From: Greg Kroah-Hartman Date: Thu, 28 May 2026 09:30:11 +0000 (+0200) Subject: 7.0-stable patches X-Git-Tag: v5.10.258~40 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=6c3d151a8bff79d2a7f1f57bf731ccb0ca171901;p=thirdparty%2Fkernel%2Fstable-queue.git 7.0-stable patches added patches: acpi-driver-check-acpi_companion-against-null-during-probe.patch net-ethtool-fix-null-pointer-dereference-in-phy_reply_size.patch net-ethtool-phy-avoid-null-deref-when-phy-driver-is-unbound.patch sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch --- diff --git a/queue-7.0/acpi-driver-check-acpi_companion-against-null-during-probe.patch b/queue-7.0/acpi-driver-check-acpi_companion-against-null-during-probe.patch new file mode 100644 index 0000000000..68f379f7cb --- /dev/null +++ b/queue-7.0/acpi-driver-check-acpi_companion-against-null-during-probe.patch @@ -0,0 +1,305 @@ +From stable+bounces-253776-greg=kroah.com@vger.kernel.org Fri May 22 15:11:27 2026 +From: Sasha Levin +Date: Fri, 22 May 2026 08:36:07 -0400 +Subject: ACPI: driver: Check ACPI_COMPANION() against NULL during probe +To: stable@vger.kernel.org +Cc: "Rafael J. Wysocki" , Hans de Goede , Andy Shevchenko , Sasha Levin +Message-ID: <20260522123607.3811753-1-sashal@kernel.org> + +From: "Rafael J. Wysocki" + +[ Upstream commit e4865a56d013e86e46ea6acea15bb6eae01898ff ] + +Since every platform driver can be forced to match a device that doesn't +match its list of device IDs because of device_match_driver_override(), +platform drivers that rely on the existence of a device's ACPI companion +object should verify its presence. + +Accordingly, add requisite ACPI_COMPANION() or ACPI_HANDLE() checks +against NULL to 13 platform drivers handling core ACPI devices. + +Also change the value returned by the ACPI thermal zone driver when +the device's ACPI companion is not present to -ENODEV for consistency +with the other drivers. + +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Link: https://patch.msgid.link/4516068.ejJDZkT8p0@rafael.j.wysocki +Cc: 7.0+ # 7.0+ +[ reordered variable declaration to add NULL check before pre-existing stable-only code that dereferences the pointer ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/ac.c | 6 +++++- + drivers/acpi/acpi_pad.c | 6 +++++- + drivers/acpi/acpi_tad.c | 6 +++++- + drivers/acpi/battery.c | 6 +++++- + drivers/acpi/button.c | 9 +++++++-- + drivers/acpi/ec.c | 6 +++++- + drivers/acpi/hed.c | 6 +++++- + drivers/acpi/nfit/core.c | 6 +++++- + drivers/acpi/pfr_telemetry.c | 6 +++++- + drivers/acpi/pfr_update.c | 6 +++++- + drivers/acpi/sbs.c | 6 +++++- + drivers/acpi/sbshc.c | 6 +++++- + drivers/acpi/thermal.c | 2 +- + drivers/acpi/tiny-power-button.c | 6 +++++- + 14 files changed, 68 insertions(+), 15 deletions(-) + +--- a/drivers/acpi/ac.c ++++ b/drivers/acpi/ac.c +@@ -203,11 +203,15 @@ static const struct dmi_system_id ac_dmi + + static int acpi_ac_probe(struct platform_device *pdev) + { +- struct acpi_device *adev = ACPI_COMPANION(&pdev->dev); + struct power_supply_config psy_cfg = {}; ++ struct acpi_device *adev; + struct acpi_ac *ac; + int result; + ++ adev = ACPI_COMPANION(&pdev->dev); ++ if (!adev) ++ return -ENODEV; ++ + ac = kzalloc_obj(struct acpi_ac); + if (!ac) + return -ENOMEM; +--- a/drivers/acpi/acpi_pad.c ++++ b/drivers/acpi/acpi_pad.c +@@ -426,9 +426,13 @@ static void acpi_pad_notify(acpi_handle + + static int acpi_pad_probe(struct platform_device *pdev) + { +- struct acpi_device *adev = ACPI_COMPANION(&pdev->dev); ++ struct acpi_device *adev; + acpi_status status; + ++ adev = ACPI_COMPANION(&pdev->dev); ++ if (!adev) ++ return -ENODEV; ++ + strscpy(acpi_device_name(adev), ACPI_PROCESSOR_AGGREGATOR_DEVICE_NAME); + strscpy(acpi_device_class(adev), ACPI_PROCESSOR_AGGREGATOR_CLASS); + +--- a/drivers/acpi/acpi_tad.c ++++ b/drivers/acpi/acpi_tad.c +@@ -593,12 +593,16 @@ static void acpi_tad_remove(struct platf + static int acpi_tad_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; +- acpi_handle handle = ACPI_HANDLE(dev); + struct acpi_tad_driver_data *dd; ++ acpi_handle handle; + acpi_status status; + unsigned long long caps; + int ret; + ++ handle = ACPI_HANDLE(dev); ++ if (!handle) ++ return -ENODEV; ++ + ret = acpi_install_cmos_rtc_space_handler(handle); + if (ret < 0) { + dev_info(dev, "Unable to install space handler\n"); +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -1216,10 +1216,14 @@ static void sysfs_battery_cleanup(struct + + static int acpi_battery_probe(struct platform_device *pdev) + { +- struct acpi_device *device = ACPI_COMPANION(&pdev->dev); + struct acpi_battery *battery; ++ struct acpi_device *device; + int result; + ++ device = ACPI_COMPANION(&pdev->dev); ++ if (!device) ++ return -ENODEV; ++ + if (device->dep_unmet) + return -EPROBE_DEFER; + +--- a/drivers/acpi/button.c ++++ b/drivers/acpi/button.c +@@ -531,15 +531,20 @@ static int acpi_lid_input_open(struct in + + static int acpi_button_probe(struct platform_device *pdev) + { +- struct acpi_device *device = ACPI_COMPANION(&pdev->dev); + acpi_notify_handler handler; ++ struct acpi_device *device; + struct acpi_button *button; + struct input_dev *input; +- const char *hid = acpi_device_hid(device); + acpi_status status; + char *name, *class; ++ const char *hid; + int error = 0; + ++ device = ACPI_COMPANION(&pdev->dev); ++ if (!device) ++ return -ENODEV; ++ ++ hid = acpi_device_hid(device); + if (!strcmp(hid, ACPI_BUTTON_HID_LID) && + lid_init_state == ACPI_BUTTON_LID_INIT_DISABLED) + return -ENODEV; +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1679,10 +1679,14 @@ static int acpi_ec_setup(struct acpi_ec + + static int acpi_ec_probe(struct platform_device *pdev) + { +- struct acpi_device *device = ACPI_COMPANION(&pdev->dev); ++ struct acpi_device *device; + struct acpi_ec *ec; + int ret; + ++ device = ACPI_COMPANION(&pdev->dev); ++ if (!device) ++ return -ENODEV; ++ + strscpy(acpi_device_name(device), ACPI_EC_DEVICE_NAME); + strscpy(acpi_device_class(device), ACPI_EC_CLASS); + +--- a/drivers/acpi/hed.c ++++ b/drivers/acpi/hed.c +@@ -50,9 +50,13 @@ static void acpi_hed_notify(acpi_handle + + static int acpi_hed_probe(struct platform_device *pdev) + { +- struct acpi_device *device = ACPI_COMPANION(&pdev->dev); ++ struct acpi_device *device; + int err; + ++ device = ACPI_COMPANION(&pdev->dev); ++ if (!device) ++ return -ENODEV; ++ + /* Only one hardware error device */ + if (hed_handle) + return -EINVAL; +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -3341,12 +3341,16 @@ static int acpi_nfit_probe(struct platfo + struct acpi_buffer buf = { ACPI_ALLOCATE_BUFFER, NULL }; + struct acpi_nfit_desc *acpi_desc; + struct device *dev = &pdev->dev; +- struct acpi_device *adev = ACPI_COMPANION(dev); + struct acpi_table_header *tbl; ++ struct acpi_device *adev; + acpi_status status = AE_OK; + acpi_size sz; + int rc = 0; + ++ adev = ACPI_COMPANION(&pdev->dev); ++ if (!adev) ++ return -ENODEV; ++ + rc = acpi_dev_install_notify_handler(adev, ACPI_DEVICE_NOTIFY, + acpi_nfit_notify, dev); + if (rc) +--- a/drivers/acpi/pfr_telemetry.c ++++ b/drivers/acpi/pfr_telemetry.c +@@ -360,10 +360,14 @@ static void pfrt_log_put_idx(void *data) + + static int acpi_pfrt_log_probe(struct platform_device *pdev) + { +- acpi_handle handle = ACPI_HANDLE(&pdev->dev); + struct pfrt_log_device *pfrt_log_dev; ++ acpi_handle handle; + int ret; + ++ handle = ACPI_HANDLE(&pdev->dev); ++ if (!handle) ++ return -ENODEV; ++ + if (!acpi_has_method(handle, "_DSM")) { + dev_dbg(&pdev->dev, "Missing _DSM\n"); + return -ENODEV; +--- a/drivers/acpi/pfr_update.c ++++ b/drivers/acpi/pfr_update.c +@@ -538,10 +538,14 @@ static void pfru_put_idx(void *data) + + static int acpi_pfru_probe(struct platform_device *pdev) + { +- acpi_handle handle = ACPI_HANDLE(&pdev->dev); + struct pfru_device *pfru_dev; ++ acpi_handle handle; + int ret; + ++ handle = ACPI_HANDLE(&pdev->dev); ++ if (!handle) ++ return -ENODEV; ++ + if (!acpi_has_method(handle, "_DSM")) { + dev_dbg(&pdev->dev, "Missing _DSM\n"); + return -ENODEV; +--- a/drivers/acpi/sbs.c ++++ b/drivers/acpi/sbs.c +@@ -631,11 +631,15 @@ static void acpi_sbs_callback(void *cont + + static int acpi_sbs_probe(struct platform_device *pdev) + { +- struct acpi_device *device = ACPI_COMPANION(&pdev->dev); ++ struct acpi_device *device; + struct acpi_sbs *sbs; + int result = 0; + int id; + ++ device = ACPI_COMPANION(&pdev->dev); ++ if (!device) ++ return -ENODEV; ++ + sbs = kzalloc_obj(struct acpi_sbs); + if (!sbs) { + result = -ENOMEM; +--- a/drivers/acpi/sbshc.c ++++ b/drivers/acpi/sbshc.c +@@ -240,11 +240,15 @@ static int smbus_alarm(void *context) + + static int acpi_smbus_hc_probe(struct platform_device *pdev) + { +- struct acpi_device *device = ACPI_COMPANION(&pdev->dev); ++ struct acpi_device *device; + int status; + unsigned long long val; + struct acpi_smb_hc *hc; + ++ device = ACPI_COMPANION(&pdev->dev); ++ if (!device) ++ return -ENODEV; ++ + status = acpi_evaluate_integer(device->handle, "_EC", NULL, &val); + if (ACPI_FAILURE(status)) { + pr_err("error obtaining _EC.\n"); +--- a/drivers/acpi/thermal.c ++++ b/drivers/acpi/thermal.c +@@ -790,7 +790,7 @@ static int acpi_thermal_probe(struct pla + int i; + + if (!device) +- return -EINVAL; ++ return -ENODEV; + + tz = kzalloc_obj(struct acpi_thermal); + if (!tz) +--- a/drivers/acpi/tiny-power-button.c ++++ b/drivers/acpi/tiny-power-button.c +@@ -38,9 +38,13 @@ static u32 acpi_tiny_power_button_event( + + static int acpi_tiny_power_button_probe(struct platform_device *pdev) + { +- struct acpi_device *device = ACPI_COMPANION(&pdev->dev); ++ struct acpi_device *device; + acpi_status status; + ++ device = ACPI_COMPANION(&pdev->dev); ++ if (!device) ++ return -ENODEV; ++ + if (device->device_type == ACPI_BUS_TYPE_POWER_BUTTON) { + status = acpi_install_fixed_event_handler(ACPI_EVENT_POWER_BUTTON, + acpi_tiny_power_button_event, diff --git a/queue-7.0/net-ethtool-fix-null-pointer-dereference-in-phy_reply_size.patch b/queue-7.0/net-ethtool-fix-null-pointer-dereference-in-phy_reply_size.patch new file mode 100644 index 0000000000..2c61d63740 --- /dev/null +++ b/queue-7.0/net-ethtool-fix-null-pointer-dereference-in-phy_reply_size.patch @@ -0,0 +1,106 @@ +From stable+bounces-253779-greg=kroah.com@vger.kernel.org Fri May 22 15:02:51 2026 +From: Sasha Levin +Date: Fri, 22 May 2026 08:50:59 -0400 +Subject: net: ethtool: fix NULL pointer dereference in phy_reply_size +To: stable@vger.kernel.org +Cc: Quan Sun <2022090917019@std.uestc.edu.cn>, Maxime Chevallier , Jakub Kicinski , Sasha Levin +Message-ID: <20260522125100.3837432-1-sashal@kernel.org> + +From: Quan Sun <2022090917019@std.uestc.edu.cn> + +[ Upstream commit 4908f1395fb1b832ceec11584af649874a2732ea ] + +In phy_prepare_data(), several strings such as 'name', 'drvname', +'upstream_sfp_name', and 'downstream_sfp_name' are allocated using +kstrdup(). However, these allocations were not checked for failure. + +If kstrdup() fails for 'name', it returns NULL while the function +continues. This leads to a kernel NULL pointer dereference and panic +later in phy_reply_size() when it unconditionally calls strlen() on +the NULL pointer. + +While other strings like 'upstream_sfp_name' might be checked before +access in certain code paths, failing to handle these allocations +consistently can lead to incomplete data reporting or hidden bugs. + +Fix this by adding proper NULL checks for all kstrdup() calls in +phy_prepare_data() and implement a centralized error handling path +using goto labels to ensure all previously allocated resources are +freed on failure. + +Fixes: 9dd2ad5e92b9 ("net: ethtool: phy: Convert the PHY_GET command to generic phy dump") +Signed-off-by: Quan Sun <2022090917019@std.uestc.edu.cn> +Reviewed-by: Maxime Chevallier +Link: https://patch.msgid.link/20260507131738.1173835-1-2022090917019@std.uestc.edu.cn +Signed-off-by: Jakub Kicinski +Stable-dep-of: e3adf69f8eb1 ("net: ethtool: phy: avoid NULL deref when PHY driver is unbound") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ethtool/phy.c | 32 ++++++++++++++++++++++++++++++-- + 1 file changed, 30 insertions(+), 2 deletions(-) + +--- a/net/ethtool/phy.c ++++ b/net/ethtool/phy.c +@@ -76,6 +76,7 @@ static int phy_prepare_data(const struct + struct nlattr **tb = info->attrs; + struct phy_device_node *pdn; + struct phy_device *phydev; ++ int ret; + + /* RTNL is held by the caller */ + phydev = ethnl_req_get_phydev(req_info, tb, ETHTOOL_A_PHY_HEADER, +@@ -88,8 +89,17 @@ static int phy_prepare_data(const struct + return -EOPNOTSUPP; + + rep_data->phyindex = phydev->phyindex; ++ + rep_data->name = kstrdup(dev_name(&phydev->mdio.dev), GFP_KERNEL); ++ if (!rep_data->name) ++ return -ENOMEM; ++ + rep_data->drvname = kstrdup(phydev->drv->name, GFP_KERNEL); ++ if (!rep_data->drvname) { ++ ret = -ENOMEM; ++ goto err_free_name; ++ } ++ + rep_data->upstream_type = pdn->upstream_type; + + if (pdn->upstream_type == PHY_UPSTREAM_PHY) { +@@ -97,15 +107,33 @@ static int phy_prepare_data(const struct + rep_data->upstream_index = upstream->phyindex; + } + +- if (pdn->parent_sfp_bus) ++ if (pdn->parent_sfp_bus) { + rep_data->upstream_sfp_name = kstrdup(sfp_get_name(pdn->parent_sfp_bus), + GFP_KERNEL); ++ if (!rep_data->upstream_sfp_name) { ++ ret = -ENOMEM; ++ goto err_free_drvname; ++ } ++ } + +- if (phydev->sfp_bus) ++ if (phydev->sfp_bus) { + rep_data->downstream_sfp_name = kstrdup(sfp_get_name(phydev->sfp_bus), + GFP_KERNEL); ++ if (!rep_data->downstream_sfp_name) { ++ ret = -ENOMEM; ++ goto err_free_upstream_sfp; ++ } ++ } + + return 0; ++ ++err_free_upstream_sfp: ++ kfree(rep_data->upstream_sfp_name); ++err_free_drvname: ++ kfree(rep_data->drvname); ++err_free_name: ++ kfree(rep_data->name); ++ return ret; + } + + static int phy_fill_reply(struct sk_buff *skb, diff --git a/queue-7.0/net-ethtool-phy-avoid-null-deref-when-phy-driver-is-unbound.patch b/queue-7.0/net-ethtool-phy-avoid-null-deref-when-phy-driver-is-unbound.patch new file mode 100644 index 0000000000..ffdab89a55 --- /dev/null +++ b/queue-7.0/net-ethtool-phy-avoid-null-deref-when-phy-driver-is-unbound.patch @@ -0,0 +1,59 @@ +From stable+bounces-253780-greg=kroah.com@vger.kernel.org Fri May 22 15:28:56 2026 +From: Sasha Levin +Date: Fri, 22 May 2026 08:51:00 -0400 +Subject: net: ethtool: phy: avoid NULL deref when PHY driver is unbound +To: stable@vger.kernel.org +Cc: David Carlier , Maxime Chevallier , Jakub Kicinski , Sasha Levin +Message-ID: <20260522125100.3837432-2-sashal@kernel.org> + +From: David Carlier + +[ Upstream commit e3adf69f8eb121a9128c2b0029efd050d3649153 ] + +phydev->drv can become NULL while the phy_device is still attached to +its net_device, namely after the PHY driver is unbound via sysfs: + + echo > /sys/bus/mdio_bus/drivers//unbind + +phy_remove() clears phydev->drv but doesn't call phy_detach(), so the +phy_device stays in the link topology xarray and ethnl_req_get_phydev() +still hands it back. ETHTOOL_MSG_PHY_GET then oopses on: + + rep_data->drvname = kstrdup(phydev->drv->name, GFP_KERNEL); + +drvname is already treated as optional by phy_reply_size(), +phy_fill_reply() and phy_cleanup_data(), so just skip the allocation +when there is no driver bound. + +Fixes: 9dd2ad5e92b9 ("net: ethtool: phy: Convert the PHY_GET command to generic phy dump") +Cc: stable@vger.kernel.org # 6.13.x +Signed-off-by: David Carlier +Reviewed-by: Maxime Chevallier +Tested-by: Maxime Chevallier +Link: https://patch.msgid.link/20260509215046.107157-1-devnexen@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ethtool/phy.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/net/ethtool/phy.c ++++ b/net/ethtool/phy.c +@@ -94,10 +94,12 @@ static int phy_prepare_data(const struct + if (!rep_data->name) + return -ENOMEM; + +- rep_data->drvname = kstrdup(phydev->drv->name, GFP_KERNEL); +- if (!rep_data->drvname) { +- ret = -ENOMEM; +- goto err_free_name; ++ if (phydev->drv) { ++ rep_data->drvname = kstrdup(phydev->drv->name, GFP_KERNEL); ++ if (!rep_data->drvname) { ++ ret = -ENOMEM; ++ goto err_free_name; ++ } + } + + rep_data->upstream_type = pdn->upstream_type; diff --git a/queue-7.0/sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch b/queue-7.0/sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch new file mode 100644 index 0000000000..6a861fc564 --- /dev/null +++ b/queue-7.0/sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch @@ -0,0 +1,44 @@ +From stable+bounces-253532-greg=kroah.com@vger.kernel.org Thu May 21 15:10:05 2026 +From: Sasha Levin +Date: Thu, 21 May 2026 08:57:53 -0400 +Subject: sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path +To: stable@vger.kernel.org +Cc: Tejun Heo , Sashiko , Sasha Levin +Message-ID: <20260521125753.1164691-2-sashal@kernel.org> + +From: Tejun Heo + +[ Upstream commit 9a415cc53711f2238e0f0ca8a6bcc796c003b127 ] + +In scx_root_enable_workfn(), put_task_struct(p) is called before scx_error() +dereferences p->comm and p->pid. If the iterator's reference is the last +drop, the task is freed synchronously and the deref becomes a UAF. + +Move put_task_struct() past scx_error(). + +Reported-by: Sashiko +Closes: https://lore.kernel.org/all/20260511214031.AF5E9C2BCB0@smtp.kernel.org/ +Fixes: f0e1a0643a59 ("sched_ext: Implement BPF extensible scheduler class") +Cc: stable@vger.kernel.org # v6.12+ +Signed-off-by: Tejun Heo +[ kept `scx_init_task()` call site instead of `__scx_init_task()`/`task_rq_lock` ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/ext.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -5239,10 +5239,10 @@ static void scx_enable_workfn(struct kth + + ret = scx_init_task(p, task_group(p), false); + if (ret) { +- put_task_struct(p); + scx_task_iter_stop(&sti); + scx_error(sch, "ops.init_task() failed (%d) for %s[%d]", + ret, p->comm, p->pid); ++ put_task_struct(p); + goto err_disable_unlock_all; + } + diff --git a/queue-7.0/sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch b/queue-7.0/sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch new file mode 100644 index 0000000000..e222a7550f --- /dev/null +++ b/queue-7.0/sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch @@ -0,0 +1,57 @@ +From stable+bounces-253531-greg=kroah.com@vger.kernel.org Thu May 21 15:50:27 2026 +From: Sasha Levin +Date: Thu, 21 May 2026 08:57:52 -0400 +Subject: sched_ext: Fix missing warning in scx_set_task_state() default case +To: stable@vger.kernel.org +Cc: Samuele Mariotti , Paolo Valente , Andrea Righi , Tejun Heo , Sasha Levin +Message-ID: <20260521125753.1164691-1-sashal@kernel.org> + +From: Samuele Mariotti + +[ Upstream commit b905ee77d5f557a83a485b4146210f54f13365fc ] + +In scx_set_task_state(), the default case was setting the +warn flag, but then returning immediately. This is problematic +because the only purpose of the warn flag is to trigger +WARN_ONCE, but the early return prevented it from ever firing, +leaving invalid task states undetected and untraced. + +To fix this, a WARN_ONCE call is now added directly in the +default case. + +The fix addresses two aspects: + + - Guarantees the invalid task states are properly logged + and traced. + + - Provides a distinct warning message + ("sched_ext: Invalid task state") specifically for + states outside the defined scx_task_state enum values, + making it easier to distinguish from other transition + warnings. + +This ensures proper detection and reporting of invalid states. + +Signed-off-by: Samuele Mariotti +Signed-off-by: Paolo Valente +Reviewed-by: Andrea Righi +Signed-off-by: Tejun Heo +Stable-dep-of: 9a415cc53711 ("sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/ext.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -2936,7 +2936,8 @@ static void scx_set_task_state(struct ta + warn = prev_state != SCX_TASK_READY; + break; + default: +- warn = true; ++ WARN_ONCE(1, "sched_ext: Invalid task state %d -> %d for %s[%d]", ++ prev_state, state, p->comm, p->pid); + return; + } + diff --git a/queue-7.0/series b/queue-7.0/series index d1ac4a4cb4..2bda4ffcae 100644 --- a/queue-7.0/series +++ b/queue-7.0/series @@ -58,3 +58,8 @@ netfilter-ip6t_hbh-reject-oversized-option-lists.patch netfilter-nf_queue-hold-bridge-skb-dev-while-queued.patch netfilter-ipset-stop-hash-range-iteration-at-end.patch netfilter-nft_inner-fix-ipv6-inner_thoff-desync.patch +net-ethtool-fix-null-pointer-dereference-in-phy_reply_size.patch +net-ethtool-phy-avoid-null-deref-when-phy-driver-is-unbound.patch +acpi-driver-check-acpi_companion-against-null-during-probe.patch +sched_ext-fix-missing-warning-in-scx_set_task_state-default-case.patch +sched_ext-avoid-uaf-in-scx_root_enable_workfn-init-failure-path.patch