From: Greg Kroah-Hartman Date: Thu, 23 Apr 2026 11:55:28 +0000 (+0200) Subject: 5.15-stable patches X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=fb1c2e64f7d34b97cb750eb166f84806f1c38439;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: btrfs-lock-the-inode-in-shared-mode-before-starting-fiemap.patch cpufreq-avoid-a-bad-reference-count-on-cpu-node.patch cpufreq-governor-fix-double-free-in-cpufreq_dbs_governor_init-error-path.patch cpufreq-governor-free-dbs_data-directly-when-gov-init-fails.patch drivers-base-free-devm-resources-when-unregistering-a-device.patch fbdev-efifb-register-sysfs-groups-through-driver-core.patch fs-ntfs3-add-more-attributes-checks-in-mi_enum_attr.patch md-md-bitmap-synchronize-bitmap_get_stats-with-bitmap-lifetime.patch net-clear-the-dst-when-changing-skb-protocol.patch revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch rxrpc-fix-recvmsg-unconditional-requeue.patch --- diff --git a/queue-5.15/btrfs-lock-the-inode-in-shared-mode-before-starting-fiemap.patch b/queue-5.15/btrfs-lock-the-inode-in-shared-mode-before-starting-fiemap.patch new file mode 100644 index 0000000000..728515dfd3 --- /dev/null +++ b/queue-5.15/btrfs-lock-the-inode-in-shared-mode-before-starting-fiemap.patch @@ -0,0 +1,177 @@ +From stable+bounces-240433-greg=kroah.com@vger.kernel.org Thu Apr 23 09:39:57 2026 +From: Robert Garcia +Date: Thu, 23 Apr 2026 15:38:42 +0800 +Subject: btrfs: lock the inode in shared mode before starting fiemap +To: stable@vger.kernel.org, Filipe Manana +Cc: David Sterba , Josef Bacik , Chris Mason , Robert Garcia , linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org +Message-ID: <20260423073842.3827122-1-rob_garcia@163.com> + +From: Filipe Manana + +[ Upstream commit 519b7e13b5ae8dd38da1e52275705343be6bb508 ] + +Currently fiemap does not take the inode's lock (VFS lock), it only locks +a file range in the inode's io tree. This however can lead to a deadlock +if we have a concurrent fsync on the file and fiemap code triggers a fault +when accessing the user space buffer with fiemap_fill_next_extent(). The +deadlock happens on the inode's i_mmap_lock semaphore, which is taken both +by fsync and btrfs_page_mkwrite(). This deadlock was recently reported by +syzbot and triggers a trace like the following: + + task:syz-executor361 state:D stack:20264 pid:5668 ppid:5119 flags:0x00004004 + Call Trace: + + context_switch kernel/sched/core.c:5293 [inline] + __schedule+0x995/0xe20 kernel/sched/core.c:6606 + schedule+0xcb/0x190 kernel/sched/core.c:6682 + wait_on_state fs/btrfs/extent-io-tree.c:707 [inline] + wait_extent_bit+0x577/0x6f0 fs/btrfs/extent-io-tree.c:751 + lock_extent+0x1c2/0x280 fs/btrfs/extent-io-tree.c:1742 + find_lock_delalloc_range+0x4e6/0x9c0 fs/btrfs/extent_io.c:488 + writepage_delalloc+0x1ef/0x540 fs/btrfs/extent_io.c:1863 + __extent_writepage+0x736/0x14e0 fs/btrfs/extent_io.c:2174 + extent_write_cache_pages+0x983/0x1220 fs/btrfs/extent_io.c:3091 + extent_writepages+0x219/0x540 fs/btrfs/extent_io.c:3211 + do_writepages+0x3c3/0x680 mm/page-writeback.c:2581 + filemap_fdatawrite_wbc+0x11e/0x170 mm/filemap.c:388 + __filemap_fdatawrite_range mm/filemap.c:421 [inline] + filemap_fdatawrite_range+0x175/0x200 mm/filemap.c:439 + btrfs_fdatawrite_range fs/btrfs/file.c:3850 [inline] + start_ordered_ops fs/btrfs/file.c:1737 [inline] + btrfs_sync_file+0x4ff/0x1190 fs/btrfs/file.c:1839 + generic_write_sync include/linux/fs.h:2885 [inline] + btrfs_do_write_iter+0xcd3/0x1280 fs/btrfs/file.c:1684 + call_write_iter include/linux/fs.h:2189 [inline] + new_sync_write fs/read_write.c:491 [inline] + vfs_write+0x7dc/0xc50 fs/read_write.c:584 + ksys_write+0x177/0x2a0 fs/read_write.c:637 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + RIP: 0033:0x7f7d4054e9b9 + RSP: 002b:00007f7d404fa2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 + RAX: ffffffffffffffda RBX: 00007f7d405d87a0 RCX: 00007f7d4054e9b9 + RDX: 0000000000000090 RSI: 0000000020000000 RDI: 0000000000000006 + RBP: 00007f7d405a51d0 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000246 R12: 61635f65646f6e69 + R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87a8 + + INFO: task syz-executor361:5697 blocked for more than 145 seconds. + Not tainted 6.2.0-rc3-syzkaller-00376-g7c6984405241 #0 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + task:syz-executor361 state:D stack:21216 pid:5697 ppid:5119 flags:0x00004004 + Call Trace: + + context_switch kernel/sched/core.c:5293 [inline] + __schedule+0x995/0xe20 kernel/sched/core.c:6606 + schedule+0xcb/0x190 kernel/sched/core.c:6682 + rwsem_down_read_slowpath+0x5f9/0x930 kernel/locking/rwsem.c:1095 + __down_read_common+0x54/0x2a0 kernel/locking/rwsem.c:1260 + btrfs_page_mkwrite+0x417/0xc80 fs/btrfs/inode.c:8526 + do_page_mkwrite+0x19e/0x5e0 mm/memory.c:2947 + wp_page_shared+0x15e/0x380 mm/memory.c:3295 + handle_pte_fault mm/memory.c:4949 [inline] + __handle_mm_fault mm/memory.c:5073 [inline] + handle_mm_fault+0x1b79/0x26b0 mm/memory.c:5219 + do_user_addr_fault+0x69b/0xcb0 arch/x86/mm/fault.c:1428 + handle_page_fault arch/x86/mm/fault.c:1519 [inline] + exc_page_fault+0x7a/0x110 arch/x86/mm/fault.c:1575 + asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:570 + RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233 + Code: 74 0a 89 (...) + RSP: 0018:ffffc9000570f330 EFLAGS: 00050202 + RAX: ffffffff843e6601 RBX: 00007fffffffefc8 RCX: 0000000000000007 + RDX: 0000000000000000 RSI: ffffc9000570f3e0 RDI: 0000000020000120 + RBP: ffffc9000570f490 R08: 0000000000000000 R09: fffff52000ae1e83 + R10: fffff52000ae1e83 R11: 1ffff92000ae1e7c R12: 0000000000000038 + R13: ffffc9000570f3e0 R14: 0000000020000120 R15: ffffc9000570f3e0 + copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline] + raw_copy_to_user arch/x86/include/asm/uaccess_64.h:58 [inline] + _copy_to_user+0xe9/0x130 lib/usercopy.c:34 + copy_to_user include/linux/uaccess.h:169 [inline] + fiemap_fill_next_extent+0x22e/0x410 fs/ioctl.c:144 + emit_fiemap_extent+0x22d/0x3c0 fs/btrfs/extent_io.c:3458 + fiemap_process_hole+0xa00/0xad0 fs/btrfs/extent_io.c:3716 + extent_fiemap+0xe27/0x2100 fs/btrfs/extent_io.c:3922 + btrfs_fiemap+0x172/0x1e0 fs/btrfs/inode.c:8209 + ioctl_fiemap fs/ioctl.c:219 [inline] + do_vfs_ioctl+0x185b/0x2980 fs/ioctl.c:810 + __do_sys_ioctl fs/ioctl.c:868 [inline] + __se_sys_ioctl+0x83/0x170 fs/ioctl.c:856 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + RIP: 0033:0x7f7d4054e9b9 + RSP: 002b:00007f7d390d92f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + RAX: ffffffffffffffda RBX: 00007f7d405d87b0 RCX: 00007f7d4054e9b9 + RDX: 0000000020000100 RSI: 00000000c020660b RDI: 0000000000000005 + RBP: 00007f7d405a51d0 R08: 00007f7d390d9700 R09: 0000000000000000 + R10: 00007f7d390d9700 R11: 0000000000000246 R12: 61635f65646f6e69 + R13: 65646f7475616f6e R14: 7261637369646f6e R15: 00007f7d405d87b8 + + +What happens is the following: + +1) Task A is doing an fsync, enters btrfs_sync_file() and flushes delalloc + before locking the inode and the i_mmap_lock semaphore, that is, before + calling btrfs_inode_lock(); + +2) After task A flushes delalloc and before it calls btrfs_inode_lock(), + another task dirties a page; + +3) Task B starts a fiemap without FIEMAP_FLAG_SYNC, so the page dirtied + at step 2 remains dirty and unflushed. Then when it enters + extent_fiemap() and it locks a file range that includes the range of + the page dirtied in step 2; + +4) Task A calls btrfs_inode_lock() and locks the inode (VFS lock) and the + inode's i_mmap_lock semaphore in write mode. Then it tries to flush + delalloc by calling start_ordered_ops(), which will block, at + find_lock_delalloc_range(), when trying to lock the range of the page + dirtied at step 2, since this range was locked by the fiemap task (at + step 3); + +5) Task B generates a page fault when accessing the user space fiemap + buffer with a call to fiemap_fill_next_extent(). + + The fault handler needs to call btrfs_page_mkwrite() for some other + page of our inode, and there we deadlock when trying to lock the + inode's i_mmap_lock semaphore in read mode, since the fsync task locked + it in write mode (step 4) and the fsync task can not progress because + it's waiting to lock a file range that is currently locked by us (the + fiemap task, step 3). + +Fix this by taking the inode's lock (VFS lock) in shared mode when +entering fiemap. This effectively serializes fiemap with fsync (except the +most expensive part of fsync, the log sync), preventing this deadlock. + +Reported-by: syzbot+cc35f55c41e34c30dcb5@syzkaller.appspotmail.com +Link: https://lore.kernel.org/linux-btrfs/00000000000032dc7305f2a66f46@google.com/ +CC: stable@vger.kernel.org # 6.1+ +Reviewed-by: Josef Bacik +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Robert Garcia +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent_io.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -5590,6 +5590,7 @@ int extent_fiemap(struct btrfs_inode *in + last_for_get_extent = isize; + } + ++ btrfs_inode_lock(&inode->vfs_inode, BTRFS_ILOCK_SHARED); + lock_extent_bits(&inode->io_tree, start, start + len - 1, + &cached_state); + +@@ -5705,6 +5706,7 @@ out_free: + out: + unlock_extent_cached(&inode->io_tree, start, start + len - 1, + &cached_state); ++ btrfs_inode_unlock(&inode->vfs_inode, BTRFS_ILOCK_SHARED); + + out_free_ulist: + btrfs_free_path(path); diff --git a/queue-5.15/cpufreq-avoid-a-bad-reference-count-on-cpu-node.patch b/queue-5.15/cpufreq-avoid-a-bad-reference-count-on-cpu-node.patch new file mode 100644 index 0000000000..9c7ac25e44 --- /dev/null +++ b/queue-5.15/cpufreq-avoid-a-bad-reference-count-on-cpu-node.patch @@ -0,0 +1,56 @@ +From lanbincn@139.com Tue Mar 24 09:22:43 2026 +From: Bin Lan +Date: Tue, 24 Mar 2026 16:21:13 +0800 +Subject: cpufreq: Avoid a bad reference count on CPU node +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-pm@vger.kernel.org, "Miquel Sabaté Solà" , "Viresh Kumar" , "Rafael J . Wysocki" , "Bin Lan" +Message-ID: <20260324082113.6275-2-lanbincn@139.com> + +From: Miquel Sabaté Solà + +[ Upstream commit c0f02536fffbbec71aced36d52a765f8c4493dc2 ] + +In the parse_perf_domain function, if the call to +of_parse_phandle_with_args returns an error, then the reference to the +CPU device node that was acquired at the start of the function would not +be properly decremented. + +Address this by declaring the variable with the __free(device_node) +cleanup attribute. + +Signed-off-by: Miquel Sabaté Solà +Acked-by: Viresh Kumar +Link: https://patch.msgid.link/20240917134246.584026-1-mikisabate@gmail.com +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +[ Minor context conflict resolved. ] +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/cpufreq.h | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/include/linux/cpufreq.h ++++ b/include/linux/cpufreq.h +@@ -1014,11 +1014,10 @@ static inline int cpufreq_table_count_va + static inline int parse_perf_domain(int cpu, const char *list_name, + const char *cell_name) + { +- struct device_node *cpu_np; + struct of_phandle_args args; + int ret; + +- cpu_np = of_cpu_device_node_get(cpu); ++ struct device_node *cpu_np __free(device_node) = of_cpu_device_node_get(cpu); + if (!cpu_np) + return -ENODEV; + +@@ -1027,8 +1026,6 @@ static inline int parse_perf_domain(int + if (ret < 0) + return ret; + +- of_node_put(cpu_np); +- + return args.args[0]; + } + diff --git a/queue-5.15/cpufreq-governor-fix-double-free-in-cpufreq_dbs_governor_init-error-path.patch b/queue-5.15/cpufreq-governor-fix-double-free-in-cpufreq_dbs_governor_init-error-path.patch new file mode 100644 index 0000000000..451240f38c --- /dev/null +++ b/queue-5.15/cpufreq-governor-fix-double-free-in-cpufreq_dbs_governor_init-error-path.patch @@ -0,0 +1,56 @@ +From stable+bounces-233895-greg=kroah.com@vger.kernel.org Wed Apr 8 14:55:55 2026 +From: Sasha Levin +Date: Wed, 8 Apr 2026 08:55:50 -0400 +Subject: cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path +To: stable@vger.kernel.org +Cc: Guangshuo Li , Zhongqiu Han , Viresh Kumar , "Rafael J. Wysocki" , Sasha Levin +Message-ID: <20260408125550.1049042-2-sashal@kernel.org> + +From: Guangshuo Li + +[ Upstream commit 6dcf9d0064ce2f3e3dfe5755f98b93abe6a98e1e ] + +When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls +kobject_put(&dbs_data->attr_set.kobj). + +The kobject release callback cpufreq_dbs_data_release() calls +gov->exit(dbs_data) and kfree(dbs_data), but the current error path +then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a +double free. + +Keep the direct kfree(dbs_data) for the gov->init() failure path, but +after kobject_init_and_add() has been called, let kobject_put() handle +the cleanup through cpufreq_dbs_data_release(). + +Fixes: 4ebe36c94aed ("cpufreq: Fix kobject memleak") +Signed-off-by: Guangshuo Li +Reviewed-by: Zhongqiu Han +Acked-by: Viresh Kumar +Cc: All applicable +Link: https://patch.msgid.link/20260401024535.1395801-1-lgs201920130244@gmail.com +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cpufreq_governor.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/cpufreq/cpufreq_governor.c ++++ b/drivers/cpufreq/cpufreq_governor.c +@@ -468,13 +468,13 @@ int cpufreq_dbs_governor_init(struct cpu + /* Failure, so roll back. */ + pr_err("initialization failed (dbs_data kobject init error %d)\n", ret); + +- kobject_put(&dbs_data->attr_set.kobj); +- + policy->governor_data = NULL; + + if (!have_governor_per_policy()) + gov->gdbs_data = NULL; +- gov->exit(dbs_data); ++ ++ kobject_put(&dbs_data->attr_set.kobj); ++ goto free_policy_dbs_info; + + free_dbs_data: + kfree(dbs_data); diff --git a/queue-5.15/cpufreq-governor-free-dbs_data-directly-when-gov-init-fails.patch b/queue-5.15/cpufreq-governor-free-dbs_data-directly-when-gov-init-fails.patch new file mode 100644 index 0000000000..9d376d060a --- /dev/null +++ b/queue-5.15/cpufreq-governor-free-dbs_data-directly-when-gov-init-fails.patch @@ -0,0 +1,46 @@ +From stable+bounces-233894-greg=kroah.com@vger.kernel.org Wed Apr 8 15:00:10 2026 +From: Sasha Levin +Date: Wed, 8 Apr 2026 08:55:49 -0400 +Subject: cpufreq: governor: Free dbs_data directly when gov->init() fails +To: stable@vger.kernel.org +Cc: Liao Chang , Viresh Kumar , "Rafael J. Wysocki" , Sasha Levin +Message-ID: <20260408125550.1049042-1-sashal@kernel.org> + +From: Liao Chang + +[ Upstream commit 916f13884042f615cfbfc0b42cc68dadee826f2a ] + +Due to the kobject embedded in the dbs_data doest not has a release() +method yet, it needs to use kfree() to free dbs_data directly when +governor fails to allocate the tunner field of dbs_data. + +Signed-off-by: Liao Chang +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Stable-dep-of: 6dcf9d0064ce ("cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cpufreq_governor.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/cpufreq/cpufreq_governor.c ++++ b/drivers/cpufreq/cpufreq_governor.c +@@ -440,7 +440,7 @@ int cpufreq_dbs_governor_init(struct cpu + + ret = gov->init(dbs_data); + if (ret) +- goto free_policy_dbs_info; ++ goto free_dbs_data; + + /* + * The sampling interval should not be less than the transition latency +@@ -475,6 +475,8 @@ int cpufreq_dbs_governor_init(struct cpu + if (!have_governor_per_policy()) + gov->gdbs_data = NULL; + gov->exit(dbs_data); ++ ++free_dbs_data: + kfree(dbs_data); + + free_policy_dbs_info: diff --git a/queue-5.15/drivers-base-free-devm-resources-when-unregistering-a-device.patch b/queue-5.15/drivers-base-free-devm-resources-when-unregistering-a-device.patch new file mode 100644 index 0000000000..4af3889f3f --- /dev/null +++ b/queue-5.15/drivers-base-free-devm-resources-when-unregistering-a-device.patch @@ -0,0 +1,67 @@ +From 1468888505@139.com Tue Mar 24 09:14:43 2026 +From: Li hongliang <1468888505@139.com> +Date: Tue, 24 Mar 2026 16:14:38 +0800 +Subject: drivers: base: Free devm resources when unregistering a device +To: gregkh@linuxfoundation.org, stable@vger.kernel.org, davidgow@google.com +Cc: patches@lists.linux.dev, linux-kernel@vger.kernel.org, rafael@kernel.org, tom.leiming@gmail.com, mripard@kernel.org +Message-ID: <20260324081438.1182050-1-1468888505@139.com> + +From: David Gow + +[ Upstream commit 699fb50d99039a50e7494de644f96c889279aca3 ] + +In the current code, devres_release_all() only gets called if the device +has a bus and has been probed. + +This leads to issues when using bus-less or driver-less devices where +the device might never get freed if a managed resource holds a reference +to the device. This is happening in the DRM framework for example. + +We should thus call devres_release_all() in the device_del() function to +make sure that the device-managed actions are properly executed when the +device is unregistered, even if it has neither a bus nor a driver. + +This is effectively the same change than commit 2f8d16a996da ("devres: +release resources on device_del()") that got reverted by commit +a525a3ddeaca ("driver core: free devres in device_release") over +memory leaks concerns. + +This patch effectively combines the two commits mentioned above to +release the resources both on device_del() and device_release() and get +the best of both worlds. + +Fixes: a525a3ddeaca ("driver core: free devres in device_release") +Signed-off-by: David Gow +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20230720-kunit-devm-inconsistencies-test-v3-3-6aa7e074f373@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Li hongliang <1468888505@139.com> +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/core.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -3604,9 +3604,21 @@ void device_del(struct device *dev) + device_remove_properties(dev); + device_links_purge(dev); + ++ /* ++ * If a device does not have a driver attached, we need to clean ++ * up any managed resources. We do this in device_release(), but ++ * it's never called (and we leak the device) if a managed ++ * resource holds a reference to the device. So release all ++ * managed resources here, like we do in driver_detach(). We ++ * still need to do so again in device_release() in case someone ++ * adds a new resource after this point, though. ++ */ ++ devres_release_all(dev); ++ + if (dev->bus) + blocking_notifier_call_chain(&dev->bus->p->bus_notifier, + BUS_NOTIFY_REMOVED_DEVICE, dev); ++ + kobject_uevent(&dev->kobj, KOBJ_REMOVE); + glue_dir = get_glue_dir(dev); + kobject_del(&dev->kobj); diff --git a/queue-5.15/fbdev-efifb-register-sysfs-groups-through-driver-core.patch b/queue-5.15/fbdev-efifb-register-sysfs-groups-through-driver-core.patch new file mode 100644 index 0000000000..e0b7210691 --- /dev/null +++ b/queue-5.15/fbdev-efifb-register-sysfs-groups-through-driver-core.patch @@ -0,0 +1,72 @@ +From alvalan9@foxmail.com Wed Mar 25 06:44:09 2026 +From: Alva Lan +Date: Wed, 25 Mar 2026 13:43:39 +0800 +Subject: fbdev: efifb: Register sysfs groups through driver core +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-fbdev@vger.kernel.org, "Thomas Weißschuh" , "Helge Deller" , "Alva Lan" +Message-ID: + +From: Thomas Weißschuh + +[ Upstream commit 95cdd538e0e5677efbdf8aade04ec098ab98f457 ] + +The driver core can register and cleanup sysfs groups already. +Make use of that functionality to simplify the error handling and +cleanup. + +Also avoid a UAF race during unregistering where the sysctl attributes +were usable after the info struct was freed. + +Signed-off-by: Thomas Weißschuh +Signed-off-by: Helge Deller +[ Minor context conflict resolved. ] +Signed-off-by: Alva Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/efifb.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +--- a/drivers/video/fbdev/efifb.c ++++ b/drivers/video/fbdev/efifb.c +@@ -581,15 +581,10 @@ static int efifb_probe(struct platform_d + break; + } + +- err = sysfs_create_groups(&dev->dev.kobj, efifb_groups); +- if (err) { +- pr_err("efifb: cannot add sysfs attrs\n"); +- goto err_unmap; +- } + err = fb_alloc_cmap(&info->cmap, 256, 0); + if (err < 0) { + pr_err("efifb: cannot allocate colormap\n"); +- goto err_groups; ++ goto err_unmap; + } + + if (efifb_pci_dev) +@@ -608,8 +603,6 @@ err_put_rpm_ref: + pm_runtime_put(&efifb_pci_dev->dev); + + fb_dealloc_cmap(&info->cmap); +-err_groups: +- sysfs_remove_groups(&dev->dev.kobj, efifb_groups); + err_unmap: + if (mem_flags & (EFI_MEMORY_UC | EFI_MEMORY_WC)) + iounmap(info->screen_base); +@@ -629,7 +622,6 @@ static int efifb_remove(struct platform_ + + /* efifb_destroy takes care of info cleanup */ + unregister_framebuffer(info); +- sysfs_remove_groups(&pdev->dev.kobj, efifb_groups); + + return 0; + } +@@ -637,6 +629,7 @@ static int efifb_remove(struct platform_ + static struct platform_driver efifb_driver = { + .driver = { + .name = "efi-framebuffer", ++ .dev_groups = efifb_groups, + }, + .probe = efifb_probe, + .remove = efifb_remove, diff --git a/queue-5.15/fs-ntfs3-add-more-attributes-checks-in-mi_enum_attr.patch b/queue-5.15/fs-ntfs3-add-more-attributes-checks-in-mi_enum_attr.patch new file mode 100644 index 0000000000..abfc9f501e --- /dev/null +++ b/queue-5.15/fs-ntfs3-add-more-attributes-checks-in-mi_enum_attr.patch @@ -0,0 +1,142 @@ +From stable+bounces-240430-greg=kroah.com@vger.kernel.org Thu Apr 23 09:02:46 2026 +From: Robert Garcia +Date: Thu, 23 Apr 2026 15:01:59 +0800 +Subject: fs/ntfs3: Add more attributes checks in mi_enum_attr() +To: stable@vger.kernel.org, Konstantin Komarov +Cc: ntfs3@lists.linux.dev, Robert Garcia , linux-kernel@vger.kernel.org +Message-ID: <20260423070159.3246415-1-rob_garcia@163.com> + +From: Konstantin Komarov + +[ Upstream commit 013ff63b649475f0ee134e2c8d0c8e65284ede50 ] + +Signed-off-by: Konstantin Komarov +[ Overflow check deleted to keep context consistent. ] +Signed-off-by: Robert Garcia +Signed-off-by: Greg Kroah-Hartman +--- + fs/ntfs3/record.c | 63 ++++++++++++++++++++++++++++++++++++++++++------------ + 1 file changed, 50 insertions(+), 13 deletions(-) + +--- a/fs/ntfs3/record.c ++++ b/fs/ntfs3/record.c +@@ -193,8 +193,9 @@ struct ATTRIB *mi_enum_attr(struct mft_i + { + const struct MFT_REC *rec = mi->mrec; + u32 used = le32_to_cpu(rec->used); +- u32 t32, off, asize; ++ u32 t32, off, asize, prev_type; + u16 t16; ++ u64 data_size, alloc_size, tot_size; + + if (!attr) { + u32 total = le32_to_cpu(rec->total); +@@ -213,6 +214,7 @@ struct ATTRIB *mi_enum_attr(struct mft_i + if (!is_rec_inuse(rec)) + return NULL; + ++ prev_type = 0; + attr = Add2Ptr(rec, off); + } else { + /* Check if input attr inside record. */ +@@ -226,6 +228,7 @@ struct ATTRIB *mi_enum_attr(struct mft_i + return NULL; + } + ++ prev_type = le32_to_cpu(attr->type); + attr = Add2Ptr(attr, asize); + off += asize; + } +@@ -245,7 +248,11 @@ struct ATTRIB *mi_enum_attr(struct mft_i + + /* 0x100 is last known attribute for now. */ + t32 = le32_to_cpu(attr->type); +- if ((t32 & 0xf) || (t32 > 0x100)) ++ if (!t32 || (t32 & 0xf) || (t32 > 0x100)) ++ return NULL; ++ ++ /* attributes in record must be ordered by type */ ++ if (t32 < prev_type) + return NULL; + + /* Check overflow and boundary. */ +@@ -254,16 +261,15 @@ struct ATTRIB *mi_enum_attr(struct mft_i + + /* Check size of attribute. */ + if (!attr->non_res) { ++ /* Check resident fields. */ + if (asize < SIZEOF_RESIDENT) + return NULL; + + t16 = le16_to_cpu(attr->res.data_off); +- + if (t16 > asize) + return NULL; + +- t32 = le32_to_cpu(attr->res.data_size); +- if (t16 + t32 > asize) ++ if (t16 + le32_to_cpu(attr->res.data_size) > asize) + return NULL; + + if (attr->name_len && +@@ -274,21 +280,52 @@ struct ATTRIB *mi_enum_attr(struct mft_i + return attr; + } + +- /* Check some nonresident fields. */ +- if (attr->name_len && +- le16_to_cpu(attr->name_off) + sizeof(short) * attr->name_len > +- le16_to_cpu(attr->nres.run_off)) { ++ /* Check nonresident fields. */ ++ if (attr->non_res != 1) ++ return NULL; ++ ++ t16 = le16_to_cpu(attr->nres.run_off); ++ if (t16 > asize) ++ return NULL; ++ ++ t32 = sizeof(short) * attr->name_len; ++ if (t32 && le16_to_cpu(attr->name_off) + t32 > t16) ++ return NULL; ++ ++ /* Check start/end vcn. */ ++ if (le64_to_cpu(attr->nres.svcn) > le64_to_cpu(attr->nres.evcn) + 1) ++ return NULL; ++ ++ data_size = le64_to_cpu(attr->nres.data_size); ++ if (le64_to_cpu(attr->nres.valid_size) > data_size) + return NULL; +- } + +- if (attr->nres.svcn || !is_attr_ext(attr)) { ++ alloc_size = le64_to_cpu(attr->nres.alloc_size); ++ if (data_size > alloc_size) ++ return NULL; ++ ++ t32 = mi->sbi->cluster_mask; ++ if (alloc_size & t32) ++ return NULL; ++ ++ if (!attr->nres.svcn && is_attr_ext(attr)) { ++ /* First segment of sparse/compressed attribute */ ++ if (asize + 8 < SIZEOF_NONRESIDENT_EX) ++ return NULL; ++ ++ tot_size = le64_to_cpu(attr->nres.total_size); ++ if (tot_size & t32) ++ return NULL; ++ ++ if (tot_size > alloc_size) ++ return NULL; ++ } else { + if (asize + 8 < SIZEOF_NONRESIDENT) + return NULL; + + if (attr->nres.c_unit) + return NULL; +- } else if (asize + 8 < SIZEOF_NONRESIDENT_EX) +- return NULL; ++ } + + return attr; + } diff --git a/queue-5.15/md-md-bitmap-synchronize-bitmap_get_stats-with-bitmap-lifetime.patch b/queue-5.15/md-md-bitmap-synchronize-bitmap_get_stats-with-bitmap-lifetime.patch new file mode 100644 index 0000000000..ba42dd58c7 --- /dev/null +++ b/queue-5.15/md-md-bitmap-synchronize-bitmap_get_stats-with-bitmap-lifetime.patch @@ -0,0 +1,87 @@ +From stable+bounces-230271-greg=kroah.com@vger.kernel.org Wed Mar 25 07:29:14 2026 +From: Johnny Hao +Date: Wed, 25 Mar 2026 14:28:24 +0800 +Subject: md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, Yu Kuai , Harshit Mogalapalli , Song Liu , Johnny Hao +Message-ID: <20260325062824.2373999-1-johnny_haocn@sina.com> + +From: Yu Kuai + +[ Upstream commit 8d28d0ddb986f56920ac97ae704cc3340a699a30 ] + +After commit ec6bb299c7c3 ("md/md-bitmap: add 'sync_size' into struct +md_bitmap_stats"), following panic is reported: + +Oops: general protection fault, probably for non-canonical address +RIP: 0010:bitmap_get_stats+0x2b/0xa0 +Call Trace: + + md_seq_show+0x2d2/0x5b0 + seq_read_iter+0x2b9/0x470 + seq_read+0x12f/0x180 + proc_reg_read+0x57/0xb0 + vfs_read+0xf6/0x380 + ksys_read+0x6c/0xf0 + do_syscall_64+0x82/0x170 + entry_SYSCALL_64_after_hwframe+0x76/0x7e + +Root cause is that bitmap_get_stats() can be called at anytime if mddev +is still there, even if bitmap is destroyed, or not fully initialized. +Deferenceing bitmap in this case can crash the kernel. Meanwhile, the +above commit start to deferencing bitmap->storage, make the problem +easier to trigger. + +Fix the problem by protecting bitmap_get_stats() with bitmap_info.mutex. + +Cc: stable@vger.kernel.org # v6.12+ +Fixes: 32a7627cf3a3 ("[PATCH] md: optimised resync using Bitmap based intent logging") +Reported-and-tested-by: Harshit Mogalapalli +Closes: https://lore.kernel.org/linux-raid/ca3a91a2-50ae-4f68-b317-abd9889f3907@oracle.com/T/#m6e5086c95201135e4941fe38f9efa76daf9666c5 +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20250124092055.4050195-1-yukuai1@huaweicloud.com +Signed-off-by: Song Liu +[ The context change is due to the commit 38f287d7e495 +("md/md-bitmap: replace md_bitmap_status() with a new helper md_bitmap_get_stats()") +in v6.12 and the commit f9cfe7e7f96a ("md: Fix md_seq_ops() regressions") in v6.8 +which are irrelevant to the logic of this patch. ] +Signed-off-by: Johnny Hao +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md-bitmap.c | 4 ++++ + drivers/md/md.c | 4 ++++ + 2 files changed, 8 insertions(+) + +--- a/drivers/md/md-bitmap.c ++++ b/drivers/md/md-bitmap.c +@@ -2033,6 +2033,10 @@ void md_bitmap_status(struct seq_file *s + + if (!bitmap) + return; ++ if (bitmap->mddev->bitmap_info.external) ++ return; ++ if (!bitmap->storage.sb_page) /* no superblock */ ++ return; + + counts = &bitmap->counts; + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8300,6 +8300,9 @@ static int md_seq_show(struct seq_file * + return 0; + } + ++ /* prevent bitmap to be freed after checking */ ++ mutex_lock(&mddev->bitmap_info.mutex); ++ + spin_lock(&mddev->lock); + if (mddev->pers || mddev->raid_disks || !list_empty(&mddev->disks)) { + seq_printf(seq, "%s : %sactive", mdname(mddev), +@@ -8371,6 +8374,7 @@ static int md_seq_show(struct seq_file * + seq_printf(seq, "\n"); + } + spin_unlock(&mddev->lock); ++ mutex_unlock(&mddev->bitmap_info.mutex); + + return 0; + } diff --git a/queue-5.15/net-clear-the-dst-when-changing-skb-protocol.patch b/queue-5.15/net-clear-the-dst-when-changing-skb-protocol.patch new file mode 100644 index 0000000000..ede50ac9ae --- /dev/null +++ b/queue-5.15/net-clear-the-dst-when-changing-skb-protocol.patch @@ -0,0 +1,109 @@ +From johnny_haocn@sina.com Wed Mar 25 02:45:12 2026 +From: Johnny Hao +Date: Wed, 25 Mar 2026 09:45:04 +0800 +Subject: net: clear the dst when changing skb protocol +To: gregkh@linuxfoundation.org, stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org, "Jakub Kicinski" , "Maciej Å»enczykowski" , "Daniel Borkmann" , "Willem de Bruijn" , "Johnny Hao" +Message-ID: <20260325014504.2853667-1-johnny_haocn@sina.com> + +From: Jakub Kicinski + +[ Upstream commit ba9db6f907ac02215e30128770f85fbd7db2fcf9 ] + +A not-so-careful NAT46 BPF program can crash the kernel +if it indiscriminately flips ingress packets from v4 to v6: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + ip6_rcv_core (net/ipv6/ip6_input.c:190:20) + ipv6_rcv (net/ipv6/ip6_input.c:306:8) + process_backlog (net/core/dev.c:6186:4) + napi_poll (net/core/dev.c:6906:9) + net_rx_action (net/core/dev.c:7028:13) + do_softirq (kernel/softirq.c:462:3) + netif_rx (net/core/dev.c:5326:3) + dev_loopback_xmit (net/core/dev.c:4015:2) + ip_mc_finish_output (net/ipv4/ip_output.c:363:8) + NF_HOOK (./include/linux/netfilter.h:314:9) + ip_mc_output (net/ipv4/ip_output.c:400:5) + dst_output (./include/net/dst.h:459:9) + ip_local_out (net/ipv4/ip_output.c:130:9) + ip_send_skb (net/ipv4/ip_output.c:1496:8) + udp_send_skb (net/ipv4/udp.c:1040:8) + udp_sendmsg (net/ipv4/udp.c:1328:10) + +The output interface has a 4->6 program attached at ingress. +We try to loop the multicast skb back to the sending socket. +Ingress BPF runs as part of netif_rx(), pushes a valid v6 hdr +and changes skb->protocol to v6. We enter ip6_rcv_core which +tries to use skb_dst(). But the dst is still an IPv4 one left +after IPv4 mcast output. + +Clear the dst in all BPF helpers which change the protocol. +Try to preserve metadata dsts, those may carry non-routing +metadata. + +Cc: stable@vger.kernel.org +Reviewed-by: Maciej Å»enczykowski +Acked-by: Daniel Borkmann +Fixes: d219df60a70e ("bpf: Add ipip6 and ip6ip decap support for bpf_skb_adjust_room()") +Fixes: 1b00e0dfe7d0 ("bpf: update skb->protocol in bpf_skb_net_grow") +Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper") +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/20250610001245.1981782-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +[ The context change is due to the commit d219df60a70e +("bpf: Add ipip6 and ip6ip decap support for bpf_skb_adjust_room()") +in v6.3 which is irrelevant to the logic of this patch. ] +Signed-off-by: Johnny Hao +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -3219,6 +3219,13 @@ static const struct bpf_func_proto bpf_s + .arg1_type = ARG_PTR_TO_CTX, + }; + ++static void bpf_skb_change_protocol(struct sk_buff *skb, u16 proto) ++{ ++ skb->protocol = htons(proto); ++ if (skb_valid_dst(skb)) ++ skb_dst_drop(skb); ++} ++ + static int bpf_skb_generic_push(struct sk_buff *skb, u32 off, u32 len) + { + /* Caller already did skb_cow() with len as headroom, +@@ -3315,7 +3322,7 @@ static int bpf_skb_proto_4_to_6(struct s + } + } + +- skb->protocol = htons(ETH_P_IPV6); ++ bpf_skb_change_protocol(skb, ETH_P_IPV6); + skb_clear_hash(skb); + + return 0; +@@ -3345,7 +3352,7 @@ static int bpf_skb_proto_6_to_4(struct s + } + } + +- skb->protocol = htons(ETH_P_IP); ++ bpf_skb_change_protocol(skb, ETH_P_IP); + skb_clear_hash(skb); + + return 0; +@@ -3532,10 +3539,10 @@ static int bpf_skb_net_grow(struct sk_bu + /* Match skb->protocol to new outer l3 protocol */ + if (skb->protocol == htons(ETH_P_IP) && + flags & BPF_F_ADJ_ROOM_ENCAP_L3_IPV6) +- skb->protocol = htons(ETH_P_IPV6); ++ bpf_skb_change_protocol(skb, ETH_P_IPV6); + else if (skb->protocol == htons(ETH_P_IPV6) && + flags & BPF_F_ADJ_ROOM_ENCAP_L3_IPV4) +- skb->protocol = htons(ETH_P_IP); ++ bpf_skb_change_protocol(skb, ETH_P_IP); + } + + if (skb_is_gso(skb)) { diff --git a/queue-5.15/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch b/queue-5.15/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch new file mode 100644 index 0000000000..7eb5b39659 --- /dev/null +++ b/queue-5.15/revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch @@ -0,0 +1,36 @@ +From prvs=8564c0333c=guocai.he.cn@windriver.com Tue Apr 14 05:20:35 2026 +From: guocai.he.cn@windriver.com +Date: Tue, 14 Apr 2026 11:20:06 +0800 +Subject: Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave" +To: gregkh@linuxfoundation.org +Cc: stable@vger.kernel.org, johannes.berg@intel.com, netdev@vger.kernel.org, regressions@lists.linux.dev, miriam.rachel.korenblit@intel.com, linux-kernel@vger.kernel.org +Message-ID: <20260414032006.2887625-1-guocai.he.cn@windriver.com> + +From: Guocai He + +This reverts commit 31344ffecd7a34335ce2b52e8c205bce3cbfca4b which is commit +e1696c8bd0056bc1a5f7766f58ac333adc203e8a upstream. + +The reverted patch introduced a deadlock. The locking situation in mainline is +totally different, so it is incorrect to directly backport the commit from mainline. + +Signed-off-by: Guocai He +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/core.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -1300,10 +1300,8 @@ void __cfg80211_leave(struct cfg80211_re + __cfg80211_leave_ocb(rdev, dev); + break; + case NL80211_IFTYPE_P2P_DEVICE: +- cfg80211_stop_p2p_device(rdev, wdev); +- break; + case NL80211_IFTYPE_NAN: +- cfg80211_stop_nan(rdev, wdev); ++ /* cannot happen, has no netdev */ + break; + case NL80211_IFTYPE_AP_VLAN: + case NL80211_IFTYPE_MONITOR: diff --git a/queue-5.15/rxrpc-fix-recvmsg-unconditional-requeue.patch b/queue-5.15/rxrpc-fix-recvmsg-unconditional-requeue.patch new file mode 100644 index 0000000000..4c23c33b12 --- /dev/null +++ b/queue-5.15/rxrpc-fix-recvmsg-unconditional-requeue.patch @@ -0,0 +1,116 @@ +From stable+bounces-240394-greg=kroah.com@vger.kernel.org Thu Apr 23 00:25:52 2026 +From: Jay Wang +Date: Wed, 22 Apr 2026 22:24:32 +0000 +Subject: rxrpc: Fix recvmsg() unconditional requeue +To: +Cc: , , , , , , , , , Faith , Pumpkin Chang +Message-ID: <20260422222432.7211-1-wanjay@amazon.com> + +From: David Howells + +[ Upstream commit 2c28769a51deb6022d7fbd499987e237a01dd63a ] + +If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call +at the front of the recvmsg queue already has its mutex locked, it +requeues the call - whether or not the call is already queued. The call +may be on the queue because MSG_PEEK was also passed and so the call was +not dequeued or because the I/O thread requeued it. + +The unconditional requeue may then corrupt the recvmsg queue, leading to +things like UAFs or refcount underruns. + +Fix this by only requeuing the call if it isn't already on the queue - +and moving it to the front if it is already queued. If we don't queue +it, we have to put the ref we obtained by dequeuing it. + +Also, MSG_PEEK doesn't dequeue the call so shouldn't call +rxrpc_notify_socket() for the call if we didn't use up all the data on +the queue, so fix that also. + +Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg") +Reported-by: Faith +Reported-by: Pumpkin Chang +Signed-off-by: David Howells +Acked-by: Marc Dionne +Signed-off-by: Jakub Kicinski +Cc: stable@vger.kernel.org +[Adapted to 5.15: use write_lock_bh/write_unlock_bh, trace_rxrpc_call + directly for see-call tracing, 5.15 trace enum naming convention, and + added entries to both plain enum and EM() macro list.] +Signed-off-by: Jay Wang +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/rxrpc.h | 8 ++++++++ + net/rxrpc/recvmsg.c | 22 ++++++++++++++++++---- + 2 files changed, 26 insertions(+), 4 deletions(-) + +--- a/include/trace/events/rxrpc.h ++++ b/include/trace/events/rxrpc.h +@@ -93,9 +93,13 @@ enum rxrpc_call_trace { + rxrpc_call_put_notimer, + rxrpc_call_put_timer, + rxrpc_call_put_userid, ++ rxrpc_call_put_recvmsg_peek_nowait, + rxrpc_call_queued, + rxrpc_call_queued_ref, + rxrpc_call_release, ++ rxrpc_call_see_recvmsg_requeue, ++ rxrpc_call_see_recvmsg_requeue_first, ++ rxrpc_call_see_recvmsg_requeue_move, + rxrpc_call_seen, + }; + +@@ -291,9 +295,13 @@ enum rxrpc_tx_point { + EM(rxrpc_call_put_notimer, "PnT") \ + EM(rxrpc_call_put_timer, "PTM") \ + EM(rxrpc_call_put_userid, "Pus") \ ++ EM(rxrpc_call_put_recvmsg_peek_nowait, "PpN") \ + EM(rxrpc_call_queued, "QUE") \ + EM(rxrpc_call_queued_ref, "QUR") \ + EM(rxrpc_call_release, "RLS") \ ++ EM(rxrpc_call_see_recvmsg_requeue, "SrQ") \ ++ EM(rxrpc_call_see_recvmsg_requeue_first,"SrF") \ ++ EM(rxrpc_call_see_recvmsg_requeue_move, "SrM") \ + E_(rxrpc_call_seen, "SEE") + + #define rxrpc_transmit_traces \ +--- a/net/rxrpc/recvmsg.c ++++ b/net/rxrpc/recvmsg.c +@@ -607,7 +607,8 @@ try_again: + + if (after(call->rx_top, call->rx_hard_ack) && + call->rxtx_buffer[(call->rx_hard_ack + 1) & RXRPC_RXTX_BUFF_MASK]) +- rxrpc_notify_socket(call); ++ if (!(flags & MSG_PEEK)) ++ rxrpc_notify_socket(call); + break; + default: + ret = 0; +@@ -642,11 +643,24 @@ error_unlock_call: + error_requeue_call: + if (!(flags & MSG_PEEK)) { + write_lock_bh(&rx->recvmsg_lock); +- list_add(&call->recvmsg_link, &rx->recvmsg_q); +- write_unlock_bh(&rx->recvmsg_lock); ++ if (list_empty(&call->recvmsg_link)) { ++ list_add(&call->recvmsg_link, &rx->recvmsg_q); ++ trace_rxrpc_call(call->debug_id, ++ rxrpc_call_see_recvmsg_requeue, ++ refcount_read(&call->ref), ++ __builtin_return_address(0), NULL); ++ write_unlock_bh(&rx->recvmsg_lock); ++ } else if (list_is_first(&call->recvmsg_link, &rx->recvmsg_q)) { ++ write_unlock_bh(&rx->recvmsg_lock); ++ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_first); ++ } else { ++ list_move(&call->recvmsg_link, &rx->recvmsg_q); ++ write_unlock_bh(&rx->recvmsg_lock); ++ rxrpc_put_call(call, rxrpc_call_see_recvmsg_requeue_move); ++ } + trace_rxrpc_recvmsg(call, rxrpc_recvmsg_requeue, 0, 0, 0, 0); + } else { +- rxrpc_put_call(call, rxrpc_call_put); ++ rxrpc_put_call(call, rxrpc_call_put_recvmsg_peek_nowait); + } + error_no_call: + release_sock(&rx->sk); diff --git a/queue-5.15/series b/queue-5.15/series index 2b9a11c2f5..d346bf435e 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -152,3 +152,14 @@ vdpa-add-max-vqp-attr-to-vdpa_nl_policy-for-nlattr-length-check.patch f2fs-fix-to-trigger-foreground-gc-during-f2fs_map_blocks-in-lfs-mode.patch sunrpc-lock-against-sock-changing-during-sysfs-read.patch net-usb-lan78xx-fix-double-free-issue-with-interrupt-buffer-allocation.patch +btrfs-lock-the-inode-in-shared-mode-before-starting-fiemap.patch +fs-ntfs3-add-more-attributes-checks-in-mi_enum_attr.patch +rxrpc-fix-recvmsg-unconditional-requeue.patch +cpufreq-governor-free-dbs_data-directly-when-gov-init-fails.patch +cpufreq-governor-fix-double-free-in-cpufreq_dbs_governor_init-error-path.patch +md-md-bitmap-synchronize-bitmap_get_stats-with-bitmap-lifetime.patch +fbdev-efifb-register-sysfs-groups-through-driver-core.patch +net-clear-the-dst-when-changing-skb-protocol.patch +cpufreq-avoid-a-bad-reference-count-on-cpu-node.patch +drivers-base-free-devm-resources-when-unregistering-a-device.patch +revert-wifi-cfg80211-stop-nan-and-p2p-in-cfg80211_leave.patch