diff for duplicates of <20260616145126.267203777@linuxfoundation.org> diff --git a/a/1.txt b/N1/1.txt index a24eb8b..0fa315b 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,66 +1,52 @@ -7.0-stable review patch. If anyone has any objections, please let me know. +6.1-stable review patch. If anyone has any objections, please let me know. ------------------ -From: Usama Arif <usama.arif@linux.dev> +From: Weiming Shi <bestswngs@gmail.com> -commit 0c25b8734367574e21aeb8468c2e522713134da7 upstream. +[ Upstream commit f4feb1e20058e407cb00f45aff47f5b7e19a6bbf ] -mincore_swap() also fields migration/hwpoison entries (and shmem -swapin-error entries), which can exist on !CONFIG_SWAP builds when -CONFIG_MIGRATION or CONFIG_MEMORY_FAILURE is enabled. The -!IS_ENABLED(CONFIG_SWAP) guard ran before the non-swap-entry early return, -so mincore_pte_range() can spuriously WARN and report these pages -nonresident on !CONFIG_SWAP kernels. +tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without +freeing the page that vhost_net_build_xdp() allocated for it. +tun_sendmsg() discards that -EINVAL and still returns total_len, so +vhost_tx_batch() takes the success path and never frees the page; each +short frame in a batch leaks one page-frag chunk. -Move the guard below the non-swap-entry check so only true swap entries -trip the WARN, and migration/hwpoison entries take the existing "uptodate -/ non-shmem" path. +A local process that can open /dev/net/tun and /dev/vhost-net can hit +this path: it attaches a tun/tap device as the vhost-net backend and +feeds TX descriptors whose length minus the virtio-net header is below +ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a +tight submission loop exhausts host memory and triggers an OOM panic. +Free the page before returning -EINVAL, matching the XDP-program error +path in the same function. -Link: https://lore.kernel.org/20260602172247.279421-1-usama.arif@linux.dev -Fixes: 1f2052755c15 ("mm/mincore: use a helper for checking the swap cache") -Signed-off-by: Usama Arif <usama.arif@linux.dev> -Reviewed-by: Pedro Falcato <pfalcato@suse.de> -Reviewed-by: Kairui Song <kasong@tencent.com> -Reviewed-by: Lorenzo Stoakes <ljs@kernel.org> -Acked-by: Johannes Weiner <hannes@cmpxchg.org> -Cc: Baoquan He <baoquan.he@linux.dev> -Cc: Chris Li <chrisl@kernel.org> -Cc: Jann Horn <jannh@google.com> -Cc: Liam R. Howlett <liam@infradead.org> -Cc: Rik van Riel <riel@surriel.com> -Cc: Shakeel Butt <shakeel.butt@linux.dev> -Cc: Vlastimil Babka <vbabka@kernel.org> -Cc: <stable@vger.kernel.org> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +Fixes: 049584807f1d ("tun: add missing verification for short frame") +Reported-by: Xiang Mei <xmei5@asu.edu> +Signed-off-by: Weiming Shi <bestswngs@gmail.com> +Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com> +Reviewed-by: Willem de Bruijn <willemb@google.com> +Link: https://patch.msgid.link/20260520160020.375349-2-bestswngs@gmail.com +Signed-off-by: Jakub Kicinski <kuba@kernel.org> +Signed-off-by: Sasha Levin <sashal@kernel.org> --- - mm/mincore.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) + drivers/net/tun.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) ---- a/mm/mincore.c -+++ b/mm/mincore.c -@@ -64,11 +64,6 @@ static unsigned char mincore_swap(swp_en - struct folio *folio = NULL; - unsigned char present = 0; +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 03478ae3ff2448..1ad6af74de7c3f 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -2448,8 +2448,10 @@ static int tun_xdp_one(struct tun_struct *tun, + bool skb_xdp = false; + struct page *page; -- if (!IS_ENABLED(CONFIG_SWAP)) { -- WARN_ON(1); -- return 0; -- } -- - /* - * Shmem mapping may contain swapin error entries, which are - * absent. Page table may contain migration or hwpoison -@@ -77,6 +72,11 @@ static unsigned char mincore_swap(swp_en - if (!softleaf_is_swap(entry)) - return !shmem; - -+ if (!IS_ENABLED(CONFIG_SWAP)) { -+ WARN_ON(1); -+ return 0; +- if (unlikely(datasize < ETH_HLEN)) ++ if (unlikely(datasize < ETH_HLEN)) { ++ put_page(virt_to_head_page(xdp->data)); + return -EINVAL; + } -+ - /* - * Shmem mapping lookup is lockless, so we need to grab the swap - * device. mincore page table walk locks the PTL, and the swap + + xdp_prog = rcu_dereference(tun->xdp_prog); + if (xdp_prog) { +-- +2.53.0 diff --git a/a/content_digest b/N1/content_digest index 197e118..b456574 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -1,90 +1,69 @@ - "ref\020260616145109.744539446@linuxfoundation.org\0" + "ref\020260616145125.307082728@linuxfoundation.org\0" "From\0Greg Kroah-Hartman <gregkh@linuxfoundation.org>\0" - "Subject\0[PATCH 7.0 306/378] mm/mincore: handle non-swap entries before !CONFIG_SWAP guard\0" - "Date\0Tue, 16 Jun 2026 20:28:57 +0530\0" + "Subject\0[PATCH 6.1 016/522] tun: free page on short-frame rejection in tun_xdp_one()\0" + "Date\0Tue, 16 Jun 2026 20:22:43 +0530\0" "To\0stable@vger.kernel.org\0" "Cc\0Greg Kroah-Hartman <gregkh@linuxfoundation.org>" patches@lists.linux.dev - Usama Arif <usama.arif@linux.dev> - Pedro Falcato <pfalcato@suse.de> - Kairui Song <kasong@tencent.com> - Lorenzo Stoakes <ljs@kernel.org> - Johannes Weiner <hannes@cmpxchg.org> - Baoquan He <baoquan.he@linux.dev> - Chris Li <chrisl@kernel.org> - Jann Horn <jannh@google.com> - Liam R. Howlett <liam@infradead.org> - Rik van Riel <riel@surriel.com> - Shakeel Butt <shakeel.butt@linux.dev> - Vlastimil Babka <vbabka@kernel.org> - " Andrew Morton <akpm@linux-foundation.org>\0" + Xiang Mei <xmei5@asu.edu> + Weiming Shi <bestswngs@gmail.com> + Dongli Zhang <dongli.zhang@oracle.com> + Willem de Bruijn <willemb@google.com> + Jakub Kicinski <kuba@kernel.org> + " Sasha Levin <sashal@kernel.org>\0" "\00:1\0" "b\0" - "7.0-stable review patch. If anyone has any objections, please let me know.\n" + "6.1-stable review patch. If anyone has any objections, please let me know.\n" "\n" "------------------\n" "\n" - "From: Usama Arif <usama.arif@linux.dev>\n" + "From: Weiming Shi <bestswngs@gmail.com>\n" "\n" - "commit 0c25b8734367574e21aeb8468c2e522713134da7 upstream.\n" + "[ Upstream commit f4feb1e20058e407cb00f45aff47f5b7e19a6bbf ]\n" "\n" - "mincore_swap() also fields migration/hwpoison entries (and shmem\n" - "swapin-error entries), which can exist on !CONFIG_SWAP builds when\n" - "CONFIG_MIGRATION or CONFIG_MEMORY_FAILURE is enabled. The\n" - "!IS_ENABLED(CONFIG_SWAP) guard ran before the non-swap-entry early return,\n" - "so mincore_pte_range() can spuriously WARN and report these pages\n" - "nonresident on !CONFIG_SWAP kernels.\n" + "tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without\n" + "freeing the page that vhost_net_build_xdp() allocated for it.\n" + "tun_sendmsg() discards that -EINVAL and still returns total_len, so\n" + "vhost_tx_batch() takes the success path and never frees the page; each\n" + "short frame in a batch leaks one page-frag chunk.\n" "\n" - "Move the guard below the non-swap-entry check so only true swap entries\n" - "trip the WARN, and migration/hwpoison entries take the existing \"uptodate\n" - "/ non-shmem\" path.\n" + "A local process that can open /dev/net/tun and /dev/vhost-net can hit\n" + "this path: it attaches a tun/tap device as the vhost-net backend and\n" + "feeds TX descriptors whose length minus the virtio-net header is below\n" + "ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a\n" + "tight submission loop exhausts host memory and triggers an OOM panic.\n" + "Free the page before returning -EINVAL, matching the XDP-program error\n" + "path in the same function.\n" "\n" - "Link: https://lore.kernel.org/20260602172247.279421-1-usama.arif@linux.dev\n" - "Fixes: 1f2052755c15 (\"mm/mincore: use a helper for checking the swap cache\")\n" - "Signed-off-by: Usama Arif <usama.arif@linux.dev>\n" - "Reviewed-by: Pedro Falcato <pfalcato@suse.de>\n" - "Reviewed-by: Kairui Song <kasong@tencent.com>\n" - "Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>\n" - "Acked-by: Johannes Weiner <hannes@cmpxchg.org>\n" - "Cc: Baoquan He <baoquan.he@linux.dev>\n" - "Cc: Chris Li <chrisl@kernel.org>\n" - "Cc: Jann Horn <jannh@google.com>\n" - "Cc: Liam R. Howlett <liam@infradead.org>\n" - "Cc: Rik van Riel <riel@surriel.com>\n" - "Cc: Shakeel Butt <shakeel.butt@linux.dev>\n" - "Cc: Vlastimil Babka <vbabka@kernel.org>\n" - "Cc: <stable@vger.kernel.org>\n" - "Signed-off-by: Andrew Morton <akpm@linux-foundation.org>\n" - "Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\n" + "Fixes: 049584807f1d (\"tun: add missing verification for short frame\")\n" + "Reported-by: Xiang Mei <xmei5@asu.edu>\n" + "Signed-off-by: Weiming Shi <bestswngs@gmail.com>\n" + "Reviewed-by: Dongli Zhang <dongli.zhang@oracle.com>\n" + "Reviewed-by: Willem de Bruijn <willemb@google.com>\n" + "Link: https://patch.msgid.link/20260520160020.375349-2-bestswngs@gmail.com\n" + "Signed-off-by: Jakub Kicinski <kuba@kernel.org>\n" + "Signed-off-by: Sasha Levin <sashal@kernel.org>\n" "---\n" - " mm/mincore.c | 10 +++++-----\n" - " 1 file changed, 5 insertions(+), 5 deletions(-)\n" + " drivers/net/tun.c | 4 +++-\n" + " 1 file changed, 3 insertions(+), 1 deletion(-)\n" "\n" - "--- a/mm/mincore.c\n" - "+++ b/mm/mincore.c\n" - "@@ -64,11 +64,6 @@ static unsigned char mincore_swap(swp_en\n" - " \tstruct folio *folio = NULL;\n" - " \tunsigned char present = 0;\n" + "diff --git a/drivers/net/tun.c b/drivers/net/tun.c\n" + "index 03478ae3ff2448..1ad6af74de7c3f 100644\n" + "--- a/drivers/net/tun.c\n" + "+++ b/drivers/net/tun.c\n" + "@@ -2448,8 +2448,10 @@ static int tun_xdp_one(struct tun_struct *tun,\n" + " \tbool skb_xdp = false;\n" + " \tstruct page *page;\n" " \n" - "-\tif (!IS_ENABLED(CONFIG_SWAP)) {\n" - "-\t\tWARN_ON(1);\n" - "-\t\treturn 0;\n" - "-\t}\n" - "-\n" - " \t/*\n" - " \t * Shmem mapping may contain swapin error entries, which are\n" - " \t * absent. Page table may contain migration or hwpoison\n" - "@@ -77,6 +72,11 @@ static unsigned char mincore_swap(swp_en\n" - " \tif (!softleaf_is_swap(entry))\n" - " \t\treturn !shmem;\n" - " \n" - "+\tif (!IS_ENABLED(CONFIG_SWAP)) {\n" - "+\t\tWARN_ON(1);\n" - "+\t\treturn 0;\n" + "-\tif (unlikely(datasize < ETH_HLEN))\n" + "+\tif (unlikely(datasize < ETH_HLEN)) {\n" + "+\t\tput_page(virt_to_head_page(xdp->data));\n" + " \t\treturn -EINVAL;\n" "+\t}\n" - "+\n" - " \t/*\n" - " \t * Shmem mapping lookup is lockless, so we need to grab the swap\n" - " \t * device. mincore page table walk locks the PTL, and the swap" + " \n" + " \txdp_prog = rcu_dereference(tun->xdp_prog);\n" + " \tif (xdp_prog) {\n" + "-- \n" + 2.53.0 -d8acdbfdc4747118c4e770ff25135b83158822fecd0af05e307b5d7ca1d06cb1 +b8f6a7cc51c73c4a796b5becdc9caa82ccfc746d9348e7579ee09b7a8dd67263
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.