6.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 28 May 2026 09:51:29 +0000 (11:51 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 28 May 2026 09:51:29 +0000 (11:51 +0200)
added patches:
cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
fs-ntfs3-handle-attr_set_size-errors-when-truncating-files.patch
sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch
sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch

queue-6.12/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch [new file with mode: 0644]
queue-6.12/fs-ntfs3-handle-attr_set_size-errors-when-truncating-files.patch [new file with mode: 0644]
queue-6.12/sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch [new file with mode: 0644]
queue-6.12/sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch [new file with mode: 0644]
queue-6.12/series

diff --git a/queue-6.12/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch b/queue-6.12/cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
new file mode 100644 (file)
index 0000000..3faf4d9
--- /dev/null
@@ -0,0 +1,70 @@
+From stable+bounces-253786-greg=kroah.com@vger.kernel.org Fri May 22 15:18:48 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 May 2026 09:03:03 -0400
+Subject: cgroup/cpuset: Reset DL migration state on can_attach() failure
+To: stable@vger.kernel.org
+Cc: Guopeng Zhang <zhangguopeng@kylinos.cn>, Tejun Heo <tj@kernel.org>, Chen Ridong <chenridong@huaweicloud.com>, Waiman Long <longman@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260522130303.3869136-1-sashal@kernel.org>
+
+From: Guopeng Zhang <zhangguopeng@kylinos.cn>
+
+[ Upstream commit 4a39eda5fdd867fc39f3c039714dd432cee00268 ]
+
+cpuset_can_attach() accumulates temporary SCHED_DEADLINE migration
+state in the destination cpuset while walking the taskset.
+
+If a later task_can_attach() or security_task_setscheduler() check
+fails, cgroup_migrate_execute() treats cpuset as the failing subsystem
+and does not call cpuset_cancel_attach() for it. The partially
+accumulated state is then left behind and can be consumed by a later
+attach, corrupting cpuset DL task accounting and pending DL bandwidth
+accounting.
+
+Reset the pending DL migration state from the common error exit when
+ret is non-zero. Successful can_attach() keeps the state for
+cpuset_attach() or cpuset_cancel_attach().
+
+Fixes: 2ef269ef1ac0 ("cgroup/cpuset: Free DL BW in case can_attach() fails")
+Cc: stable@vger.kernel.org # v6.10+
+Signed-off-by: Guopeng Zhang <zhangguopeng@kylinos.cn>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
+Reviewed-by: Waiman Long <longman@redhat.com>
+[ omitted upstream context line `cs->dl_bw_cpu = cpu;` ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cpuset.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -2996,16 +2996,13 @@ static int cpuset_can_attach(struct cgro
+               int cpu = cpumask_any_and(cpu_active_mask, cs->effective_cpus);
+               if (unlikely(cpu >= nr_cpu_ids)) {
+-                      reset_migrate_dl_data(cs);
+                       ret = -EINVAL;
+                       goto out_unlock;
+               }
+               ret = dl_bw_alloc(cpu, cs->sum_migrate_dl_bw);
+-              if (ret) {
+-                      reset_migrate_dl_data(cs);
++              if (ret)
+                       goto out_unlock;
+-              }
+       }
+ out_success:
+@@ -3014,7 +3011,10 @@ out_success:
+        * changes which zero cpus/mems_allowed.
+        */
+       cs->attach_in_progress++;
++
+ out_unlock:
++      if (ret)
++              reset_migrate_dl_data(cs);
+       mutex_unlock(&cpuset_mutex);
+       return ret;
+ }
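Review bot: The reset moved to `out_unlock` carries no comment saying why the DL migration state has to be dropped on this path; the commit message explains it (the cgroup core does not call cancel_attach() for the subsystem whose can_attach() failed) but the code does not. Suggest placing `/* cancel_attach() is not invoked for the failing css, so drop the pending DL migration state here */` above the new `if (ret)`. The check also relies on every `goto out_unlock` in cpuset_can_attach() having set ret non-zero and on the success path reaching the label with ret == 0; those jumps and the earlier part of the function are outside the hunk, so that is worth confirming in the 6.12 tree, particularly since the backport note records an omitted `cs->dl_bw_cpu = cpu;` context line.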
diff --git a/queue-6.12/fs-ntfs3-handle-attr_set_size-errors-when-truncating-files.patch b/queue-6.12/fs-ntfs3-handle-attr_set_size-errors-when-truncating-files.patch
new file mode 100644 (file)
index 0000000..22d4521
--- /dev/null
@@ -0,0 +1,69 @@
+From lanbincn@139.com Thu May 28 05:23:36 2026
+From: Bin Lan <lanbincn@139.com>
+Date: Thu, 28 May 2026 11:23:27 +0800
+Subject: fs/ntfs3: handle attr_set_size() errors when truncating files
+To: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org, Konstantin Komarov <almaz.alexandrovich@paragon-software.com>, Bin Lan <lanbincn@139.com>
+Message-ID: <20260528032327.58596-1-lanbincn@139.com>
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+[ Upstream commit 576248a34b927e93b2fd3fff7df735ba73ad7d01 ]
+
+If attr_set_size() fails while truncating down, the error is silently
+ignored and the inode may be left in an inconsistent state.
+
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+[ Minor context conflict resolved. ]
+Signed-off-by: Bin Lan <lanbincn@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ntfs3/file.c |   12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/fs/ntfs3/file.c
++++ b/fs/ntfs3/file.c
+@@ -500,8 +500,8 @@ static int ntfs_truncate(struct inode *i
+ {
+       struct super_block *sb = inode->i_sb;
+       struct ntfs_inode *ni = ntfs_i(inode);
+-      int err, dirty = 0;
+       u64 new_valid;
++      int err;
+       if (!S_ISREG(inode->i_mode))
+               return 0;
+@@ -517,7 +517,6 @@ static int ntfs_truncate(struct inode *i
+       }
+       new_valid = ntfs_up_block(sb, min_t(u64, ni->i_valid, new_size));
+-
+       truncate_setsize(inode, new_size);
+       ni_lock(ni);
+@@ -531,22 +530,19 @@ static int ntfs_truncate(struct inode *i
+               ni->i_valid = new_valid;
+       ni_unlock(ni);
++      if (unlikely(err))
++              return err;
+       ni->std_fa |= FILE_ATTRIBUTE_ARCHIVE;
+       inode_set_mtime_to_ts(inode, inode_set_ctime_current(inode));
+       if (!IS_DIRSYNC(inode)) {
+-              dirty = 1;
++              mark_inode_dirty(inode);
+       } else {
+               err = ntfs_sync_inode(inode);
+               if (err)
+                       return err;
+       }
+-      if (dirty)
+-              mark_inode_dirty(inode);
+-
+-      /*ntfs_flush_inodes(inode->i_sb, inode, NULL);*/
+-
+       return 0;
+ }
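Review bot: The new `if (unlikely(err)) return err;` after `ni_unlock(ni)` returns with `truncate_setsize(inode, new_size)` already applied a few lines earlier, so on this error path the in-memory i_size has been changed while the size update that produced err has not succeeded; the caller gets the error, but nothing in the code records that the inode is left in this state. The assignment of `err` (presumably the attr_set_size() call named in the subject) lies between the hunks and is not visible here, so whether any partial change needs undoing cannot be judged from this excerpt. Suggest a comment above the early return, e.g. `/* attr_set_size() failed: i_size is already truncated in memory; report the error instead of marking the inode dirty */`. ntfs_truncate()'s body continues outside the hunks.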
diff --git a/queue-6.12/sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch b/queue-6.12/sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch
new file mode 100644 (file)
index 0000000..582679f
--- /dev/null
@@ -0,0 +1,45 @@
+From stable+bounces-253589-greg=kroah.com@vger.kernel.org Thu May 21 17:28:04 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2026 10:52:11 -0400
+Subject: sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path
+To: stable@vger.kernel.org
+Cc: Tejun Heo <tj@kernel.org>, Sashiko <sashiko-bot@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260521145211.1316611-2-sashal@kernel.org>
+
+From: Tejun Heo <tj@kernel.org>
+
+[ Upstream commit 9a415cc53711f2238e0f0ca8a6bcc796c003b127 ]
+
+In scx_root_enable_workfn(), put_task_struct(p) is called before scx_error()
+dereferences p->comm and p->pid. If the iterator's reference is the last
+drop, the task is freed synchronously and the deref becomes a UAF.
+
+Move put_task_struct() past scx_error().
+
+Reported-by: Sashiko <sashiko-bot@kernel.org>
+Closes: https://lore.kernel.org/all/20260511214031.AF5E9C2BCB0@smtp.kernel.org/
+Fixes: f0e1a0643a59 ("sched_ext: Implement BPF extensible scheduler class")
+Cc: stable@vger.kernel.org # v6.12+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+[ adapted fix to pre-refactor scx_ops_enable_workfn() with scx_task_iter_relock() instead of upstream scx_root_enable_workfn() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/ext.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -5406,11 +5406,11 @@ static void scx_ops_enable_workfn(struct
+               ret = scx_ops_init_task(p, task_group(p), false);
+               if (ret) {
+-                      put_task_struct(p);
+                       scx_task_iter_relock(&sti);
+                       scx_task_iter_stop(&sti);
+                       scx_ops_error("ops.init_task() failed (%d) for %s[%d]",
+                                     ret, p->comm, p->pid);
++                      put_task_struct(p);
+                       goto err_disable_unlock_all;
+               }
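Review bot: The reordered `put_task_struct(p)` now sits after the `scx_ops_error()` call that reads `p->comm` and `p->pid`, but nothing in the code records that the order is load-bearing, so a later cleanup could move it back ahead of the message. Suggest a comment before the put: `/* keep the iterator's ref until p->comm/p->pid have been read above; this may be the last reference */`. The backport places `scx_task_iter_relock()` and `scx_task_iter_stop(&sti)` before the message, so whether the iterator itself still holds a reference at that point depends on the 6.12 iterator helpers, which are outside the hunk. The enclosing loop and the `err_disable_unlock_all` label are also outside the hunk.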
diff --git a/queue-6.12/sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch b/queue-6.12/sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch
new file mode 100644 (file)
index 0000000..1e6ee52
--- /dev/null
@@ -0,0 +1,57 @@
+From stable+bounces-253588-greg=kroah.com@vger.kernel.org Thu May 21 17:56:07 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 May 2026 10:52:10 -0400
+Subject: sched_ext: Fix missing warning in scx_set_task_state() default case
+To: stable@vger.kernel.org
+Cc: Samuele Mariotti <smariotti@disroot.org>, Paolo Valente <paolo.valente@unimore.it>, Andrea Righi <arighi@nvidia.com>, Tejun Heo <tj@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260521145211.1316611-1-sashal@kernel.org>
+
+From: Samuele Mariotti <smariotti@disroot.org>
+
+[ Upstream commit b905ee77d5f557a83a485b4146210f54f13365fc ]
+
+In scx_set_task_state(), the default case was setting the
+warn flag, but then returning immediately. This is problematic
+because the only purpose of the warn flag is to trigger
+WARN_ONCE, but the early return prevented it from ever firing,
+leaving invalid task states undetected and untraced.
+
+To fix this, a WARN_ONCE call is now added directly in the
+default case.
+
+The fix addresses two aspects:
+
+ - Guarantees the invalid task states are properly logged
+   and traced.
+
+ - Provides a distinct warning message
+   ("sched_ext: Invalid task state") specifically for
+   states outside the defined scx_task_state enum values,
+   making it easier to distinguish from other transition
+   warnings.
+
+This ensures proper detection and reporting of invalid states.
+
+Signed-off-by: Samuele Mariotti <smariotti@disroot.org>
+Signed-off-by: Paolo Valente <paolo.valente@unimore.it>
+Reviewed-by: Andrea Righi <arighi@nvidia.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Stable-dep-of: 9a415cc53711 ("sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/ext.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -3637,7 +3637,8 @@ static void scx_set_task_state(struct ta
+               warn = prev_state != SCX_TASK_READY;
+               break;
+       default:
+-              warn = true;
++              WARN_ONCE(1, "sched_ext: Invalid task state %d -> %d for %s[%d]",
++                        prev_state, state, p->comm, p->pid);
+               return;
+       }
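Review bot: The `default:` case now warns and then `return`s, which also skips whatever follows the switch in scx_set_task_state() (the common warning the old `warn = true` fed, and any state write); the hunk does not show that tail, so a one-line comment would make the intent explicit, e.g. `/* unknown target state: warn here, the common warning below is never reached */`. WARN_ONCE fires only for the first invalid transition, so later transitions with different states go unreported; if that matters for diagnosing the issue this patch is a stable dependency for, the trade-off should be noted next to the call. The switch head and the function's tail lie outside the hunk.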
index 6de5135af154ced6541b6af22cf471a65d8edb68..5b70e717d1280495510d7625b3f79da5766e2e55 100644 (file)
@@ -74,3 +74,7 @@ netfilter-ip6t_hbh-reject-oversized-option-lists.patch
 netfilter-nf_queue-hold-bridge-skb-dev-while-queued.patch
 netfilter-ipset-stop-hash-range-iteration-at-end.patch
 netfilter-nft_inner-fix-ipv6-inner_thoff-desync.patch
+sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch
+sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch
+cgroup-cpuset-reset-dl-migration-state-on-can_attach-failure.patch
+fs-ntfs3-handle-attr_set_size-errors-when-truncating-files.patch