 8): + comm "ls", pid 5060, jiffies 4307222943 + hex dump (first 8 bytes): + 5a 45 4c 44 41 00 cc cc ZELDA... 
+ backtrace (crc d109a8cf): + __kmalloc_node_track_caller_noprof+0x572/0x710 + kstrdup+0x3a/0x70 + cifs_sb_tlink+0x1209/0x1770 [cifs] + cifs_get_fattr+0xe1/0xf50 [cifs] + cifs_get_inode_info+0xb5/0x240 [cifs] + cifs_revalidate_dentry_attr+0x2d1/0x470 [cifs] + cifs_getattr+0x28e/0x450 [cifs] + vfs_getattr_nosec+0x126/0x180 + vfs_statx+0xf6/0x220 + do_statx+0xab/0x110 + __x64_sys_statx+0xd5/0x130 + do_syscall_64+0xbb/0x380 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Fixes: f2aee329a68f ("cifs: set domainName when a domain-key is used in multiuser") +Signed-off-by: Paulo Alcantara (Red Hat) +Reviewed-by: David Howells +Cc: Jay Shin +Cc: stable@vger.kernel.org +Cc: linux-cifs@vger.kernel.org +Signed-off-by: Steve French +[ Different path + ctx -> vol_info ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/connect.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -5162,6 +5162,7 @@ cifs_construct_tcon(struct cifs_sb_info + + out: + kfree(vol_info->username); ++ kfree(vol_info->domainname); + kfree_sensitive(vol_info->password); + kfree(vol_info); + diff --git a/queue-5.10/usb-renesas_usbhs-fix-synchronous-external-abort-on-unbind.patch b/queue-5.10/usb-renesas_usbhs-fix-synchronous-external-abort-on-unbind.patch new file mode 100644 index 0000000000..341e407286 --- /dev/null +++ b/queue-5.10/usb-renesas_usbhs-fix-synchronous-external-abort-on-unbind.patch 
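Review bot: on the fs/cifs/connect.c hunk, kfree(vol_info->domainname) is the right pairing for the kstrdup() shown in the kmemleak backtrace, and kfree() on a NULL domainname is fine for mounts that never used cifscreds; the one thing to confirm for this tree is that cifs_construct_tcon() never copies domainname into vol_info by pointer from the master session (the hunk shows how username and password are freed, not where domainname is assigned), since a borrowed pointer would turn this leak fix into a double free on umount. If it is only ever set through cifs_set_cifscreds() as the commit message says, a line in the backport note stating that would close the question.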
@@ -0,0 +1,146 @@ +From stable+bounces-198027-greg=kroah.com@vger.kernel.org Tue Dec 2 02:27:45 2025 +From: Sasha Levin +Date: Mon, 1 Dec 2025 20:27:36 -0500 +Subject: usb: renesas_usbhs: Fix synchronous external abort on unbind +To: stable@vger.kernel.org +Cc: Claudiu Beznea , stable , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251202012736.1580110-1-sashal@kernel.org> + +From: Claudiu Beznea + +[ Upstream commit eb9ac779830b2235847b72cb15cf07c7e3333c5e ] + +A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is +executed after the configuration sequence described above: + +modprobe usb_f_ecm +modprobe libcomposite +modprobe configfs +cd /sys/kernel/config/usb_gadget +mkdir -p g1 +cd g1 +echo "0x1d6b" > idVendor +echo "0x0104" > idProduct +mkdir -p strings/0x409 +echo "0123456789" > strings/0x409/serialnumber +echo "Renesas." > strings/0x409/manufacturer +echo "Ethernet Gadget" > strings/0x409/product +mkdir -p functions/ecm.usb0 +mkdir -p configs/c.1 +mkdir -p configs/c.1/strings/0x409 +echo "ECM" > configs/c.1/strings/0x409/configuration + +if [ ! 
-L configs/c.1/ecm.usb0 ]; then + ln -s functions/ecm.usb0 configs/c.1 +fi + +echo 11e20000.usb > UDC +echo 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind + +The displayed trace is as follows: + + Internal error: synchronous external abort: 0000000096000010 [#1] SMP + CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT + Tainted: [M]=MACHINE_CHECK + Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT) + pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] + lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs] + sp : ffff8000838b3920 + x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000 + x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810 + x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000 + x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020 + x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344 + x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000 + x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418 + x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d + x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000 + x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80 + Call trace: + usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P) + usbhsg_pullup+0x4c/0x7c [renesas_usbhs] + usb_gadget_disconnect_locked+0x48/0xd4 + gadget_unbind_driver+0x44/0x114 + device_remove+0x4c/0x80 + device_release_driver_internal+0x1c8/0x224 + device_release_driver+0x18/0x24 + bus_remove_device+0xcc/0x10c + device_del+0x14c/0x404 + usb_del_gadget+0x88/0xc0 + usb_del_gadget_udc+0x18/0x30 + usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs] + usbhs_mod_remove+0x20/0x30 [renesas_usbhs] + usbhs_remove+0x98/0xdc [renesas_usbhs] + platform_remove+0x20/0x30 + device_remove+0x4c/0x80 + 
device_release_driver_internal+0x1c8/0x224 + device_driver_detach+0x18/0x24 + unbind_store+0xb4/0xb8 + drv_attr_store+0x24/0x38 + sysfs_kf_write+0x7c/0x94 + kernfs_fop_write_iter+0x128/0x1b8 + vfs_write+0x2ac/0x350 + ksys_write+0x68/0xfc + __arm64_sys_write+0x1c/0x28 + invoke_syscall+0x48/0x110 + el0_svc_common.constprop.0+0xc0/0xe0 + do_el0_svc+0x1c/0x28 + el0_svc+0x34/0xf0 + el0t_64_sync_handler+0xa0/0xe4 + el0t_64_sync+0x198/0x19c + Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021) + ---[ end trace 0000000000000000 ]--- + note: sh[188] exited with irqs disabled + note: sh[188] exited with preempt_count 1 + +The issue occurs because usbhs_sys_function_pullup(), which accesses the IP +registers, is executed after the USBHS clocks have been disabled. The +problem is reproducible on the Renesas RZ/G3S SoC starting with the +addition of module stop in the clock enable/disable APIs. With module stop +functionality enabled, a bus error is expected if a master accesses a +module whose clock has been stopped and module stop activated. + +Disable the IP clocks at the end of remove. 
+ +Cc: stable +Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code") +Signed-off-by: Claudiu Beznea +Link: https://patch.msgid.link/20251027140741.557198-1-claudiu.beznea.uj@bp.renesas.com +Signed-off-by: Greg Kroah-Hartman +[ Adjust context ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/renesas_usbhs/common.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/usb/renesas_usbhs/common.c ++++ b/drivers/usb/renesas_usbhs/common.c +@@ -802,19 +802,19 @@ static int usbhs_remove(struct platform_ + + flush_delayed_work(&priv->notify_hotplug_work); + +- /* power off */ +- if (!usbhs_get_dparam(priv, runtime_pwctrl)) +- usbhsc_power_ctrl(priv, 0); +- +- pm_runtime_disable(&pdev->dev); +- + usbhs_platform_call(priv, hardware_exit, pdev); +- usbhsc_clk_put(priv); + reset_control_assert(priv->rsts); + usbhs_mod_remove(priv); + usbhs_fifo_remove(priv); + usbhs_pipe_remove(priv); + ++ /* power off */ ++ if (!usbhs_get_dparam(priv, runtime_pwctrl)) ++ usbhsc_power_ctrl(priv, 0); ++ ++ usbhsc_clk_put(priv); ++ pm_runtime_disable(&pdev->dev); ++ + return 0; + } + diff --git a/queue-5.10/usb-typec-ucsi-psy-set-max-current-to-zero-when-disconnected.patch b/queue-5.10/usb-typec-ucsi-psy-set-max-current-to-zero-when-disconnected.patch new file mode 100644 index 0000000000..2a47d0cd6e --- /dev/null +++ b/queue-5.10/usb-typec-ucsi-psy-set-max-current-to-zero-when-disconnected.patch 
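Review bot: the reordering in `usbhs_remove()` fixes the trace by keeping the IP clocks and power on until `usbhs_mod_remove()` (which, per the call trace, reaches `usbhs_sys_function_pullup()` through `usb_del_gadget_udc()`) has finished, but nothing in the code records that constraint; the moved "/* power off */" comment should say that clocks must stay enabled until the mod/fifo/pipe teardown has touched the registers for the last time, otherwise a later cleanup could reinstate the old order and reintroduce the external abort. Also note that `reset_control_assert(priv->rsts)` now runs with the clocks still enabled, which is the reverse of the previous sequence; that matches the expectation that the reset is asserted while the module is clocked, but is worth a line in the changelog since it is a behavioural change beyond moving the clock put.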
@@ -0,0 +1,50 @@ +From stable+bounces-198026-greg=kroah.com@vger.kernel.org Tue Dec 2 02:06:29 2025 +From: Sasha Levin +Date: Mon, 1 Dec 2025 20:06:19 -0500 +Subject: usb: typec: ucsi: psy: Set max current to zero when disconnected +To: stable@vger.kernel.org +Cc: Jameson Thies , Benson Leung , Heikki Krogerus , Sebastian Reichel , "Kenneth R. Crudup" , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251202010619.1551492-1-sashal@kernel.org> + +From: Jameson Thies + +[ Upstream commit 23379a17334fc24c4a9cbd9967d33dcd9323cc7c ] + +The ucsi_psy_get_current_max function defaults to 0.1A when it is not +clear how much current the partner device can support. But this does +not check the port is connected, and will report 0.1A max current when +nothing is connected. Update ucsi_psy_get_current_max to report 0A when +there is no connection. + +Fixes: af833e7f7db3 ("usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default") +Cc: stable@vger.kernel.org +Signed-off-by: Jameson Thies +Reviewed-by: Benson Leung +Reviewed-by: Heikki Krogerus +Reviewed-by: Sebastian Reichel +Tested-by: Kenneth R. Crudup +Rule: add +Link: https://lore.kernel.org/stable/20251017000051.2094101-1-jthies%40google.com +Link: https://patch.msgid.link/20251106011446.2052583-1-jthies@google.com +Signed-off-by: Greg Kroah-Hartman +[ adapted UCSI_CONSTAT() macro to direct flag access ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/psy.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/typec/ucsi/psy.c ++++ b/drivers/usb/typec/ucsi/psy.c +@@ -123,6 +123,11 @@ static int ucsi_psy_get_current_max(stru + { + u32 pdo; + ++ if (!(con->status.flags & UCSI_CONSTAT_CONNECTED)) { ++ val->intval = 0; ++ return 0; ++ } ++ + switch (UCSI_CONSTAT_PWR_OPMODE(con->status.flags)) { + case UCSI_CONSTAT_PWR_OPMODE_PD: + if (con->num_pdos > 0) { 
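Review bot: the early return in `ucsi_psy_get_current_max()` deserves a one-line comment explaining that an unconnected port reports 0 mA instead of the 100 mA default that the rest of the function falls back to, so the next reader does not mistake it for an error path; as written it is correct (`val->intval = 0; return 0;` succeeds rather than failing the property read). For the 5.10 backport, the direct `con->status.flags & UCSI_CONSTAT_CONNECTED` test matches the `UCSI_CONSTAT_PWR_OPMODE(con->status.flags)` usage already in the surrounding context, so the "[ adapted UCSI_CONSTAT() macro to direct flag access ]" adaptation is consistent with the file.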
diff --git a/queue-5.10/usb-uas-fix-urb-unmapping-issue-when-the-uas-device-is-remove-during-ongoing-data-transfer.patch b/queue-5.10/usb-uas-fix-urb-unmapping-issue-when-the-uas-device-is-remove-during-ongoing-data-transfer.patch new file mode 100644 index 0000000000..b6cee206ac --- /dev/null +++ b/queue-5.10/usb-uas-fix-urb-unmapping-issue-when-the-uas-device-is-remove-during-ongoing-data-transfer.patch 
@@ -0,0 +1,86 @@ +From stable+bounces-198030-greg=kroah.com@vger.kernel.org Tue Dec 2 02:48:56 2025 +From: Sasha Levin +Date: Mon, 1 Dec 2025 20:48:40 -0500 +Subject: usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer +To: stable@vger.kernel.org +Cc: Owen Gu , stable , Yu Chen , Oliver Neukum , Greg Kroah-Hartman , Sasha Levin +Message-ID: <20251202014840.1603338-1-sashal@kernel.org> + +From: Owen Gu + +[ Upstream commit 26d56a9fcb2014b99e654127960aa0a48a391e3c ] + +When a UAS device is unplugged during data transfer, there is +a probability of a system panic occurring. The root cause is +an access to an invalid memory address during URB callback handling. +Specifically, this happens when the dma_direct_unmap_sg() function +is called within the usb_hcd_unmap_urb_for_dma() interface, but the +sg->dma_address field is 0 and the sg data structure has already been +freed. + +The SCSI driver sends transfer commands by invoking uas_queuecommand_lck() +in uas.c, using the uas_submit_urbs() function to submit requests to USB. +Within the uas_submit_urbs() implementation, three URBs (sense_urb, +data_urb, and cmd_urb) are sequentially submitted. Device removal may +occur at any point during uas_submit_urbs execution, which may result +in URB submission failure. However, some URBs might have been successfully +submitted before the failure, and uas_submit_urbs will return the -ENODEV +error code in this case. The current error handling directly calls +scsi_done(). In the SCSI driver, this eventually triggers scsi_complete() +to invoke scsi_end_request() for releasing the sgtable. The successfully +submitted URBs, when being unlinked to giveback, call +usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg +unmapping operations since the sg data structure has already been freed. + +This patch modifies the error condition check in the uas_submit_urbs() +function. 
When a UAS device is removed but one or more URBs have already +been successfully submitted to USB, it avoids immediately invoking +scsi_done() and save the cmnd to devinfo->cmnd array. If the successfully +submitted URBs is completed before devinfo->resetting being set, then +the scsi_done() function will be called within uas_try_complete() after +all pending URB operations are finalized. Otherwise, the scsi_done() +function will be called within uas_zap_pending(), which is executed after +usb_kill_anchored_urbs(). + +The error handling only takes effect when uas_queuecommand_lck() calls +uas_submit_urbs() and returns the error value -ENODEV . In this case, +the device is disconnected, and the flow proceeds to uas_disconnect(), +where uas_zap_pending() is invoked to call uas_try_complete(). + +Fixes: eb2a86ae8c54 ("USB: UAS: fix disconnect by unplugging a hub") +Cc: stable +Signed-off-by: Yu Chen +Signed-off-by: Owen Gu +Acked-by: Oliver Neukum +Link: https://patch.msgid.link/20251120123336.3328-1-guhuinan@xiaomi.com +Signed-off-by: Greg Kroah-Hartman +[ adapted scsi_done(cmnd) helper to older cmnd->scsi_done(cmnd) callback API ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/uas.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -705,7 +705,11 @@ static int uas_queuecommand_lck(struct s + * of queueing, no matter how fatal the error + */ + if (err == -ENODEV) { +- set_host_byte(cmnd, DID_ERROR); ++ if (cmdinfo->state & (COMMAND_INFLIGHT | DATA_IN_URB_INFLIGHT | ++ DATA_OUT_URB_INFLIGHT)) ++ goto out; ++ ++ set_host_byte(cmnd, DID_NO_CONNECT); + cmnd->scsi_done(cmnd); + goto zombie; + } +@@ -718,6 +722,7 @@ static int uas_queuecommand_lck(struct s + uas_add_work(cmdinfo); + } + ++out: + devinfo->cmnd[idx] = cmnd; + zombie: + spin_unlock_irqrestore(&devinfo->lock, flags); -- 2.47.3
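Review bot: the `goto out` branch in `uas_queuecommand_lck()` reads as silently dropping the `-ENODEV` error unless the reader already knows the commit message; a comment above the `if (cmdinfo->state & (COMMAND_INFLIGHT | DATA_IN_URB_INFLIGHT | DATA_OUT_URB_INFLIGHT))` check should state that completion is deferred to `uas_try_complete()` or `uas_zap_pending()` because URBs already in flight still reference the command's sg table. Separately, the host byte for the nothing-submitted case changes from `DID_ERROR` to `DID_NO_CONNECT`, which alters what the SCSI midlayer sees on plain disconnect and is not called out in the description; please mention it in the changelog. The `out:` label sits right before `devinfo->cmnd[idx] = cmnd;`, which is what lets the deferred completion find the command later, so it must stay ahead of that assignment and after `uas_add_work()` is skipped.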