From: Sasha Levin
Date: Thu, 23 Apr 2026 14:28:48 +0000 (-0400)
Subject: Fixes for all trees
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=d70e7dc61da098190fb88e67e22f8f59659840c2;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for all trees
Signed-off-by: Sasha Levin
---
diff --git a/queue-5.10/revert-scsi-ufs-core-improve-scsi-abort-handling.patch b/queue-5.10/revert-scsi-ufs-core-improve-scsi-abort-handling.patch
new file mode 100644
index 0000000000..ad99171e0c
--- /dev/null
+++ b/queue-5.10/revert-scsi-ufs-core-improve-scsi-abort-handling.patch
@@ -0,0 +1,27 @@
+From 7fe394cba7f757b6636965a9abd1e035cb4c03fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Apr 2026 09:50:40 -0400
+Subject: Revert "scsi: ufs: core: Improve SCSI abort handling"
+
+This reverts commit 133811fbc1cc171477281c829eb5fd567f013ba7.
+
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/ufs/ufshcd.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
+index 1b8072f47e7e8..c7bf0e6bc303d 100644
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -6788,7 +6788,6 @@ static int ufshcd_abort(struct scsi_cmnd *cmd)
+ __ufshcd_transfer_req_compl(hba, (1UL << tag));
+ spin_unlock_irqrestore(host->host_lock, flags);
+ out:
+- lrbp->cmd = NULL;
+ err = SUCCESS;
+ } else {
+ dev_err(hba->dev, "%s: failed with err %d\n", __func__, err);
+--
+2.53.0
+
diff --git a/queue-5.10/rxrpc-fix-recvmsg-unconditional-requeue.patch b/queue-5.10/rxrpc-fix-recvmsg-unconditional-requeue.patch
new file mode 100644
index 0000000000..6b892cf3e1
--- /dev/null
+++ b/queue-5.10/rxrpc-fix-recvmsg-unconditional-requeue.patch
@@ -0,0 +1,120 @@
+From d3f440424bf18f9b9cc4234b7379b1fc18f77b7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 22 Apr 2026 22:24:32 +0000
+Subject: rxrpc: Fix recvmsg() unconditional requeue
+
+From: David Howells
+
+[ Upstream commit 2c28769a51deb6022d7fbd499987e237a01dd63a ]
+
+If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call
+at the front of the recvmsg queue already has its mutex locked, it
+requeues the call - whether or not the call is already queued. The call
+may be on the queue because MSG_PEEK was also passed and so the call was
+not dequeued or because the I/O thread requeued it.
+
+The unconditional requeue may then corrupt the recvmsg queue, leading to
+things like UAFs or refcount underruns.
+
+Fix this by only requeuing the call if it isn't already on the queue -
+and moving it to the front if it is already queued. If we don't queue
+it, we have to put the ref we obtained by dequeuing it.
+
+Also, MSG_PEEK doesn't dequeue the call so shouldn't call
+rxrpc_notify_socket() for the call if we didn't use up all the data on
+the queue, so fix that also.
+
+Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
+Reported-by: Faith
+Reported-by: Pumpkin Chang
+Signed-off-by: David Howells
+Acked-by: Marc Dionne
+Signed-off-by: Jakub Kicinski
+Cc: stable@vger.kernel.org
+[Adapted to 5.10: use write_lock_bh/write_unlock_bh, trace_rxrpc_call
+ directly for see-call tracing, 5.10 trace enum naming convention, and
+ added entries to both plain enum and EM() macro list.]
+Signed-off-by: Jay Wang
+Signed-off-by: Sasha Levin
+---
+ include/trace/events/rxrpc.h | 8 ++++++++
+ net/rxrpc/recvmsg.c | 22 ++++++++++++++++++----
+ 2 files changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
+index 221856f2d295c..6cde10ae4445d 100644
+--- a/include/trace/events/rxrpc.h
++++ b/include/trace/events/rxrpc.h
+@@ -93,9 +93,13 @@ enum rxrpc_call_trace {
+ rxrpc_call_put_notimer,
+ rxrpc_call_put_timer,
+ rxrpc_call_put_userid,
++ rxrpc_call_put_recvmsg_peek_nowait,
+ rxrpc_call_queued,
+ rxrpc_call_queued_ref,
+ rxrpc_call_release,
++ rxrpc_call_see_recvmsg_requeue,
++ rxrpc_call_see_recvmsg_requeue_first,
++ rxrpc_call_see_recvmsg_requeue_move,
+ rxrpc_call_seen,
+ };
+
+@@ -291,9 +295,13 @@ enum rxrpc_tx_point {
+ EM(rxrpc_call_put_notimer, "PnT") \
+ EM(rxrpc_call_put_timer, "PTM") \
+ EM(rxrpc_call_put_userid, "Pus") \
++ EM(rxrpc_call_put_recvmsg_peek_nowait, "PpN") \
+ EM(rxrpc_call_queued, "QUE") \
+ EM(rxrpc_call_queued_ref, "QUR") \
+ EM(rxrpc_call_release, "RLS") \
++ EM(rxrpc_call_see_recvmsg_requeue, "SrQ") \
++ EM(rxrpc_call_see_recvmsg_requeue_first,"SrF") \
++ EM(rxrpc_call_see_recvmsg_requeue_move, "SrM") \
+ E_(rxrpc_call_seen, "SEE")
+
+ #define rxrpc_transmit_traces \
+diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
+index 7878267739378..301b8acf78f55 100644
+--- a/net/rxrpc/recvmsg.c
++++ b/net/rxrpc/recvmsg.c
+@@ -607,7 +607,8 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+
+ if (after(call->rx_top, call->rx_hard_ack) &&
+ call->rxtx_buffer[(call->rx_hard_ack + 1) & RXRPC_RXTX_BUFF_MASK])
+- rxrpc_notify_socket(call);
++ if (!(flags & MSG_PEEK))
++ rxrpc_notify_socket(call);
+ break;
+ default:
+ ret = 0;
+@@ -642,11 +643,24 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ error_requeue_call:
+ if (!(flags & MSG_PEEK)) {
+ write_lock_bh(&rx->recvmsg_lock);
+- list_add(&call->recvmsg_link, &rx->recvmsg_q);
+- write_unlock_bh(&rx->recvmsg_lock);
++ if (list_empty(&call->recvmsg_link)) {
++ list_add(&call->recvmsg_link, &rx->recvmsg_q);
++ trace_rxrpc_call(call->debug_id,
++ rxrpc_call_see_recvmsg_requeue,
++ refcount_read(&call->ref),
++ __builtin_return_address(0), NULL);
++ write_unlock_bh(&rx->recvmsg_lock);
++ } else if (list_is_first(&call->recvmsg_link, &rx->recvmsg_q)) {
++ write_unlock_bh(&rx->recvmsg_lock);
++ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_first);
++ } else {
++ list_move(&call->recvmsg_link, &rx->recvmsg_q);
++ write_unlock_bh(&rx->recvmsg_lock);
++ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_move);
++ }
+ trace_rxrpc_recvmsg(call, rxrpc_recvmsg_requeue, 0, 0, 0, 0);
+ } else {
+- rxrpc_put_call(call, rxrpc_call_put);
++ rxrpc_put_call(call, rxrpc_call_put_recvmsg_peek_nowait);
+ }
+ error_no_call:
+ release_sock(&rx->sk);
+--
+2.53.0
+
diff --git a/queue-5.10/series b/queue-5.10/series
index 4f7bb112e8..72fdb203b9 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -124,3 +124,5 @@ gfs2-validate-i_depth-for-exhash-directories.patch
 drm-amd-display-do-not-add-mhard-float-to-calcs-dsc-and-dcn30-fp-files-for-clang.patch
 scripts-dtc-remove-unused-dts_version-in-dtc-lexer.l.patch
 i3c-fix-uninitialized-variable-use-in-i2c-setup.patch
+revert-scsi-ufs-core-improve-scsi-abort-handling.patch
+rxrpc-fix-recvmsg-unconditional-requeue.patch
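Review bot: In the net/rxrpc/recvmsg.c part of the queued rxrpc patch, the `error_requeue_call` path still hands `call` to `trace_rxrpc_recvmsg(call, rxrpc_recvmsg_requeue, 0, 0, 0, 0);` after the two new `else` branches have already dropped the dequeue reference with `rxrpc_put_call()`. The tracepoint's definition is not visible here, but if it reads fields of the call, that read is safe only while the recvmsg queue's own reference keeps the object alive. That is the same kind of lifetime assumption the patch exists to fix. Moving the `trace_rxrpc_recvmsg(...)` line to just before `write_lock_bh(&rx->recvmsg_lock);` would remove the dependency without changing the requeue logic. Most of rxrpc_recvmsg() lies outside the hunk, so the locks held at this label should be checked against the full 5.10 function.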