From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 23 Apr 2026 11:36:49 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=28d7d41467b0eb753674f38dd0e5ff8e473a97bc;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	alsa-control-avoid-warn-for-symlink-errors.patch
	f2fs-fix-null-ptr-deref-in-f2fs_submit_page_bio.patch
---

diff --git a/queue-6.1/alsa-control-avoid-warn-for-symlink-errors.patch b/queue-6.1/alsa-control-avoid-warn-for-symlink-errors.patch
new file mode 100644
index 0000000000..f22052d65d
--- /dev/null
+++ b/queue-6.1/alsa-control-avoid-warn-for-symlink-errors.patch
@@ -0,0 +1,54 @@
+From b2e538a9827dd04ab5273bf4be8eb2edb84357b0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 9 Dec 2024 10:56:12 +0100
+Subject: ALSA: control: Avoid WARN() for symlink errors
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit b2e538a9827dd04ab5273bf4be8eb2edb84357b0 upstream.
+
+Using WARN() for showing the error of symlink creations don't give
+more information than telling that something goes wrong, since the
+usual code path is a lregister callback from each control element
+creation.  More badly, the use of WARN() rather confuses fuzzer as if
+it were serious issues.
+
+This patch downgrades the warning messages to use the normal dev_err()
+instead of WARN().  For making it clearer, add the function name to
+the prefix, too.
+
+Fixes: a135dfb5de15 ("ALSA: led control - add sysfs kcontrol LED marking layer")
+Reported-by: syzbot+4e7919b09c67ffd198ae@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/675664c7.050a0220.a30f1.018c.GAE@google.com
+Link: https://patch.msgid.link/20241209095614.4273-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[ Use card->ctl_dev.kobj to keep struct consistent. ]
+Signed-off-by: Robert Garcia <rob_garcia@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/control_led.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/sound/core/control_led.c
++++ b/sound/core/control_led.c
+@@ -688,10 +688,16 @@ static void snd_ctl_led_sysfs_add(struct
+ 			goto cerr;
+ 		led->cards[card->number] = led_card;
+ 		snprintf(link_name, sizeof(link_name), "led-%s", led->name);
+-		WARN(sysfs_create_link(&card->ctl_dev.kobj, &led_card->dev.kobj, link_name),
+-			"can't create symlink to controlC%i device\n", card->number);
+-		WARN(sysfs_create_link(&led_card->dev.kobj, &card->card_dev.kobj, "card"),
+-			"can't create symlink to card%i\n", card->number);
++		if (sysfs_create_link(&card->ctl_dev.kobj, &led_card->dev.kobj,
++				      link_name))
++			dev_err(card->dev,
++				"%s: can't create symlink to controlC%i device\n",
++				 __func__, card->number);
++		if (sysfs_create_link(&led_card->dev.kobj, &card->card_dev.kobj,
++				      "card"))
++			dev_err(card->dev,
++				"%s: can't create symlink to card%i\n",
++				__func__, card->number);
+ 
+ 		continue;
+ cerr:
diff --git a/queue-6.1/f2fs-fix-null-ptr-deref-in-f2fs_submit_page_bio.patch b/queue-6.1/f2fs-fix-null-ptr-deref-in-f2fs_submit_page_bio.patch
new file mode 100644
index 0000000000..a713c32207
--- /dev/null
+++ b/queue-6.1/f2fs-fix-null-ptr-deref-in-f2fs_submit_page_bio.patch
@@ -0,0 +1,92 @@
+From b7d0a97b28083084ebdd8e5c6bccd12e6ec18faa Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Sat, 12 Oct 2024 00:44:50 +0800
+Subject: f2fs: fix null-ptr-deref in f2fs_submit_page_bio()
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit b7d0a97b28083084ebdd8e5c6bccd12e6ec18faa upstream.
+
+There's issue as follows when concurrently installing the f2fs.ko
+module and mounting the f2fs file system:
+KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
+RIP: 0010:__bio_alloc+0x2fb/0x6c0 [f2fs]
+Call Trace:
+ <TASK>
+ f2fs_submit_page_bio+0x126/0x8b0 [f2fs]
+ __get_meta_page+0x1d4/0x920 [f2fs]
+ get_checkpoint_version.constprop.0+0x2b/0x3c0 [f2fs]
+ validate_checkpoint+0xac/0x290 [f2fs]
+ f2fs_get_valid_checkpoint+0x207/0x950 [f2fs]
+ f2fs_fill_super+0x1007/0x39b0 [f2fs]
+ mount_bdev+0x183/0x250
+ legacy_get_tree+0xf4/0x1e0
+ vfs_get_tree+0x88/0x340
+ do_new_mount+0x283/0x5e0
+ path_mount+0x2b2/0x15b0
+ __x64_sys_mount+0x1fe/0x270
+ do_syscall_64+0x5f/0x170
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Above issue happens as the biset of the f2fs file system is not
+initialized before register "f2fs_fs_type".
+To address above issue just register "f2fs_fs_type" at the last in
+init_f2fs_fs(). Ensure that all f2fs file system resources are
+initialized.
+
+Fixes: f543805fcd60 ("f2fs: introduce private bioset")
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ Minor context conflict resolved. ]
+Signed-off-by: Bin Lan <lanbincn@139.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/super.c |    8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4760,9 +4760,6 @@ static int __init init_f2fs_fs(void)
+ 	err = register_shrinker(&f2fs_shrinker_info, "f2fs-shrinker");
+ 	if (err)
+ 		goto free_sysfs;
+-	err = register_filesystem(&f2fs_fs_type);
+-	if (err)
+-		goto free_shrinker;
+ 	f2fs_create_root_stats();
+ 	err = f2fs_init_post_read_processing();
+ 	if (err)
+@@ -4786,6 +4783,7 @@ static int __init init_f2fs_fs(void)
+ 	if (err)
+ 		goto free_compress_cache;
+ 	err = f2fs_init_xattr_cache();
++	err = register_filesystem(&f2fs_fs_type);
+ 	if (err)
+ 		goto free_casefold_cache;
+ 	return 0;
+@@ -4805,8 +4803,6 @@ free_post_read:
+ 	f2fs_destroy_post_read_processing();
+ free_root_stats:
+ 	f2fs_destroy_root_stats();
+-	unregister_filesystem(&f2fs_fs_type);
+-free_shrinker:
+ 	unregister_shrinker(&f2fs_shrinker_info);
+ free_sysfs:
+ 	f2fs_exit_sysfs();
+@@ -4830,6 +4826,7 @@ fail:
+ 
+ static void __exit exit_f2fs_fs(void)
+ {
++	unregister_filesystem(&f2fs_fs_type);
+ 	f2fs_destroy_xattr_cache();
+ 	f2fs_destroy_casefold_cache();
+ 	f2fs_destroy_compress_cache();
+@@ -4839,7 +4836,6 @@ static void __exit exit_f2fs_fs(void)
+ 	f2fs_destroy_iostat_processing();
+ 	f2fs_destroy_post_read_processing();
+ 	f2fs_destroy_root_stats();
+-	unregister_filesystem(&f2fs_fs_type);
+ 	unregister_shrinker(&f2fs_shrinker_info);
+ 	f2fs_exit_sysfs();
+ 	f2fs_destroy_garbage_collection_cache();
diff --git a/queue-6.1/series b/queue-6.1/series
index e243e1fc24..d7d671c5e1 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -134,3 +134,5 @@ soc-qcom-apr-make-remove-callback-of-apr-driver-void-returned.patch
 asoc-qcom-q6apm-move-component-registration-to-unmanaged-version.patch
 rxrpc-fix-recvmsg-unconditional-requeue.patch
 scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch
+alsa-control-avoid-warn-for-symlink-errors.patch
+f2fs-fix-null-ptr-deref-in-f2fs_submit_page_bio.patch