From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Mahanta Jambigi <mjambigi@linux.ibm.com>,
Sidraya Jayagond <sidraya@linux.ibm.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.12 46/89] net/smc: fix warning in smc_rx_splice() when calling get_page()
Date: Tue, 30 Sep 2025 16:48:00 +0200 [thread overview]
Message-ID: <20250930143823.829462057@linuxfoundation.org> (raw)
In-Reply-To: <20250930143821.852512002@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sidraya Jayagond <sidraya@linux.ibm.com>
[ Upstream commit a35c04de2565db191726b5741e6b66a35002c652 ]
smc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are
later passed to get_page() in smc_rx_splice(). Since kmalloc memory is
not page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents
holding a refcount on the buffer. This can lead to use-after-free if
the memory is released before splice_to_pipe() completes.
Use folio_alloc() instead, ensuring DMBs are page-backed and safe for
get_page().
WARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]
CPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4672ecfee #10 NONE
Hardware name: IBM 3931 A01 704 (z/VM 7.4.0)
Krnl PSW : 0704e00180000000 000793161032696c (smc_rx_splice+0xafc/0xe20 [smc])
R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:2 PM:0 RI:0 EA:3
Krnl GPRS: 0000000000000000 001cee80007d3001 00077400000000f8 0000000000000005
0000000000000001 001cee80007d3006 0007740000001000 001c000000000000
000000009b0c99e0 0000000000001000 001c0000000000f8 001c000000000000
000003ffcc6f7c88 0007740003e98000 0007931600000005 000792969b2ff7b8
Krnl Code: 0007931610326960: af000000 mc 0,0
0007931610326964: a7f4ff43 brc 15,00079316103267ea
#0007931610326968: af000000 mc 0,0
>000793161032696c: a7f4ff3f brc 15,00079316103267ea
0007931610326970: e320f1000004 lg %r2,256(%r15)
0007931610326976: c0e53fd1b5f5 brasl %r14,000793168fd5d560
000793161032697c: a7f4fbb5 brc 15,00079316103260e6
0007931610326980: b904002b lgr %r2,%r11
Call Trace:
smc_rx_splice+0xafc/0xe20 [smc]
smc_rx_splice+0x756/0xe20 [smc])
smc_rx_recvmsg+0xa74/0xe00 [smc]
smc_splice_read+0x1ce/0x3b0 [smc]
sock_splice_read+0xa2/0xf0
do_splice_read+0x198/0x240
splice_file_to_pipe+0x7e/0x110
do_splice+0x59e/0xde0
__do_splice+0x11a/0x2d0
__s390x_sys_splice+0x140/0x1f0
__do_syscall+0x122/0x280
system_call+0x6e/0x90
Last Breaking-Event-Address:
smc_rx_splice+0x960/0xe20 [smc]
---[ end trace 0000000000000000 ]---
Fixes: f7a22071dbf3 ("net/smc: implement DMB-related operations of loopback-ism")
Reviewed-by: Mahanta Jambigi <mjambigi@linux.ibm.com>
Signed-off-by: Sidraya Jayagond <sidraya@linux.ibm.com>
Link: https://patch.msgid.link/20250917184220.801066-1-sidraya@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/smc/smc_loopback.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/net/smc/smc_loopback.c b/net/smc/smc_loopback.c
index 3c5f64ca41153..85f0b7853b173 100644
--- a/net/smc/smc_loopback.c
+++ b/net/smc/smc_loopback.c
@@ -56,6 +56,7 @@ static int smc_lo_register_dmb(struct smcd_dev *smcd, struct smcd_dmb *dmb,
{
struct smc_lo_dmb_node *dmb_node, *tmp_node;
struct smc_lo_dev *ldev = smcd->priv;
+ struct folio *folio;
int sba_idx, rc;
/* check space for new dmb */
@@ -74,13 +75,16 @@ static int smc_lo_register_dmb(struct smcd_dev *smcd, struct smcd_dmb *dmb,
dmb_node->sba_idx = sba_idx;
dmb_node->len = dmb->dmb_len;
- dmb_node->cpu_addr = kzalloc(dmb_node->len, GFP_KERNEL |
- __GFP_NOWARN | __GFP_NORETRY |
- __GFP_NOMEMALLOC);
- if (!dmb_node->cpu_addr) {
+
+ /* not critical; fail under memory pressure and fallback to TCP */
+ folio = folio_alloc(GFP_KERNEL | __GFP_NOWARN | __GFP_NOMEMALLOC |
+ __GFP_NORETRY | __GFP_ZERO,
+ get_order(dmb_node->len));
+ if (!folio) {
rc = -ENOMEM;
goto err_node;
}
+ dmb_node->cpu_addr = folio_address(folio);
dmb_node->dma_addr = SMC_DMA_ADDR_INVALID;
refcount_set(&dmb_node->refcnt, 1);
@@ -122,7 +126,7 @@ static void __smc_lo_unregister_dmb(struct smc_lo_dev *ldev,
write_unlock_bh(&ldev->dmb_ht_lock);
clear_bit(dmb_node->sba_idx, ldev->sba_idx_mask);
- kvfree(dmb_node->cpu_addr);
+ folio_put(virt_to_folio(dmb_node->cpu_addr));
kfree(dmb_node);
if (atomic_dec_and_test(&ldev->dmb_cnt))
--
2.51.0
next prev parent reply other threads:[~2025-09-30 15:27 UTC|newest]
Thread overview: 105+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-30 14:47 [PATCH 6.12 00/89] 6.12.50-rc1 review Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 01/89] scsi: ufs: mcq: Fix memory allocation checks for SQE and CQE Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 02/89] firewire: core: fix overlooked update of subsystem ABI version Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 03/89] ALSA: usb-audio: Fix code alignment in mixer_quirks Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 04/89] ALSA: usb-audio: Fix block comments " Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 05/89] ALSA: usb-audio: Drop unnecessary parentheses " Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 06/89] ALSA: usb-audio: Avoid multiple assignments " Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 07/89] ALSA: usb-audio: Simplify NULL comparison " Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 08/89] ALSA: usb-audio: Remove unneeded wmb() " Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 09/89] ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 10/89] HID: multitouch: Get the contact ID from HID_DG_TRANSDUCER_INDEX fields in case of Apple Touch Bar Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 11/89] HID: multitouch: support getting the tip state from HID_DG_TOUCH fields in " Greg Kroah-Hartman
2025-09-30 15:27 ` Aditya Garg
2025-09-30 14:47 ` [PATCH 6.12 12/89] HID: multitouch: take cls->maxcontacts into account for Apple Touch Bar even without a HID_DG_CONTACTMAX field Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 13/89] HID: multitouch: specify that Apple Touch Bar is direct Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 14/89] ALSA: usb-audio: Convert comma to semicolon Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 15/89] ALSA: hda/realtek: Add support for ASUS NUC using CS35L41 HDA Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 16/89] ALSA: usb-audio: Fix build with CONFIG_INPUT=n Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 17/89] usb: core: Add 0x prefix to quirks debug output Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 18/89] net: fec: rename struct fec_devinfo fec_imx6x_info -> fec_imx6sx_info Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 19/89] net: sfp: add quirk for Potron SFP+ XGSPON ONU Stick Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 20/89] mmc: sdhci-cadence: add Mobileye eyeQ support Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 21/89] i2c: designware: Add quirk for Intel Xe Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 22/89] ALSA: usb-audio: Add DSD support for Comtrue USB Audio device Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 23/89] ALSA: usb-audio: move mixer_quirks min_mute into common quirk Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 24/89] ALSA: usb-audio: Add mute TLV for playback volumes on more devices Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 25/89] net: sfp: add quirk for FLYPRO copper SFP+ module Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 26/89] IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 27/89] HID: amd_sfh: Add sync across amd sfh work functions Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 28/89] firmware: imx: Add stub functions for SCMI MISC API Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 29/89] arm64: dts: imx8mp: Correct thermal sensor index Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 30/89] ARM: dts: kirkwood: Fix sound DAI cells for OpenRD clients Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 31/89] cpufreq: Initialize cpufreq-based invariance before subsys Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 32/89] smb: server: dont use delayed_work for post_recv_credits_work Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 33/89] smb: server: use disable_work_sync in transport_rdma.c Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 34/89] bpf: Check the helper function is valid in get_helper_proto Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 35/89] btrfs: dont allow adding block device of less than 1 MB Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 36/89] wifi: virt_wifi: Fix page fault on connect Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 37/89] can: rcar_can: rcar_can_resume(): fix s2ram with PSCI Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 38/89] bpf: Reject bpf_timer for PREEMPT_RT Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 39/89] xfrm: xfrm_alloc_spi shouldnt use 0 as SPI Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 40/89] can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 41/89] can: hi311x: " Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 42/89] can: sun4i_can: " Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 43/89] can: mcba_usb: " Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 44/89] can: peak_usb: fix shift-out-of-bounds issue Greg Kroah-Hartman
2025-09-30 14:47 ` [PATCH 6.12 45/89] net: tun: Update napi->skb after XDP process Greg Kroah-Hartman
2025-09-30 14:48 ` Greg Kroah-Hartman [this message]
2025-09-30 14:48 ` [PATCH 6.12 47/89] ethernet: rvu-af: Remove slash from the driver name Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 48/89] Bluetooth: hci_sync: Fix hci_resume_advertising_sync Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 49/89] Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 50/89] vhost: Take a reference on the task in struct vhost_task Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 51/89] bnxt_en: correct offset handling for IPv6 destination address Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 52/89] net: allow alloc_skb_with_frags() to use MAX_SKB_FRAGS Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 53/89] nexthop: Forbid FDB status change while nexthop is in a group Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 54/89] selftests: fib_nexthops: Fix creation of non-FDB nexthops Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 55/89] net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to port_setup() Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 56/89] net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries added to the CPU port Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 57/89] octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 58/89] mm/gup: local lru_add_drain() to avoid lru_add_drain_all() Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 59/89] mm: revert "mm/gup: clear the LRU flag of a page before adding to LRU batch" Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 60/89] mm: folio_may_be_lru_cached() unless folio_test_large() Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 61/89] drm/gma500: Fix null dereference in hdmi teardown Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 62/89] futex: Prevent use-after-free during requeue-PI Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 63/89] drm/panthor: Defer scheduler entitiy destruction to queue release Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 64/89] platform/x86: lg-laptop: Fix WMAB call in fan_mode_store() Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 65/89] smb: client: fix wrong index reference in smb2_compound_op() Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 66/89] HID: asus: add support for missing PX series fn keys Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 67/89] i40e: add validation for ring_len param Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 68/89] i40e: fix idx validation in i40e_validate_queue_map Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 69/89] i40e: fix idx validation in config queues msg Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 70/89] i40e: fix input validation logic for action_meta Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 71/89] i40e: fix validation of VF state in get resources Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 72/89] i40e: add max boundary check for VF filters Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 73/89] i40e: add mask to apply valid bits for itr_idx Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 74/89] i40e: improve VF MAC filters accounting Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 75/89] crypto: af_alg - Fix incorrect boolean values in af_alg_ctx Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 76/89] tracing: dynevent: Add a missing lockdown check on dynevent Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 77/89] ARM: dts: socfpga: sodia: Fix mdio bus probe and PHY address Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 78/89] arm64: dts: marvell: cn9132-clearfog: disable eMMC high-speed modes Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 79/89] arm64: dts: marvell: cn9132-clearfog: fix multi-lane pci x2 and x4 ports Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 80/89] drm/ast: Use msleep instead of mdelay for edid read Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 81/89] afs: Fix potential null pointer dereference in afs_put_server Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 82/89] fs/proc/task_mmu: check p->vec_buf for NULL Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 83/89] gpiolib: Extend software-node support to support secondary software-nodes Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 84/89] kmsan: fix out-of-bounds access to shadow memory Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 85/89] mm/hugetlb: fix folio is still mapped when deleted Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 86/89] fbcon: fix integer overflow in fbcon_do_set_font Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 87/89] fbcon: Fix OOB access in font allocation Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 88/89] iommufd: Fix race during abort for file descriptors Greg Kroah-Hartman
2025-09-30 14:48 ` [PATCH 6.12 89/89] Revert "usb: xhci: remove option to change a default rings TRB cycle bit" Greg Kroah-Hartman
2025-09-30 18:49 ` 6.12.50-rc1 review Brett A C Sheffield
2025-09-30 18:51 ` [PATCH 6.12 00/89] " Florian Fainelli
2025-09-30 19:18 ` Guenter Roeck
2025-10-02 7:15 ` Greg Kroah-Hartman
2025-09-30 20:18 ` Peter Schneider
2025-10-01 2:51 ` Ron Economos
2025-10-01 9:12 ` Jon Hunter
2025-10-01 10:14 ` Mark Brown
2025-10-01 10:15 ` Naresh Kamboju
2025-10-01 13:30 ` Brett Mastbergen
2025-10-01 16:05 ` Shuah Khan
2025-10-01 17:40 ` Miguel Ojeda
2025-10-02 7:06 ` Pascal Ernster
2025-10-03 6:56 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250930143823.829462057@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=mjambigi@linux.ibm.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=sidraya@linux.ibm.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.