From: Greg Kroah-Hartman Date: Thu, 23 Apr 2026 11:50:41 +0000 (+0200) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=437e859bc7cd895df0c87dffb78841ea9891d42f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: alsa-control-avoid-warn-for-symlink-errors.patch alsa-usb-audio-kill-timer-properly-at-removal.patch binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch blk-mq-use-quiesced-elevator-switch-when-reinitializing-queues.patch bluetooth-af_bluetooth-fix-deadlock.patch bluetooth-hci_core-fix-use-after-free-in-vhci_flush.patch bpf-do-mark_chain_precision-for-arg_const_alloc_size_or_zero.patch btrfs-do-not-strictly-require-dirty-metadata-threshold-for-metadata-writepages.patch btrfs-send-check-for-inline-extents-in-range_is_hole_in_parent.patch can-gs_usb-gs_usb_xmit_callback-fix-handling-of-failed-transmitted-urbs.patch dlm-fix-possible-lkb_resource-null-dereference.patch dm-verity-disable-recursive-forward-error-correction.patch dmaengine-mmp_pdma-fix-race-condition-in-mmp_pdma_residue.patch drm-amdgpu-unmap-and-remove-csa_va-properly.patch f2fs-fix-null-ptr-deref-in-f2fs_submit_page_bio.patch f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_blocks-in-lfs-mode.patch f2fs-fix-to-wait-on-block-writeback-for-post_read-case.patch fs-dlm-fix-use-after-free-in-midcomms-commit.patch gfs2-no-more-self-recovery.patch ice-add-netif_device_attach-detach-into-pf-reset-flow.patch iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch net-add-skb_header_pointer_careful-helper.patch net-sched-cls_u32-use-skb_header_pointer_careful.patch net-stmmac-fix-tso-dma-api-usage-causing-oops.patch net-usb-lan78xx-fix-double-free-issue-with-interrupt-buffer-allocation.patch nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch nvmet-always-initialize-cqe.result.patch pstore-inode-only-d_invalidate-is-needed.patch revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch spi-cadence-quadspi-implement-refcount-to-handle-unbind-during-busy.patch sunrpc-lock-against-sock-changing-during-sysfs-read.patch vdpa-add-max-vqp-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch wifi-iwlwifi-read-txq-read_ptr-under-lock.patch x86-uprobes-fix-xol-allocation-failure-for-32-bit-tasks.patch --- diff --git a/queue-5.15/alsa-control-avoid-warn-for-symlink-errors.patch b/queue-5.15/alsa-control-avoid-warn-for-symlink-errors.patch new file mode 100644 index 0000000000..604d5ec60a --- /dev/null +++ b/queue-5.15/alsa-control-avoid-warn-for-symlink-errors.patch @@ -0,0 +1,54 @@ +From b2e538a9827dd04ab5273bf4be8eb2edb84357b0 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 9 Dec 2024 10:56:12 +0100 +Subject: ALSA: control: Avoid WARN() for symlink errors + +From: Takashi Iwai + +commit b2e538a9827dd04ab5273bf4be8eb2edb84357b0 upstream. + +Using WARN() for showing the error of symlink creations don't give +more information than telling that something goes wrong, since the +usual code path is a lregister callback from each control element +creation. More badly, the use of WARN() rather confuses fuzzer as if +it were serious issues. + +This patch downgrades the warning messages to use the normal dev_err() +instead of WARN(). For making it clearer, add the function name to +the prefix, too. + +Fixes: a135dfb5de15 ("ALSA: led control - add sysfs kcontrol LED marking layer") +Reported-by: syzbot+4e7919b09c67ffd198ae@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/675664c7.050a0220.a30f1.018c.GAE@google.com +Link: https://patch.msgid.link/20241209095614.4273-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +[ Use card->ctl_dev.kobj to keep struct consistent. ] +Signed-off-by: Robert Garcia +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/control_led.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/sound/core/control_led.c ++++ b/sound/core/control_led.c +@@ -693,10 +693,16 @@ static void snd_ctl_led_sysfs_add(struct + goto cerr; + led->cards[card->number] = led_card; + snprintf(link_name, sizeof(link_name), "led-%s", led->name); +- WARN(sysfs_create_link(&card->ctl_dev.kobj, &led_card->dev.kobj, link_name), +- "can't create symlink to controlC%i device\n", card->number); +- WARN(sysfs_create_link(&led_card->dev.kobj, &card->card_dev.kobj, "card"), +- "can't create symlink to card%i\n", card->number); ++ if (sysfs_create_link(&card->ctl_dev.kobj, &led_card->dev.kobj, ++ link_name)) ++ dev_err(card->dev, ++ "%s: can't create symlink to controlC%i device\n", ++ __func__, card->number); ++ if (sysfs_create_link(&led_card->dev.kobj, &card->card_dev.kobj, ++ "card")) ++ dev_err(card->dev, ++ "%s: can't create symlink to card%i\n", ++ __func__, card->number); + + continue; + cerr: diff --git a/queue-5.15/alsa-usb-audio-kill-timer-properly-at-removal.patch b/queue-5.15/alsa-usb-audio-kill-timer-properly-at-removal.patch new file mode 100644 index 0000000000..c1e16f2553 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-kill-timer-properly-at-removal.patch @@ -0,0 +1,56 @@ +From stable+bounces-225743-greg=kroah.com@vger.kernel.org Tue Mar 17 06:57:15 2026 +From: Johnny Hao +Date: Tue, 17 Mar 2026 13:56:04 +0800 +Subject: ALSA: usb-audio: Kill timer properly at removal +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Takashi Iwai , syzbot+d8f72178ab6783a7daea@syzkaller.appspotmail.com, Johnny Hao +Message-ID: <20260317055604.669076-1-johnny_haocn@sina.com> + +From: Takashi Iwai + +[ Upstream commit 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 ] + +The USB-audio MIDI code initializes the timer, but in a rare case, the +driver might be freed without the disconnect call. This leaves the +timer in an active state while the assigned object is released via +snd_usbmidi_free(), which ends up with a kernel warning when the debug +configuration is enabled, as spotted by fuzzer. + +For avoiding the problem, put timer_shutdown_sync() at +snd_usbmidi_free(), so that the timer can be killed properly. +While we're at it, replace the existing timer_delete_sync() at the +disconnect callback with timer_shutdown_sync(), too. + +Reported-by: syzbot+d8f72178ab6783a7daea@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/681c70d7.050a0220.a19a9.00c6.GAE@google.com +Cc: +Link: https://patch.msgid.link/20250519212031.14436-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +[ The context change is due to the commit 8fa7292fee5c +("treewide: Switch/rename to timer_delete[_sync]()") +in v6.15 which is irrelevant to the logic of this patch. ] +Signed-off-by: Johnny Hao +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/midi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -1530,6 +1530,7 @@ static void snd_usbmidi_free(struct snd_ + snd_usbmidi_in_endpoint_delete(ep->in); + } + mutex_destroy(&umidi->mutex); ++ timer_shutdown_sync(&umidi->error_timer); + kfree(umidi); + } + +@@ -1553,7 +1554,7 @@ void snd_usbmidi_disconnect(struct list_ + spin_unlock_irq(&umidi->disc_lock); + up_write(&umidi->disc_rwsem); + +- del_timer_sync(&umidi->error_timer); ++ timer_shutdown_sync(&umidi->error_timer); + + for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { + struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; diff --git a/queue-5.15/binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch b/queue-5.15/binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch new file mode 100644 index 0000000000..afd58f61b4 --- /dev/null +++ b/queue-5.15/binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch @@ -0,0 +1,50 @@ +From stable+bounces-224649-greg=kroah.com@vger.kernel.org Wed Mar 11 09:12:27 2026 +From: Robert Garcia +Date: Wed, 11 Mar 2026 16:10:46 +0800 +Subject: binfmt_misc: restore write access before closing files opened by open_exec() +To: stable@vger.kernel.org, Zilin Guan +Cc: Christian Brauner , Alexander Viro , Robert Garcia , Jan Kara , Eric Biederman , Kees Cook , Andrew Morton , Helge Deller , Lior Ribak , linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org +Message-ID: <20260311081046.1668003-1-rob_garcia@163.com> + +From: Zilin Guan + +[ Upstream commit 90f601b497d76f40fa66795c3ecf625b6aced9fd ] + +bm_register_write() opens an executable file using open_exec(), which +internally calls do_open_execat() and denies write access on the file to +avoid modification while it is being executed. + +However, when an error occurs, bm_register_write() closes the file using +filp_close() directly. This does not restore the write permission, which +may cause subsequent write operations on the same file to fail. + +Fix this by calling exe_file_allow_write_access() before filp_close() to +restore the write permission properly. + +Fixes: e7850f4d844e ("binfmt_misc: fix possible deadlock in bm_register_write") +Signed-off-by: Zilin Guan +Link: https://patch.msgid.link/20251105022923.1813587-1-zilin@seu.edu.cn +Signed-off-by: Christian Brauner +[ Use allow_write_access() instead of exe_file_allow_write_access() +according to commit 0357ef03c94ef +("fs: don't block write during exec on pre-content watched files"). ] +Signed-off-by: Robert Garcia +Signed-off-by: Greg Kroah-Hartman +--- + fs/binfmt_misc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/binfmt_misc.c ++++ b/fs/binfmt_misc.c +@@ -816,8 +816,10 @@ out: + inode_unlock(d_inode(root)); + + if (err) { +- if (f) ++ if (f) { ++ allow_write_access(f); + filp_close(f, NULL); ++ } + kfree(e); + return err; + } diff --git a/queue-5.15/blk-mq-use-quiesced-elevator-switch-when-reinitializing-queues.patch b/queue-5.15/blk-mq-use-quiesced-elevator-switch-when-reinitializing-queues.patch new file mode 100644 index 0000000000..038d502402 --- /dev/null +++ b/queue-5.15/blk-mq-use-quiesced-elevator-switch-when-reinitializing-queues.patch @@ -0,0 +1,114 @@ +From alvalan9@foxmail.com Tue Feb 24 08:26:41 2026 +From: alvalan9@foxmail.com +Date: Tue, 24 Feb 2026 07:26:24 +0000 +Subject: blk-mq: use quiesced elevator switch when reinitializing queues +To: stable@vger.kernel.org, gregkh@linuxfoundation.org +Cc: Keith Busch , Ming Lei , Christoph Hellwig , Jens Axboe , Alva Lan +Message-ID: + +From: Keith Busch + +[ Upstream commit 8237c01f1696bc53c470493bf1fe092a107648a6 ] + +The hctx's run_work may be racing with the elevator switch when +reinitializing hardware queues. The queue is merely frozen in this +context, but that only prevents requests from allocating and doesn't +stop the hctx work from running. The work may get an elevator pointer +that's being torn down, and can result in use-after-free errors and +kernel panics (example below). Use the quiesced elevator switch instead, +and make the previous one static since it is now only used locally. + + nvme nvme0: resetting controller + nvme nvme0: 32/0/0 default/read/poll queues + BUG: kernel NULL pointer dereference, address: 0000000000000008 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 80000020c8861067 P4D 80000020c8861067 PUD 250f8c8067 PMD 0 + Oops: 0000 [#1] SMP PTI + Workqueue: kblockd blk_mq_run_work_fn + RIP: 0010:kyber_has_work+0x29/0x70 + +... + + Call Trace: + __blk_mq_do_dispatch_sched+0x83/0x2b0 + __blk_mq_sched_dispatch_requests+0x12e/0x170 + blk_mq_sched_dispatch_requests+0x30/0x60 + __blk_mq_run_hw_queue+0x2b/0x50 + process_one_work+0x1ef/0x380 + worker_thread+0x2d/0x3e0 + +Signed-off-by: Keith Busch +Reviewed-by: Ming Lei +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20220927155652.3260724-1-kbusch@fb.com +Signed-off-by: Jens Axboe +[ Adjust context ] +Signed-off-by: Alva Lan +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 6 +++--- + block/blk.h | 3 +-- + block/elevator.c | 4 ++-- + 3 files changed, 6 insertions(+), 7 deletions(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -3732,14 +3732,14 @@ static bool blk_mq_elv_switch_none(struc + + mutex_lock(&q->sysfs_lock); + /* +- * After elevator_switch_mq, the previous elevator_queue will be ++ * After elevator_switch, the previous elevator_queue will be + * released by elevator_release. The reference of the io scheduler + * module get by elevator_get will also be put. So we need to get + * a reference of the io scheduler module here to prevent it to be + * removed. + */ + __module_get(qe->type->elevator_owner); +- elevator_switch_mq(q, NULL); ++ elevator_switch(q, NULL); + mutex_unlock(&q->sysfs_lock); + + return true; +@@ -3764,7 +3764,7 @@ static void blk_mq_elv_switch_back(struc + kfree(qe); + + mutex_lock(&q->sysfs_lock); +- elevator_switch_mq(q, t); ++ elevator_switch(q, t); + mutex_unlock(&q->sysfs_lock); + } + +--- a/block/blk.h ++++ b/block/blk.h +@@ -189,8 +189,7 @@ void blk_account_io_done(struct request + + void blk_insert_flush(struct request *rq); + +-int elevator_switch_mq(struct request_queue *q, +- struct elevator_type *new_e); ++int elevator_switch(struct request_queue *q, struct elevator_type *new_e); + void __elevator_exit(struct request_queue *, struct elevator_queue *); + int elv_register_queue(struct request_queue *q, bool uevent); + void elv_unregister_queue(struct request_queue *q); +--- a/block/elevator.c ++++ b/block/elevator.c +@@ -581,7 +581,7 @@ void elv_unregister(struct elevator_type + } + EXPORT_SYMBOL_GPL(elv_unregister); + +-int elevator_switch_mq(struct request_queue *q, ++static int elevator_switch_mq(struct request_queue *q, + struct elevator_type *new_e) + { + int ret; +@@ -719,7 +719,7 @@ void elevator_init_mq(struct request_que + * need for the new one. this way we have a chance of going back to the old + * one, if the new one fails init for some reason. + */ +-static int elevator_switch(struct request_queue *q, struct elevator_type *new_e) ++int elevator_switch(struct request_queue *q, struct elevator_type *new_e) + { + int err; + diff --git a/queue-5.15/bluetooth-af_bluetooth-fix-deadlock.patch b/queue-5.15/bluetooth-af_bluetooth-fix-deadlock.patch new file mode 100644 index 0000000000..6c524cf7f9 --- /dev/null +++ b/queue-5.15/bluetooth-af_bluetooth-fix-deadlock.patch @@ -0,0 +1,92 @@ +From stable+bounces-226955-greg=kroah.com@vger.kernel.org Wed Mar 18 05:41:13 2026 +From: Johnny Hao +Date: Wed, 18 Mar 2026 12:40:10 +0800 +Subject: Bluetooth: af_bluetooth: Fix deadlock +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Luiz Augusto von Dentz , Johnny Hao +Message-ID: <20260318044010.3507623-1-johnny_haocn@sina.com> + +From: Luiz Augusto von Dentz + +[ Upstream commit f7b94bdc1ec107c92262716b073b3e816d4784fb ] + +Attemting to do sock_lock on .recvmsg may cause a deadlock as shown +bellow, so instead of using sock_sock this uses sk_receive_queue.lock +on bt_sock_ioctl to avoid the UAF: + +INFO: task kworker/u9:1:121 blocked for more than 30 seconds. + Not tainted 6.7.6-lemon #183 +Workqueue: hci0 hci_rx_work +Call Trace: + + __schedule+0x37d/0xa00 + schedule+0x32/0xe0 + __lock_sock+0x68/0xa0 + ? __pfx_autoremove_wake_function+0x10/0x10 + lock_sock_nested+0x43/0x50 + l2cap_sock_recv_cb+0x21/0xa0 + l2cap_recv_frame+0x55b/0x30a0 + ? psi_task_switch+0xeb/0x270 + ? finish_task_switch.isra.0+0x93/0x2a0 + hci_rx_work+0x33a/0x3f0 + process_one_work+0x13a/0x2f0 + worker_thread+0x2f0/0x410 + ? __pfx_worker_thread+0x10/0x10 + kthread+0xe0/0x110 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x2c/0x50 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1b/0x30 + + +Fixes: 2e07e8348ea4 ("Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg") +Signed-off-by: Luiz Augusto von Dentz +[ The context change is due to the commit f4b41f062c42 +("net: remove noblock parameter from skb_recv_datagram()") +in v5.19 which is irrelevant to the logic of this patch. ] +Signed-off-by: Johnny Hao +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/af_bluetooth.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/net/bluetooth/af_bluetooth.c ++++ b/net/bluetooth/af_bluetooth.c +@@ -285,14 +285,11 @@ int bt_sock_recvmsg(struct socket *sock, + if (flags & MSG_OOB) + return -EOPNOTSUPP; + +- lock_sock(sk); +- + skb = skb_recv_datagram(sk, flags, noblock, &err); + if (!skb) { + if (sk->sk_shutdown & RCV_SHUTDOWN) + err = 0; + +- release_sock(sk); + return err; + } + +@@ -318,8 +315,6 @@ int bt_sock_recvmsg(struct socket *sock, + + skb_free_datagram(sk, skb); + +- release_sock(sk); +- + if (flags & MSG_TRUNC) + copied = skblen; + +@@ -542,10 +537,11 @@ int bt_sock_ioctl(struct socket *sock, u + if (sk->sk_state == BT_LISTEN) + return -EINVAL; + +- lock_sock(sk); ++ spin_lock(&sk->sk_receive_queue.lock); + skb = skb_peek(&sk->sk_receive_queue); + amount = skb ? skb->len : 0; +- release_sock(sk); ++ spin_unlock(&sk->sk_receive_queue.lock); ++ + err = put_user(amount, (int __user *)arg); + break; + diff --git a/queue-5.15/bluetooth-hci_core-fix-use-after-free-in-vhci_flush.patch b/queue-5.15/bluetooth-hci_core-fix-use-after-free-in-vhci_flush.patch new file mode 100644 index 0000000000..48206ac48b --- /dev/null +++ b/queue-5.15/bluetooth-hci_core-fix-use-after-free-in-vhci_flush.patch @@ -0,0 +1,250 @@ +From stable+bounces-223626-greg=kroah.com@vger.kernel.org Mon Mar 9 13:30:32 2026 +From: Ruohan Lan +Date: Mon, 9 Mar 2026 20:29:21 +0800 +Subject: Bluetooth: hci_core: Fix use-after-free in vhci_flush() +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-bluetooth@vger.kernel.org, Kuniyuki Iwashima , syzbot+2faa4825e556199361f9@syzkaller.appspotmail.com, Paul Menzel , Luiz Augusto von Dentz , Ruohan Lan +Message-ID: <20260309122921.628283-1-ruohanlan@aliyun.com> + +From: Kuniyuki Iwashima + +[ Upstream commit 1d6123102e9fbedc8d25bf4731da6d513173e49e ] + +syzbot reported use-after-free in vhci_flush() without repro. [0] + +>From the splat, a thread close()d a vhci file descriptor while +its device was being used by iotcl() on another thread. + +Once the last fd refcnt is released, vhci_release() calls +hci_unregister_dev(), hci_free_dev(), and kfree() for struct +vhci_data, which is set to hci_dev->dev->driver_data. + +The problem is that there is no synchronisation after unlinking +hdev from hci_dev_list in hci_unregister_dev(). There might be +another thread still accessing the hdev which was fetched before +the unlink operation. + +We can use SRCU for such synchronisation. + +Let's run hci_dev_reset() under SRCU and wait for its completion +in hci_unregister_dev(). + +Another option would be to restore hci_dev->destruct(), which was +removed in commit 587ae086f6e4 ("Bluetooth: Remove unused +hci-destruct cb"). However, this would not be a good solution, as +we should not run hci_unregister_dev() while there are in-flight +ioctl() requests, which could lead to another data-race KCSAN splat. + +Note that other drivers seem to have the same problem, for exmaple, +virtbt_remove(). + +[0]: +BUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline] +BUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 +Read of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718 + +CPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 +Call Trace: + + dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:408 [inline] + print_report+0xd2/0x2b0 mm/kasan/report.c:521 + kasan_report+0x118/0x150 mm/kasan/report.c:634 + skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline] + skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 + skb_queue_purge include/linux/skbuff.h:3368 [inline] + vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69 + hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline] + hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592 + sock_do_ioctl+0xd9/0x300 net/socket.c:1190 + sock_ioctl+0x576/0x790 net/socket.c:1311 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:907 [inline] + __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fcf5b98e929 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929 +RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009 +RBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528 + + +Allocated by task 6535: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 + poison_kmalloc_redzone mm/kasan/common.c:377 [inline] + __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 + kasan_kmalloc include/linux/kasan.h:260 [inline] + __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359 + kmalloc_noprof include/linux/slab.h:905 [inline] + kzalloc_noprof include/linux/slab.h:1039 [inline] + vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635 + misc_open+0x2bc/0x330 drivers/char/misc.c:161 + chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414 + do_dentry_open+0xdf0/0x1970 fs/open.c:964 + vfs_open+0x3b/0x340 fs/open.c:1094 + do_open fs/namei.c:3887 [inline] + path_openat+0x2ee5/0x3830 fs/namei.c:4046 + do_filp_open+0x1fa/0x410 fs/namei.c:4073 + do_sys_openat2+0x121/0x1c0 fs/open.c:1437 + do_sys_open fs/open.c:1452 [inline] + __do_sys_openat fs/open.c:1468 [inline] + __se_sys_openat fs/open.c:1463 [inline] + __x64_sys_openat+0x138/0x170 fs/open.c:1463 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Freed by task 6535: + kasan_save_stack mm/kasan/common.c:47 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 + kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 + poison_slab_object mm/kasan/common.c:247 [inline] + __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 + kasan_slab_free include/linux/kasan.h:233 [inline] + slab_free_hook mm/slub.c:2381 [inline] + slab_free mm/slub.c:4643 [inline] + kfree+0x18e/0x440 mm/slub.c:4842 + vhci_release+0xbc/0xd0 drivers/bluetooth/hci_vhci.c:671 + __fput+0x44c/0xa70 fs/file_table.c:465 + task_work_run+0x1d1/0x260 kernel/task_work.c:227 + exit_task_work include/linux/task_work.h:40 [inline] + do_exit+0x6ad/0x22e0 kernel/exit.c:955 + do_group_exit+0x21c/0x2d0 kernel/exit.c:1104 + __do_sys_exit_group kernel/exit.c:1115 [inline] + __se_sys_exit_group kernel/exit.c:1113 [inline] + __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1113 + x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +The buggy address belongs to the object at ffff88807cb8d800 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 88 bytes inside of + freed 1024-byte region [ffff88807cb8d800, ffff88807cb8dc00) + +Fixes: bf18c7118cf8 ("Bluetooth: vhci: Free driver_data on file release") +Reported-by: syzbot+2faa4825e556199361f9@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=f62d64848fc4c7c30cd6 +Signed-off-by: Kuniyuki Iwashima +Acked-by: Paul Menzel +Signed-off-by: Luiz Augusto von Dentz +[ Minor context conflict resolved. ] +Signed-off-by: Ruohan Lan +Signed-off-by: Greg Kroah-Hartman +--- + include/net/bluetooth/hci_core.h | 2 ++ + net/bluetooth/hci_core.c | 34 ++++++++++++++++++++++++++++++---- + 2 files changed, 32 insertions(+), 4 deletions(-) + +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -308,6 +309,7 @@ struct amp_assoc { + + struct hci_dev { + struct list_head list; ++ struct srcu_struct srcu; + struct mutex lock; + + const char *name; +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1048,7 +1048,7 @@ static int hci_linkpol_req(struct hci_re + + /* Get HCI device by index. + * Device is held on return. */ +-struct hci_dev *hci_dev_get(int index) ++static struct hci_dev *__hci_dev_get(int index, int *srcu_index) + { + struct hci_dev *hdev = NULL, *d; + +@@ -1061,6 +1061,8 @@ struct hci_dev *hci_dev_get(int index) + list_for_each_entry(d, &hci_dev_list, list) { + if (d->id == index) { + hdev = hci_dev_hold(d); ++ if (srcu_index) ++ *srcu_index = srcu_read_lock(&d->srcu); + break; + } + } +@@ -1068,6 +1070,22 @@ struct hci_dev *hci_dev_get(int index) + return hdev; + } + ++struct hci_dev *hci_dev_get(int index) ++{ ++ return __hci_dev_get(index, NULL); ++} ++ ++static struct hci_dev *hci_dev_get_srcu(int index, int *srcu_index) ++{ ++ return __hci_dev_get(index, srcu_index); ++} ++ ++static void hci_dev_put_srcu(struct hci_dev *hdev, int srcu_index) ++{ ++ srcu_read_unlock(&hdev->srcu, srcu_index); ++ hci_dev_put(hdev); ++} ++ + /* ---- Inquiry support ---- */ + + bool hci_discovery_active(struct hci_dev *hdev) +@@ -1918,9 +1936,9 @@ static int hci_dev_do_reset(struct hci_d + int hci_dev_reset(__u16 dev) + { + struct hci_dev *hdev; +- int err; ++ int err, srcu_index; + +- hdev = hci_dev_get(dev); ++ hdev = hci_dev_get_srcu(dev, &srcu_index); + if (!hdev) + return -ENODEV; + +@@ -1942,7 +1960,7 @@ int hci_dev_reset(__u16 dev) + err = hci_dev_do_reset(hdev); + + done: +- hci_dev_put(hdev); ++ hci_dev_put_srcu(hdev, srcu_index); + return err; + } + +@@ -3780,6 +3798,11 @@ struct hci_dev *hci_alloc_dev_priv(int s + if (!hdev) + return NULL; + ++ if (init_srcu_struct(&hdev->srcu)) { ++ kfree(hdev); ++ return NULL; ++ } ++ + hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1); + hdev->esco_type = (ESCO_HV1); + hdev->link_mode = (HCI_LM_ACCEPT); +@@ -4029,6 +4052,9 @@ void hci_unregister_dev(struct hci_dev * + list_del(&hdev->list); + write_unlock(&hci_dev_list_lock); + ++ synchronize_srcu(&hdev->srcu); ++ cleanup_srcu_struct(&hdev->srcu); ++ + cancel_work_sync(&hdev->rx_work); + cancel_work_sync(&hdev->cmd_work); + cancel_work_sync(&hdev->tx_work); diff --git a/queue-5.15/bpf-do-mark_chain_precision-for-arg_const_alloc_size_or_zero.patch b/queue-5.15/bpf-do-mark_chain_precision-for-arg_const_alloc_size_or_zero.patch new file mode 100644 index 0000000000..9fed5923bf --- /dev/null +++ b/queue-5.15/bpf-do-mark_chain_precision-for-arg_const_alloc_size_or_zero.patch @@ -0,0 +1,104 @@ +From johnny_haocn@sina.com Tue Mar 10 07:15:37 2026 +From: Johnny Hao +Date: Tue, 10 Mar 2026 14:15:27 +0800 +Subject: bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Kumar Kartikeya Dwivedi , Alexei Starovoitov , Johnny Hao +Message-ID: <20260310061527.1059694-1-johnny_haocn@sina.com> + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit 2fc31465c5373b5ca4edf2e5238558cb62902311 ] + +Precision markers need to be propagated whenever we have an ARG_CONST_* +style argument, as the verifier cannot consider imprecise scalars to be +equivalent for the purposes of states_equal check when such arguments +refine the return value (in this case, set mem_size for PTR_TO_MEM). The +resultant mem_size for the R0 is derived from the constant value, and if +the verifier incorrectly prunes states considering them equivalent where +such arguments exist (by seeing that both registers have reg->precise as +false in regsafe), we can end up with invalid programs passing the +verifier which can do access beyond what should have been the correct +mem_size in that explored state. + +To show a concrete example of the problem: + +0000000000000000 : + 0: r2 = *(u32 *)(r1 + 80) + 1: r1 = *(u32 *)(r1 + 76) + 2: r3 = r1 + 3: r3 += 4 + 4: if r3 > r2 goto +18 + 5: w2 = 0 + 6: *(u32 *)(r1 + 0) = r2 + 7: r1 = *(u32 *)(r1 + 0) + 8: r2 = 1 + 9: if w1 == 0 goto +1 + 10: r2 = -1 + +0000000000000058 : + 11: r1 = 0 ll + 13: r3 = 0 + 14: call bpf_ringbuf_reserve + 15: if r0 == 0 goto +7 + 16: r1 = r0 + 17: r1 += 16777215 + 18: w2 = 0 + 19: *(u8 *)(r1 + 0) = r2 + 20: r1 = r0 + 21: r2 = 0 + 22: call bpf_ringbuf_submit + +00000000000000b8 : + 23: w0 = 0 + 24: exit + +For the first case, the single line execution's exploration will prune +the search at insn 14 for the branch insn 9's second leg as it will be +verified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will +always be 0 so at runtime we don't get error for being greater than +UINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just +sees reg->precise as false for both r2 registers in both states, hence +considers them equal for purposes of states_equal. + +If we propagated precise markers using the backtracking support, we +would use the precise marking to then ensure that old r2 (UINT_MAX) was +within the new r2 (1) and this would never be true, so the verification +would rightfully fail. + +The end result is that the out of bounds access at instruction 19 would +be permitted without this fix. + +Note that reg->precise is always set to true when user does not have +CAP_BPF (or when subprog count is greater than 1 (i.e. use of any static +or global functions)), hence this is only a problem when precision marks +need to be explicitly propagated (i.e. privileged users with CAP_BPF). + +A simplified test case has been included in the next patch to prevent +future regressions. + +Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20220823185300.406-2-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +[ The context change is due to the commit 8ab4cdcf03d0 +("bpf: Tidy up verifier check_func_arg()") in v6.0 +which is irrelevant to the logic of this patch. ] +Signed-off-by: Johnny Hao +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -5540,6 +5540,9 @@ skip_type_check: + return -EACCES; + } + meta->mem_size = reg->var_off.value; ++ err = mark_chain_precision(env, regno); ++ if (err) ++ return err; + } else if (arg_type_is_int_ptr(arg_type)) { + int size = int_ptr_type_to_size(arg_type); + diff --git a/queue-5.15/btrfs-do-not-strictly-require-dirty-metadata-threshold-for-metadata-writepages.patch b/queue-5.15/btrfs-do-not-strictly-require-dirty-metadata-threshold-for-metadata-writepages.patch new file mode 100644 index 0000000000..f4d4263e5b --- /dev/null +++ b/queue-5.15/btrfs-do-not-strictly-require-dirty-metadata-threshold-for-metadata-writepages.patch @@ -0,0 +1,168 @@ +From stable+bounces-222795-greg=kroah.com@vger.kernel.org Tue Mar 3 07:01:10 2026 +From: Rahul Sharma +Date: Tue, 3 Mar 2026 14:00:34 +0800 +Subject: btrfs: do not strictly require dirty metadata threshold for metadata writepages +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Qu Wenruo , Jan Kara , Boris Burkov , David Sterba , Rahul Sharma +Message-ID: <20260303060034.3997360-1-black.hawk@163.com> + +From: Qu Wenruo + +[ Upstream commit 4e159150a9a56d66d247f4b5510bed46fe58aa1c ] + +[BUG] +There is an internal report that over 1000 processes are +waiting at the io_schedule_timeout() of balance_dirty_pages(), causing +a system hang and trigger a kernel coredump. + +The kernel is v6.4 kernel based, but the root problem still applies to +any upstream kernel before v6.18. + +[CAUSE] +>From Jan Kara for his wisdom on the dirty page balance behavior first. + + This cgroup dirty limit was what was actually playing the role here + because the cgroup had only a small amount of memory and so the dirty + limit for it was something like 16MB. + + Dirty throttling is responsible for enforcing that nobody can dirty + (significantly) more dirty memory than there's dirty limit. Thus when + a task is dirtying pages it periodically enters into balance_dirty_pages() + and we let it sleep there to slow down the dirtying. + + When the system is over dirty limit already (either globally or within + a cgroup of the running task), we will not let the task exit from + balance_dirty_pages() until the number of dirty pages drops below the + limit. + + So in this particular case, as I already mentioned, there was a cgroup + with relatively small amount of memory and as a result with dirty limit + set at 16MB. A task from that cgroup has dirtied about 28MB worth of + pages in btrfs btree inode and these were practically the only dirty + pages in that cgroup. + +So that means the only way to reduce the dirty pages of that cgroup is +to writeback the dirty pages of btrfs btree inode, and only after that +those processes can exit balance_dirty_pages(). + +Now back to the btrfs part, btree_writepages() is responsible for +writing back dirty btree inode pages. + +The problem here is, there is a btrfs internal threshold that if the +btree inode's dirty bytes are below the 32M threshold, it will not +do any writeback. + +This behavior is to batch as much metadata as possible so we won't write +back those tree blocks and then later re-COW them again for another +modification. + +This internal 32MiB is higher than the existing dirty page size (28MiB), +meaning no writeback will happen, causing a deadlock between btrfs and +cgroup: + +- Btrfs doesn't want to write back btree inode until more dirty pages + +- Cgroup/MM doesn't want more dirty pages for btrfs btree inode + Thus any process touching that btree inode is put into sleep until + the number of dirty pages is reduced. + +Thanks Jan Kara a lot for the analysis of the root cause. + +[ENHANCEMENT] +Since kernel commit b55102826d7d ("btrfs: set AS_KERNEL_FILE on the +btree_inode"), btrfs btree inode pages will only be charged to the root +cgroup which should have a much larger limit than btrfs' 32MiB +threshold. +So it should not affect newer kernels. + +But for all current LTS kernels, they are all affected by this problem, +and backporting the whole AS_KERNEL_FILE may not be a good idea. + +Even for newer kernels I still think it's a good idea to get +rid of the internal threshold at btree_writepages(), since for most cases +cgroup/MM has a better view of full system memory usage than btrfs' fixed +threshold. + +For internal callers using btrfs_btree_balance_dirty() since that +function is already doing internal threshold check, we don't need to +bother them. + +But for external callers of btree_writepages(), just respect their +requests and write back whatever they want, ignoring the internal +btrfs threshold to avoid such deadlock on btree inode dirty page +balancing. + +CC: stable@vger.kernel.org +CC: Jan Kara +Reviewed-by: Boris Burkov +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +[ The context change is due to the commit 41044b41ad2c +("btrfs: add helper to get fs_info from struct inode pointer") +in v6.9 and the commit c66f2afc7148 +("btrfs: remove pointless writepages callback wrapper") +in v6.10 which are irrelevant to the logic of this patch. ] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 23 ----------------------- + fs/btrfs/extent_io.c | 3 +-- + fs/btrfs/extent_io.h | 3 +-- + 3 files changed, 2 insertions(+), 27 deletions(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -912,29 +912,6 @@ static int btree_migratepage(struct addr + } + #endif + +- +-static int btree_writepages(struct address_space *mapping, +- struct writeback_control *wbc) +-{ +- struct btrfs_fs_info *fs_info; +- int ret; +- +- if (wbc->sync_mode == WB_SYNC_NONE) { +- +- if (wbc->for_kupdate) +- return 0; +- +- fs_info = BTRFS_I(mapping->host)->root->fs_info; +- /* this is a bit racy, but that's ok */ +- ret = __percpu_counter_compare(&fs_info->dirty_metadata_bytes, +- BTRFS_DIRTY_METADATA_THRESH, +- fs_info->dirty_metadata_batch); +- if (ret < 0) +- return 0; +- } +- return btree_write_cache_pages(mapping, wbc); +-} +- + static int btree_releasepage(struct page *page, gfp_t gfp_flags) + { + if (PageWriteback(page) || PageDirty(page)) +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -4792,8 +4792,7 @@ static int submit_eb_page(struct page *p + return 1; + } + +-int btree_write_cache_pages(struct address_space *mapping, +- struct writeback_control *wbc) ++int btree_writepages(struct address_space *mapping, struct writeback_control *wbc) + { + struct extent_buffer *eb_context = NULL; + struct extent_page_data epd = { +--- a/fs/btrfs/extent_io.h ++++ b/fs/btrfs/extent_io.h +@@ -187,8 +187,7 @@ int extent_write_locked_range(struct ino + int mode); + int extent_writepages(struct address_space *mapping, + struct writeback_control *wbc); +-int btree_write_cache_pages(struct address_space *mapping, +- struct writeback_control *wbc); ++int btree_writepages(struct address_space *mapping, struct writeback_control *wbc); + void extent_readahead(struct readahead_control *rac); + int extent_fiemap(struct btrfs_inode *inode, struct fiemap_extent_info *fieinfo, + u64 start, u64 len); diff --git a/queue-5.15/btrfs-send-check-for-inline-extents-in-range_is_hole_in_parent.patch b/queue-5.15/btrfs-send-check-for-inline-extents-in-range_is_hole_in_parent.patch new file mode 100644 index 0000000000..bf05a2b061 --- /dev/null +++ b/queue-5.15/btrfs-send-check-for-inline-extents-in-range_is_hole_in_parent.patch @@ -0,0 +1,47 @@ +From stable+bounces-222770-greg=kroah.com@vger.kernel.org Tue Mar 3 02:46:08 2026 +From: Alva Lan +Date: Tue, 3 Mar 2026 09:45:22 +0800 +Subject: btrfs: send: check for inline extents in range_is_hole_in_parent() +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-btrfs@vger.kernel.org, Qu Wenruo , Filipe Manana , David Sterba , Alva Lan +Message-ID: + +From: Qu Wenruo + +[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ] + +Before accessing the disk_bytenr field of a file extent item we need +to check if we are dealing with an inline extent. +This is because for inline extents their data starts at the offset of +the disk_bytenr field. So accessing the disk_bytenr +means we are accessing inline data or in case the inline data is less +than 8 bytes we can actually cause an invalid +memory access if this inline extent item is the first item in the leaf +or access metadata from other items. + +Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files") +Reviewed-by: Filipe Manana +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +[ Avoid leaking the path by using { ret = 0; goto out; } instead of +returning directly. ] +Signed-off-by: Alva Lan +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/send.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -5892,6 +5892,10 @@ static int range_is_hole_in_parent(struc + extent_end = btrfs_file_extent_end(path); + if (extent_end <= start) + goto next; ++ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE) { ++ ret = 0; ++ goto out; ++ } + if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) { + search_start = extent_end; + goto next; diff --git a/queue-5.15/can-gs_usb-gs_usb_xmit_callback-fix-handling-of-failed-transmitted-urbs.patch b/queue-5.15/can-gs_usb-gs_usb_xmit_callback-fix-handling-of-failed-transmitted-urbs.patch new file mode 100644 index 0000000000..795f5f2ffd --- /dev/null +++ b/queue-5.15/can-gs_usb-gs_usb_xmit_callback-fix-handling-of-failed-transmitted-urbs.patch @@ -0,0 +1,56 @@ +From stable+bounces-226958-greg=kroah.com@vger.kernel.org Wed Mar 18 06:22:23 2026 +From: Charles Xu +Date: Wed, 18 Mar 2026 13:22:13 +0800 +Subject: can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs +To: mkl@pengutronix.de, stable@vger.kernel.org +Message-ID: <20260318052213.6144-1-charles_xu@189.cn> + +From: Marc Kleine-Budde + +[ Upstream commit 516a0cd1c03fa266bb67dd87940a209fd4e53ce7 ] + +The driver lacks the cleanup of failed transfers of URBs. This reduces the +number of available URBs per error by 1. This leads to reduced performance +and ultimately to a complete stop of the transmission. + +If the sending of a bulk URB fails do proper cleanup: +- increase netdev stats +- mark the echo_sbk as free +- free the driver's context and do accounting +- wake the send queue + +Closes: https://github.com/candle-usb/candleLight_fw/issues/187 +Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Charles Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/usb/gs_usb.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/usb/gs_usb.c ++++ b/drivers/net/can/usb/gs_usb.c +@@ -467,8 +467,21 @@ static void gs_usb_xmit_callback(struct + struct gs_can *dev = txc->dev; + struct net_device *netdev = dev->netdev; + +- if (urb->status) +- netdev_info(netdev, "usb xmit fail %d\n", txc->echo_id); ++ if (!urb->status) ++ return; ++ ++ if (urb->status != -ESHUTDOWN && net_ratelimit()) ++ netdev_info(netdev, "failed to xmit URB %u: %pe\n", ++ txc->echo_id, ERR_PTR(urb->status)); ++ ++ netdev->stats.tx_dropped++; ++ netdev->stats.tx_errors++; ++ ++ can_free_echo_skb(netdev, txc->echo_id, NULL); ++ gs_free_tx_context(txc); ++ atomic_dec(&dev->active_tx_urbs); ++ ++ netif_wake_queue(netdev); + + usb_free_coherent(urb->dev, + urb->transfer_buffer_length, diff --git a/queue-5.15/dlm-fix-possible-lkb_resource-null-dereference.patch b/queue-5.15/dlm-fix-possible-lkb_resource-null-dereference.patch new file mode 100644 index 0000000000..3190785212 --- /dev/null +++ b/queue-5.15/dlm-fix-possible-lkb_resource-null-dereference.patch @@ -0,0 +1,55 @@ +From stable+bounces-223742-greg=kroah.com@vger.kernel.org Tue Mar 10 04:10:40 2026 +From: Johnny Hao +Date: Tue, 10 Mar 2026 11:10:19 +0800 +Subject: dlm: fix possible lkb_resource null dereference +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Alexander Aring , David Teigland , Johnny Hao +Message-ID: <20260310031019.3572626-1-johnny_haocn@sina.com> + +From: Alexander Aring + +[ Upstream commit b98333c67daf887c724cd692e88e2db9418c0861 ] + +This patch fixes a possible null pointer dereference when this function is +called from request_lock() as lkb->lkb_resource is not assigned yet, +only after validate_lock_args() by calling attach_lkb(). Another issue +is that a resource name could be a non printable bytearray and we cannot +assume to be ASCII coded. + +The log functionality is probably never being hit when DLM is used in +normal way and no debug logging is enabled. The null pointer dereference +can only occur on a new created lkb that does not have the resource +assigned yet, it probably never hits the null pointer dereference but we +should be sure that other changes might not change this behaviour and we +actually can hit the mentioned null pointer dereference. + +In this patch we just drop the printout of the resource name, the lkb id +is enough to make a possible connection to a resource name if this +exists. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +[ The context change is due to the commit 9ac8ba46a701 +("fs: dlm: handle -EINVAL as log_error()") in v6.1 +which is irrelevant to the logic of this patch. ] +Signed-off-by: Johnny Hao +Signed-off-by: Greg Kroah-Hartman +--- + fs/dlm/lock.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -2923,10 +2923,9 @@ static int validate_lock_args(struct dlm + rv = 0; + out: + if (rv) +- log_debug(ls, "validate_lock_args %d %x %x %x %d %d %s", ++ log_debug(ls, "validate_lock_args %d %x %x %x %d %d", + rv, lkb->lkb_id, lkb->lkb_flags, args->flags, +- lkb->lkb_status, lkb->lkb_wait_type, +- lkb->lkb_resource->res_name); ++ lkb->lkb_status, lkb->lkb_wait_type); + return rv; + } + diff --git a/queue-5.15/dm-verity-disable-recursive-forward-error-correction.patch b/queue-5.15/dm-verity-disable-recursive-forward-error-correction.patch new file mode 100644 index 0000000000..25132034b6 --- /dev/null +++ b/queue-5.15/dm-verity-disable-recursive-forward-error-correction.patch @@ -0,0 +1,68 @@ +From stable+bounces-219756-greg=kroah.com@vger.kernel.org Thu Feb 26 07:14:34 2026 +From: Rahul Sharma +Date: Thu, 26 Feb 2026 14:12:31 +0800 +Subject: dm-verity: disable recursive forward error correction +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Mikulas Patocka , Guangwu Zhang , Sami Tolvanen , Eric Biggers , Rahul Sharma +Message-ID: <20260226061231.2047105-1-black.hawk@163.com> + +From: Mikulas Patocka + +[ Upstream commit d9f3e47d3fae0c101d9094bc956ed24e7a0ee801 ] + +There are two problems with the recursive correction: + +1. It may cause denial-of-service. In fec_read_bufs, there is a loop that +has 253 iterations. For each iteration, we may call verity_hash_for_block +recursively. There is a limit of 4 nested recursions - that means that +there may be at most 253^4 (4 billion) iterations. Red Hat QE team +actually created an image that pushes dm-verity to this limit - and this +image just makes the udev-worker process get stuck in the 'D' state. + +2. It doesn't work. In fec_read_bufs we store data into the variable +"fio->bufs", but fio bufs is shared between recursive invocations, if +"verity_hash_for_block" invoked correction recursively, it would +overwrite partially filled fio->bufs. + +Signed-off-by: Mikulas Patocka +Reported-by: Guangwu Zhang +Reviewed-by: Sami Tolvanen +Reviewed-by: Eric Biggers +[ The context change is due to the commit bdf253d580d7 +("dm-verity: remove support for asynchronous hashes") +in v6.18 and the commit 9356fcfe0ac4 +("dm verity: set DM_TARGET_SINGLETON feature flag") in v6.9 +which are irrelevant to the logic of this patch. ] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-verity-fec.c | 4 +--- + drivers/md/dm-verity-fec.h | 3 --- + 2 files changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/md/dm-verity-fec.c ++++ b/drivers/md/dm-verity-fec.c +@@ -423,10 +423,8 @@ int verity_fec_decode(struct dm_verity * + if (!verity_fec_is_enabled(v)) + return -EOPNOTSUPP; + +- if (fio->level >= DM_VERITY_FEC_MAX_RECURSION) { +- DMWARN_LIMIT("%s: FEC: recursion too deep", v->data_dev->name); ++ if (fio->level) + return -EIO; +- } + + fio->level++; + +--- a/drivers/md/dm-verity-fec.h ++++ b/drivers/md/dm-verity-fec.h +@@ -23,9 +23,6 @@ + #define DM_VERITY_FEC_BUF_MAX \ + (1 << (PAGE_SHIFT - DM_VERITY_FEC_BUF_RS_BITS)) + +-/* maximum recursion level for verity_fec_decode */ +-#define DM_VERITY_FEC_MAX_RECURSION 4 +- + #define DM_VERITY_OPT_FEC_DEV "use_fec_from_device" + #define DM_VERITY_OPT_FEC_BLOCKS "fec_blocks" + #define DM_VERITY_OPT_FEC_START "fec_start" diff --git a/queue-5.15/dmaengine-mmp_pdma-fix-race-condition-in-mmp_pdma_residue.patch b/queue-5.15/dmaengine-mmp_pdma-fix-race-condition-in-mmp_pdma_residue.patch new file mode 100644 index 0000000000..e471bde584 --- /dev/null +++ b/queue-5.15/dmaengine-mmp_pdma-fix-race-condition-in-mmp_pdma_residue.patch @@ -0,0 +1,85 @@ +From jetlan9@163.com Sun Mar 1 04:07:20 2026 +From: Wenshan Lan +Date: Sun, 1 Mar 2026 11:06:21 +0800 +Subject: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: Guodong Xu , Juan Li , Vinod Koul , Wenshan Lan +Message-ID: <20260301030621.2448938-1-jetlan9@163.com> + +From: Guodong Xu + +[ Upstream commit a143545855bc2c6e1330f6f57ae375ac44af00a7 ] + +Add proper locking in mmp_pdma_residue() to prevent use-after-free when +accessing descriptor list and descriptor contents. + +The race occurs when multiple threads call tx_status() while the tasklet +on another CPU is freeing completed descriptors: + +CPU 0 CPU 1 +----- ----- +mmp_pdma_tx_status() +mmp_pdma_residue() + -> NO LOCK held + list_for_each_entry(sw, ..) + DMA interrupt + dma_do_tasklet() + -> spin_lock(&desc_lock) + list_move(sw->node, ...) + spin_unlock(&desc_lock) + | dma_pool_free(sw) <- FREED! + -> access sw->desc <- UAF! + +This issue can be reproduced when running dmatest on the same channel with +multiple threads (threads_per_chan > 1). + +Fix by protecting the chain_running list iteration and descriptor access +with the chan->desc_lock spinlock. + +Signed-off-by: Juan Li +Signed-off-by: Guodong Xu +Link: https://patch.msgid.link/20251216-mmp-pdma-race-v1-1-976a224bb622@riscstar.com +Signed-off-by: Vinod Koul +[ Minor context conflict resolved. ] +Signed-off-by: Wenshan Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/mmp_pdma.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/dma/mmp_pdma.c ++++ b/drivers/dma/mmp_pdma.c +@@ -764,6 +764,7 @@ static unsigned int mmp_pdma_residue(str + { + struct mmp_pdma_desc_sw *sw; + u32 curr, residue = 0; ++ unsigned long flags; + bool passed = false; + bool cyclic = chan->cyclic_first != NULL; + +@@ -779,6 +780,8 @@ static unsigned int mmp_pdma_residue(str + else + curr = readl(chan->phy->base + DSADR(chan->phy->idx)); + ++ spin_lock_irqsave(&chan->desc_lock, flags); ++ + list_for_each_entry(sw, &chan->chain_running, node) { + u32 start, end, len; + +@@ -822,6 +825,7 @@ static unsigned int mmp_pdma_residue(str + continue; + + if (sw->async_tx.cookie == cookie) { ++ spin_unlock_irqrestore(&chan->desc_lock, flags); + return residue; + } else { + residue = 0; +@@ -829,6 +833,8 @@ static unsigned int mmp_pdma_residue(str + } + } + ++ spin_unlock_irqrestore(&chan->desc_lock, flags); ++ + /* We should only get here in case of cyclic transactions */ + return residue; + } diff --git a/queue-5.15/drm-amdgpu-unmap-and-remove-csa_va-properly.patch b/queue-5.15/drm-amdgpu-unmap-and-remove-csa_va-properly.patch new file mode 100644 index 0000000000..16bea22336 --- /dev/null +++ b/queue-5.15/drm-amdgpu-unmap-and-remove-csa_va-properly.patch @@ -0,0 +1,124 @@ +From stable+bounces-225497-greg=kroah.com@vger.kernel.org Mon Mar 16 04:29:15 2026 +From: Johnny Hao +Date: Mon, 16 Mar 2026 11:28:51 +0800 +Subject: drm/amdgpu: unmap and remove csa_va properly +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, "Lang Yu" , "Christian König" , "Alex Deucher" , "Johnny Hao" +Message-ID: <20260316032851.3319377-1-johnny_haocn@sina.com> + +From: Lang Yu + +[ Upstream commit 5daff15cd013422bc6d1efcfe82b586800025384 ] + +Root PD BO should be reserved before unmap and remove +a bo_va from VM otherwise lockdep will complain. + +v2: check fpriv->csa_va is not NULL instead of amdgpu_mcbp (christian) + +[14616.936827] WARNING: CPU: 6 PID: 1711 at drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c:1762 amdgpu_vm_bo_del+0x399/0x3f0 [amdgpu] +[14616.937096] Call Trace: +[14616.937097] +[14616.937102] amdgpu_driver_postclose_kms+0x249/0x2f0 [amdgpu] +[14616.937187] drm_file_free+0x1d6/0x300 [drm] +[14616.937207] drm_close_helper.isra.0+0x62/0x70 [drm] +[14616.937220] drm_release+0x5e/0x100 [drm] +[14616.937234] __fput+0x9f/0x280 +[14616.937239] ____fput+0xe/0x20 +[14616.937241] task_work_run+0x61/0x90 +[14616.937246] exit_to_user_mode_prepare+0x215/0x220 +[14616.937251] syscall_exit_to_user_mode+0x2a/0x60 +[14616.937254] do_syscall_64+0x48/0x90 +[14616.937257] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Signed-off-by: Lang Yu +Acked-by: Christian König +Signed-off-by: Alex Deucher +[ The context change is due to the commit e56694f718f0 +("drm/amdgpu: rename amdgpu_vm_bo_rmv to _del") +in v5.18 and the proper adoption is done which +is irrelevant to the logic of this patch. ] +Signed-off-by: Johnny Hao +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 38 ++++++++++++++++++++++++++++++++ + drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h | 3 ++ + drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 10 +++----- + 3 files changed, 45 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c +@@ -106,3 +106,41 @@ int amdgpu_map_static_csa(struct amdgpu_ + ttm_eu_backoff_reservation(&ticket, &list); + return 0; + } ++ ++int amdgpu_unmap_static_csa(struct amdgpu_device *adev, struct amdgpu_vm *vm, ++ struct amdgpu_bo *bo, struct amdgpu_bo_va *bo_va, ++ uint64_t csa_addr) ++{ ++ struct ww_acquire_ctx ticket; ++ struct list_head list; ++ struct amdgpu_bo_list_entry pd; ++ struct ttm_validate_buffer csa_tv; ++ int r; ++ ++ INIT_LIST_HEAD(&list); ++ INIT_LIST_HEAD(&csa_tv.head); ++ csa_tv.bo = &bo->tbo; ++ csa_tv.num_shared = 1; ++ ++ list_add(&csa_tv.head, &list); ++ amdgpu_vm_get_pd_bo(vm, &list, &pd); ++ ++ r = ttm_eu_reserve_buffers(&ticket, &list, true, NULL); ++ if (r) { ++ DRM_ERROR("failed to reserve CSA,PD BOs: err=%d\n", r); ++ return r; ++ } ++ ++ r = amdgpu_vm_bo_unmap(adev, bo_va, csa_addr); ++ if (r) { ++ DRM_ERROR("failed to do bo_unmap on static CSA, err=%d\n", r); ++ ttm_eu_backoff_reservation(&ticket, &list); ++ return r; ++ } ++ ++ amdgpu_vm_bo_rmv(adev, bo_va); ++ ++ ttm_eu_backoff_reservation(&ticket, &list); ++ ++ return 0; ++} +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.h +@@ -34,6 +34,9 @@ int amdgpu_allocate_static_csa(struct am + int amdgpu_map_static_csa(struct amdgpu_device *adev, struct amdgpu_vm *vm, + struct amdgpu_bo *bo, struct amdgpu_bo_va **bo_va, + uint64_t csa_addr, uint32_t size); ++int amdgpu_unmap_static_csa(struct amdgpu_device *adev, struct amdgpu_vm *vm, ++ struct amdgpu_bo *bo, struct amdgpu_bo_va *bo_va, ++ uint64_t csa_addr); + void amdgpu_free_static_csa(struct amdgpu_bo **bo); + + #endif +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c +@@ -1273,14 +1273,12 @@ void amdgpu_driver_postclose_kms(struct + if (amdgpu_device_ip_get_ip_block(adev, AMD_IP_BLOCK_TYPE_VCE) != NULL) + amdgpu_vce_free_handles(adev, file_priv); + +- amdgpu_vm_bo_rmv(adev, fpriv->prt_va); ++ if (fpriv->csa_va) { ++ uint64_t csa_addr = amdgpu_csa_vaddr(adev) & AMDGPU_GMC_HOLE_MASK; + +- if (amdgpu_mcbp || amdgpu_sriov_vf(adev)) { +- /* TODO: how to handle reserve failure */ +- BUG_ON(amdgpu_bo_reserve(adev->virt.csa_obj, true)); +- amdgpu_vm_bo_rmv(adev, fpriv->csa_va); ++ WARN_ON(amdgpu_unmap_static_csa(adev, &fpriv->vm, adev->virt.csa_obj, ++ fpriv->csa_va, csa_addr)); + fpriv->csa_va = NULL; +- amdgpu_bo_unreserve(adev->virt.csa_obj); + } + + pasid = fpriv->vm.pasid; diff --git a/queue-5.15/f2fs-fix-null-ptr-deref-in-f2fs_submit_page_bio.patch b/queue-5.15/f2fs-fix-null-ptr-deref-in-f2fs_submit_page_bio.patch new file mode 100644 index 0000000000..38432b431d --- /dev/null +++ b/queue-5.15/f2fs-fix-null-ptr-deref-in-f2fs_submit_page_bio.patch @@ -0,0 +1,92 @@ +From b7d0a97b28083084ebdd8e5c6bccd12e6ec18faa Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Sat, 12 Oct 2024 00:44:50 +0800 +Subject: f2fs: fix null-ptr-deref in f2fs_submit_page_bio() + +From: Ye Bin + +commit b7d0a97b28083084ebdd8e5c6bccd12e6ec18faa upstream. + +There's issue as follows when concurrently installing the f2fs.ko +module and mounting the f2fs file system: +KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] +RIP: 0010:__bio_alloc+0x2fb/0x6c0 [f2fs] +Call Trace: + + f2fs_submit_page_bio+0x126/0x8b0 [f2fs] + __get_meta_page+0x1d4/0x920 [f2fs] + get_checkpoint_version.constprop.0+0x2b/0x3c0 [f2fs] + validate_checkpoint+0xac/0x290 [f2fs] + f2fs_get_valid_checkpoint+0x207/0x950 [f2fs] + f2fs_fill_super+0x1007/0x39b0 [f2fs] + mount_bdev+0x183/0x250 + legacy_get_tree+0xf4/0x1e0 + vfs_get_tree+0x88/0x340 + do_new_mount+0x283/0x5e0 + path_mount+0x2b2/0x15b0 + __x64_sys_mount+0x1fe/0x270 + do_syscall_64+0x5f/0x170 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Above issue happens as the biset of the f2fs file system is not +initialized before register "f2fs_fs_type". +To address above issue just register "f2fs_fs_type" at the last in +init_f2fs_fs(). Ensure that all f2fs file system resources are +initialized. + +Fixes: f543805fcd60 ("f2fs: introduce private bioset") +Signed-off-by: Ye Bin +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ Minor context conflict resolved. ] +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -4634,9 +4634,6 @@ static int __init init_f2fs_fs(void) + err = register_shrinker(&f2fs_shrinker_info); + if (err) + goto free_sysfs; +- err = register_filesystem(&f2fs_fs_type); +- if (err) +- goto free_shrinker; + f2fs_create_root_stats(); + err = f2fs_init_post_read_processing(); + if (err) +@@ -4660,6 +4657,7 @@ static int __init init_f2fs_fs(void) + if (err) + goto free_compress_cache; + err = f2fs_init_xattr_cache(); ++ err = register_filesystem(&f2fs_fs_type); + if (err) + goto free_casefold_cache; + return 0; +@@ -4679,8 +4677,6 @@ free_post_read: + f2fs_destroy_post_read_processing(); + free_root_stats: + f2fs_destroy_root_stats(); +- unregister_filesystem(&f2fs_fs_type); +-free_shrinker: + unregister_shrinker(&f2fs_shrinker_info); + free_sysfs: + f2fs_exit_sysfs(); +@@ -4704,6 +4700,7 @@ fail: + + static void __exit exit_f2fs_fs(void) + { ++ unregister_filesystem(&f2fs_fs_type); + f2fs_destroy_xattr_cache(); + f2fs_destroy_casefold_cache(); + f2fs_destroy_compress_cache(); +@@ -4713,7 +4710,6 @@ static void __exit exit_f2fs_fs(void) + f2fs_destroy_iostat_processing(); + f2fs_destroy_post_read_processing(); + f2fs_destroy_root_stats(); +- unregister_filesystem(&f2fs_fs_type); + unregister_shrinker(&f2fs_shrinker_info); + f2fs_exit_sysfs(); + f2fs_destroy_garbage_collection_cache(); diff --git a/queue-5.15/f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_blocks-in-lfs-mode.patch b/queue-5.15/f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_blocks-in-lfs-mode.patch new file mode 100644 index 0000000000..043149fbc3 --- /dev/null +++ b/queue-5.15/f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_blocks-in-lfs-mode.patch @@ -0,0 +1,68 @@ +From stable+bounces-223307-greg=kroah.com@vger.kernel.org Fri Mar 6 06:05:45 2026 +From: Rahul Sharma +Date: Fri, 6 Mar 2026 13:05:04 +0800 +Subject: f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Chao Yu , Daeho Jeong , Jaegeuk Kim , Rahul Sharma +Message-ID: <20260306050504.1395421-1-black.hawk@163.com> + +From: Chao Yu + +[ Upstream commit 1005a3ca28e90c7a64fa43023f866b960a60f791 ] + +w/ "mode=lfs" mount option, generic/299 will cause system panic as below: + +------------[ cut here ]------------ +kernel BUG at fs/f2fs/segment.c:2835! +Call Trace: + + f2fs_allocate_data_block+0x6f4/0xc50 + f2fs_map_blocks+0x970/0x1550 + f2fs_iomap_begin+0xb2/0x1e0 + iomap_iter+0x1d6/0x430 + __iomap_dio_rw+0x208/0x9a0 + f2fs_file_write_iter+0x6b3/0xfa0 + aio_write+0x15d/0x2e0 + io_submit_one+0x55e/0xab0 + __x64_sys_io_submit+0xa5/0x230 + do_syscall_64+0x84/0x2f0 + entry_SYSCALL_64_after_hwframe+0x76/0x7e +RIP: 0010:new_curseg+0x70f/0x720 + +The root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may +trigger foreground gc only if it allocates any physical block, it will be +a little bit later when there is multiple threads writing data w/ +aio/dio/bufio method in parallel, since we always use OPU in lfs mode, so +f2fs_map_blocks() does block allocations aggressively. + +In order to fix this issue, let's give a chance to trigger foreground +gc in prior to block allocation in f2fs_map_blocks(). + +Fixes: 36abef4e796d ("f2fs: introduce mode=lfs mount option") +Cc: Daeho Jeong +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ The context change is due to the commit 2f51ade9524c +("f2fs: f2fs_do_map_lock") in v6.3 which is irrelevant to +the logic of this patch. ] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/data.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -1523,8 +1523,11 @@ int f2fs_map_blocks(struct inode *inode, + } + + next_dnode: +- if (map->m_may_create) ++ if (map->m_may_create) { ++ if (f2fs_lfs_mode(sbi)) ++ f2fs_balance_fs(sbi, true); + f2fs_do_map_lock(sbi, flag, true); ++ } + + /* When reading holes, we need its node page */ + set_new_dnode(&dn, inode, NULL, NULL, 0); diff --git a/queue-5.15/f2fs-fix-to-wait-on-block-writeback-for-post_read-case.patch b/queue-5.15/f2fs-fix-to-wait-on-block-writeback-for-post_read-case.patch new file mode 100644 index 0000000000..5d344aea1e --- /dev/null +++ b/queue-5.15/f2fs-fix-to-wait-on-block-writeback-for-post_read-case.patch @@ -0,0 +1,70 @@ +From stable+bounces-225733-greg=kroah.com@vger.kernel.org Tue Mar 17 03:41:01 2026 +From: Robert Garcia +Date: Tue, 17 Mar 2026 10:39:33 +0800 +Subject: f2fs: fix to wait on block writeback for post_read case +To: stable@vger.kernel.org, Chao Yu +Cc: Jaegeuk Kim , linux-f2fs-devel@lists.sourceforge.net, Robert Garcia , linux-kernel@vger.kernel.org +Message-ID: <20260317023933.1654240-1-rob_garcia@163.com> + +From: Chao Yu + +[ Upstream commit 55fdc1c24a1d6229fe0ecf31335fb9a2eceaaa00 ] + +If inode is compressed, but not encrypted, it missed to call +f2fs_wait_on_block_writeback() to wait for GCed page writeback +in IPU write path. + +Thread A GC-Thread + - f2fs_gc + - do_garbage_collect + - gc_data_segment + - move_data_block + - f2fs_submit_page_write + migrate normal cluster's block via + meta_inode's page cache +- f2fs_write_single_data_page + - f2fs_do_write_data_page + - f2fs_inplace_write_data + - f2fs_submit_page_bio + +IRQ +- f2fs_read_end_io + IRQ + old data overrides new data due to + out-of-order GC and common IO. + - f2fs_read_end_io + +Fixes: 4c8ff7095bef ("f2fs: support data compression") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +[ Minor context change fixed. ] +Signed-off-by: Robert Garcia +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/data.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -2537,9 +2537,6 @@ int f2fs_encrypt_one_page(struct f2fs_io + + page = fio->compressed_page ? fio->compressed_page : fio->page; + +- /* wait for GCed page writeback via META_MAPPING */ +- f2fs_wait_on_block_writeback(inode, fio->old_blkaddr); +- + if (fscrypt_inode_uses_inline_crypto(inode)) + return 0; + +@@ -2718,6 +2715,11 @@ got_it: + err = -EFSCORRUPTED; + goto out_writepage; + } ++ ++ /* wait for GCed page writeback via META_MAPPING */ ++ if (fio->post_read) ++ f2fs_wait_on_block_writeback(inode, fio->old_blkaddr); ++ + /* + * If current allocation needs SSR, + * it had better in-place writes for updated data. diff --git a/queue-5.15/fs-dlm-fix-use-after-free-in-midcomms-commit.patch b/queue-5.15/fs-dlm-fix-use-after-free-in-midcomms-commit.patch new file mode 100644 index 0000000000..0fb63353b6 --- /dev/null +++ b/queue-5.15/fs-dlm-fix-use-after-free-in-midcomms-commit.patch @@ -0,0 +1,183 @@ +From stable+bounces-222516-greg=kroah.com@vger.kernel.org Mon Mar 2 07:15:41 2026 +From: Jianqiang kang +Date: Mon, 2 Mar 2026 14:14:35 +0800 +Subject: fs: dlm: fix use after free in midcomms commit +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, aahringo@redhat.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, ccaulfie@redhat.com, teigland@redhat.com, cluster-devel@redhat.com +Message-ID: <20260302061435.2670935-1-jianqkang@sina.cn> + +From: Alexander Aring + +[ Upstream commit 724b6bab0d75f1dc01fdfbf7fe8d4217a5cb90ba ] + +While working on processing dlm message in softirq context I experienced +the following KASAN use-after-free warning: + +[ 151.760477] ================================================================== +[ 151.761803] BUG: KASAN: use-after-free in dlm_midcomms_commit_mhandle+0x19d/0x4b0 +[ 151.763414] Read of size 4 at addr ffff88811a980c60 by task lock_torture/1347 + +[ 151.765284] CPU: 7 PID: 1347 Comm: lock_torture Not tainted 6.1.0-rc4+ #2828 +[ 151.766778] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+16134+e5908aa2 04/01/2014 +[ 151.768726] Call Trace: +[ 151.769277] +[ 151.769748] dump_stack_lvl+0x5b/0x86 +[ 151.770556] print_report+0x180/0x4c8 +[ 151.771378] ? kasan_complete_mode_report_info+0x7c/0x1e0 +[ 151.772241] ? dlm_midcomms_commit_mhandle+0x19d/0x4b0 +[ 151.773069] kasan_report+0x93/0x1a0 +[ 151.773668] ? dlm_midcomms_commit_mhandle+0x19d/0x4b0 +[ 151.774514] __asan_load4+0x7e/0xa0 +[ 151.775089] dlm_midcomms_commit_mhandle+0x19d/0x4b0 +[ 151.775890] ? create_message.isra.29.constprop.64+0x57/0xc0 +[ 151.776770] send_common+0x19f/0x1b0 +[ 151.777342] ? remove_from_waiters+0x60/0x60 +[ 151.778017] ? lock_downgrade+0x410/0x410 +[ 151.778648] ? __this_cpu_preempt_check+0x13/0x20 +[ 151.779421] ? rcu_lockdep_current_cpu_online+0x88/0xc0 +[ 151.780292] _convert_lock+0x46/0x150 +[ 151.780893] convert_lock+0x7b/0xc0 +[ 151.781459] dlm_lock+0x3ac/0x580 +[ 151.781993] ? 0xffffffffc0540000 +[ 151.782522] ? torture_stop+0x120/0x120 [dlm_locktorture] +[ 151.783379] ? dlm_scan_rsbs+0xa70/0xa70 +[ 151.784003] ? preempt_count_sub+0xd6/0x130 +[ 151.784661] ? is_module_address+0x47/0x70 +[ 151.785309] ? torture_stop+0x120/0x120 [dlm_locktorture] +[ 151.786166] ? 0xffffffffc0540000 +[ 151.786693] ? lockdep_init_map_type+0xc3/0x360 +[ 151.787414] ? 0xffffffffc0540000 +[ 151.787947] torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture] +[ 151.789004] ? torture_stop+0x120/0x120 [dlm_locktorture] +[ 151.789858] ? 0xffffffffc0540000 +[ 151.790392] ? lock_torture_cleanup+0x20/0x20 [dlm_locktorture] +[ 151.791347] ? delay_tsc+0x94/0xc0 +[ 151.791898] torture_ex_iter+0xc3/0xea [dlm_locktorture] +[ 151.792735] ? torture_start+0x30/0x30 [dlm_locktorture] +[ 151.793606] lock_torture+0x177/0x270 [dlm_locktorture] +[ 151.794448] ? torture_dlm_lock_sync.isra.3+0x150/0x150 [dlm_locktorture] +[ 151.795539] ? lock_torture_stats+0x80/0x80 [dlm_locktorture] +[ 151.796476] ? do_raw_spin_lock+0x11e/0x1e0 +[ 151.797152] ? mark_held_locks+0x34/0xb0 +[ 151.797784] ? _raw_spin_unlock_irqrestore+0x30/0x70 +[ 151.798581] ? __kthread_parkme+0x79/0x110 +[ 151.799246] ? trace_preempt_on+0x2a/0xf0 +[ 151.799902] ? __kthread_parkme+0x79/0x110 +[ 151.800579] ? preempt_count_sub+0xd6/0x130 +[ 151.801271] ? __kasan_check_read+0x11/0x20 +[ 151.801963] ? __kthread_parkme+0xec/0x110 +[ 151.802630] ? lock_torture_stats+0x80/0x80 [dlm_locktorture] +[ 151.803569] kthread+0x192/0x1d0 +[ 151.804104] ? kthread_complete_and_exit+0x30/0x30 +[ 151.804881] ret_from_fork+0x1f/0x30 +[ 151.805480] + +[ 151.806111] Allocated by task 1347: +[ 151.806681] kasan_save_stack+0x26/0x50 +[ 151.807308] kasan_set_track+0x25/0x30 +[ 151.807920] kasan_save_alloc_info+0x1e/0x30 +[ 151.808609] __kasan_slab_alloc+0x63/0x80 +[ 151.809263] kmem_cache_alloc+0x1ad/0x830 +[ 151.809916] dlm_allocate_mhandle+0x17/0x20 +[ 151.810590] dlm_midcomms_get_mhandle+0x96/0x260 +[ 151.811344] _create_message+0x95/0x180 +[ 151.811994] create_message.isra.29.constprop.64+0x57/0xc0 +[ 151.812880] send_common+0x129/0x1b0 +[ 151.813467] _convert_lock+0x46/0x150 +[ 151.814074] convert_lock+0x7b/0xc0 +[ 151.814648] dlm_lock+0x3ac/0x580 +[ 151.815199] torture_dlm_lock_sync.isra.3+0xe9/0x150 [dlm_locktorture] +[ 151.816258] torture_ex_iter+0xc3/0xea [dlm_locktorture] +[ 151.817129] lock_torture+0x177/0x270 [dlm_locktorture] +[ 151.817986] kthread+0x192/0x1d0 +[ 151.818518] ret_from_fork+0x1f/0x30 + +[ 151.819369] Freed by task 1336: +[ 151.819890] kasan_save_stack+0x26/0x50 +[ 151.820514] kasan_set_track+0x25/0x30 +[ 151.821128] kasan_save_free_info+0x2e/0x50 +[ 151.821812] __kasan_slab_free+0x107/0x1a0 +[ 151.822483] kmem_cache_free+0x204/0x5e0 +[ 151.823152] dlm_free_mhandle+0x18/0x20 +[ 151.823781] dlm_mhandle_release+0x2e/0x40 +[ 151.824454] rcu_core+0x583/0x1330 +[ 151.825047] rcu_core_si+0xe/0x20 +[ 151.825594] __do_softirq+0xf4/0x5c2 + +[ 151.826450] Last potentially related work creation: +[ 151.827238] kasan_save_stack+0x26/0x50 +[ 151.827870] __kasan_record_aux_stack+0xa2/0xc0 +[ 151.828609] kasan_record_aux_stack_noalloc+0xb/0x20 +[ 151.829415] call_rcu+0x4c/0x760 +[ 151.829954] dlm_mhandle_delete+0x97/0xb0 +[ 151.830718] dlm_process_incoming_buffer+0x2fc/0xb30 +[ 151.831524] process_dlm_messages+0x16e/0x470 +[ 151.832245] process_one_work+0x505/0xa10 +[ 151.832905] worker_thread+0x67/0x650 +[ 151.833507] kthread+0x192/0x1d0 +[ 151.834046] ret_from_fork+0x1f/0x30 + +[ 151.834900] The buggy address belongs to the object at ffff88811a980c30 + which belongs to the cache dlm_mhandle of size 88 +[ 151.836894] The buggy address is located 48 bytes inside of + 88-byte region [ffff88811a980c30, ffff88811a980c88) + +[ 151.839007] The buggy address belongs to the physical page: +[ 151.839904] page:0000000076cf5d62 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a980 +[ 151.841378] flags: 0x8000000000000200(slab|zone=2) +[ 151.842141] raw: 8000000000000200 0000000000000000 dead000000000122 ffff8881089b43c0 +[ 151.843401] raw: 0000000000000000 0000000000220022 00000001ffffffff 0000000000000000 +[ 151.844640] page dumped because: kasan: bad access detected + +[ 151.845822] Memory state around the buggy address: +[ 151.846602] ffff88811a980b00: fb fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb +[ 151.847761] ffff88811a980b80: fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb fb +[ 151.848921] >ffff88811a980c00: fb fb fc fc fc fc fa fb fb fb fb fb fb fb fb fb +[ 151.850076] ^ +[ 151.851085] ffff88811a980c80: fb fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb +[ 151.852269] ffff88811a980d00: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fc +[ 151.853428] ================================================================== +[ 151.855618] Disabling lock debugging due to kernel taint + +It is accessing a mhandle in dlm_midcomms_commit_mhandle() and the mhandle +was freed by a call_rcu() call in dlm_process_incoming_buffer(), +dlm_mhandle_delete(). It looks like it was freed because an ack of +this message was received. There is a short race between committing the +dlm message to be transmitted and getting an ack back. If the ack is +faster than returning from dlm_midcomms_commit_msg_3_2(), then we run +into a use-after free because we still need to reference the mhandle when +calling srcu_read_unlock(). + +To avoid that, we don't allow that mhandle to be freed between +dlm_midcomms_commit_msg_3_2() and srcu_read_unlock() by using rcu read +lock. We can do that because mhandle is protected by rcu handling. + +Cc: stable@vger.kernel.org +Fixes: 489d8e559c65 ("fs: dlm: add reliable connection if reconnect") +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +[ Minor conflict resolved. ] +Signed-off-by: Jianqiang kang +Signed-off-by: Greg Kroah-Hartman +--- + fs/dlm/midcomms.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/dlm/midcomms.c ++++ b/fs/dlm/midcomms.c +@@ -1131,8 +1131,15 @@ void dlm_midcomms_commit_mhandle(struct + kfree(mh); + break; + case DLM_VERSION_3_2: ++ /* held rcu read lock here, because we sending the ++ * dlm message out, when we do that we could receive ++ * an ack back which releases the mhandle and we ++ * get a use after free. ++ */ ++ rcu_read_lock(); + dlm_midcomms_commit_msg_3_2(mh); + srcu_read_unlock(&nodes_srcu, mh->idx); ++ rcu_read_unlock(); + break; + default: + srcu_read_unlock(&nodes_srcu, mh->idx); diff --git a/queue-5.15/gfs2-no-more-self-recovery.patch b/queue-5.15/gfs2-no-more-self-recovery.patch new file mode 100644 index 0000000000..460001fa0f --- /dev/null +++ b/queue-5.15/gfs2-no-more-self-recovery.patch @@ -0,0 +1,82 @@ +From stable+bounces-224639-greg=kroah.com@vger.kernel.org Wed Mar 11 04:27:28 2026 +From: Johnny Hao +Date: Wed, 11 Mar 2026 11:26:56 +0800 +Subject: gfs2: No more self recovery +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Andreas Gruenbacher , Chunjie Zhu , Johnny Hao +Message-ID: <20260311032656.2894235-1-johnny_haocn@sina.com> + +From: Andreas Gruenbacher + +[ Upstream commit deb016c1669002e48c431d6fd32ea1c20ef41756 ] + +When a node withdraws and it turns out that it is the only node that has +the filesystem mounted, gfs2 currently tries to replay the local journal +to bring the filesystem back into a consistent state. Not only is that +a very bad idea, it has also never worked because gfs2_recover_func() +will refuse to do anything during a withdraw. + +However, before even getting to this point, gfs2_recover_func() +dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before +commit 04133b607a78 ("gfs2: Prevent double iput for journal on error") +and is a NULL pointer dereference since then. + +Simply get rid of self recovery to fix that. + +Fixes: 601ef0d52e96 ("gfs2: Force withdraw to replay journals and wait for it to finish") +Reported-by: Chunjie Zhu +Signed-off-by: Andreas Gruenbacher +[ The context change is due to the commit f80d882edcf2 +("gfs2: Get rid of gfs2_glock_queue_put in signal_our_withdraw") +in v6.10 which is irrelevant to the logic of this patch. ] +Signed-off-by: Johnny Hao +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/util.c | 30 +++++++++++------------------- + 1 file changed, 11 insertions(+), 19 deletions(-) + +--- a/fs/gfs2/util.c ++++ b/fs/gfs2/util.c +@@ -234,31 +234,23 @@ static void signal_our_withdraw(struct g + */ + ret = gfs2_glock_nq(&sdp->sd_live_gh); + ++ gfs2_glock_put(live_gl); /* drop extra reference we acquired */ ++ clear_bit(SDF_WITHDRAW_RECOVERY, &sdp->sd_flags); ++ + /* + * If we actually got the "live" lock in EX mode, there are no other +- * nodes available to replay our journal. So we try to replay it +- * ourselves. We hold the "live" glock to prevent other mounters +- * during recovery, then just dequeue it and reacquire it in our +- * normal SH mode. Just in case the problem that caused us to +- * withdraw prevents us from recovering our journal (e.g. io errors +- * and such) we still check if the journal is clean before proceeding +- * but we may wait forever until another mounter does the recovery. ++ * nodes available to replay our journal. + */ + if (ret == 0) { +- fs_warn(sdp, "No other mounters found. Trying to recover our " +- "own journal jid %d.\n", sdp->sd_lockstruct.ls_jid); +- if (gfs2_recover_journal(sdp->sd_jdesc, 1)) +- fs_warn(sdp, "Unable to recover our journal jid %d.\n", +- sdp->sd_lockstruct.ls_jid); +- gfs2_glock_dq_wait(&sdp->sd_live_gh); +- gfs2_holder_reinit(LM_ST_SHARED, LM_FLAG_NOEXP | GL_EXACT, +- &sdp->sd_live_gh); +- gfs2_glock_nq(&sdp->sd_live_gh); ++ fs_warn(sdp, "No other mounters found.\n"); ++ /* ++ * We are about to release the lockspace. By keeping live_gl ++ * locked here, we ensure that the next mounter coming along ++ * will be a "first" mounter which will perform recovery. ++ */ ++ goto skip_recovery; + } + +- gfs2_glock_queue_put(live_gl); /* drop extra reference we acquired */ +- clear_bit(SDF_WITHDRAW_RECOVERY, &sdp->sd_flags); +- + /* + * At this point our journal is evicted, so we need to get a new inode + * for it. Once done, we need to call gfs2_find_jhead which diff --git a/queue-5.15/ice-add-netif_device_attach-detach-into-pf-reset-flow.patch b/queue-5.15/ice-add-netif_device_attach-detach-into-pf-reset-flow.patch new file mode 100644 index 0000000000..c38e317354 --- /dev/null +++ b/queue-5.15/ice-add-netif_device_attach-detach-into-pf-reset-flow.patch @@ -0,0 +1,116 @@ +From stable+bounces-225810-greg=kroah.com@vger.kernel.org Tue Mar 17 11:53:46 2026 +From: Leon Chen +Date: Tue, 17 Mar 2026 18:45:43 +0800 +Subject: ice: Add netif_device_attach/detach into PF reset flow +To: kuba@kernel.org, igor.bagnucki@intel.com, dawid.osuchowski@linux.intel.com, himasekharx.reddy.pucha@intel.com, mschmidt@redhat.com, anthony.l.nguyen@intel.com +Cc: stable@vger.kernel.org +Message-ID: <20260317104543.4367-1-leonchen.oss@139.com> + +From: Dawid Osuchowski + +[ Upstream commit d11a67634227f9f9da51938af085fb41a733848f ] + +Ethtool callbacks can be executed while reset is in progress and try to +access deleted resources, e.g. getting coalesce settings can result in a +NULL pointer dereference seen below. + +Reproduction steps: +Once the driver is fully initialized, trigger reset: + # echo 1 > /sys/class/net//device/reset +when reset is in progress try to get coalesce settings using ethtool: + # ethtool -c + +BUG: kernel NULL pointer dereference, address: 0000000000000020 +PGD 0 P4D 0 +Oops: Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 +RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] +RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 +RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 +R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 +FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 +Call Trace: + +ice_get_coalesce+0x17/0x30 [ice] +coalesce_prepare_data+0x61/0x80 +ethnl_default_doit+0xde/0x340 +genl_family_rcv_msg_doit+0xf2/0x150 +genl_rcv_msg+0x1b3/0x2c0 +netlink_rcv_skb+0x5b/0x110 +genl_rcv+0x28/0x40 +netlink_unicast+0x19c/0x290 +netlink_sendmsg+0x222/0x490 +__sys_sendto+0x1df/0x1f0 +__x64_sys_sendto+0x24/0x30 +do_syscall_64+0x82/0x160 +entry_SYSCALL_64_after_hwframe+0x76/0x7e +RIP: 0033:0x7faee60d8e27 + +Calling netif_device_detach() before reset makes the net core not call +the driver when ethtool command is issued, the attempt to execute an +ethtool command during reset will result in the following message: + + netlink error: No such device + +instead of NULL pointer dereference. Once reset is done and +ice_rebuild() is executing, the netif_device_attach() is called to allow +for ethtool operations to occur again in a safe manner. + +Fixes: fcea6f3da546 ("ice: Add stats and ethtool support") +Suggested-by: Jakub Kicinski +Reviewed-by: Igor Bagnucki +Signed-off-by: Dawid Osuchowski +Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) +Reviewed-by: Michal Schmidt +Signed-off-by: Tony Nguyen +[ Minor changed in ice_prepare_for_reset() to make sure vsi available to +access ] +Signed-off-by: Leon Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ice/ice_main.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -479,6 +479,7 @@ static void + ice_prepare_for_reset(struct ice_pf *pf) + { + struct ice_hw *hw = &pf->hw; ++ struct ice_vsi *vsi = ice_get_main_vsi(pf); + unsigned int i; + + /* already prepared for reset */ +@@ -495,6 +496,9 @@ ice_prepare_for_reset(struct ice_pf *pf) + ice_for_each_vf(pf, i) + ice_set_vf_state_qs_dis(&pf->vf[i]); + ++ if (vsi && vsi->netdev) ++ netif_device_detach(vsi->netdev); ++ + /* clear SW filtering DB */ + ice_clear_hw_tbls(hw); + /* disable the VSIs and their queues that are not already DOWN */ +@@ -6417,6 +6421,7 @@ static void ice_update_pf_netdev_link(st + */ + static void ice_rebuild(struct ice_pf *pf, enum ice_reset_req reset_type) + { ++ struct ice_vsi *vsi = ice_get_main_vsi(pf); + struct device *dev = ice_pf_to_dev(pf); + struct ice_hw *hw = &pf->hw; + enum ice_status ret; +@@ -6538,6 +6543,9 @@ static void ice_rebuild(struct ice_pf *p + ice_rebuild_arfs(pf); + } + ++ if (vsi && vsi->netdev) ++ netif_device_attach(vsi->netdev); ++ + ice_update_pf_netdev_link(pf); + + /* tell the firmware we are up */ diff --git a/queue-5.15/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch b/queue-5.15/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch new file mode 100644 index 0000000000..3a23724b96 --- /dev/null +++ b/queue-5.15/iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch @@ -0,0 +1,48 @@ +From stable+bounces-226578-greg=kroah.com@vger.kernel.org Tue Mar 17 18:23:12 2026 +From: inv.git-commit@tdk.com +Date: Tue, 17 Mar 2026 17:08:08 +0000 +Subject: iio: imu: inv_icm42600: fix odr switch when turning buffer off +To: stable@vger.kernel.org +Cc: Jean-Baptiste Maneyrol , Jonathan Cameron +Message-ID: <20260317170808.746087-1-inv.git-commit@tdk.com> + +From: Jean-Baptiste Maneyrol + +[ Upstream commit ffd32db8263d2d785a2c419486a450dc80693235 ] + +ODR switch is done in 2 steps when FIFO is on : change the ODR register +value and acknowledge change when reading the FIFO ODR change flag. +When we are switching odr and turning buffer off just afterward, we are +losing the FIFO ODR change flag and ODR switch is blocked. + +Fix the issue by force applying any waiting ODR change when turning +buffer off. + +Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping") +Signed-off-by: Jean-Baptiste Maneyrol +Cc: stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c ++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c +@@ -377,6 +377,7 @@ out_unlock: + static int inv_icm42600_buffer_postdisable(struct iio_dev *indio_dev) + { + struct inv_icm42600_state *st = iio_device_get_drvdata(indio_dev); ++ struct inv_icm42600_timestamp *ts = iio_priv(indio_dev); + struct device *dev = regmap_get_device(st->map); + unsigned int sensor; + unsigned int *watermark; +@@ -398,6 +399,8 @@ static int inv_icm42600_buffer_postdisab + + mutex_lock(&st->lock); + ++ inv_icm42600_timestamp_apply_odr(ts, 0, 0, 0); ++ + ret = inv_icm42600_buffer_set_fifo_en(st, st->fifo.en & ~sensor); + if (ret) + goto out_unlock; diff --git a/queue-5.15/mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch b/queue-5.15/mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch new file mode 100644 index 0000000000..eed1f4db54 --- /dev/null +++ b/queue-5.15/mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch @@ -0,0 +1,47 @@ +From stable+bounces-223006-greg=kroah.com@vger.kernel.org Wed Mar 4 08:36:35 2026 +From: Joonwon Kang +Date: Wed, 4 Mar 2026 07:35:40 +0000 +Subject: mailbox: Prevent out-of-bounds access in of_mbox_index_xlate() +To: stable@vger.kernel.org, jassisinghbrar@gmail.com +Cc: linux-kernel@vger.kernel.org, sashal@kernel.org, Joonwon Kang +Message-ID: <20260304073540.3227944-1-joonwonkang@google.com> + +From: Joonwon Kang + +[ Upstream commit fcd7f96c783626c07ee3ed75fa3739a8a2052310 ] + +Although it is guided that `#mbox-cells` must be at least 1, there are +many instances of `#mbox-cells = <0>;` in the device tree. If that is +the case and the corresponding mailbox controller does not provide +`fw_xlate` and of_xlate` function pointers, `of_mbox_index_xlate()` will +be used by default and out-of-bounds accesses could occur due to lack of +bounds check in that function. + +Cc: stable@vger.kernel.org +Signed-off-by: Joonwon Kang +Signed-off-by: Jassi Brar +[ changed sp->nargs to sp->args_count in the code and +fw_mbox_index_xlate() to of_mbox_index_xlate() in the commit message. ] +Signed-off-by: Joonwon Kang +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mailbox/mailbox.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/mailbox/mailbox.c ++++ b/drivers/mailbox/mailbox.c +@@ -468,12 +468,10 @@ static struct mbox_chan * + of_mbox_index_xlate(struct mbox_controller *mbox, + const struct of_phandle_args *sp) + { +- int ind = sp->args[0]; +- +- if (ind >= mbox->num_chans) ++ if (sp->args_count < 1 || sp->args[0] >= mbox->num_chans) + return ERR_PTR(-EINVAL); + +- return &mbox->chans[ind]; ++ return &mbox->chans[sp->args[0]]; + } + + /** diff --git a/queue-5.15/net-add-skb_header_pointer_careful-helper.patch b/queue-5.15/net-add-skb_header_pointer_careful-helper.patch new file mode 100644 index 0000000000..43938f7463 --- /dev/null +++ b/queue-5.15/net-add-skb_header_pointer_careful-helper.patch @@ -0,0 +1,49 @@ +From lanbincn@139.com Thu Feb 26 12:49:07 2026 +From: Bin Lan +Date: Thu, 26 Feb 2026 19:48:09 +0800 +Subject: net: add skb_header_pointer_careful() helper +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: Eric Dumazet , Jakub Kicinski , Bin Lan +Message-ID: <20260226114810.4142-1-lanbincn@139.com> + +From: Eric Dumazet + +[ Upstream commit 13e00fdc9236bd4d0bff4109d2983171fbcb74c4 ] + +This variant of skb_header_pointer() should be used in contexts +where @offset argument is user-controlled and could be negative. + +Negative offsets are supported, as long as the zone starts +between skb->head and skb->data. + +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260128141539.3404400-2-edumazet@google.com +Signed-off-by: Jakub Kicinski +[ Adjust context ] +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -3869,6 +3869,18 @@ skb_header_pointer(const struct sk_buff + skb_headlen(skb), buffer); + } + ++/* Variant of skb_header_pointer() where @offset is user-controlled ++ * and potentially negative. ++ */ ++static inline void * __must_check ++skb_header_pointer_careful(const struct sk_buff *skb, int offset, ++ int len, void *buffer) ++{ ++ if (unlikely(offset < 0 && -offset > skb_headroom(skb))) ++ return NULL; ++ return skb_header_pointer(skb, offset, len, buffer); ++} ++ + /** + * skb_needs_linearize - check if we need to linearize a given skb + * depending on the given device features. diff --git a/queue-5.15/net-sched-cls_u32-use-skb_header_pointer_careful.patch b/queue-5.15/net-sched-cls_u32-use-skb_header_pointer_careful.patch new file mode 100644 index 0000000000..183bc759c4 --- /dev/null +++ b/queue-5.15/net-sched-cls_u32-use-skb_header_pointer_careful.patch @@ -0,0 +1,69 @@ +From lanbincn@139.com Thu Feb 26 12:49:11 2026 +From: Bin Lan +Date: Thu, 26 Feb 2026 19:48:10 +0800 +Subject: net/sched: cls_u32: use skb_header_pointer_careful() +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: Eric Dumazet , GangMin Kim , Jakub Kicinski , Bin Lan +Message-ID: <20260226114810.4142-2-lanbincn@139.com> + +From: Eric Dumazet + +[ Upstream commit cabd1a976375780dabab888784e356f574bbaed8 ] + +skb_header_pointer() does not fully validate negative @offset values. + +Use skb_header_pointer_careful() instead. + +GangMin Kim provided a report and a repro fooling u32_classify(): + +BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0 +net/sched/cls_u32.c:221 + +Fixes: fbc2e7d9cf49 ("cls_u32: use skb_header_pointer() to dereference data safely") +Reported-by: GangMin Kim +Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/ +Signed-off-by: Eric Dumazet +Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/cls_u32.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -149,10 +149,8 @@ next_knode: + int toff = off + key->off + (off2 & key->offmask); + __be32 *data, hdata; + +- if (skb_headroom(skb) + toff > INT_MAX) +- goto out; +- +- data = skb_header_pointer(skb, toff, 4, &hdata); ++ data = skb_header_pointer_careful(skb, toff, 4, ++ &hdata); + if (!data) + goto out; + if ((*data ^ key->val) & key->mask) { +@@ -202,8 +200,9 @@ check_terminal: + if (ht->divisor) { + __be32 *data, hdata; + +- data = skb_header_pointer(skb, off + n->sel.hoff, 4, +- &hdata); ++ data = skb_header_pointer_careful(skb, ++ off + n->sel.hoff, ++ 4, &hdata); + if (!data) + goto out; + sel = ht->divisor & u32_hash_fold(*data, &n->sel, +@@ -217,7 +216,7 @@ check_terminal: + if (n->sel.flags & TC_U32_VAROFFSET) { + __be16 *data, hdata; + +- data = skb_header_pointer(skb, ++ data = skb_header_pointer_careful(skb, + off + n->sel.offoff, + 2, &hdata); + if (!data) diff --git a/queue-5.15/net-stmmac-fix-tso-dma-api-usage-causing-oops.patch b/queue-5.15/net-stmmac-fix-tso-dma-api-usage-causing-oops.patch new file mode 100644 index 0000000000..b423c9c9e2 --- /dev/null +++ b/queue-5.15/net-stmmac-fix-tso-dma-api-usage-causing-oops.patch @@ -0,0 +1,86 @@ +From stable+bounces-225502-greg=kroah.com@vger.kernel.org Mon Mar 16 07:06:18 2026 +From: Rahul Sharma +Date: Mon, 16 Mar 2026 14:03:50 +0800 +Subject: net: stmmac: fix TSO DMA API usage causing oops +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, "Russell King (Oracle)" , Jon Hunter , Thierry Reding , Furong Xu <0x1207@gmail.com>, Jakub Kicinski , Rahul Sharma +Message-ID: <20260316060350.2568-1-black.hawk@163.com> + +From: "Russell King (Oracle)" + +[ Upstream commit 4c49f38e20a57f8abaebdf95b369295b153d1f8e ] + +Commit 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap +for non-paged SKB data") moved the assignment of tx_skbuff_dma[]'s +members to be later in stmmac_tso_xmit(). + +The buf (dma cookie) and len stored in this structure are passed to +dma_unmap_single() by stmmac_tx_clean(). The DMA API requires that +the dma cookie passed to dma_unmap_single() is the same as the value +returned from dma_map_single(). However, by moving the assignment +later, this is not the case when priv->dma_cap.addr64 > 32 as "des" +is offset by proto_hdr_len. + +This causes problems such as: + + dwc-eth-dwmac 2490000.ethernet eth0: Tx DMA map failed + +and with DMA_API_DEBUG enabled: + + DMA-API: dwc-eth-dwmac 2490000.ethernet: device driver tries to +free DMA memory it has not allocated [device address=0x000000ffffcf65c0] [size=66 bytes] + +Fix this by maintaining "des" as the original DMA cookie, and use +tso_des to pass the offset DMA cookie to stmmac_tso_allocator(). + +Full details of the crashes can be found at: +https://lore.kernel.org/all/d8112193-0386-4e14-b516-37c2d838171a@nvidia.com/ +https://lore.kernel.org/all/klkzp5yn5kq5efgtrow6wbvnc46bcqfxs65nz3qy77ujr5turc@bwwhelz2l4dw/ + +Reported-by: Jon Hunter +Reported-by: Thierry Reding +Fixes: 66600fac7a98 ("net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data") +Tested-by: Jon Hunter +Signed-off-by: Russell King (Oracle) +Reviewed-by: Furong Xu <0x1207@gmail.com> +Link: https://patch.msgid.link/E1tJXcx-006N4Z-PC@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +[ The context change is due to the commit 041cc86b3653 +("net: stmmac: Enable TSO on VLANs") in v6.11 which is irrelevant to +the logic of this patch. ] +Signed-off-by: Rahul Sharma +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -4034,9 +4034,9 @@ static netdev_tx_t stmmac_tso_xmit(struc + int tmp_pay_len = 0, first_tx; + struct stmmac_tx_queue *tx_q; + bool has_vlan, set_ic; ++ dma_addr_t tso_des, des; + u8 proto_hdr_len, hdr; + u32 pay_len, mss; +- dma_addr_t des; + int i; + + tx_q = &priv->tx_queue[queue]; +@@ -4120,14 +4120,15 @@ static netdev_tx_t stmmac_tso_xmit(struc + + /* If needed take extra descriptors to fill the remaining payload */ + tmp_pay_len = pay_len - TSO_MAX_BUFF_SIZE; ++ tso_des = des; + } else { + stmmac_set_desc_addr(priv, first, des); + tmp_pay_len = pay_len; +- des += proto_hdr_len; ++ tso_des = des + proto_hdr_len; + pay_len = 0; + } + +- stmmac_tso_allocator(priv, des, tmp_pay_len, (nfrags == 0), queue); ++ stmmac_tso_allocator(priv, tso_des, tmp_pay_len, (nfrags == 0), queue); + + /* In case two or more DMA transmit descriptors are allocated for this + * non-paged SKB data, the DMA buffer address should be saved to diff --git a/queue-5.15/net-usb-lan78xx-fix-double-free-issue-with-interrupt-buffer-allocation.patch b/queue-5.15/net-usb-lan78xx-fix-double-free-issue-with-interrupt-buffer-allocation.patch new file mode 100644 index 0000000000..267d3705f6 --- /dev/null +++ b/queue-5.15/net-usb-lan78xx-fix-double-free-issue-with-interrupt-buffer-allocation.patch @@ -0,0 +1,101 @@ +From jetlan9@163.com Mon Mar 23 09:01:18 2026 +From: Wenshan Lan +Date: Mon, 23 Mar 2026 16:00:21 +0800 +Subject: net: usb: lan78xx: Fix double free issue with interrupt buffer allocation +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: netdev@vger.kernel.org, Oleksij Rempel , John Efstathiades , Jakub Kicinski , Wenshan Lan +Message-ID: <20260323080021.1172236-1-jetlan9@163.com> + +From: Oleksij Rempel + +[ Upstream commit 03819abbeb11117dcbba40bfe322b88c0c88a6b6 ] + +In lan78xx_probe(), the buffer `buf` was being freed twice: once +implicitly through `usb_free_urb(dev->urb_intr)` with the +`URB_FREE_BUFFER` flag and again explicitly by `kfree(buf)`. This caused +a double free issue. + +To resolve this, reordered `kmalloc()` and `usb_alloc_urb()` calls to +simplify the initialization sequence and removed the redundant +`kfree(buf)`. Now, `buf` is allocated after `usb_alloc_urb()`, ensuring +it is correctly managed by `usb_fill_int_urb()` and freed by +`usb_free_urb()` as intended. + +Fixes: a6df95cae40b ("lan78xx: Fix memory allocation bug") +Cc: John Efstathiades +Signed-off-by: Oleksij Rempel +Link: https://patch.msgid.link/20241116130558.1352230-1-o.rempel@pengutronix.de +Signed-off-by: Jakub Kicinski +[ Adjust context. Make the function usb_alloc_urb() call before +kmalloc(). ] +Signed-off-by: Wenshan Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/lan78xx.c | 29 ++++++++++++++--------------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -4111,29 +4111,30 @@ static int lan78xx_probe(struct usb_inte + + period = ep_intr->desc.bInterval; + maxp = usb_maxpacket(dev->udev, dev->pipe_intr, 0); +- buf = kmalloc(maxp, GFP_KERNEL); +- if (!buf) { ++ ++ dev->urb_intr = usb_alloc_urb(0, GFP_KERNEL); ++ if (!dev->urb_intr) { + ret = -ENOMEM; + goto out3; + } + +- dev->urb_intr = usb_alloc_urb(0, GFP_KERNEL); +- if (!dev->urb_intr) { ++ buf = kmalloc(maxp, GFP_KERNEL); ++ if (!buf) { + ret = -ENOMEM; +- goto out4; +- } else { +- usb_fill_int_urb(dev->urb_intr, dev->udev, +- dev->pipe_intr, buf, maxp, +- intr_complete, dev, period); +- dev->urb_intr->transfer_flags |= URB_FREE_BUFFER; ++ goto free_urbs; + } + ++ usb_fill_int_urb(dev->urb_intr, dev->udev, ++ dev->pipe_intr, buf, maxp, ++ intr_complete, dev, period); ++ dev->urb_intr->transfer_flags |= URB_FREE_BUFFER; ++ + dev->maxpacket = usb_maxpacket(dev->udev, dev->pipe_out, 1); + + /* Reject broken descriptors. */ + if (dev->maxpacket == 0) { + ret = -ENODEV; +- goto out5; ++ goto free_urbs; + } + + /* driver requires remote-wakeup capability during autosuspend. */ +@@ -4141,7 +4142,7 @@ static int lan78xx_probe(struct usb_inte + + ret = lan78xx_phy_init(dev); + if (ret < 0) +- goto out5; ++ goto free_urbs; + + ret = register_netdev(netdev); + if (ret != 0) { +@@ -4163,10 +4164,8 @@ static int lan78xx_probe(struct usb_inte + + out6: + phy_disconnect(netdev->phydev); +-out5: ++free_urbs: + usb_free_urb(dev->urb_intr); +-out4: +- kfree(buf); + out3: + lan78xx_unbind(dev, intf); + out2: diff --git a/queue-5.15/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch b/queue-5.15/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch new file mode 100644 index 0000000000..c13ad968e4 --- /dev/null +++ b/queue-5.15/nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch @@ -0,0 +1,94 @@ +From stable+bounces-217802-greg=kroah.com@vger.kernel.org Mon Feb 23 18:24:30 2026 +From: Jaskaran Singh +Date: Mon, 23 Feb 2026 22:53:32 +0530 +Subject: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() +To: stable@vger.kernel.org, james.smart@broadcom.com, kbusch@kernel.org, axboe@fb.com, hch@lst.de, sagi@grimberg.me +Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org, Jaskaran Singh , Marco Patalano , Justin Tee , "Ewan D . Milne" +Message-ID: <20260223172332.291881-3-jsingh@cloudlinux.com> + +From: Jaskaran Singh + +commit 0a2c5495b6d1ecb0fa18ef6631450f391a888256 upstream. + +nvme_fc_delete_assocation() waits for pending I/O to complete before +returning, and an error can cause ->ioerr_work to be queued after +cancel_work_sync() had been called. Move the call to cancel_work_sync() to +be after nvme_fc_delete_association() to ensure ->ioerr_work is not running +when the nvme_fc_ctrl object is freed. Otherwise the following can occur: + +[ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL +[ 1135.917705] ------------[ cut here ]------------ +[ 1135.922336] kernel BUG at lib/list_debug.c:52! +[ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI +[ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary) +[ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025 +[ 1135.950969] Workqueue: 0x0 (nvme-wq) +[ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f +[ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b +[ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046 +[ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000 +[ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0 +[ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08 +[ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100 +[ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0 +[ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000 +[ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0 +[ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 +[ 1136.055910] PKRU: 55555554 +[ 1136.058623] Call Trace: +[ 1136.061074] +[ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0 +[ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0 +[ 1136.071898] ? move_linked_works+0x4a/0xa0 +[ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f +[ 1136.081744] ? __die_body.cold+0x8/0x12 +[ 1136.085584] ? die+0x2e/0x50 +[ 1136.088469] ? do_trap+0xca/0x110 +[ 1136.091789] ? do_error_trap+0x65/0x80 +[ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f +[ 1136.101289] ? exc_invalid_op+0x50/0x70 +[ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f +[ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20 +[ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f +[ 1136.120806] move_linked_works+0x4a/0xa0 +[ 1136.124733] worker_thread+0x216/0x3a0 +[ 1136.128485] ? __pfx_worker_thread+0x10/0x10 +[ 1136.132758] kthread+0xfa/0x240 +[ 1136.135904] ? __pfx_kthread+0x10/0x10 +[ 1136.139657] ret_from_fork+0x31/0x50 +[ 1136.143236] ? __pfx_kthread+0x10/0x10 +[ 1136.146988] ret_from_fork_asm+0x1a/0x30 +[ 1136.150915] + +Fixes: 19fce0470f05 ("nvme-fc: avoid calling _nvme_fc_abort_outstanding_ios from interrupt context") +Cc: stable@vger.kernel.org +Tested-by: Marco Patalano +Reviewed-by: Justin Tee +Signed-off-by: Ewan D. Milne +Signed-off-by: Keith Busch +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Jaskaran Singh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -3263,13 +3263,13 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc + { + struct nvme_fc_ctrl *ctrl = to_fc_ctrl(nctrl); + +- cancel_work_sync(&ctrl->ioerr_work); + cancel_delayed_work_sync(&ctrl->connect_work); + /* + * kill the association on the link side. this will block + * waiting for io to terminate + */ + nvme_fc_delete_association(ctrl); ++ cancel_work_sync(&ctrl->ioerr_work); + } + + static void diff --git a/queue-5.15/nvmet-always-initialize-cqe.result.patch b/queue-5.15/nvmet-always-initialize-cqe.result.patch new file mode 100644 index 0000000000..6db80cd53b --- /dev/null +++ b/queue-5.15/nvmet-always-initialize-cqe.result.patch @@ -0,0 +1,64 @@ +From stable+bounces-225498-greg=kroah.com@vger.kernel.org Mon Mar 16 04:30:32 2026 +From: Leon Chen +Date: Mon, 16 Mar 2026 11:27:06 +0800 +Subject: nvmet: always initialize cqe.result +To: dwagner@suse.de, hch@lst.de, kbusch@kernel.org +Cc: stable@vger.kernel.org +Message-ID: <20260316032706.2924-1-leonchen.oss@139.com> + +From: Daniel Wagner + +[ Upstream commit cd0c1b8e045a8d2785342b385cb2684d9b48e426 ] + +The spec doesn't mandate that the first two double words (aka results) +for the command queue entry need to be set to 0 when they are not +used (not specified). Though, the target implemention returns 0 for TCP +and FC but not for RDMA. + +Let's make RDMA behave the same and thus explicitly initializing the +result field. This prevents leaking any data from the stack. + +Signed-off-by: Daniel Wagner +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +[ Ignored the fabrics-cmd-auth.c, it was introduced in commit:db1312dd9548 +("nvmet: implement basic In-Band Authentication") ] +Signed-off-by: Leon Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/core.c | 1 + + drivers/nvme/target/fabrics-cmd.c | 6 ------ + 2 files changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -932,6 +932,7 @@ bool nvmet_req_init(struct nvmet_req *re + req->metadata_sg_cnt = 0; + req->transfer_len = 0; + req->metadata_len = 0; ++ req->cqe->result.u64 = 0; + req->cqe->status = 0; + req->cqe->sq_head = 0; + req->ns = NULL; +--- a/drivers/nvme/target/fabrics-cmd.c ++++ b/drivers/nvme/target/fabrics-cmd.c +@@ -187,9 +187,6 @@ static void nvmet_execute_admin_connect( + if (status) + goto out; + +- /* zero out initial completion result, assign values as needed */ +- req->cqe->result.u32 = 0; +- + if (c->recfmt != 0) { + pr_warn("invalid connect version (%d).\n", + le16_to_cpu(c->recfmt)); +@@ -255,9 +252,6 @@ static void nvmet_execute_io_connect(str + if (status) + goto out; + +- /* zero out initial completion result, assign values as needed */ +- req->cqe->result.u32 = 0; +- + if (c->recfmt != 0) { + pr_warn("invalid connect version (%d).\n", + le16_to_cpu(c->recfmt)); diff --git a/queue-5.15/pstore-inode-only-d_invalidate-is-needed.patch b/queue-5.15/pstore-inode-only-d_invalidate-is-needed.patch new file mode 100644 index 0000000000..bad025972d --- /dev/null +++ b/queue-5.15/pstore-inode-only-d_invalidate-is-needed.patch @@ -0,0 +1,71 @@ +From stable+bounces-225735-greg=kroah.com@vger.kernel.org Tue Mar 17 03:58:16 2026 +From: Robert Garcia +Date: Tue, 17 Mar 2026 10:55:58 +0800 +Subject: pstore: inode: Only d_invalidate() is needed +To: stable@vger.kernel.org, Kees Cook +Cc: "Guilherme G . Piccoli" , Tony Luck , linux-hardening@vger.kernel.org, Robert Garcia , Anton Vorontsov , Colin Cross , linux-kernel@vger.kernel.org +Message-ID: <20260317025558.1666400-1-rob_garcia@163.com> + +From: Kees Cook + +[ Upstream commit a43e0fc5e9134a46515de2f2f8d4100b74e50de3 ] + +Unloading a modular pstore backend with records in pstorefs would +trigger the dput() double-drop warning: + + WARNING: CPU: 0 PID: 2569 at fs/dcache.c:762 dput.part.0+0x3f3/0x410 + +Using the combo of d_drop()/dput() (as mentioned in +Documentation/filesystems/vfs.rst) isn't the right approach here, and +leads to the reference counting problem seen above. Use d_invalidate() +and update the code to not bother checking for error codes that can +never happen. + +Suggested-by: Alexander Viro +Fixes: 609e28bb139e ("pstore: Remove filesystem records when backend is unregistered") +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman +--- +Cc: "Guilherme G. Piccoli" +Cc: Tony Luck +Cc: linux-hardening@vger.kernel.org +[ Minor context change fixed. ] +Signed-off-by: Robert Garcia +Signed-off-by: Greg Kroah-Hartman +--- + fs/pstore/inode.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +--- a/fs/pstore/inode.c ++++ b/fs/pstore/inode.c +@@ -312,7 +312,6 @@ int pstore_put_backend_records(struct ps + { + struct pstore_private *pos, *tmp; + struct dentry *root; +- int rc = 0; + + root = psinfo_lock_root(); + if (!root) +@@ -322,11 +321,8 @@ int pstore_put_backend_records(struct ps + list_for_each_entry_safe(pos, tmp, &records_list, list) { + if (pos->record->psi == psi) { + list_del_init(&pos->list); +- rc = simple_unlink(d_inode(root), pos->dentry); +- if (WARN_ON(rc)) +- break; +- d_drop(pos->dentry); +- dput(pos->dentry); ++ d_invalidate(pos->dentry); ++ simple_unlink(d_inode(root), pos->dentry); + pos->dentry = NULL; + } + } +@@ -334,7 +330,7 @@ int pstore_put_backend_records(struct ps + + inode_unlock(d_inode(root)); + +- return rc; ++ return 0; + } + + /* diff --git a/queue-5.15/revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch b/queue-5.15/revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch new file mode 100644 index 0000000000..93f11bd2dc --- /dev/null +++ b/queue-5.15/revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch @@ -0,0 +1,42 @@ +From stable+bounces-217801-greg=kroah.com@vger.kernel.org Mon Feb 23 18:30:29 2026 +From: Jaskaran Singh +Date: Mon, 23 Feb 2026 22:53:31 +0530 +Subject: Revert "nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()" +To: stable@vger.kernel.org, james.smart@broadcom.com, kbusch@kernel.org, axboe@fb.com, hch@lst.de, sagi@grimberg.me +Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org, gregkh@linuxfoundation.org, Jaskaran Singh +Message-ID: <20260223172332.291881-2-jsingh@cloudlinux.com> + +From: Jaskaran Singh + +This reverts commit 60ba31330faf5677e2eebef7eac62ea9e42a200d. + +The backport of upstream commit 0a2c5495b6d1 was incorrectly applied. +The cancel_work_sync() call for ->ioerr_work was added to +nvme_fc_reset_ctrl_work() instead of nvme_fc_delete_ctrl(). + +Revert this commit so the correct fix can be applied. + +Signed-off-by: Jaskaran Singh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/fc.c ++++ b/drivers/nvme/host/fc.c +@@ -3263,6 +3263,7 @@ nvme_fc_delete_ctrl(struct nvme_ctrl *nc + { + struct nvme_fc_ctrl *ctrl = to_fc_ctrl(nctrl); + ++ cancel_work_sync(&ctrl->ioerr_work); + cancel_delayed_work_sync(&ctrl->connect_work); + /* + * kill the association on the link side. this will block +@@ -3333,7 +3334,6 @@ nvme_fc_reset_ctrl_work(struct work_stru + + /* will block will waiting for io to terminate */ + nvme_fc_delete_association(ctrl); +- cancel_work_sync(&ctrl->ioerr_work); + + if (!nvme_change_ctrl_state(&ctrl->ctrl, NVME_CTRL_CONNECTING)) + dev_err(ctrl->ctrl.device, diff --git a/queue-5.15/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch b/queue-5.15/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch new file mode 100644 index 0000000000..759b221271 --- /dev/null +++ b/queue-5.15/s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch @@ -0,0 +1,39 @@ +From f775276edc0c505dc0f782773796c189f31a1123 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Mon, 2 Mar 2026 14:34:58 +0100 +Subject: s390/xor: Fix xor_xc_2() inline assembly constraints + +From: Heiko Carstens + +commit f775276edc0c505dc0f782773796c189f31a1123 upstream. + +The inline assembly constraints for xor_xc_2() are incorrect. "bytes", +"p1", and "p2" are input operands, while all three of them are modified +within the inline assembly. Given that the function consists only of this +inline assembly it seems unlikely that this may cause any problems, however +fix this in any case. + +Fixes: 2cfc5f9ce7f5 ("s390/xor: optimized xor routing using the XC instruction") +Cc: stable@vger.kernel.org +Signed-off-by: Heiko Carstens +Reviewed-by: Vasily Gorbik +Link: https://lore.kernel.org/r/20260302133500.1560531-2-hca@linux.ibm.com +Signed-off-by: Vasily Gorbik +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/lib/xor.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/lib/xor.c ++++ b/arch/s390/lib/xor.c +@@ -28,8 +28,8 @@ static void xor_xc_2(unsigned long bytes + " j 3f\n" + "2: xc 0(1,%1),0(%2)\n" + "3:\n" +- : : "d" (bytes), "a" (p1), "a" (p2) +- : "0", "1", "cc", "memory"); ++ : "+d" (bytes), "+a" (p1), "+a" (p2) ++ : : "0", "1", "cc", "memory"); + } + + static void xor_xc_3(unsigned long bytes, unsigned long *p1, unsigned long *p2, diff --git a/queue-5.15/series b/queue-5.15/series index 5959c2a4c2..2b9a11c2f5 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -114,6 +114,41 @@ fs-ocfs2-fix-comments-mentioning-i_mutex.patch ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch mm-blk-cgroup-fix-use-after-free-in-cgwb_release_workfn.patch mptcp-fix-lock-class-name-family-in-pm_nl_create_listen_socket.patch -xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch tty-n_gsm-fix-deadlock-and-link-starvation-in-outgoing-data-path.patch netdevsim-fix-memory-leak-of-nsim_dev-fa_cookie.patch +revert-nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch +nvme-nvme-fc-ensure-ioerr_work-is-cancelled-in-nvme_fc_delete_ctrl.patch +alsa-control-avoid-warn-for-symlink-errors.patch +s390-xor-fix-xor_xc_2-inline-assembly-constraints.patch +f2fs-fix-null-ptr-deref-in-f2fs_submit_page_bio.patch +wifi-iwlwifi-read-txq-read_ptr-under-lock.patch +blk-mq-use-quiesced-elevator-switch-when-reinitializing-queues.patch +dm-verity-disable-recursive-forward-error-correction.patch +net-add-skb_header_pointer_careful-helper.patch +net-sched-cls_u32-use-skb_header_pointer_careful.patch +dmaengine-mmp_pdma-fix-race-condition-in-mmp_pdma_residue.patch +fs-dlm-fix-use-after-free-in-midcomms-commit.patch +spi-cadence-quadspi-implement-refcount-to-handle-unbind-during-busy.patch +x86-uprobes-fix-xol-allocation-failure-for-32-bit-tasks.patch +btrfs-send-check-for-inline-extents-in-range_is_hole_in_parent.patch +btrfs-do-not-strictly-require-dirty-metadata-threshold-for-metadata-writepages.patch +mailbox-prevent-out-of-bounds-access-in-of_mbox_index_xlate.patch +bluetooth-hci_core-fix-use-after-free-in-vhci_flush.patch +dlm-fix-possible-lkb_resource-null-dereference.patch +bpf-do-mark_chain_precision-for-arg_const_alloc_size_or_zero.patch +gfs2-no-more-self-recovery.patch +binfmt_misc-restore-write-access-before-closing-files-opened-by-open_exec.patch +drm-amdgpu-unmap-and-remove-csa_va-properly.patch +nvmet-always-initialize-cqe.result.patch +net-stmmac-fix-tso-dma-api-usage-causing-oops.patch +f2fs-fix-to-wait-on-block-writeback-for-post_read-case.patch +pstore-inode-only-d_invalidate-is-needed.patch +alsa-usb-audio-kill-timer-properly-at-removal.patch +ice-add-netif_device_attach-detach-into-pf-reset-flow.patch +iio-imu-inv_icm42600-fix-odr-switch-when-turning-buffer-off.patch +bluetooth-af_bluetooth-fix-deadlock.patch +can-gs_usb-gs_usb_xmit_callback-fix-handling-of-failed-transmitted-urbs.patch +vdpa-add-max-vqp-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch +f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_blocks-in-lfs-mode.patch +sunrpc-lock-against-sock-changing-during-sysfs-read.patch +net-usb-lan78xx-fix-double-free-issue-with-interrupt-buffer-allocation.patch diff --git a/queue-5.15/spi-cadence-quadspi-implement-refcount-to-handle-unbind-during-busy.patch b/queue-5.15/spi-cadence-quadspi-implement-refcount-to-handle-unbind-during-busy.patch new file mode 100644 index 0000000000..81e1d586dd --- /dev/null +++ b/queue-5.15/spi-cadence-quadspi-implement-refcount-to-handle-unbind-during-busy.patch @@ -0,0 +1,117 @@ +From stable+bounces-222519-greg=kroah.com@vger.kernel.org Mon Mar 2 07:48:17 2026 +From: Robert Garcia +Date: Mon, 2 Mar 2026 14:47:39 +0800 +Subject: spi: cadence-quadspi: Implement refcount to handle unbind during busy +To: stable@vger.kernel.org, Khairul Anuar Romli +Cc: Mark Brown , Niravkumar L Rabara , Robert Garcia , linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org +Message-ID: <20260302064739.1924977-1-rob_garcia@163.com> + +From: Khairul Anuar Romli + +[ Upstream commit 7446284023e8ef694fb392348185349c773eefb3 ] + +driver support indirect read and indirect write operation with +assumption no force device removal(unbind) operation. However +force device removal(removal) is still available to root superuser. + +Unbinding driver during operation causes kernel crash. This changes +ensure driver able to handle such operation for indirect read and +indirect write by implementing refcount to track attached devices +to the controller and gracefully wait and until attached devices +remove operation completed before proceed with removal operation. + +Signed-off-by: Khairul Anuar Romli +Reviewed-by: Matthew Gerlach +Reviewed-by: Niravkumar L Rabara +Link: https://patch.msgid.link/8704fd6bd2ff4d37bba4a0eacf5eba3ba001079e.1756168074.git.khairul.anuar.romli@altera.com +Signed-off-by: Mark Brown +[Add cqspi defination in cqspi_exec_mem_op and minor context change fixed.] +Signed-off-by: Robert Garcia +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-cadence-quadspi.c | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +--- a/drivers/spi/spi-cadence-quadspi.c ++++ b/drivers/spi/spi-cadence-quadspi.c +@@ -85,6 +85,8 @@ struct cqspi_st { + bool use_direct_mode; + struct cqspi_flash_pdata f_pdata[CQSPI_MAX_CHIPSELECT]; + bool wr_completion; ++ refcount_t refcount; ++ refcount_t inflight_ops; + }; + + struct cqspi_driver_platdata { +@@ -684,6 +686,9 @@ static int cqspi_indirect_read_execute(s + u8 *rxbuf_end = rxbuf + n_rx; + int ret = 0; + ++ if (!refcount_read(&cqspi->refcount)) ++ return -ENODEV; ++ + writel(from_addr, reg_base + CQSPI_REG_INDIRECTRDSTARTADDR); + writel(remaining, reg_base + CQSPI_REG_INDIRECTRDBYTES); + +@@ -826,6 +831,9 @@ static int cqspi_indirect_write_execute( + unsigned int write_bytes; + int ret; + ++ if (!refcount_read(&cqspi->refcount)) ++ return -ENODEV; ++ + writel(to_addr, reg_base + CQSPI_REG_INDIRECTWRSTARTADDR); + writel(remaining, reg_base + CQSPI_REG_INDIRECTWRBYTES); + +@@ -1210,11 +1218,29 @@ static int cqspi_mem_process(struct spi_ + static int cqspi_exec_mem_op(struct spi_mem *mem, const struct spi_mem_op *op) + { + int ret; ++ struct cqspi_st *cqspi = spi_controller_get_devdata(mem->spi->controller); ++ ++ if (refcount_read(&cqspi->inflight_ops) == 0) ++ return -ENODEV; ++ ++ if (!refcount_read(&cqspi->refcount)) ++ return -EBUSY; ++ ++ refcount_inc(&cqspi->inflight_ops); ++ ++ if (!refcount_read(&cqspi->refcount)) { ++ if (refcount_read(&cqspi->inflight_ops)) ++ refcount_dec(&cqspi->inflight_ops); ++ return -EBUSY; ++ } + + ret = cqspi_mem_process(mem, op); + if (ret) + dev_err(&mem->spi->dev, "operation failed with %d\n", ret); + ++ if (refcount_read(&cqspi->inflight_ops) > 1) ++ refcount_dec(&cqspi->inflight_ops); ++ + return ret; + } + +@@ -1564,6 +1590,9 @@ static int cqspi_probe(struct platform_d + cqspi->wr_completion = false; + } + ++ refcount_set(&cqspi->refcount, 1); ++ refcount_set(&cqspi->inflight_ops, 1); ++ + ret = devm_request_irq(dev, irq, cqspi_irq_handler, 0, + pdev->name, cqspi); + if (ret) { +@@ -1613,6 +1642,11 @@ static int cqspi_remove(struct platform_ + { + struct cqspi_st *cqspi = platform_get_drvdata(pdev); + ++ refcount_set(&cqspi->refcount, 0); ++ ++ if (!refcount_dec_and_test(&cqspi->inflight_ops)) ++ cqspi_wait_idle(cqspi); ++ + cqspi_controller_enable(cqspi, 0); + + if (cqspi->rx_chan) diff --git a/queue-5.15/sunrpc-lock-against-sock-changing-during-sysfs-read.patch b/queue-5.15/sunrpc-lock-against-sock-changing-during-sysfs-read.patch new file mode 100644 index 0000000000..e0c7bcfea2 --- /dev/null +++ b/queue-5.15/sunrpc-lock-against-sock-changing-during-sysfs-read.patch @@ -0,0 +1,64 @@ +From stable+bounces-226991-greg=kroah.com@vger.kernel.org Wed Mar 18 08:59:04 2026 +From: Robert Garcia +Date: Wed, 18 Mar 2026 15:55:51 +0800 +Subject: SUNRPC: lock against ->sock changing during sysfs read +To: stable@vger.kernel.org, Johannes Berg +Cc: Miri Korenblit , Trond Myklebust , Anna Schumaker , Robert Garcia , "J . Bruce Fields" , Chuck Lever , "David S . Miller" , Jakub Kicinski , Olga Kornievskaia , linux-nfs@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org +Message-ID: <20260318075551.1668418-1-rob_garcia@163.com> + +From: NeilBrown + +[ Upstream commit b49ea673e119f59c71645e2f65b3ccad857c90ee ] + +->sock can be set to NULL asynchronously unless ->recv_mutex is held. +So it is important to hold that mutex. Otherwise a sysfs read can +trigger an oops. +Commit 17f09d3f619a ("SUNRPC: Check if the xprt is connected before +handling sysfs reads") appears to attempt to fix this problem, but it +only narrows the race window. + +Fixes: 17f09d3f619a ("SUNRPC: Check if the xprt is connected before handling sysfs reads") +Fixes: a8482488a7d6 ("SUNRPC query transport's source port") +Signed-off-by: NeilBrown +Signed-off-by: Anna Schumaker +Signed-off-by: Robert Garcia +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/sysfs.c | 5 ++++- + net/sunrpc/xprtsock.c | 7 ++++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +--- a/net/sunrpc/sysfs.c ++++ b/net/sunrpc/sysfs.c +@@ -113,11 +113,14 @@ static ssize_t rpc_sysfs_xprt_srcaddr_sh + return 0; + + sock = container_of(xprt, struct sock_xprt, xprt); +- if (kernel_getsockname(sock->sock, (struct sockaddr *)&saddr) < 0) ++ mutex_lock(&sock->recv_mutex); ++ if (sock->sock == NULL || ++ kernel_getsockname(sock->sock, (struct sockaddr *)&saddr) < 0) + goto out; + + ret = sprintf(buf, "%pISc\n", &saddr); + out: ++ mutex_unlock(&sock->recv_mutex); + xprt_put(xprt); + return ret + 1; + } +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -1680,7 +1680,12 @@ static int xs_get_srcport(struct sock_xp + unsigned short get_srcport(struct rpc_xprt *xprt) + { + struct sock_xprt *sock = container_of(xprt, struct sock_xprt, xprt); +- return xs_sock_getport(sock->sock); ++ unsigned short ret = 0; ++ mutex_lock(&sock->recv_mutex); ++ if (sock->sock) ++ ret = xs_sock_getport(sock->sock); ++ mutex_unlock(&sock->recv_mutex); ++ return ret; + } + EXPORT_SYMBOL(get_srcport); + diff --git a/queue-5.15/vdpa-add-max-vqp-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch b/queue-5.15/vdpa-add-max-vqp-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch new file mode 100644 index 0000000000..b3005e9eb7 --- /dev/null +++ b/queue-5.15/vdpa-add-max-vqp-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch @@ -0,0 +1,45 @@ +From stable+bounces-223041-greg=kroah.com@vger.kernel.org Wed Mar 4 13:06:17 2026 +From: Alva Lan +Date: Wed, 4 Mar 2026 20:05:20 +0800 +Subject: vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: mst@redhat.com, jasowang@redhat.com, xuanzhuo@linux.alibaba.com, eperezma@redhat.com, Lin Ma , Alva Lan +Message-ID: + +From: Lin Ma + +[ Upstream commit 5d6ba607d6cb5c58a4ddf33381e18c83dbb4098f ] + +The vdpa_nl_policy structure is used to validate the nlattr when parsing +the incoming nlmsg. It will ensure the attribute being described produces +a valid nlattr pointer in info->attrs before entering into each handler +in vdpa_nl_ops. + +That is to say, the missing part in vdpa_nl_policy may lead to illegal +nlattr after parsing, which could lead to OOB read just like CVE-2023-3773. + +This patch adds the missing nla_policy for vdpa max vqp attr to avoid +such bugs. + +Fixes: ad69dd0bf26b ("vdpa: Introduce query of device config layout") +Signed-off-by: Lin Ma +Cc: stable@vger.kernel.org +Message-Id: <20230727175757.73988-7-dtatulea@nvidia.com> +Signed-off-by: Michael S. Tsirkin +[ Minor context conflict resolved. ] +Signed-off-by: Alva Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vdpa/vdpa.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/vdpa/vdpa.c ++++ b/drivers/vdpa/vdpa.c +@@ -847,6 +847,7 @@ static const struct nla_policy vdpa_nl_p + [VDPA_ATTR_MGMTDEV_BUS_NAME] = { .type = NLA_NUL_STRING }, + [VDPA_ATTR_MGMTDEV_DEV_NAME] = { .type = NLA_STRING }, + [VDPA_ATTR_DEV_NAME] = { .type = NLA_STRING }, ++ [VDPA_ATTR_DEV_NET_CFG_MAX_VQP] = { .type = NLA_U16 }, + }; + + static const struct genl_ops vdpa_nl_ops[] = { diff --git a/queue-5.15/wifi-iwlwifi-read-txq-read_ptr-under-lock.patch b/queue-5.15/wifi-iwlwifi-read-txq-read_ptr-under-lock.patch new file mode 100644 index 0000000000..1d835c33ff --- /dev/null +++ b/queue-5.15/wifi-iwlwifi-read-txq-read_ptr-under-lock.patch @@ -0,0 +1,46 @@ +From c2ace6300600c634553657785dfe5ea0ed688ac2 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 19 Mar 2024 10:10:22 +0200 +Subject: wifi: iwlwifi: read txq->read_ptr under lock + +From: Johannes Berg + +commit c2ace6300600c634553657785dfe5ea0ed688ac2 upstream. + +If we read txq->read_ptr without lock, we can read the same +value twice, then obtain the lock, and reclaim from there +to two different places, but crucially reclaim the same +entry twice, resulting in the WARN_ONCE() a little later. +Fix that by reading txq->read_ptr under lock. + +Signed-off-by: Johannes Berg +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240319100755.bf4c62196504.I978a7ca56c6bd6f1bf42c15aa923ba03366a840b@changeid +Signed-off-by: Johannes Berg +[ Change read_ptr definition according to commit +413be839bfca9("wifi: iwlwifi: add a validity check of queue_id in iwl_txq_reclaim"). ] +Signed-off-by: Robert Garcia +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/queue/tx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/queue/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/queue/tx.c +@@ -1524,7 +1524,7 @@ void iwl_txq_reclaim(struct iwl_trans *t + { + struct iwl_txq *txq = trans->txqs.txq[txq_id]; + int tfd_num = iwl_txq_get_cmd_index(txq, ssn); +- int read_ptr = iwl_txq_get_cmd_index(txq, txq->read_ptr); ++ int read_ptr; + int last_to_free; + + /* This function is not meant to release cmd queue*/ +@@ -1532,6 +1532,7 @@ void iwl_txq_reclaim(struct iwl_trans *t + return; + + spin_lock_bh(&txq->lock); ++ read_ptr = iwl_txq_get_cmd_index(txq, txq->read_ptr); + + if (!test_bit(txq_id, trans->txqs.queue_used)) { + IWL_DEBUG_TX_QUEUES(trans, "Q %d inactive - ignoring idx %d\n", diff --git a/queue-5.15/x86-uprobes-fix-xol-allocation-failure-for-32-bit-tasks.patch b/queue-5.15/x86-uprobes-fix-xol-allocation-failure-for-32-bit-tasks.patch new file mode 100644 index 0000000000..c33da8f4e1 --- /dev/null +++ b/queue-5.15/x86-uprobes-fix-xol-allocation-failure-for-32-bit-tasks.patch @@ -0,0 +1,130 @@ +From stable+bounces-222631-greg=kroah.com@vger.kernel.org Mon Mar 2 16:48:40 2026 +From: Oleg Nesterov +Date: Mon, 2 Mar 2026 16:42:20 +0100 +Subject: x86/uprobes: Fix XOL allocation failure for 32-bit tasks +To: Sasha Levin +Cc: stable@vger.kernel.org, Paulo Andrade , "Peter Zijlstra (Intel)" , linux-trace-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org +Message-ID: +Content-Disposition: inline + +From: Oleg Nesterov + +[ Upstream commit d55c571e4333fac71826e8db3b9753fadfbead6a ] + +This script + + #!/usr/bin/bash + + echo 0 > /proc/sys/kernel/randomize_va_space + + echo 'void main(void) {}' > TEST.c + + # -fcf-protection to ensure that the 1st endbr32 insn can't be emulated + gcc -m32 -fcf-protection=branch TEST.c -o test + + bpftrace -e 'uprobe:./test:main {}' -c ./test + +"hangs", the probed ./test task enters an endless loop. + +The problem is that with randomize_va_space == 0 +get_unmapped_area(TASK_SIZE - PAGE_SIZE) called by xol_add_vma() can not +just return the "addr == TASK_SIZE - PAGE_SIZE" hint, this addr is used +by the stack vma. + +arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into account and +in_32bit_syscall() is false, this leads to info.high_limit > TASK_SIZE. +vm_unmapped_area() happily returns the high address > TASK_SIZE and then +get_unmapped_area() returns -ENOMEM after the "if (addr > TASK_SIZE - len)" +check. + +handle_swbp() doesn't report this failure (probably it should) and silently +restarts the probed insn. Endless loop. + +I think that the right fix should change the x86 get_unmapped_area() paths +to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if +CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case +because ->orig_ax = -1. + +But we need a simple fix for -stable, so this patch just sets TS_COMPAT if +the probed task is 32-bit to make in_ia32_syscall() true. + +Fixes: 1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()") +Reported-by: Paulo Andrade +Signed-off-by: Oleg Nesterov +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/ +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/aWO7Fdxn39piQnxu@redhat.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/uprobes.c | 24 ++++++++++++++++++++++++ + include/linux/uprobes.h | 1 + + kernel/events/uprobes.c | 10 +++++++--- + 3 files changed, 32 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/uprobes.c ++++ b/arch/x86/kernel/uprobes.c +@@ -1097,3 +1097,27 @@ bool arch_uretprobe_is_alive(struct retu + else + return regs->sp <= ret->stack; + } ++ ++#ifdef CONFIG_IA32_EMULATION ++unsigned long arch_uprobe_get_xol_area(void) ++{ ++ struct thread_info *ti = current_thread_info(); ++ unsigned long vaddr; ++ ++ /* ++ * HACK: we are not in a syscall, but x86 get_unmapped_area() paths ++ * ignore TIF_ADDR32 and rely on in_32bit_syscall() to calculate ++ * vm_unmapped_area_info.high_limit. ++ * ++ * The #ifdef above doesn't cover the CONFIG_X86_X32_ABI=y case, ++ * but in this case in_32bit_syscall() -> in_x32_syscall() always ++ * (falsely) returns true because ->orig_ax == -1. ++ */ ++ if (test_thread_flag(TIF_ADDR32)) ++ ti->status |= TS_COMPAT; ++ vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0); ++ ti->status &= ~TS_COMPAT; ++ ++ return vaddr; ++} ++#endif +--- a/include/linux/uprobes.h ++++ b/include/linux/uprobes.h +@@ -138,6 +138,7 @@ extern bool arch_uretprobe_is_alive(stru + extern bool arch_uprobe_ignore(struct arch_uprobe *aup, struct pt_regs *regs); + extern void arch_uprobe_copy_ixol(struct page *page, unsigned long vaddr, + void *src, unsigned long len); ++extern unsigned long arch_uprobe_get_xol_area(void); + #else /* !CONFIG_UPROBES */ + struct uprobes_state { + }; +--- a/kernel/events/uprobes.c ++++ b/kernel/events/uprobes.c +@@ -1437,6 +1437,12 @@ void uprobe_munmap(struct vm_area_struct + set_bit(MMF_RECALC_UPROBES, &vma->vm_mm->flags); + } + ++unsigned long __weak arch_uprobe_get_xol_area(void) ++{ ++ /* Try to map as high as possible, this is only a hint. */ ++ return get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, PAGE_SIZE, 0, 0); ++} ++ + /* Slot allocation for XOL */ + static int xol_add_vma(struct mm_struct *mm, struct xol_area *area) + { +@@ -1452,9 +1458,7 @@ static int xol_add_vma(struct mm_struct + } + + if (!area->vaddr) { +- /* Try to map as high as possible, this is only a hint. */ +- area->vaddr = get_unmapped_area(NULL, TASK_SIZE - PAGE_SIZE, +- PAGE_SIZE, 0, 0); ++ area->vaddr = arch_uprobe_get_xol_area(); + if (IS_ERR_VALUE(area->vaddr)) { + ret = area->vaddr; + goto fail; diff --git a/queue-5.15/xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch b/queue-5.15/xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch deleted file mode 100644 index 247086064b..0000000000 --- a/queue-5.15/xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch +++ /dev/null @@ -1,69 +0,0 @@ -From johnny_haocn@sina.com Fri Mar 27 06:59:57 2026 -From: Johnny Hao -Date: Fri, 27 Mar 2026 13:59:50 +0800 -Subject: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() -To: gregkh@linuxfoundation.org, stable@vger.kernel.org -Cc: linux-kernel@vger.kernel.org, Alexey Nepomnyashih , Jakub Kicinski , Johnny Hao -Message-ID: <20260327055950.2618928-1-johnny_haocn@sina.com> - -From: Alexey Nepomnyashih - -[ Upstream commit cc3628dcd851ddd8d418bf0c897024b4621ddc92 ] - -The function xdp_convert_buff_to_frame() may return NULL if it fails -to correctly convert the XDP buffer into an XDP frame due to memory -constraints, internal errors, or invalid data. Failing to check for NULL -may lead to a NULL pointer dereference if the result is used later in -processing, potentially causing crashes, data corruption, or undefined -behavior. - -On XDP redirect failure, the associated page must be released explicitly -if it was previously retained via get_page(). Failing to do so may result -in a memory leak, as the pages reference count is not decremented. - -Cc: stable@vger.kernel.org # v5.9+ -Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") -Signed-off-by: Alexey Nepomnyashih -Link: https://patch.msgid.link/20250417122118.1009824-1-sdl@nppct.ru -Signed-off-by: Jakub Kicinski -Signed-off-by: Johnny Hao -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/xen-netfront.c | 17 ++++++++++++----- - 1 file changed, 12 insertions(+), 5 deletions(-) - ---- a/drivers/net/xen-netfront.c -+++ b/drivers/net/xen-netfront.c -@@ -982,20 +982,27 @@ static u32 xennet_run_xdp(struct netfron - act = bpf_prog_run_xdp(prog, xdp); - switch (act) { - case XDP_TX: -- get_page(pdata); - xdpf = xdp_convert_buff_to_frame(xdp); -+ if (unlikely(!xdpf)) { -+ trace_xdp_exception(queue->info->netdev, prog, act); -+ break; -+ } -+ get_page(pdata); - err = xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0); -- if (unlikely(!err)) -+ if (unlikely(err <= 0)) { -+ if (err < 0) -+ trace_xdp_exception(queue->info->netdev, prog, act); - xdp_return_frame_rx_napi(xdpf); -- else if (unlikely(err < 0)) -- trace_xdp_exception(queue->info->netdev, prog, act); -+ } - break; - case XDP_REDIRECT: - get_page(pdata); - err = xdp_do_redirect(queue->info->netdev, xdp, prog); - *need_xdp_flush = true; -- if (unlikely(err)) -+ if (unlikely(err)) { - trace_xdp_exception(queue->info->netdev, prog, act); -+ xdp_return_buff(xdp); -+ } - break; - case XDP_PASS: - case XDP_DROP: