* [PATCH 7.1 000/120] 7.1.3-rc1 review
@ 2026-07-02 16:19 Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 001/120] KVM: x86: Fix shadow paging use-after-free due to unexpected role Greg Kroah-Hartman
` (125 more replies)
0 siblings, 126 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 7.1.3 release.
There are 120 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 04 Jul 2026 15:50:58 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v7.x/stable-review/patch-7.1.3-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-7.1.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 7.1.3-rc1
John Johansen <john.johansen@canonical.com>
apparmor: advertise the tcp fast open fix is applied
HanQuan <eilaimemedsnaimel@gmail.com>
net/tcp-ao: fix use-after-free of key in del_async path
Hem Parekh <hemparekh1596@gmail.com>
ksmbd: fix out-of-bounds read in smb_check_perm_dacl()
Markus Elfring <elfring@users.sourceforge.net>
NFS: Prevent resource leak in nfs_alloc_server()
Igor Raits <igor.raits@gmail.com>
NFSv4: clear exception state on successful mkdir retry
Michael Bommarito <michael.bommarito@gmail.com>
NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr
Michael Bommarito <michael.bommarito@gmail.com>
NFSv4/flexfiles: reject zero filehandle version count
Jeff Layton <jlayton@kernel.org>
nfsd: reset write verifier on deferred writeback errors
Jeff Layton <jlayton@kernel.org>
nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race
Jeff Layton <jlayton@kernel.org>
nfsd: fix dead ACL conflict guard in nfsd4_create
Dominik Woźniak <stalion@gmail.com>
nfsd: check get_user() return when reading princhashlen
Jeff Layton <jlayton@kernel.org>
nfsd: fix posix_acl leak and ignored error in nfsd4_create_file
Jeff Layton <jlayton@kernel.org>
nfsd: fix inverted cp_ttl check in async copy reaper
Jeff Layton <jlayton@kernel.org>
nfsd: fix posix_acl leak on SETACL decode failure
Guannan Wang <wgnbuaa@gmail.com>
NFSD: Fix SECINFO_NO_NAME decode error cleanup
Chris Mason <clm@meta.com>
nfsd: release layout stid on setlease failure
Johan Hovold <johan@kernel.org>
i2c: core: fix adapter registration race
Steffen Persvold <spersvold@gmail.com>
fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode
Tuo Li <islituo@gmail.com>
fbdev: modedb: fix a possible UAF in fb_find_mode()
Hongling Zeng <zenghongling@kylinos.cn>
fbdev: omap2: fix use-after-free in omapfb_mmap
Mingyu Wang <25181214217@stu.xidian.edu.cn>
fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font()
Ian Bridges <icb@fastmail.org>
fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var
Hyunchul Lee <hyc.lee@gmail.com>
ntfs: serialize volume label accesses
Vivian Wang <wangruikang@iscas.ac.cn>
riscv: kfence: Call mark_new_valid_map() for kfence_unprotect()
Wentao Liang <vulab@iscas.ac.cn>
power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init()
Ashutosh Desai <ashutoshdesai993@gmail.com>
KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path
Hyunwoo Kim <imv4bel@gmail.com>
KVM: x86: hyper-v: Bound the bank index when querying sparse banks
Jonas Jelonek <jelonek.jonas@gmail.com>
MIPS: smp: report dying CPU to RCU in stop_this_cpu()
Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
9p: avoid putting oldfid in p9_client_walk() error path
Zhang Cen <rollkingzzc@gmail.com>
ocfs2: reject oversized group bitmap descriptors
Yuho Choi <dbgh9129@gmail.com>
rpmsg: char: Fix use-after-free on probe error path
Wentao Liang <vulab@iscas.ac.cn>
fpga: region: fix use-after-free in child_regions_with_firmware()
Qingshuang Fu <fuqingshuang@kylinos.cn>
irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove
Rik van Riel <riel@surriel.com>
sched/mmcid: Fix OOB clear_bit when CID is MM_CID_UNSET in fixup path
Wentao Liang <vulab@iscas.ac.cn>
pNFS: Fix use-after-free in pnfs_update_layout()
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Report dying CPU to RCU in stop_this_cpu()
Doruk Tan Ozturk <doruk@0sec.ai>
tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done
Michal Koutný <mkoutny@suse.com>
blk-cgroup: fix UAF in __blkcg_rstat_flush()
Fan Wu <fanwu01@zju.edu.cn>
hdlc_ppp: sync per-proto timers before freeing hdlc state
Wentao Liang <vulab@iscas.ac.cn>
pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next()
Tristan Madani <tristan@talencesecurity.com>
gfs2: fix use-after-free in gfs2_qd_dealloc
Sam James <sam@gentoo.org>
crypto: nx - fix nx_crypto_ctx_exit argument
Sean Christopherson <seanjc@google.com>
KVM: Replace guest-triggerable BUG_ON() in ioeventfd datamatch with get_unaligned()
Sean Christopherson <seanjc@google.com>
KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level
Michael Bommarito <michael.bommarito@gmail.com>
exfat: fix potential use-after-free in exfat_find_dir_entry()
Maciej W. Rozycki <macro@orcam.me.uk>
MIPS: DEC: Prevent initial console buffer from landing in XKPHYS
Dawei Feng <dawei.feng@seu.edu.cn>
bpf: use kvfree() for replaced sysctl write buffer
Denis Arefev <arefev@swemel.ru>
block: Avoid mounting the bdev pseudo-filesystem in userspace
Mikhail Lobanov <m.lobanov@rosa.ru>
f2fs: read COW data with the original inode during atomic write
Wenjie Qi <qwjhust@gmail.com>
f2fs: keep atomic write retry from zeroing original data
Yongpeng Yang <yangyongpeng@xiaomi.com>
f2fs: fix incorrect FI_NO_EXTENT handling in __destroy_extent_node()
Zhaoyang Huang <zhaoyang.huang@unisoc.com>
Revert "f2fs: remove non-uptodate folio from the page cache in move_data_block"
Zhang Cen <rollkingzzc@gmail.com>
f2fs: validate ACL entry sizes in f2fs_acl_from_disk()
Bryam Vargas <hexlabsecurity@proton.me>
f2fs: bound i_inline_xattr_size for non-inline-xattr inodes
Sunmin Jeong <s_min.jeong@samsung.com>
f2fs: fix to round down start offset of fallocate for pin file
Chao Yu <chao@kernel.org>
f2fs: atomic: fix UAF issue on f2fs_inode_info.atomic_inode
Wenjie Qi <qwjhust@gmail.com>
f2fs: validate compress cache inode only when enabled
Wenjie Qi <qwjhust@gmail.com>
f2fs: validate orphan inode entry count
Chao Yu <chao@kernel.org>
f2fs: fix to do sanity check on f2fs_get_node_folio_ra()
Wenjie Qi <qwjhust@gmail.com>
f2fs: reject setattr size changes on large folio files
Wenjie Qi <qwjhust@gmail.com>
f2fs: pass correct iostat type for single node writes
Wenjie Qi <qiwenjie@xiaomi.com>
f2fs: fix missing read bio submission on large folio error
Junrui Luo <moonafterrain@outlook.com>
wifi: iwlwifi: mld: validate sta_mask before ffs() in BA session handlers
Junjie Cao <junjie.cao@intel.com>
wifi: iwlwifi: mld: fix race condition in PTP removal
Junjie Cao <junjie.cao@intel.com>
wifi: iwlwifi: mvm: fix race condition in PTP removal
Luka Gejak <luka.gejak@linux.dev>
wifi: rtw88: usb: fix memory leaks on USB write failures
Luka Gejak <luka.gejak@linux.dev>
wifi: rtw88: increase TX report timeout to fix race condition
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtl8xxxu: Detect the maximum supported channel width
Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
wifi: ath11k: fix warning when unbinding
ElXreno <elxreno@gmail.com>
wifi: mt76: mt7925: don't disable AP BSS when removing TDLS peer
Zenm Chen <zenmchen@gmail.com>
wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S
Kiryl Shutsemau (Meta) <kas@kernel.org>
userfaultfd: build __VMA_UFFD_FLAGS from config-gated masks
Mike Rapoport (Microsoft) <rppt@kernel.org>
userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing
Shaomin Chen <eeesssooo020@gmail.com>
keys: Pin request_key_auth payload in instantiate paths
Jarkko Sakkinen <jarkko@kernel.org>
KEYS: fix overflow in keyctl_pkey_params_get_2()
Konstantin Khorenko <khorenko@virtuozzo.com>
gcov: use atomic counter updates to fix concurrent access crashes
Arnd Bergmann <arnd@arndb.de>
err.h: use __always_inline on all error pointer helpers
Ard Biesheuvel <ardb@kernel.org>
KVM: arm64: Omit tag sync on stage-2 mappings of the zero page
Usama Arif <usama.arif@linux.dev>
block: invalidate cached plug timestamp after task switch
Eric Biggers <ebiggers@kernel.org>
fscrypt: Fix key setup in edge case with multiple data unit sizes
Ian Bridges <icb@fastmail.org>
fbdev: fix use-after-free in store_modes()
Koichiro Den <den@valinux.co.jp>
NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR
Ruslan Valiyev <linuxoid@gmail.com>
apparmor: fix use-after-free in rawdata dedup loop
Bryam Vargas <hexlabsecurity@proton.me>
apparmor: mediate the implicit connect of TCP fast open sendmsg
Lukas Wunner <lukas@wunner.de>
PCI/P2PDMA: Add Intel QAT, DSA, IAA devices to whitelist
Maoyi Xie <maoyixie.tju@gmail.com>
net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink
Yiming Qian <yimingqian591@gmail.com>
net: skmsg: preserve sg.copy across SG transforms
Doruk Tan Ozturk <doruk@0sec.ai>
mac802154: llsec: add skb_cow_data() before in-place crypto
Jiajia Liu <liujiajia@kylinos.cn>
wifi: mt76: add wcid publish check in mt76_sta_add
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
ntfs3: reject direct userspace writes to reserved $LX* xattrs
Wongi Lee <qw3rtyp0@gmail.com>
ipv4: account for fraggap on the paged allocation path
Wongi Lee <qw3rtyp0@gmail.com>
ipv6: account for fraggap on the paged allocation path
Sven Eckelmann <sven@narfation.org>
batman-adv: tvlv: avoid race of cifsnotfound handler state
Sven Eckelmann <sven@narfation.org>
batman-adv: tvlv: enforce 2-byte alignment
Sven Eckelmann <sven@narfation.org>
batman-adv: dat: prevent false sharing between VLANs
Sven Eckelmann <sven@narfation.org>
batman-adv: tt: track roam count per VID
Sven Eckelmann <sven@narfation.org>
batman-adv: tt: don't merge change entries with different VIDs
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: handle overlapping packets
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: prevent parallel modifications of last_recv
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: restrict number of unacked list entries
Sven Eckelmann <sven@narfation.org>
batman-adv: v: prevent OGM aggregation on disabled hardif
Sven Eckelmann <sven@narfation.org>
batman-adv: frag: avoid underflow of TTL
Sven Eckelmann <sven@narfation.org>
batman-adv: frag: ensure fragment is writable before modifying TTL
Sven Eckelmann <sven@narfation.org>
batman-adv: fix (m|b)cast csum after decrementing TTL
Sven Eckelmann <sven@narfation.org>
batman-adv: ensure bcast is writable before modifying TTL
Sven Eckelmann <sven@narfation.org>
batman-adv: gw: don't deselect gateway with active hardif
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: initialize last_recv_time during init
Sven Eckelmann <sven@narfation.org>
batman-adv: prevent ELP transmission interval underflow
Sven Eckelmann <sven@narfation.org>
batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: add only finished tp_vars to lists
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: fix fast recovery precondition
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: avoid window underflow
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: initialize dec_cwnd explicitly
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: initialize dup_acks explicitly
Sven Eckelmann <sven@narfation.org>
batman-adv: tp_meter: keep unacked list in ascending ordered
Paolo Bonzini <pbonzini@redhat.com>
KVM: x86: Fix shadow paging use-after-free due to unexpected role
-------------
Diffstat:
Makefile | 31 ++++--
arch/arm64/kvm/mmu.c | 5 +
arch/loongarch/kernel/smp.c | 1 +
arch/mips/dec/prom/console.c | 7 +-
arch/mips/kernel/smp.c | 2 +
arch/riscv/include/asm/kfence.h | 7 +-
arch/riscv/kernel/entry.S | 6 +-
arch/x86/kvm/hyperv.c | 5 +
arch/x86/kvm/mmu/mmu.c | 28 +++--
arch/x86/kvm/svm/sev.c | 1 +
block/bdev.c | 5 -
block/blk-cgroup.c | 21 ++--
.../intel/qat/qat_common/adf_accel_devices.h | 5 -
drivers/crypto/nx/nx.c | 6 +-
drivers/crypto/nx/nx.h | 2 +-
drivers/dma/idxd/registers.h | 3 -
drivers/fpga/of-fpga-region.c | 3 +-
drivers/i2c/i2c-core-base.c | 8 +-
drivers/irqchip/irq-imgpdc.c | 6 ++
drivers/net/wan/hdlc_ppp.c | 15 ++-
drivers/net/wireless/ath/ath11k/dp.c | 1 +
drivers/net/wireless/intel/iwlwifi/mld/agg.c | 9 ++
drivers/net/wireless/intel/iwlwifi/mld/ptp.c | 2 +-
drivers/net/wireless/intel/iwlwifi/mvm/ptp.c | 2 +-
drivers/net/wireless/mediatek/mt76/mac80211.c | 15 ++-
drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 3 +
drivers/net/wireless/realtek/rtl8xxxu/8188e.c | 1 +
drivers/net/wireless/realtek/rtl8xxxu/8188f.c | 1 +
drivers/net/wireless/realtek/rtl8xxxu/8192c.c | 1 +
drivers/net/wireless/realtek/rtl8xxxu/8192e.c | 1 +
drivers/net/wireless/realtek/rtl8xxxu/8192f.c | 1 +
drivers/net/wireless/realtek/rtl8xxxu/8710b.c | 1 +
drivers/net/wireless/realtek/rtl8xxxu/8723a.c | 1 +
drivers/net/wireless/realtek/rtl8xxxu/8723b.c | 1 +
drivers/net/wireless/realtek/rtl8xxxu/core.c | 64 ++++++++++-
drivers/net/wireless/realtek/rtl8xxxu/regs.h | 2 +
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 7 ++
.../net/wireless/realtek/rtlwifi/rtl8821ae/trx.h | 2 +-
drivers/net/wireless/realtek/rtw88/tx.c | 7 +-
drivers/net/wireless/realtek/rtw88/usb.c | 13 ++-
drivers/ntb/hw/epf/ntb_hw_epf.c | 3 +-
drivers/pci/p2pdma.c | 10 ++
drivers/power/reset/linkstation-poweroff.c | 2 +-
drivers/power/sequencing/core.c | 14 ++-
drivers/rpmsg/rpmsg_char.c | 15 ++-
drivers/video/fbdev/core/fbcon.c | 7 ++
drivers/video/fbdev/core/fbmem.c | 12 +++
drivers/video/fbdev/core/fbsysfs.c | 10 +-
drivers/video/fbdev/core/modedb.c | 5 +-
drivers/video/fbdev/omap2/omapfb/omapfb-main.c | 9 +-
fs/crypto/fscrypt_private.h | 52 +++++----
fs/crypto/inline_crypt.c | 8 +-
fs/crypto/keyring.c | 23 ++--
fs/crypto/keysetup.c | 118 +++++++++++++--------
fs/exfat/dir.c | 4 +-
fs/f2fs/acl.c | 18 +++-
fs/f2fs/checkpoint.c | 14 ++-
fs/f2fs/data.c | 49 +++++----
fs/f2fs/extent_cache.c | 19 ++--
fs/f2fs/f2fs.h | 1 +
fs/f2fs/file.c | 11 +-
fs/f2fs/gc.c | 56 +++++++---
fs/f2fs/inode.c | 26 +++--
fs/f2fs/node.c | 8 +-
fs/gfs2/super.c | 1 +
fs/nfs/client.c | 1 +
fs/nfs/flexfilelayout/flexfilelayout.c | 4 +
fs/nfs/nfs4proc.c | 5 +-
fs/nfs/pnfs.c | 2 +-
fs/nfs/pnfs_nfs.c | 4 +-
fs/nfsd/nfs2acl.c | 17 ++-
fs/nfsd/nfs3acl.c | 17 ++-
fs/nfsd/nfs4layouts.c | 12 +--
fs/nfsd/nfs4proc.c | 19 ++--
fs/nfsd/nfs4recover.c | 3 +-
fs/nfsd/nfs4state.c | 1 +
fs/nfsd/nfs4xdr.c | 3 +-
fs/nfsd/vfs.c | 6 +-
fs/ntfs/file.c | 17 ++-
fs/ntfs/super.c | 21 ++--
fs/ntfs/volume.h | 2 +
fs/ntfs3/xattr.c | 12 +++
fs/ocfs2/suballoc.c | 22 ++++
fs/smb/server/smbacl.c | 4 +-
fs/userfaultfd.c | 2 +
include/keys/request_key_auth-type.h | 2 +
include/linux/blkdev.h | 16 ++-
include/linux/err.h | 12 +--
include/linux/f2fs_fs.h | 1 +
include/linux/kvm_host.h | 7 +-
include/linux/mm.h | 39 +++++++
include/linux/pci_ids.h | 8 ++
include/linux/skmsg.h | 15 ++-
include/linux/userfaultfd_k.h | 4 +-
include/net/rtnetlink.h | 2 +
kernel/bpf/cgroup.c | 2 +-
kernel/sched/core.c | 27 +++--
net/9p/client.c | 3 +-
net/batman-adv/bat_iv_ogm.c | 11 +-
net/batman-adv/bat_v.c | 1 +
net/batman-adv/bat_v_ogm.c | 23 +++-
net/batman-adv/bridge_loop_avoidance.c | 28 ++---
net/batman-adv/distributed-arp-table.c | 12 ++-
net/batman-adv/fragmentation.c | 22 +++-
net/batman-adv/fragmentation.h | 3 +-
net/batman-adv/hard-interface.c | 28 +----
net/batman-adv/netlink.c | 10 +-
net/batman-adv/routing.c | 73 ++++++++++++-
net/batman-adv/tp_meter.c | 115 +++++++++++++-------
net/batman-adv/translation-table.c | 12 ++-
net/batman-adv/tvlv.c | 69 ++++++++++--
net/batman-adv/types.h | 21 ++--
net/core/filter.c | 27 +++++
net/core/rtnetlink.c | 8 ++
net/core/skmsg.c | 2 +
net/ipv4/ip_gre.c | 6 ++
net/ipv4/ip_output.c | 7 +-
net/ipv4/tcp_ao.c | 4 +
net/ipv6/ip6_output.c | 9 +-
net/mac802154/llsec.c | 14 +++
net/tipc/crypto.c | 9 ++
net/tls/tls_sw.c | 4 +
security/apparmor/include/policy_unpack.h | 19 ++++
security/apparmor/lsm.c | 16 ++-
security/apparmor/net.c | 2 +
security/apparmor/policy.c | 8 +-
security/keys/internal.h | 2 +
security/keys/keyctl.c | 24 +++--
security/keys/keyctl_pkey.c | 9 +-
security/keys/request_key_auth.c | 33 +++++-
virt/kvm/eventfd.c | 12 +--
132 files changed, 1312 insertions(+), 441 deletions(-)
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 001/120] KVM: x86: Fix shadow paging use-after-free due to unexpected role
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 002/120] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
` (124 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Paolo Bonzini,
Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 81ccda30b4e83d8f5cc4fd50503c44e3a33abfeb upstream.
Commit 0cb2af2ea66ad ("KVM: x86: Fix shadow paging use-after-free due
to unexpected GFN") fixed a shadow paging mismatch between stored and
computed GFNs; the bug could be triggered by changing a PDE mapping from
outside the guest, and then deleting a memslot. The rmap_remove()
call would miss entries created after the PDE change because the GFN
of the leaf SPTE does not match the GFN of the struct kvm_mmu_page.
A similar hole however remains if the modified PDE points to a non-leaf
page. In this case the gfn can be made to match, but the role does not
match: the original large 2MB page creates a kvm_mmu_page with direct=1,
while the new 4KB needs a kvm_mmu_page with direct=0. However,
kvm_mmu_get_child_sp() does not compare the role, and therefore reuses
the page.
The next step is installing a leaf (4KB) SPTE on the new path which
records an rmap entry under the gfn resolved by the walk. But when
that child is zapped its parent kvm_mmu_page has direct=1 and
kvm_mmu_page_get_gfn() computes the gfn for the 4KB page as
sp->gfn + index instead of using sp->shadowed_translation[] (or sp->gfns[]
in older kernels). It therefore fails to remove the recorded entry.
When the memslot is dropped the shadow page is freed but the rmap
entry survives, as in the scenario that was already fixed. Code that
later walks that gfn (dirty logging, MMU notifier invalidation, and
so on) dereferences an sptep that lies in the freed page, causing the
use-after-free.
Fixes: 2032a93d66fa ("KVM: MMU: Don't allocate gfns page for direct mmu pages")
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/mmu/mmu.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index f0144ae8d891d3..bb204d3c66b7e9 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -2453,13 +2453,15 @@ static struct kvm_mmu_page *kvm_mmu_get_child_sp(struct kvm_vcpu *vcpu,
u64 *sptep, gfn_t gfn,
bool direct, unsigned int access)
{
- union kvm_mmu_page_role role;
+ union kvm_mmu_page_role role = kvm_mmu_child_role(sptep, direct, access);
- if (is_shadow_present_pte(*sptep) && !is_large_pte(*sptep) &&
- spte_to_child_sp(*sptep) && spte_to_child_sp(*sptep)->gfn == gfn)
+ if (is_shadow_present_pte(*sptep) &&
+ !is_large_pte(*sptep) &&
+ spte_to_child_sp(*sptep) &&
+ spte_to_child_sp(*sptep)->gfn == gfn &&
+ spte_to_child_sp(*sptep)->role.word == role.word)
return ERR_PTR(-EEXIST);
- role = kvm_mmu_child_role(sptep, direct, access);
return kvm_mmu_get_shadow_page(vcpu, gfn, role);
}
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 002/120] batman-adv: tp_meter: keep unacked list in ascending ordered
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 001/120] KVM: x86: Fix shadow paging use-after-free due to unexpected role Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 003/120] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
` (123 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 5aa8651527ea0b610e7a09fb3b8204c1398b9525 upstream.
When batadv_tp_handle_out_of_order inserts a new entry in the list of
unacked (out of order) packets, it searches from the entry with the newest
sequence number towards oldest sequence number. If an entry is found which
is older than the newly entry, the new entry has to be added after the
found one to keep the ascending order.
But for this operation list_add_tail() was used. But this function adds an
entry _before_ another one. As result, the list would contain a lot of
swapped sequence numbers. The consumer of this list
(batadv_tp_ack_unordered()) would then fail to correctly ack packets.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 0fc4ca78e84ebe..e8941f753a9697 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1325,7 +1325,7 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
* one is attached _after_ it. In this way the list is kept in
* ascending order
*/
- list_add_tail(&new->list, &un->list);
+ list_add(&new->list, &un->list);
added = true;
break;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 003/120] batman-adv: tp_meter: initialize dup_acks explicitly
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 001/120] KVM: x86: Fix shadow paging use-after-free due to unexpected role Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 002/120] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
@ 2026-07-02 16:19 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 004/120] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
` (122 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:19 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit b2b68b32a715e0328662801576974aa37b942b00 upstream.
When an ack with a sequence number equal to the last_acked is received, the
dup_acks counter is increased to decide whether fast retransmit should be
performed. Only when the sequence numbers are not equal, the dup_acks is
set to the initial value (0).
But if the initial packet would have the sequence number
BATADV_TP_FIRST_SEQ, dup_acks would not be initialized and atomic_inc would
operate on an undefined starting value. It is therefore required to have it
explicitly initialized during the start of the sender session.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index e8941f753a9697..0325b951ff8a8e 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1045,6 +1045,7 @@ void batadv_tp_start(struct batadv_priv *bat_priv, const u8 *dst,
tp_vars->icmp_uid = icmp_uid;
tp_vars->last_sent = BATADV_TP_FIRST_SEQ;
+ atomic_set(&tp_vars->dup_acks, 0);
atomic_set(&tp_vars->last_acked, BATADV_TP_FIRST_SEQ);
tp_vars->fast_recovery = false;
tp_vars->recover = BATADV_TP_FIRST_SEQ;
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 004/120] batman-adv: tp_meter: initialize dec_cwnd explicitly
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-07-02 16:19 ` [PATCH 7.1 003/120] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 005/120] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
` (121 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit febfb1b86224489535312296ecfa3d4bf467f339 upstream.
When batadv_tp_update_cwnd() is called, dec_cwnd is increased. But dec_cwnd
is only initialixed (to 0) when a duplicate Ack was received or when cwnd
is below the ss_threshold.
Just initialize the cwnd during the initialization to avoid any potential
access of uninitialized data.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 0325b951ff8a8e..2ff7aa5ed19fb3 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1055,6 +1055,8 @@ void batadv_tp_start(struct batadv_priv *bat_priv, const u8 *dst,
* mesh_interface, hence its MTU
*/
tp_vars->cwnd = BATADV_TP_PLEN * 3;
+ tp_vars->dec_cwnd = 0;
+
/* at the beginning initialise the SS threshold to the biggest possible
* window size, hence the AWND size
*/
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 005/120] batman-adv: tp_meter: avoid window underflow
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 004/120] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 006/120] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
` (120 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 765947b81fb54b6ebb0bc1cfe55c0fa399e002b8 upstream.
In batadv_tp_avail(), win_left is calculated with 32-bit unsigned
arithmetic: win_left = win_limit - tp_vars->last_sent;
During Fast Recovery, cwnd is inflated and last_sent advances rapidly. When
Fast Recovery ends, cwnd drops abruptly back to ss_threshold. If the newly
shrunk win_limit is less than last_sent, the unsigned subtraction will
underflow, wrapping to a massive positive value. Instead of returning that
the window is full (unavailable), it returns that the sender can continue
sending.
To handle this situation, it must be checked whether the windows end
sequence number (win_limit) has to be compared with the last sent sequence
number. If it would be before the last sent sequence number, then more acks
are needed before the transmission can be started again.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 2ff7aa5ed19fb3..d3b8f02ca08b14 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -817,10 +817,15 @@ static void batadv_tp_recv_ack(struct batadv_priv *bat_priv,
static bool batadv_tp_avail(struct batadv_tp_vars *tp_vars,
size_t payload_len)
{
+ u32 last_sent = READ_ONCE(tp_vars->last_sent);
u32 win_left, win_limit;
win_limit = atomic_read(&tp_vars->last_acked) + tp_vars->cwnd;
- win_left = win_limit - tp_vars->last_sent;
+
+ if (batadv_seq_before(last_sent, win_limit))
+ win_left = win_limit - last_sent;
+ else
+ win_left = 0;
return win_left >= payload_len;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 006/120] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 005/120] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 007/120] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
` (119 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 33ccd52f3cc9ed46ce395199f89aa3234dc83314 upstream.
The cwnd is always MSS <= cwnd <= 0x20000000. But the calculation in
batadv_tp_update_cwnd() assumes unsigned 32 bit arithmetics.
((mss * 8) ** 2) / (cwnd * 8)
In case cwnd is actually 0x20000000, it will be shifted by 3 bit to the
left end up at 0x100000000 or U32_MAX + 1. It will therefore wrap around
and be 0 - resulting in:
((mss * 8) ** 2) / 0
This is of course invalid and cannot be calculated. The calculation should
must be simplified to avoid this overflow:
(mss ** 2) * 8 / cwnd
It will keep the precision enhancement from the scaling (by 8) but avoid
the overflow in the divisor.
In theory, there could still be an overflow in the dividend. It is at the
moment fixed to BATADV_TP_PLEN in batadv_tp_recv_ack() - so it is not an
imminent problem. But allowing it to use the whole u32 bit range, would
mean that it can still use up to 67 bits. To keep this calculation safe for
32 bit arithmetic, mss must never use more than floor((32 - 3) / 2) bits -
or in other words: must never be larger than 16383.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index d3b8f02ca08b14..e4f76c141af3e2 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -154,9 +154,12 @@ static void batadv_tp_update_cwnd(struct batadv_tp_vars *tp_vars, u32 mss)
return;
}
+ /* prevent overflow in (mss * mss) << 3 */
+ mss = min_t(u32, mss, (1U << 14) - 1);
+
/* increment CWND at least of 1 (section 3.1 of RFC5681) */
tp_vars->dec_cwnd += max_t(u32, 1U << 3,
- ((mss * mss) << 6) / (tp_vars->cwnd << 3));
+ ((mss * mss) << 3) / tp_vars->cwnd);
if (tp_vars->dec_cwnd < (mss << 3)) {
spin_unlock_bh(&tp_vars->cwnd_lock);
return;
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 007/120] batman-adv: tp_meter: fix fast recovery precondition
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 006/120] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 008/120] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
` (118 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 2b0d08f08ed3b2174f05c43089ec65f3543a025b upstream.
The fast recovery precondition checks if the recover (initialized to
BATADV_TP_FIRST_SEQ) is bigger than the received ack. But since recover is
only updated when this check is successful, it will never enter the fast
recovery mode.
According to RFC6582 Section 3.2 step 2, the check should actually be
different:
> When the third duplicate ACK is received, the TCP sender first
> checks the value of recover to see if the Cumulative
> Acknowledgment field covers more than recover
The precondition must therefore check if recover is smaller than the
received ack - basically swapping the operands of the current check.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index e4f76c141af3e2..77bc69573a5624 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -733,7 +733,7 @@ static void batadv_tp_recv_ack(struct batadv_priv *bat_priv,
if (atomic_read(&tp_vars->dup_acks) != 3)
goto out;
- if (recv_ack >= tp_vars->recover)
+ if (tp_vars->recover >= recv_ack)
goto out;
/* if this is the third duplicate ACK do Fast Retransmit */
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 008/120] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 007/120] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 009/120] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
` (117 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit f54c85ed42a1b27a516cf2a4728f5a612b799e07 upstream.
The recover variable and the last_sent sequence number are initialized on
purpose as a really high value which will wrap-around after the first 2000
bytes. The fast recovery precondition must therefore not use simple integer
comparisons but use helpers which are aware of the sequence number
wrap-arounds.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 77bc69573a5624..0801dcf93540ac 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -733,7 +733,7 @@ static void batadv_tp_recv_ack(struct batadv_priv *bat_priv,
if (atomic_read(&tp_vars->dup_acks) != 3)
goto out;
- if (tp_vars->recover >= recv_ack)
+ if (!batadv_seq_before(tp_vars->recover, recv_ack))
goto out;
/* if this is the third duplicate ACK do Fast Retransmit */
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 009/120] batman-adv: tp_meter: add only finished tp_vars to lists
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 008/120] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 010/120] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
` (116 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 15ccbf685222274f5add1387af58c2a41a95f81e upstream.
When the receiver variables (aka "session") are initialized, then they are
added to the list of sessions before the timer is set up. A RCU protected
reader could therefore find the entry and run mod_setup before
batadv_tp_init_recv() finished the timer initialization.
The same is true for batadv_tp_start(), which must first initialize the
finish_work and the test_length to avoid a similar problem.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 0801dcf93540ac..7bfad65c862e9a 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1096,21 +1096,21 @@ void batadv_tp_start(struct batadv_priv *bat_priv, const u8 *dst,
tp_vars->prerandom_offset = 0;
spin_lock_init(&tp_vars->prerandom_lock);
- kref_get(&tp_vars->refcount);
- hlist_add_head_rcu(&tp_vars->list, &bat_priv->tp_list);
- spin_unlock_bh(&bat_priv->tp_list_lock);
-
tp_vars->test_length = test_length;
if (!tp_vars->test_length)
tp_vars->test_length = BATADV_TP_DEF_TEST_LENGTH;
+ /* init work item for finished tp tests */
+ INIT_DELAYED_WORK(&tp_vars->finish_work, batadv_tp_sender_finish);
+
+ kref_get(&tp_vars->refcount);
+ hlist_add_head_rcu(&tp_vars->list, &bat_priv->tp_list);
+ spin_unlock_bh(&bat_priv->tp_list_lock);
+
batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
"Meter: starting throughput meter towards %pM (length=%ums)\n",
dst, test_length);
- /* init work item for finished tp tests */
- INIT_DELAYED_WORK(&tp_vars->finish_work, batadv_tp_sender_finish);
-
/* start tp kthread. This way the write() call issued from userspace can
* happily return and avoid to block
*/
@@ -1430,10 +1430,10 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
INIT_LIST_HEAD(&tp_vars->unacked_list);
kref_get(&tp_vars->refcount);
- hlist_add_head_rcu(&tp_vars->list, &bat_priv->tp_list);
+ timer_setup(&tp_vars->timer, batadv_tp_receiver_shutdown, 0);
kref_get(&tp_vars->refcount);
- timer_setup(&tp_vars->timer, batadv_tp_receiver_shutdown, 0);
+ hlist_add_head_rcu(&tp_vars->list, &bat_priv->tp_list);
batadv_tp_reset_receiver_timer(tp_vars);
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 010/120] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 009/120] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 011/120] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
` (115 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 98b0fb191c878a64cbaebfe231d96d57576acf8c upstream.
The lasttime field for claim, backbone_gw, and loopdetect tracks the
jiffies value of the most recent activity and is used to detect timeouts.
These accesses are not consistently protected by a lock, so
READ_ONCE/WRITE_ONCE must be used to prevent data races caused by compiler
optimizations.
Cc: stable@kernel.org
Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bridge_loop_avoidance.c | 28 +++++++++++++-------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index ffe854018bd3a5..7f643de42579df 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -512,7 +512,7 @@ batadv_bla_get_backbone_gw(struct batadv_priv *bat_priv, const u8 *orig,
return NULL;
entry->vid = vid;
- entry->lasttime = jiffies;
+ WRITE_ONCE(entry->lasttime, jiffies);
entry->crc = BATADV_BLA_CRC_INIT;
entry->bat_priv = bat_priv;
spin_lock_init(&entry->crc_lock);
@@ -580,7 +580,7 @@ batadv_bla_update_own_backbone_gw(struct batadv_priv *bat_priv,
if (unlikely(!backbone_gw))
return;
- backbone_gw->lasttime = jiffies;
+ WRITE_ONCE(backbone_gw->lasttime, jiffies);
batadv_backbone_gw_put(backbone_gw);
}
@@ -714,7 +714,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv,
ether_addr_copy(claim->addr, mac);
spin_lock_init(&claim->backbone_lock);
claim->vid = vid;
- claim->lasttime = jiffies;
+ WRITE_ONCE(claim->lasttime, jiffies);
kref_get(&backbone_gw->refcount);
claim->backbone_gw = backbone_gw;
kref_init(&claim->refcount);
@@ -736,7 +736,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv,
return;
}
} else {
- claim->lasttime = jiffies;
+ WRITE_ONCE(claim->lasttime, jiffies);
if (claim->backbone_gw == backbone_gw)
/* no need to register a new backbone */
goto claim_free_ref;
@@ -769,7 +769,7 @@ static void batadv_bla_add_claim(struct batadv_priv *bat_priv,
spin_lock_bh(&backbone_gw->crc_lock);
backbone_gw->crc ^= crc16(0, claim->addr, ETH_ALEN);
spin_unlock_bh(&backbone_gw->crc_lock);
- backbone_gw->lasttime = jiffies;
+ WRITE_ONCE(backbone_gw->lasttime, jiffies);
claim_free_ref:
batadv_claim_put(claim);
@@ -858,7 +858,7 @@ static bool batadv_handle_announce(struct batadv_priv *bat_priv, u8 *an_addr,
return true;
/* handle as ANNOUNCE frame */
- backbone_gw->lasttime = jiffies;
+ WRITE_ONCE(backbone_gw->lasttime, jiffies);
crc = ntohs(*((__force __be16 *)(&an_addr[4])));
batadv_dbg(BATADV_DBG_BLA, bat_priv,
@@ -1253,7 +1253,7 @@ static void batadv_bla_purge_backbone_gw(struct batadv_priv *bat_priv, int now)
head, hash_entry) {
if (now)
goto purge_now;
- if (!batadv_has_timed_out(backbone_gw->lasttime,
+ if (!batadv_has_timed_out(READ_ONCE(backbone_gw->lasttime),
BATADV_BLA_BACKBONE_TIMEOUT))
continue;
@@ -1334,7 +1334,7 @@ static void batadv_bla_purge_claims(struct batadv_priv *bat_priv,
primary_if->net_dev->dev_addr))
goto skip;
- if (!batadv_has_timed_out(claim->lasttime,
+ if (!batadv_has_timed_out(READ_ONCE(claim->lasttime),
BATADV_BLA_CLAIM_TIMEOUT))
goto skip;
@@ -1494,7 +1494,7 @@ static void batadv_bla_periodic_work(struct work_struct *work)
eth_random_addr(bat_priv->bla.loopdetect_addr);
bat_priv->bla.loopdetect_addr[0] = 0xba;
bat_priv->bla.loopdetect_addr[1] = 0xbe;
- bat_priv->bla.loopdetect_lasttime = jiffies;
+ WRITE_ONCE(bat_priv->bla.loopdetect_lasttime, jiffies);
atomic_set(&bat_priv->bla.loopdetect_next,
BATADV_BLA_LOOPDETECT_PERIODS);
@@ -1515,7 +1515,7 @@ static void batadv_bla_periodic_work(struct work_struct *work)
primary_if->net_dev->dev_addr))
continue;
- backbone_gw->lasttime = jiffies;
+ WRITE_ONCE(backbone_gw->lasttime, jiffies);
batadv_bla_send_announce(bat_priv, backbone_gw);
if (send_loopdetect)
@@ -1899,7 +1899,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
/* If the packet came too late, don't forward it on the mesh
* but don't consider that as loop. It might be a coincidence.
*/
- if (batadv_has_timed_out(bat_priv->bla.loopdetect_lasttime,
+ if (batadv_has_timed_out(READ_ONCE(bat_priv->bla.loopdetect_lasttime),
BATADV_BLA_LOOPDETECT_TIMEOUT))
return true;
@@ -2014,7 +2014,7 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
if (own_claim) {
/* ... allow it in any case */
- claim->lasttime = jiffies;
+ WRITE_ONCE(claim->lasttime, jiffies);
goto allow;
}
@@ -2116,7 +2116,7 @@ bool batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb,
/* if yes, the client has roamed and we have
* to unclaim it.
*/
- if (batadv_has_timed_out(claim->lasttime, 100)) {
+ if (batadv_has_timed_out(READ_ONCE(claim->lasttime), 100)) {
/* only unclaim if the last claim entry is
* older than 100 ms to make sure we really
* have a roaming client here.
@@ -2361,7 +2361,7 @@ batadv_bla_backbone_dump_entry(struct sk_buff *msg, u32 portid,
backbone_crc = backbone_gw->crc;
spin_unlock_bh(&backbone_gw->crc_lock);
- msecs = jiffies_to_msecs(jiffies - backbone_gw->lasttime);
+ msecs = jiffies_to_msecs(jiffies - READ_ONCE(backbone_gw->lasttime));
if (is_own)
if (nla_put_flag(msg, BATADV_ATTR_BLA_OWN)) {
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 011/120] batman-adv: prevent ELP transmission interval underflow
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 010/120] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 012/120] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
` (114 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 5e50d4b8ae3ea622122d3c6a38d7f6fe68dfddca upstream.
batadv_v_elp_start_timer() enqeues a delayed work. The time when it starts
is randomly chosen between (elp_interval - BATADV_JITTER) and
(elp_interval + BATADV_JITTER). The configured elp_interval must therefore
be larger or equal to BATADV_JITTER to avoid that it causes an underflow of
the unsigned integer. If this would happen, then a "fast" ELP interval
would turn into a "day long" delay.
At the same time, it must not be larger than the maximum value the variable
can store.
Cc: stable@kernel.org
Fixes: a10800829040 ("batman-adv: Add elp_interval hardif genl configuration")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/netlink.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c
index 78c651f634cd39..1d144d8cc0928e 100644
--- a/net/batman-adv/netlink.c
+++ b/net/batman-adv/netlink.c
@@ -917,9 +917,15 @@ static int batadv_netlink_set_hardif(struct sk_buff *skb,
#ifdef CONFIG_BATMAN_ADV_BATMAN_V
if (info->attrs[BATADV_ATTR_ELP_INTERVAL]) {
+ u32 elp_interval;
+
attr = info->attrs[BATADV_ATTR_ELP_INTERVAL];
+ elp_interval = nla_get_u32(attr);
+
+ elp_interval = min_t(u32, elp_interval, INT_MAX);
+ elp_interval = max_t(u32, elp_interval, BATADV_JITTER);
- atomic_set(&hard_iface->bat_v.elp_interval, nla_get_u32(attr));
+ atomic_set(&hard_iface->bat_v.elp_interval, elp_interval);
}
if (info->attrs[BATADV_ATTR_THROUGHPUT_OVERRIDE]) {
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 012/120] batman-adv: tp_meter: initialize last_recv_time during init
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 011/120] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 013/120] batman-adv: gw: dont deselect gateway with active hardif Greg Kroah-Hartman
` (113 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 811cb00fa8cdc3f0a7f6eefc000a6888367c8c8f upstream.
The last_recv_time is the most important indicator for a receiver session
to figure out whether a session timed out or not. But this information was
only initialized after the session was added to the tp_receiver_list and
after the timer was started.
In the worst case, the timer (function) could have tried to access this
information before the actual initialization was reached. Like rest of the
variables of the tp_meter receiver session, this field has to be filled out
before any other (parallel running) context has the chance to access it.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 7bfad65c862e9a..397b9456353568 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1403,8 +1403,10 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig,
icmp->session, BATADV_TP_RECEIVER);
- if (tp_vars)
+ if (tp_vars) {
+ tp_vars->last_recv_time = jiffies;
goto out_unlock;
+ }
if (!atomic_add_unless(&bat_priv->tp_num, 1, BATADV_TP_MAX_NUM)) {
batadv_dbg(BATADV_DBG_TP_METER, bat_priv,
@@ -1432,6 +1434,8 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
kref_get(&tp_vars->refcount);
timer_setup(&tp_vars->timer, batadv_tp_receiver_shutdown, 0);
+ tp_vars->last_recv_time = jiffies;
+
kref_get(&tp_vars->refcount);
hlist_add_head_rcu(&tp_vars->list, &bat_priv->tp_list);
@@ -1480,9 +1484,9 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
icmp->orig);
goto out;
}
- }
- tp_vars->last_recv_time = jiffies;
+ tp_vars->last_recv_time = jiffies;
+ }
/* if the packet is a duplicate, it may be the case that an ACK has been
* lost. Resend the ACK
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 013/120] batman-adv: gw: dont deselect gateway with active hardif
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 012/120] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 014/120] batman-adv: ensure bcast is writable before modifying TTL Greg Kroah-Hartman
` (112 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Nora Schiffer,
Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit df97a7107b16375a10a36d7a63e9b4291a8ac680 upstream.
The batadv_hardif_cnt() was previously checking if there is an
batadv_hard_iface->mesh_iface which is has the same mesh_iface. And since
batadv_hardif_disable_interface() was resetting the
batadv_hard_iface->mesh_iface after this check, it had to verify whether
*1* interface was still part of the mesh_iface before it started the
gateway deselection.
But after batadv_hardif_cnt() is now checking the lower interfaces of
mesh_iface and batadv_hardif_disable_interface() already removed the
interface via netdev_upper_dev_unlink() earlier in this function, the check
must now make sure that *0* interfaces can be found by batadv_hardif_cnt()
before selected gateway must be deselected. Otherwise the deselection would
already happen one batadv_hard_iface too early.
Because a 0 hardif count from batadv_hardif_cnt() is equal to an empty
list, it is possible to replace the counting with a simple list_empty().
Cc: stable@kernel.org
Fixes: 7dc284702bcd ("batman-adv: store hard_iface as iflink private data")
Reviewed-by: Nora Schiffer <neocturne@universe-factory.net>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/hard-interface.c | 28 ++--------------------------
1 file changed, 2 insertions(+), 26 deletions(-)
diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
index d6732c34aeafc8..c7dbd24ea19985 100644
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -786,30 +786,6 @@ int batadv_hardif_enable_interface(struct batadv_hard_iface *hard_iface,
return ret;
}
-/**
- * batadv_hardif_cnt() - get number of interfaces enslaved to mesh interface
- * @mesh_iface: mesh interface to check
- *
- * This function is only using RCU for locking - the result can therefore be
- * off when another function is modifying the list at the same time. The
- * caller can use the rtnl_lock to make sure that the count is accurate.
- *
- * Return: number of connected/enslaved hard interfaces
- */
-static size_t batadv_hardif_cnt(struct net_device *mesh_iface)
-{
- struct batadv_hard_iface *hard_iface;
- struct list_head *iter;
- size_t count = 0;
-
- rcu_read_lock();
- netdev_for_each_lower_private_rcu(mesh_iface, hard_iface, iter)
- count++;
- rcu_read_unlock();
-
- return count;
-}
-
/**
* batadv_hardif_disable_interface() - Remove hard interface from mesh interface
* @hard_iface: hard interface to be removed
@@ -850,8 +826,8 @@ void batadv_hardif_disable_interface(struct batadv_hard_iface *hard_iface)
netdev_upper_dev_unlink(hard_iface->net_dev, hard_iface->mesh_iface);
batadv_hardif_recalc_extra_skbroom(hard_iface->mesh_iface);
- /* nobody uses this interface anymore */
- if (batadv_hardif_cnt(hard_iface->mesh_iface) <= 1)
+ /* nobody uses this mesh interface anymore */
+ if (list_empty(&hard_iface->mesh_iface->adj_list.lower))
batadv_gw_check_client_stop(bat_priv);
hard_iface->mesh_iface = NULL;
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 014/120] batman-adv: ensure bcast is writable before modifying TTL
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 013/120] batman-adv: gw: dont deselect gateway with active hardif Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 015/120] batman-adv: fix (m|b)cast csum after decrementing TTL Greg Kroah-Hartman
` (111 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 4cd6d3a4b96a8576f1fed8f9f9f17c2dc2978e0c upstream.
Before batman-adv is allowed to write to an skb, it either has to have its
own copy of the skb or used skb_cow() to ensure that the data part is not
shared.
The old implementation used a shared queue and created copies before
attempting to write to it. But with the new implementation, the broadcast
packet is already modified when it gets received. Potentially writing to
shared buffers in this process.
Adding a skb_cow() right before this operation avoids this and can at the
same time prepare it for the modifications required to rebroadcast the
packet.
Cc: stable@kernel.org
Fixes: 3f69339068f9 ("batman-adv: bcast: queue per interface, if needed")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/routing.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 12c16f81cc51df..0672dc30bed3b1 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -1191,6 +1191,12 @@ int batadv_recv_bcast_packet(struct sk_buff *skb,
if (batadv_is_my_mac(bat_priv, bcast_packet->orig))
goto free_skb;
+ /* create a copy of the skb, if needed, to modify it. */
+ if (skb_cow(skb, ETH_HLEN) < 0)
+ goto free_skb;
+
+ bcast_packet = (struct batadv_bcast_packet *)skb->data;
+
if (bcast_packet->ttl-- < 2)
goto free_skb;
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 015/120] batman-adv: fix (m|b)cast csum after decrementing TTL
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 014/120] batman-adv: ensure bcast is writable before modifying TTL Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 016/120] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
` (110 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit e728bbdf32660c8f32b8f5e8d09427a2c131ad60 upstream.
The broadcast and multicast packets can be received at the same time by the
local system and forwarded to other nodes. Both are simply decrementing the
TTL at the beginning of the receive path - independent of chosen paths
(receive/forward). But such a modification of the data conflicts with the
hw csum. This is not a problem when the packet is directly forwarded but
can cause errors in the local receive path.
Such a problem can then trigger a "hw csum failure". The receiver path must
therefore ensure that the csum is fixed for each modification of the
payload before batadv_interface_rx() is reached.
Since all batman-adv packet types with a ttl have it as u8 at offset 2, a
helper can be used for all of them. But it is only used at the moment for
batadv_bcast_packet and batadv_mcast_packet because they are the only ones
which deliver the packet locally but unconditionally modify the TTL.
Cc: stable@kernel.org
Fixes: 3f69339068f9 ("batman-adv: bcast: queue per interface, if needed")
Fixes: 07afe1ba288c ("batman-adv: mcast: implement multicast packet reception and forwarding")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/routing.c | 58 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 56 insertions(+), 2 deletions(-)
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 0672dc30bed3b1..cdcea90db61235 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -8,6 +8,7 @@
#include "main.h"
#include <linux/atomic.h>
+#include <linux/build_bug.h>
#include <linux/byteorder/generic.h>
#include <linux/compiler.h>
#include <linux/errno.h>
@@ -204,6 +205,59 @@ bool batadv_check_management_packet(struct sk_buff *skb,
return true;
}
+/**
+ * batadv_skb_decrement_ttl() - decrement ttl in a batman-adv header, csum-safe
+ * @skb: the received packet with @skb->data pointing to the batman-adv header
+ *
+ * Supports the following packet types, all of which carry the TTL at offset 2:
+ *
+ * - batadv_ogm_packet
+ * - batadv_ogm2_packet
+ * - batadv_icmp_header
+ * - batadv_icmp_packet
+ * - batadv_icmp_tp_packet
+ * - batadv_icmp_packet_rr
+ * - batadv_unicast_packet
+ * - batadv_frag_packet
+ * - batadv_bcast_packet
+ * - batadv_mcast_packet
+ * - batadv_coded_packet
+ * - batadv_unicast_tvlv_packet
+ *
+ * Return: true if the packet may be forwarded (ttl decremented),
+ * false if it must be dropped (ttl would expire)
+ */
+static bool batadv_skb_decrement_ttl(struct sk_buff *skb)
+{
+ static const size_t ttl_offset = 2;
+ u8 *ttl_pos;
+
+ BUILD_BUG_ON(offsetof(struct batadv_ogm_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_ogm2_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_icmp_header, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_icmp_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_icmp_tp_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_icmp_packet_rr, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_unicast_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_frag_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_bcast_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_mcast_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_coded_packet, ttl) != ttl_offset);
+ BUILD_BUG_ON(offsetof(struct batadv_unicast_tvlv_packet, ttl) != ttl_offset);
+
+ ttl_pos = skb->data + ttl_offset;
+
+ /* would expire on this hop -> drop, leave header + csum untouched */
+ if (*ttl_pos < 2)
+ return false;
+
+ skb_postpull_rcsum(skb, ttl_pos, 1);
+ (*ttl_pos)--;
+ skb_postpush_rcsum(skb, ttl_pos, 1);
+
+ return true;
+}
+
/**
* batadv_recv_my_icmp_packet() - receive an icmp packet locally
* @bat_priv: the bat priv with all the mesh interface information
@@ -1197,7 +1251,7 @@ int batadv_recv_bcast_packet(struct sk_buff *skb,
bcast_packet = (struct batadv_bcast_packet *)skb->data;
- if (bcast_packet->ttl-- < 2)
+ if (!batadv_skb_decrement_ttl(skb))
goto free_skb;
orig_node = batadv_orig_hash_find(bat_priv, bcast_packet->orig);
@@ -1304,7 +1358,7 @@ int batadv_recv_mcast_packet(struct sk_buff *skb,
goto free_skb;
mcast_packet = (struct batadv_mcast_packet *)skb->data;
- if (mcast_packet->ttl-- < 2)
+ if (!batadv_skb_decrement_ttl(skb))
goto free_skb;
tvlv_buff = (unsigned char *)(skb->data + hdr_size);
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 016/120] batman-adv: frag: ensure fragment is writable before modifying TTL
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 015/120] batman-adv: fix (m|b)cast csum after decrementing TTL Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 017/120] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
` (109 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit b7293c6e8c15b2db77809b25cf8389e35331b27a upstream.
Before batman-adv is allowed to write to an skb, it either has to have its
own copy of the skb or use skb_cow() to ensure that the data part is not
shared. But batadv_frag_skb_fwd() modifies the TTL even when it is shared.
Adding a skb_cow() right before this operation avoids this and can at the
same time prepare it for the modifications required to forward the
fragment.
Cc: stable@kernel.org
Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/fragmentation.c | 15 ++++++++++++++-
net/batman-adv/fragmentation.h | 3 ++-
net/batman-adv/routing.c | 3 +--
3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
index e9553db423491a..5c2a7629e4e09d 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -384,6 +384,8 @@ bool batadv_frag_skb_buffer(struct sk_buff **skb,
* @skb: skb to forward
* @recv_if: interface that the skb is received on
* @orig_node_src: originator that the skb is received from
+ * @rx_result: set to NET_RX_SUCCESS when the fragment was forwarded and
+ * NET_RX_DROP when it was dropped; only valid when true is returned
*
* Look up the next-hop of the fragments payload and check if the merged packet
* will exceed the MTU towards the next-hop. If so, the fragment is forwarded
@@ -393,7 +395,8 @@ bool batadv_frag_skb_buffer(struct sk_buff **skb,
*/
bool batadv_frag_skb_fwd(struct sk_buff *skb,
struct batadv_hard_iface *recv_if,
- struct batadv_orig_node *orig_node_src)
+ struct batadv_orig_node *orig_node_src,
+ int *rx_result)
{
struct batadv_priv *bat_priv = netdev_priv(recv_if->mesh_iface);
struct batadv_neigh_node *neigh_node = NULL;
@@ -412,12 +415,22 @@ bool batadv_frag_skb_fwd(struct sk_buff *skb,
*/
total_size = ntohs(packet->total_size);
if (total_size > neigh_node->if_incoming->net_dev->mtu) {
+ if (skb_cow(skb, ETH_HLEN) < 0) {
+ kfree_skb(skb);
+ *rx_result = NET_RX_DROP;
+ ret = true;
+ goto out;
+ }
+
+ packet = (struct batadv_frag_packet *)skb->data;
+
batadv_inc_counter(bat_priv, BATADV_CNT_FRAG_FWD);
batadv_add_counter(bat_priv, BATADV_CNT_FRAG_FWD_BYTES,
skb->len + ETH_HLEN);
packet->ttl--;
batadv_send_unicast_skb(skb, neigh_node);
+ *rx_result = NET_RX_SUCCESS;
ret = true;
}
diff --git a/net/batman-adv/fragmentation.h b/net/batman-adv/fragmentation.h
index dbf0871f870303..51e281027ab630 100644
--- a/net/batman-adv/fragmentation.h
+++ b/net/batman-adv/fragmentation.h
@@ -19,7 +19,8 @@ void batadv_frag_purge_orig(struct batadv_orig_node *orig,
bool (*check_cb)(struct batadv_frag_table_entry *));
bool batadv_frag_skb_fwd(struct sk_buff *skb,
struct batadv_hard_iface *recv_if,
- struct batadv_orig_node *orig_node_src);
+ struct batadv_orig_node *orig_node_src,
+ int *rx_result);
bool batadv_frag_skb_buffer(struct sk_buff **skb,
struct batadv_orig_node *orig_node);
int batadv_frag_send_packet(struct sk_buff *skb,
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index cdcea90db61235..4483f8d9c75831 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -1168,10 +1168,9 @@ int batadv_recv_frag_packet(struct sk_buff *skb,
/* Route the fragment if it is not for us and too big to be merged. */
if (!batadv_is_my_mac(bat_priv, frag_packet->dest) &&
- batadv_frag_skb_fwd(skb, recv_if, orig_node_src)) {
+ batadv_frag_skb_fwd(skb, recv_if, orig_node_src, &ret)) {
/* skb was consumed */
skb = NULL;
- ret = NET_RX_SUCCESS;
goto put_orig_node;
}
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 017/120] batman-adv: frag: avoid underflow of TTL
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 016/120] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 018/120] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
` (108 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 493d9d2528e1a09b090e4b37f0f553def7bd5ce9 upstream.
Packets with a TTL are using it to limit the amount of time this packet can
be forwarded. But for batadv_frag_packet, the TTL was always only reduced
but it was never evaluated. It could even underflow without any effect.
Check the TTL in batadv_frag_skb_fwd() before attempting to prepare it for
forwarding. This keeps it in sync with the not fragmented unicast packet.
Cc: stable@kernel.org
Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/fragmentation.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
index 5c2a7629e4e09d..9a5927ecc4746f 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -415,6 +415,13 @@ bool batadv_frag_skb_fwd(struct sk_buff *skb,
*/
total_size = ntohs(packet->total_size);
if (total_size > neigh_node->if_incoming->net_dev->mtu) {
+ if (packet->ttl < 2) {
+ kfree_skb(skb);
+ *rx_result = NET_RX_DROP;
+ ret = true;
+ goto out;
+ }
+
if (skb_cow(skb, ETH_HLEN) < 0) {
kfree_skb(skb);
*rx_result = NET_RX_DROP;
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 018/120] batman-adv: v: prevent OGM aggregation on disabled hardif
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 017/120] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 019/120] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
` (107 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit d11c00b95b2a3b3934007fc003dccc6fdcc061ad upstream.
When an interface gets disabled, the worker is correctly disabled by
batadv_hardif_disable_interface() -> ... -> batadv_v_ogm_iface_disable().
In this process, the skb aggr_list is also freed.
But batadv_v_ogm_send_meshif() can still queue new skbs (via
batadv_v_ogm_queue_on_if()) to the aggr_list. This will only stop after all
cores can no longer find the RCU protected list of hard interfaces. These
queued skbs will never be freed or consumed by batadv_v_ogm_aggr_work.
The batadv_v_ogm_iface_disable() function must block
batadv_v_ogm_queue_on_if() to avoid leak of skbs.
Cc: stable@kernel.org
Fixes: f89255a02f1d ("batman-adv: BATMAN_V: introduce per hard-iface OGMv2 queues")
[ Context ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bat_v.c | 1 +
net/batman-adv/bat_v_ogm.c | 12 ++++++++++++
net/batman-adv/types.h | 6 ++++++
3 files changed, 19 insertions(+)
diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c
index de94447142642e..17d2a1ccdce67a 100644
--- a/net/batman-adv/bat_v.c
+++ b/net/batman-adv/bat_v.c
@@ -817,6 +817,7 @@ void batadv_v_hardif_init(struct batadv_hard_iface *hard_iface)
hard_iface->bat_v.aggr_len = 0;
skb_queue_head_init(&hard_iface->bat_v.aggr_list);
+ hard_iface->bat_v.aggr_list_enabled = false;
INIT_DELAYED_WORK(&hard_iface->bat_v.aggr_wq,
batadv_v_ogm_aggr_work);
}
diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
index d66ca77b1aaa3c..6852bf5da8c558 100644
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -252,11 +252,18 @@ static void batadv_v_ogm_queue_on_if(struct batadv_priv *bat_priv,
}
spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
+ if (!hard_iface->bat_v.aggr_list_enabled) {
+ kfree_skb(skb);
+ goto unlock;
+ }
+
if (!batadv_v_ogm_queue_left(skb, hard_iface))
batadv_v_ogm_aggr_send(bat_priv, hard_iface);
hard_iface->bat_v.aggr_len += batadv_v_ogm_len(skb);
__skb_queue_tail(&hard_iface->bat_v.aggr_list, skb);
+
+unlock:
spin_unlock_bh(&hard_iface->bat_v.aggr_list.lock);
}
@@ -417,6 +424,10 @@ int batadv_v_ogm_iface_enable(struct batadv_hard_iface *hard_iface)
{
struct batadv_priv *bat_priv = netdev_priv(hard_iface->mesh_iface);
+ spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
+ hard_iface->bat_v.aggr_list_enabled = true;
+ spin_unlock_bh(&hard_iface->bat_v.aggr_list.lock);
+
batadv_v_ogm_start_queue_timer(hard_iface);
batadv_v_ogm_start_timer(bat_priv);
@@ -432,6 +443,7 @@ void batadv_v_ogm_iface_disable(struct batadv_hard_iface *hard_iface)
cancel_delayed_work_sync(&hard_iface->bat_v.aggr_wq);
spin_lock_bh(&hard_iface->bat_v.aggr_list.lock);
+ hard_iface->bat_v.aggr_list_enabled = false;
batadv_v_ogm_aggr_list_free(hard_iface);
spin_unlock_bh(&hard_iface->bat_v.aggr_list.lock);
}
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index a01ee46d97f34f..765ba71fe8c69f 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -130,6 +130,12 @@ struct batadv_hard_iface_bat_v {
/** @aggr_list: queue for to be aggregated OGM packets */
struct sk_buff_head aggr_list;
+ /**
+ * @aggr_list_enabled: aggr_list is active and new skbs can be
+ * enqueued. Protected by aggr_list.lock after initialization
+ */
+ bool aggr_list_enabled:1;
+
/** @aggr_len: size of the OGM aggregate (excluding ethernet header) */
unsigned int aggr_len;
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 019/120] batman-adv: tp_meter: restrict number of unacked list entries
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 018/120] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 020/120] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
` (106 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit e7c775110e1858e5a7471a23a9c9658c0af9df89 upstream.
When the unacked_list is unbound, an attacker could send messages with
small lengths and appropriated seqno + gaps to force the receiver to
allocate more and more unacked_list entries. And the end either causing an
out-of-memory situation or increase the management overhead for the (large)
list that significant portions of CPU cycles are wasted in searching
through the list.
When limiting the list to a specific number, it is important to still
correctly add a new entry to the list. But if the list became larger than
the limit, the last entry of the list (with the highest seqno) must be
dropped to still allow the earlier seqnos to finish and therefore to
continue the process. Otherwise, the process might get stuck with too high
seqnos which are not handled by batadv_tp_ack_unordered().
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
[ Switch to pre-splitted tp_vars structure names ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 23 ++++++++++++++++++++++-
net/batman-adv/types.h | 3 +++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 397b9456353568..4f8af909893ab9 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -87,6 +87,11 @@
#define BATADV_TP_PLEN (BATADV_TP_PACKET_LEN - ETH_HLEN - \
sizeof(struct batadv_unicast_packet))
+/**
+ * BATADV_TP_MAX_UNACKED - maximum number of packets a receiver didn't yet ack
+ */
+#define BATADV_TP_MAX_UNACKED 100
+
static u8 batadv_tp_prerandom[4096] __read_mostly;
/**
@@ -1195,6 +1200,7 @@ static void batadv_tp_receiver_shutdown(struct timer_list *t)
list_for_each_entry_safe(un, safe, &tp_vars->unacked_list, list) {
list_del(&un->list);
kfree(un);
+ tp_vars->unacked_count--;
}
spin_unlock_bh(&tp_vars->unacked_lock);
@@ -1308,6 +1314,7 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
/* if the list is empty immediately attach this new object */
if (list_empty(&tp_vars->unacked_list)) {
list_add(&new->list, &tp_vars->unacked_list);
+ tp_vars->unacked_count++;
goto out;
}
@@ -1338,12 +1345,24 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
*/
list_add(&new->list, &un->list);
added = true;
+ tp_vars->unacked_count++;
break;
}
/* received packet with smallest seqno out of order; add it to front */
- if (!added)
+ if (!added) {
list_add(&new->list, &tp_vars->unacked_list);
+ tp_vars->unacked_count++;
+ }
+
+ /* remove the last (biggest) unacked seqno when list is too large */
+ if (tp_vars->unacked_count > BATADV_TP_MAX_UNACKED) {
+ un = list_last_entry(&tp_vars->unacked_list,
+ struct batadv_tp_unacked, list);
+ list_del(&un->list);
+ kfree(un);
+ tp_vars->unacked_count--;
+ }
out:
spin_unlock_bh(&tp_vars->unacked_lock);
@@ -1380,6 +1399,7 @@ static void batadv_tp_ack_unordered(struct batadv_tp_vars *tp_vars)
list_del(&un->list);
kfree(un);
+ tp_vars->unacked_count--;
}
spin_unlock_bh(&tp_vars->unacked_lock);
}
@@ -1430,6 +1450,7 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
spin_lock_init(&tp_vars->unacked_lock);
INIT_LIST_HEAD(&tp_vars->unacked_list);
+ tp_vars->unacked_count = 0;
kref_get(&tp_vars->refcount);
timer_setup(&tp_vars->timer, batadv_tp_receiver_shutdown, 0);
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 765ba71fe8c69f..4f9f1820e3a92a 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1426,6 +1426,9 @@ struct batadv_tp_vars {
/** @unacked_lock: protect unacked_list */
spinlock_t unacked_lock;
+ /** @unacked_count: number of unacked entries */
+ size_t unacked_count;
+
/** @last_recv_time: time (jiffies) a msg was received */
unsigned long last_recv_time;
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 020/120] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 019/120] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 021/120] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
` (105 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit d67c728f07fca2ee6ffdc6dd4421cf2e8691f4d1 upstream.
The last_recv_time field for batadv_tp_receiver tracks the jiffies value of
the most recent activity and is used to detect timeouts. These accesses are
not consistently protected by a lock, so READ_ONCE/WRITE_ONCE must be used
to prevent data races caused by compiler optimizations.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 4f8af909893ab9..e23b75846ebe1a 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1183,7 +1183,7 @@ static void batadv_tp_receiver_shutdown(struct timer_list *t)
bat_priv = tp_vars->bat_priv;
/* if there is recent activity rearm the timer */
- if (!batadv_has_timed_out(tp_vars->last_recv_time,
+ if (!batadv_has_timed_out(READ_ONCE(tp_vars->last_recv_time),
BATADV_TP_RECV_TIMEOUT)) {
/* reset the receiver shutdown timer */
batadv_tp_reset_receiver_timer(tp_vars);
@@ -1424,7 +1424,7 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig,
icmp->session, BATADV_TP_RECEIVER);
if (tp_vars) {
- tp_vars->last_recv_time = jiffies;
+ WRITE_ONCE(tp_vars->last_recv_time, jiffies);
goto out_unlock;
}
@@ -1455,7 +1455,7 @@ batadv_tp_init_recv(struct batadv_priv *bat_priv,
kref_get(&tp_vars->refcount);
timer_setup(&tp_vars->timer, batadv_tp_receiver_shutdown, 0);
- tp_vars->last_recv_time = jiffies;
+ WRITE_ONCE(tp_vars->last_recv_time, jiffies);
kref_get(&tp_vars->refcount);
hlist_add_head_rcu(&tp_vars->list, &bat_priv->tp_list);
@@ -1506,7 +1506,7 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
goto out;
}
- tp_vars->last_recv_time = jiffies;
+ WRITE_ONCE(tp_vars->last_recv_time, jiffies);
}
/* if the packet is a duplicate, it may be the case that an ACK has been
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 021/120] batman-adv: tp_meter: prevent parallel modifications of last_recv
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 020/120] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 022/120] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
` (104 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 6dde0cfcb36e4d5b3de35b75696937478441eed4 upstream.
When last_recv is updated to store the last receive sequence number, it is
assuming that nothing is modifying in parallel while:
* check for outdated packets is done
* out of order check is performed (and packets are stored in out-of-order
queue)
* the out-of-order queue was searched for closed gaps
* sequence number for next ack is calculated
Nothing of that was actually protected. It could therefore happen that the
last_recv was updated multiple times in parallel and the final sequence
number was calculated with deltas which had no connection to the sequence
number they were added to.
Lock this whole region with the same lock which was already used to protect
the unacked (out-of-order) list.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
[ Switch to pre-splitted tp_vars structure names ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 22 +++++++++++++---------
net/batman-adv/types.h | 2 +-
2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index e23b75846ebe1a..6a23050f03d89e 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1294,6 +1294,7 @@ static int batadv_tp_send_ack(struct batadv_priv *bat_priv, const u8 *dst,
*/
static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
const struct sk_buff *skb)
+ __must_hold(&tp_vars->unacked_lock)
{
const struct batadv_icmp_tp_packet *icmp;
struct batadv_tp_unacked *un, *new;
@@ -1310,12 +1311,11 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
payload_len = skb->len - sizeof(struct batadv_unicast_packet);
new->len = payload_len;
- spin_lock_bh(&tp_vars->unacked_lock);
/* if the list is empty immediately attach this new object */
if (list_empty(&tp_vars->unacked_list)) {
list_add(&new->list, &tp_vars->unacked_list);
tp_vars->unacked_count++;
- goto out;
+ return true;
}
/* otherwise loop over the list and either drop the packet because this
@@ -1364,9 +1364,6 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
tp_vars->unacked_count--;
}
-out:
- spin_unlock_bh(&tp_vars->unacked_lock);
-
return true;
}
@@ -1376,6 +1373,7 @@ static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
* @tp_vars: the private data of the current TP meter session
*/
static void batadv_tp_ack_unordered(struct batadv_tp_vars *tp_vars)
+ __must_hold(&tp_vars->unacked_lock)
{
struct batadv_tp_unacked *un, *safe;
u32 to_ack;
@@ -1383,7 +1381,6 @@ static void batadv_tp_ack_unordered(struct batadv_tp_vars *tp_vars)
/* go through the unacked packet list and possibly ACK them as
* well
*/
- spin_lock_bh(&tp_vars->unacked_lock);
list_for_each_entry_safe(un, safe, &tp_vars->unacked_list, list) {
/* the list is ordered, therefore it is possible to stop as soon
* there is a gap between the last acked seqno and the seqno of
@@ -1401,7 +1398,6 @@ static void batadv_tp_ack_unordered(struct batadv_tp_vars *tp_vars)
kfree(un);
tp_vars->unacked_count--;
}
- spin_unlock_bh(&tp_vars->unacked_lock);
}
/**
@@ -1481,6 +1477,7 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
const struct batadv_icmp_tp_packet *icmp;
struct batadv_tp_vars *tp_vars;
size_t packet_size;
+ u32 to_ack;
u32 seqno;
icmp = (struct batadv_icmp_tp_packet *)skb->data;
@@ -1509,6 +1506,8 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
WRITE_ONCE(tp_vars->last_recv_time, jiffies);
}
+ spin_lock_bh(&tp_vars->unacked_lock);
+
/* if the packet is a duplicate, it may be the case that an ACK has been
* lost. Resend the ACK
*/
@@ -1520,8 +1519,10 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
/* exit immediately (and do not send any ACK) if the packet has
* not been enqueued correctly
*/
- if (!batadv_tp_handle_out_of_order(tp_vars, skb))
+ if (!batadv_tp_handle_out_of_order(tp_vars, skb)) {
+ spin_unlock_bh(&tp_vars->unacked_lock);
goto out;
+ }
/* send a duplicate ACK */
goto send_ack;
@@ -1535,11 +1536,14 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
batadv_tp_ack_unordered(tp_vars);
send_ack:
+ to_ack = tp_vars->last_recv;
+ spin_unlock_bh(&tp_vars->unacked_lock);
+
/* send the ACK. If the received packet was out of order, the ACK that
* is going to be sent is a duplicate (the sender will count them and
* possibly enter Fast Retransmit as soon as it has reached 3)
*/
- batadv_tp_send_ack(bat_priv, icmp->orig, tp_vars->last_recv,
+ batadv_tp_send_ack(bat_priv, icmp->orig, to_ack,
icmp->timestamp, icmp->session, icmp->uid);
out:
batadv_tp_vars_put(tp_vars);
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 4f9f1820e3a92a..3f940a201cdf84 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1423,7 +1423,7 @@ struct batadv_tp_vars {
/** @unacked_list: list of unacked packets (meta-info only) */
struct list_head unacked_list;
- /** @unacked_lock: protect unacked_list */
+ /** @unacked_lock: protect unacked_list + &batadv_tp_receiver.last_recv */
spinlock_t unacked_lock;
/** @unacked_count: number of unacked entries */
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 022/120] batman-adv: tp_meter: handle overlapping packets
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 021/120] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 023/120] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
` (103 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit cbde75c38b21f022891525078622587ad557b7c1 upstream.
If the size of the packets would change during the transmission, it could
happen that some retries of packets are overlapping. In this case, precise
comparisons of sequence numbers by the receiver would be wrong. It is then
necessary to check if the start sequence number to the end sequence number
("seqno + length") would contain a new range.
If this is the case then this is enough to accept this packet. In all other
cases, the packet still has to be dropped (and not acked).
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
[ Switch to pre-splitted tp_vars structure names ]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tp_meter.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 6a23050f03d89e..dbaae33db0f1f8 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -1284,7 +1284,8 @@ static int batadv_tp_send_ack(struct batadv_priv *bat_priv, const u8 *dst,
/**
* batadv_tp_handle_out_of_order() - store an out of order packet
* @tp_vars: the private data of the current TP meter session
- * @skb: the buffer containing the received packet
+ * @seqno: sequence number of new received packet
+ * @payload_len: length of the received packet
*
* Store the out of order packet in the unacked list for late processing. This
* packets are kept in this list so that they can be ACKed at once as soon as
@@ -1293,22 +1294,17 @@ static int batadv_tp_send_ack(struct batadv_priv *bat_priv, const u8 *dst,
* Return: true if the packed has been successfully processed, false otherwise
*/
static bool batadv_tp_handle_out_of_order(struct batadv_tp_vars *tp_vars,
- const struct sk_buff *skb)
+ u32 seqno, u32 payload_len)
__must_hold(&tp_vars->unacked_lock)
{
- const struct batadv_icmp_tp_packet *icmp;
struct batadv_tp_unacked *un, *new;
- u32 payload_len;
bool added = false;
new = kmalloc_obj(*new, GFP_ATOMIC);
if (unlikely(!new))
return false;
- icmp = (struct batadv_icmp_tp_packet *)skb->data;
-
- new->seqno = ntohl(icmp->seqno);
- payload_len = skb->len - sizeof(struct batadv_unicast_packet);
+ new->seqno = seqno;
new->len = payload_len;
/* if the list is empty immediately attach this new object */
@@ -1476,7 +1472,7 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
{
const struct batadv_icmp_tp_packet *icmp;
struct batadv_tp_vars *tp_vars;
- size_t packet_size;
+ u32 payload_len;
u32 to_ack;
u32 seqno;
@@ -1511,15 +1507,17 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
/* if the packet is a duplicate, it may be the case that an ACK has been
* lost. Resend the ACK
*/
- if (batadv_seq_before(seqno, tp_vars->last_recv))
+ payload_len = skb->len - sizeof(struct batadv_unicast_packet);
+ to_ack = seqno + payload_len;
+ if (batadv_seq_before(to_ack, tp_vars->last_recv))
goto send_ack;
/* if the packet is out of order enqueue it */
- if (ntohl(icmp->seqno) != tp_vars->last_recv) {
+ if (batadv_seq_before(tp_vars->last_recv, seqno)) {
/* exit immediately (and do not send any ACK) if the packet has
* not been enqueued correctly
*/
- if (!batadv_tp_handle_out_of_order(tp_vars, skb)) {
+ if (!batadv_tp_handle_out_of_order(tp_vars, seqno, payload_len)) {
spin_unlock_bh(&tp_vars->unacked_lock);
goto out;
}
@@ -1529,8 +1527,7 @@ static void batadv_tp_recv_msg(struct batadv_priv *bat_priv,
}
/* if everything was fine count the ACKed bytes */
- packet_size = skb->len - sizeof(struct batadv_unicast_packet);
- tp_vars->last_recv += packet_size;
+ tp_vars->last_recv = to_ack;
/* check if this ordered message filled a gap.... */
batadv_tp_ack_unordered(tp_vars);
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 023/120] batman-adv: tt: dont merge change entries with different VIDs
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 022/120] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 024/120] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
` (102 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit f08e06c2d5c3e2434e7c773f2213f4a7dce6bc1e upstream.
batadv_tt_local_event() merges/cancels events for the same client which
would conflict or be duplicates. The matching of the queued events only
compares the MAC address - the VLAN ID stored in each event is ignored.
If a MAC would now appear on multiple VID, the two ADD change events (for
VID 1 and VID 2) would be merged to a single vid event. The remote can
therefore not calculate the correct TT table and desync. A full translation
table exchange is required to recover from this state.
A check of VID is therefore necessary to avoid such wrong merges/cancels.
Cc: stable@kernel.org
Fixes: c018ad3de61a ("batman-adv: add the VLAN ID attribute to the TT entry")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/translation-table.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 9f6e67771ffa80..acd8af4446671f 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -446,6 +446,9 @@ static void batadv_tt_local_event(struct batadv_priv *bat_priv,
if (!batadv_compare_eth(entry->change.addr, common->addr))
continue;
+ if (entry->change.vid != tt_change_node->change.vid)
+ continue;
+
del_op_entry = entry->change.flags & BATADV_TT_CLIENT_DEL;
if (del_op_requested != del_op_entry) {
/* DEL+ADD in the same orig interval have no effect and
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 024/120] batman-adv: tt: track roam count per VID
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 023/120] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 025/120] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
` (101 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 12407d5f61c2653a64f2ff4b22f3c267f8420ef1 upstream.
batadv_tt_check_roam_count() is supposed to track roaming of a TT entry.
But TT entries are for a MAC + VID. The VID was completely missed and thus
leads to incorrect detection of ROAM counts when a client MAC exists in
multiple VLANs.
Cc: stable@kernel.org
Fixes: c018ad3de61a ("batman-adv: add the VLAN ID attribute to the TT entry")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/translation-table.c | 9 +++++++--
net/batman-adv/types.h | 3 +++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index acd8af4446671f..83dfd804a143ab 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -3442,6 +3442,7 @@ static void batadv_tt_roam_purge(struct batadv_priv *bat_priv)
* batadv_tt_check_roam_count() - check if a client has roamed too frequently
* @bat_priv: the bat priv with all the mesh interface information
* @client: mac address of the roaming client
+ * @vid: VLAN identifier
*
* This function checks whether the client already reached the
* maximum number of possible roaming phases. In this case the ROAMING_ADV
@@ -3449,7 +3450,7 @@ static void batadv_tt_roam_purge(struct batadv_priv *bat_priv)
*
* Return: true if the ROAMING_ADV can be sent, false otherwise
*/
-static bool batadv_tt_check_roam_count(struct batadv_priv *bat_priv, u8 *client)
+static bool batadv_tt_check_roam_count(struct batadv_priv *bat_priv, u8 *client, u16 vid)
{
struct batadv_tt_roam_node *tt_roam_node;
bool ret = false;
@@ -3462,6 +3463,9 @@ static bool batadv_tt_check_roam_count(struct batadv_priv *bat_priv, u8 *client)
if (!batadv_compare_eth(tt_roam_node->addr, client))
continue;
+ if (tt_roam_node->vid != vid)
+ continue;
+
if (batadv_has_timed_out(tt_roam_node->first_time,
BATADV_ROAMING_MAX_TIME))
continue;
@@ -3483,6 +3487,7 @@ static bool batadv_tt_check_roam_count(struct batadv_priv *bat_priv, u8 *client)
atomic_set(&tt_roam_node->counter,
BATADV_ROAMING_MAX_COUNT - 1);
ether_addr_copy(tt_roam_node->addr, client);
+ tt_roam_node->vid = vid;
list_add(&tt_roam_node->list, &bat_priv->tt.roam_list);
ret = true;
@@ -3519,7 +3524,7 @@ static void batadv_send_roam_adv(struct batadv_priv *bat_priv, u8 *client,
/* before going on we have to check whether the client has
* already roamed to us too many times
*/
- if (!batadv_tt_check_roam_count(bat_priv, client))
+ if (!batadv_tt_check_roam_count(bat_priv, client, vid))
goto out;
batadv_dbg(BATADV_DBG_TT, bat_priv,
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 3f940a201cdf84..4dce996f01ccea 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1912,6 +1912,9 @@ struct batadv_tt_roam_node {
/** @addr: mac address of the client in the roaming phase */
u8 addr[ETH_ALEN];
+ /** @vid: VLAN identifier */
+ u16 vid;
+
/**
* @counter: number of allowed roaming events per client within a single
* OGM interval (changes are committed with each OGM)
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 025/120] batman-adv: dat: prevent false sharing between VLANs
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 024/120] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 026/120] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
` (100 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 20d7658b74169f86d4ac01b9185b3eadddf71f28 upstream.
The local hash of DAT entries is supposed to be VLAN (VID) aware. But
the adding to the hash and the search in the hash were not checking the VID
information of the hash entries. The entries would therefore only be
correctly separated when batadv_hash_dat() didn't select the same buckets
for different VIDs.
Cc: stable@kernel.org
Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/distributed-arp-table.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
index 0a8bd95e2f99e8..86fb5de5022aca 100644
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -214,10 +214,13 @@ static void batadv_dat_purge(struct work_struct *work)
*/
static bool batadv_compare_dat(const struct hlist_node *node, const void *data2)
{
- const void *data1 = container_of(node, struct batadv_dat_entry,
- hash_entry);
+ const struct batadv_dat_entry *entry1;
+ const struct batadv_dat_entry *entry2;
- return memcmp(data1, data2, sizeof(__be32)) == 0;
+ entry1 = container_of(node, struct batadv_dat_entry, hash_entry);
+ entry2 = data2;
+
+ return entry1->ip == entry2->ip && entry1->vid == entry2->vid;
}
/**
@@ -344,6 +347,9 @@ batadv_dat_entry_hash_find(struct batadv_priv *bat_priv, __be32 ip,
if (dat_entry->ip != ip)
continue;
+ if (dat_entry->vid != vid)
+ continue;
+
if (!kref_get_unless_zero(&dat_entry->refcount))
continue;
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 026/120] batman-adv: tvlv: enforce 2-byte alignment
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 025/120] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 027/120] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
` (99 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit 32a6799255525d6ea4da0f7e9e0e521ad9560a46 upstream.
The fields of an aggregated OGM(v2) are accessed assuming (at least) 2-byte
alignment, so a following OGM must start at an even offset. As the header
length is even, an odd tvlv_len would misalign it and trigger unaligned
accesses on strict-alignment architectures.
Such a misaligned TVLV/OGM/OGMv2 is not created by a normal participant in
the mesh. Therefore, reject such malformed packets.
Cc: stable@kernel.org
Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bat_iv_ogm.c | 11 ++++++++++-
net/batman-adv/bat_v_ogm.c | 11 ++++++++++-
net/batman-adv/routing.c | 6 ++++++
net/batman-adv/tvlv.c | 6 ++++++
4 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index b8b1b997960a96..6e79f69c2fedec 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -311,14 +311,23 @@ batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
const struct batadv_ogm_packet *ogm_packet)
{
int next_buff_pos = 0;
+ u16 tvlv_len;
/* check if there is enough space for the header */
next_buff_pos += buff_pos + sizeof(*ogm_packet);
if (next_buff_pos > packet_len)
return false;
+ tvlv_len = ntohs(ogm_packet->tvlv_len);
+
+ /* the fields of an aggregated OGM are accessed assuming (at least)
+ * 2-byte alignment, so a following OGM must start at an even offset.
+ */
+ if (tvlv_len & 1)
+ return false;
+
/* check if there is enough space for the optional TVLV */
- next_buff_pos += ntohs(ogm_packet->tvlv_len);
+ next_buff_pos += tvlv_len;
return next_buff_pos <= packet_len;
}
diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
index 6852bf5da8c558..1f9b2d2b4831ce 100644
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -849,14 +849,23 @@ batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
const struct batadv_ogm2_packet *ogm2_packet)
{
int next_buff_pos = 0;
+ u16 tvlv_len;
/* check if there is enough space for the header */
next_buff_pos += buff_pos + sizeof(*ogm2_packet);
if (next_buff_pos > packet_len)
return false;
+ tvlv_len = ntohs(ogm2_packet->tvlv_len);
+
+ /* the fields of an aggregated OGMv2 are accessed assuming (at least)
+ * 2-byte alignment, so a following OGMv2 must start at an even offset.
+ */
+ if (tvlv_len & 1)
+ return false;
+
/* check if there is enough space for the optional TVLV */
- next_buff_pos += ntohs(ogm2_packet->tvlv_len);
+ next_buff_pos += tvlv_len;
return next_buff_pos <= packet_len;
}
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 4483f8d9c75831..41951c7a1c50b2 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -1366,6 +1366,12 @@ int batadv_recv_mcast_packet(struct sk_buff *skb,
if (tvlv_buff_len > skb->len - hdr_size)
goto free_skb;
+ /* the fields of an multicast payload are accessed assuming (at least)
+ * 2-byte alignment, so a following packet must start at an even offset.
+ */
+ if (tvlv_buff_len & 1)
+ goto free_skb;
+
ret = batadv_tvlv_containers_process(bat_priv, BATADV_MCAST, NULL, skb,
tvlv_buff, tvlv_buff_len);
if (ret >= 0) {
diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c
index cc6ac580c62085..baadf97f98e5f0 100644
--- a/net/batman-adv/tvlv.c
+++ b/net/batman-adv/tvlv.c
@@ -464,6 +464,12 @@ int batadv_tvlv_containers_process(struct batadv_priv *bat_priv,
if (tvlv_value_cont_len > tvlv_value_len)
break;
+ /* the next tvlv header is accessed assuming (at least) 2-byte
+ * alignment, so it must start at an even offset.
+ */
+ if (tvlv_value_cont_len & 1)
+ break;
+
tvlv_handler = batadv_tvlv_handler_get(bat_priv,
tvlv_hdr->type,
tvlv_hdr->version);
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 027/120] batman-adv: tvlv: avoid race of cifsnotfound handler state
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 026/120] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 028/120] ipv6: account for fraggap on the paged allocation path Greg Kroah-Hartman
` (98 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Sven Eckelmann, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit edb557b2ba38fea2c5eb710cf366c797e187218c upstream.
TVLV handlers can have the flag BATADV_TVLV_HANDLER_OGM_CIFNOTFND set to
signal that the OGM handler should be called (with NULL for data) when the
specific TVLV container was not found in the OGM. This is used by:
* DAT
* GW
* Multicast (OGM + Tracker)
The state whether the handler was executed was stored in the struct
batadv_tvlv_handler. But the TVLV processing is started without any lock.
Multiple parallel contexts processing TVLVs would therefore overwrite each
others BATADV_TVLV_HANDLER_OGM_CALLED flag in the shared
batadv_tvlv_handler.
Drop the shared BATADV_TVLV_HANDLER_OGM_CALLED flag and instead determine,
per TVLV buffer, whether a matching container was present by scanning the
packet's buffer.
Cc: stable@kernel.org
Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/tvlv.c | 63 ++++++++++++++++++++++++++++++++++++++----
net/batman-adv/types.h | 7 -----
2 files changed, 57 insertions(+), 13 deletions(-)
diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c
index baadf97f98e5f0..afb61a46d7a67c 100644
--- a/net/batman-adv/tvlv.c
+++ b/net/batman-adv/tvlv.c
@@ -398,7 +398,6 @@ static int batadv_tvlv_call_handler(struct batadv_priv *bat_priv,
tvlv_handler->ogm_handler(bat_priv, orig_node,
BATADV_NO_FLAGS,
tvlv_value, tvlv_value_len);
- tvlv_handler->flags |= BATADV_TVLV_HANDLER_OGM_CALLED;
break;
case BATADV_UNICAST_TVLV:
if (!skb)
@@ -430,6 +429,48 @@ static int batadv_tvlv_call_handler(struct batadv_priv *bat_priv,
return NET_RX_SUCCESS;
}
+/**
+ * batadv_tvlv_containers_contain() - check if a tvlv buffer holds a container
+ * @tvlv_value: tvlv content
+ * @tvlv_value_len: tvlv content length
+ * @type: tvlv container type to look for
+ * @version: tvlv container version to look for
+ *
+ * Return: true if a container of the given type and version is present in the
+ * tvlv buffer, false otherwise.
+ */
+static bool batadv_tvlv_containers_contain(void *tvlv_value,
+ u16 tvlv_value_len, u8 type,
+ u8 version)
+{
+ struct batadv_tvlv_hdr *tvlv_hdr;
+ u16 tvlv_value_cont_len;
+
+ while (tvlv_value_len >= sizeof(*tvlv_hdr)) {
+ tvlv_hdr = tvlv_value;
+ tvlv_value_cont_len = ntohs(tvlv_hdr->len);
+ tvlv_value = tvlv_hdr + 1;
+ tvlv_value_len -= sizeof(*tvlv_hdr);
+
+ if (tvlv_value_cont_len > tvlv_value_len)
+ break;
+
+ /* the next tvlv header is accessed assuming (at least) 2-byte
+ * alignment, so it must start at an even offset.
+ */
+ if (tvlv_value_cont_len & 1)
+ break;
+
+ if (tvlv_hdr->type == type && tvlv_hdr->version == version)
+ return true;
+
+ tvlv_value = (u8 *)tvlv_value + tvlv_value_cont_len;
+ tvlv_value_len -= tvlv_value_cont_len;
+ }
+
+ return false;
+}
+
/**
* batadv_tvlv_containers_process() - parse the given tvlv buffer to call the
* appropriate handlers
@@ -449,7 +490,9 @@ int batadv_tvlv_containers_process(struct batadv_priv *bat_priv,
struct sk_buff *skb, void *tvlv_value,
u16 tvlv_value_len)
{
+ u16 tvlv_value_start_len = tvlv_value_len;
struct batadv_tvlv_handler *tvlv_handler;
+ void *tvlv_value_start = tvlv_value;
struct batadv_tvlv_hdr *tvlv_hdr;
u16 tvlv_value_cont_len;
u8 cifnotfound = BATADV_TVLV_HANDLER_OGM_CIFNOTFND;
@@ -493,12 +536,20 @@ int batadv_tvlv_containers_process(struct batadv_priv *bat_priv,
if (!tvlv_handler->ogm_handler)
continue;
- if ((tvlv_handler->flags & BATADV_TVLV_HANDLER_OGM_CIFNOTFND) &&
- !(tvlv_handler->flags & BATADV_TVLV_HANDLER_OGM_CALLED))
- tvlv_handler->ogm_handler(bat_priv, orig_node,
- cifnotfound, NULL, 0);
+ if (!(tvlv_handler->flags & BATADV_TVLV_HANDLER_OGM_CIFNOTFND))
+ continue;
- tvlv_handler->flags &= ~BATADV_TVLV_HANDLER_OGM_CALLED;
+ /* if the corresponding container was present then the handler
+ * was already called from the loop above
+ */
+ if (batadv_tvlv_containers_contain(tvlv_value_start,
+ tvlv_value_start_len,
+ tvlv_handler->type,
+ tvlv_handler->version))
+ continue;
+
+ tvlv_handler->ogm_handler(bat_priv, orig_node,
+ cifnotfound, NULL, 0);
}
rcu_read_unlock();
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 4dce996f01ccea..30c870cacf4374 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -2245,13 +2245,6 @@ enum batadv_tvlv_handler_flags {
* will call this handler even if its type was not found (with no data)
*/
BATADV_TVLV_HANDLER_OGM_CIFNOTFND = BIT(1),
-
- /**
- * @BATADV_TVLV_HANDLER_OGM_CALLED: interval tvlv handling flag - the
- * API marks a handler as being called, so it won't be called if the
- * BATADV_TVLV_HANDLER_OGM_CIFNOTFND flag was set
- */
- BATADV_TVLV_HANDLER_OGM_CALLED = BIT(2),
};
#endif /* _NET_BATMAN_ADV_TYPES_H_ */
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 028/120] ipv6: account for fraggap on the paged allocation path
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 027/120] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 029/120] ipv4: " Greg Kroah-Hartman
` (97 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jungwoo Lee, Wongi Lee, Ido Schimmel,
Jakub Kicinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wongi Lee <qw3rtyp0@gmail.com>
commit 736b380e28d0480c7bc3e022f1950f31fe53a7c5 upstream.
In __ip6_append_data(), when the paged-allocation branch is taken
(MSG_MORE / NETIF_F_SG / large fraglen), alloclen and pagedlen are
computed as
alloclen = fragheaderlen + transhdrlen;
pagedlen = datalen - transhdrlen;
datalen already includes fraggap (datalen = length + fraggap). When
fraggap is non-zero, this is not the first skb and transhdrlen is zero.
The fraggap bytes carried over from the previous skb are copied just past
the fragment headers in the new skb's linear area. The linear area is
therefore undersized by fraggap bytes while pagedlen is overstated by the
same amount, and the copy writes past skb->end into the trailing
skb_shared_info.
An unprivileged user can trigger this via a UDPv6 socket using
MSG_MORE together with MSG_SPLICE_PAGES.
The bad accounting was introduced by commit 773ba4fe9104 ("ipv6:
avoid partial copy for zc"). Before commit ce650a166335 ("udp6: Fix
__ip6_append_data()'s handling of MSG_SPLICE_PAGES"), the negative
copy value caused -EINVAL to be returned. That later commit allowed
MSG_SPLICE_PAGES to proceed in this case, making the corruption
triggerable.
The non-paged branch sets alloclen to fraglen, which already accounts
for fraggap because datalen does. Bring the paged branch in line by
adding fraggap to alloclen and subtracting it from pagedlen.
After this adjustment, copy no longer collapses to -fraggap on the
paged path, so remove the stale comment describing that old arithmetic.
Since a negative copy is no longer expected for a valid MSG_SPLICE_PAGES
case, remove the MSG_SPLICE_PAGES exception from the negative copy check.
Fixes: 773ba4fe9104 ("ipv6: avoid partial copy for zc")
Signed-off-by: Jungwoo Lee <jwlee2217@gmail.com>
Signed-off-by: Wongi Lee <qw3rtyp0@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/ajFTqRljatR17fFy@DESKTOP-19IMU7U.localdomain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_output.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1668,8 +1668,8 @@ alloc_new_skb:
!(rt->dst.dev->features & NETIF_F_SG)))
alloclen = fraglen;
else {
- alloclen = fragheaderlen + transhdrlen;
- pagedlen = datalen - transhdrlen;
+ alloclen = fragheaderlen + transhdrlen + fraggap;
+ pagedlen = datalen - transhdrlen - fraggap;
}
alloclen += alloc_extra;
@@ -1684,10 +1684,7 @@ alloc_new_skb:
fraglen = datalen + fragheaderlen;
copy = datalen - transhdrlen - fraggap - pagedlen;
- /* [!] NOTE: copy may be negative if pagedlen>0
- * because then the equation may reduces to -fraggap.
- */
- if (copy < 0 && !(flags & MSG_SPLICE_PAGES)) {
+ if (copy < 0) {
err = -EINVAL;
goto error;
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 029/120] ipv4: account for fraggap on the paged allocation path
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 028/120] ipv6: account for fraggap on the paged allocation path Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 030/120] ntfs3: reject direct userspace writes to reserved $LX* xattrs Greg Kroah-Hartman
` (96 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jungwoo Lee, Wongi Lee, Ido Schimmel,
Jakub Kicinski, Sasha Levin
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wongi Lee <qw3rtyp0@gmail.com>
[ Upstream commit eca856950f7cb1a221e02b99d758409f2c5cec42 ]
In __ip_append_data(), when the paged-allocation branch is taken,
alloclen and pagedlen are computed as
alloclen = fragheaderlen + transhdrlen;
pagedlen = datalen - transhdrlen;
datalen already includes fraggap, but the fraggap bytes carried over
from the previous skb are copied into the new skb's linear area at
offset transhdrlen by the subsequent skb_copy_and_csum_bits(). The
linear area is therefore undersized by fraggap bytes while pagedlen is
overstated by the same amount.
The non-paged branch sets alloclen to fraglen, which already accounts
for fraggap because datalen does. Bring the paged branch in line by
adding fraggap to alloclen and subtracting it from pagedlen.
After this adjustment, copy no longer collapses to -fraggap on the
paged path, so remove the stale comment describing that old arithmetic.
Fixes: 8eb77cc73977 ("ipv4: avoid partial copy for zc")
Signed-off-by: Jungwoo Lee <jwlee2217@gmail.com>
Signed-off-by: Wongi Lee <qw3rtyp0@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/ajFR1eLAIs42TN3g@DESKTOP-19IMU7U.localdomain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ip_output.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 5bcd73cbdb41c0..ec790bad1679a6 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1117,8 +1117,8 @@ static int __ip_append_data(struct sock *sk,
!(rt->dst.dev->features & NETIF_F_SG)))
alloclen = fraglen;
else {
- alloclen = fragheaderlen + transhdrlen;
- pagedlen = datalen - transhdrlen;
+ alloclen = fragheaderlen + transhdrlen + fraggap;
+ pagedlen = datalen - transhdrlen - fraggap;
}
alloclen += alloc_extra;
@@ -1165,9 +1165,6 @@ static int __ip_append_data(struct sock *sk,
}
copy = datalen - transhdrlen - fraggap - pagedlen;
- /* [!] NOTE: copy will be negative if pagedlen>0
- * because then the equation reduces to -fraggap.
- */
if (copy > 0 &&
INDIRECT_CALL_1(getfrag, ip_generic_getfrag,
from, data + transhdrlen, offset,
--
2.53.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 030/120] ntfs3: reject direct userspace writes to reserved $LX* xattrs
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 029/120] ipv4: " Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 031/120] wifi: mt76: add wcid publish check in mt76_sta_add Greg Kroah-Hartman
` (95 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhen Yan, Konstantin Komarov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
commit 5b08dccecf825cbf905f348bc6ccb497507e28e2 upstream.
NTFS3 uses $LXUID, $LXGID, $LXMOD and $LXDEV as internal WSL
permission metadata and reloads them into i_uid, i_gid and i_mode
from ntfs_get_wsl_perm().
Because the empty-prefix xattr handler also lets file owners call
setxattr() on these names directly, an unprivileged writer on a
writable ntfs3 mount can plant root ownership and S_ISUID on their own
file and gain euid 0 after inode reload.
Reject direct userspace writes to the reserved $LX* names. Internal
ntfs3 metadata updates are unchanged because ntfs_save_wsl_perm()
writes them via ntfs_set_ea() directly.
Signed-off-by: Zhen Yan <sdjasjbuaa@gmail.com>
[almaz.alexandrovich@paragon-software.com: added an additional check for non privileged users]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/xattr.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -851,6 +851,12 @@ out:
return err;
}
+static bool ntfs_is_reserved_lxattr(const char *name)
+{
+ return !strcmp(name, "$LXUID") || !strcmp(name, "$LXGID") ||
+ !strcmp(name, "$LXMOD") || !strcmp(name, "$LXDEV");
+}
+
/*
* ntfs_setxattr - inode_operations::setxattr
*/
@@ -955,6 +961,12 @@ set_new_fa:
goto out;
}
+ /* Do not allow non privileged users to change $LXUID/$LXGID... */
+ if (ntfs_is_reserved_lxattr(name) && !capable(CAP_SYS_ADMIN)) {
+ err = -EPERM;
+ goto out;
+ }
+
/* Deal with NTFS extended attribute. */
err = ntfs_set_ea(inode, name, strlen(name), value, size, flags, 0,
NULL);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 031/120] wifi: mt76: add wcid publish check in mt76_sta_add
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 030/120] ntfs3: reject direct userspace writes to reserved $LX* xattrs Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 032/120] mac802154: llsec: add skb_cow_data() before in-place crypto Greg Kroah-Hartman
` (94 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiajia Liu, Felix Fietkau
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiajia Liu <liujiajia@kylinos.cn>
commit 20b126920a259df4d7dcae19fcfe2c57a74d6b2e upstream.
Since mt7925_mac_sta_add publishes wcid, add publish check in mt76_sta_add
to avoid reinitializing the wcid->poll_list.
Found dev->sta_poll_list corruption when using mt7925 and 7.1-rc4.
According to the corruption information, prev->next was changed to itself.
wlan0: disconnect from AP 90:fb:5d:94:8b:e3 for new auth to 90:fb:5d:94:8b:e2
wlan0: authenticate with 90:fb:5d:94:8b:e2 (local address=84:9e:56:9c:7e:6b)
wlan0: send auth to 90:fb:5d:94:8b:e2 (try 1/3)
slab kmalloc-8k start ffff8c80958a6000 pointer offset 4160 size 8192
list_add corruption. prev->next should be next (ffff8c808a7488f8), but was ffff8c80958a7040. (prev=ffff8c80958a7040).
mt76_wcid_add_poll+0x95/0xd0 [mt76]
mt7925_mac_add_txs.part.0+0xa5/0xe0 [mt7925_common]
mt7925_rx_check+0xa7/0xc0 [mt7925_common]
mt76_dma_rx_poll+0x50d/0x790 [mt76]
mt792x_poll_rx+0x52/0xe0 [mt792x_lib]
Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn>
Link: https://patch.msgid.link/20260528033814.46418-1-liujiajia@kylinos.cn
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mac80211.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
+++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
@@ -1576,6 +1576,7 @@ mt76_sta_add(struct mt76_phy *phy, struc
{
struct mt76_wcid *wcid = (struct mt76_wcid *)sta->drv_priv;
struct mt76_dev *dev = phy->dev;
+ struct mt76_wcid *published;
int ret;
int i;
@@ -1595,11 +1596,19 @@ mt76_sta_add(struct mt76_phy *phy, struc
mtxq->wcid = wcid->idx;
}
- ewma_signal_init(&wcid->rssi);
- rcu_assign_pointer(dev->wcid[wcid->idx], wcid);
+ published = rcu_dereference_protected(dev->wcid[wcid->idx],
+ lockdep_is_held(&dev->mutex));
+ if (published != wcid) {
+ WARN_ON_ONCE(published);
+ ewma_signal_init(&wcid->rssi);
+ rcu_assign_pointer(dev->wcid[wcid->idx], wcid);
+ mt76_wcid_init(wcid, phy->band_idx);
+ } else {
+ wcid->phy_idx = phy->band_idx;
+ }
+
phy->num_sta++;
- mt76_wcid_init(wcid, phy->band_idx);
out:
mutex_unlock(&dev->mutex);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 032/120] mac802154: llsec: add skb_cow_data() before in-place crypto
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 031/120] wifi: mt76: add wcid publish check in mt76_sta_add Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 033/120] net: skmsg: preserve sg.copy across SG transforms Greg Kroah-Hartman
` (93 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doruk Tan Ozturk, Alexander Lobakin,
Stefan Schmidt
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doruk Tan Ozturk <doruk@0sec.ai>
commit 84a04eb5b210643bd67aab81ff805d32f62aa865 upstream.
llsec_do_encrypt_unauth(), llsec_do_encrypt_auth(),
llsec_do_decrypt_unauth(), and llsec_do_decrypt_auth() all perform
in-place cryptographic transformations on skb data. They build a
scatterlist with sg_init_one() pointing into the skb's linear data area
and then pass the same scatterlist as both src and dst to the crypto API
(e.g. crypto_skcipher_encrypt/decrypt, crypto_aead_encrypt/decrypt).
On the RX path, __ieee802154_rx_handle_packet() clones the received skb
before handing it to each subscriber via ieee802154_subif_frame(). The
cloned skb shares the same underlying data buffer via reference
counting. When llsec_do_decrypt() subsequently modifies this shared
buffer in place, it corrupts data that other clones -- potentially
belonging to other sockets or subsystems -- still reference.
On the TX path, similar data sharing can occur when an skb's head has
been cloned (skb_cloned() returns true).
The fix is to call skb_cow_data() before performing any in-place crypto
operation. skb_cow_data() ensures that the skb's data area is not
shared: if the skb head is cloned or the data spans multiple fragments,
it copies the data into a private buffer that can be safely modified in
place. This is the same pattern used by:
- ESP (net/ipv4/esp4.c, net/ipv6/esp6.c)
- MACsec (drivers/net/macsec.c)
- WireGuard (drivers/net/wireguard/receive.c)
- TIPC (net/tipc/crypto.c)
Without this guard, in-place crypto on shared skb data leads to:
- Silent data corruption of other skb clones
- Use-after-free when the crypto API scatterwalk writes through a
page that has already been freed by another clone's kfree_skb()
- Kernel crashes under concurrent 802.15.4 traffic with security
enabled (KASAN/KMSAN reports slab-use-after-free)
Found by 0sec (https://0sec.ai) using automated source analysis.
Fixes: 4c14a2fb5d14 ("mac802154: add llsec decryption method")
Fixes: 03556e4d0dbb ("mac802154: add llsec encryption method")
Cc: stable@vger.kernel.org
Reported-by: Doruk Tan Ozturk <doruk@0sec.ai>
Closes: https://lore.kernel.org/linux-wpan/20260525161806.96158-1-doruk@0sec.ai/
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
Closes: <link to your mail on lore>
Link: https://lore.kernel.org/20260526183726.56100-1-doruk@0sec.ai
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac802154/llsec.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/net/mac802154/llsec.c
+++ b/net/mac802154/llsec.c
@@ -710,6 +710,7 @@ int mac802154_llsec_encrypt(struct mac80
{
struct ieee802154_hdr hdr;
int rc, authlen, hlen;
+ struct sk_buff *trailer;
struct mac802154_llsec_key *key;
u32 frame_ctr;
@@ -769,6 +770,12 @@ int mac802154_llsec_encrypt(struct mac80
skb->mac_len = ieee802154_hdr_push(skb, &hdr);
skb_reset_mac_header(skb);
+ rc = skb_cow_data(skb, 0, &trailer);
+ if (rc < 0) {
+ llsec_key_put(key);
+ return rc;
+ }
+
rc = llsec_do_encrypt(skb, sec, &hdr, key);
llsec_key_put(key);
@@ -908,6 +915,13 @@ llsec_do_decrypt(struct sk_buff *skb, co
const struct ieee802154_hdr *hdr,
struct mac802154_llsec_key *key, __le64 dev_addr)
{
+ struct sk_buff *trailer;
+ int err;
+
+ err = skb_cow_data(skb, 0, &trailer);
+ if (err < 0)
+ return err;
+
if (hdr->sec.level == IEEE802154_SCF_SECLEVEL_ENC)
return llsec_do_decrypt_unauth(skb, sec, hdr, key, dev_addr);
else
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 033/120] net: skmsg: preserve sg.copy across SG transforms
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 032/120] mac802154: llsec: add skb_cow_data() before in-place crypto Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 034/120] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink Greg Kroah-Hartman
` (92 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yiming Qian, Keenan Dong,
Jakub Kicinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yiming Qian <yimingqian591@gmail.com>
commit 406e8a651a7b854c41fecd5117bb282b3a6c2c6b upstream.
The sk_msg sg.copy bitmap is part of the scatterlist entry ownership
state. A set bit tells sk_msg_compute_data_pointers() not to expose the
entry through writable BPF ctx->data. This protects entries backed by
pages that are not private to the sk_msg, such as splice-backed file
page-cache pages.
Several sk_msg transform paths move, copy, split, or compact
msg->sg.data[] entries without moving the matching sg.copy bit. This can
make an externally backed entry arrive at a new slot with a clear copy
bit. A later SK_MSG verdict can then expose sg_virt(sge) as writable
ctx->data and BPF stores can modify the original page cache.
Keep sg.copy synchronized with sg.data[] whenever entries are
transferred, shifted, split, or copied into a new sk_msg. Clear the bit
when an entry is replaced by a newly allocated private page or freed.
This covers the BPF pull/push/pop helpers, sk_msg_shift_left/right(),
sk_msg_xfer(), and tls_split_open_record(), including the partial tail
entry created during TLS open-record splitting.
Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
Cc: stable@vger.kernel.org
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Yiming Qian <yimingqian591@gmail.com>
Link: https://patch.msgid.link/20260610062137.49075-1-yimingqian591@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/skmsg.h | 15 +++++++++++----
net/core/filter.c | 27 +++++++++++++++++++++++++++
net/core/skmsg.c | 2 ++
net/tls/tls_sw.c | 4 ++++
4 files changed, 44 insertions(+), 4 deletions(-)
--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
@@ -4,6 +4,7 @@
#ifndef _LINUX_SKMSG_H
#define _LINUX_SKMSG_H
+#include <linux/bitops.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <linux/scatterlist.h>
@@ -199,11 +200,14 @@ static inline void sk_msg_xfer(struct sk
int which, u32 size)
{
dst->sg.data[which] = src->sg.data[which];
+ __assign_bit(which, dst->sg.copy, test_bit(which, src->sg.copy));
dst->sg.data[which].length = size;
dst->sg.size += size;
src->sg.size -= size;
src->sg.data[which].length -= size;
src->sg.data[which].offset += size;
+ if (!src->sg.data[which].length)
+ __clear_bit(which, src->sg.copy);
}
static inline void sk_msg_xfer_full(struct sk_msg *dst, struct sk_msg *src)
@@ -273,16 +277,19 @@ static inline void sk_msg_page_add(struc
static inline void sk_msg_sg_copy(struct sk_msg *msg, u32 i, bool copy_state)
{
do {
- if (copy_state)
- __set_bit(i, msg->sg.copy);
- else
- __clear_bit(i, msg->sg.copy);
+ __assign_bit(i, msg->sg.copy, copy_state);
sk_msg_iter_var_next(i);
if (i == msg->sg.end)
break;
} while (1);
}
+static inline void sk_msg_sg_copy_assign(struct sk_msg *dst, u32 dst_i,
+ const struct sk_msg *src, u32 src_i)
+{
+ __assign_bit(dst_i, dst->sg.copy, test_bit(src_i, src->sg.copy));
+}
+
static inline void sk_msg_sg_copy_set(struct sk_msg *msg, u32 start)
{
sk_msg_sg_copy(msg, start, true);
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2733,11 +2733,13 @@ BPF_CALL_4(bpf_msg_pull_data, struct sk_
poffset += len;
sge->length = 0;
put_page(sg_page(sge));
+ __clear_bit(i, msg->sg.copy);
sk_msg_iter_var_next(i);
} while (i != last_sge);
sg_set_page(&msg->sg.data[first_sge], page, copy, 0);
+ __clear_bit(first_sge, msg->sg.copy);
/* To repair sg ring we need to shift entries. If we only
* had a single entry though we can just replace it and
@@ -2763,9 +2765,11 @@ BPF_CALL_4(bpf_msg_pull_data, struct sk_
break;
msg->sg.data[i] = msg->sg.data[move_from];
+ sk_msg_sg_copy_assign(msg, i, msg, move_from);
msg->sg.data[move_from].length = 0;
msg->sg.data[move_from].page_link = 0;
msg->sg.data[move_from].offset = 0;
+ __clear_bit(move_from, msg->sg.copy);
sk_msg_iter_var_next(i);
} while (1);
@@ -2794,6 +2798,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
{
struct scatterlist sge, nsge, nnsge, rsge = {0}, *psge;
u32 new, i = 0, l = 0, space, copy = 0, offset = 0;
+ bool sge_copy, nsge_copy, nnsge_copy, rsge_copy = false;
u8 *raw, *to, *from;
struct page *page;
@@ -2866,6 +2871,7 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
sk_msg_iter_var_prev(i);
psge = sk_msg_elem(msg, i);
rsge = sk_msg_elem_cpy(msg, i);
+ rsge_copy = test_bit(i, msg->sg.copy);
psge->length = start - offset;
rsge.length -= psge->length;
@@ -2890,24 +2896,32 @@ BPF_CALL_4(bpf_msg_push_data, struct sk_
/* Shift one or two slots as needed */
sge = sk_msg_elem_cpy(msg, new);
+ sge_copy = test_bit(new, msg->sg.copy);
sg_unmark_end(&sge);
nsge = sk_msg_elem_cpy(msg, i);
+ nsge_copy = test_bit(i, msg->sg.copy);
if (rsge.length) {
sk_msg_iter_var_next(i);
nnsge = sk_msg_elem_cpy(msg, i);
+ nnsge_copy = test_bit(i, msg->sg.copy);
sk_msg_iter_next(msg, end);
}
while (i != msg->sg.end) {
msg->sg.data[i] = sge;
+ __assign_bit(i, msg->sg.copy, sge_copy);
sge = nsge;
+ sge_copy = nsge_copy;
sk_msg_iter_var_next(i);
if (rsge.length) {
nsge = nnsge;
+ nsge_copy = nnsge_copy;
nnsge = sk_msg_elem_cpy(msg, i);
+ nnsge_copy = test_bit(i, msg->sg.copy);
} else {
nsge = sk_msg_elem_cpy(msg, i);
+ nsge_copy = test_bit(i, msg->sg.copy);
}
}
@@ -2921,6 +2935,7 @@ place_new:
get_page(sg_page(&rsge));
sk_msg_iter_var_next(new);
msg->sg.data[new] = rsge;
+ __assign_bit(new, msg->sg.copy, rsge_copy);
}
sk_msg_reset_curr(msg);
@@ -2948,25 +2963,33 @@ static void sk_msg_shift_left(struct sk_
prev = i;
sk_msg_iter_var_next(i);
msg->sg.data[prev] = msg->sg.data[i];
+ sk_msg_sg_copy_assign(msg, prev, msg, i);
} while (i != msg->sg.end);
sk_msg_iter_prev(msg, end);
+ __clear_bit(msg->sg.end, msg->sg.copy);
}
static void sk_msg_shift_right(struct sk_msg *msg, int i)
{
struct scatterlist tmp, sge;
+ bool tmp_copy, sge_copy;
sk_msg_iter_next(msg, end);
sge = sk_msg_elem_cpy(msg, i);
+ sge_copy = test_bit(i, msg->sg.copy);
sk_msg_iter_var_next(i);
tmp = sk_msg_elem_cpy(msg, i);
+ tmp_copy = test_bit(i, msg->sg.copy);
while (i != msg->sg.end) {
msg->sg.data[i] = sge;
+ __assign_bit(i, msg->sg.copy, sge_copy);
sk_msg_iter_var_next(i);
sge = tmp;
+ sge_copy = tmp_copy;
tmp = sk_msg_elem_cpy(msg, i);
+ tmp_copy = test_bit(i, msg->sg.copy);
}
}
@@ -3026,6 +3049,8 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_m
struct scatterlist *nsge, *sge = sk_msg_elem(msg, i);
int a = start - offset;
int b = sge->length - pop - a;
+ u32 sge_i = i;
+ bool sge_copy = test_bit(i, msg->sg.copy);
sk_msg_iter_var_next(i);
@@ -3038,6 +3063,7 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_m
sg_set_page(nsge,
sg_page(sge),
b, sge->offset + pop + a);
+ __assign_bit(i, msg->sg.copy, sge_copy);
} else {
struct page *page, *orig;
u8 *to, *from;
@@ -3054,6 +3080,7 @@ BPF_CALL_4(bpf_msg_pop_data, struct sk_m
memcpy(to, from, a);
memcpy(to + a, from + a + pop, b);
sg_set_page(sge, page, a + b, 0);
+ __clear_bit(sge_i, msg->sg.copy);
put_page(orig);
}
pop = 0;
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -66,6 +66,7 @@ int sk_msg_alloc(struct sock *sk, struct
sge = &msg->sg.data[msg->sg.end];
sg_unmark_end(sge);
sg_set_page(sge, pfrag->page, use, orig_offset);
+ __clear_bit(msg->sg.end, msg->sg.copy);
get_page(pfrag->page);
sk_msg_iter_next(msg, end);
}
@@ -186,6 +187,7 @@ static int sk_msg_free_elem(struct sock
sk_mem_uncharge(sk, len);
put_page(sg_page(sge));
}
+ __clear_bit(i, msg->sg.copy);
memset(sge, 0, sizeof(*sge));
return len;
}
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -623,6 +623,7 @@ static int tls_split_open_record(struct
struct scatterlist *sge, *osge, *nsge;
u32 orig_size = msg_opl->sg.size;
struct scatterlist tmp = { };
+ u32 tmp_i = 0;
struct sk_msg *msg_npl;
struct tls_rec *new;
int ret;
@@ -644,6 +645,7 @@ static int tls_split_open_record(struct
if (sge->length > apply) {
u32 len = sge->length - apply;
+ tmp_i = i;
get_page(sg_page(sge));
sg_set_page(&tmp, sg_page(sge), len,
sge->offset + apply);
@@ -675,6 +677,7 @@ static int tls_split_open_record(struct
nsge = sk_msg_elem(msg_npl, j);
if (tmp.length) {
memcpy(nsge, &tmp, sizeof(*nsge));
+ sk_msg_sg_copy_assign(msg_npl, j, msg_opl, tmp_i);
sk_msg_iter_var_next(j);
nsge = sk_msg_elem(msg_npl, j);
}
@@ -682,6 +685,7 @@ static int tls_split_open_record(struct
osge = sk_msg_elem(msg_opl, i);
while (osge->length) {
memcpy(nsge, osge, sizeof(*nsge));
+ sk_msg_sg_copy_assign(msg_npl, j, msg_opl, i);
sg_unmark_end(nsge);
sk_msg_iter_var_next(i);
sk_msg_iter_var_next(j);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 034/120] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 033/120] net: skmsg: preserve sg.copy across SG transforms Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 035/120] PCI/P2PDMA: Add Intel QAT, DSA, IAA devices to whitelist Greg Kroah-Hartman
` (91 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiao Liang, Maoyi Xie,
Kuniyuki Iwashima, Jakub Kicinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maoyi Xie <maoyixie.tju@gmail.com>
commit 8165f7ff57d9667d2bb477ef6af83ede7fed4ad7 upstream.
A tunnel changelink() operates on at most two netns, dev_net(dev) and
the tunnel link netns t->net. They differ once the device is created in
or moved to a netns other than the one the request runs in. The rtnl
changelink path checks CAP_NET_ADMIN only against dev_net(dev), so a
caller privileged there but not in t->net can rewrite a tunnel that
lives in t->net.
Add rtnl_dev_link_net_capable() next to rtnl_get_net_ns_capable() in
net/core/rtnetlink.c. It requires CAP_NET_ADMIN in the link netns and is
skipped when the link netns is dev_net(dev), where the rtnl path already
checked it. The other patches in this series use the same helper.
Gate ipgre_changelink() and erspan_changelink() with it, at the top of
the op before any attribute is parsed, because the parsers update live
tunnel fields first. ipgre_netlink_parms() sets t->collect_md before
ip_tunnel_changelink() runs.
Commit 8b484efd5cb4 ("ip6: vti: Use ip6_tnl.net in
vti6_siocdevprivate().") added the same check on the ioctl path. This
adds it on RTM_NEWLINK.
Reported-by: Xiao Liang <shaw.leon@gmail.com>
Closes: https://lore.kernel.org/netdev/CABAhCOSzP1vaThGV35_VnsRCb=87_CPjPVsTHbq905k8A+BuUg@mail.gmail.com/
Fixes: b57708add314 ("gre: add x-netns support")
Cc: stable@vger.kernel.org
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260612085941.3158249-2-maoyixie.tju@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/rtnetlink.h | 2 ++
net/core/rtnetlink.c | 8 ++++++++
net/ipv4/ip_gre.c | 6 ++++++
3 files changed, 16 insertions(+)
--- a/include/net/rtnetlink.h
+++ b/include/net/rtnetlink.h
@@ -256,6 +256,8 @@ int rtnl_configure_link(struct net_devic
int rtnl_nla_parse_ifinfomsg(struct nlattr **tb, const struct nlattr *nla_peer,
struct netlink_ext_ack *exterr);
struct net *rtnl_get_net_ns_capable(struct sock *sk, int netnsid);
+bool rtnl_dev_link_net_capable(const struct net_device *dev,
+ const struct net *link_net);
#define MODULE_ALIAS_RTNL_LINK(kind) MODULE_ALIAS("rtnl-link-" kind)
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2421,6 +2421,14 @@ struct net *rtnl_get_net_ns_capable(stru
}
EXPORT_SYMBOL_GPL(rtnl_get_net_ns_capable);
+bool rtnl_dev_link_net_capable(const struct net_device *dev,
+ const struct net *link_net)
+{
+ return net_eq(link_net, dev_net(dev)) ||
+ ns_capable(link_net->user_ns, CAP_NET_ADMIN);
+}
+EXPORT_SYMBOL_GPL(rtnl_dev_link_net_capable);
+
static int rtnl_valid_dump_ifinfo_req(const struct nlmsghdr *nlh,
bool strict_check, struct nlattr **tb,
struct netlink_ext_ack *extack)
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -1457,6 +1457,9 @@ static int ipgre_changelink(struct net_d
__u32 fwmark = t->fwmark;
int err;
+ if (!rtnl_dev_link_net_capable(dev, t->net))
+ return -EPERM;
+
err = ipgre_newlink_encap_setup(dev, data);
if (err)
return err;
@@ -1486,6 +1489,9 @@ static int erspan_changelink(struct net_
__u32 fwmark = t->fwmark;
int err;
+ if (!rtnl_dev_link_net_capable(dev, t->net))
+ return -EPERM;
+
err = ipgre_newlink_encap_setup(dev, data);
if (err)
return err;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 035/120] PCI/P2PDMA: Add Intel QAT, DSA, IAA devices to whitelist
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 034/120] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 036/120] apparmor: mediate the implicit connect of TCP fast open sendmsg Greg Kroah-Hartman
` (90 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Bjorn Helgaas,
Vinicius Costa Gomes, Giovanni Cabiddu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 0ba76b19fd4c7256787eab0283c759b18eb76876 upstream.
The first device on a PCI root bus determines whether the host bridge is
whitelisted for P2PDMA. All Intel Xeon chips since Ice Lake (ICX, 2021)
expose a device with ID 0x09a2 as first device. It is loosely associated
with the IOMMU. All these Xeon chips support P2PDMA, so since the addition
of the device with commit feaea1fe8b36 ("PCI/P2PDMA: Add Intel 3rd Gen
Intel Xeon Scalable Processors to whitelist"), P2PDMA has been allowed on
all new Xeons without the need to amend the whitelist:
Xeons with Performance Cores:
Sapphire Rapids (SPR, 2023)
Emerald Rapids (EMR, 2023)
Granite Rapids (GNR, 2024)
Diamond Rapids (DMR, 2026)
Xeons with Efficiency Cores:
Sierra Forest (SRF, 2024)
Clearwater Forest (CWF, 2026)
However these Xeons also expose accelerators as first device on a root bus
of its own:
QuickAssist Technology (QAT, crypto & compression accelerator)
Data Streaming Accelerator (DSA, dma engine)
In-Memory Analytics Accelerator (IAA, compression accelerator)
Whitelist them for P2PDMA as well. Move their Device ID macros from the
accelerator drivers to <linux/pci_ids.h> for reuse by P2PDMA code.
Unfortunately the Device IDs vary across Xeon generations as additional
features were added to the accelerators. This currently necessitates an
amendment for each new Xeon chip.
For future chips, this need shall be avoided by an ongoing effort to extend
ACPI HMAT with PCIe P2PDMA characteristics (latency, bandwidth, ordering
constraints). The PCI core will be able look up in this BIOS-provided ACPI
table whether P2PDMA is supported, instead of relying on a whitelist that
needs to be amended continuously.
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Acked-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> # QAT
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/6aac4922b5fe7070b11874427a9285e42ddd05a4.1780585518.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/intel/qat/qat_common/adf_accel_devices.h | 5 -----
drivers/dma/idxd/registers.h | 3 ---
drivers/pci/p2pdma.c | 10 ++++++++++
include/linux/pci_ids.h | 8 ++++++++
4 files changed, 18 insertions(+), 8 deletions(-)
--- a/drivers/crypto/intel/qat/qat_common/adf_accel_devices.h
+++ b/drivers/crypto/intel/qat/qat_common/adf_accel_devices.h
@@ -28,15 +28,10 @@
#define ADF_4XXX_DEVICE_NAME "4xxx"
#define ADF_420XX_DEVICE_NAME "420xx"
#define ADF_6XXX_DEVICE_NAME "6xxx"
-#define PCI_DEVICE_ID_INTEL_QAT_4XXX 0x4940
#define PCI_DEVICE_ID_INTEL_QAT_4XXXIOV 0x4941
-#define PCI_DEVICE_ID_INTEL_QAT_401XX 0x4942
#define PCI_DEVICE_ID_INTEL_QAT_401XXIOV 0x4943
-#define PCI_DEVICE_ID_INTEL_QAT_402XX 0x4944
#define PCI_DEVICE_ID_INTEL_QAT_402XXIOV 0x4945
-#define PCI_DEVICE_ID_INTEL_QAT_420XX 0x4946
#define PCI_DEVICE_ID_INTEL_QAT_420XXIOV 0x4947
-#define PCI_DEVICE_ID_INTEL_QAT_6XXX 0x4948
#define PCI_DEVICE_ID_INTEL_QAT_6XXX_IOV 0x4949
#define ADF_DEVICE_FUSECTL_OFFSET 0x40
--- a/drivers/dma/idxd/registers.h
+++ b/drivers/dma/idxd/registers.h
@@ -10,9 +10,6 @@
#endif
/* PCI Config */
-#define PCI_DEVICE_ID_INTEL_DSA_GNRD 0x11fb
-#define PCI_DEVICE_ID_INTEL_DSA_DMR 0x1212
-#define PCI_DEVICE_ID_INTEL_IAA_DMR 0x1216
#define PCI_DEVICE_ID_INTEL_IAA_PTL 0xb02d
#define PCI_DEVICE_ID_INTEL_IAA_WCL 0xfd2d
--- a/drivers/pci/p2pdma.c
+++ b/drivers/pci/p2pdma.c
@@ -548,6 +548,16 @@ static const struct pci_p2pdma_whitelist
{PCI_VENDOR_ID_INTEL, 0x2033, 0},
{PCI_VENDOR_ID_INTEL, 0x2020, 0},
{PCI_VENDOR_ID_INTEL, 0x09a2, 0},
+ {PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_DSA_SPR0, 0},
+ {PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_IAX_SPR0, 0},
+ {PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_DSA_GNRD, 0},
+ {PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_DSA_DMR, 0},
+ {PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_IAA_DMR, 0},
+ {PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_QAT_4XXX, 0},
+ {PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_QAT_401XX, 0},
+ {PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_QAT_402XX, 0},
+ {PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_QAT_420XX, 0},
+ {PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_QAT_6XXX, 0},
/* Google SoCs. */
{PCI_VENDOR_ID_GOOGLE, PCI_ANY_ID, 0},
{}
--- a/include/linux/pci_ids.h
+++ b/include/linux/pci_ids.h
@@ -2732,6 +2732,9 @@
#define PCI_DEVICE_ID_INTEL_82815_MC 0x1130
#define PCI_DEVICE_ID_INTEL_82815_CGC 0x1132
#define PCI_DEVICE_ID_INTEL_SST_TNG 0x119a
+#define PCI_DEVICE_ID_INTEL_DSA_GNRD 0x11fb
+#define PCI_DEVICE_ID_INTEL_DSA_DMR 0x1212
+#define PCI_DEVICE_ID_INTEL_IAA_DMR 0x1216
#define PCI_DEVICE_ID_INTEL_82092AA_0 0x1221
#define PCI_DEVICE_ID_INTEL_82437 0x122d
#define PCI_DEVICE_ID_INTEL_82371FB_0 0x122e
@@ -3052,6 +3055,11 @@
#define PCI_DEVICE_ID_INTEL_5400_FBD1 0x4036
#define PCI_DEVICE_ID_INTEL_HDA_TGL_H 0x43c8
#define PCI_DEVICE_ID_INTEL_HDA_DG1 0x490d
+#define PCI_DEVICE_ID_INTEL_QAT_4XXX 0x4940
+#define PCI_DEVICE_ID_INTEL_QAT_401XX 0x4942
+#define PCI_DEVICE_ID_INTEL_QAT_402XX 0x4944
+#define PCI_DEVICE_ID_INTEL_QAT_420XX 0x4946
+#define PCI_DEVICE_ID_INTEL_QAT_6XXX 0x4948
#define PCI_DEVICE_ID_INTEL_HDA_EHL_0 0x4b55
#define PCI_DEVICE_ID_INTEL_HDA_EHL_3 0x4b58
#define PCI_DEVICE_ID_INTEL_HDA_WCL 0x4d28
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 036/120] apparmor: mediate the implicit connect of TCP fast open sendmsg
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 035/120] PCI/P2PDMA: Add Intel QAT, DSA, IAA devices to whitelist Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 037/120] apparmor: fix use-after-free in rawdata dedup loop Greg Kroah-Hartman
` (89 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryam Vargas, John Johansen
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit 4d587cd8a72155089a627130bbd4716ec0856e21 upstream.
sendmsg()/sendto() with MSG_FASTOPEN is a combination of connect(2) and
write(2): it opens the connection in the SYN. apparmor_socket_sendmsg()
only checks AA_MAY_SEND, so a profile that grants send but denies connect
lets a confined task open an outbound TCP/MPTCP connection that connect(2)
would have refused, bypassing connect mediation.
Mediate the implicit connect when MSG_FASTOPEN is set and a destination
is supplied. Add it to apparmor_socket_sendmsg() (not the shared
aa_sock_msg_perm() helper, which recvmsg also uses) and call aa_sk_perm()
directly, mirroring the selinux and tomoyo fixes. sk_is_tcp() does not
cover MPTCP fast open, so the SOCK_STREAM/IPPROTO_MPTCP arm is explicit.
Fixes: cf60af03ca4e ("net-tcp: Fast Open client - sendmsg(MSG_FASTOPEN)")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/lsm.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1422,7 +1422,21 @@ static int aa_sock_msg_perm(const char *
static int apparmor_socket_sendmsg(struct socket *sock,
struct msghdr *msg, int size)
{
- return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size);
+ int error = aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size);
+
+ if (error)
+ return error;
+
+ /* TCP fast open carries connect() semantics in sendmsg(); mediate
+ * the implicit connect so it cannot bypass the connect permission.
+ */
+ if ((msg->msg_flags & MSG_FASTOPEN) && msg->msg_name &&
+ (sk_is_tcp(sock->sk) ||
+ (sk_is_inet(sock->sk) && sock->sk->sk_type == SOCK_STREAM &&
+ sock->sk->sk_protocol == IPPROTO_MPTCP)))
+ error = aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk);
+
+ return error;
}
static int apparmor_socket_recvmsg(struct socket *sock,
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 037/120] apparmor: fix use-after-free in rawdata dedup loop
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 036/120] apparmor: mediate the implicit connect of TCP fast open sendmsg Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 038/120] NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR Greg Kroah-Hartman
` (88 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Colin Ian King, Ruslan Valiyev,
John Johansen
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruslan Valiyev <linuxoid@gmail.com>
commit 6f060496d03e4dc560a40f73770bd08335cb7a27 upstream.
aa_replace_profiles() walks ns->rawdata_list to dedup the incoming
policy blob against entries already attached to existing profiles.
Per the kernel-doc on struct aa_loaddata, list membership does not
hold a reference: profiles hold pcount, and when the last pcount
drops, do_ploaddata_rmfs() is queued on a workqueue that takes
ns->lock and removes the entry. Between dropping the last pcount
and the workqueue running, an entry remains on the list with
pcount == 0.
aa_get_profile_loaddata() is an unconditional kref_get() on
pcount, so when the dedup loop hits such an entry, refcount
hardening reports
refcount_t: addition on 0; use-after-free.
inside aa_replace_profiles(), and the poisoned counter then
trips "saturated" and "underflow" warnings on the subsequent
uses of the same loaddata.
Before commit a0b7091c4de4 ("apparmor: fix race on rawdata
dereference") the dedup path used a get_unless_zero-style helper
on a single counter, so the existing "if (tmp)" guard was
meaningful. The split-refcount refactor introduced
aa_get_profile_loaddata(), which has plain kref_get() semantics,
and the guard quietly became a no-op.
Introduce aa_get_profile_loaddata_not0(), matching the existing
_not0 convention used by aa_get_profile_not0(), and use it for
the rawdata_list dedup lookup so dying entries are skipped.
Reproduced on x86_64 with v7.1-rc5 in QEMU+KVM running Ubuntu
24.04 + stress-ng 0.17.06:
stress-ng --apparmor 1 --klog-check --timeout 60s
Without this patch the three refcount_t warnings fire within a
few seconds. With it the same 60 s run is clean. Coverage is a
smoke-test only; a longer soak with CONFIG_KASAN, CONFIG_KCSAN
and CONFIG_PROVE_LOCKING would be welcome from anyone with the
cycles.
Fixes: a0b7091c4de4 ("apparmor: fix race on rawdata dereference")
Reported-by: Colin Ian King <colin.i.king@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221513
Cc: stable@vger.kernel.org
Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/include/policy_unpack.h | 19 +++++++++++++++++++
security/apparmor/policy.c | 8 ++++++--
2 files changed, 25 insertions(+), 2 deletions(-)
--- a/security/apparmor/include/policy_unpack.h
+++ b/security/apparmor/include/policy_unpack.h
@@ -163,6 +163,25 @@ aa_get_profile_loaddata(struct aa_loadda
return data;
}
+/**
+ * aa_get_profile_loaddata_not0 - get a profile reference count if not zero
+ * @data: reference to get a count on
+ *
+ * Like aa_get_profile_loaddata(), but safe to call on an entry that may
+ * be on a list (e.g. ns->rawdata_list) where the last pcount has already
+ * dropped and the deferred cleanup has not yet run.
+ *
+ * Returns: pointer to reference, or %NULL if @data is NULL or its
+ * profile refcount has already reached zero.
+ */
+static inline struct aa_loaddata *
+aa_get_profile_loaddata_not0(struct aa_loaddata *data)
+{
+ if (data && kref_get_unless_zero(&data->pcount))
+ return data;
+ return NULL;
+}
+
void __aa_loaddata_update(struct aa_loaddata *data, long revision);
bool aa_rawdata_eq(struct aa_loaddata *l, struct aa_loaddata *r);
void aa_loaddata_kref(struct kref *kref);
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1223,8 +1223,12 @@ ssize_t aa_replace_profiles(struct aa_ns
if (aa_rawdata_eq(rawdata_ent, udata)) {
struct aa_loaddata *tmp;
- tmp = aa_get_profile_loaddata(rawdata_ent);
- /* check we didn't fail the race */
+ /*
+ * Entries remain on rawdata_list with
+ * pcount == 0 until do_ploaddata_rmfs()
+ * runs; only take a live profile ref.
+ */
+ tmp = aa_get_profile_loaddata_not0(rawdata_ent);
if (tmp) {
aa_put_profile_loaddata(udata);
udata = tmp;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 038/120] NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 037/120] apparmor: fix use-after-free in rawdata dedup loop Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 039/120] fbdev: fix use-after-free in store_modes() Greg Kroah-Hartman
` (87 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Li, Koichiro Den, Dave Jiang,
Jon Mason
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Koichiro Den <den@valinux.co.jp>
commit d876153680e3d721d385e554def919bce3d18c74 upstream.
When BAR_PEER_SPAD and BAR_CONFIG share one PCI BAR, the module teardown
path ends up calling pci_iounmap() on the same iomem with some offset,
which is unnecessary and triggers a kernel warning like the following:
Trying to vunmap() nonexistent vm area (0000000069a5ffe8)
WARNING: mm/vmalloc.c:3470 at vunmap+0x58/0x68, CPU#5: modprobe/2937
[...]
Call trace:
vunmap+0x58/0x68 (P)
iounmap+0x34/0x48
pci_iounmap+0x2c/0x40
ntb_epf_pci_remove+0x44/0x80 [ntb_hw_epf]
pci_device_remove+0x48/0xf8
device_remove+0x50/0x88
device_release_driver_internal+0x1c8/0x228
driver_detach+0x50/0xb0
bus_remove_driver+0x74/0x100
driver_unregister+0x34/0x68
pci_unregister_driver+0x34/0xa0
ntb_epf_pci_driver_exit+0x14/0xfe0 [ntb_hw_epf]
[...]
Fix it by unmapping only when PEER_SPAD and CONFIG use difference bars.
Cc: stable@vger.kernel.org
Fixes: e75d5ae8ab88 ("NTB: epf: Allow more flexibility in the memory BAR map method")
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Koichiro Den <den@valinux.co.jp>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ntb/hw/epf/ntb_hw_epf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/ntb/hw/epf/ntb_hw_epf.c
+++ b/drivers/ntb/hw/epf/ntb_hw_epf.c
@@ -646,7 +646,8 @@ static void ntb_epf_deinit_pci(struct nt
struct pci_dev *pdev = ndev->ntb.pdev;
pci_iounmap(pdev, ndev->ctrl_reg);
- pci_iounmap(pdev, ndev->peer_spad_reg);
+ if (ndev->barno_map[BAR_PEER_SPAD] != ndev->barno_map[BAR_CONFIG])
+ pci_iounmap(pdev, ndev->peer_spad_reg);
pci_iounmap(pdev, ndev->db_reg);
pci_release_regions(pdev);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 039/120] fbdev: fix use-after-free in store_modes()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 038/120] NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 040/120] fscrypt: Fix key setup in edge case with multiple data unit sizes Greg Kroah-Hartman
` (86 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+81c7c6b52649fd07299d,
Ian Bridges, Helge Deller
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Bridges <icb@fastmail.org>
commit 2c1c805c65fb7dc7524e20376d6987721e73a0b1 upstream.
store_modes() replaces a framebuffer's modelist with modes from userspace.
On success it frees the old modelist with fb_destroy_modelist(). Two
fields still point into that freed list.
One pointer is fb_display[i].mode, the mode a console is using.
fbcon_new_modelist() moves these pointers to the new list. It only does so
for consoles still mapped to the framebuffer. An unmapped console is
skipped and keeps its stale pointer. Unbinding fbcon, for example, sets
con2fb_map[i] to -1 but leaves fb_display[i].mode set. An
FBIOPUT_VSCREENINFO ioctl with FB_ACTIVATE_INV_MODE later reaches
fbcon_mode_deleted(). That function reads the stale fb_display[i].mode
through fb_mode_is_equal(). The read is a use-after-free.
The other pointer is fb_info->mode, the current mode. It is set through
the mode sysfs attribute. store_modes() does not update fb_info->mode, so
it is left pointing into the freed list. show_mode(), the attribute's read
handler, dereferences the stale fb_info->mode through mode_string(). The
read is a use-after-free.
Clear both pointers before freeing the list. Commit a1f305893074 ("fbcon:
Set fb_display[i]->mode to NULL when the mode is released") added the
helper fbcon_delete_modelist(). It clears every fb_display[i].mode that
points into a given list. So far it is called only from the unregister
path. Call it from store_modes() too, and set fb_info->mode to NULL.
Reported-by: syzbot+81c7c6b52649fd07299d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=81c7c6b52649fd07299d
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/ajjoDhAi2y4ArSlz@dev/
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Ian Bridges <icb@fastmail.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/fbsysfs.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/video/fbdev/core/fbsysfs.c
+++ b/drivers/video/fbdev/core/fbsysfs.c
@@ -11,6 +11,7 @@
#include <linux/major.h>
#include "fb_internal.h"
+#include "fbcon.h"
static int activate(struct fb_info *fb_info, struct fb_var_screeninfo *var)
{
@@ -111,8 +112,15 @@ static ssize_t store_modes(struct device
if (fb_new_modelist(fb_info)) {
fb_destroy_modelist(&fb_info->modelist);
list_splice(&old_list, &fb_info->modelist);
- } else
+ } else {
+ /*
+ * fb_display[i].mode and fb_info->mode both point into the old
+ * list. Clear them before it is freed.
+ */
+ fbcon_delete_modelist(&old_list);
+ fb_info->mode = NULL;
fb_destroy_modelist(&old_list);
+ }
unlock_fb_info(fb_info);
console_unlock();
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 040/120] fscrypt: Fix key setup in edge case with multiple data unit sizes
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 039/120] fbdev: fix use-after-free in store_modes() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 041/120] block: invalidate cached plug timestamp after task switch Greg Kroah-Hartman
` (85 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit dd015b566d505d698386103e9c80b739c7336eb8 upstream.
The addition of support for customizable data unit sizes introduced an
edge case where a file's contents can be en/decrypted with the wrong
data unit size. It occurs when there are multiple v2 policies that:
- Have *different* data unit sizes, via the log2_data_unit_size field
- Share the same master_key_identifier, contents_encryption_mode, and
either FSCRYPT_POLICY_FLAG_DIRECT_KEY,
FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32, or
FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64
- Are being used on the same filesystem, which also must be mounted with
the "inlinecrypt" mount option.
Fortunately this edge case doesn't actually occur in practice. I just
found it via code review. But it needs to be fixed regardless.
The bug is caused by the data unit size not being fully considered when
blk_crypto_keys are cached in mk_direct_keys, mk_iv_ino_lblk_32_keys,
and mk_iv_ino_lblk_64_keys. They're differentiated only by master key,
encryption mode, and flag. However, each one actually has a data unit
size too. Only the first data unit size that is cached is used.
To fix this, start using the data unit size to differentiate the cached
keys. For several reasons, including avoiding increasing the size of
struct fscrypt_master_key, just replace all three arrays with a single
linked list instead of changing them into two-dimensional arrays. This
works well when considering that in practice at most 2 entries are used
across all three arrays, so it was already mostly wasted space.
For simplicity, make the list also take over the publish/subscribe of
the prepared key itself. That is, create separate list nodes for
blk_crypto_keys vs crypto_skciphers, and add nodes to the list only when
their key is actually prepared. (Note that the legacy
fscrypt_direct_keys table in fs/crypto/keysetup_v1.c already works this
way.) This eliminates the need for the additional memory barriers when
reading and writing the fields of struct fscrypt_prepared_key.
Note that I technically should have included the data unit size in the
HKDF info string as well. But it's too late to change that.
Fixes: 5b1188847180 ("fscrypt: support crypto data unit size less than filesystem block size")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260618180652.52742-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/crypto/fscrypt_private.h | 52 +++++++++++-------
fs/crypto/inline_crypt.c | 8 --
fs/crypto/keyring.c | 23 +++++---
fs/crypto/keysetup.c | 122 +++++++++++++++++++++++++++-----------------
4 files changed, 122 insertions(+), 83 deletions(-)
--- a/fs/crypto/fscrypt_private.h
+++ b/fs/crypto/fscrypt_private.h
@@ -236,7 +236,7 @@ struct fscrypt_symlink_data {
* @tfm: crypto API transform object
* @blk_key: key for blk-crypto
*
- * Normally only one of the fields will be non-NULL.
+ * Only one of the fields is non-NULL.
*/
struct fscrypt_prepared_key {
struct crypto_sync_skcipher *tfm;
@@ -245,6 +245,15 @@ struct fscrypt_prepared_key {
#endif
};
+/* An entry in the linked list ->mk_mode_keys */
+struct fscrypt_mode_key {
+ struct fscrypt_prepared_key key;
+ struct list_head link;
+ u8 hkdf_context;
+ u8 mode_num;
+ u8 data_unit_bits;
+};
+
/*
* fscrypt_inode_info - the "encryption key" for an inode
*
@@ -430,20 +439,12 @@ int fscrypt_derive_sw_secret(struct supe
* @prep_key, depending on which encryption implementation the file will use.
*/
static inline bool
-fscrypt_is_key_prepared(struct fscrypt_prepared_key *prep_key,
+fscrypt_is_key_prepared(const struct fscrypt_prepared_key *prep_key,
const struct fscrypt_inode_info *ci)
{
- /*
- * The two smp_load_acquire()'s here pair with the smp_store_release()'s
- * in fscrypt_prepare_inline_crypt_key() and fscrypt_prepare_key().
- * I.e., in some cases (namely, if this prep_key is a per-mode
- * encryption key) another task can publish blk_key or tfm concurrently,
- * executing a RELEASE barrier. We need to use smp_load_acquire() here
- * to safely ACQUIRE the memory the other task published.
- */
if (fscrypt_using_inline_encryption(ci))
- return smp_load_acquire(&prep_key->blk_key) != NULL;
- return smp_load_acquire(&prep_key->tfm) != NULL;
+ return prep_key->blk_key != NULL;
+ return prep_key->tfm != NULL;
}
#else /* CONFIG_FS_ENCRYPTION_INLINE_CRYPT */
@@ -486,10 +487,10 @@ fscrypt_derive_sw_secret(struct super_bl
}
static inline bool
-fscrypt_is_key_prepared(struct fscrypt_prepared_key *prep_key,
+fscrypt_is_key_prepared(const struct fscrypt_prepared_key *prep_key,
const struct fscrypt_inode_info *ci)
{
- return smp_load_acquire(&prep_key->tfm) != NULL;
+ return prep_key->tfm != NULL;
}
#endif /* !CONFIG_FS_ENCRYPTION_INLINE_CRYPT */
@@ -577,8 +578,8 @@ struct fscrypt_master_key {
/*
* Active and structural reference counts. An active ref guarantees
* that the struct continues to exist, continues to be in the keyring
- * ->s_master_keys, and that any embedded subkeys (e.g.
- * ->mk_direct_keys) that have been prepared continue to exist.
+ * ->s_master_keys, and that any non-file-scoped subkeys (e.g.
+ * ->mk_mode_keys) that have been prepared continue to exist.
* A structural ref only guarantees that the struct continues to exist.
*
* There is one active ref associated with ->mk_present being true, and
@@ -632,12 +633,21 @@ struct fscrypt_master_key {
spinlock_t mk_decrypted_inodes_lock;
/*
- * Per-mode encryption keys for the various types of encryption policies
- * that use them. Allocated and derived on-demand.
+ * A list of 'struct fscrypt_mode_key' for the (hkdf_context, mode_num,
+ * data_unit_bits, inlinecrypt) combinations that are in use for this
+ * master key, for hkdf_context in [HKDF_CONTEXT_DIRECT_KEY,
+ * HKDF_CONTEXT_IV_INO_LBLK_32_KEY, HKDF_CONTEXT_IV_INO_LBLK_64_KEY].
+ *
+ * This is a linked list and not a hash table because in practice
+ * there's just a single encryption policy per master key, using
+ * _at most_ 2 nodes in this list. Per-file keys don't use this at all.
+ *
+ * This list is append-only until the master key is fully removed, at
+ * which time the list is cleared. Before then,
+ * fscrypt_mode_key_setup_mutex synchronizes appends, and searches use
+ * the RCU read lock together with ->mk_sem held for read.
*/
- struct fscrypt_prepared_key mk_direct_keys[FSCRYPT_MODE_MAX + 1];
- struct fscrypt_prepared_key mk_iv_ino_lblk_64_keys[FSCRYPT_MODE_MAX + 1];
- struct fscrypt_prepared_key mk_iv_ino_lblk_32_keys[FSCRYPT_MODE_MAX + 1];
+ struct list_head mk_mode_keys;
/* Hash key for inode numbers. Initialized only when needed. */
siphash_key_t mk_ino_hash_key;
--- a/fs/crypto/inline_crypt.c
+++ b/fs/crypto/inline_crypt.c
@@ -198,13 +198,7 @@ int fscrypt_prepare_inline_crypt_key(str
goto fail;
}
- /*
- * Pairs with the smp_load_acquire() in fscrypt_is_key_prepared().
- * I.e., here we publish ->blk_key with a RELEASE barrier so that
- * concurrent tasks can ACQUIRE it. Note that this concurrency is only
- * possible for per-mode keys, not for per-file keys.
- */
- smp_store_release(&prep_key->blk_key, blk_key);
+ prep_key->blk_key = blk_key;
return 0;
fail:
--- a/fs/crypto/keyring.c
+++ b/fs/crypto/keyring.c
@@ -87,14 +87,14 @@ void fscrypt_put_master_key(struct fscry
void fscrypt_put_master_key_activeref(struct super_block *sb,
struct fscrypt_master_key *mk)
{
- size_t i;
+ struct fscrypt_mode_key *node, *tmp;
if (!refcount_dec_and_test(&mk->mk_active_refs))
return;
/*
* No active references left, so complete the full removal of this
* fscrypt_master_key struct by removing it from the keyring and
- * destroying any subkeys embedded in it.
+ * destroying any non-file-scoped subkeys.
*/
if (WARN_ON_ONCE(!sb->s_master_keys))
@@ -110,13 +110,16 @@ void fscrypt_put_master_key_activeref(st
WARN_ON_ONCE(mk->mk_present);
WARN_ON_ONCE(!list_empty(&mk->mk_decrypted_inodes));
- for (i = 0; i <= FSCRYPT_MODE_MAX; i++) {
- fscrypt_destroy_prepared_key(
- sb, &mk->mk_direct_keys[i]);
- fscrypt_destroy_prepared_key(
- sb, &mk->mk_iv_ino_lblk_64_keys[i]);
- fscrypt_destroy_prepared_key(
- sb, &mk->mk_iv_ino_lblk_32_keys[i]);
+ /*
+ * Destroy any non-file-scoped subkeys. Since ->mk_active_refs == 0,
+ * they're no longer referenced by any inodes. Nor can key setup run
+ * and use them again. So they're no longer needed. (This implies no
+ * concurrent readers, so we don't need list_del_rcu() for example.)
+ */
+ list_for_each_entry_safe(node, tmp, &mk->mk_mode_keys, link) {
+ fscrypt_destroy_prepared_key(sb, &node->key);
+ list_del(&node->link);
+ kfree(node);
}
memzero_explicit(&mk->mk_ino_hash_key,
sizeof(mk->mk_ino_hash_key));
@@ -445,6 +448,8 @@ static int add_new_master_key(struct sup
INIT_LIST_HEAD(&mk->mk_decrypted_inodes);
spin_lock_init(&mk->mk_decrypted_inodes_lock);
+ INIT_LIST_HEAD(&mk->mk_mode_keys);
+
if (mk_spec->type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) {
err = allocate_master_key_users_keyring(mk);
if (err)
--- a/fs/crypto/keysetup.c
+++ b/fs/crypto/keysetup.c
@@ -163,13 +163,7 @@ int fscrypt_prepare_key(struct fscrypt_p
tfm = fscrypt_allocate_skcipher(ci->ci_mode, raw_key, ci->ci_inode);
if (IS_ERR(tfm))
return PTR_ERR(tfm);
- /*
- * Pairs with the smp_load_acquire() in fscrypt_is_key_prepared().
- * I.e., here we publish ->tfm with a RELEASE barrier so that
- * concurrent tasks can ACQUIRE it. Note that this concurrency is only
- * possible for per-mode keys, not for per-file keys.
- */
- smp_store_release(&prep_key->tfm, tfm);
+ prep_key->tfm = tfm;
return 0;
}
@@ -190,9 +184,37 @@ int fscrypt_set_per_file_enc_key(struct
return fscrypt_prepare_key(&ci->ci_enc_key, raw_key, ci);
}
+/*
+ * Find the fscrypt_prepared_key (if any) for a particular (mk, hkdf_context,
+ * mode_num, data_unit_bits, inlinecrypt) combination.
+ *
+ * The caller must hold ->mk_sem for reading and ->mk_present must be true,
+ * ensuring that ->mk_mode_keys is still append-only.
+ */
+static struct fscrypt_prepared_key *
+fscrypt_find_mode_key(struct fscrypt_master_key *mk, u8 hkdf_context,
+ u8 mode_num, const struct fscrypt_inode_info *ci)
+{
+ struct fscrypt_mode_key *node;
+
+ /*
+ * The RCU read lock here is used only to synchronize with concurrent
+ * list_add_tail_rcu(). Concurrent deletions are impossible here, so
+ * returning a pointer to a node without taking any refcount is safe.
+ */
+ guard(rcu)();
+ list_for_each_entry_rcu(node, &mk->mk_mode_keys, link) {
+ if (node->hkdf_context == hkdf_context &&
+ node->mode_num == mode_num &&
+ node->data_unit_bits == ci->ci_data_unit_bits &&
+ fscrypt_is_key_prepared(&node->key, ci))
+ return &node->key;
+ }
+ return NULL;
+}
+
static int setup_per_mode_enc_key(struct fscrypt_inode_info *ci,
struct fscrypt_master_key *mk,
- struct fscrypt_prepared_key *keys,
u8 hkdf_context, bool include_fs_uuid)
{
const struct inode *inode = ci->ci_inode;
@@ -200,7 +222,8 @@ static int setup_per_mode_enc_key(struct
struct fscrypt_mode *mode = ci->ci_mode;
const u8 mode_num = mode - fscrypt_modes;
struct fscrypt_prepared_key *prep_key;
- u8 mode_key[FSCRYPT_MAX_RAW_KEY_SIZE];
+ struct fscrypt_mode_key *new_node;
+ u8 raw_mode_key[FSCRYPT_MAX_RAW_KEY_SIZE];
u8 hkdf_info[sizeof(mode_num) + sizeof(sb->s_uuid)];
unsigned int hkdf_infolen = 0;
bool use_hw_wrapped_key = false;
@@ -223,48 +246,56 @@ static int setup_per_mode_enc_key(struct
use_hw_wrapped_key = true;
}
- prep_key = &keys[mode_num];
- if (fscrypt_is_key_prepared(prep_key, ci)) {
+ prep_key = fscrypt_find_mode_key(mk, hkdf_context, mode_num, ci);
+ if (prep_key) {
ci->ci_enc_key = *prep_key;
return 0;
}
- mutex_lock(&fscrypt_mode_key_setup_mutex);
+ guard(mutex)(&fscrypt_mode_key_setup_mutex);
+
+ prep_key = fscrypt_find_mode_key(mk, hkdf_context, mode_num, ci);
+ if (prep_key) {
+ ci->ci_enc_key = *prep_key;
+ return 0;
+ }
- if (fscrypt_is_key_prepared(prep_key, ci))
- goto done_unlock;
+ new_node = kzalloc_obj(*new_node);
+ if (!new_node)
+ return -ENOMEM;
+ new_node->hkdf_context = hkdf_context;
+ new_node->mode_num = mode_num;
+ new_node->data_unit_bits = ci->ci_data_unit_bits;
+ prep_key = &new_node->key;
if (use_hw_wrapped_key) {
err = fscrypt_prepare_inline_crypt_key(prep_key,
mk->mk_secret.bytes,
mk->mk_secret.size, true,
ci);
- if (err)
- goto out_unlock;
- goto done_unlock;
- }
-
- BUILD_BUG_ON(sizeof(mode_num) != 1);
- BUILD_BUG_ON(sizeof(sb->s_uuid) != 16);
- BUILD_BUG_ON(sizeof(hkdf_info) != 17);
- hkdf_info[hkdf_infolen++] = mode_num;
- if (include_fs_uuid) {
- memcpy(&hkdf_info[hkdf_infolen], &sb->s_uuid,
- sizeof(sb->s_uuid));
- hkdf_infolen += sizeof(sb->s_uuid);
- }
- fscrypt_hkdf_expand(&mk->mk_secret.hkdf, hkdf_context, hkdf_info,
- hkdf_infolen, mode_key, mode->keysize);
- err = fscrypt_prepare_key(prep_key, mode_key, ci);
- memzero_explicit(mode_key, mode->keysize);
- if (err)
- goto out_unlock;
-done_unlock:
+ } else {
+ static_assert(sizeof(mode_num) == 1);
+ static_assert(sizeof(sb->s_uuid) == 16);
+ static_assert(sizeof(hkdf_info) == 17);
+ hkdf_info[hkdf_infolen++] = mode_num;
+ if (include_fs_uuid) {
+ memcpy(&hkdf_info[hkdf_infolen], &sb->s_uuid,
+ sizeof(sb->s_uuid));
+ hkdf_infolen += sizeof(sb->s_uuid);
+ }
+ fscrypt_hkdf_expand(&mk->mk_secret.hkdf, hkdf_context,
+ hkdf_info, hkdf_infolen, raw_mode_key,
+ mode->keysize);
+ err = fscrypt_prepare_key(prep_key, raw_mode_key, ci);
+ memzero_explicit(raw_mode_key, mode->keysize);
+ }
+ if (err) {
+ kfree(new_node);
+ return err;
+ }
+ list_add_tail_rcu(&new_node->link, &mk->mk_mode_keys);
ci->ci_enc_key = *prep_key;
- err = 0;
-out_unlock:
- mutex_unlock(&fscrypt_mode_key_setup_mutex);
- return err;
+ return 0;
}
/*
@@ -311,8 +342,8 @@ static int fscrypt_setup_iv_ino_lblk_32_
{
int err;
- err = setup_per_mode_enc_key(ci, mk, mk->mk_iv_ino_lblk_32_keys,
- HKDF_CONTEXT_IV_INO_LBLK_32_KEY, true);
+ err = setup_per_mode_enc_key(ci, mk, HKDF_CONTEXT_IV_INO_LBLK_32_KEY,
+ true);
if (err)
return err;
@@ -364,8 +395,8 @@ static int fscrypt_setup_v2_file_key(str
* encryption key. This ensures that the master key is
* consistently used only for HKDF, avoiding key reuse issues.
*/
- err = setup_per_mode_enc_key(ci, mk, mk->mk_direct_keys,
- HKDF_CONTEXT_DIRECT_KEY, false);
+ err = setup_per_mode_enc_key(ci, mk, HKDF_CONTEXT_DIRECT_KEY,
+ false);
} else if (ci->ci_policy.v2.flags &
FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) {
/*
@@ -374,9 +405,8 @@ static int fscrypt_setup_v2_file_key(str
* the IVs. This format is optimized for use with inline
* encryption hardware compliant with the UFS standard.
*/
- err = setup_per_mode_enc_key(ci, mk, mk->mk_iv_ino_lblk_64_keys,
- HKDF_CONTEXT_IV_INO_LBLK_64_KEY,
- true);
+ err = setup_per_mode_enc_key(
+ ci, mk, HKDF_CONTEXT_IV_INO_LBLK_64_KEY, true);
} else if (ci->ci_policy.v2.flags &
FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) {
err = fscrypt_setup_iv_ino_lblk_32_key(ci, mk);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 041/120] block: invalidate cached plug timestamp after task switch
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 040/120] fscrypt: Fix key setup in edge case with multiple data unit sizes Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 042/120] KVM: arm64: Omit tag sync on stage-2 mappings of the zero page Greg Kroah-Hartman
` (84 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Usama Arif, Jens Axboe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Usama Arif <usama.arif@linux.dev>
commit fad156c2af227f42ca796cbb20ddc354a6dd9932 upstream.
blk_time_get_ns() caches ktime_get_ns() in current->plug->cur_ktime
and marks the task with PF_BLOCK_TS. That cache is only valid while the
task keeps running; if the task is switched out, wall-clock time
advances and the cached value must not be reused when the task runs again.
The existing invalidation covers explicit plug flushes through
__blk_flush_plug(), and the schedule() / rtmutex paths through
sched_update_worker(). It does not cover in-kernel preemption paths such
as preempt_schedule(), preempt_schedule_notrace(), and
preempt_schedule_irq(), which enter __schedule(SM_PREEMPT) directly and
return without calling sched_update_worker().
As a result, a task preempted while holding a plug with PF_BLOCK_TS set
can reuse a stale plug->cur_ktime after it is scheduled back in. blk-iocost
then consumes that stale timestamp through ioc_now(), producing stale vnow
values for throttle decisions, and through ioc_rqos_done(), inflating
on-queue time and feeding false missed-QoS samples into vrate
adjustment.
Move the schedule-side invalidation to finish_task_switch(), which runs
for the scheduled-in task after every actual context switch regardless
of which schedule entry point was used. Keep __blk_flush_plug() as the
explicit flush/finish-plug invalidation path, and remove only the
PF_BLOCK_TS handling from sched_update_worker().
Fixes: 06b23f92af87 ("block: update cached timestamp post schedule/preemption")
Cc: stable@vger.kernel.org
Signed-off-by: Usama Arif <usama.arif@linux.dev>
Link: https://patch.msgid.link/20260616141604.328820-3-usama.arif@linux.dev
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/blkdev.h | 18 +++++++-----------
kernel/sched/core.c | 12 ++++++++----
2 files changed, 15 insertions(+), 15 deletions(-)
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -1214,16 +1214,12 @@ static inline void blk_flush_plug(struct
__blk_flush_plug(plug, async);
}
-/*
- * tsk == current here
- */
-static inline void blk_plug_invalidate_ts(struct task_struct *tsk)
-{
- struct blk_plug *plug = tsk->plug;
-
- if (plug)
- plug->cur_ktime = 0;
- current->flags &= ~PF_BLOCK_TS;
+static __always_inline void blk_plug_invalidate_ts(void)
+{
+ if (unlikely(current->flags & PF_BLOCK_TS)) {
+ current->plug->cur_ktime = 0;
+ current->flags &= ~PF_BLOCK_TS;
+ }
}
int blkdev_issue_flush(struct block_device *bdev);
@@ -1249,7 +1245,7 @@ static inline void blk_flush_plug(struct
{
}
-static inline void blk_plug_invalidate_ts(struct task_struct *tsk)
+static inline void blk_plug_invalidate_ts(void)
{
}
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5252,6 +5252,12 @@ static struct rq *finish_task_switch(str
*/
kmap_local_sched_in();
+ /*
+ * Any cached block-layer timestamp (plug->cur_ktime) is stale now,
+ * invalidate it.
+ */
+ blk_plug_invalidate_ts();
+
fire_sched_in_preempt_notifiers(current);
/*
* When switching through a kernel thread, the loop in
@@ -7251,12 +7257,10 @@ static inline void sched_submit_work(str
static void sched_update_worker(struct task_struct *tsk)
{
- if (tsk->flags & (PF_WQ_WORKER | PF_IO_WORKER | PF_BLOCK_TS)) {
- if (tsk->flags & PF_BLOCK_TS)
- blk_plug_invalidate_ts(tsk);
+ if (tsk->flags & (PF_WQ_WORKER | PF_IO_WORKER)) {
if (tsk->flags & PF_WQ_WORKER)
wq_worker_running(tsk);
- else if (tsk->flags & PF_IO_WORKER)
+ else
io_wq_worker_running(tsk);
}
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 042/120] KVM: arm64: Omit tag sync on stage-2 mappings of the zero page
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 041/120] block: invalidate cached plug timestamp after task switch Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 043/120] err.h: use __always_inline on all error pointer helpers Greg Kroah-Hartman
` (83 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Catalin Marinas, Ard Biesheuvel,
Will Deacon
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ardb@kernel.org>
commit 2986a625740599fe6e7635b0586fed2a95bcd1f7 upstream.
Commit
f620d66af316 ("arm64: mte: Do not flag the zero page as PG_mte_tagged")
removed the PG_mte_tagged flag from the zero page, but missed a KVM code
path that may set this flag on the zero page when it is used in a
stage-2 CoW mapping of anonymous memory.
So disregard the zero page explicitly in sanitise_mte_tags().
Fixes: f620d66af316 ("arm64: mte: Do not flag the zero page as PG_mte_tagged")
Cc: stable@vger.kernel.org # 5.10.x
Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/mmu.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/arch/arm64/kvm/mmu.c
+++ b/arch/arm64/kvm/mmu.c
@@ -1479,6 +1479,11 @@ static void sanitise_mte_tags(struct kvm
if (!kvm_has_mte(kvm))
return;
+ if (is_zero_pfn(pfn)) {
+ WARN_ON_ONCE(nr_pages != 1);
+ return;
+ }
+
if (folio_test_hugetlb(folio)) {
/* Hugetlb has MTE flags set on head page only */
if (folio_try_hugetlb_mte_tagging(folio)) {
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 043/120] err.h: use __always_inline on all error pointer helpers
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 042/120] KVM: arm64: Omit tag sync on stage-2 mappings of the zero page Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 044/120] gcov: use atomic counter updates to fix concurrent access crashes Greg Kroah-Hartman
` (82 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Alexander Lobakin,
Nathan Chancellor, Tamir Duberstein, Alexander Gordeev,
Andriy Shevchenko, Ansuel Smith, Bjorn Andersson, Heiko Carstens,
Vasily Gorbik, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 94bfc7f3b0c7c33331ba4ff6cc64ff309dfcbce8 upstream.
While testing randconfig builds on s390, I came across a link failure with
CONFIG_DMA_SHARED_BUFFER disabled:
ERROR: modpost: "dma_buf_put" [drivers/iommu/iommufd/iommufd.ko] undefined!
The problem here is that IS_ERR() is not inlined and dead code elimination
fails as a consequence.
The err.h helpers all turn into a trivial assignment of a bit mask and
should never result in a function call, so force them to always be inline.
This should generally result in better object code aside from avoiding
the link failure above.
Link: https://lore.kernel.org/20260526101851.2495110-1-arnd@kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Tamir Duberstein <tamird@kernel.org>
Cc: Alexander Gordeev <agordeev@linux.ibm.com>
Cc: Andriy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Ansuel Smith <ansuelsmth@gmail.com>
Cc: Bjorn Andersson <andersson@kernel.org>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/err.h | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/include/linux/err.h
+++ b/include/linux/err.h
@@ -36,7 +36,7 @@
*
* Return: A pointer with @error encoded within its value.
*/
-static inline void * __must_check ERR_PTR(long error)
+static __always_inline void * __must_check ERR_PTR(long error)
{
return (void *) error;
}
@@ -60,7 +60,7 @@ static inline void * __must_check ERR_PT
* @ptr: An error pointer.
* Return: The error code within @ptr.
*/
-static inline long __must_check PTR_ERR(__force const void *ptr)
+static __always_inline long __must_check PTR_ERR(__force const void *ptr)
{
return (long) ptr;
}
@@ -73,7 +73,7 @@ static inline long __must_check PTR_ERR(
* @ptr: The pointer to check.
* Return: true if @ptr is an error pointer, false otherwise.
*/
-static inline bool __must_check IS_ERR(__force const void *ptr)
+static __always_inline bool __must_check IS_ERR(__force const void *ptr)
{
return IS_ERR_VALUE((unsigned long)ptr);
}
@@ -87,7 +87,7 @@ static inline bool __must_check IS_ERR(_
*
* Like IS_ERR(), but also returns true for a null pointer.
*/
-static inline bool __must_check IS_ERR_OR_NULL(__force const void *ptr)
+static __always_inline bool __must_check IS_ERR_OR_NULL(__force const void *ptr)
{
return unlikely(!ptr) || IS_ERR_VALUE((unsigned long)ptr);
}
@@ -99,7 +99,7 @@ static inline bool __must_check IS_ERR_O
* Explicitly cast an error-valued pointer to another pointer type in such a
* way as to make it clear that's what's going on.
*/
-static inline void * __must_check ERR_CAST(__force const void *ptr)
+static __always_inline void * __must_check ERR_CAST(__force const void *ptr)
{
/* cast away the const */
return (void *) ptr;
@@ -122,7 +122,7 @@ static inline void * __must_check ERR_CA
*
* Return: The error code within @ptr if it is an error pointer; 0 otherwise.
*/
-static inline int __must_check PTR_ERR_OR_ZERO(__force const void *ptr)
+static __always_inline int __must_check PTR_ERR_OR_ZERO(__force const void *ptr)
{
if (IS_ERR(ptr))
return PTR_ERR(ptr);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 044/120] gcov: use atomic counter updates to fix concurrent access crashes
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 043/120] err.h: use __always_inline on all error pointer helpers Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 045/120] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
` (81 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konstantin Khorenko, Arnd Bergmann,
Peter Oberparleiter, Masahiro Yamada, Miguel Ojeda,
Mikhail Zaslonko, Nathan Chancellor, Pavel Tikhomirov,
Thomas Weißschuh, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Khorenko <khorenko@virtuozzo.com>
commit 56cb9b7d96b28a1173a510ab25354b6599ad3a33 upstream.
GCC's GCOV instrumentation can merge global branch counters with loop
induction variables as an optimization. In inflate_fast(), the inner copy
loops get transformed so that the GCOV counter value is loaded multiple
times to compute the loop base address, start index, and end bound. Since
GCOV counters are global (not per-CPU), concurrent execution on different
CPUs causes the counter to change between loads, producing inconsistent
values and out-of-bounds memory writes.
The crash manifests during IPComp (IP Payload Compression) processing when
inflate_fast() runs concurrently on multiple CPUs:
BUG: unable to handle page fault for address: ffffd0a3c0902ffa
RIP: inflate_fast+1431
Call Trace:
zlib_inflate
__deflate_decompress
crypto_comp_decompress
ipcomp_decompress [xfrm_ipcomp]
ipcomp_input [xfrm_ipcomp]
xfrm_input
At the crash point, the compiler generated three loads from the same
global GCOV counter (__gcov0.inflate_fast+216) to compute base, start, and
end for an indexed loop. Another CPU modified the counter between loads,
making the values inconsistent - the write went 3.4 MB past a 65 KB
buffer.
Add -fprofile-update=prefer-atomic to CFLAGS_GCOV at the global level in
the top-level Makefile, guarded by a try-run compile test. The test
compiles a minimal program with and without -fprofile-update=prefer-atomic
using the full KBUILD_CFLAGS, then compares undefined symbols in the
resulting object files. If prefer-atomic introduces new undefined
references (such as __atomic_fetch_add_8 on i386 or __aarch64_ldadd8_relax
on arm64 with outline-atomics), the flag is not added -- the kernel does
not link against libatomic.
On architectures where GCC inlines 64-bit atomic counter updates (x86_64,
s390, ...) the test passes and the flag is enabled, preventing the
compiler from merging counters with loop induction variables and fixing
the observed concurrent-access crash.
On architectures where the flag would introduce libatomic dependencies, it
is silently omitted and behaviour is no worse than before this patch.
Move the CFLAGS_GCOV block from its original position (before the arch
Makefile include) to after the core KBUILD_CFLAGS assignments but before
the scripts/Makefile.gcc-plugins include. This placement ensures the
try-run test sees arch-specific flags (-m32, -march=,
-mno-outline-atomics) while avoiding GCC plugin flags (-fplugin=) that
would break the test on clean builds when plugin shared objects do not yet
exist.
Link: https://lore.kernel.org/20260511105052.417187-2-khorenko@virtuozzo.com
Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
Tested-by: Arnd Bergmann <arnd@arndb.de>
Tested-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Mikhail Zaslonko <zaslonko@linux.ibm.com>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Cc: Thomas Weißschuh <linux@weissschuh.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
--- a/Makefile
+++ b/Makefile
@@ -827,12 +827,6 @@ endif # KBUILD_EXTMOD
# Defaults to vmlinux, but the arch makefile usually adds further targets
all: vmlinux
-CFLAGS_GCOV := -fprofile-arcs -ftest-coverage
-ifdef CONFIG_CC_IS_GCC
-CFLAGS_GCOV += -fno-tree-loop-im
-endif
-export CFLAGS_GCOV
-
# The arch Makefiles can override CC_FLAGS_FTRACE. We may also append it later.
ifdef CONFIG_FUNCTION_TRACER
CC_FLAGS_FTRACE := -pg
@@ -1150,6 +1144,27 @@ endif
# Ensure compilers do not transform certain loops into calls to wcslen()
KBUILD_CFLAGS += -fno-builtin-wcslen
+CFLAGS_GCOV := -fprofile-arcs -ftest-coverage
+ifdef CONFIG_CC_IS_GCC
+CFLAGS_GCOV += -fno-tree-loop-im
+# Use atomic counter updates to avoid concurrent-access crashes in GCOV.
+# Only enable if -fprofile-update=prefer-atomic does not introduce new
+# undefined symbols (e.g. libatomic calls that the kernel cannot link).
+CFLAGS_GCOV += $(call try-run,\
+ echo 'long long x; void f(void){x++;}' | \
+ $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) -w -fprofile-arcs \
+ -ftest-coverage -x c - -c -o "$$TMP.base" && \
+ echo 'long long x; void f(void){x++;}' | \
+ $(CC) $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) -w -fprofile-arcs \
+ -ftest-coverage -fprofile-update=prefer-atomic \
+ -x c - -c -o "$$TMP" && \
+ $(NM) "$$TMP.base" | grep ' U ' > "$$TMP.ubase" || true ; \
+ $(NM) "$$TMP" | grep ' U ' > "$$TMP.utest" || true ; \
+ cmp -s "$$TMP.ubase" "$$TMP.utest",\
+ -fprofile-update=prefer-atomic)
+endif
+export CFLAGS_GCOV
+
# change __FILE__ to the relative path to the source directory
ifdef building_out_of_srctree
KBUILD_CPPFLAGS += -fmacro-prefix-map=$(srcroot)/=
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 045/120] KEYS: fix overflow in keyctl_pkey_params_get_2()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 044/120] gcov: use atomic counter updates to fix concurrent access crashes Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 046/120] keys: Pin request_key_auth payload in instantiate paths Greg Kroah-Hartman
` (80 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alessandro Groppo, Jarkko Sakkinen
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Sakkinen <jarkko@kernel.org>
commit cb481e59ea6cae3b7796ac1d7a22b6b24c3f3c0b upstream.
The length for the internal output buffer is calculated incorrectly, which
can result overflow when a too small buffer is provided.
Fix the bug by allocating internal output with the size of the maximum
length of the cryptographic primitive instead of caller provided size.
Link: https://lore.kernel.org/keyrings/20260531024914.3712130-1-jarkko@kernel.org/
Cc: stable@vger.kernel.org # v4.20+
Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]")
Reported-by: Alessandro Groppo <ale.grpp@gmail.com>
Tested-by: Alessandro Groppo <ale.grpp@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/keyctl_pkey.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/security/keys/keyctl_pkey.c
+++ b/security/keys/keyctl_pkey.c
@@ -138,28 +138,35 @@ static int keyctl_pkey_params_get_2(cons
if (uparams.in_len > info.max_dec_size ||
uparams.out_len > info.max_enc_size)
return -EINVAL;
+
+ params->out_len = info.max_enc_size;
break;
case KEYCTL_PKEY_DECRYPT:
if (uparams.in_len > info.max_enc_size ||
uparams.out_len > info.max_dec_size)
return -EINVAL;
+
+ params->out_len = info.max_dec_size;
break;
case KEYCTL_PKEY_SIGN:
if (uparams.in_len > info.max_data_size ||
uparams.out_len > info.max_sig_size)
return -EINVAL;
+
+ params->out_len = info.max_sig_size;
break;
case KEYCTL_PKEY_VERIFY:
if (uparams.in_len > info.max_data_size ||
uparams.in2_len > info.max_sig_size)
return -EINVAL;
+
+ params->out_len = info.max_sig_size;
break;
default:
BUG();
}
params->in_len = uparams.in_len;
- params->out_len = uparams.out_len; /* Note: same as in2_len */
return 0;
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 046/120] keys: Pin request_key_auth payload in instantiate paths
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 045/120] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 047/120] userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing Greg Kroah-Hartman
` (79 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shaomin Chen, Jarkko Sakkinen
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shaomin Chen <eeesssooo020@gmail.com>
commit fd15b457a86939c38aa12116adabd8ff686c5e51 upstream.
A: request_key() B: KEYCTL_INSTANTIATE_IOV
================ =========================
create auth key
store rka in auth key
wait for helper
get auth key
load rka from auth key
copy user payload
sleep on #PF
helper completed
detach and free rka
destroy auth key
wake up
use rka->target_key
**USE-AFTER-FREE**
Give request_key_auth payloads a refcount. Take a payload reference while
authkey->sem stabilizes the payload and revocation state. Hold that
reference across the instantiate and reject paths. Drop the auth key
owning reference from revoke and destroy.
[jarkko: Replaced the first two paragraphs of text with an actual
concurrency scenario.]
Cc: stable@vger.kernel.org # v5.10+
Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys")
Reported-by: Shaomin Chen <eeesssooo020@gmail.com>
Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com
Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/keys/request_key_auth-type.h | 2 ++
security/keys/internal.h | 2 ++
security/keys/keyctl.c | 24 ++++++++++++++++++------
security/keys/request_key_auth.c | 33 +++++++++++++++++++++++++++++++--
4 files changed, 53 insertions(+), 8 deletions(-)
--- a/include/keys/request_key_auth-type.h
+++ b/include/keys/request_key_auth-type.h
@@ -9,12 +9,14 @@
#define _KEYS_REQUEST_KEY_AUTH_TYPE_H
#include <linux/key.h>
+#include <linux/refcount.h>
/*
* Authorisation record for request_key().
*/
struct request_key_auth {
struct rcu_head rcu;
+ refcount_t usage;
struct key *target_key;
struct key *dest_keyring;
const struct cred *cred;
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -208,6 +208,8 @@ extern struct key *request_key_auth_new(
const void *callout_info,
size_t callout_len,
struct key *dest_keyring);
+struct request_key_auth *request_key_auth_get(struct key *authkey);
+void request_key_auth_put(struct request_key_auth *rka);
extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -1197,9 +1197,13 @@ static long keyctl_instantiate_key_commo
if (!instkey)
goto error;
- rka = instkey->payload.data[0];
- if (rka->target_key->serial != id)
+ rka = request_key_auth_get(instkey);
+ if (!rka) {
+ ret = -EKEYREVOKED;
goto error;
+ }
+ if (rka->target_key->serial != id)
+ goto error_put_rka;
/* pull the payload in if one was supplied */
payload = NULL;
@@ -1208,7 +1212,7 @@ static long keyctl_instantiate_key_commo
ret = -ENOMEM;
payload = kvmalloc(plen, GFP_KERNEL);
if (!payload)
- goto error;
+ goto error_put_rka;
ret = -EFAULT;
if (!copy_from_iter_full(payload, plen, from))
@@ -1234,6 +1238,8 @@ static long keyctl_instantiate_key_commo
error2:
kvfree_sensitive(payload, plen);
+error_put_rka:
+ request_key_auth_put(rka);
error:
return ret;
}
@@ -1358,15 +1364,19 @@ long keyctl_reject_key(key_serial_t id,
if (!instkey)
goto error;
- rka = instkey->payload.data[0];
- if (rka->target_key->serial != id)
+ rka = request_key_auth_get(instkey);
+ if (!rka) {
+ ret = -EKEYREVOKED;
goto error;
+ }
+ if (rka->target_key->serial != id)
+ goto error_put_rka;
/* find the destination keyring if present (which must also be
* writable) */
ret = get_instantiation_keyring(ringid, rka, &dest_keyring);
if (ret < 0)
- goto error;
+ goto error_put_rka;
/* instantiate the key and link it into a keyring */
ret = key_reject_and_link(rka->target_key, timeout, error,
@@ -1379,6 +1389,8 @@ long keyctl_reject_key(key_serial_t id,
if (ret == 0)
keyctl_change_reqkey_auth(NULL);
+error_put_rka:
+ request_key_auth_put(rka);
error:
return ret;
}
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -23,6 +23,7 @@ static void request_key_auth_describe(co
static void request_key_auth_revoke(struct key *);
static void request_key_auth_destroy(struct key *);
static long request_key_auth_read(const struct key *, char *, size_t);
+static void request_key_auth_rcu_disposal(struct rcu_head *);
/*
* The request-key authorisation key type definition.
@@ -116,6 +117,31 @@ static void free_request_key_auth(struct
}
/*
+ * Take a reference to the request-key authorisation payload so callers can
+ * drop authkey->sem before doing operations that may sleep.
+ */
+struct request_key_auth *request_key_auth_get(struct key *authkey)
+{
+ struct request_key_auth *rka;
+
+ down_read(&authkey->sem);
+ rka = dereference_key_locked(authkey);
+ if (rka && !test_bit(KEY_FLAG_REVOKED, &authkey->flags))
+ refcount_inc(&rka->usage);
+ else
+ rka = NULL;
+ up_read(&authkey->sem);
+
+ return rka;
+}
+
+void request_key_auth_put(struct request_key_auth *rka)
+{
+ if (rka && refcount_dec_and_test(&rka->usage))
+ call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+}
+
+/*
* Dispose of the request_key_auth record under RCU conditions
*/
static void request_key_auth_rcu_disposal(struct rcu_head *rcu)
@@ -136,8 +162,10 @@ static void request_key_auth_revoke(stru
struct request_key_auth *rka = dereference_key_locked(key);
kenter("{%d}", key->serial);
+ if (!rka)
+ return;
rcu_assign_keypointer(key, NULL);
- call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+ request_key_auth_put(rka);
}
/*
@@ -150,7 +178,7 @@ static void request_key_auth_destroy(str
kenter("{%d}", key->serial);
if (rka) {
rcu_assign_keypointer(key, NULL);
- call_rcu(&rka->rcu, request_key_auth_rcu_disposal);
+ request_key_auth_put(rka);
}
}
@@ -174,6 +202,7 @@ struct key *request_key_auth_new(struct
rka = kzalloc_obj(*rka);
if (!rka)
goto error;
+ refcount_set(&rka->usage, 1);
rka->callout_info = kmemdup(callout_info, callout_len, GFP_KERNEL);
if (!rka->callout_info)
goto error_free_rka;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 047/120] userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 046/120] keys: Pin request_key_auth payload in instantiate paths Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 048/120] userfaultfd: build __VMA_UFFD_FLAGS from config-gated masks Greg Kroah-Hartman
` (78 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Rapoport (Microsoft),
David Hildenbrand (Arm), Al Viro, Christian Brauner, Jan Kara,
Peter Xu, Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Rapoport (Microsoft) <rppt@kernel.org>
commit 0496a59745b0723ea74274db16fd5c8b1379b9a9 upstream.
Sashiko says:
mremap_userfaultfd_prep() increments ctx->mmap_changing to stall
concurrent operations, but mremap_userfaultfd_fail() does not
decrement it before dropping the context reference.
If an mremap operation fails, ctx->mmap_changing remains elevated. This
will causes subsequent userfaultfd operations like a UFFDIO_COPY to fail
with -EAGAIN.
Decrement ctx->mmap_changing in mremap_userfaultfd_fail().
Link: https://sashiko.dev/#/patchset/20260430113512.115938-1-rppt@kernel.org
Link: https://lore.kernel.org/20260513081416.495963-1-rppt@kernel.org
Fixes: df2cc96e7701 ("userfaultfd: prevent non-cooperative events vs mcopy_atomic races")
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Reviewed-by: David Hildenbrand (Arm) <david@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Peter Xu <peterx@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/userfaultfd.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -786,6 +786,8 @@ void mremap_userfaultfd_fail(struct vm_u
if (!ctx)
return;
+ atomic_dec(&ctx->mmap_changing);
+ VM_WARN_ON_ONCE(atomic_read(&ctx->mmap_changing) < 0);
userfaultfd_ctx_put(ctx);
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 048/120] userfaultfd: build __VMA_UFFD_FLAGS from config-gated masks
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 047/120] userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 049/120] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
` (77 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kiryl Shutsemau, Sashiko AI review,
Lorenzo Stoakes, David Hildenbrand, Michal Hocko, Mike Rapoport,
Peter Xu, Suren Baghdasaryan, Vlastimil Babka, Balbir Singh,
Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kiryl Shutsemau (Meta) <kas@kernel.org>
commit cc7a9f6e57c4f71e8e1fee3274b1ae8770f2a743 upstream.
The VMA flags bitmap is a single word today: NUM_VMA_FLAG_BITS is
BITS_PER_LONG, so on 32-bit vma_flags_t holds only 32 bits. (The bitmap
type exists so this can grow past BITS_PER_LONG later; until it does,
anything declared above the first word is out of range on 32-bit.) The bit
enum nevertheless declares some bits unconditionally above BITS_PER_LONG
-- VMA_UFFD_MINOR_BIT is 41, with VM_UFFD_MINOR == VM_NONE on 32-bit so no
VMA actually carries the bit.
__VMA_UFFD_FLAGS feeds VMA_UFFD_MINOR_BIT to mk_vma_flags()
unconditionally. On 32-bit that becomes __set_bit(41, &one_long), a write
one word past the end of the single-word bitmap. The compiler folds the
out-of-bounds store with wraparound (1UL << (41 % 32) == bit 9) into the
first word; bit 9 is already in __VMA_UFFD_FLAGS so the mask happens to
come out right today, but it is an out-of-bounds write all the same, and
any high-numbered bit whose mod-BITS_PER_LONG position is otherwise unused
would silently OR an extra bit into the mask.
Rather than feed bit numbers that may not exist on the current build to
mk_vma_flags(), build the mask from whole per-mode masks that collapse to
EMPTY_VMA_FLAGS when their feature is unavailable. Add
mk_vma_flags_from_masks() for that, and define VMA_UFFD_MISSING / _WP /
_MINOR alongside the VM_UFFD_* flags, gating VMA_UFFD_MINOR on the same
config as VM_UFFD_MINOR (which implies 64BIT, where bit 41 fits). An
out-of-range bit is then never materialised, on any arch, and the in-range
fast path stays a compile-time constant.
Link: https://lore.kernel.org/20260529172331.356655-7-kas@kernel.org
Fixes: 9ea35a25d51b ("mm: introduce VMA flags bitmap type")
Signed-off-by: Kiryl Shutsemau <kas@kernel.org>
Reported-by: Sashiko AI review <sashiko-bot@kernel.org>
Suggested-by: Lorenzo Stoakes <ljs@kernel.org>
Reviewed-by: Lorenzo Stoakes <ljs@kernel.org>
Assisted-by: Claude:claude-opus-4-8
Cc: David Hildenbrand <david@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Peter Xu <peterx@redhat.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: Balbir Singh <balbirs@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mm.h | 39 +++++++++++++++++++++++++++++++++++++++
include/linux/userfaultfd_k.h | 4 ++--
2 files changed, 41 insertions(+), 2 deletions(-)
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -496,6 +496,21 @@ enum {
#else
#define VM_UFFD_MINOR VM_NONE
#endif
+
+/*
+ * vma_flags_t masks for the userfaultfd VMA flags. VMA_UFFD_MINOR is gated on
+ * the same config as VM_UFFD_MINOR -- which implies 64BIT, where the bit fits
+ * -- so an out-of-range bit is never fed to mk_vma_flags() on a build whose
+ * bitmap cannot hold it.
+ */
+#define VMA_UFFD_MISSING mk_vma_flags(VMA_UFFD_MISSING_BIT)
+#define VMA_UFFD_WP mk_vma_flags(VMA_UFFD_WP_BIT)
+#ifdef CONFIG_HAVE_ARCH_USERFAULTFD_MINOR
+#define VMA_UFFD_MINOR mk_vma_flags(VMA_UFFD_MINOR_BIT)
+#else
+#define VMA_UFFD_MINOR EMPTY_VMA_FLAGS
+#endif
+
#ifdef CONFIG_64BIT
#define VM_ALLOW_ANY_UNCACHED INIT_VM_FLAG(ALLOW_ANY_UNCACHED)
#define VM_SEALED INIT_VM_FLAG(SEALED)
@@ -1238,6 +1253,30 @@ static __always_inline void vma_flags_se
#define vma_flags_set(flags, ...) \
vma_flags_set_mask(flags, mk_vma_flags(__VA_ARGS__))
+static __always_inline vma_flags_t __mk_vma_flags_from_masks(size_t count,
+ const vma_flags_t *masks)
+{
+ vma_flags_t flags = EMPTY_VMA_FLAGS;
+ size_t i;
+
+ for (i = 0; i < count; i++)
+ vma_flags_set_mask(&flags, masks[i]);
+ return flags;
+}
+
+/*
+ * Combine pre-computed vma_flags_t masks into one value, e.g.:
+ *
+ * vma_flags_t flags = mk_vma_flags_from_masks(VMA_UFFD_WP, VMA_UFFD_MINOR);
+ *
+ * Unlike mk_vma_flags(), which takes bit numbers, this takes whole masks --
+ * each of which may be EMPTY_VMA_FLAGS when its feature is unavailable -- so a
+ * bit that does not exist on the current build is never materialised.
+ */
+#define mk_vma_flags_from_masks(...) \
+ __mk_vma_flags_from_masks(COUNT_ARGS(__VA_ARGS__), \
+ (const vma_flags_t []){__VA_ARGS__})
+
/* Clear all of the to-clear flags in flags, non-atomically. */
static __always_inline void vma_flags_clear_mask(vma_flags_t *flags,
vma_flags_t to_clear)
--- a/include/linux/userfaultfd_k.h
+++ b/include/linux/userfaultfd_k.h
@@ -23,8 +23,8 @@
/* The set of all possible UFFD-related VM flags. */
#define __VM_UFFD_FLAGS (VM_UFFD_MISSING | VM_UFFD_WP | VM_UFFD_MINOR)
-#define __VMA_UFFD_FLAGS mk_vma_flags(VMA_UFFD_MISSING_BIT, VMA_UFFD_WP_BIT, \
- VMA_UFFD_MINOR_BIT)
+#define __VMA_UFFD_FLAGS mk_vma_flags_from_masks(VMA_UFFD_MISSING, VMA_UFFD_WP, \
+ VMA_UFFD_MINOR)
/*
* CAREFUL: Check include/uapi/asm-generic/fcntl.h when defining
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 049/120] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 048/120] userfaultfd: build __VMA_UFFD_FLAGS from config-gated masks Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 050/120] wifi: mt76: mt7925: dont disable AP BSS when removing TDLS peer Greg Kroah-Hartman
` (76 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zenm Chen, Lorenzo Bianconi,
Felix Fietkau
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zenm Chen <zenmchen@gmail.com>
commit f4ce0664e9f0387873b181777891741c33e19465 upstream.
Add the ID 056e:400a to the table to support an additional MT7612U
adapter: ELECOM WDC-867SU3S.
Compile tested only.
Cc: stable@vger.kernel.org # 5.10.x
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260407154430.9184-1-zenmchen@gmail.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
@@ -16,6 +16,7 @@ static const struct usb_device_id mt76x2
{ USB_DEVICE(0x0e8d, 0x7612) }, /* Aukey USBAC1200 - Alfa AWUS036ACM */
{ USB_DEVICE(0x057c, 0x8503) }, /* Avm FRITZ!WLAN AC860 */
{ USB_DEVICE(0x7392, 0xb711) }, /* Edimax EW 7722 UAC */
+ { USB_DEVICE(0x056e, 0x400a) }, /* ELECOM WDC-867SU3S */
{ USB_DEVICE(0x0e8d, 0x7632) }, /* HC-M7662BU1 */
{ USB_DEVICE(0x0471, 0x2126) }, /* LiteOn WN4516R module, nonstandard USB connector */
{ USB_DEVICE(0x0471, 0x7600) }, /* LiteOn WN4519R module, nonstandard USB connector */
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 050/120] wifi: mt76: mt7925: dont disable AP BSS when removing TDLS peer
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 049/120] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 051/120] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
` (75 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ElXreno, Felix Fietkau
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: ElXreno <elxreno@gmail.com>
commit 37d65384aa6f9cbe45f4052b13b378af1aab3e95 upstream.
On a STATION vif, removing a TDLS peer takes the mt7925_mac_sta_remove
-> mt7925_mac_sta_remove_links path. The first loop in that function
calls mt7925_mcu_add_bss_info(..., enable=false) for every link of the
station being removed. For a non-MLO STATION vif there is exactly one
link, link 0, whose bss_conf is the AP's. TDLS peers do not have their
own bss_conf - they share the AP's BSS.
The result is that every TDLS peer teardown sends a BSS_INFO_UPDATE
with enable=0 for the AP's BSS to the firmware, which wipes the AP-side
rate-control context. The connection stays associated and TX from the
host still works at the negotiated rate, but the AP's downlink to us
collapses to the lowest mandatory OFDM rate (HE-MCS 0 / 6 Mbit/s OFDM)
and only slowly recovers as rate adaptation re-learns under sustained
traffic. With brief or bursty traffic the link can stay at 6-72 Mbit/s
indefinitely, requiring a manual reconnect.
mt7925_mac_link_sta_remove() already guards its own
mt7925_mcu_add_bss_info(..., false) call with
"vif->type == NL80211_IFTYPE_STATION && !link_sta->sta->tdls".
Add the equivalent guard at the top of the cleanup loop in
mt7925_mac_sta_remove_links(), above the link_sta / link_conf /
mlink / mconf lookups, so TDLS peer teardown skips the loop body
entirely without doing the per-link work that would just be thrown
away.
Verified on mt7925e by triggering Samsung-S938B auto-TDLS via iperf3
and watching iw rx bitrate after teardown:
Before: rx bitrate collapses to 6.0-72.0 Mbit/s, oscillates 17/72/
137/288/432 Mbit/s for 30+ seconds, no full recovery without
a manual reassoc.
After: rx bitrate stays at 1200.9 Mbit/s HE-MCS 11 NSS 2 80 MHz
across the entire TDLS lifecycle.
bpftrace confirms a single mt7925_mcu_add_bss_info(enable=0) call per
teardown before the fix; zero such calls after.
Fixes: 3878b4333602 ("wifi: mt76: mt7925: update mt7925_mac_link_sta_[add, assoc, remove] for MLO")
Cc: stable@vger.kernel.org
Signed-off-by: ElXreno <elxreno@gmail.com>
Assisted-by: Claude:claude-opus-4-7 bpftrace
Link: https://patch.msgid.link/20260506-mt7925-tdls-fixes-v2-2-46aa826ba8bb@gmail.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/main.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
@@ -1265,6 +1265,9 @@ mt7925_mac_sta_remove_links(struct mt792
if (vif->type == NL80211_IFTYPE_AP)
break;
+ if (vif->type == NL80211_IFTYPE_STATION && sta->tdls)
+ continue;
+
link_sta = mt792x_sta_to_link_sta(vif, sta, link_id);
if (!link_sta)
continue;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 051/120] wifi: ath11k: fix warning when unbinding
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 050/120] wifi: mt76: mt7925: dont disable AP BSS when removing TDLS peer Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 052/120] wifi: rtl8xxxu: Detect the maximum supported channel width Greg Kroah-Hartman
` (74 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jose Ignacio Tornos Martinez,
Baochen Qiang, Rameshkumar Sundaram, Jeff Johnson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
commit 8b7a26b6681922a38cd5a7829ace61f8e54df9b7 upstream.
If there is an error during some initialization related to firmware,
the buffers dp->tx_ring[i].tx_status are released.
However this is released again when the device is unbinded (ath11k_pci),
and we get:
WARNING: CPU: 0 PID: 6231 at mm/slub.c:4368 free_large_kmalloc+0x57/0x90
Call Trace:
free_large_kmalloc
ath11k_dp_free
ath11k_core_deinit
ath11k_pci_remove
...
The issue is always reproducible from a VM because the MSI addressing
initialization is failing.
In order to fix the issue, just set the buffers to NULL after releasing in
order to avoid the double free.
Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Cc: stable@vger.kernel.org
Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Link: https://patch.msgid.link/20260420110130.509670-1-jtornosm@redhat.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath11k/dp.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/wireless/ath/ath11k/dp.c
+++ b/drivers/net/wireless/ath/ath11k/dp.c
@@ -1040,6 +1040,7 @@ void ath11k_dp_free(struct ath11k_base *
idr_destroy(&dp->tx_ring[i].txbuf_idr);
spin_unlock_bh(&dp->tx_ring[i].tx_idr_lock);
kfree(dp->tx_ring[i].tx_status);
+ dp->tx_ring[i].tx_status = NULL;
}
/* Deinit any SOC level resource */
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 052/120] wifi: rtl8xxxu: Detect the maximum supported channel width
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 051/120] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 053/120] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
` (73 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Ping-Ke Shih
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
commit ef771eabc79d5f21b63689cca0e0fa5493fa0a8a upstream.
Some devices malfunction when connected to a network with 40 MHz channel
width, because they don't support that.
RTL8188FU, RTL8192FU, and RTL8710BU (RTL8188GU) have a way to signal
this (and some other capabilities) to the driver. Get this information
from the hardware and advertise 40 MHz support only when the hardware
can handle it. We assume the other chips can always handle it.
RTL8710BU needs a different way to retrieve this information, which will
be implemented some other time.
Fixes: dbf9b7bb0edf ("wifi: rtl8xxxu: Enable 40 MHz width by default")
Cc: stable@vger.kernel.org
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221394
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/c57de68e-5d57-4c26-898f-8a284bb25381@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtl8xxxu/8188e.c | 1
drivers/net/wireless/realtek/rtl8xxxu/8188f.c | 1
drivers/net/wireless/realtek/rtl8xxxu/8192c.c | 1
drivers/net/wireless/realtek/rtl8xxxu/8192e.c | 1
drivers/net/wireless/realtek/rtl8xxxu/8192f.c | 1
drivers/net/wireless/realtek/rtl8xxxu/8710b.c | 1
drivers/net/wireless/realtek/rtl8xxxu/8723a.c | 1
drivers/net/wireless/realtek/rtl8xxxu/8723b.c | 1
drivers/net/wireless/realtek/rtl8xxxu/core.c | 64 +++++++++++++++++++++--
drivers/net/wireless/realtek/rtl8xxxu/regs.h | 2
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 7 ++
11 files changed, 76 insertions(+), 5 deletions(-)
--- a/drivers/net/wireless/realtek/rtl8xxxu/8188e.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/8188e.c
@@ -1866,6 +1866,7 @@ struct rtl8xxxu_fileops rtl8188eu_fops =
.has_tx_report = 1,
.init_reg_pkt_life_time = 1,
.gen2_thermal_meter = 1,
+ .hw_feature_report = 0,
.max_sec_cam_num = 32,
.adda_1t_init = 0x0b1b25a0,
.adda_1t_path_on = 0x0bdb25a0,
--- a/drivers/net/wireless/realtek/rtl8xxxu/8188f.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/8188f.c
@@ -1745,6 +1745,7 @@ struct rtl8xxxu_fileops rtl8188fu_fops =
.init_reg_rxfltmap = 1,
.init_reg_pkt_life_time = 1,
.init_reg_hmtfr = 1,
+ .hw_feature_report = 1,
.ampdu_max_time = 0x70,
.ustime_tsf_edca = 0x28,
.max_aggr_num = 0x0c14,
--- a/drivers/net/wireless/realtek/rtl8xxxu/8192c.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/8192c.c
@@ -723,6 +723,7 @@ struct rtl8xxxu_fileops rtl8192cu_fops =
.tx_desc_size = sizeof(struct rtl8xxxu_txdesc32),
.rx_desc_size = sizeof(struct rtl8xxxu_rxdesc16),
.supports_ap = 1,
+ .hw_feature_report = 0,
.max_macid_num = 32,
.max_sec_cam_num = 32,
.adda_1t_init = 0x0b1b25a0,
--- a/drivers/net/wireless/realtek/rtl8xxxu/8192e.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/8192e.c
@@ -1751,6 +1751,7 @@ struct rtl8xxxu_fileops rtl8192eu_fops =
.has_s0s1 = 0,
.gen2_thermal_meter = 1,
.needs_full_init = 1,
+ .hw_feature_report = 0,
.supports_ap = 1,
.max_macid_num = 128,
.max_sec_cam_num = 64,
--- a/drivers/net/wireless/realtek/rtl8xxxu/8192f.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/8192f.c
@@ -2074,6 +2074,7 @@ struct rtl8xxxu_fileops rtl8192fu_fops =
.init_reg_rxfltmap = 1,
.init_reg_pkt_life_time = 1,
.init_reg_hmtfr = 1,
+ .hw_feature_report = 1,
.ampdu_max_time = 0x5e,
.ustime_tsf_edca = 0x50,
.max_aggr_num = 0x1f1f,
--- a/drivers/net/wireless/realtek/rtl8xxxu/8710b.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/8710b.c
@@ -1852,6 +1852,7 @@ struct rtl8xxxu_fileops rtl8710bu_fops =
.init_reg_rxfltmap = 1,
.init_reg_pkt_life_time = 1,
.init_reg_hmtfr = 1,
+ .hw_feature_report = 0, /* TODO, it's different */
.ampdu_max_time = 0x5e,
/*
* The RTL8710BU vendor driver uses 0x50 here and it works fine,
--- a/drivers/net/wireless/realtek/rtl8xxxu/8723a.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/8723a.c
@@ -632,6 +632,7 @@ struct rtl8xxxu_fileops rtl8723au_fops =
.rx_agg_buf_size = 16000,
.tx_desc_size = sizeof(struct rtl8xxxu_txdesc32),
.rx_desc_size = sizeof(struct rtl8xxxu_rxdesc16),
+ .hw_feature_report = 0,
.max_sec_cam_num = 32,
.adda_1t_init = 0x0b1b25a0,
.adda_1t_path_on = 0x0bdb25a0,
--- a/drivers/net/wireless/realtek/rtl8xxxu/8723b.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/8723b.c
@@ -1746,6 +1746,7 @@ struct rtl8xxxu_fileops rtl8723bu_fops =
.gen2_thermal_meter = 1,
.needs_full_init = 1,
.init_reg_hmtfr = 1,
+ .hw_feature_report = 0,
.ampdu_max_time = 0x5e,
.ustime_tsf_edca = 0x50,
.max_aggr_num = 0x0c14,
--- a/drivers/net/wireless/realtek/rtl8xxxu/core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/core.c
@@ -14,6 +14,7 @@
*/
#include <linux/firmware.h>
+#include <linux/iopoll.h>
#include "regs.h"
#include "rtl8xxxu.h"
@@ -3915,6 +3916,46 @@ static inline u8 rtl8xxxu_get_macid(stru
return sta_info->macid;
}
+static void rtl8xxxu_request_hw_feature(struct rtl8xxxu_priv *priv)
+{
+ if (!priv->fops->hw_feature_report)
+ return;
+
+ rtl8xxxu_write8(priv, REG_C2HEVT_MSG_NORMAL, C2H_HW_FEATURE_DUMP);
+}
+
+static int rtl8xxxu_dump_hw_feature(struct rtl8xxxu_priv *priv)
+{
+ static const u8 bw_map[8] = { 0, 0, 160, 5, 10, 20, 40, 80 };
+ struct rtl8xxxu_hw_feature *hw_feature = &priv->hw_feature;
+ u8 feature[13];
+ int i, ret;
+ u8 id, bw;
+
+ if (!priv->fops->hw_feature_report) {
+ hw_feature->max_bw = 40;
+ return 0;
+ }
+
+ ret = read_poll_timeout(rtl8xxxu_read8, id,
+ id == C2H_HW_FEATURE_REPORT,
+ 10000, 800000, false,
+ priv, REG_C2HEVT_MSG_NORMAL);
+ if (ret)
+ return ret;
+
+ for (i = 0; i < ARRAY_SIZE(feature); i++)
+ feature[i] = rtl8xxxu_read8(priv, REG_C2HEVT_MSG_NORMAL + 2 + i);
+
+ rtl8xxxu_write8(priv, REG_C2HEVT_MSG_NORMAL, 0);
+
+ bw = u8_get_bits(feature[6], GENMASK(2, 0));
+
+ hw_feature->max_bw = bw_map[bw];
+
+ return 0;
+}
+
static int rtl8xxxu_init_device(struct ieee80211_hw *hw)
{
struct rtl8xxxu_priv *priv = hw->priv;
@@ -3961,6 +4002,8 @@ static int rtl8xxxu_init_device(struct i
*/
rtl8xxxu_write16(priv, REG_TRXFF_BNDY + 2, fops->trxff_boundary);
+ rtl8xxxu_request_hw_feature(priv);
+
for (int retry = 5; retry >= 0 ; retry--) {
ret = rtl8xxxu_download_firmware(priv);
dev_dbg(dev, "%s: download_firmware %i\n", __func__, ret);
@@ -3976,6 +4019,12 @@ static int rtl8xxxu_init_device(struct i
if (ret)
goto exit;
+ ret = rtl8xxxu_dump_hw_feature(priv);
+ if (ret) {
+ dev_err(dev, "failed to dump hw feature\n");
+ goto exit;
+ }
+
if (fops->phy_init_antenna_selection)
fops->phy_init_antenna_selection(priv);
@@ -7835,15 +7884,20 @@ static int rtl8xxxu_probe(struct usb_int
sband->ht_cap.ht_supported = true;
sband->ht_cap.ampdu_factor = IEEE80211_HT_MAX_AMPDU_64K;
sband->ht_cap.ampdu_density = IEEE80211_HT_MPDU_DENSITY_16;
- sband->ht_cap.cap = IEEE80211_HT_CAP_SGI_20 | IEEE80211_HT_CAP_SGI_40 |
- IEEE80211_HT_CAP_SUP_WIDTH_20_40;
+ sband->ht_cap.cap = IEEE80211_HT_CAP_SGI_20;
+
+ if (priv->hw_feature.max_bw >= 40) {
+ sband->ht_cap.cap |= IEEE80211_HT_CAP_SGI_40;
+ sband->ht_cap.cap |= IEEE80211_HT_CAP_SUP_WIDTH_20_40;
+ } else {
+ dev_info(&udev->dev, "hardware doesn't support HT40\n");
+ }
+
memset(&sband->ht_cap.mcs, 0, sizeof(sband->ht_cap.mcs));
sband->ht_cap.mcs.rx_mask[0] = 0xff;
sband->ht_cap.mcs.rx_mask[4] = 0x01;
- if (priv->rf_paths > 1) {
+ if (priv->rf_paths > 1)
sband->ht_cap.mcs.rx_mask[1] = 0xff;
- sband->ht_cap.cap |= IEEE80211_HT_CAP_SGI_40;
- }
sband->ht_cap.mcs.tx_params = IEEE80211_HT_MCS_TX_DEFINED;
hw->wiphy->bands[NL80211_BAND_2GHZ] = sband;
--- a/drivers/net/wireless/realtek/rtl8xxxu/regs.h
+++ b/drivers/net/wireless/realtek/rtl8xxxu/regs.h
@@ -447,6 +447,8 @@
/* 8188EU */
#define REG_32K_CTRL 0x0194
#define REG_C2HEVT_MSG_NORMAL 0x01a0
+#define C2H_HW_FEATURE_REPORT 0x19
+#define C2H_HW_FEATURE_DUMP 0xfd
/* 8192EU/8723BU/8812 */
#define REG_C2HEVT_CMD_ID_8723B 0x01ae
#define REG_C2HEVT_CLEAR 0x01af
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
@@ -1789,11 +1789,17 @@ struct rtl8xxxu_cfo_tracking {
#define RTL8XXXU_BC_MC_MACID1 1
#define RTL8XXXU_MAX_SEC_CAM_NUM 64
+struct rtl8xxxu_hw_feature {
+ u8 max_bw;
+};
+
struct rtl8xxxu_priv {
struct ieee80211_hw *hw;
struct usb_device *udev;
struct rtl8xxxu_fileops *fops;
+ struct rtl8xxxu_hw_feature hw_feature;
+
spinlock_t tx_urb_lock;
struct list_head tx_urb_free_list;
int tx_urb_free_count;
@@ -2009,6 +2015,7 @@ struct rtl8xxxu_fileops {
u8 init_reg_pkt_life_time:1;
u8 init_reg_hmtfr:1;
u8 supports_concurrent:1;
+ u8 hw_feature_report:1;
u8 ampdu_max_time;
u8 ustime_tsf_edca;
u16 max_aggr_num;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 053/120] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 052/120] wifi: rtl8xxxu: Detect the maximum supported channel width Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 054/120] wifi: rtw88: increase TX report timeout to fix race condition Greg Kroah-Hartman
` (72 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Ping-Ke Shih
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
commit 83d38df6929118c3f996b9e3351c2d5014073d87 upstream.
Bit 28 of double word 2 in the RX descriptor indicates if the packet is
a normal 802.11 frame, or a message from the wifi firmware to the
driver (Card 2 Host).
Commit f5678bfe1cdc ("rtlwifi: rtl8821ae: Replace local bit manipulation
macros") mistakenly made the driver look for this bit in double word 1,
causing packet loss and Bluetooth coexistence problems.
Fixes: f5678bfe1cdc ("rtlwifi: rtl8821ae: Replace local bit manipulation macros")
Cc: <stable@vger.kernel.org>
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/04da7398-cedb-425a-a810-5772ab10139d@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtlwifi/rtl8821ae/trx.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/trx.h
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/trx.h
@@ -291,7 +291,7 @@ static inline int get_rx_desc_paggr(__le
static inline int get_rx_status_desc_rpt_sel(__le32 *__pdesc)
{
- return le32_get_bits(*(__pdesc + 1), BIT(28));
+ return le32_get_bits(*(__pdesc + 2), BIT(28));
}
static inline int get_rx_desc_rxmcs(__le32 *__pdesc)
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 054/120] wifi: rtw88: increase TX report timeout to fix race condition
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 053/120] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 055/120] wifi: rtw88: usb: fix memory leaks on USB write failures Greg Kroah-Hartman
` (71 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ping-Ke Shih, Luka Gejak
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luka Gejak <luka.gejak@linux.dev>
commit c80788f7c5aed8d420366b821f867a8a353d83a5 upstream.
The driver expects the firmware to report TX status within 500ms.
However, a timeout can be triggered when the hardware performs
background scans while under TX load. During these scans, the firmware
stays off-channel for periods exceeding 500ms, delaying the delivery of
TX reports back to the driver.
When this occurs, the purge timer fires prematurely and drops the
tracking skbs from the queue. This results in the host stack
interpreting the missing status as packet loss, leading to TCP window
collapse. In testing with iperf3, this causes throughput to drop from
~90 Mbps to near-zero for approximately 2 seconds until the connection
recovers.
Increase RTW_TX_PROBE_TIMEOUT to 2500ms for RTL8723DU. This duration is
sufficient to accommodate off-channel dwell time during full background
scans, ensuring the purge timer only trips during genuine firmware
lockups and preventing unnecessary TCP retransmission cycles.
Fixes: a82dfd33d123 ("wifi: rtw88: Add common USB chip support")
Cc: stable@vger.kernel.org
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Tested-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260518142311.10328-1-luka.gejak@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtw88/tx.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/realtek/rtw88/tx.c
+++ b/drivers/net/wireless/realtek/rtw88/tx.c
@@ -196,6 +196,7 @@ void rtw_tx_report_purge_timer(struct ti
void rtw_tx_report_enqueue(struct rtw_dev *rtwdev, struct sk_buff *skb, u8 sn)
{
struct rtw_tx_report *tx_report = &rtwdev->tx_report;
+ unsigned long timeout = RTW_TX_PROBE_TIMEOUT;
unsigned long flags;
u8 *drv_data;
@@ -207,7 +208,11 @@ void rtw_tx_report_enqueue(struct rtw_de
__skb_queue_tail(&tx_report->queue, skb);
spin_unlock_irqrestore(&tx_report->q_lock, flags);
- mod_timer(&tx_report->purge_timer, jiffies + RTW_TX_PROBE_TIMEOUT);
+ if (rtwdev->chip->id == RTW_CHIP_TYPE_8723D &&
+ rtwdev->hci.type == RTW_HCI_TYPE_USB)
+ timeout = msecs_to_jiffies(2500);
+
+ mod_timer(&tx_report->purge_timer, jiffies + timeout);
}
EXPORT_SYMBOL(rtw_tx_report_enqueue);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 055/120] wifi: rtw88: usb: fix memory leaks on USB write failures
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 054/120] wifi: rtw88: increase TX report timeout to fix race condition Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 056/120] wifi: iwlwifi: mvm: fix race condition in PTP removal Greg Kroah-Hartman
` (70 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ping-Ke Shih, Luka Gejak
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luka Gejak <luka.gejak@linux.dev>
commit 6b964941bbfe6e0f18b1a5e008486dbb62df440a upstream.
When rtw_usb_write_port() fails to submit a USB Request Block (URB)
(e.g., due to device disconnect or ENOMEM), the completion callback is
never executed.
Currently, the driver ignores the return value of rtw_usb_write_port()
in rtw_usb_write_data() and rtw_usb_tx_agg_skb(). Because these
functions rely on the completion callback to free the socket buffers
(skbs) and the transaction control block (txcb), a submission failure
results in:
1. A memory leak of the allocated skb in rtw_usb_write_data().
2. A memory leak of the txcb structure and all aggregated skbs in
rtw_usb_tx_agg_skb().
Fix this by checking the return value of rtw_usb_write_port(). If it
fails, explicitly free the skb in rtw_usb_write_data(), and properly
purge the tx_ack_queue and free the txcb in rtw_usb_tx_agg_skb().
The issue was discovered in practice during device disconnect/reconnect
scenarios and memory pressure conditions. Tested by verifying normal TX
operation continues after the fix without regressions.
Fixes: a82dfd33d123 ("wifi: rtw88: Add common USB chip support")
Cc: stable@vger.kernel.org
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Tested-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Luka Gejak <luka.gejak@linux.dev>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260518142311.10328-2-luka.gejak@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtw88/usb.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/realtek/rtw88/usb.c
+++ b/drivers/net/wireless/realtek/rtw88/usb.c
@@ -399,6 +399,7 @@ static bool rtw_usb_tx_agg_skb(struct rt
int agg_num = 0;
unsigned int align_next = 0;
u8 qsel;
+ int ret;
if (skb_queue_empty(list))
return false;
@@ -456,7 +457,13 @@ queue:
tx_desc = (struct rtw_tx_desc *)skb_head->data;
qsel = le32_get_bits(tx_desc->w1, RTW_TX_DESC_W1_QSEL);
- rtw_usb_write_port(rtwdev, qsel, skb_head, rtw_usb_write_port_tx_complete, txcb);
+ ret = rtw_usb_write_port(rtwdev, qsel, skb_head,
+ rtw_usb_write_port_tx_complete, txcb);
+ if (ret) {
+ ieee80211_purge_tx_queue(rtwdev->hw, &txcb->tx_ack_queue);
+ kfree(txcb);
+ return false;
+ }
return true;
}
@@ -518,8 +525,10 @@ static int rtw_usb_write_data(struct rtw
ret = rtw_usb_write_port(rtwdev, qsel, skb,
rtw_usb_write_port_complete, skb);
- if (unlikely(ret))
+ if (unlikely(ret)) {
rtw_err(rtwdev, "failed to do USB write, ret=%d\n", ret);
+ dev_kfree_skb_any(skb);
+ }
return ret;
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 056/120] wifi: iwlwifi: mvm: fix race condition in PTP removal
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 055/120] wifi: rtw88: usb: fix memory leaks on USB write failures Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 057/120] wifi: iwlwifi: mld: " Greg Kroah-Hartman
` (69 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Vadim Fedorenko,
Junjie Cao, Miri Korenblit
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junjie Cao <junjie.cao@intel.com>
commit 65150c9cc3e06ab54bc4e8134a47f6f5d095a4e3 upstream.
iwl_mvm_ptp_remove() calls cancel_delayed_work_sync() only after
ptp_clock_unregister() and clearing ptp_data state (ptp_clock,
ptp_clock_info, last_gp2).
This creates a race where the delayed work iwl_mvm_ptp_work() can
execute between ptp_clock_unregister() and cancel_delayed_work_sync(),
observing partially cleared PTP state.
Move cancel_delayed_work_sync() before ptp_clock_unregister() to
ensure the delayed work is fully stopped before any PTP cleanup
begins.
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Link: https://patch.msgid.link/20260212125035.1345718-1-junjie.cao@intel.com
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/ptp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ptp.c
@@ -325,11 +325,11 @@ void iwl_mvm_ptp_remove(struct iwl_mvm *
mvm->ptp_data.ptp_clock_info.name,
ptp_clock_index(mvm->ptp_data.ptp_clock));
+ cancel_delayed_work_sync(&mvm->ptp_data.dwork);
ptp_clock_unregister(mvm->ptp_data.ptp_clock);
mvm->ptp_data.ptp_clock = NULL;
memset(&mvm->ptp_data.ptp_clock_info, 0,
sizeof(mvm->ptp_data.ptp_clock_info));
mvm->ptp_data.last_gp2 = 0;
- cancel_delayed_work_sync(&mvm->ptp_data.dwork);
}
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 057/120] wifi: iwlwifi: mld: fix race condition in PTP removal
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 056/120] wifi: iwlwifi: mvm: fix race condition in PTP removal Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 058/120] wifi: iwlwifi: mld: validate sta_mask before ffs() in BA session handlers Greg Kroah-Hartman
` (68 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Vadim Fedorenko,
Junjie Cao, Miri Korenblit
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junjie Cao <junjie.cao@intel.com>
commit e1fc08598aa34b28359831e768076f56632720c1 upstream.
iwl_mld_ptp_remove() calls cancel_delayed_work_sync() only after
ptp_clock_unregister() and clearing ptp_data state (ptp_clock,
last_gp2, wrap_counter).
This creates a race where the delayed work iwl_mld_ptp_work() can
execute between ptp_clock_unregister() and cancel_delayed_work_sync(),
observing partially cleared PTP state.
Move cancel_delayed_work_sync() before ptp_clock_unregister() to
ensure the delayed work is fully stopped before any PTP cleanup
begins.
Cc: stable@vger.kernel.org
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Link: https://patch.msgid.link/20260212125035.1345718-2-junjie.cao@intel.com
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/intel/iwlwifi/mld/ptp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/ptp.c
@@ -321,10 +321,10 @@ void iwl_mld_ptp_remove(struct iwl_mld *
mld->ptp_data.ptp_clock_info.name,
ptp_clock_index(mld->ptp_data.ptp_clock));
+ cancel_delayed_work_sync(&mld->ptp_data.dwork);
ptp_clock_unregister(mld->ptp_data.ptp_clock);
mld->ptp_data.ptp_clock = NULL;
mld->ptp_data.last_gp2 = 0;
mld->ptp_data.wrap_counter = 0;
- cancel_delayed_work_sync(&mld->ptp_data.dwork);
}
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 058/120] wifi: iwlwifi: mld: validate sta_mask before ffs() in BA session handlers
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 057/120] wifi: iwlwifi: mld: " Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 059/120] f2fs: fix missing read bio submission on large folio error Greg Kroah-Hartman
` (67 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Miri Korenblit
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit f056fc2b927448d37eca6b6cacc3d1b0f67b20d2 upstream.
Three BA session handlers use ffs(ba_data->sta_mask) - 1 to derive a
station ID without checking that sta_mask is non-zero. When sta_mask is
zero, ffs() returns 0 and the subtraction wraps to 0xFFFFFFFF, causing
an out-of-bounds access on fw_id_to_link_sta[].
Add WARN_ON_ONCE(!ba_data->sta_mask) guards before each ffs() call,
consistent with the existing check in iwl_mld_ampdu_rx_start().
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB788115C6CE873271A9A15A25AF51A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/intel/iwlwifi/mld/agg.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/net/wireless/intel/iwlwifi/mld/agg.c
+++ b/drivers/net/wireless/intel/iwlwifi/mld/agg.c
@@ -64,6 +64,9 @@ static void iwl_mld_release_frames_from_
}
/* pick any STA ID to find the pointer */
+ if (WARN_ON_ONCE(!ba_data->sta_mask))
+ goto out_unlock;
+
sta_id = ffs(ba_data->sta_mask) - 1;
link_sta = rcu_dereference(mld->fw_id_to_link_sta[sta_id]);
if (WARN_ON_ONCE(IS_ERR_OR_NULL(link_sta) || !link_sta->sta))
@@ -166,6 +169,9 @@ void iwl_mld_del_ba(struct iwl_mld *mld,
goto out_unlock;
/* pick any STA ID to find the pointer */
+ if (WARN_ON_ONCE(!ba_data->sta_mask))
+ goto out_unlock;
+
sta_id = ffs(ba_data->sta_mask) - 1;
link_sta = rcu_dereference(mld->fw_id_to_link_sta[sta_id]);
if (WARN_ON_ONCE(IS_ERR_OR_NULL(link_sta) || !link_sta->sta))
@@ -347,6 +353,9 @@ static void iwl_mld_rx_agg_session_expir
}
/* timer expired, pick any STA ID to find the pointer */
+ if (WARN_ON_ONCE(!ba_data->sta_mask))
+ goto unlock;
+
sta_id = ffs(ba_data->sta_mask) - 1;
link_sta = rcu_dereference(ba_data->mld->fw_id_to_link_sta[sta_id]);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 059/120] f2fs: fix missing read bio submission on large folio error
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 058/120] wifi: iwlwifi: mld: validate sta_mask before ffs() in BA session handlers Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 060/120] f2fs: pass correct iostat type for single node writes Greg Kroah-Hartman
` (66 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wenjie Qi, Chao Yu,
Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenjie Qi <qiwenjie@xiaomi.com>
commit 74c8d2ec95c59a5651ecd975c466998af1961fd4 upstream.
f2fs_read_data_large_folio() can keep a read bio across multiple
readahead folios. If a later folio hits an error before any of its
blocks are added to the bio, folio_in_bio is false and the current error
path returns immediately after ending that folio.
This can leave the bio accumulated for earlier folios unsubmitted. Those
folios then never receive read completion, and readers can wait
indefinitely on the locked folios.
Route errors through the common out path so any pending bio is submitted
before returning. Stop consuming more readahead folios once an error is
seen, and only wait on and clear the current folio when it was actually
added to the bio.
Cc: stable@kernel.org
Fixes: a5d8b9d94e18 ("f2fs: fix to unlock folio in f2fs_read_data_large_folio()")
Signed-off-by: Wenjie Qi <qiwenjie@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/data.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -2495,7 +2495,7 @@ static int f2fs_read_data_large_folio(st
unsigned nrpages;
struct f2fs_folio_state *ffs;
int ret = 0;
- bool folio_in_bio;
+ bool folio_in_bio = false;
if (!IS_IMMUTABLE(inode) || f2fs_compressed_file(inode)) {
if (folio)
@@ -2611,18 +2611,17 @@ submit_and_realloc:
}
trace_f2fs_read_folio(folio, DATA);
err_out:
- if (!folio_in_bio) {
+ if (!folio_in_bio)
folio_end_read(folio, !ret);
- if (ret)
- return ret;
- }
+ if (ret)
+ goto out;
if (rac) {
folio = readahead_folio(rac);
goto next_folio;
}
out:
f2fs_submit_read_bio(F2FS_I_SB(inode), bio, DATA);
- if (ret) {
+ if (ret && folio_in_bio) {
/* Wait bios and clear uptodate. */
folio_lock(folio);
folio_clear_uptodate(folio);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 060/120] f2fs: pass correct iostat type for single node writes
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 059/120] f2fs: fix missing read bio submission on large folio error Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 061/120] f2fs: reject setattr size changes on large folio files Greg Kroah-Hartman
` (65 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wenjie Qi, Chao Yu,
Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenjie Qi <qwjhust@gmail.com>
commit fcb05c26c2a67953b420739b85f49386efc9b6c0 upstream.
f2fs_write_single_node_folio() takes an io_type argument, but still
passes FS_GC_NODE_IO to __write_node_folio() unconditionally.
This was harmless while the helper was only used by
f2fs_move_node_folio(), whose caller passes FS_GC_NODE_IO. However,
commit fe9b8b30b971 ("f2fs: fix inline data not being written to disk
in writeback path") made f2fs_inline_data_fiemap() call the helper with
FS_NODE_IO for FIEMAP_FLAG_SYNC.
Honor the caller supplied io_type so inline-data FIEMAP sync writeback is
accounted as normal node IO instead of GC node IO, while the GC path
continues to pass FS_GC_NODE_IO explicitly.
Cc: stable@kernel.org
Fixes: fe9b8b30b971 ("f2fs: fix inline data not being written to disk in writeback path")
Signed-off-by: Wenjie Qi <qiwenjie@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/node.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -1875,7 +1875,7 @@ int f2fs_write_single_node_folio(struct
}
if (!__write_node_folio(node_folio, false, false, NULL,
- &wbc, false, FS_GC_NODE_IO, NULL))
+ &wbc, false, io_type, NULL))
err = -EAGAIN;
goto release_folio;
out_folio:
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 061/120] f2fs: reject setattr size changes on large folio files
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 060/120] f2fs: pass correct iostat type for single node writes Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 062/120] f2fs: fix to do sanity check on f2fs_get_node_folio_ra() Greg Kroah-Hartman
` (64 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wenjie Qi, Chao Yu,
Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenjie Qi <qwjhust@gmail.com>
commit 242d30bfc0a84b8b5de0a88821b53c9ad7fd31c4 upstream.
F2FS large folios are only enabled for immutable non-compressed files.
Writable open and writable mmap reject such mappings, but truncate(2)
through f2fs_setattr() misses the same guard.
If FS_IMMUTABLE_FL is cleared while the inode is still cached, the mapping
can keep large-folio support and ATTR_SIZE can change i_size. Reject size
changes in that state.
Cc: stable@kernel.org
Fixes: 05e65c14ea59 ("f2fs: support large folio for immutable non-compressed case")
Signed-off-by: Wenjie Qi <qiwenjie@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/file.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index 69aad1060c48..d240ca78a31f 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -1098,6 +1098,8 @@ int f2fs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
return -EPERM;
if ((attr->ia_valid & ATTR_SIZE)) {
+ if (mapping_large_folio_support(inode->i_mapping))
+ return -EOPNOTSUPP;
if (!f2fs_is_compress_backend_ready(inode) ||
IS_DEVICE_ALIASING(inode))
return -EOPNOTSUPP;
--
2.55.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 062/120] f2fs: fix to do sanity check on f2fs_get_node_folio_ra()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 061/120] f2fs: reject setattr size changes on large folio files Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 063/120] f2fs: validate orphan inode entry count Greg Kroah-Hartman
` (63 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+2488d8d751b27f7ce268,
Chao Yu, Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
commit 8712353ed80f87271d732297567dcdbe4b84e8c7 upstream.
kernel BUG at fs/f2fs/file.c:845!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:f2fs_do_truncate_blocks+0x1115/0x1140 fs/f2fs/file.c:845
Code: fc fc 90 0f 0b e8 8b 9d 9a fd 90 0f 0b e8 83 9d 9a fd 48 89 df 48 c7 c6 60 d1 1a 8c e8 54 f1 fc fc 90 0f 0b e8 6c 9d 9a fd 90 <0f> 0b e8 64 9d 9a fd 90 0f 0b 90 e9 93 fd ff ff e8 56 9d 9a fd 90
RSP: 0018:ffffc9000e4474c0 EFLAGS: 00010283
RAX: ffffffff842b1d34 RBX: 0000000000000003 RCX: 0000000000100000
RDX: ffffc9000f03a000 RSI: 0000000000035503 RDI: 0000000000035504
RBP: ffffc9000e447608 R08: ffff8880123b0000 R09: 0000000000000002
R10: 00000000fffffffe R11: 0000000000000002 R12: 0000000000000001
R13: 0000000000000000 R14: 1ffff92001c88ea0 R15: 00000000ffff039c
FS: 00007f7e02ee36c0(0000) GS:ffff88808c887000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff0305c4000 CR3: 0000000012d4c000 CR4: 0000000000352ef0
Call Trace:
<TASK>
f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:882
f2fs_truncate+0x471/0x7c0 fs/f2fs/file.c:940
f2fs_evict_inode+0xa3f/0x1ac0 fs/f2fs/inode.c:907
evict+0x61e/0xb10 fs/inode.c:841
f2fs_fill_super+0x5f43/0x78f0 fs/f2fs/super.c:5224
get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694
vfs_get_tree+0x92/0x2a0 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
do_new_mount_fc fs/namespace.c:3758 [inline]
do_new_mount+0x341/0xd30 fs/namespace.c:3834
do_mount fs/namespace.c:4167 [inline]
__do_sys_mount fs/namespace.c:4383 [inline]
__se_sys_mount+0x31d/0x420 fs/namespace.c:4360
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
count = ADDRS_PER_PAGE(dn.node_folio, inode);
count -= dn.ofs_in_node;
f2fs_bug_on(sbi, count < 0);
The fuzz test will trigger above bug_on in f2fs.
The root cause should be: in the corrupted inode, there is a direct node
which has the same ino and nid in its footer, so in f2fs_do_truncate_blocks(),
after f2fs_get_dnode_of_data() finds such dnode:
1) ADDRS_PER_PAGE(dn.node_folio, inode) will return 923
2) once dn.ofs_in_node points to addr[923, 1017]
Then it will trigger the system panic.
Let's introduce NODE_TYPE_NON_IXNODE to indicate current node should
not be an inode or xattr node, and then use it in below path to detect
inconsistent node chain in inode mapping table:
- f2fs_do_truncate_blocks
- f2fs_get_dnode_of_data
- f2fs_get_node_folio_ra
- __get_node_folio
- f2fs_sanity_check_node_footer
- case NODE_TYPE_NON_IXNODE -> check whether it is inode|xnode
Cc: stable@kernel.org
Reported-by: syzbot+2488d8d751b27f7ce268@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69fa3697.170a0220.59368.0018.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 1 +
fs/f2fs/node.c | 6 +++++-
2 files changed, 6 insertions(+), 1 deletion(-)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1583,6 +1583,7 @@ enum node_type {
NODE_TYPE_INODE,
NODE_TYPE_XATTR,
NODE_TYPE_NON_INODE,
+ NODE_TYPE_NON_IXNODE, /* non inode and xnode */
};
/* a threshold of maximum elapsed time in critical region to print tracepoint */
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -1541,6 +1541,10 @@ int f2fs_sanity_check_node_footer(struct
if (is_inode)
goto out_err;
break;
+ case NODE_TYPE_NON_IXNODE:
+ if (is_inode || is_xnode)
+ goto out_err;
+ break;
default:
break;
}
@@ -1634,7 +1638,7 @@ static struct folio *f2fs_get_node_folio
struct f2fs_sb_info *sbi = F2FS_F_SB(parent);
nid_t nid = get_nid(parent, start, false);
- return __get_node_folio(sbi, nid, parent, start, NODE_TYPE_REGULAR);
+ return __get_node_folio(sbi, nid, parent, start, NODE_TYPE_NON_IXNODE);
}
static void flush_inline_data(struct f2fs_sb_info *sbi, nid_t ino)
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 063/120] f2fs: validate orphan inode entry count
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 062/120] f2fs: fix to do sanity check on f2fs_get_node_folio_ra() Greg Kroah-Hartman
@ 2026-07-02 16:20 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 064/120] f2fs: validate compress cache inode only when enabled Greg Kroah-Hartman
` (62 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:20 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wenjie Qi, Chao Yu,
Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenjie Qi <qwjhust@gmail.com>
commit 846c499a65816d13f1186e3090e825e8bb8bcb8b upstream.
f2fs_recover_orphan_inodes() trusts the orphan block entry_count when
replaying orphan inodes from the checkpoint pack. A corrupted entry_count
larger than F2FS_ORPHANS_PER_BLOCK makes the recovery loop read past the
ino[] array and interpret footer or following data as inode numbers.
On a crafted image, mounting an unpatched kernel can drive orphan recovery
into f2fs_bug_on() and panic the kernel. Validate entry_count before
consuming entries so corrupted checkpoint data fails the mount with
-EFSCORRUPTED and requests fsck instead.
Set ERROR_INCONSISTENT_ORPHAN as well, so the corruption reason can be
recorded in the superblock s_errors[] field. This gives fsck a persistent
hint even though mount-time orphan recovery failure may leave no chance to
persist SBI_NEED_FSCK through a checkpoint.
Cc: stable@kernel.org
Fixes: 127e670abfa7 ("f2fs: add checkpoint operations")
Signed-off-by: Wenjie Qi <qiwenjie@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/checkpoint.c | 14 +++++++++++++-
include/linux/f2fs_fs.h | 1 +
2 files changed, 14 insertions(+), 1 deletion(-)
--- a/fs/f2fs/checkpoint.c
+++ b/fs/f2fs/checkpoint.c
@@ -943,6 +943,7 @@ int f2fs_recover_orphan_inodes(struct f2
for (i = 0; i < orphan_blocks; i++) {
struct folio *folio;
struct f2fs_orphan_block *orphan_blk;
+ unsigned int entry_count;
folio = f2fs_get_meta_folio(sbi, start_blk + i);
if (IS_ERR(folio)) {
@@ -951,7 +952,18 @@ int f2fs_recover_orphan_inodes(struct f2
}
orphan_blk = folio_address(folio);
- for (j = 0; j < le32_to_cpu(orphan_blk->entry_count); j++) {
+ entry_count = le32_to_cpu(orphan_blk->entry_count);
+ if (entry_count > F2FS_ORPHANS_PER_BLOCK) {
+ f2fs_err(sbi, "invalid orphan inode entry count %u",
+ entry_count);
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ f2fs_handle_error(sbi, ERROR_INCONSISTENT_ORPHAN);
+ err = -EFSCORRUPTED;
+ f2fs_folio_put(folio, true);
+ goto out;
+ }
+
+ for (j = 0; j < entry_count; j++) {
nid_t ino = le32_to_cpu(orphan_blk->ino[j]);
err = recover_orphan_inode(sbi, ino);
--- a/include/linux/f2fs_fs.h
+++ b/include/linux/f2fs_fs.h
@@ -107,6 +107,7 @@ enum f2fs_error {
ERROR_CORRUPTED_XATTR,
ERROR_INVALID_NODE_REFERENCE,
ERROR_INCONSISTENT_NAT,
+ ERROR_INCONSISTENT_ORPHAN,
ERROR_MAX,
};
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 064/120] f2fs: validate compress cache inode only when enabled
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-07-02 16:20 ` [PATCH 7.1 063/120] f2fs: validate orphan inode entry count Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 065/120] f2fs: atomic: fix UAF issue on f2fs_inode_info.atomic_inode Greg Kroah-Hartman
` (61 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wenjie Qi, Chao Yu,
Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenjie Qi <qwjhust@gmail.com>
commit 5073c66a96a9c23c0c2533ed4ed06e42f9021208 upstream.
F2FS_COMPRESS_INO() uses NM_I(sbi)->max_nid as the synthetic inode
number for the compressed page cache inode. That inode only exists when
the compress_cache mount option is enabled.
When compress_cache is disabled, max_nid is outside the valid inode
range. A corrupted directory entry that points to ino == max_nid should
therefore be rejected by f2fs_check_nid_range(). However, is_meta_ino()
currently treats F2FS_COMPRESS_INO() as a meta inode unconditionally,
so f2fs_iget() bypasses do_read_inode() and its nid range check, and
instantiates a fake internal inode instead.
Gate the compressed cache inode case on COMPRESS_CACHE, matching
f2fs_init_compress_inode(). With compress_cache disabled, ino ==
max_nid now follows the normal inode path and is rejected as an
out-of-range nid.
Cc: stable@kernel.org
Fixes: 6ce19aff0b8c ("f2fs: compress: add compress_inode to cache compressed blocks")
Signed-off-by: Wenjie Qi <qiwenjie@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/inode.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -561,8 +561,13 @@ static int do_read_inode(struct inode *i
static bool is_meta_ino(struct f2fs_sb_info *sbi, unsigned int ino)
{
- return ino == F2FS_NODE_INO(sbi) || ino == F2FS_META_INO(sbi) ||
- ino == F2FS_COMPRESS_INO(sbi);
+ if (ino == F2FS_NODE_INO(sbi) || ino == F2FS_META_INO(sbi))
+ return true;
+#ifdef CONFIG_F2FS_FS_COMPRESSION
+ if (test_opt(sbi, COMPRESS_CACHE) && ino == F2FS_COMPRESS_INO(sbi))
+ return true;
+#endif
+ return false;
}
struct inode *f2fs_iget(struct super_block *sb, unsigned long ino)
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 065/120] f2fs: atomic: fix UAF issue on f2fs_inode_info.atomic_inode
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 064/120] f2fs: validate compress cache inode only when enabled Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 066/120] f2fs: fix to round down start offset of fallocate for pin file Greg Kroah-Hartman
` (60 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Daeho Jeong, Sunmin Jeong,
Chao Yu, Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
commit e0288584baa5dc41df4a829a023c4c1b33fe53d7 upstream.
- ioctl(F2FS_IOC_GARBAGE_COLLECT_RANGE) - shrink
- f2fs_gc
- gc_data_segment
- ra_data_block(cow_inode)
- mapping = F2FS_I(inode)->atomic_inode->i_mapping
: f2fs_is_cow_file(cow_inode) is true
- f2fs_evict_inode(atomic_inode)
- clear_inode_flag(fi->cow_inode, FI_COW_FILE)
- F2FS_I(fi->cow_inode)->atomic_inode = NULL
...
- truncate_inode_pages_final(atomic_inode)
- f2fs_grab_cache_folio(mapping)
: create folio in atomic_inode->mapping
- clear_inode(atomic_inode)
- BUG_ON(atomic_inode->i_data.nrpages)
We need to add a reference on fi->atomic_inode before using its mapping
field during garbage collection, otherwise, it will cause UAF issue.
Cc: stable@kernel.org
Cc: Daeho Jeong <daehojeong@google.com>
Cc: Sunmin Jeong <s_min.jeong@samsung.com>
Fixes: 3db1de0e582c ("f2fs: change the current atomic write way")
Fixes: f18d00769336 ("f2fs: use meta inode for GC of COW file")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/gc.c | 50 ++++++++++++++++++++++++++++++++++++++++++--------
fs/f2fs/inode.c | 11 ++++++++---
2 files changed, 50 insertions(+), 11 deletions(-)
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1220,8 +1220,8 @@ static bool is_alive(struct f2fs_sb_info
static int ra_data_block(struct inode *inode, pgoff_t index)
{
struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
- struct address_space *mapping = f2fs_is_cow_file(inode) ?
- F2FS_I(inode)->atomic_inode->i_mapping : inode->i_mapping;
+ struct address_space *mapping = inode->i_mapping;
+ struct inode *atomic_inode = NULL;
struct dnode_of_data dn;
struct folio *folio, *efolio;
struct f2fs_io_info fio = {
@@ -1236,9 +1236,22 @@ static int ra_data_block(struct inode *i
};
int err = 0;
+ f2fs_down_read(&F2FS_I(inode)->i_sem);
+ if (f2fs_is_cow_file(inode)) {
+ atomic_inode = igrab(F2FS_I(inode)->atomic_inode);
+ if (!atomic_inode) {
+ f2fs_up_read(&F2FS_I(inode)->i_sem);
+ return -EBUSY;
+ }
+ mapping = atomic_inode->i_mapping;
+ }
+ f2fs_up_read(&F2FS_I(inode)->i_sem);
+
folio = f2fs_grab_cache_folio(mapping, index, true);
- if (IS_ERR(folio))
- return PTR_ERR(folio);
+ if (IS_ERR(folio)) {
+ err = PTR_ERR(folio);
+ goto out_iput;
+ }
if (f2fs_lookup_read_extent_cache_block(inode, index,
&dn.data_blkaddr)) {
@@ -1299,11 +1312,16 @@ got_it:
f2fs_update_iostat(sbi, inode, FS_DATA_READ_IO, F2FS_BLKSIZE);
f2fs_update_iostat(sbi, NULL, FS_GDATA_READ_IO, F2FS_BLKSIZE);
+ if (atomic_inode)
+ iput(atomic_inode);
return 0;
put_encrypted_page:
f2fs_put_page(fio.encrypted_page, true);
put_folio:
f2fs_folio_put(folio, true);
+out_iput:
+ if (atomic_inode)
+ iput(atomic_inode);
return err;
}
@@ -1314,8 +1332,8 @@ put_folio:
static int move_data_block(struct inode *inode, block_t bidx,
int gc_type, unsigned int segno, int off)
{
- struct address_space *mapping = f2fs_is_cow_file(inode) ?
- F2FS_I(inode)->atomic_inode->i_mapping : inode->i_mapping;
+ struct address_space *mapping = inode->i_mapping;
+ struct inode *atomic_inode = NULL;
struct f2fs_io_info fio = {
.sbi = F2FS_I_SB(inode),
.ino = inode->i_ino,
@@ -1337,10 +1355,23 @@ static int move_data_block(struct inode
(fio.sbi->gc_mode != GC_URGENT_HIGH) ?
CURSEG_ALL_DATA_ATGC : CURSEG_COLD_DATA;
+ f2fs_down_read(&F2FS_I(inode)->i_sem);
+ if (f2fs_is_cow_file(inode)) {
+ atomic_inode = igrab(F2FS_I(inode)->atomic_inode);
+ if (!atomic_inode) {
+ f2fs_up_read(&F2FS_I(inode)->i_sem);
+ return -EBUSY;
+ }
+ mapping = atomic_inode->i_mapping;
+ }
+ f2fs_up_read(&F2FS_I(inode)->i_sem);
+
/* do not read out */
folio = f2fs_grab_cache_folio(mapping, bidx, false);
- if (IS_ERR(folio))
- return PTR_ERR(folio);
+ if (IS_ERR(folio)) {
+ err = PTR_ERR(folio);
+ goto out_iput;
+ }
if (!check_valid_map(F2FS_I_SB(inode), segno, off)) {
err = -ENOENT;
@@ -1473,6 +1504,9 @@ out:
folio_unlock(folio);
folio_end_dropbehind(folio);
folio_put(folio);
+out_iput:
+ if (atomic_inode)
+ iput(atomic_inode);
return err;
}
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -863,10 +863,15 @@ void f2fs_evict_inode(struct inode *inod
f2fs_abort_atomic_write(inode, true);
if (fi->cow_inode && f2fs_is_cow_file(fi->cow_inode)) {
- clear_inode_flag(fi->cow_inode, FI_COW_FILE);
- F2FS_I(fi->cow_inode)->atomic_inode = NULL;
- iput(fi->cow_inode);
+ struct inode *cow_inode = fi->cow_inode;
+
+ f2fs_down_write(&F2FS_I(cow_inode)->i_sem);
+ clear_inode_flag(cow_inode, FI_COW_FILE);
+ F2FS_I(cow_inode)->atomic_inode = NULL;
fi->cow_inode = NULL;
+ f2fs_up_write(&F2FS_I(cow_inode)->i_sem);
+
+ iput(cow_inode);
}
trace_f2fs_evict_inode(inode);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 066/120] f2fs: fix to round down start offset of fallocate for pin file
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 065/120] f2fs: atomic: fix UAF issue on f2fs_inode_info.atomic_inode Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 067/120] f2fs: bound i_inline_xattr_size for non-inline-xattr inodes Greg Kroah-Hartman
` (59 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yunji Kang, Yeongjin Gil,
Sungjong Seo, Sunmin Jeong, Chao Yu, Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sunmin Jeong <s_min.jeong@samsung.com>
commit 4275b59673eb60b02eec3997816c83f1f4b909c4 upstream.
Currently, the length of fallocate for pin file is section-aligned to
keep allocated sections from being selected as victims of GC. However,
for the case that the start offset of fallocate is not aligned in
section, the allocated sections can't be fully utilized. It's because a
new section is allocated by f2fs_allocate_pinning_section() after using
blks_per_sec blocks regardless of the start offset. As a result, several
unexpected dirty segments may be created, including blocks assigned to
the pinned file.
To address this issue, let's round down the start offset of fallocate
to the length of section.
The reproducing scenario is as below
chunk=$(((2<<20)+4096)) # 2MB + 4KB
touch test
f2fs_io pinfile set test
f2fs_io fallocate 0 0 $chunk test
f2fs_io fallocate 0 $chunk $chunk test
f2fs_io fallocate 0 $((chunk*2)) $chunk test
f2fs_io fiemap 0 $((chunk*3)) test
Fiemap: offset = 0 len = 12288
logical addr. physical addr. length flags
0 0000000000000000 000000068c600000 0000000000400000 00001088
1 0000000000400000 000000003d400000 0000000000001000 00001088
2 0000000000401000 00000003eb200000 0000000000200000 00001088
3 0000000000601000 00000005e4200000 0000000000001000 00001088
4 0000000000602000 0000000605400000 0000000000200000 00001089
Cc: stable@vger.kernel.org
Fixes: f5a53edcf01e ("f2fs: support aligned pinned file")
Reviewed-by: Yunji Kang <yunji0.kang@samsung.com>
Reviewed-by: Yeongjin Gil <youngjin.gil@samsung.com>
Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
Signed-off-by: Sunmin Jeong <s_min.jeong@samsung.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/file.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -1916,8 +1916,15 @@ static int f2fs_expand_inode_data(struct
if (f2fs_is_pinned_file(inode)) {
block_t sec_blks = CAP_BLKS_PER_SEC(sbi);
- block_t sec_len = roundup(map.m_len, sec_blks);
+ block_t sec_len;
+ if (map.m_lblk % sec_blks) {
+ map.m_lblk = rounddown(map.m_lblk, sec_blks);
+ map.m_len = pg_end - map.m_lblk;
+ if (off_end)
+ map.m_len++;
+ }
+ sec_len = roundup(map.m_len, sec_blks);
map.m_len = sec_blks;
next_alloc:
f2fs_down_write(&sbi->pin_sem);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 067/120] f2fs: bound i_inline_xattr_size for non-inline-xattr inodes
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 066/120] f2fs: fix to round down start offset of fallocate for pin file Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 068/120] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
` (58 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bryam Vargas, Chao Yu, Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryam Vargas <hexlabsecurity@proton.me>
commit 378acf3cf19b6af6cba55e8dd1154c4e1504bae8 upstream.
When the flexible_inline_xattr feature is enabled, do_read_inode() loads
the on-disk i_inline_xattr_size unconditionally:
if (f2fs_sb_has_flexible_inline_xattr(sbi))
fi->i_inline_xattr_size = le16_to_cpu(ri->i_inline_xattr_size);
but sanity_check_inode() only range-checks it when the inode also has the
FI_INLINE_XATTR flag set. An inode that carries an inline dentry or inline
data but not FI_INLINE_XATTR -- the normal layout for an inline
directory -- therefore keeps a fully attacker-controlled
i_inline_xattr_size from a crafted image.
get_inline_xattr_addrs() returns that value with no flag gating, so it
feeds the inode geometry:
MAX_INLINE_DATA() = 4 * (CUR_ADDRS_PER_INODE - i_inline_xattr_size - 1)
NR_INLINE_DENTRY() = MAX_INLINE_DATA() * BITS_PER_BYTE / (...)
addrs_per_page() = CUR_ADDRS_PER_INODE - i_inline_xattr_size
A large i_inline_xattr_size drives MAX_INLINE_DATA() and NR_INLINE_DENTRY()
negative, so make_dentry_ptr_inline() sets d->max (int) to a negative
value. The inline directory walk then compares an unsigned long bit_pos
against that negative d->max, which is promoted to a huge unsigned bound,
and reads far past the inline area:
while (bit_pos < d->max) /* fs/f2fs/dir.c */
... test_bit_le(bit_pos, d->bitmap) / d->dentry[bit_pos] ...
Mounting a crafted image and reading such a directory triggers an
out-of-bounds read in f2fs_fill_dentries(); the same underflow also
corrupts ADDRS_PER_INODE for regular files.
Validate i_inline_xattr_size against MAX_INLINE_XATTR_SIZE whenever the
flexible_inline_xattr feature is enabled -- i.e. whenever the value is
loaded from disk and consumed -- and keep the lower MIN_INLINE_XATTR_SIZE
bound gated on inodes that actually carry an inline xattr, so legitimate
inodes with i_inline_xattr_size == 0 are still accepted.
Cc: stable@vger.kernel.org
Fixes: 6afc662e68b5 ("f2fs: support flexible inline xattr size")
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/inode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -324,9 +324,9 @@ static bool sanity_check_inode(struct in
}
if (f2fs_sb_has_flexible_inline_xattr(sbi) &&
- f2fs_has_inline_xattr(inode) &&
- (fi->i_inline_xattr_size < MIN_INLINE_XATTR_SIZE ||
- fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE)) {
+ (fi->i_inline_xattr_size > MAX_INLINE_XATTR_SIZE ||
+ (f2fs_has_inline_xattr(inode) &&
+ fi->i_inline_xattr_size < MIN_INLINE_XATTR_SIZE))) {
f2fs_warn(sbi, "%s: inode (ino=%llx) has corrupted i_inline_xattr_size: %d, min: %zu, max: %lu",
__func__, inode->i_ino, fi->i_inline_xattr_size,
MIN_INLINE_XATTR_SIZE, MAX_INLINE_XATTR_SIZE);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 068/120] f2fs: validate ACL entry sizes in f2fs_acl_from_disk()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 067/120] f2fs: bound i_inline_xattr_size for non-inline-xattr inodes Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 069/120] Revert "f2fs: remove non-uptodate folio from the page cache in move_data_block" Greg Kroah-Hartman
` (57 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Zhang Cen, Chao Yu,
Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Cen <rollkingzzc@gmail.com>
commit c4810ada31e80cbe4011467c4f3b1e93f94134f3 upstream.
f2fs_acl_count() only validates the aggregate ACL xattr length. A
malformed ACL can still place ACL_USER or ACL_GROUP in a slot that only
contains struct f2fs_acl_entry_short bytes, and f2fs_acl_from_disk()
then reads entry->e_id before verifying that a full entry fits.
Require a short entry before reading e_tag and e_perm, and require a
full entry before reading e_id for ACL_USER and ACL_GROUP. Return
-EFSCORRUPTED from these new truncated-entry checks, while keeping the
pre-existing -EINVAL paths unchanged.
Validation reproduced this kernel report:
KASAN slab-out-of-bounds in __f2fs_get_acl+0x6fb/0x7e0
RIP: 0033:0x7f4b835ea7aa
The buggy address belongs to the object at ffff888114589960 which belongs
to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of allocated 8-byte
region [ffff888114589960, ffff888114589968)
Read of size 4
Call trace:
dump_stack_lvl+0x66/0xa0 (?:?)
print_report+0xce/0x630 (?:?)
__f2fs_get_acl+0x6fb/0x7e0 (fs/f2fs/acl.c:169)
srso_alias_return_thunk+0x5/0xfbef5 (?:?)
__virt_addr_valid+0x224/0x430 (?:?)
kasan_report+0xe0/0x110 (?:?)
__f2fs_get_acl+0x5/0x7e0 (fs/f2fs/acl.c:169)
__get_acl+0x281/0x380 (?:?)
vfs_get_acl+0x10b/0x190 (?:?)
do_get_acl+0x2a/0x410 (?:?)
do_get_acl+0x9/0x410 (?:?)
do_getxattr+0xe8/0x260 (?:?)
filename_getxattr+0xd1/0x140 (?:?)
do_getname+0x2d/0x2d0 (?:?)
path_getxattrat+0x16c/0x200 (?:?)
lock_release+0xc8/0x290 (?:?)
cgroup_update_frozen+0x9d/0x320 (?:?)
lockdep_hardirqs_on_prepare+0xea/0x1a0 (?:?)
trace_hardirqs_on+0x1a/0x170 (?:?)
_raw_spin_unlock_irq+0x28/0x50 (?:?)
do_syscall_64+0x115/0x6a0 (arch/x86/entry/syscall_64.c:87)
entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)
Cc: stable@kernel.org
Fixes: af48b85b8cd3 ("f2fs: add xattr and acl functionalities")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/acl.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/fs/f2fs/acl.c
+++ b/fs/f2fs/acl.c
@@ -47,6 +47,7 @@ static inline int f2fs_acl_count(size_t
static struct posix_acl *f2fs_acl_from_disk(const char *value, size_t size)
{
int i, count;
+ int err = -EINVAL;
struct posix_acl *acl;
struct f2fs_acl_header *hdr = (struct f2fs_acl_header *)value;
struct f2fs_acl_entry *entry = (struct f2fs_acl_entry *)(hdr + 1);
@@ -70,8 +71,11 @@ static struct posix_acl *f2fs_acl_from_d
for (i = 0; i < count; i++) {
- if ((char *)entry > end)
+ if (unlikely((char *)entry +
+ sizeof(struct f2fs_acl_entry_short) > end)) {
+ err = -EFSCORRUPTED;
goto fail;
+ }
acl->a_entries[i].e_tag = le16_to_cpu(entry->e_tag);
acl->a_entries[i].e_perm = le16_to_cpu(entry->e_perm);
@@ -86,6 +90,11 @@ static struct posix_acl *f2fs_acl_from_d
break;
case ACL_USER:
+ if (unlikely((char *)entry +
+ sizeof(struct f2fs_acl_entry) > end)) {
+ err = -EFSCORRUPTED;
+ goto fail;
+ }
acl->a_entries[i].e_uid =
make_kuid(&init_user_ns,
le32_to_cpu(entry->e_id));
@@ -93,6 +102,11 @@ static struct posix_acl *f2fs_acl_from_d
sizeof(struct f2fs_acl_entry));
break;
case ACL_GROUP:
+ if (unlikely((char *)entry +
+ sizeof(struct f2fs_acl_entry) > end)) {
+ err = -EFSCORRUPTED;
+ goto fail;
+ }
acl->a_entries[i].e_gid =
make_kgid(&init_user_ns,
le32_to_cpu(entry->e_id));
@@ -108,7 +122,7 @@ static struct posix_acl *f2fs_acl_from_d
return acl;
fail:
posix_acl_release(acl);
- return ERR_PTR(-EINVAL);
+ return ERR_PTR(err);
}
static void *f2fs_acl_to_disk(struct f2fs_sb_info *sbi,
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 069/120] Revert "f2fs: remove non-uptodate folio from the page cache in move_data_block"
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 068/120] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 070/120] f2fs: fix incorrect FI_NO_EXTENT handling in __destroy_extent_node() Greg Kroah-Hartman
` (56 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhaoyang Huang, Chao Yu, Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
commit ccaba785821970f422c47770331c7e3271763f17 upstream.
This reverts commit 9609dd704725a40cd63d915f2ab6c44248a44598.
The kernel panics are keeping to be reported especially when the f2fs
partition get almost full. By investigation, we find that the reason is
one f2fs page got freed to buddy without being deleted from LRU and the
root cause is the race happened in [2] which is enrolled by this commit.
There are 3 race processes in this scenario, please find below for their
main activities.
The changed code in move_data_block() lets the GC path evict the tail-end
folio from the page cache through folio_end_dropbehind(). Once
folio_unmap_invalidate() removes the folio from mapping->i_pages, the
page-cache references for all pages in the folio are dropped. The folio
is then kept alive only by temporary external references, which allows a
later split to operate on a folio whose subpages are no longer protected
by page-cache references.
After the page-cache references are gone, split_folio_to_order() can
split the big folio into individual pages and put the resulting subpages
back on the LRU. For tail pages beyond EOF, split removes them from the
page cache and drops their page-cache references. A tail page can then
remain on the LRU with PG_lru set while holding only the split caller's
temporary reference. When free_folio_and_swap_cache() drops that final
reference, the page enters the final folio_put() release path.
In parallel, folio_isolate_lru() can observe the same tail page with a
non-zero refcount and PG_lru set. It clears PG_lru before taking its own
reference. If this races with the final folio_put() from the split path,
__folio_put() sees PG_lru already cleared and skips lruvec_del_folio().
The page is then freed back to the allocator while its lru links are
still present in the LRU list. A later LRU operation on a neighboring
page detects the stale link and reports list corruption.
[1]
[ 22.486082] list_del corruption. next->prev should be fffffffec10e0ac8, but was dead000000000122. (next=fffffffec10e0a88)
[ 22.486130] ------------[ cut here ]------------
[ 22.486134] kernel BUG at lib/list_debug.c:67!
[ 22.486141] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
[ 22.488502] Tainted: [W]=WARN, [O]=OOT_MODULE
[ 22.488506] Hardware name: Spreadtrum UMS9230 1H10 SoC (DT)
[ 22.488511] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 22.488517] pc : __list_del_entry_valid_or_report+0x14c/0x154
[ 22.488531] lr : __list_del_entry_valid_or_report+0x14c/0x154
[ 22.488539] sp : ffffffc08006b830
[ 22.488542] x29: ffffffc08006b868 x28: 0000000000003020 x27: 0000000000000000
[ 22.488553] x26: 0000000000000000 x25: 0000000000000004 x24: fffffffec10e0ac0
[ 22.488564] x23: 00000000000000e8 x22: 0000000000000024 x21: dead000000000122
[ 22.488574] x20: fffffffec10e0a88 x19: fffffffec10e0ac8 x18: ffffffc080061060
[ 22.488585] x17: 20747562202c3863 x16: 6130653031636566 x15: 0000000000000058
[ 22.488595] x14: 0000000000000004 x13: ffffff80f91e0000 x12: 0000000000000003
[ 22.488605] x11: 0000000000000003 x10: 0000000000000001 x9 : ffe85721f0e25f00
[ 22.488615] x8 : ffe85721f0e25f00 x7 : 0000000000000000 x6 : 6c65645f7473696c
[ 22.488625] x5 : ffffffed39b23026 x4 : 0000000000000000 x3 : 0000000000000010
[ 22.488636] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000006d
[ 22.488647] Call trace:
[ 22.488651] __list_del_entry_valid_or_report+0x14c/0x154 (P)
[ 22.488661] __folio_put+0x2bc/0x434
[ 22.488670] folio_put+0x28/0x58
[ 22.488678] do_garbage_collect+0x1a34/0x2584
[ 22.488689] f2fs_gc+0x230/0x9b4
[ 22.488697] f2fs_fallocate+0xb90/0xdf4
[ 22.488706] vfs_fallocate+0x1b4/0x2bc
[ 22.488716] __arm64_sys_fallocate+0x44/0x78
[ 22.488725] invoke_syscall+0x58/0xe4
[ 22.488732] do_el0_svc+0x48/0xdc
[ 22.488739] el0_svc+0x3c/0x98
[ 22.488747] el0t_64_sync_handler+0x20/0x130
[ 22.488754] el0t_64_sync+0x1c4/0x1c8
[2]
CPU0 (f2fs GC) CPU1 (split_folio_to_order) CPU2 (folio_isolate_lru)
F: pagecache refs = n
F: extra refs = GC + split
F: PG_lru set
move_data_block()
folio = f2fs_grab_cache_folio(F)
...
__folio_set_dropbehind(F)
folio_unlock(F)
folio_end_dropbehind(F)
folio_unmap_invalidate(F)
__filemap_remove_folio(F)
folio_put_refs(F, n)
folio_put(F)
split_folio_to_order(F)
folio_ref_freeze(F, 1)
...
lru_add_split_folio(T)
list_add_tail(&T->lru, &F->lru)
folio_set_lru(T)
__filemap_remove_folio(T)
folio_put_refs(T, 1)
/* T refcount == 1, PageLRU set */
folio_isolate_lru(T)
folio_test_clear_lru(T)
free_folio_and_swap_cache(T)
folio_put(T)
/* refcount: 1 -> 0 */
__folio_put(T)
__page_cache_release(T)
folio_test_lru(T) == false
/* skip lruvec_del_folio(T) */
free_frozen_pages(T)
folio_get(T)
lruvec_del_folio(T)
later:
list_del(adjacent->lru)
next == &T->lru
next->prev == LIST_POISON / PCP freelist
BUG
Cc: stable@vger.kernel.org
Fixes: 9609dd704725 ("f2fs: remove non-uptodate folio from the page cache in move_data_block")
Signed-off-by: Zhaoyang Huang <zhaoyang.huang@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/gc.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index 69e0a867219d..56a1c0547d76 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1499,11 +1499,7 @@ static int move_data_block(struct inode *inode, block_t bidx,
put_out:
f2fs_put_dnode(&dn);
out:
- if (!folio_test_uptodate(folio))
- __folio_set_dropbehind(folio);
- folio_unlock(folio);
- folio_end_dropbehind(folio);
- folio_put(folio);
+ f2fs_folio_put(folio, true);
out_iput:
if (atomic_inode)
iput(atomic_inode);
--
2.55.0
^ permalink raw reply related [flat|nested] 134+ messages in thread
* [PATCH 7.1 070/120] f2fs: fix incorrect FI_NO_EXTENT handling in __destroy_extent_node()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 069/120] Revert "f2fs: remove non-uptodate folio from the page cache in move_data_block" Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 071/120] f2fs: keep atomic write retry from zeroing original data Greg Kroah-Hartman
` (55 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Yongpeng Yang, Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongpeng Yang <yangyongpeng@xiaomi.com>
commit 1f70ddb28a3c71df124da5fa4040c808116d6bb9 upstream.
When __destroy_extent_node() sets the inode flag FI_NO_EXTENT, it does
not reset the length of the largest extent to 0 and update the inode
folio. Since modifications to the extent tree are disallowed afterward,
the cached largest extent may become stale. This can trigger the
following error in xfstests generic/388:
F2FS-fs (dm-0): sanity_check_extent_cache: inode (ino=1761) extent info [220057, 57, 6] is incorrect, run fsck to fix
In the f2fs_drop_inode path, __destroy_extent_node() does not need to
guarantee that et->node_cnt is 0, because concurrency with writeback
is expected in this path, and writeback may update the extent cache.
This patch reverts commit ed78aeebef05 ("f2fs: fix node_cnt race between
extent node destroy and writeback"), and remove the unnecessary zero
check of et->node_cnt.
Fixes: ed78aeebef05 ("f2fs: fix node_cnt race between extent node destroy and writeback")
Cc: stable@vger.kernel.org
Reported-by: Chao Yu <chao@kernel.org>
Suggested-by: Chao Yu <chao@kernel.org>
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/extent_cache.c | 19 +++++++------------
1 file changed, 7 insertions(+), 12 deletions(-)
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -119,10 +119,9 @@ static bool __may_extent_tree(struct ino
if (!__init_may_extent_tree(inode, type))
return false;
- if (is_inode_flag_set(inode, FI_NO_EXTENT))
- return false;
-
if (type == EX_READ) {
+ if (is_inode_flag_set(inode, FI_NO_EXTENT))
+ return false;
if (is_inode_flag_set(inode, FI_COMPRESSED_FILE) &&
!f2fs_sb_has_readonly(F2FS_I_SB(inode)))
return false;
@@ -645,14 +644,10 @@ static unsigned int __destroy_extent_nod
while (atomic_read(&et->node_cnt)) {
write_lock(&et->lock);
- if (!is_inode_flag_set(inode, FI_NO_EXTENT))
- set_inode_flag(inode, FI_NO_EXTENT);
node_cnt += __free_extent_tree(sbi, et, nr_shrink);
write_unlock(&et->lock);
}
- f2fs_bug_on(sbi, atomic_read(&et->node_cnt));
-
return node_cnt;
}
@@ -691,12 +686,12 @@ static void __update_extent_tree_range(s
write_lock(&et->lock);
- if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
- write_unlock(&et->lock);
- return;
- }
-
if (type == EX_READ) {
+ if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
+ write_unlock(&et->lock);
+ return;
+ }
+
prev = et->largest;
dei.len = 0;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 071/120] f2fs: keep atomic write retry from zeroing original data
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 070/120] f2fs: fix incorrect FI_NO_EXTENT handling in __destroy_extent_node() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 072/120] f2fs: read COW data with the original inode during atomic write Greg Kroah-Hartman
` (54 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Wenjie Qi, Chao Yu,
Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenjie Qi <qwjhust@gmail.com>
commit 6d874b65aadce56ac78f76129dbcfc2599b638f8 upstream.
A partial atomic write reserves a block in the COW inode before reading the
original data page for the untouched bytes in that page.
If that read fails, write_begin returns an error but leaves the COW inode
entry as NEW_ADDR. A retry of the same partial write then finds the COW
entry, treats it as existing COW data, and f2fs_write_begin() zeroes the
whole folio because blkaddr is NEW_ADDR.
If the retry is committed, the bytes outside the retried write range are
committed as zeroes instead of preserving the original file contents.
Only use the COW inode as the read source when it already has a real data
block. If the COW entry is still NEW_ADDR, treat it as a reservation to
reuse: keep reading the old data from the original inode and avoid
reserving or accounting the same atomic block again.
Cc: stable@kernel.org
Fixes: 3db1de0e582c ("f2fs: change the current atomic write way")
Signed-off-by: Wenjie Qi <qiwenjie@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/data.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -3828,6 +3828,7 @@ static int prepare_atomic_write_begin(st
pgoff_t index = folio->index;
int err = 0;
block_t ori_blk_addr = NULL_ADDR;
+ bool cow_has_reserved_block = false;
/* If pos is beyond the end of file, reserve a new block in COW inode */
if ((pos & PAGE_MASK) >= i_size_read(inode))
@@ -3837,9 +3838,11 @@ static int prepare_atomic_write_begin(st
err = __find_data_block(cow_inode, index, blk_addr);
if (err) {
return err;
- } else if (*blk_addr != NULL_ADDR) {
+ } else if (__is_valid_data_blkaddr(*blk_addr)) {
*use_cow = true;
return 0;
+ } else if (*blk_addr == NEW_ADDR) {
+ cow_has_reserved_block = true;
}
if (is_inode_flag_set(inode, FI_ATOMIC_REPLACE))
@@ -3852,10 +3855,13 @@ static int prepare_atomic_write_begin(st
reserve_block:
/* Finally, we should reserve a new block in COW inode for the update */
- err = __reserve_data_block(cow_inode, index, blk_addr, node_changed);
- if (err)
- return err;
- inc_atomic_write_cnt(inode);
+ if (!cow_has_reserved_block) {
+ err = __reserve_data_block(cow_inode, index, blk_addr,
+ node_changed);
+ if (err)
+ return err;
+ inc_atomic_write_cnt(inode);
+ }
if (ori_blk_addr != NULL_ADDR)
*blk_addr = ori_blk_addr;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 072/120] f2fs: read COW data with the original inode during atomic write
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 071/120] f2fs: keep atomic write retry from zeroing original data Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 073/120] block: Avoid mounting the bdev pseudo-filesystem in userspace Greg Kroah-Hartman
` (53 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikhail Lobanov, Chao Yu,
Jaegeuk Kim
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikhail Lobanov <m.lobanov@rosa.ru>
commit a41075acde0124d2f8a5f563068a5d63e8ffd57b upstream.
When updating an atomic-write file, f2fs_write_begin() may read the
previously written data back from the COW inode:
prepare_atomic_write_begin() locates the block in the COW inode and sets
use_cow, and the read bio is then built with the COW inode:
f2fs_submit_page_read(use_cow ? F2FS_I(inode)->cow_inode : inode,
...);
and f2fs_grab_read_bio() decides whether to schedule fs-layer decryption
(STEP_DECRYPT) for the bio based on that inode via
fscrypt_inode_uses_fs_layer_crypto().
However, the folio being filled belongs to the original inode
(folio->mapping->host == inode), and the data stored in the COW block was
encrypted (or left as plaintext) using the original inode's context, not
the COW inode's -- see f2fs_encrypt_one_page(), which keys off
fio->page->mapping->host. fscrypt_decrypt_pagecache_blocks() likewise
operates on folio->mapping->host.
The COW inode is created as a tmpfile in the parent directory and inherits
its encryption policy from there. With test_dummy_encryption the newly
created COW inode gets the dummy policy and becomes encrypted, while a
pre-existing regular file -- created before the policy applied, e.g.
already present in the on-disk image -- stays unencrypted. The read
path then sets STEP_DECRYPT based on the encrypted COW inode and calls
fscrypt_decrypt_pagecache_blocks() on a folio whose host (the unencrypted
original inode) has a NULL ->i_crypt_info, dereferencing it:
Oops: general protection fault, probably for non-canonical address ...
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
RIP: 0010:fscrypt_decrypt_pagecache_blocks+0xa0/0x310
Workqueue: f2fs_post_read_wq f2fs_post_read_work
Call Trace:
fscrypt_decrypt_bio+0x1eb/0x340
f2fs_post_read_work+0xba/0x140
process_one_work+0x91c/0x1a40
worker_thread+0x677/0xe90
kthread+0x2bc/0x3a0
The COW inode is only needed to locate the on-disk block, and that block
address is already resolved into @blkaddr by prepare_atomic_write_begin()
via __find_data_block(cow_inode, ...); f2fs_submit_page_read() then reads
from that physical @blkaddr directly, so the inode argument only selects
the post-read crypto context, not which block is fetched. Reading with
@inode therefore returns the same (latest, not-yet-committed) COW data,
while making both the fs-layer decryption decision and the inline crypto
path use the correct (original inode's) key.
With the COW inode no longer used at the read site, the use_cow flag has no
remaining consumer; drop it from f2fs_write_begin() and
prepare_atomic_write_begin().
Fixes: 591fc34e1f98 ("f2fs: use cow inode data when updating atomic write")
Cc: stable@vger.kernel.org
Signed-off-by: Mikhail Lobanov <m.lobanov@rosa.ru>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/data.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -3821,7 +3821,7 @@ unlock_out:
static int prepare_atomic_write_begin(struct f2fs_sb_info *sbi,
struct folio *folio, loff_t pos, unsigned int len,
- block_t *blk_addr, bool *node_changed, bool *use_cow)
+ block_t *blk_addr, bool *node_changed)
{
struct inode *inode = folio->mapping->host;
struct inode *cow_inode = F2FS_I(inode)->cow_inode;
@@ -3836,14 +3836,14 @@ static int prepare_atomic_write_begin(st
/* Look for the block in COW inode first */
err = __find_data_block(cow_inode, index, blk_addr);
- if (err) {
+ if (err)
return err;
- } else if (__is_valid_data_blkaddr(*blk_addr)) {
- *use_cow = true;
+
+ if (__is_valid_data_blkaddr(*blk_addr))
return 0;
- } else if (*blk_addr == NEW_ADDR) {
+
+ if (*blk_addr == NEW_ADDR)
cow_has_reserved_block = true;
- }
if (is_inode_flag_set(inode, FI_ATOMIC_REPLACE))
goto reserve_block;
@@ -3878,7 +3878,6 @@ static int f2fs_write_begin(const struct
struct folio *folio;
pgoff_t index = pos >> PAGE_SHIFT;
bool need_balance = false;
- bool use_cow = false;
block_t blkaddr = NULL_ADDR;
int err = 0;
@@ -3941,7 +3940,7 @@ repeat:
if (f2fs_is_atomic_file(inode))
err = prepare_atomic_write_begin(sbi, folio, pos, len,
- &blkaddr, &need_balance, &use_cow);
+ &blkaddr, &need_balance);
else
err = prepare_write_begin(sbi, folio, pos, len,
&blkaddr, &need_balance);
@@ -3981,8 +3980,15 @@ repeat:
err = -EFSCORRUPTED;
goto put_folio;
}
- f2fs_submit_page_read(use_cow ? F2FS_I(inode)->cow_inode :
- inode,
+ /*
+ * Although the block may be stored in the COW inode, the folio
+ * belongs to @inode and its data was encrypted (or not) using
+ * @inode's context (see f2fs_encrypt_one_page()). Read with
+ * @inode so the post-read decryption decision matches the
+ * folio's owner; otherwise an unencrypted @inode whose COW inode
+ * is encrypted hits a NULL ->i_crypt_info on decryption.
+ */
+ f2fs_submit_page_read(inode,
NULL, /* can't write to fsverity files */
folio, blkaddr, 0, true);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 073/120] block: Avoid mounting the bdev pseudo-filesystem in userspace
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 072/120] f2fs: read COW data with the original inode during atomic write Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 074/120] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
` (52 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Denis Arefev, Christoph Hellwig,
Jens Axboe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
commit f73aa66dffcb8e61e78f01b56163ec16a15d06d2 upstream.
The bdev pseudo-filesystem is an internal kernel filesystem with which
userspace should not interfere. Unregister it so that userspace cannot
even attempt to mount it.
This fixes a bug [1] that occurs when attempting to access files,
because the system call move_mount() uses pointers declared in the
inode_operations structure, which for the bdev pseudo-filesystem
are always equal to 0. `inode->i_op = &empty_iops;`
[1]
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 23380067 P4D 23380067 PUD 23381067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN NOPTI
CPU: 2 PID: 17125 Comm: syz-executor.0 Not tainted 6.1.155-syzkaller-00350-g84221fde2681 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:0x0
Call Trace:
<TASK>
lookup_open.isra.0+0x700/0x1180 fs/namei.c:3460
open_last_lookups fs/namei.c:3550 [inline]
path_openat+0x953/0x2700 fs/namei.c:3780
do_filp_open+0x1c5/0x410 fs/namei.c:3810
do_sys_openat2+0x171/0x4d0 fs/open.c:1318
do_sys_open fs/open.c:1334 [inline]
__do_sys_openat fs/open.c:1350 [inline]
__se_sys_openat fs/open.c:1345 [inline]
__x64_sys_openat+0x13c/0x1f0 fs/open.c:1345
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Link: https://lore.kernel.org/all/20131010004732.GJ13318@ZenIV.linux.org.uk/T/#
Cc: stable@vger.kernel.org
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20260521072857.5078-1-arefev@swemel.ru
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/bdev.c | 5 -----
1 file changed, 5 deletions(-)
--- a/block/bdev.c
+++ b/block/bdev.c
@@ -446,15 +446,10 @@ EXPORT_SYMBOL_GPL(blockdev_superblock);
void __init bdev_cache_init(void)
{
- int err;
-
bdev_cachep = kmem_cache_create("bdev_cache", sizeof(struct bdev_inode),
0, (SLAB_HWCACHE_ALIGN|SLAB_RECLAIM_ACCOUNT|
SLAB_ACCOUNT|SLAB_PANIC),
init_once);
- err = register_filesystem(&bd_type);
- if (err)
- panic("Cannot register bdev pseudo-fs");
blockdev_mnt = kern_mount(&bd_type);
if (IS_ERR(blockdev_mnt))
panic("Cannot create bdev pseudo-fs");
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 074/120] bpf: use kvfree() for replaced sysctl write buffer
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 073/120] block: Avoid mounting the bdev pseudo-filesystem in userspace Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 075/120] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
` (51 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emil Tsalapatis, Jiayuan Chen,
Yonghong Song, Zilin Guan, Dawei Feng, Alexei Starovoitov
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dawei Feng <dawei.feng@seu.edu.cn>
commit 4c21b5927d4364bfe7365f2700da5fea0ed0d004 upstream.
proc_sys_call_handler() allocates its temporary sysctl buffer with
kvzalloc() and passes it to __cgroup_bpf_run_filter_sysctl(). Since
kvzalloc() may fall back to vmalloc() for large allocations, freeing
that buffer with kfree() is wrong and can corrupt memory.
Use kvfree() to safely handle both kmalloc and kvzalloc()/vmalloc
allocations.
The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still
present in v7.1-rc5.
Reproduced the bug based on v7.1-rc4 in a QEMU x86_64 guest booted with
KASAN and CONFIG_FAILSLAB enabled. To exercise the replacement path, the
test tree also included the accompanying fix for the stale ret == 1
check in __cgroup_bpf_run_filter_sysctl(). The reproducer confines
failslab injections to the proc_sys_call_handler() range, uses
stacktrace-depth=32, and injects fail-nth=1 while writing 8191 bytes to
/proc/sys/kernel/domainname from a task in the target cgroup. Under
that setup, fail-nth=1 triggered the fault:
BUG: unable to handle page fault for address: ffffeb0200024d48
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 SMP KASAN NOPTI
CPU: 2 UID: 0 PID: 209 Comm: repro_proc_sys_ Not tainted 7.1.0-rc4-00686-g97625979a5d4 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:kfree+0x6e/0x510
...
Call Trace:
<TASK>
? __cgroup_bpf_run_filter_sysctl+0x626/0xc30
__cgroup_bpf_run_filter_sysctl+0x74d/0xc30
? __pfx___cgroup_bpf_run_filter_sysctl+0x10/0x10
? srso_return_thunk+0x5/0x5f
? __kvmalloc_node_noprof+0x345/0x870
? proc_sys_call_handler+0x250/0x480
? srso_return_thunk+0x5/0x5f
proc_sys_call_handler+0x3a2/0x480
? __pfx_proc_sys_call_handler+0x10/0x10
? srso_return_thunk+0x5/0x5f
? selinux_file_permission+0x39f/0x500
? srso_return_thunk+0x5/0x5f
? lock_is_held_type+0x9e/0x120
vfs_write+0x98e/0x1000
...
</TASK>
With this fix applied on top of the same test setup, rerunning the
reproducer with fail-nth=1 yields no corresponding Oops reports.
Fixes: 4508943794ef ("proc: use kvzalloc for our kernel buffer")
Cc: stable@vger.kernel.org
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
Link: https://lore.kernel.org/r/20260603105317.944304-3-dawei.feng@seu.edu.cn
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/cgroup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1936,7 +1936,7 @@ int __cgroup_bpf_run_filter_sysctl(struc
kfree(ctx.cur_val);
if (ret == 1 && ctx.new_updated) {
- kfree(*buf);
+ kvfree(*buf);
*buf = ctx.new_val;
*pcount = ctx.new_len;
} else {
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 075/120] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 074/120] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 076/120] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
` (50 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maciej W. Rozycki,
Thomas Bogendoerfer
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit 7fb13fd35110ebe95eb053faf79d018f51144d85 upstream.
In 64-bit configurations calling the initial console output handler from
a kernel thread other than the initial one will result in a situation
where the stack has been placed in the XKPHYS 64-bit memory segment and
consequently so has been the buffer allocated there that is used as the
argument corresponding to the `%s' output conversion specifier for the
firmware's printf() entry point.
This 64-bit address will then be truncated by 32-bit firmware, resulting
in an attempt to access the wrong memory location, which in turn will
cause all kinds of unpredictable behaviour, such as a kernel crash:
Console: colour dummy device 160x64
Calibrating delay loop... 49.36 BogoMIPS (lpj=192512)
pid_max: default: 32768 minimum: 301
CPU 0 Unable to handle kernel paging request at virtual address 000000000203bd00, epc == ffffffffbfc08364, ra == ffffffffbfc08800
Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 5.18.0-rc2-00254-gfb649bda6f56-dirty #121
$ 0 : 0000000000000000 0000000000000001 0000000000000023 ffffffff80684ba0
$ 4 : 000000000203bd00 ffffffffbfc0f3b4 ffffffffffffffff 0000000000000073
$ 8 : 0a303d7469000000 0000000000000000 0000000000000073 ffffffffbfc0f473
$12 : 0000000000000002 0000000000000000 ffffffff80684c1c 0000000000000000
$16 : 0000000000000000 ffffffff80596dc9 0000000000000000 ffffffffbfc09240
$20 : ffffffff80684c40 ffffffffbfc0f400 000000000000002d 000000000000002b
$24 : ffffffffffffffbf 000000000203bd00
$28 : ffffffff805f0000 ffffffff80684b58 0000000000000030 ffffffffbfc08800
Hi : 0000000000000000
Lo : 0000000000000aa8
epc : ffffffffbfc08364 0xffffffffbfc08364
ra : ffffffffbfc08800 0xffffffffbfc08800
Status: 140120e2 KX SX UX KERNEL EXL
Cause : 00000008 (ExcCode 02)
BadVA : 000000000203bd00
PrId : 00000430 (R4000SC)
Modules linked in:
Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____), tls=0000000000000000)
Stack : 0000000000000000 0000000000000000 0000000000000000 0000004d0000004d
80684cc0806a2a40 80596dc80000004d 8061000000000000 bfc0850c80684c38
0000000000000000 000000000203bd00 0000000000000000 0000000000000000
0000000000000000 00000000bfc0f3b4 0000000000000000 0000000000000000
0000000000000000 0000000000000000 0000000000000000 0000000000000000
0000000000000000 0000000000000000 0000000000000000 0000000000000000
0000002500000000 0000000000000000 0000000000000000 802c1a7400000000
0203bd0080596dc8 0203bd4d69000000 6c61632000000018 5f746567646e6172
6c616320625f6d6f 5f736e5f6d6f7266 206361323778302b 303d74696e726320
806a0a38806b0000 806a0a38806b0000 00000000806b0000 80683c58806b0000
...
Call Trace:
Code: a082ffff 03e00008 00601021 <80820000> 00001821 10400005 24840001 80820000 24630001
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Fatal exception in interrupt
KN04 V2.1k (PC: 0xa0026768, SP: 0x806848e8)
>>
In this case the pointer in $4 was truncated from 0x980000000203bd00 to
0x000000000203bd00.
This may happen when no final console driver has been enabled in the
configuration and consequently the initial console continues being used
late into bootstrap or with an upcoming change that will switch the zs
driver to use a platform device, which in turn will make the console
handover happen only after other kernel threads have already been
started.
Fix the issue by making the buffer static and initdata, and therefore
placed in the CKSEG0 32-bit compatibility segment, observing that the
console output handler is called with the console lock held, implying
no need for this code to be reentrant. Add an assertion to verify the
buffer actually has been placed in a compatibility segment.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.12+
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/dec/prom/console.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/arch/mips/dec/prom/console.c
+++ b/arch/mips/dec/prom/console.c
@@ -2,8 +2,9 @@
/*
* DECstation PROM-based early console support.
*
- * Copyright (C) 2004, 2007 Maciej W. Rozycki
+ * Copyright (C) 2004, 2007, 2026 Maciej W. Rozycki
*/
+#include <linux/bug.h>
#include <linux/console.h>
#include <linux/init.h>
#include <linux/kernel.h>
@@ -14,9 +15,11 @@
static void __init prom_console_write(struct console *con, const char *s,
unsigned int c)
{
- char buf[81];
+ static char buf[81] __initdata = { 0 };
unsigned int chunk = sizeof(buf) - 1;
+ BUG_ON((long)buf != (int)(long)buf);
+
while (c > 0) {
if (chunk > c)
chunk = c;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 076/120] exfat: fix potential use-after-free in exfat_find_dir_entry()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 075/120] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 077/120] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Greg Kroah-Hartman
` (49 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Namjae Jeon
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 3f5f8ee9917cc2b9076ac533492d8a200edcabb8 upstream.
In exfat_find_dir_entry(), the buffer_head obtained from
exfat_get_dentry() is released with brelse(bh) before the fall-through
TYPE_EXTEND branch reads the directory entry through ep (which points
into bh->b_data):
brelse(bh);
if (entry_type == TYPE_EXTEND) {
...
len = exfat_extract_uni_name(ep, entry_uniname);
...
}
After brelse() drops our reference, nothing guarantees that the
underlying page backing bh->b_data remains valid for the subsequent
exfat_extract_uni_name() read. This is the same pattern fixed in
commit fc961522ddbd ("exfat: Fix potential use after free in
exfat_load_upcase_table()").
Move brelse(bh) so it runs after ep is no longer dereferenced on
each branch.
Confirmed on QEMU x86_64 with CONFIG_KASAN=y + CONFIG_DEBUG_PAGEALLOC=y
+ CONFIG_PAGE_POISONING=y on linux-next, using a crafted exFAT image
(long filename with same-hash collisions forcing the TYPE_EXTEND path).
With a debug-only invalidate_bdev() inserted between brelse(bh) and
the ep read to make the stale-deref window deterministic, the
unpatched kernel faults:
BUG: KASAN: use-after-free in exfat_find_dir_entry+0x133b/0x15a0
BUG: unable to handle page fault for address: ffff88801a5fa0c2
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI
RIP: 0010:exfat_find_dir_entry+0x1188/0x15a0
With this patch applied, the same instrumented harness completes
cleanly under the same sanitizer stack. I have not reproduced a
crash on an uninstrumented kernel under ordinary reclaim; the
instrumented A/B establishes the lifetime violation and that the
patch closes it, not an unaided triggerability claim.
Fixes: ca06197382bd ("exfat: add directory operations")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/exfat/dir.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/exfat/dir.c
+++ b/fs/exfat/dir.c
@@ -1027,12 +1027,12 @@ rewind:
continue;
}
- brelse(bh);
if (entry_type == TYPE_EXTEND) {
unsigned short entry_uniname[16], unichar;
if (step != DIRENT_STEP_NAME ||
name_len >= MAX_NAME_LENGTH) {
+ brelse(bh);
step = DIRENT_STEP_FILE;
continue;
}
@@ -1043,6 +1043,7 @@ rewind:
uniname += EXFAT_FILE_NAME_LEN;
len = exfat_extract_uni_name(ep, entry_uniname);
+ brelse(bh);
name_len += len;
unichar = *(uniname+len);
@@ -1061,6 +1062,7 @@ rewind:
continue;
}
+ brelse(bh);
if (entry_type &
(TYPE_CRITICAL_SEC | TYPE_BENIGN_SEC)) {
if (step == DIRENT_STEP_SECD) {
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 077/120] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 076/120] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 078/120] KVM: Replace guest-triggerable BUG_ON() in ioeventfd datamatch with get_unaligned() Greg Kroah-Hartman
` (48 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Matlack, James Houghton,
Alexander Bulekov, Fred Griffoul, Alexander Graf, David Woodhouse,
Filippo Sironi, Ivan Orlov, Sean Christopherson, Paolo Bonzini
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit ef057cbf825e03b63f6edf5980f96abf3c53089d upstream.
When recovering hugepages in the shadow MMU, verify that the base gfn of
the shadow page is actually contained within the target memslot, *before*
querying the max mapping level given the shadow page's gfn. Failure to
pre-check the validity of the gfn can lead to an out-of-bounds access to
the slot's lpage_info (which typically manifests as a host #PF because the
lpage_info is vmalloc'd) if the guest creates a hugepage mapping (in its
PTEs) that extends "below" the bounds of a memslot.
When faulting in memory for a guest, and the size of the guest mapping is
greater than KVM's (current) max mapping, then KVM will create a "direct"
shadow page (direct in that there are no gPTEs to shadow, and so the target
gfn is a direct calculation given the base gfn of the shadow page). The
hugepage recovery flow looks for such direct shadow pages, as forcing 4KiB
mappings when dirty logging generates the guest > host mapping size case.
When the 4KiB restriction is lifted, then KVM can replace the shadow page
with a hugepage.
But if KVM originally used a smaller mapping than the guest because the
range of memory covered by the guest hugepage exceeds the bounds of a
memslot, then KVM will link a direct shadow page with a gfn that is outside
the bounds of the memslot being used to fault in memory. The rmap entry
added for the leaf mapping is correct and within bounds, but the gfn of the
leaf SPTE's parent shadow page will be out of bounds.
BUG: unable to handle page fault for address: ffffc90000806ffc
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 100000067 P4D 100000067 PUD 1002a7067 PMD 10612f067 PTE 0
Oops: Oops: 0000 [#1] SMP
CPU: 13 UID: 1000 PID: 757 Comm: mmu_stress_test Not tainted 7.1.0-rc1-48ce1e26eace-x86_pir_to_irr_comments-vm #341 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:kvm_mmu_max_mapping_level+0x79/0x2b0 [kvm]
Call Trace:
<TASK>
kvm_mmu_recover_huge_pages+0x21b/0x320 [kvm]
kvm_set_memslot+0x1ee/0x590 [kvm]
kvm_set_memory_region.part.0+0x3a1/0x4d0 [kvm]
kvm_vm_ioctl+0x9bf/0x15d0 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb7/0xbb0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f21c0f1a9bf
</TASK>
Don't bother pre-checking the bounds of the potential hugepage, i.e. don't
check that e.g. sp->gfn + KVM_PAGES_PER_HPAGE(sp->role.level + 1) is also
within the memslot, as the checks performed by kvm_mmu_max_mapping_level()
are a superset of the basic bounds checks. I.e. pre-checking the full
range would be a dubious micro-optimization.
Fixes: 9eba50f8d7fc ("KVM: x86/mmu: Consult max mapping level when zapping collapsible SPTEs")
Cc: stable@vger.kernel.org
Cc: David Matlack <dmatlack@google.com>
Cc: James Houghton <jthoughton@google.com>
Cc: Alexander Bulekov <bkov@amazon.com>
Cc: Fred Griffoul <fgriffo@amazon.co.uk>
Cc: Alexander Graf <graf@amazon.de>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Filippo Sironi <sironi@amazon.de>
Cc: Ivan Orlov <iorlov@amazon.co.uk>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/mmu/mmu.c | 18 ++++++++++++------
include/linux/kvm_host.h | 7 ++++++-
2 files changed, 18 insertions(+), 7 deletions(-)
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -7288,13 +7288,19 @@ restart:
sp = sptep_to_sp(sptep);
/*
- * We cannot do huge page mapping for indirect shadow pages,
- * which are found on the last rmap (level = 1) when not using
- * tdp; such shadow pages are synced with the page table in
- * the guest, and the guest page table is using 4K page size
- * mapping if the indirect sp has level = 1.
+ * Direct shadow page can be replaced by a hugepage if the host
+ * mapping level allows it and the memslot maps all of the host
+ * hugepage. Note! If the memslot maps only part of the
+ * hugepage, sp->gfn may be below slot->base_gfn, and querying
+ * the max mapping level would cause an out-of-bounds lpage_info
+ * access. So the gfn bounds check *must* be done first.
+ *
+ * Indirect shadow pages are created when the guest page tables
+ * are using 4K pages. Since the host mapping is always
+ * constrained by the page size in the guest, indirect shadow
+ * pages are never collapsible.
*/
- if (sp->role.direct &&
+ if (sp->role.direct && is_gfn_in_memslot(slot, sp->gfn) &&
sp->role.level < kvm_mmu_max_mapping_level(kvm, NULL, slot, sp->gfn)) {
kvm_zap_one_rmap_spte(kvm, rmap_head, sptep);
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -1815,6 +1815,11 @@ void kvm_unregister_irq_ack_notifier(str
struct kvm_irq_ack_notifier *kian);
bool kvm_arch_irqfd_allowed(struct kvm *kvm, struct kvm_irqfd *args);
+static inline bool is_gfn_in_memslot(const struct kvm_memory_slot *slot, gfn_t gfn)
+{
+ return gfn >= slot->base_gfn && gfn < slot->base_gfn + slot->npages;
+}
+
/*
* Returns a pointer to the memslot if it contains gfn.
* Otherwise returns NULL.
@@ -1825,7 +1830,7 @@ try_get_memslot(struct kvm_memory_slot *
if (!slot)
return NULL;
- if (gfn >= slot->base_gfn && gfn < slot->base_gfn + slot->npages)
+ if (is_gfn_in_memslot(slot, gfn))
return slot;
else
return NULL;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 078/120] KVM: Replace guest-triggerable BUG_ON() in ioeventfd datamatch with get_unaligned()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 077/120] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 079/120] crypto: nx - fix nx_crypto_ctx_exit argument Greg Kroah-Hartman
` (47 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Paolo Bonzini
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit f1edbed787ba67988ed34e0132ca128b052b6ce8 upstream.
Drop a BUG_ON() that has been reachable since it was first added, way back
in 2009, and instead use get_unaligned() to perform potentially-unaligned
accesses.
For a given store, KVM x86's emulator tracks the entire value in the
destination operand, x86_emulate_ctxt.dst. If the destination is memory,
and the target splits multiple pages and/or is emulated MMIO, then KVM
handles each fragment independently. E.g. on a page split starting at page
offset 0xffc, KVM writes 4 bytes to the first page, then the remaining
bytes to the second page, using ctxt->dst as the source for both (with
appropriate offsets).
If the destination splits a page *and* hits emulated MMIO on the second
page, then KVM will complete the write to the first page, then emulate the
MMIO access to the second page. If there is a datamatch-enabled ioeventfd
at offset 0 of the second page, then KVM will process the remainder of the
store as a potential ioeventfd signal.
Putting it all together, if the guest emits a store that splits a page
starting at page offset N, and the second page has a datamatch-enabled
ioeventfd at offset 0, then KVM will check for datamatch using
&dst.valptr[N] as the source. Due to dst (and thus dst.valptr) being
32-byte aligned, if N is not aligned to @len, the BUG_ON() fires.
E.g. with a 16-byte store at page offset 0xffc, to an ioeventfd of len 8,
all initial checks in ioeventfd_in_range() will succeed, and the BUG_ON()
fires due to @val being 4-byte aligned, but not 8-byte aligned.
------------[ cut here ]------------
kernel BUG at arch/x86/kvm/../../../virt/kvm/eventfd.c:783!
Oops: invalid opcode: 0000 [#1] SMP
CPU: 0 UID: 1000 PID: 615 Comm: repro Not tainted 7.1.0-rc2-ff238429d1ea #365 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:ioeventfd_write+0x6c/0x70 [kvm]
Call Trace:
<TASK>
__kvm_io_bus_write+0x85/0xb0 [kvm]
kvm_io_bus_write+0x53/0x80 [kvm]
vcpu_mmio_write+0x66/0xf0 [kvm]
emulator_read_write_onepage+0x12a/0x540 [kvm]
emulator_read_write+0x109/0x2b0 [kvm]
x86_emulate_insn+0x4f8/0xfb0 [kvm]
x86_emulate_instruction+0x181/0x790 [kvm]
kvm_mmu_page_fault+0x313/0x630 [kvm]
vmx_handle_exit+0x18a/0x590 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xc81/0x1c90 [kvm]
kvm_vcpu_ioctl+0x2d5/0x970 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0xb7/0x890
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f19c931a9bf
</TASK>
Modules linked in: kvm_intel kvm irqbypass
---[ end trace 0000000000000000 ]---
In a perfect world, the fix would be to simply delete the BUG_ON(), as KVM
x86 doesn't perform alignment checks on "normal" memory accesses at CPL0.
Sadly, C99 ruins all the fun; while the x86 architecture plays nice,
dereferencing an unaligned pointer directly is undefined behavior in C,
e.g. triggers splats when running with CONFIG_UBSAN_ALIGNMENT=y.
Fixes: d34e6b175e61 ("KVM: add ioeventfd support")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20260612225241.678509-1-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
virt/kvm/eventfd.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
--- a/virt/kvm/eventfd.c
+++ b/virt/kvm/eventfd.c
@@ -24,6 +24,7 @@
#include <linux/slab.h>
#include <linux/seqlock.h>
#include <linux/irqbypass.h>
+#include <linux/unaligned.h>
#include <trace/events/kvm.h>
#include <kvm/iodev.h>
@@ -779,21 +780,18 @@ ioeventfd_in_range(struct _ioeventfd *p,
return true;
/* otherwise, we have to actually compare the data */
-
- BUG_ON(!IS_ALIGNED((unsigned long)val, len));
-
switch (len) {
case 1:
- _val = *(u8 *)val;
+ _val = get_unaligned((u8 *)val);
break;
case 2:
- _val = *(u16 *)val;
+ _val = get_unaligned((u16 *)val);
break;
case 4:
- _val = *(u32 *)val;
+ _val = get_unaligned((u32 *)val);
break;
case 8:
- _val = *(u64 *)val;
+ _val = get_unaligned((u64 *)val);
break;
default:
return false;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 079/120] crypto: nx - fix nx_crypto_ctx_exit argument
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 078/120] KVM: Replace guest-triggerable BUG_ON() in ioeventfd datamatch with get_unaligned() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 080/120] gfs2: fix use-after-free in gfs2_qd_dealloc Greg Kroah-Hartman
` (46 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Biggers, Breno Leitao,
Calvin Buckley, Brad Spengler, Sam James, Herbert Xu
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam James <sam@gentoo.org>
commit 4e67f504ee9ded15e256b64f4fde150e917381d7 upstream.
nx_crypto_ctx_shash_exit calls nx_crypto_ctx_exit with crypto_shash_ctx(...)
but crypto_shash_ctx gives a nx_crypto_ctx *, not a crypto_tfm *.
Fix the type in nx_crypto_ctx_exit and drop the bogus crypto_tfm_ctx
call.
This fixes the following oops:
BUG: Unable to handle kernel data access at 0xc0403effffffffc8
Faulting instruction address: 0xc000000000396cb4
Oops: Kernel access of bad area, sig: 11 [#15]
Call Trace:
nx_crypto_ctx_shash_exit+0x24/0x60
crypto_shash_exit_tfm+0x28/0x40
crypto_destroy_tfm+0x98/0x140
crypto_exit_ahash_using_shash+0x20/0x40
crypto_destroy_tfm+0x98/0x140
hash_release+0x1c/0x30
alg_sock_destruct+0x38/0x60
__sk_destruct+0x48/0x2b0
af_alg_release+0x58/0xb0
__sock_release+0x68/0x150
sock_close+0x20/0x40
__fput+0x110/0x3a0
sys_close+0x48/0xa0
system_call_exception+0x140/0x2d0
system_call_common+0xf4/0x258
.. which came from hardlink(1) opportunistically using AF_ALG.
The same problem exists with nx_crypto_ctx_skcipher_exit getting a context
it wasn't expecting, but apparently nobody hit that for years.
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: stable@vger.kernel.org
Fixes: bfd9efddf990 ("crypto: nx - convert AES-ECB to skcipher API")
Fixes: 9420e628e7d8 ("crypto: nx - Use API partial block handling")
Acked-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Reported-by: Calvin Buckley <calvin@cmpct.info>
Tested-by: Calvin Buckley <calvin@cmpct.info>
Suggested-by: Brad Spengler <brad.spengler@opensrcsec.com>
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/nx/nx.c | 6 ++----
drivers/crypto/nx/nx.h | 2 +-
2 files changed, 3 insertions(+), 5 deletions(-)
--- a/drivers/crypto/nx/nx.c
+++ b/drivers/crypto/nx/nx.c
@@ -714,15 +714,13 @@ int nx_crypto_ctx_aes_xcbc_init(struct c
/**
* nx_crypto_ctx_exit - destroy a crypto api context
*
- * @tfm: the crypto transform pointer for the context
+ * @nx_ctx: the crypto api context
*
* As crypto API contexts are destroyed, this exit hook is called to free the
* memory associated with it.
*/
-void nx_crypto_ctx_exit(struct crypto_tfm *tfm)
+void nx_crypto_ctx_exit(struct nx_crypto_ctx *nx_ctx)
{
- struct nx_crypto_ctx *nx_ctx = crypto_tfm_ctx(tfm);
-
kfree_sensitive(nx_ctx->kmem);
nx_ctx->csbcpb = NULL;
nx_ctx->csbcpb_aead = NULL;
--- a/drivers/crypto/nx/nx.h
+++ b/drivers/crypto/nx/nx.h
@@ -153,7 +153,7 @@ int nx_crypto_ctx_aes_ctr_init(struct cr
int nx_crypto_ctx_aes_cbc_init(struct crypto_skcipher *tfm);
int nx_crypto_ctx_aes_ecb_init(struct crypto_skcipher *tfm);
int nx_crypto_ctx_sha_init(struct crypto_shash *tfm);
-void nx_crypto_ctx_exit(struct crypto_tfm *tfm);
+void nx_crypto_ctx_exit(struct nx_crypto_ctx *nx_ctx);
void nx_crypto_ctx_skcipher_exit(struct crypto_skcipher *tfm);
void nx_crypto_ctx_aead_exit(struct crypto_aead *tfm);
void nx_crypto_ctx_shash_exit(struct crypto_shash *tfm);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 080/120] gfs2: fix use-after-free in gfs2_qd_dealloc
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 079/120] crypto: nx - fix nx_crypto_ctx_exit argument Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 081/120] pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next() Greg Kroah-Hartman
` (45 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+42a37bf8045847d8f9d2,
Tristan Madani, Andreas Gruenbacher
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tristan Madani <tristan@talencesecurity.com>
commit f9c9ec2c319f843b70ecdf939d48b52d189bc081 upstream.
gfs2_qd_dealloc(), called as an RCU callback from gfs2_qd_dispose(),
accesses the superblock object sdp through qd->qd_sbd after freeing qd.
It does so to decrement sd_quota_count and wake up sd_kill_wait.
However, by the time the RCU callback runs, gfs2_put_super() may have
already freed sdp via free_sbd(). This can happen when
gfs2_quota_cleanup() is called during unmount: it disposes of quota
objects via call_rcu() and then waits on sd_kill_wait with a 60-second
timeout. If the timeout expires, or if gfs2_gl_hash_clear() triggers
additional qd_put() calls that schedule more RCU callbacks after the
wait completes, gfs2_put_super() will proceed to free the superblock
while RCU callbacks referencing it are still pending.
Add an rcu_barrier() before free_sbd() in gfs2_put_super() to ensure
all pending RCU callbacks (including gfs2_qd_dealloc) have completed
before the superblock is freed.
Fixes: a475c5dd16e5 ("gfs2: Free quota data objects synchronously")
Reported-by: syzbot+42a37bf8045847d8f9d2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=42a37bf8045847d8f9d2
Tested-by: syzbot+42a37bf8045847d8f9d2@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/gfs2/super.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/gfs2/super.c
+++ b/fs/gfs2/super.c
@@ -643,6 +643,7 @@ restart:
gfs2_delete_debugfs_file(sdp);
gfs2_sys_fs_del(sdp);
+ rcu_barrier();
free_sbd(sdp);
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 081/120] pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 080/120] gfs2: fix use-after-free in gfs2_qd_dealloc Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 082/120] hdlc_ppp: sync per-proto timers before freeing hdlc state Greg Kroah-Hartman
` (44 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Bartosz Golaszewski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 257595adf9dac15ae1edd9d07753fbc576a7583d upstream.
pwrseq_debugfs_seq_next() declares 'next' with __free(put_device),
which causes put_device() to be called on the returned pointer when
the variable goes out of scope. This results in a use-after-free
since the seq_file framework receives a pointer whose reference has
already been dropped.
Simply removing __free(put_device) would fix the UAF but would leak
the reference acquired by bus_find_next_device(), as stop() only
calls up_read(&pwrseq_sem) and never releases the device reference.
Fix this by making the reference counting consistent across all
seq_file callbacks, matching the standard pattern used by PCI and
SCSI:
- start(): use get_device() so it returns a referenced pointer.
- next(): explicitly put_device(curr) to release the previous
device's reference (no NULL check needed - the seq_file framework
only calls next() while the previous return was non-NULL).
- stop(): put_device(data) to release the last iterated device's
reference, with a NULL guard since stop() may be called with NULL
when start() returned NULL or next() reached end-of-sequence.
Cc: stable@vger.kernel.org
Fixes: 249ebf3f65f8 ("power: sequencing: implement the pwrseq core")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260616151049.1705503-1-vulab@iscas.ac.cn
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/power/sequencing/core.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/drivers/power/sequencing/core.c
+++ b/drivers/power/sequencing/core.c
@@ -989,8 +989,9 @@ static void *pwrseq_debugfs_seq_start(st
ctx.index = *pos;
/*
- * We're holding the lock for the entire printout so no need to fiddle
- * with device reference count.
+ * Hold the lock for the entire printout to prevent device removal.
+ * Reference counts are managed by start()/next()/stop() as required
+ * by the seq_file contract.
*/
down_read(&pwrseq_sem);
@@ -998,7 +999,7 @@ static void *pwrseq_debugfs_seq_start(st
if (!ctx.index)
return NULL;
- return ctx.dev;
+ return get_device(ctx.dev);
}
static void *pwrseq_debugfs_seq_next(struct seq_file *seq, void *data,
@@ -1008,8 +1009,9 @@ static void *pwrseq_debugfs_seq_next(str
++*pos;
- struct device *next __free(put_device) =
- bus_find_next_device(&pwrseq_bus, curr);
+ struct device *next = bus_find_next_device(&pwrseq_bus, curr);
+
+ put_device(curr);
return next;
}
@@ -1058,6 +1060,8 @@ static int pwrseq_debugfs_seq_show(struc
static void pwrseq_debugfs_seq_stop(struct seq_file *seq, void *data)
{
+ if (data)
+ put_device(data);
up_read(&pwrseq_sem);
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 082/120] hdlc_ppp: sync per-proto timers before freeing hdlc state
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 081/120] pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 083/120] blk-cgroup: fix UAF in __blkcg_rstat_flush() Greg Kroah-Hartman
` (43 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fan Wu, Jakub Kicinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fan Wu <fanwu01@zju.edu.cn>
commit c78a4e41ab5ead6193ad8a2dd92e8906bae659fa upstream.
Each PPP control protocol (LCP/IPCP/IPV6CP) embedded in struct ppp
registers a timer via timer_setup(). That struct ppp is the
hdlc->state allocation, which detach_hdlc_protocol() frees with kfree()
in both teardown paths: unregister_hdlc_device() and the re-attach inside
attach_hdlc_protocol().
The ppp proto never registered a .detach callback, so
detach_hdlc_protocol() performs no timer synchronization before the
kfree(). The only cancel, timer_delete(&proto->timer) in ppp_cp_event(),
is partial (it does not wait for a running callback) and only runs on the
->CLOSED transition; ppp_stop()/ppp_close() do not sync either. A
ppp_timer callback already executing (blocked on ppp->lock) survives the
kfree and then dereferences proto->state / ppp->lock in freed memory,
leading to a use-after-free.
Fix this by adding a .detach helper that calls timer_shutdown_sync() on
every per-proto timer. detach_hdlc_protocol() invokes proto->detach(dev)
before kfree(hdlc->state), so timer_shutdown_sync()
now runs on both free paths.
timer_shutdown_sync() is used instead of timer_delete_sync() because the
keepalive path re-arms the timer through add_timer()/mod_timer() and
shutdown blocks any re-activation during teardown.
Initialize the per-protocol timers in ppp_ioctl() when the protocol is
attached, and remove the now-redundant timer_setup() from ppp_start(), so
that the timers are initialized exactly once at attach time and
ppp_timer_release() never operates on uninitialized timer_list
structures. attach_hdlc_protocol() uses kmalloc() (not kzalloc), so
struct ppp's protos[i].timer is uninitialized garbage until the first
timer_setup(); without this init-at-attach, attaching the PPP protocol
without ever bringing the device up would leave timer_shutdown_sync()
operating on uninitialized memory in .detach. Moving the init out of
ppp_start() (which only runs on NETDEV_UP) into the attach path makes the
initialization unconditional and avoids initializing the same timer_list
twice.
This bug was found by static analysis.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
Link: https://patch.msgid.link/20260617020518.116319-1-fanwu01@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wan/hdlc_ppp.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/drivers/net/wan/hdlc_ppp.c
+++ b/drivers/net/wan/hdlc_ppp.c
@@ -619,7 +619,6 @@ static void ppp_start(struct net_device
struct proto *proto = &ppp->protos[i];
proto->dev = dev;
- timer_setup(&proto->timer, ppp_timer, 0);
proto->state = CLOSED;
}
ppp->protos[IDX_LCP].pid = PID_LCP;
@@ -639,6 +638,15 @@ static void ppp_close(struct net_device
ppp_tx_flush();
}
+static void ppp_timer_release(struct net_device *dev)
+{
+ struct ppp *ppp = get_ppp(dev);
+ int i;
+
+ for (i = 0; i < IDX_COUNT; i++)
+ timer_shutdown_sync(&ppp->protos[i].timer);
+}
+
static struct hdlc_proto proto = {
.start = ppp_start,
.stop = ppp_stop,
@@ -647,6 +655,7 @@ static struct hdlc_proto proto = {
.ioctl = ppp_ioctl,
.netif_rx = ppp_rx,
.module = THIS_MODULE,
+ .detach = ppp_timer_release,
};
static const struct header_ops ppp_header_ops = {
@@ -657,7 +666,7 @@ static int ppp_ioctl(struct net_device *
{
hdlc_device *hdlc = dev_to_hdlc(dev);
struct ppp *ppp;
- int result;
+ int i, result;
switch (ifs->type) {
case IF_GET_PROTO:
@@ -685,6 +694,8 @@ static int ppp_ioctl(struct net_device *
return result;
ppp = get_ppp(dev);
+ for (i = 0; i < IDX_COUNT; i++)
+ timer_setup(&ppp->protos[i].timer, ppp_timer, 0);
spin_lock_init(&ppp->lock);
ppp->req_timeout = 2;
ppp->cr_retries = 10;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 083/120] blk-cgroup: fix UAF in __blkcg_rstat_flush()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 082/120] hdlc_ppp: sync per-proto timers before freeing hdlc state Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 084/120] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
` (42 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jay Shin, Tejun Heo, Waiman Long,
coregee2000, Ming Lei, Jose Fernandez (Anthropic), Jens Axboe
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Koutný <mkoutny@suse.com>
commit 0ab5ee5a1badb58cbb2242617cb01a4972b1f2a2 upstream.
When multiple blkgs in the same blkcg are released concurrently,
a use-after-free can occur. The race happens when one blkg's
__blkcg_rstat_flush() removes another blkg's iostat entries via
llist_del_all(). The second blkg sees an empty list and proceeds
to free itself while the first is still iterating over its entries.
Move the flush from __blkg_release() (RCU callback) to blkg_release()
(before call_rcu). This ensures the RCU grace period waits for any
concurrent flush's rcu_read_lock() section to complete before freeing.
Cc: stable@vger.kernel.org
Cc: Jay Shin <jaeshin@redhat.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Waiman Long <longman@redhat.com>
Fixes: 20cb1c2fb756 ("blk-cgroup: Flush stats before releasing blkcg_gq")
Reported-by: coregee2000@gmail.com
Closes: https://lore.kernel.org/linux-block/CAHPqNmwT9oRpem3J3erS_W0uSQND47LGGSBsNxP8E6uSUish1w@mail.gmail.com/
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Tested-by: Jose Fernandez (Anthropic) <jose.fernandez@linux.dev>
Link: https://patch.msgid.link/20260205155425.342084-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-cgroup.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -164,20 +164,10 @@ static void blkg_free(struct blkcg_gq *b
static void __blkg_release(struct rcu_head *rcu)
{
struct blkcg_gq *blkg = container_of(rcu, struct blkcg_gq, rcu_head);
- struct blkcg *blkcg = blkg->blkcg;
- int cpu;
#ifdef CONFIG_BLK_CGROUP_PUNT_BIO
WARN_ON(!bio_list_empty(&blkg->async_bios));
#endif
- /*
- * Flush all the non-empty percpu lockless lists before releasing
- * us, given these stat belongs to us.
- *
- * blkg_stat_lock is for serializing blkg stat update
- */
- for_each_possible_cpu(cpu)
- __blkcg_rstat_flush(blkcg, cpu);
/* release the blkcg and parent blkg refs this blkg has been holding */
css_put(&blkg->blkcg->css);
@@ -195,6 +185,17 @@ static void __blkg_release(struct rcu_he
static void blkg_release(struct percpu_ref *ref)
{
struct blkcg_gq *blkg = container_of(ref, struct blkcg_gq, refcnt);
+ struct blkcg *blkcg = blkg->blkcg;
+ int cpu;
+
+ /*
+ * Flush all the non-empty percpu lockless lists before releasing
+ * us, given these stat belongs to us.
+ *
+ * blkg_stat_lock is for serializing blkg stat update
+ */
+ for_each_possible_cpu(cpu)
+ __blkcg_rstat_flush(blkcg, cpu);
call_rcu(&blkg->rcu_head, __blkg_release);
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 084/120] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 083/120] blk-cgroup: fix UAF in __blkcg_rstat_flush() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 085/120] LoongArch: Report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
` (41 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doruk Tan Ozturk, Alexander Lobakin,
Tung Nguyen, Simon Horman, Jakub Kicinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doruk Tan Ozturk <doruk@0sec.ai>
commit bda3348872a2ef0d19f2df6aa8cb5025adce2f20 upstream.
tipc_aead_decrypt() goes straight from tipc_bearer_hold(b) to
crypto_aead_decrypt(req) without taking a reference on the netns, unlike
the encrypt path. When crypto_aead_decrypt() is offloaded asynchronously
(e.g. the SIMD aead wrapper queuing to cryptd), the cryptd worker runs
tipc_aead_decrypt_done() later. If the bearer's netns is torn down in the
meantime, cleanup_net() -> tipc_exit_net() -> tipc_crypto_stop() frees the
per-netns tipc_crypto, and the completion then reads it:
tipc_aead_decrypt_done() dereferences aead->crypto->stats and
aead->crypto->net, and tipc_crypto_rcv_complete() dereferences
aead->crypto->aead[] and the node table -- reading freed memory.
Decoded KASAN splat (v7.1-rc7, CONFIG_KASAN_INLINE + TIPC + TIPC_CRYPTO):
BUG: KASAN: slab-use-after-free in tipc_aead_decrypt_done (net/tipc/crypto.c:999)
Read of size 8 at addr ffff8881056258a8 by task kworker/u16:2/51
Workqueue: events_unbound
Call Trace:
tipc_aead_decrypt_done (net/tipc/crypto.c:999)
process_one_work (kernel/workqueue.c:3314)
worker_thread (kernel/workqueue.c:3397 kernel/workqueue.c:3478)
kthread (kernel/kthread.c:436)
ret_from_fork (arch/x86/kernel/process.c:158)
ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
Allocated by task 169:
__kasan_kmalloc (mm/kasan/common.c:398 mm/kasan/common.c:415)
tipc_crypto_start (net/tipc/crypto.c:1502)
tipc_init_net (net/tipc/core.c:72)
ops_init (net/core/net_namespace.c:137)
setup_net (net/core/net_namespace.c:446)
copy_net_ns (net/core/net_namespace.c:579)
create_new_namespaces (kernel/nsproxy.c:132)
__x64_sys_unshare (kernel/fork.c:3316)
do_syscall_64 (arch/x86/entry/syscall_64.c:63)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
Freed by task 8:
kfree (mm/slub.c:6566)
tipc_exit_net (net/tipc/core.c:119)
cleanup_net (net/core/net_namespace.c:704)
process_one_work (kernel/workqueue.c:3314)
kthread (kernel/kthread.c:436)
This is the same class of bug that commit e279024617134 ("net/tipc: fix
slab-use-after-free Read in tipc_aead_encrypt_done") fixed for the encrypt
side. The encrypt path takes maybe_get_net(aead->crypto->net) before
crypto_aead_encrypt() and drops it with put_net() on the synchronous
return paths and in tipc_aead_encrypt_done(); the -EINPROGRESS/-EBUSY
return keeps the reference for the async callback to release. The decrypt
path was left without the equivalent guard.
Mirror the encrypt-side fix on the decrypt path: take a net reference
before crypto_aead_decrypt() (failing with -ENODEV and the matching
bearer put if it cannot be acquired), keep it across the
-EINPROGRESS/-EBUSY async return, and drop it with put_net() on the
synchronous success/error return and at the end of
tipc_aead_decrypt_done().
Reproduced under KASAN on v7.1-rc7: a UDP bearer with a cluster key is
flooded with crafted encrypted frames from an unknown peer (driving the
cluster-key decrypt path) while the bearer's netns is repeatedly torn
down. The completion must run asynchronously to outlive
tipc_crypto_stop(); on x86 the stock aesni gcm(aes) now decrypts
synchronously, so the async path was exercised via cryptd offload. The
unguarded aead->crypto dereference in tipc_aead_decrypt_done() is the
unpatched upstream path; tipc_aead_decrypt() still lacks
maybe_get_net(aead->crypto->net), so the completion can outlive the free
on any config where crypto_aead_decrypt() goes async.
Found by 0sec automated security-research tooling (https://0sec.ai).
Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
Cc: stable@vger.kernel.org
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260617075818.37431-1-doruk@0sec.ai
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tipc/crypto.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -941,12 +941,20 @@ static int tipc_aead_decrypt(struct net
goto exit;
}
+ /* Get net to avoid freed tipc_crypto when delete namespace */
+ if (!maybe_get_net(net)) {
+ tipc_bearer_put(b);
+ rc = -ENODEV;
+ goto exit;
+ }
+
/* Now, do decrypt */
rc = crypto_aead_decrypt(req);
if (rc == -EINPROGRESS || rc == -EBUSY)
return rc;
tipc_bearer_put(b);
+ put_net(net);
exit:
kfree(ctx);
@@ -984,6 +992,7 @@ static void tipc_aead_decrypt_done(void
}
tipc_bearer_put(b);
+ put_net(net);
}
static inline int tipc_ehdr_size(struct tipc_ehdr *ehdr)
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 085/120] LoongArch: Report dying CPU to RCU in stop_this_cpu()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 084/120] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 086/120] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
` (40 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guo Ren, Huacai Chen
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit f2539c56c74691e7a88af6372ba2b48c06ed2fe4 upstream.
This is a port of MIPS commit 9f3f3bdc6d9dac1 ("MIPS: smp: report dying
CPU to RCU in stop_this_cpu()"). smp_send_stop() parks all secondary
CPUs in stop_this_cpu(). And the function marks the CPU offline for the
scheduler via set_cpu_online(false) but never informs RCU, so RCU keeps
expecting a quiescent state from CPUs that are now spinning forever with
interrupts disabled.
As long as nothing waits for an RCU grace period after smp_send_stop()
this is harmless, which is why it went unnoticed. However, since commit
91840be8f710370 ("irq_work: Fix use-after-free in irq_work_single() on
PREEMPT_RT"), irq_work_sync() calls synchronize_rcu() on architectures
without an irq_work self-IPI, i.e. where arch_irq_work_has_interrupt()
returns false. Any irq_work_sync() issued in the reboot/shutdown/halt
path after smp_send_stop() then blocks on a grace period that can never
complete, hanging the reboot:
WARNING: CPU: 0 PID: 15 at kernel/irq_work.c:144 irq_work_queue_on
...
rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
rcu: Offline CPU 1 blocking current GP.
rcu: Offline CPU 2 blocking current GP.
rcu: Offline CPU 3 blocking current GP.
This issue needs some hacks to reproduce, and it was not noticed on
LoongArch because arch_irq_work_has_interrupt() usually returns true.
Call rcutree_report_cpu_dead() once interrupts are disabled, mirroring
the generic CPU-hotplug offline path, so RCU stops waiting on the parked
CPUs and grace periods can still complete. LoongArch shuts down all CPUs
here without going through the CPU-hotplug mechanism, so this report is
not otherwise issued.
Cc: <stable@vger.kernel.org>
Fixes: 91840be8f710 ("irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT")
Reviewed-by: Guo Ren <guoren@kernel.org>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/smp.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/loongarch/kernel/smp.c
+++ b/arch/loongarch/kernel/smp.c
@@ -705,6 +705,7 @@ static void stop_this_cpu(void *dummy)
set_cpu_online(smp_processor_id(), false);
calculate_cpu_foreign_map();
local_irq_disable();
+ rcutree_report_cpu_dead();
while (true);
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 086/120] pNFS: Fix use-after-free in pnfs_update_layout()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 085/120] LoongArch: Report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 087/120] sched/mmcid: Fix OOB clear_bit when CID is MM_CID_UNSET in fixup path Greg Kroah-Hartman
` (39 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Anna Schumaker
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 13e198a90ca4050f4bee8a3f23680389a6563ccc upstream.
When hitting the NFS_LAYOUT_RETURN branch in pnfs_update_layout(),
the code calls pnfs_prepare_to_retry_layoutget(lo). If it succeeds,
pnfs_put_layout_hdr(lo) is called before trace_pnfs_update_layout(),
which still references 'lo'. This results in a use-after-free when the
tracepoint accesses lo's fields.
Fix this by moving the tracepoint call before pnfs_put_layout_hdr(lo).
Fixes: 2c8d5fc37fe2 ("pNFS: Stricter ordering of layoutget and layoutreturn")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/pnfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -2229,11 +2229,11 @@ lookup_again:
dprintk("%s wait for layoutreturn\n", __func__);
lseg = ERR_PTR(pnfs_prepare_to_retry_layoutget(lo));
if (!IS_ERR(lseg)) {
- pnfs_put_layout_hdr(lo);
dprintk("%s retrying\n", __func__);
trace_pnfs_update_layout(ino, pos, count, iomode, lo,
lseg,
PNFS_UPDATE_LAYOUT_RETRY);
+ pnfs_put_layout_hdr(lo);
goto lookup_again;
}
trace_pnfs_update_layout(ino, pos, count, iomode, lo, lseg,
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 087/120] sched/mmcid: Fix OOB clear_bit when CID is MM_CID_UNSET in fixup path
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 086/120] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 088/120] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove Greg Kroah-Hartman
` (38 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rik van Riel, Thomas Gleixner,
Mathieu Desnoyers
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rik van Riel <riel@surriel.com>
commit de3ab9bd3133899efb92e4cd05ba4203e58fc0a3 upstream.
In mm_cid_fixup_cpus_to_tasks(), when rq->curr has the target mm and
mm_cid.active is set, the CID is checked with cid_in_transit() before
setting the transition bit. In per-CPU mode a newly forked or exec'd
task can be running with mm_cid.cid == MM_CID_UNSET because CIDs are
assigned lazily on schedule-in. With cid_in_transit() the guard passes
for MM_CID_UNSET (no transit bit), converts it to MM_CID_UNSET |
MM_CID_TRANSIT and stores it back; later mm_cid_schedout() feeds this
to clear_bit() with MM_CID_UNSET as the bit number, triggering an
out-of-bounds write.
Symptoms: this is genuine memory corruption, but a bounded out-of-bounds
write, not an arbitrary one. MM_CID_UNSET is the fixed sentinel BIT(31),
so once the bad value reaches mm_cid_schedout() the cid_from_transit_cid()
strip leaves MM_CID_UNSET, which fails the "cid < max_cids" convergence
test and falls into mm_drop_cid() -> clear_bit(MM_CID_UNSET,
mm_cidmask(mm)). The cid bitmap is embedded in the mm_struct slab object
(after cpu_bitmap and mm_cpus_allowed) and is only num_possible_cpus()
bits wide, so clearing bit 31 is a deterministic OOB bit-clear at a
fixed offset of 2^31 / 8 == 256 MiB past the bitmap base. The address is
not attacker-influenced (fixed sentinel -> fixed offset) and the op only
clears a single bit; what sits 256 MiB further along the direct map is
whatever kernel object happens to live there, so this corrupts one bit of
unpredictable kernel memory -- it is not an arbitrary-address or
arbitrary-value write.
It triggers only in per-CPU CID mode, when a CPU is running an active
task of the target mm whose cid is still MM_CID_UNSET -- the
fork()/execve() window before that task's next schedule-in assigns it a
real CID -- and a per-CPU -> per-task fixup walks over it (the mode
fallback driven by a thread exit, sched_mm_cid_exit(), or by the deferred
max_cids recompute in mm_cid_work_fn()).
In practice syzkaller surfaced it as a KASAN use-after-free reported in
__schedule -> mm_cid_switch_to, where the offending clear_bit() is inlined
via mm_cid_schedout() -> mm_drop_cid().
Guard the transition-bit assignment against MM_CID_UNSET, in addition to
the existing cid_in_transit() check, so the bit is only set on a genuine
task-owned CID. A CPU-owned (MM_CID_ONCPU) CID of a running active task
is handled by the cid_on_cpu(pcp->cid) branch above and never reaches
this path, so excluding MM_CID_UNSET (and the already-transitioning case)
is sufficient.
Fixes: fbd0e71dc370 ("sched/mmcid: Provide CID ownership mode fixup functions")
Signed-off-by: Rik van Riel <riel@surriel.com>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Assisted-by: Claude:claude-opus-4-8 syzkaller
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260616203818.1516263-1-riel@surriel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/core.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -10880,8 +10880,19 @@ static void mm_cid_fixup_cpus_to_tasks(s
} else if (rq->curr->mm == mm && rq->curr->mm_cid.active) {
unsigned int cid = rq->curr->mm_cid.cid;
- /* Ensure it has the transition bit set */
- if (!cid_in_transit(cid)) {
+ /*
+ * Set the transition bit only on a genuine task-owned
+ * CID. A running active task can legitimately have
+ * MM_CID_UNSET here: in per-CPU mode CIDs are assigned
+ * lazily on schedule-in, so the fork()/execve() window
+ * leaves the task active with no owned CID. Setting the
+ * transition bit on MM_CID_UNSET would later feed
+ * clear_bit() an out-of-bounds bit number via
+ * mm_cid_schedout(), so exclude it. A CPU-owned
+ * (MM_CID_ONCPU) CID is handled by the cid_on_cpu()
+ * branch above and never reaches here.
+ */
+ if (cid != MM_CID_UNSET && !cid_in_transit(cid)) {
cid = cid_to_transit_cid(cid);
rq->curr->mm_cid.cid = cid;
pcp->cid = cid;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 088/120] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 087/120] sched/mmcid: Fix OOB clear_bit when CID is MM_CID_UNSET in fixup path Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 089/120] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
` (37 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qingshuang Fu, Thomas Gleixner
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qingshuang Fu <fuqingshuang@kylinos.cn>
commit 37738fdf2ab1e504d1c63ce5bc0aeb6452d8f057 upstream.
The driver allocates domain generic chips using
irq_alloc_domain_generic_chips() during probe and sets up chained
handlers using irq_set_chained_handler_and_data(). However, on driver
removal, the generic chips are not freed and the chained handlers are
not removed.
The generic chips remain on the global gc_list and may later be accessed by
generic interrupt chip suspend, resume, or shutdown callbacks after the
driver has been removed, potentially resulting in a use-after-free and
kernel crash.
The chained handlers that were installed in probe for peripheral and
syswake interrupts are also left dangling, which can lead to spurious
interrupts accessing freed memory.
Fix these issues by:
- Setting IRQ_DOMAIN_FLAG_DESTROY_GC flag in domain->flags, so the
core code automatically removes generic chips when irq_domain_remove()
is called
- Clearing all chained handlers with NULL in pdc_intc_remove()
Fixes: b6ef9161e43a ("irq-imgpdc: add ImgTec PDC irqchip driver")
Signed-off-by: Qingshuang Fu <fuqingshuang@kylinos.cn>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260618021352.661773-1-fffsqian@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/irqchip/irq-imgpdc.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/irqchip/irq-imgpdc.c
+++ b/drivers/irqchip/irq-imgpdc.c
@@ -378,6 +378,7 @@ static int pdc_intc_probe(struct platfor
dev_err(&pdev->dev, "cannot add IRQ domain\n");
return -ENOMEM;
}
+ priv->domain->flags |= IRQ_DOMAIN_FLAG_DESTROY_GC;
/*
* Set up 2 generic irq chips with 2 chip types.
@@ -465,6 +466,11 @@ static void pdc_intc_remove(struct platf
{
struct pdc_intc_priv *priv = platform_get_drvdata(pdev);
+ for (unsigned int i = 0; i < priv->nr_perips; ++i)
+ irq_set_chained_handler_and_data(priv->perip_irqs[i], NULL, NULL);
+
+ irq_set_chained_handler_and_data(priv->syswake_irq, NULL, NULL);
+
irq_domain_remove(priv->domain);
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 089/120] fpga: region: fix use-after-free in child_regions_with_firmware()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 088/120] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 090/120] rpmsg: char: Fix use-after-free on probe error path Greg Kroah-Hartman
` (36 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Xu Yilun, Xu Yilun
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 54f3c5643ec523a04b6ec0e7c19eb10f5ebebdd3 upstream.
Move of_node_put(child_region) after the error print to avoid accessing
freed memory when pr_err() references child_region.
Fixes: 0fa20cdfcc1f ("fpga: fpga-region: device tree control for FPGA")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
[ Yilun: Fix the Fixes tag ]
Reviewed-by: Xu Yilun <yilun.xu@intel.com>
Link: https://lore.kernel.org/r/20260408154534.404327-1-vulab@iscas.ac.cn
Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/fpga/of-fpga-region.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/fpga/of-fpga-region.c
+++ b/drivers/fpga/of-fpga-region.c
@@ -168,11 +168,10 @@ static int child_regions_with_firmware(s
fpga_region_of_match);
}
- of_node_put(child_region);
-
if (ret)
pr_err("firmware-name not allowed in child FPGA region: %pOF",
child_region);
+ of_node_put(child_region);
return ret;
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 090/120] rpmsg: char: Fix use-after-free on probe error path
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 089/120] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 091/120] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
` (35 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuho Choi, Mathieu Poirier
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuho Choi <dbgh9129@gmail.com>
commit 1ff3f528e67d20e2b1483dcaba899dc7832b2e6b upstream.
rpmsg_chrdev_probe() stores the newly allocated eptdev in the default
endpoint's priv pointer before calling rpmsg_chrdev_eptdev_add(). If
rpmsg_chrdev_eptdev_add() then fails, its error path frees eptdev while
the default endpoint may still dispatch callbacks with the stale priv
pointer.
Avoid publishing eptdev through the default endpoint until
rpmsg_chrdev_eptdev_add() succeeds. Messages received before the priv
pointer is published should be ignored by rpmsg_ept_cb(). Flow-control
updates can hit rpmsg_ept_flow_cb() in the same window, so make both
callbacks return success when priv is NULL.
Fixes: bc69d1066569 ("rpmsg: char: Introduce the "rpmsg-raw" channel")
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20260601183247.1962010-1-dbgh9129@gmail.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rpmsg/rpmsg_char.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c
@@ -104,6 +104,9 @@ static int rpmsg_ept_cb(struct rpmsg_dev
struct rpmsg_eptdev *eptdev = priv;
struct sk_buff *skb;
+ if (!eptdev)
+ return 0;
+
skb = alloc_skb(len, GFP_ATOMIC);
if (!skb)
return -ENOMEM;
@@ -124,6 +127,9 @@ static int rpmsg_ept_flow_cb(struct rpms
{
struct rpmsg_eptdev *eptdev = priv;
+ if (!eptdev)
+ return 0;
+
eptdev->remote_flow_restricted = enable;
eptdev->remote_flow_updated = true;
@@ -490,6 +496,7 @@ static int rpmsg_chrdev_probe(struct rpm
struct rpmsg_channel_info chinfo;
struct rpmsg_eptdev *eptdev;
struct device *dev = &rpdev->dev;
+ int ret;
memcpy(chinfo.name, rpdev->id.name, RPMSG_NAME_SIZE);
chinfo.src = rpdev->src;
@@ -502,13 +509,17 @@ static int rpmsg_chrdev_probe(struct rpm
/* Set the default_ept to the rpmsg device endpoint */
eptdev->default_ept = rpdev->ept;
+ ret = rpmsg_chrdev_eptdev_add(eptdev, chinfo);
+
+ if (ret)
+ return ret;
/*
* The rpmsg_ept_cb uses *priv parameter to get its rpmsg_eptdev context.
- * Storedit in default_ept *priv field.
+ * Stored it in default_ept *priv field.
*/
eptdev->default_ept->priv = eptdev;
- return rpmsg_chrdev_eptdev_add(eptdev, chinfo);
+ return 0;
}
static void rpmsg_chrdev_remove(struct rpmsg_device *rpdev)
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 091/120] ocfs2: reject oversized group bitmap descriptors
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 090/120] rpmsg: char: Fix use-after-free on probe error path Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 092/120] 9p: avoid putting oldfid in p9_client_walk() error path Greg Kroah-Hartman
` (34 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Cen, Joseph Qi, Mark Fasheh,
Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao, Heming Zhao,
Andrew Morton
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Cen <rollkingzzc@gmail.com>
commit 9bd541e09dffff27e5bec0f9f45b0228173a5375 upstream.
ocfs2_validate_gd_parent() only bounds bg_bits against the parent
allocator's chain geometry. A malicious descriptor can still claim a
bg_size/bg_bits pair that exceeds the bitmap bytes that physically fit in
the group descriptor block, so later bitmap scans and bit updates can run
past bg_bitmap.
Add a physical-cap check based on ocfs2_group_bitmap_size() for the parent
allocator type and reject descriptors whose bg_size or bg_bits exceed that
capacity. Keep the existing chain geometry check so both the on-disk
bitmap layout and the allocator metadata must agree before the descriptor
is used.
Validation reproduced this kernel report:
KASAN use-after-free in _find_next_bit+0x7f/0xc0
Read of size 8
Call trace:
dump_stack_lvl+0x66/0xa0 (?:?)
print_report+0xd0/0x630 (?:?)
_find_next_bit+0x7f/0xc0 (?:?)
srso_alias_return_thunk+0x5/0xfbef5 (?:?)
__virt_addr_valid+0x188/0x2f0 (?:?)
kasan_report+0xe4/0x120 (?:?)
ocfs2_find_max_contig_free_bits+0x35/0x70 (fs/ocfs2/suballoc.c:1375)
ocfs2_block_group_set_bits+0x472/0x4b0 (fs/ocfs2/suballoc.c:1457)
ocfs2_cluster_group_search+0x16b/0x440 (fs/ocfs2/suballoc.c:86)
ocfs2_bg_discontig_fix_result+0x1ef/0x230 (fs/ocfs2/suballoc.c:1786)
ocfs2_search_chain+0x8f8/0x10a0 (fs/ocfs2/suballoc.c:1886)
get_page_from_freelist+0x70e/0x2370 (?:?)
lock_release+0xc6/0x290 (?:?)
do_raw_spin_unlock+0x9a/0x100 (?:?)
kasan_unpoison+0x27/0x60 (?:?)
__bfs+0x147/0x240 (?:?)
get_page_from_freelist+0x83d/0x2370 (?:?)
ocfs2_claim_suballoc_bits+0x38c/0xe70 (fs/ocfs2/suballoc.c:96)
sched_domains_numa_masks_clear+0x70/0xd0 (?:?)
check_irq_usage+0xe8/0xb70 (?:?)
__ocfs2_claim_clusters+0x18d/0x4c0 (fs/ocfs2/suballoc.c:2497)
check_path+0x24/0x50 (?:?)
rcu_is_watching+0x20/0x50 (?:?)
check_prev_add+0xfd/0xd00 (?:?)
ocfs2_add_clusters_in_btree+0x17d/0x810 (fs/ocfs2/suballoc.c:?)
__folio_batch_add_and_move+0x1f5/0x3d0 (?:?)
ocfs2_add_inode_data+0xd9/0x120 (fs/ocfs2/suballoc.c:?)
filemap_add_folio+0x105/0x1f0 (?:?)
ocfs2_write_begin_nolock+0x29f7/0x2f80 (fs/ocfs2/suballoc.c:3043)
ocfs2_read_inode_block+0xb5/0x110 (fs/ocfs2/suballoc.c:?)
down_write+0xf5/0x180 (?:?)
ocfs2_write_begin+0x180/0x240 (fs/ocfs2/suballoc.c:?)
__mark_inode_dirty+0x758/0x9a0 (?:?)
inode_to_bdi+0x41/0x90 (?:?)
balance_dirty_pages_ratelimited_flags+0xf8/0x1d0 (?:?)
generic_perform_write+0x252/0x440 (?:?)
mnt_put_write_access_file+0x16/0x70 (?:?)
file_update_time_flags+0xe4/0x200 (?:?)
ocfs2_file_write_iter+0x80a/0x1320 (fs/ocfs2/suballoc.c:?)
lock_acquire+0x184/0x2f0 (?:?)
ksys_write+0xd2/0x170 (?:?)
apparmor_file_permission+0xf5/0x310 (?:?)
read_zero+0x8d/0x140 (?:?)
lock_is_held_type+0x8f/0x100 (?:?)
Link: https://lore.kernel.org/20260524111248.1429884-1-rollkingzzc@gmail.com
Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/suballoc.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -231,8 +231,16 @@ static int ocfs2_validate_gd_parent(stru
int resize)
{
unsigned int max_bits;
+ unsigned int max_bitmap_bits;
+ unsigned int max_bitmap_size;
+ int suballocator;
struct ocfs2_group_desc *gd = (struct ocfs2_group_desc *)bh->b_data;
+ suballocator = le64_to_cpu(di->i_blkno) != OCFS2_SB(sb)->bitmap_blkno;
+ max_bitmap_size = ocfs2_group_bitmap_size(sb, suballocator,
+ OCFS2_SB(sb)->s_feature_incompat);
+ max_bitmap_bits = max_bitmap_size * 8;
+
if (di->i_blkno != gd->bg_parent_dinode) {
do_error("Group descriptor #%llu has bad parent pointer (%llu, expected %llu)\n",
(unsigned long long)bh->b_blocknr,
@@ -240,6 +248,20 @@ static int ocfs2_validate_gd_parent(stru
(unsigned long long)le64_to_cpu(di->i_blkno));
}
+ if (le16_to_cpu(gd->bg_size) > max_bitmap_size) {
+ do_error("Group descriptor #%llu has bitmap size %u but physical max of %u\n",
+ (unsigned long long)bh->b_blocknr,
+ le16_to_cpu(gd->bg_size),
+ max_bitmap_size);
+ }
+
+ if (le16_to_cpu(gd->bg_bits) > max_bitmap_bits) {
+ do_error("Group descriptor #%llu has bit count %u but physical max of %u\n",
+ (unsigned long long)bh->b_blocknr,
+ le16_to_cpu(gd->bg_bits),
+ max_bitmap_bits);
+ }
+
max_bits = le16_to_cpu(di->id2.i_chain.cl_cpg) * le16_to_cpu(di->id2.i_chain.cl_bpc);
if (le16_to_cpu(gd->bg_bits) > max_bits) {
do_error("Group descriptor #%llu has bit count of %u\n",
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 092/120] 9p: avoid putting oldfid in p9_client_walk() error path
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 091/120] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 093/120] MIPS: smp: report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
` (33 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuxiang Yang, Ao Wang, Xuewei Feng,
Qi Li, Ke Xu, Yizhou Zhao, Dominique Martinet
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
commit 1a3860d46e3eb47dbd60339783cdad7904486b9f upstream.
When p9_client_walk() is called with clone set to false, fid aliases
oldfid. If the walk subsequently fails after the request has been sent,
the error path jumps to clunk_fid, which currently calls p9_fid_put(fid)
unconditionally.
This drops a reference to oldfid even though ownership of oldfid remains
with the caller. If this is the last reference, oldfid can be clunked and
destroyed while the caller still expects it to be valid. A later use or
put of oldfid can then trigger a use-after-free or refcount underflow.
Fix this by only putting fid in the clunk_fid error path when it does not
alias oldfid, matching the existing guard in the error path below.
This can be triggered when a multi-component walk is split into multiple
p9_client_walk() calls and a later non-cloning walk fails. A reproducer
and refcount warning logs are available on request.
Fixes: b48dbb998d70 ("9p fid refcount: add p9_fid_get/put wrappers")
Cc: stable@vger.kernel.org
Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
Reported-by: Ao Wang <wangao@seu.edu.cn>
Reported-by: Xuewei Feng <fengxw06@126.com>
Reported-by: Qi Li <qli01@tsinghua.edu.cn>
Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
Assisted-by: GLM 5.1
Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Message-ID: <20260528053918.53550-1-zhaoyz24@mails.tsinghua.edu.cn>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/9p/client.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -1092,7 +1092,8 @@ struct p9_fid *p9_client_walk(struct p9_
clunk_fid:
kfree(wqids);
- p9_fid_put(fid);
+ if (fid != oldfid)
+ p9_fid_put(fid);
fid = NULL;
error:
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 093/120] MIPS: smp: report dying CPU to RCU in stop_this_cpu()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 092/120] 9p: avoid putting oldfid in p9_client_walk() error path Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 094/120] KVM: x86: hyper-v: Bound the bank index when querying sparse banks Greg Kroah-Hartman
` (32 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jonas Jelonek, Thomas Bogendoerfer
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Jelonek <jelonek.jonas@gmail.com>
commit 9f3f3bdc6d9dac1a5a8262ee7ad0f2ff1527a7e7 upstream.
smp_send_stop() parks all secondary CPUs in stop_this_cpu(). The function
marks the CPU offline for the scheduler via set_cpu_online(false) but
never informs RCU, so RCU keeps expecting a quiescent state from CPUs
that are now spinning forever with interrupts disabled.
As long as nothing waits for an RCU grace period after smp_send_stop()
this is harmless, which is why it went unnoticed. Since commit
91840be8f710 ("irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT")
however, irq_work_sync() calls synchronize_rcu() on architectures without
an irq_work self-IPI, i.e. where arch_irq_work_has_interrupt() returns
false. That is the asm-generic default used by MIPS. Any irq_work_sync()
issued in the reboot/shutdown path after smp_send_stop() then blocks on
a grace period that can never complete, hanging the reboot:
WARNING: CPU: 0 PID: 15 at kernel/irq_work.c:144 irq_work_queue_on
...
rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
rcu: Offline CPU 1 blocking current GP.
rcu: Offline CPU 2 blocking current GP.
rcu: Offline CPU 3 blocking current GP.
This issue was noticed on several Realtek MIPS switch SoCs (MIPS
interAptiv) and came up during kernel bump downstream in OpenWrt from
6.18.33 to 6.18.34, after the backport of the patch to the 6.18 stable
branch. The patch also has been backported all the way back to 6.1.
Call rcutree_report_cpu_dead() once interrupts are disabled, mirroring the
generic CPU-hotplug offline path, so RCU stops waiting on the parked CPUs
and grace periods can still complete. MIPS shuts down all CPUs here
without going through the CPU-hotplug mechanism, so this report is not
otherwise issued. Reporting a dying CPU to RCU outside the regular hotplug
offline path is not unprecedented: arm64 does the same in cpu_die_early().
There it is an exception for a CPU that was coming online and is aborting
bringup, rather than the default shutdown action as on MIPS.
Fixes: 91840be8f710 ("irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT")
CC: stable@vger.kernel.org
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/mips/kernel/smp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/mips/kernel/smp.c
+++ b/arch/mips/kernel/smp.c
@@ -20,6 +20,7 @@
#include <linux/sched/mm.h>
#include <linux/cpumask.h>
#include <linux/cpu.h>
+#include <linux/rcupdate.h>
#include <linux/err.h>
#include <linux/ftrace.h>
#include <linux/irqdomain.h>
@@ -422,6 +423,7 @@ static void stop_this_cpu(void *dummy)
set_cpu_online(smp_processor_id(), false);
calculate_cpu_foreign_map();
local_irq_disable();
+ rcutree_report_cpu_dead();
while (1);
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 094/120] KVM: x86: hyper-v: Bound the bank index when querying sparse banks
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 093/120] MIPS: smp: report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 095/120] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
` (31 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Vitaly Kuznetsov,
Sean Christopherson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunwoo Kim <imv4bel@gmail.com>
commit 4721f8160f17554b003e8928bb61e6c9b2fe92a3 upstream.
When checking if a VP ID is included in a sparse bank set, explicitly check
that the ID can actually be contained in a sparse bank (the TLFS allows for
a maximum of 64 banks of 64 vCPUs each). When handling a paravirtual TLB
flush for L2, the VP ID is copied verbatim from the enlightened VMCS,
without any bounds check, i.e. isn't guaranteed to be under the limit of
4096.
Failure to check the bounds of the VP ID leads to an out-of-bounds read
when testing the sparse bank, and super strictly speaking could lead to KVM
performing an unnecessary TLB flush for an L2 vCPU.
==================================================================
BUG: KASAN: use-after-free in hv_is_vp_in_sparse_set+0x85/0x100 [kvm]
Read of size 8 at addr ffff88811ba5f598 by task hyperv_evmcs/2802
CPU: 12 UID: 1000 PID: 2802 Comm: hyperv_evmcs Not tainted 7.1.0-rc2 #7 PREEMPT
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x60
print_report+0xcb/0x5d0
kasan_report+0xb4/0xe0
kasan_check_range+0x35/0x1b0
hv_is_vp_in_sparse_set+0x85/0x100 [kvm]
kvm_hv_flush_tlb+0xe9e/0x16c0 [kvm]
kvm_hv_hypercall+0xe6b/0x1e60 [kvm]
vmx_handle_exit+0x485/0x1b60 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0x22e3/0x5070 [kvm]
kvm_vcpu_ioctl+0x5d0/0x10c0 [kvm]
__x64_sys_ioctl+0x129/0x1a0
do_syscall_64+0xb9/0xcf0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f0e62d1a9bf
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffffffffffffffff pfn:0x11ba5f
flags: 0x4000000000000000(zone=1)
raw: 4000000000000000 0000000000000000 00000000ffffffff 0000000000000000
raw: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88811ba5f480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88811ba5f500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88811ba5f580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88811ba5f600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88811ba5f680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Disabling lock debugging due to kernel taint
Opportunistically add a compile time assertion to ensure the maximum number
of sparse banks exactly matches the number of possible bits in the passed
in mask.
Cc: stable@vger.kernel.org
Fixes: c58a318f6090 ("KVM: x86: hyper-v: L2 TLB flush")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Link: https://patch.msgid.link/aiQyZIJtO-2Aj_xN@v4bel
[sean: add KASAN splat, drop comment, add assert, massage changelog]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/hyperv.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/arch/x86/kvm/hyperv.c
+++ b/arch/x86/kvm/hyperv.c
@@ -1839,6 +1839,11 @@ static bool hv_is_vp_in_sparse_set(u32 v
int valid_bit_nr = vp_id / HV_VCPUS_PER_SPARSE_BANK;
unsigned long sbank;
+ BUILD_BUG_ON(BITS_PER_TYPE(valid_bank_mask) != HV_MAX_SPARSE_VCPU_BANKS);
+
+ if (valid_bit_nr >= HV_MAX_SPARSE_VCPU_BANKS)
+ return false;
+
if (!test_bit(valid_bit_nr, (unsigned long *)&valid_bank_mask))
return false;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 095/120] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 094/120] KVM: x86: hyper-v: Bound the bank index when querying sparse banks Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 096/120] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init() Greg Kroah-Hartman
` (30 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ashutosh Desai, Sean Christopherson
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ashutosh Desai <ashutoshdesai993@gmail.com>
commit 78ee2d50185a037b3d2452a97f3dad69c3f7f389 upstream.
In sev_dbg_crypt(), the per-iteration transfer length is bounded by
the source page offset (PAGE_SIZE - s_off) but not by the destination
page offset (PAGE_SIZE - d_off). When d_off > s_off, the encrypt
path (__sev_dbg_encrypt_user) performs a read-modify-write using a
single-page intermediate buffer (dst_tpage):
1. __sev_dbg_decrypt() expands the size to round_up(len + (d_off & 15), 16)
before issuing the PSP command. If len + (d_off & 15) > PAGE_SIZE,
the PSP writes beyond the end of the 4096-byte dst_tpage allocation.
2. The subsequent memcpy()/copy_from_user() into
page_address(dst_tpage) + (d_off & 15) of 'len' bytes overflows
by up to 15 bytes under the same condition.
Trigger example: s_off = 0, d_off = 1, debug.len = PAGE_SIZE -
the PSP is instructed to write round_up(4097, 16) = 4112 bytes to
a 4096-byte buffer.
Fix by also bounding len by (PAGE_SIZE - d_off), the same check that
sev_send_update_data() already performs for its single-page guest
region.
==================================================================
BUG: KASAN: slab-use-after-free in sev_dbg_crypt+0x993/0xd10 [kvm_amd]
Write of size 4095 at addr ff110062293bb009 by task sev_dbg_test/228214
CPU: 96 UID: 0 PID: 228214 Comm: sev_dbg_test Tainted: G U W 7.0.0-smp--5ce9b0c48211-dbg #156 PREEMPTLAZY
Tainted: [U]=USER, [W]=WARN
Hardware name: Google Astoria/astoria, BIOS 0.20250817.1-0 08/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0x54/0x70
print_report+0xbc/0x260
kasan_report+0xa2/0xd0
kasan_check_range+0x25f/0x2c0
__asan_memcpy+0x40/0x70
sev_dbg_crypt+0x993/0xd10 [kvm_amd]
sev_mem_enc_ioctl+0x33c/0x450 [kvm_amd]
kvm_vm_ioctl+0x65d/0x6d0 [kvm]
__se_sys_ioctl+0xb2/0x100
do_syscall_64+0xe8/0x870
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7fe72b6a0 pfn:0x62293bb
memcg:ff11000112827d82
flags: 0x1400000000000000(node=1|zone=1)
raw: 1400000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 00000007fe72b6a0 0000000000000000 00000001ffffffff ff11000112827d82
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ff110062293bbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ff110062293bbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ff110062293bc000: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ff110062293bc080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ff110062293bc100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
Disabling lock debugging due to kernel taint
Fixes: 24f41fb23a39 ("KVM: SVM: Add support for SEV DEBUG_DECRYPT command")
Fixes: 7d1594f5d94b ("KVM: SVM: Add support for SEV DEBUG_ENCRYPT command")
Cc: stable@vger.kernel.org
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
[sean: add sample KASAN splat, Fixes, and stable@]
Link: https://patch.msgid.link/20260501203537.2120074-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/sev.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -1396,6 +1396,7 @@ static int sev_dbg_crypt(struct kvm *kvm
s_off = vaddr & ~PAGE_MASK;
d_off = dst_vaddr & ~PAGE_MASK;
len = min_t(size_t, (PAGE_SIZE - s_off), size);
+ len = min_t(size_t, len, PAGE_SIZE - d_off);
if (dec)
ret = __sev_dbg_decrypt_user(kvm,
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 096/120] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 095/120] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 097/120] riscv: kfence: Call mark_new_valid_map() for kfence_unprotect() Greg Kroah-Hartman
` (29 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Sebastian Reichel
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 8eec545cde69e46e9a1d2b7d915ce4f5df85b3bd upstream.
Move of_node_put(dn) after the of_match_node() call, which still needs
the node pointer. The node reference is correctly released after use.
Fixes: e2f471efe1d6 ("power: reset: linkstation-poweroff: prepare for new devices")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20260407073025.271865-1-vulab@iscas.ac.cn
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/power/reset/linkstation-poweroff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/power/reset/linkstation-poweroff.c
+++ b/drivers/power/reset/linkstation-poweroff.c
@@ -163,10 +163,10 @@ static int __init linkstation_poweroff_i
dn = of_find_matching_node(NULL, ls_poweroff_of_match);
if (!dn)
return -ENODEV;
- of_node_put(dn);
match = of_match_node(ls_poweroff_of_match, dn);
cfg = match->data;
+ of_node_put(dn);
dn = of_find_node_by_name(NULL, cfg->mdio_node_name);
if (!dn)
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 097/120] riscv: kfence: Call mark_new_valid_map() for kfence_unprotect()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 096/120] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-03 5:05 ` Vivian Wang
2026-07-02 16:21 ` [PATCH 7.1 098/120] ntfs: serialize volume label accesses Greg Kroah-Hartman
` (28 subsequent siblings)
125 siblings, 1 reply; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yanko Kaneti, Vivian Wang,
Paul Walmsley
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vivian Wang <wangruikang@iscas.ac.cn>
commit 8d6c8c40e733b3fcaf92fed0a078bba2f6941a3b upstream.
In kfence_protect_page(), which kfence_unprotect() calls, we cannot send
IPIs to other CPUs to ask them to flush TLB. This may lead to those CPUs
spuriously faulting on a recently allocated kfence object despite it
being valid, leading to false positive use-after-free reports.
Fix this by calling mark_new_valid_map() so that the page fault handling
code path notices the spurious fault and flushes TLB then retries the
access.
Update the comment in handle_exception to indicate that
new_valid_map_cpus_check also handles kfence_unprotect() spurious
faults.
Note that kfence_protect() has the same stale TLB entries problem, but
that leads to false negatives, which is fine with kfence.
Cc: stable@vger.kernel.org
Reported-by: Yanko Kaneti <yaneti@declera.com>
Fixes: b3431a8bb336 ("riscv: Fix IPIs usage in kfence_protect_page()")
Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
Link: https://patch.msgid.link/20260303-handle-kfence-protect-spurious-fault-v2-2-f80d8354d79d@iscas.ac.cn
Signed-off-by: Paul Walmsley <pjw@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/include/asm/kfence.h | 7 +++++--
arch/riscv/kernel/entry.S | 6 ++++--
2 files changed, 9 insertions(+), 4 deletions(-)
--- a/arch/riscv/include/asm/kfence.h
+++ b/arch/riscv/include/asm/kfence.h
@@ -6,6 +6,7 @@
#include <linux/kfence.h>
#include <linux/pfn.h>
#include <asm-generic/pgalloc.h>
+#include <asm/cacheflush.h>
#include <asm/pgtable.h>
static inline bool arch_kfence_init_pool(void)
@@ -17,10 +18,12 @@ static inline bool kfence_protect_page(u
{
pte_t *pte = virt_to_kpte(addr);
- if (protect)
+ if (protect) {
set_pte(pte, __pte(pte_val(ptep_get(pte)) & ~_PAGE_PRESENT));
- else
+ } else {
set_pte(pte, __pte(pte_val(ptep_get(pte)) | _PAGE_PRESENT));
+ mark_new_valid_map();
+ }
preempt_disable();
local_flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
--- a/arch/riscv/kernel/entry.S
+++ b/arch/riscv/kernel/entry.S
@@ -136,8 +136,10 @@ SYM_CODE_START(handle_exception)
#ifdef CONFIG_64BIT
/*
- * The RISC-V kernel does not eagerly emit a sfence.vma after each
- * new vmalloc mapping, which may result in exceptions:
+ * The RISC-V kernel does not flush TLBs on all CPUS after each new
+ * vmalloc mapping or kfence_unprotect(), which may result in
+ * exceptions:
+ *
* - if the uarch caches invalid entries, the new mapping would not be
* observed by the page table walker and an invalidation is needed.
* - if the uarch does not cache invalid entries, a reordered access
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 098/120] ntfs: serialize volume label accesses
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 097/120] riscv: kfence: Call mark_new_valid_map() for kfence_unprotect() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 099/120] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
` (27 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hyunchul Lee, Namjae Jeon
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hyunchul Lee <hyc.lee@gmail.com>
commit e9e50ce4f13dc721014af622613409455c734942 upstream.
Protect vol->volume_label with a mutex and snaphost the label before
copy_to_user. This prevent a use-after-free when FS_IOC_SETFSLABEL
replaces the vol->volume_label and FS_IOC_GETTSLABEL reads it
concurrently.
Cc: stable@vger.kernel.org # v7.1
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs/file.c | 17 +++++++++++++----
fs/ntfs/super.c | 19 +++++++++++++------
fs/ntfs/volume.h | 2 ++
3 files changed, 28 insertions(+), 10 deletions(-)
--- a/fs/ntfs/file.c
+++ b/fs/ntfs/file.c
@@ -707,12 +707,21 @@ static int ntfs_ioctl_get_volume_label(s
{
struct ntfs_volume *vol = NTFS_SB(file_inode(filp)->i_sb);
char __user *buf = (char __user *)arg;
+ char label[FSLABEL_MAX];
+ ssize_t len;
+ mutex_lock(&vol->volume_label_lock);
if (!vol->volume_label) {
- if (copy_to_user(buf, "", 1))
- return -EFAULT;
- } else if (copy_to_user(buf, vol->volume_label,
- MIN(FSLABEL_MAX, strlen(vol->volume_label) + 1)))
+ label[0] = '\0';
+ len = 0;
+ } else {
+ len = strscpy(label, vol->volume_label, sizeof(label));
+ if (len == -E2BIG)
+ len = FSLABEL_MAX - 1;
+ }
+ mutex_unlock(&vol->volume_label_lock);
+
+ if (copy_to_user(buf, label, len + 1))
return -EFAULT;
return 0;
}
--- a/fs/ntfs/super.c
+++ b/fs/ntfs/super.c
@@ -460,17 +460,23 @@ int ntfs_write_volume_label(struct ntfs_
ret = ntfs_resident_attr_record_add(vol_ni, AT_VOLUME_NAME, AT_UNNAMED, 0,
(u8 *)uname, uname_len * sizeof(__le16), 0);
out:
- mutex_unlock(&vol_ni->mrec_lock);
- kvfree(uname);
-
if (ret >= 0) {
- kfree(vol->volume_label);
+ char *old_label;
+
+ mutex_lock(&vol->volume_label_lock);
+ old_label = vol->volume_label;
vol->volume_label = new_label;
+ mutex_unlock(&vol->volume_label_lock);
+
+ kfree(old_label);
mark_inode_dirty_sync(vol->vol_ino);
ret = 0;
- } else {
- kfree(new_label);
}
+ mutex_unlock(&vol_ni->mrec_lock);
+ kvfree(uname);
+
+ if (ret < 0)
+ kfree(new_label);
return ret;
}
@@ -2631,6 +2637,7 @@ static int ntfs_init_fs_context(struct f
NVolSetCaseSensitive(vol);
init_rwsem(&vol->mftbmp_lock);
init_rwsem(&vol->lcnbmp_lock);
+ mutex_init(&vol->volume_label_lock);
fc->s_fs_info = vol;
fc->ops = &ntfs_context_ops;
--- a/fs/ntfs/volume.h
+++ b/fs/ntfs/volume.h
@@ -72,6 +72,7 @@
* @vol_flags: Volume flags.
* @major_ver: Ntfs major version of volume.
* @minor_ver: Ntfs minor version of volume.
+ * @volume_label_lock: protects @volume_label.
* @volume_label: volume label.
* @root_ino: The VFS inode of the root directory.
* @secure_ino: The VFS inode of $Secure (NTFS3.0+ only, otherwise NULL).
@@ -133,6 +134,7 @@ struct ntfs_volume {
struct inode *logfile_ino;
struct inode *lcnbmp_ino;
struct rw_semaphore lcnbmp_lock;
+ struct mutex volume_label_lock;
struct inode *vol_ino;
__le16 vol_flags;
u8 major_ver;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 099/120] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 098/120] ntfs: serialize volume label accesses Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 100/120] fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font() Greg Kroah-Hartman
` (26 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Bridges, Helge Deller
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Bridges <icb@fastmail.org>
commit 7f08fc10fa3d3366dc3af723970bd03d7d6d10e3 upstream.
info->var, a framebuffer's current mode, is expected to have a matching
entry in info->modelist. var_to_display() relies on this and treats a
failed fb_match_mode() as "This should not happen". fb_set_var() keeps it
true by adding the mode to the list on every change, and
do_register_framebuffer() does the same at registration.
store_modes() replaces the modelist from userspace. fb_new_modelist()
validates the new modes but does not check that info->var still has a
match. It relies on fbcon_new_modelist() to re-point consoles, but that
only handles consoles mapped to the framebuffer. With fbcon unbound there
are none, so info->var is left describing a mode that is no longer in the
list.
A later console takeover runs var_to_display(), where fb_match_mode()
returns NULL and leaves fb_display[i].mode NULL. fbcon_switch() passes it
to display_to_var(), and fb_videomode_to_var() dereferences the NULL mode.
Keep the current mode in the list in fb_new_modelist(), the same way
fb_set_var() does.
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Ian Bridges <icb@fastmail.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/fbmem.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/drivers/video/fbdev/core/fbmem.c
+++ b/drivers/video/fbdev/core/fbmem.c
@@ -734,6 +734,18 @@ int fb_new_modelist(struct fb_info *info
if (list_empty(&info->modelist))
return 1;
+ /*
+ * The new modelist may not contain the current mode (info->var), and
+ * fbcon_new_modelist() below only re-points consoles mapped to this
+ * framebuffer. Add the current mode here so info->var keeps a match
+ * even when fbcon is unbound.
+ */
+ if (!fb_match_mode(&info->var, &info->modelist)) {
+ fb_var_to_videomode(&mode, &info->var);
+ if (fb_add_videomode(&mode, &info->modelist))
+ return 1;
+ }
+
fbcon_new_modelist(info);
return 0;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 100/120] fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 099/120] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 101/120] fbdev: omap2: fix use-after-free in omapfb_mmap Greg Kroah-Hartman
` (25 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mingyu Wang, Thomas Zimmermann,
Helge Deller
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mingyu Wang <25181214217@stu.xidian.edu.cn>
commit 8fdc8c2057eea08d40ce2c8eed41ff9e451c65c2 upstream.
When fbcon_do_set_font() fails (e.g., due to a memory allocation failure
inside vc_resize() under heavy memory pressure), it jumps to the `err_out`
label to roll back the console state. However, the current rollback logic
forgets to restore the `hi_font` state, leading to a severe state machine
corruption.
Earlier in the function, `set_vc_hi_font()` might be called to change
`vc->vc_hi_font_mask` and mutate the screen buffer. If `vc_resize()`
subsequently fails, the `err_out` path restores `vc_font.charcount`
but entirely skips rolling back the `vc_hi_font_mask` and the screen
buffer.
This mismatch leaves the terminal in a desynchronized state. Because
`vc_hi_font_mask` remains set, the VT subsystem will still accept
character indices greater than 255 from userspace and write them to the
screen buffer. Subsequent rendering calls (e.g., `fbcon_putcs()`) will
then use these inflated indices to access the reverted, 256-character
font array, leading to a deterministic out-of-bounds read and potential
kernel memory disclosure.
Fix this by adding the missing rollback logic for the `hi_font` mask
and screen buffer in the error path.
Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")
Cc: stable@vger.kernel.org
Signed-off-by: Mingyu Wang <25181214217@stu.xidian.edu.cn>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/fbcon.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/video/fbdev/core/fbcon.c
+++ b/drivers/video/fbdev/core/fbcon.c
@@ -2407,6 +2407,7 @@ static int fbcon_do_set_font(struct vc_d
int resize, ret, old_width, old_height, old_charcount;
font_data_t *old_fontdata = p->fontdata;
const u8 *old_data = vc->vc_font.data;
+ unsigned short old_hi_font_mask = vc->vc_hi_font_mask;
font_data_get(data);
@@ -2453,6 +2454,12 @@ err_out:
vc->vc_font.height = old_height;
vc->vc_font.charcount = old_charcount;
+ /* Restore the hi_font state and screen buffer */
+ if (old_hi_font_mask && !vc->vc_hi_font_mask)
+ set_vc_hi_font(vc, true);
+ else if (!old_hi_font_mask && vc->vc_hi_font_mask)
+ set_vc_hi_font(vc, false);
+
font_data_put(data);
return ret;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 101/120] fbdev: omap2: fix use-after-free in omapfb_mmap
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 100/120] fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 102/120] fbdev: modedb: fix a possible UAF in fb_find_mode() Greg Kroah-Hartman
` (24 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hongling Zeng, Helge Deller
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hongling Zeng <zenghongling@kylinos.cn>
commit 7958e67375aa111522086286bba13cfc0816ce8d upstream.
omapfb_mmap() has a race condition with OMAPFB_SETUP_PLANE ioctl that
can lead to use-after-free:
The fb_mmap() entry point holds mm_lock but not lock (fb_info->lock),
while ioctl handlers like OMAPFB_SETUP_PLANE hold lock but not mm_lock.
This allows concurrent execution.
In omapfb_mmap():
1. rg = omapfb_get_mem_region(ofbi->region); // Get old region ref
2. start = omapfb_get_region_paddr(ofbi); // Read from NEW region
3. len = fix->smem_len; // Read from NEW region
4. vm_iomap_memory(vma, start, len); // Map NEW region memory
5. atomic_inc(&rg->map_count); // Increment OLD region!
Concurrently, OMAPFB_SETUP_PLANE can:
- Reassign ofbi->region = new_rg
- Update fix->smem_len
- OMAPFB_SETUP_MEM then checks NEW region's map_count (0!) and frees it
This leaves userspace with a mapping to freed physical memory.
The fix is to read all required values (start, len) from the same
region reference (rg) that will have its map_count incremented,
preventing the region from being freed while still mapped.
Cc: stable@vger.kernel.org
Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/omap2/omapfb/omapfb-main.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/video/fbdev/omap2/omapfb/omapfb-main.c
+++ b/drivers/video/fbdev/omap2/omapfb/omapfb-main.c
@@ -1099,7 +1099,11 @@ static int omapfb_mmap(struct fb_info *f
rg = omapfb_get_mem_region(ofbi->region);
- start = omapfb_get_region_paddr(ofbi);
+ if (ofbi->rotation_type == OMAP_DSS_ROT_VRFB)
+ start = rg->vrfb.paddr[0];
+ else
+ start = rg->paddr;
+
len = fix->smem_len;
DBG("user mmap region start %lx, len %d, off %lx\n", start, len,
@@ -1109,6 +1113,8 @@ static int omapfb_mmap(struct fb_info *f
vma->vm_ops = &mmap_user_ops;
vma->vm_private_data = rg;
+ atomic_inc(&rg->map_count);
+
r = vm_iomap_memory(vma, start, len);
if (r)
goto error;
@@ -1121,6 +1127,7 @@ static int omapfb_mmap(struct fb_info *f
return 0;
error:
+ atomic_dec(&rg->map_count);
omapfb_put_mem_region(rg);
return r;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 102/120] fbdev: modedb: fix a possible UAF in fb_find_mode()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 101/120] fbdev: omap2: fix use-after-free in omapfb_mmap Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 103/120] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
` (23 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tuo Li, Helge Deller
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tuo Li <islituo@gmail.com>
commit 85b6256469cebdac395e7447147e06b2e151014f upstream.
If mode_option is NULL, it is assigned from mode_option_buf:
if (!mode_option) {
fb_get_options(NULL, &mode_option_buf);
mode_option = mode_option_buf;
}
Later, name is assigned from mode_option:
const char *name = mode_option;
However, mode_option_buf is freed before name is no longer used:
kfree(mode_option_buf);
while name is still accessed by:
if ((name_matches(db[i], name, namelen) ||
Since name aliases mode_option_buf, this may result in a
use-after-free.
Fix this by extending the lifetime of mode_option_buf until the end of the
function by using scope-based resource management for cleanup.
Signed-off-by: Tuo Li <islituo@gmail.com>
Cc: stable@vger.kernel.org # v6.5+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/modedb.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/video/fbdev/core/modedb.c
+++ b/drivers/video/fbdev/core/modedb.c
@@ -626,7 +626,7 @@ int fb_find_mode(struct fb_var_screeninf
const struct fb_videomode *default_mode,
unsigned int default_bpp)
{
- char *mode_option_buf = NULL;
+ char *mode_option_buf __free(kfree) = NULL;
int i;
/* Set up defaults */
@@ -724,7 +724,6 @@ int fb_find_mode(struct fb_var_screeninf
res_specified = 1;
}
done:
- kfree(mode_option_buf);
if (cvt) {
struct fb_videomode cvt_mode;
int ret;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 103/120] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 102/120] fbdev: modedb: fix a possible UAF in fb_find_mode() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 104/120] i2c: core: fix adapter registration race Greg Kroah-Hartman
` (22 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Steffen Persvold, Helge Deller
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steffen Persvold <spersvold@gmail.com>
commit d894c48a57d78206e4df9c90d4acfaf39394806a upstream.
The 1920x1080@60 modedb entry has one too many initializers before
its sync field: a stray "0" occupies the sync slot, which shifts the
remaining values by one field. The entry therefore decodes as
sync = 0, vmode = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT (0x3,
i.e. FB_VMODE_INTERLACED | FB_VMODE_DOUBLE), and flag =
FB_VMODE_NONINTERLACED, instead of the intended sync = positive H/V,
vmode = non-interlaced.
fb_find_mode() then returns a 1920x1080 mode flagged as interlaced +
doublescan with active-low syncs. Drivers that honour var->vmode and
var->sync when programming display timing enable doublescan and the
wrong sync polarity, corrupting the output.
Drop the stray initializer so sync and vmode hold their intended
values (positive H/V sync, non-interlaced), matching the adjacent
1920x1200 entry.
Fixes: c8902258b2b8 ("fbdev: modedb: Add 1920x1080 at 60 Hz video mode")
Cc: stable@vger.kernel.org
Signed-off-by: Steffen Persvold <spersvold@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/core/modedb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/core/modedb.c
+++ b/drivers/video/fbdev/core/modedb.c
@@ -259,7 +259,7 @@ static const struct fb_videomode modedb[
FB_VMODE_DOUBLE },
/* 1920x1080 @ 60 Hz, 67.3 kHz hsync */
- { NULL, 60, 1920, 1080, 6734, 148, 88, 36, 4, 44, 5, 0,
+ { NULL, 60, 1920, 1080, 6734, 148, 88, 36, 4, 44, 5,
FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
FB_VMODE_NONINTERLACED },
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 104/120] i2c: core: fix adapter registration race
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 103/120] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 105/120] nfsd: release layout stid on setlease failure Greg Kroah-Hartman
` (21 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Wolfram Sang
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit ba14d7cf2fe7284610a29854bdff22b2537d3ce6 upstream.
Adapters can be looked up based on their id using i2c_get_adapter()
which takes a reference to the embedded struct device.
Make sure that the adapter (including its struct device) has been
initialised before adding it to the IDR to avoid accessing uninitialised
data which could, for example, lead to NULL-pointer dereferences or
use-after-free.
Note that the i2c-dev chardev, which is registered from a bus notifier,
currently uses i2c_get_adapter() so the adapter needs to be added to the
IDR before registration.
Fixes: 6e13e6418418 ("i2c: Add i2c_add_numbered_adapter()")
Cc: stable@vger.kernel.org # 2.6.22
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/i2c-core-base.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -1569,6 +1569,10 @@ static int i2c_register_adapter(struct i
pm_suspend_ignore_children(&adap->dev, true);
pm_runtime_enable(&adap->dev);
+ mutex_lock(&core_lock);
+ idr_replace(&i2c_adapter_idr, adap, adap->nr);
+ mutex_unlock(&core_lock);
+
res = device_add(&adap->dev);
if (res) {
pr_err("adapter '%s': can't register device (%d)\n", adap->name, res);
@@ -1627,7 +1631,7 @@ static int __i2c_add_numbered_adapter(st
int id;
mutex_lock(&core_lock);
- id = idr_alloc(&i2c_adapter_idr, adap, adap->nr, adap->nr + 1, GFP_KERNEL);
+ id = idr_alloc(&i2c_adapter_idr, NULL, adap->nr, adap->nr + 1, GFP_KERNEL);
mutex_unlock(&core_lock);
if (WARN(id < 0, "couldn't get idr"))
return id == -ENOSPC ? -EBUSY : id;
@@ -1661,7 +1665,7 @@ int i2c_add_adapter(struct i2c_adapter *
}
mutex_lock(&core_lock);
- id = idr_alloc(&i2c_adapter_idr, adapter,
+ id = idr_alloc(&i2c_adapter_idr, NULL,
__i2c_first_dynamic_bus_num, 0, GFP_KERNEL);
mutex_unlock(&core_lock);
if (WARN(id < 0, "couldn't get idr"))
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 105/120] nfsd: release layout stid on setlease failure
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 104/120] i2c: core: fix adapter registration race Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 106/120] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
` (20 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chris Mason, Jeff Layton,
Chuck Lever
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Mason <clm@meta.com>
commit 30d55c8aabb261bc3f427d6b9aae7ef6206063f9 upstream.
nfs4_alloc_stid() publishes the new stid into cl->cl_stateids via
idr_alloc_cyclic() under cl_lock before returning to
nfsd4_alloc_layout_stateid(). When nfsd4_layout_setlease() then
fails, the error path frees the layout stateid directly with
kmem_cache_free() without ever calling idr_remove(), leaving the
IDR slot pointing at freed slab memory. Any subsequent IDR walker
(states_show, client teardown) dereferences the dangling pointer.
The correct teardown for an IDR-published stid is nfs4_put_stid(),
which removes the IDR slot under cl_lock, dispatches sc_free
(nfsd4_free_layout_stateid) to release ls->ls_file via
nfsd4_close_layout(), and drops the nfs4_file reference in its
tail.
A second issue blocks that switch: nfsd4_free_layout_stateid()
unconditionally inspects ls->ls_fence_work via
delayed_work_pending() under ls_lock, but
INIT_DELAYED_WORK(&ls->ls_fence_work, ...) currently runs only
after the setlease call. On the setlease-failure path the
destructor would touch an uninitialized delayed_work.
nfsd4_alloc_layout_stateid()
nfs4_alloc_stid() /* idr_alloc_cyclic under cl_lock */
nfsd4_layout_setlease() /* fails */
nfs4_put_stid()
nfsd4_free_layout_stateid()
delayed_work_pending(&ls->ls_fence_work) /* needs INIT */
nfsd4_close_layout() /* nfsd_file_put(ls->ls_file) */
put_nfs4_file()
Fix by hoisting the ls_fenced / ls_fence_delay / INIT_DELAYED_WORK
initialization above the nfsd4_layout_setlease() call, and replace
the manual nfsd_file_put + put_nfs4_file + kmem_cache_free cleanup
with a single nfs4_put_stid(stp).
Fixes: c5c707f96fc9 ("nfsd: implement pNFS layout recalls")
Cc: stable@vger.kernel.org
Assisted-by: kres (claude-opus-4-7)
Signed-off-by: Chris Mason <clm@meta.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4layouts.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
--- a/fs/nfsd/nfs4layouts.c
+++ b/fs/nfsd/nfs4layouts.c
@@ -264,10 +264,12 @@ nfsd4_alloc_layout_stateid(struct nfsd4_
ls->ls_file = find_any_file(fp);
BUG_ON(!ls->ls_file);
+ ls->ls_fenced = false;
+ ls->ls_fence_delay = 0;
+ INIT_DELAYED_WORK(&ls->ls_fence_work, nfsd4_layout_fence_worker);
+
if (nfsd4_layout_setlease(ls)) {
- nfsd_file_put(ls->ls_file);
- put_nfs4_file(fp);
- kmem_cache_free(nfs4_layout_stateid_cache, ls);
+ nfs4_put_stid(stp);
return NULL;
}
@@ -280,10 +282,6 @@ nfsd4_alloc_layout_stateid(struct nfsd4_
list_add(&ls->ls_perfile, &fp->fi_lo_states);
spin_unlock(&fp->fi_lock);
- ls->ls_fenced = false;
- ls->ls_fence_delay = 0;
- INIT_DELAYED_WORK(&ls->ls_fence_work, nfsd4_layout_fence_worker);
-
trace_nfsd_layoutstate_alloc(&ls->ls_stid.sc_stateid);
return ls;
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 106/120] NFSD: Fix SECINFO_NO_NAME decode error cleanup
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 105/120] nfsd: release layout stid on setlease failure Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 107/120] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
` (19 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guannan Wang, Chuck Lever
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guannan Wang <wgnbuaa@gmail.com>
commit 9e18e83b8846a5c3fe13fc8a464b4865d33996c6 upstream.
nfsd4_decode_secinfo_no_name() currently initializes sin_exp after
decoding sin_style. If the XDR stream is truncated, the decoder returns
nfserr_bad_xdr before sin_exp is initialized.
Since commit 3fdc54646234 ("NFSD: Reduce amount of struct
nfsd4_compoundargs that needs clearing"), the inline iops array is not
cleared between RPC calls. A failed SECINFO_NO_NAME decode can therefore
leave sin_exp holding stale union contents from a previous operation.
The error response path still invokes nfsd4_secinfo_no_name_release(),
which calls exp_put() on a non-NULL sin_exp.
Initialize sin_exp before the first failable decode step, matching
nfsd4_decode_secinfo().
Fixes: 3fdc54646234 ("NFSD: Reduce amount of struct nfsd4_compoundargs that needs clearing")
Cc: stable@vger.kernel.org
Signed-off-by: Guannan Wang <wgnbuaa@gmail.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4xdr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2008,10 +2008,11 @@ static __be32 nfsd4_decode_secinfo_no_na
union nfsd4_op_u *u)
{
struct nfsd4_secinfo_no_name *sin = &u->secinfo_no_name;
+
+ sin->sin_exp = NULL;
if (xdr_stream_decode_u32(argp->xdr, &sin->sin_style) < 0)
return nfserr_bad_xdr;
- sin->sin_exp = NULL;
return nfs_ok;
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 107/120] nfsd: fix posix_acl leak on SETACL decode failure
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 106/120] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 108/120] nfsd: fix inverted cp_ttl check in async copy reaper Greg Kroah-Hartman
` (18 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
commit 0853ac544c590880d797b04daa33fcb72b6be0e1 upstream.
nfsaclsvc_decode_setaclargs() and nfs3svc_decode_setaclargs() each
call nfs_stream_decode_acl() twice, first for NFS_ACL and then for
NFS_DFACL. Each successful call transfers ownership of a freshly
allocated posix_acl into argp->acl_access or argp->acl_default. If
the first call succeeds but the second fails, the decoder returns
false and argp->acl_access is left dangling.
ACLPROC2_SETACL.pc_release was wired to nfssvc_release_attrstat and
ACLPROC3_SETACL.pc_release was wired to nfs3svc_release_fhandle.
Both only call fh_put() and have no knowledge of the ACL fields on
argp. The posix_acl_release() pairs sat at the out: labels inside
nfsacld_proc_setacl() and nfsd3_proc_setacl(), but svc_process()
skips pc_func when pc_decode returns false, so that cleanup is
unreachable on decode failure:
svc_process_common()
pc_decode() /* decode_setaclargs: false */
/* pc_func skipped */
pc_release() /* fh_put only -- ACLs leaked */
The orphaned posix_acl is leaked for the lifetime of the server.
Fix by adding nfsaclsvc_release_setacl() and nfs3svc_release_setacl(),
which release both argp->acl_access and argp->acl_default in addition
to fh_put(), and wiring them as pc_release for their respective SETACL
procedures. pc_release runs on every path svc_process() takes after
decode, including decode failure, so the posix_acl_release() pairs are
removed from the proc functions' out: labels to keep ownership in one
place. This matches the existing release_getacl() pattern used by
the sibling GETACL procedures.
Fixes: a257cdd0e217 ("[PATCH] NFSD: Add server support for NFSv3 ACLs.")
Cc: stable@vger.kernel.org
Assisted-by: kres:claude-opus-4-7
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs2acl.c | 17 ++++++++++++-----
fs/nfsd/nfs3acl.c | 17 ++++++++++++-----
2 files changed, 24 insertions(+), 10 deletions(-)
--- a/fs/nfsd/nfs2acl.c
+++ b/fs/nfsd/nfs2acl.c
@@ -131,10 +131,7 @@ static __be32 nfsacld_proc_setacl(struct
resp->status = fh_getattr(fh, &resp->stat);
out:
- /* argp->acl_{access,default} may have been allocated in
- nfssvc_decode_setaclargs. */
- posix_acl_release(argp->acl_access);
- posix_acl_release(argp->acl_default);
+ /* argp->acl_{access,default} are released in nfsaclsvc_release_setacl. */
return rpc_success;
out_drop_lock:
@@ -310,6 +307,16 @@ static void nfsaclsvc_release_access(str
fh_put(&resp->fh);
}
+static void nfsaclsvc_release_setacl(struct svc_rqst *rqstp)
+{
+ struct nfsd3_setaclargs *argp = rqstp->rq_argp;
+ struct nfsd_attrstat *resp = rqstp->rq_resp;
+
+ fh_put(&resp->fh);
+ posix_acl_release(argp->acl_access);
+ posix_acl_release(argp->acl_default);
+}
+
#define ST 1 /* status*/
#define AT 21 /* attributes */
#define pAT (1+AT) /* post attributes - conditional */
@@ -343,7 +350,7 @@ static const struct svc_procedure nfsd_a
.pc_func = nfsacld_proc_setacl,
.pc_decode = nfsaclsvc_decode_setaclargs,
.pc_encode = nfssvc_encode_attrstatres,
- .pc_release = nfssvc_release_attrstat,
+ .pc_release = nfsaclsvc_release_setacl,
.pc_argsize = sizeof(struct nfsd3_setaclargs),
.pc_argzero = sizeof(struct nfsd3_setaclargs),
.pc_ressize = sizeof(struct nfsd_attrstat),
--- a/fs/nfsd/nfs3acl.c
+++ b/fs/nfsd/nfs3acl.c
@@ -118,10 +118,7 @@ out_drop_lock:
out_errno:
resp->status = nfserrno(error);
out:
- /* argp->acl_{access,default} may have been allocated in
- nfs3svc_decode_setaclargs. */
- posix_acl_release(argp->acl_access);
- posix_acl_release(argp->acl_default);
+ /* argp->acl_{access,default} are released in nfs3svc_release_setacl. */
return rpc_success;
}
@@ -223,6 +220,16 @@ static void nfs3svc_release_getacl(struc
posix_acl_release(resp->acl_default);
}
+static void nfs3svc_release_setacl(struct svc_rqst *rqstp)
+{
+ struct nfsd3_setaclargs *argp = rqstp->rq_argp;
+ struct nfsd3_attrstat *resp = rqstp->rq_resp;
+
+ fh_put(&resp->fh);
+ posix_acl_release(argp->acl_access);
+ posix_acl_release(argp->acl_default);
+}
+
#define ST 1 /* status*/
#define AT 21 /* attributes */
#define pAT (1+AT) /* post attributes - conditional */
@@ -256,7 +263,7 @@ static const struct svc_procedure nfsd_a
.pc_func = nfsd3_proc_setacl,
.pc_decode = nfs3svc_decode_setaclargs,
.pc_encode = nfs3svc_encode_setaclres,
- .pc_release = nfs3svc_release_fhandle,
+ .pc_release = nfs3svc_release_setacl,
.pc_argsize = sizeof(struct nfsd3_setaclargs),
.pc_argzero = sizeof(struct nfsd3_setaclargs),
.pc_ressize = sizeof(struct nfsd3_attrstat),
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 108/120] nfsd: fix inverted cp_ttl check in async copy reaper
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 107/120] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 109/120] nfsd: fix posix_acl leak and ignored error in nfsd4_create_file Greg Kroah-Hartman
` (17 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chris Mason, Jeff Layton,
Chuck Lever
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
commit 0150459b05490b88b7e7378a31550a9e07b5517c upstream.
nfsd4_async_copy_reaper() is supposed to keep completed async copy
state around for NFSD_COPY_INITIAL_TTL (10) laundromat ticks so
that OFFLOAD_STATUS can report the result, then reap the state once
the countdown expires.
The TTL predicate is inverted: `if (--copy->cp_ttl)` is true while
ticks remain and false when the counter reaches zero. This causes
the copy to be reaped on the very first tick (cp_ttl goes from 10
to 9, which is non-zero) instead of after all 10 ticks elapse.
Once reaped, OFFLOAD_STATUS returns NFS4ERR_BAD_STATEID because
the copy state has already been freed.
Fix by negating the test so that cleanup runs when the TTL expires.
Fixes: aa0ebd21df9c ("NFSD: Add nfsd4_copy time-to-live")
Cc: stable@vger.kernel.org
Reported-by: Chris Mason <clm@meta.com>
Assisted-by: kres:claude-opus-4-6
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4proc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1470,7 +1470,7 @@ void nfsd4_async_copy_reaper(struct nfsd
list_for_each_safe(pos, next, &clp->async_copies) {
copy = list_entry(pos, struct nfsd4_copy, copies);
if (test_bit(NFSD4_COPY_F_OFFLOAD_DONE, ©->cp_flags)) {
- if (--copy->cp_ttl) {
+ if (!--copy->cp_ttl) {
list_del_init(©->copies);
list_add(©->copies, &reaplist);
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 109/120] nfsd: fix posix_acl leak and ignored error in nfsd4_create_file
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 108/120] nfsd: fix inverted cp_ttl check in async copy reaper Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 110/120] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
` (16 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chris Mason, Jeff Layton,
Chuck Lever
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
commit 24c975bbdd564d7d0ad90294bfa69729830345de upstream.
nfsd4_create_file() has two bugs in its ACL handling:
The return value of nfsd4_acl_to_attr() is silently discarded. When
the NFSv4-to-POSIX ACL conversion fails (e.g., -EINVAL for
unsupported ACE types), the file is created without any ACL and the
client receives NFS4_OK. This violates RFC 7530/8881 which require
the server to reject unsupported attributes on CREATE.
When start_creating() fails after ACL attributes have been populated
in attrs (either via nfsd4_acl_to_attr or via ownership transfer from
open->op_dpacl/op_pacl), the function jumps to out_write which skips
nfsd_attrs_free(). The posix_acl allocations are leaked. A client
can trigger this repeatedly with OPEN(CREATE), ACL attributes, and an
invalid filename (e.g., longer than NAME_MAX).
Fix both by capturing the nfsd4_acl_to_attr() return value and by
changing the early error paths to jump to out instead of out_write.
Initialize child to ERR_PTR(-EINVAL) so that end_creating() is safe
to call even if start_creating() was never reached.
Reported-by: Chris Mason <clm@meta.com>
Fixes: 7ab96df840e6 ("VFS/nfsd/cachefiles/ovl: add start_creating() and end_creating()")
Cc: stable@vger.kernel.org
Assisted-by: kres:claude-opus-4-6
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4proc.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -253,7 +253,7 @@ nfsd4_create_file(struct svc_rqst *rqstp
.na_iattr = iap,
.na_seclabel = &open->op_label,
};
- struct dentry *parent, *child;
+ struct dentry *parent, *child = ERR_PTR(-EINVAL);
__u32 v_mtime, v_atime;
struct inode *inode;
__be32 status;
@@ -277,10 +277,14 @@ nfsd4_create_file(struct svc_rqst *rqstp
if (open->op_acl) {
if (open->op_dpacl || open->op_pacl) {
status = nfserr_inval;
- goto out_write;
+ goto out;
+ }
+ if (is_create_with_attrs(open)) {
+ status = nfsd4_acl_to_attr(NF4REG, open->op_acl,
+ &attrs);
+ if (status)
+ goto out;
}
- if (is_create_with_attrs(open))
- nfsd4_acl_to_attr(NF4REG, open->op_acl, &attrs);
} else if (is_create_with_attrs(open)) {
/* The dpacl and pacl will get released by nfsd_attrs_free(). */
attrs.na_dpacl = open->op_dpacl;
@@ -293,7 +297,7 @@ nfsd4_create_file(struct svc_rqst *rqstp
&QSTR_LEN(open->op_fname, open->op_fnamelen));
if (IS_ERR(child)) {
status = nfserrno(PTR_ERR(child));
- goto out_write;
+ goto out;
}
if (d_really_is_negative(child)) {
@@ -407,7 +411,6 @@ set_attr:
out:
end_creating(child);
nfsd_attrs_free(&attrs);
-out_write:
fh_drop_write(fhp);
return status;
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 110/120] nfsd: check get_user() return when reading princhashlen
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 109/120] nfsd: fix posix_acl leak and ignored error in nfsd4_create_file Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 111/120] nfsd: fix dead ACL conflict guard in nfsd4_create Greg Kroah-Hartman
` (15 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dominik Woźniak, Jeff Layton,
Chuck Lever
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dominik Woźniak <stalion@gmail.com>
commit e186fa1c057f5eccb22afb1e83e34c0627085868 upstream.
In __cld_pipe_inprogress_downcall(), the get_user() that reads
princhashlen from the userspace cld_msg_v2 buffer does not check its
return value. A failing copy leaves princhashlen with uninitialised
stack contents, which are then used to drive memdup_user() and stored
as princhash.len on the resulting reclaim record. The other get_user()
calls in this function all check the return; only this one is missed,
which is most likely a copy-paste oversight from when v2 upcalls were
introduced.
Mirror the existing pattern used a few lines above for namelen.
namecopy is declared with __free(kfree) so the early return cleans up
the already-allocated buffer automatically.
Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2")
Cc: stable@vger.kernel.org
Signed-off-by: Dominik Woźniak <stalion@gmail.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4recover.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -718,7 +718,8 @@ __cld_pipe_inprogress_downcall(const str
return PTR_ERR(namecopy);
name.data = namecopy;
name.len = namelen;
- get_user(princhashlen, &ci->cc_princhash.cp_len);
+ if (get_user(princhashlen, &ci->cc_princhash.cp_len))
+ return -EFAULT;
if (princhashlen > 0) {
princhashcopy = memdup_user(
&ci->cc_princhash.cp_data,
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 111/120] nfsd: fix dead ACL conflict guard in nfsd4_create
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 110/120] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 112/120] nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race Greg Kroah-Hartman
` (14 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chris Mason, Jeff Layton,
Chuck Lever
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
commit a60f25a800846ab8e5a13f8a9d05111f2aee55a7 upstream.
nfsd4_create() steals create->cr_dpacl/cr_pacl into the local
nfsd_attrs via the designated initializer, then immediately sets the
source pointers to NULL. The subsequent conflict guard tests the
already-nilled source fields, making it permanently dead code:
if (create->cr_acl) {
if (create->cr_dpacl || create->cr_pacl) /* always false */
When a client encodes both FATTR4_WORD0_ACL and
FATTR4_WORD2_POSIX_{DEFAULT,ACCESS}_ACL in the same CREATE fattr
bitmap, nfsd4_acl_to_attr() overwrites attrs.na_pacl/na_dpacl without
releasing the originals, leaking two posix_acl slab objects per
request. Repeated requests cause unbounded slab exhaustion.
Fix by checking attrs.na_dpacl/na_pacl (the stolen values) instead of
the nilled create->cr_dpacl/cr_pacl, matching the correct pattern
already used in nfsd4_setattr().
Reported-by: Chris Mason <clm@meta.com>
Assisted-by: kres:claude-opus-4-6
Fixes: d2ca50606f5f ("NFSD: Add support for POSIX draft ACLs for file creation")
Cc: stable@vger.kernel.org
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4proc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -840,7 +840,7 @@ nfsd4_create(struct svc_rqst *rqstp, str
goto out_aftermask;
if (create->cr_acl) {
- if (create->cr_dpacl || create->cr_pacl) {
+ if (attrs.na_dpacl || attrs.na_pacl) {
status = nfserr_inval;
goto out_aftermask;
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 112/120] nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 111/120] nfsd: fix dead ACL conflict guard in nfsd4_create Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 113/120] nfsd: reset write verifier on deferred writeback errors Greg Kroah-Hartman
` (13 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chris Mason, Jeff Layton,
Chuck Lever
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
commit 57aee7a35bb12753057c5b65d72d1f46c0e95b07 upstream.
When find_or_alloc_open_stateowner() encounters an unconfirmed owner, it
calls release_openowner() and sets oo = NULL. Control then falls through
past the `if (oo)` guard -- which would have freed any pre-allocated
`new` -- and unconditionally executes `new = alloc_stateowner(...)`. If
`new` was already allocated on a prior iteration, the pointer is
silently overwritten and the previous allocation (slab object + owner
name buffer) is leaked.
This requires a race: two NFSv4.0 OPEN threads with the same owner
string, where a concurrent thread inserts a new unconfirmed owner into
the hash between retry iterations. The window is narrow but repeatable
under adversarial conditions.
Fix by adding `goto retry` after `oo = NULL` so the already-allocated
`new` is reused on the next iteration rather than overwritten.
Reported-by: Chris Mason <clm@meta.com>
Fixes: 23df17788c62 ("nfsd: perform all find_openstateowner_str calls in the one place.")
Cc: stable@vger.kernel.org
Assisted-by: kres:claude-opus-4-6
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -5169,6 +5169,7 @@ retry:
/* Replace unconfirmed owners without checking for replay. */
release_openowner(oo);
oo = NULL;
+ goto retry;
}
if (oo) {
if (new)
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 113/120] nfsd: reset write verifier on deferred writeback errors
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 112/120] nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 114/120] NFSv4/flexfiles: reject zero filehandle version count Greg Kroah-Hartman
` (12 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chris Mason, Jeff Layton,
Chuck Lever
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
commit 2090b05803faab8a9fa62fbff871007862cac1b7 upstream.
nfsd_vfs_write() and nfsd_commit() both call filemap_check_wb_err() to
detect deferred writeback errors, but neither rotates the server's write
verifier (nn->writeverf) when this check fails. Every other
durable-storage-failure path in these functions calls
commit_reset_write_verifier() before returning an error.
The missing rotation means clients holding UNSTABLE write data under the
current verifier will COMMIT, receive the unchanged verifier back, and
conclude their data is durable — silently dropping data that failed
writeback. This violates the UNSTABLE+COMMIT durability contract
(RFC 1813 §3.3.7, RFC 8881 §18.32).
Add commit_reset_write_verifier() calls at both filemap_check_wb_err()
error sites, matching the pattern used by adjacent error paths in the
same functions. The helper already filters -EAGAIN and -ESTALE
internally, so the calls are unconditionally safe.
Reported-by: Chris Mason <clm@meta.com>
Fixes: 555dbf1a9aac ("nfsd: Replace use of rwsem with errseq_t")
Cc: stable@vger.kernel.org
Assisted-by: kres:claude-opus-4-6
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/vfs.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1508,8 +1508,10 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
nfsd_stats_io_write_add(nn, exp, *cnt);
fsnotify_modify(file);
host_err = filemap_check_wb_err(file->f_mapping, since);
- if (host_err < 0)
+ if (host_err < 0) {
+ commit_reset_write_verifier(nn, rqstp, host_err);
goto out_nfserr;
+ }
if (stable && fhp->fh_use_wgather) {
host_err = wait_for_concurrent_writes(file);
@@ -1689,6 +1691,8 @@ nfsd_commit(struct svc_rqst *rqstp, stru
nfsd_copy_write_verifier(verf, nn);
err2 = filemap_check_wb_err(nf->nf_file->f_mapping,
since);
+ if (err2 < 0)
+ commit_reset_write_verifier(nn, rqstp, err2);
err = nfserrno(err2);
break;
case -EINVAL:
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 114/120] NFSv4/flexfiles: reject zero filehandle version count
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 113/120] nfsd: reset write verifier on deferred writeback errors Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 115/120] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Greg Kroah-Hartman
` (11 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Anna Schumaker
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 2c6bb3c40bc24f6aa8dfbe6fe98c3ad6389203f2 upstream.
ff_layout_alloc_lseg() decodes the filehandle-version array count
from the flexfiles layout body. The value is used as the count for
kzalloc_objs(), and the current code only rejects NULL.
A zero count yields ZERO_SIZE_PTR, which can be stored in
dss_info->fh_versions even though later flexfiles paths assume that at
least one filehandle version exists.
Reject fh_count == 0 before the allocation, matching the existing zero
version_count validation in the flexfiles GETDEVICEINFO parser.
A QEMU/KASAN run with a malformed flexfiles layout hit:
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
RIP: 0010:ff_layout_encode_ff_layoutupdate.isra.0+0x15f/0x750
ff_layout_encode_layoutreturn+0x683/0x970
nfs4_xdr_enc_layoutreturn+0x278/0x3a0
Kernel panic - not syncing: Fatal exception
The patched kernel rejects the malformed layout without KASAN/oops/panic,
and a valid fh_count=1 regression still opens, reads, and unmounts cleanly.
Cc: stable@vger.kernel.org
Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/flexfilelayout/flexfilelayout.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/nfs/flexfilelayout/flexfilelayout.c
+++ b/fs/nfs/flexfilelayout/flexfilelayout.c
@@ -551,6 +551,10 @@ ff_layout_alloc_lseg(struct pnfs_layout_
if (!p)
goto out_err_free;
fh_count = be32_to_cpup(p);
+ if (fh_count == 0) {
+ rc = -EINVAL;
+ goto out_err_free;
+ }
dss_info->fh_versions =
kzalloc_objs(struct nfs_fh, fh_count, gfp_flags);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 115/120] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 114/120] NFSv4/flexfiles: reject zero filehandle version count Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 116/120] NFSv4: clear exception state on successful mkdir retry Greg Kroah-Hartman
` (10 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Bommarito, Anna Schumaker
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Bommarito <michael.bommarito@gmail.com>
commit 41fe0f7b84f0cb822ae10ab08592996a592b2a25 upstream.
nfs4_decode_mp_ds_addr() decodes the r_netid and r_addr opaques of a
netaddr4 from a GETDEVICEINFO multipath-DS body, then immediately
calls strrchr(buf, '.') to locate the port separator. Both decodes
use xdr_stream_decode_string_dup(), and the current code checks only
"nlen < 0" / "rlen < 0" before dereferencing the returned string.
When the on-wire opaque has length zero, xdr_stream_decode_opaque_inline()
returns 0 and xdr_stream_decode_string_dup() falls through to its
"*str = NULL; return ret" tail, leaving buf NULL with a return value
of 0. The "< 0" check does not catch this, and the next line is
strrchr(NULL, '.'), a kernel NULL pointer dereference reachable from
any pNFS-flexfile client mounted against a malicious or compromised
metadata server.
Reject the zero-length cases explicitly so the decoder fails with
-EBADMSG (treated as a malformed GETDEVICEINFO body) instead of
panicking the client.
Cc: stable@vger.kernel.org
Fixes: 6b7f3cf96364 ("nfs41: pull decode_ds_addr from file layout to generic pnfs")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/pnfs_nfs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/nfs/pnfs_nfs.c
+++ b/fs/nfs/pnfs_nfs.c
@@ -1075,14 +1075,14 @@ nfs4_decode_mp_ds_addr(struct net *net,
/* r_netid */
nlen = xdr_stream_decode_string_dup(xdr, &netid, XDR_MAX_NETOBJ,
gfp_flags);
- if (unlikely(nlen < 0))
+ if (unlikely(nlen <= 0))
goto out_err;
/* r_addr: ip/ip6addr with port in dec octets - see RFC 5665 */
/* port is ".ABC.DEF", 8 chars max */
rlen = xdr_stream_decode_string_dup(xdr, &buf, INET6_ADDRSTRLEN +
IPV6_SCOPE_ID_LEN + 8, gfp_flags);
- if (unlikely(rlen < 0))
+ if (unlikely(rlen <= 0))
goto out_free_netid;
/* replace port '.' with '-' */
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 116/120] NFSv4: clear exception state on successful mkdir retry
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 115/120] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 117/120] NFS: Prevent resource leak in nfs_alloc_server() Greg Kroah-Hartman
` (9 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, NeilBrown, Igor Raits,
Anna Schumaker, Jan Čípa
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Igor Raits <igor.raits@gmail.com>
commit 238e9b51aa29f48b6243212a3b75c8e48d6b96fd upstream.
After a server returns NFS4ERR_DELAY for an NFSv4 CREATE issued by
mkdir(2), the client correctly waits and retries. When the retry
succeeds, however, mkdir(2) can still surface -EEXIST to userspace
even though the directory was just created on the server.
Reproducer (random 16-hex names so collisions are not the cause)
against an in-kernel Linux nfsd; reproduces under both NFSv4.0 and
NFSv4.2:
N=2000000; base=/var/gdc/export
for ((i=1; i<=N; i++)); do
d=$base/$(openssl rand -hex 8)
mkdir "$d" 2>/dev/null || echo "$(date +%T) failed loop=$i $d"
rmdir "$d" 2>/dev/null
done
Failures cluster at the cadence at which the server-side auth/export
cache refresh path causes nfsd to return NFS4ERR_DELAY for CREATE.
A wire trace of one failure (the three CREATE RPCs all come from a
single mkdir(2), generated by the do-while in nfs4_proc_mkdir()):
client -> server CREATE name=... -> NFS4ERR_DELAY
~100 ms later
client -> server CREATE name=... -> NFS4_OK (dir created)
~80 us later
client -> server CREATE name=... -> NFS4ERR_EXIST (correct)
Since commit dd862da61e91 ("nfs: fix incorrect handling of large-number
NFS errors in nfs4_do_mkdir()"), nfs4_handle_exception() is called only
when _nfs4_proc_mkdir() returned an error. That gate breaks retry-state
hygiene: nfs4_do_handle_exception() resets exception.{delay,recovering,
retry} to 0 on entry, so calling it on success is what previously
cleared the retry flag set by the preceding NFS4ERR_DELAY iteration.
With the gate in place, exception.retry stays at 1 after the successful
retry, the loop runs once more, and the resulting CREATE for an
already-created name yields NFS4ERR_EXIST -> -EEXIST to userspace.
Drop the conditional and call nfs4_handle_exception() unconditionally,
matching every other do-while in fs/nfs/nfs4proc.c (nfs4_proc_symlink(),
nfs4_proc_link(), etc.). The dentry/status separation introduced by
that commit is preserved.
Fixes: dd862da61e91 ("nfs: fix incorrect handling of large-number NFS errors in nfs4_do_mkdir()")
Reported-and-tested-by: Jan Čípa <jan.cipa@gooddata.com>
Closes: https://lore.kernel.org/linux-nfs/CA+9S74hSp_tJu2Ffe2BPNC2T25gfkhgjjDkdgSsF5c2rnJq_wA@mail.gmail.com/
Reviewed-by: NeilBrown <neil@brown.name>
Cc: stable@vger.kernel.org
Signed-off-by: Igor Raits <igor.raits@gmail.com>
Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/nfs4proc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -5302,10 +5302,9 @@ static struct dentry *nfs4_proc_mkdir(st
do {
alias = _nfs4_proc_mkdir(dir, dentry, sattr, label, &err);
trace_nfs4_mkdir(dir, &dentry->d_name, err);
+ err = nfs4_handle_exception(NFS_SERVER(dir), err, &exception);
if (err)
- alias = ERR_PTR(nfs4_handle_exception(NFS_SERVER(dir),
- err,
- &exception));
+ alias = ERR_PTR(err);
} while (exception.retry);
nfs4_label_release_security(label);
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 117/120] NFS: Prevent resource leak in nfs_alloc_server()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 116/120] NFSv4: clear exception state on successful mkdir retry Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 118/120] ksmbd: fix out-of-bounds read in smb_check_perm_dacl() Greg Kroah-Hartman
` (8 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Jaillet, Markus Elfring,
Anna Schumaker
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Markus Elfring <elfring@users.sourceforge.net>
commit d189f224308c8ac3feeea8e442c99922bd18f1b2 upstream.
It was overlooked to call ida_free() after a failed nfs_alloc_iostats() call.
Thus add the missed function call in an if branch.
Fixes: 1c7251187dc067a6d460cf33ca67da9c1dd87807 ("NFS: add superblock sysfs entries")
Cc: stable@vger.kernel.org
Reported-by: Christophe Jaillet <christophe.jaillet@wanadoo.fr>
Closes: https://lore.kernel.org/linux-nfs/1c8e10c9-def7-4f0d-8aa1-23c8035a38c8@wanadoo.fr/
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Anna Schumaker <anna.schumaker@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/client.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -1074,6 +1074,7 @@ struct nfs_server *nfs_alloc_server(void
server->io_stats = nfs_alloc_iostats();
if (!server->io_stats) {
+ ida_free(&s_sysfs_ids, server->s_sysfs_id);
kfree(server);
return NULL;
}
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 118/120] ksmbd: fix out-of-bounds read in smb_check_perm_dacl()
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 117/120] NFS: Prevent resource leak in nfs_alloc_server() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 119/120] net/tcp-ao: fix use-after-free of key in del_async path Greg Kroah-Hartman
` (7 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hem Parekh, Namjae Jeon,
Steve French
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hem Parekh <hemparekh1596@gmail.com>
commit 1ef06004ed4bd6d3ed8c840d9d1a376b66d4935b upstream.
The permission-check ACE walk in smb_check_perm_dacl() validates the ACE
header size and caps sid.num_subauth at SID_MAX_SUB_AUTHORITIES, but it
never checks that ace->size is actually large enough to contain
num_subauth sub-authorities before compare_sids() dereferences them.
CIFS_SID_BASE_SIZE covers the SID header up to but excluding the
sub_auth[] array, and offsetof(struct smb_ace, sid) is the ACE header,
so the existing guards only guarantee the 8-byte SID base, i.e. zero
sub-authorities. compare_sids() then reads ace->sid.sub_auth[i] for
i < min(local_sid->num_subauth, ace->sid.num_subauth). The local
comparison SIDs (sid_everyone, sid_unix_NFS_mode, and the id_to_sid()
result) always have at least one sub-authority, and an attacker controls
the ACE revision and authority bytes (which lie within the in-bounds SID
base), so they can match one of those SIDs and force the sub_auth read.
A crafted ACE with size == 16 and num_subauth >= 1 placed at the tail of
the security descriptor therefore causes a heap out-of-bounds read of up
to SID_MAX_SUB_AUTHORITIES * sizeof(__le32) bytes past the pntsd
allocation. The security descriptor is loaded by ksmbd_vfs_get_sd_xattr()
into a buffer sized exactly to the on-disk data (kzalloc(sd_size) in
ndr_decode_v4_ntacl()), so the read lands past the allocation. The
malformed descriptor can be stored verbatim via SMB2_SET_INFO (the DACL
is not normalised before being written to the security.NTACL xattr) and
the read fires on a subsequent SMB2_CREATE access check, making this
reachable by an authenticated client on a share that uses ACL xattrs.
Add the missing num_subauth-versus-ace_size check, mirroring the
identical guards already present in the sibling parsers parse_dacl() and
smb_inherit_dacl().
Fixes: d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()")
Cc: stable@vger.kernel.org
Signed-off-by: Hem Parekh <hemparekh1596@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smbacl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/smb/server/smbacl.c
+++ b/fs/smb/server/smbacl.c
@@ -1477,7 +1477,9 @@ int smb_check_perm_dacl(struct ksmbd_con
break;
aces_size -= ace_size;
- if (ace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES)
+ if (ace->sid.num_subauth > SID_MAX_SUB_AUTHORITIES ||
+ ace_size < offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE +
+ sizeof(__le32) * ace->sid.num_subauth)
break;
if (!compare_sids(&sid, &ace->sid) ||
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 119/120] net/tcp-ao: fix use-after-free of key in del_async path
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 118/120] ksmbd: fix out-of-bounds read in smb_check_perm_dacl() Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 120/120] apparmor: advertise the tcp fast open fix is applied Greg Kroah-Hartman
` (6 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, HanQuan, Eric Dumazet,
Jakub Kicinski
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: HanQuan <eilaimemedsnaimel@gmail.com>
commit 5ba9950bc9078e19b69cca1e56d1553b125c6857 upstream.
In tcp_ao_delete_key(), the del_async path skips the current_key
and rnext_key validity checks present in the synchronous path,
assuming these pointers are always NULL on LISTEN sockets. However,
if a key was added with set_current=1/set_rnext=1 while the socket
was in CLOSE state, current_key and rnext_key will be non-NULL
after listen() transitions the socket to LISTEN.
When such a key is deleted with del_async=1, hlist_del_rcu() and
call_rcu() free the key without clearing the dangling pointers.
After the RCU grace period, getsockopt(TCP_AO_INFO) dereferences
current_key->sndid and rnext_key->rcvid from freed slab memory.
Clear current_key and rnext_key in the del_async path when they
reference the key being deleted.
Fixes: d6732b95b6fb ("net/tcp: Allow asynchronous delete for TCP-AO keys (MKTs)")
Signed-off-by: HanQuan <eilaimemedsnaimel@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260623015208.1191687-1-eilaimemedsnaimel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_ao.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -1776,6 +1776,10 @@ static int tcp_ao_delete_key(struct sock
* them and we can just free all resources in RCU fashion.
*/
if (del_async) {
+ if (ao_info->current_key == key)
+ WRITE_ONCE(ao_info->current_key, NULL);
+ if (ao_info->rnext_key == key)
+ WRITE_ONCE(ao_info->rnext_key, NULL);
atomic_sub(tcp_ao_sizeof_key(key), &sk->sk_omem_alloc);
call_rcu(&key->rcu, tcp_ao_key_free_rcu);
return 0;
^ permalink raw reply [flat|nested] 134+ messages in thread
* [PATCH 7.1 120/120] apparmor: advertise the tcp fast open fix is applied
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 119/120] net/tcp-ao: fix use-after-free of key in del_async path Greg Kroah-Hartman
@ 2026-07-02 16:21 ` Greg Kroah-Hartman
2026-07-02 17:44 ` [PATCH 7.1 000/120] 7.1.3-rc1 review Shuah Khan
` (5 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-02 16:21 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John Johansen
7.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Johansen <john.johansen@canonical.com>
commit 2f6701a5ce6257ae7a64ddc6d89d0a08d2a034f8 upstream.
The fix for tcp-fast-open ensures that the connect permission is being
mediated correctly but it didn't add an artifact to the feature set to
advertise the fix is available. Add an artifact so that the test suite
can identify if the fix has not been properly applied or a new
unexpected regression has occurred.
Fixes: 4d587cd8a7215 ("apparmor: mediate the implicit connect of TCP fast open sendmsg")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/apparmor/net.c | 2 ++
1 file changed, 2 insertions(+)
--- a/security/apparmor/net.c
+++ b/security/apparmor/net.c
@@ -22,12 +22,14 @@
struct aa_sfs_entry aa_sfs_entry_network[] = {
AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK),
+ AA_SFS_FILE_BOOLEAN("tcp-fast-open", 1),
{ }
};
struct aa_sfs_entry aa_sfs_entry_networkv9[] = {
AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK),
AA_SFS_FILE_BOOLEAN("af_unix", 1),
+ AA_SFS_FILE_BOOLEAN("tcp-fast-open", 1),
{ }
};
^ permalink raw reply [flat|nested] 134+ messages in thread
* Re: [PATCH 7.1 000/120] 7.1.3-rc1 review
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-07-02 16:21 ` [PATCH 7.1 120/120] apparmor: advertise the tcp fast open fix is applied Greg Kroah-Hartman
@ 2026-07-02 17:44 ` Shuah Khan
2026-07-02 23:12 ` Peter Schneider
2026-07-02 17:46 ` Ronald Warsow
` (4 subsequent siblings)
125 siblings, 1 reply; 134+ messages in thread
From: Shuah Khan @ 2026-07-02 17:44 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr, Shuah Khan
On 7/2/26 10:19, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 7.1.3 release.
> There are 120 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 04 Jul 2026 15:50:58 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v7.x/stable-review/patch-7.1.3-rc1.gz
I am seeing 404 on this link. Maybe I will it more time for it to show up on
kernel.org
Same with 6.18 link - haven't tried the others.
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 134+ messages in thread
* Re: [PATCH 7.1 000/120] 7.1.3-rc1 review
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-07-02 17:44 ` [PATCH 7.1 000/120] 7.1.3-rc1 review Shuah Khan
@ 2026-07-02 17:46 ` Ronald Warsow
2026-07-02 19:46 ` Brett A C Sheffield
` (3 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Ronald Warsow @ 2026-07-02 17:46 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
conor, hargar, broonie, achill, sr
Hi
kernel build / boot test on x86_64.
No regressions here.
Thanks
Tested-by: Ronald Warsow <rwarsow@gmx.de>
^ permalink raw reply [flat|nested] 134+ messages in thread
* Re: [PATCH 7.1 000/120] 7.1.3-rc1 review
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-07-02 17:46 ` Ronald Warsow
@ 2026-07-02 19:46 ` Brett A C Sheffield
2026-07-03 0:09 ` Peter Schneider
` (2 subsequent siblings)
125 siblings, 0 replies; 134+ messages in thread
From: Brett A C Sheffield @ 2026-07-02 19:46 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 7.1.3-rc1-g5837b6ec156c #1 SMP PREEMPT_DYNAMIC Thu Jul 2 19:39:10 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 134+ messages in thread
* Re: [PATCH 7.1 000/120] 7.1.3-rc1 review
2026-07-02 17:44 ` [PATCH 7.1 000/120] 7.1.3-rc1 review Shuah Khan
@ 2026-07-02 23:12 ` Peter Schneider
0 siblings, 0 replies; 134+ messages in thread
From: Peter Schneider @ 2026-07-02 23:12 UTC (permalink / raw)
To: Shuah Khan, Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
Am 02.07.2026 um 19:44 schrieb Shuah Khan:
> On 7/2/26 10:19, Greg Kroah-Hartman wrote:
>> This is the start of the stable review cycle for the 7.1.3 release.
>> There are 120 patches in this series, all will be posted as a response
>> to this one. If anyone has any issues with these being applied, please
>> let me know.
>>
>> Responses should be made by Sat, 04 Jul 2026 15:50:58 +0000.
>> Anything received after that time might be too late.
>>
>> The whole patch series can be found in one patch at:
>> https://www.kernel.org/pub/linux/kernel/v7.x/stable-review/patch-7.1.3-rc1.gz
>
> I am seeing 404 on this link. Maybe I will it more time for it to show up on
> kernel.org
>
> Same with 6.18 link - haven't tried the others.
>
> thanks,
> -- Shuah
LWN has the story that there was a mirroring issue due to a misconfiguration which led to the deletion of everything
under /pub on the public mirrors only, and that Konstantin is working on restoring everything.
https://lwn.net/Articles/1081015/
This is the ticket status at Linux Foundation:
https://status.linuxfoundation.org/incidents/3y1k8b4ky71t
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 134+ messages in thread
* Re: [PATCH 7.1 000/120] 7.1.3-rc1 review
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-07-02 19:46 ` Brett A C Sheffield
@ 2026-07-03 0:09 ` Peter Schneider
2026-07-03 0:15 ` Miguel Ojeda
2026-07-03 5:41 ` Ron Economos
125 siblings, 0 replies; 134+ messages in thread
From: Peter Schneider @ 2026-07-03 0:09 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
Am 02.07.2026 um 18:19 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 7.1.3 release.
> There are 120 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 134+ messages in thread
* Re: [PATCH 7.1 000/120] 7.1.3-rc1 review
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-07-03 0:09 ` Peter Schneider
@ 2026-07-03 0:15 ` Miguel Ojeda
2026-07-03 5:38 ` Greg KH
2026-07-04 2:05 ` Sasha Levin
2026-07-03 5:41 ` Ron Economos
125 siblings, 2 replies; 134+ messages in thread
From: Miguel Ojeda @ 2026-07-03 0:15 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Thu, 02 Jul 2026 18:19:56 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 7.1.3 release.
> There are 120 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 04 Jul 2026 15:50:58 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; built-tested
for loongarch64 and arm32:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
It would be nice to get this one in for 6.18 and 7.1:
3fff4271809b ("rust: str: clean unused import for Rust >= 1.98")
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 134+ messages in thread
* Re: [PATCH 7.1 097/120] riscv: kfence: Call mark_new_valid_map() for kfence_unprotect()
2026-07-02 16:21 ` [PATCH 7.1 097/120] riscv: kfence: Call mark_new_valid_map() for kfence_unprotect() Greg Kroah-Hartman
@ 2026-07-03 5:05 ` Vivian Wang
2026-07-03 7:26 ` Greg Kroah-Hartman
0 siblings, 1 reply; 134+ messages in thread
From: Vivian Wang @ 2026-07-03 5:05 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable; +Cc: patches, Yanko Kaneti, Paul Walmsley
On 7/3/26 00:21, Greg Kroah-Hartman wrote:
> 7.1-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Vivian Wang <wangruikang@iscas.ac.cn>
>
> commit 8d6c8c40e733b3fcaf92fed0a078bba2f6941a3b upstream.
> [...]
>
> --- a/arch/riscv/include/asm/kfence.h
> +++ b/arch/riscv/include/asm/kfence.h
>
> [...]
>
> - if (protect)
> + if (protect) {
> set_pte(pte, __pte(pte_val(ptep_get(pte)) & ~_PAGE_PRESENT));
> - else
> + } else {
> set_pte(pte, __pte(pte_val(ptep_get(pte)) | _PAGE_PRESENT));
> + mark_new_valid_map();
Please also backport this commit's parent, the introduction of
mark_new_valid_map():
9ee25d0a70ff4494b4e1d266b962d0a574ef318a ("riscv: mm: Extract helper mark_new_valid_map()")
before this patch.
IIUC this is needed on 6.12.y, 6.18.y, 7.1.y.
Thanks,
Vivian "dramforever" Wang
^ permalink raw reply [flat|nested] 134+ messages in thread
* Re: [PATCH 7.1 000/120] 7.1.3-rc1 review
2026-07-03 0:15 ` Miguel Ojeda
@ 2026-07-03 5:38 ` Greg KH
2026-07-04 2:05 ` Sasha Levin
1 sibling, 0 replies; 134+ messages in thread
From: Greg KH @ 2026-07-03 5:38 UTC (permalink / raw)
To: Miguel Ojeda
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds
On Fri, Jul 03, 2026 at 02:15:46AM +0200, Miguel Ojeda wrote:
> On Thu, 02 Jul 2026 18:19:56 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> >
> > This is the start of the stable review cycle for the 7.1.3 release.
> > There are 120 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 04 Jul 2026 15:50:58 +0000.
> > Anything received after that time might be too late.
>
> Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; built-tested
> for loongarch64 and arm32:
>
> Tested-by: Miguel Ojeda <ojeda@kernel.org>
>
> It would be nice to get this one in for 6.18 and 7.1:
>
> 3fff4271809b ("rust: str: clean unused import for Rust >= 1.98")
It will get there eventually, my backlog right now is huge...
^ permalink raw reply [flat|nested] 134+ messages in thread
* Re: [PATCH 7.1 000/120] 7.1.3-rc1 review
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-07-03 0:15 ` Miguel Ojeda
@ 2026-07-03 5:41 ` Ron Economos
2026-07-03 7:26 ` Greg Kroah-Hartman
125 siblings, 1 reply; 134+ messages in thread
From: Ron Economos @ 2026-07-03 5:41 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 7/2/26 09:19, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 7.1.3 release.
> There are 120 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 04 Jul 2026 15:50:58 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v7.x/stable-review/patch-7.1.3-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-7.1.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
The build is broken on RISC-V with:
In file included from mm/kfence/core.c:36:
./arch/riscv/include/asm/kfence.h: In function 'kfence_protect_page':
./arch/riscv/include/asm/kfence.h:25:17: error: implicit declaration of function 'mark_new_valid_map' [-Wimplicit-function-declaration]
25 | mark_new_valid_map();
| ^~~~~~~~~~~~~~~~~~
This is caused by commit "riscv: kfence: Call mark_new_valid_map() for kfence_unprotect()" 66fcdb7f71b9d3d32828130cf5895adea059016d
As already reported by https://lore.kernel.org/stable/6c5c0723-66c6-4f9f-8021-2562efc95c6e@iscas.ac.cn/, upstream commit "riscv: mm:
Extract helper mark_new_valid_map()" 9ee25d0a70ff4494b4e1d266b962d0a574ef318a solves the issue. This commit cherry picks successfully.
^ permalink raw reply [flat|nested] 134+ messages in thread
* Re: [PATCH 7.1 097/120] riscv: kfence: Call mark_new_valid_map() for kfence_unprotect()
2026-07-03 5:05 ` Vivian Wang
@ 2026-07-03 7:26 ` Greg Kroah-Hartman
0 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-03 7:26 UTC (permalink / raw)
To: Vivian Wang; +Cc: stable, patches, Yanko Kaneti, Paul Walmsley
On Fri, Jul 03, 2026 at 01:05:30PM +0800, Vivian Wang wrote:
> On 7/3/26 00:21, Greg Kroah-Hartman wrote:
>
> > 7.1-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Vivian Wang <wangruikang@iscas.ac.cn>
> >
> > commit 8d6c8c40e733b3fcaf92fed0a078bba2f6941a3b upstream.
> > [...]
> >
> > --- a/arch/riscv/include/asm/kfence.h
> > +++ b/arch/riscv/include/asm/kfence.h
> >
> > [...]
> >
> > - if (protect)
> > + if (protect) {
> > set_pte(pte, __pte(pte_val(ptep_get(pte)) & ~_PAGE_PRESENT));
> > - else
> > + } else {
> > set_pte(pte, __pte(pte_val(ptep_get(pte)) | _PAGE_PRESENT));
> > + mark_new_valid_map();
>
> Please also backport this commit's parent, the introduction of
> mark_new_valid_map():
>
> 9ee25d0a70ff4494b4e1d266b962d0a574ef318a ("riscv: mm: Extract helper mark_new_valid_map()")
>
> before this patch.
>
> IIUC this is needed on 6.12.y, 6.18.y, 7.1.y.
Now fixed up, thanks!
greg k-h
^ permalink raw reply [flat|nested] 134+ messages in thread
* Re: [PATCH 7.1 000/120] 7.1.3-rc1 review
2026-07-03 5:41 ` Ron Economos
@ 2026-07-03 7:26 ` Greg Kroah-Hartman
0 siblings, 0 replies; 134+ messages in thread
From: Greg Kroah-Hartman @ 2026-07-03 7:26 UTC (permalink / raw)
To: Ron Economos
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Thu, Jul 02, 2026 at 10:41:41PM -0700, Ron Economos wrote:
> On 7/2/26 09:19, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 7.1.3 release.
> > There are 120 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 04 Jul 2026 15:50:58 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v7.x/stable-review/patch-7.1.3-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-7.1.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> >
> The build is broken on RISC-V with:
>
> In file included from mm/kfence/core.c:36:
> ./arch/riscv/include/asm/kfence.h: In function 'kfence_protect_page':
> ./arch/riscv/include/asm/kfence.h:25:17: error: implicit declaration of function 'mark_new_valid_map' [-Wimplicit-function-declaration]
> 25 | mark_new_valid_map();
> | ^~~~~~~~~~~~~~~~~~
>
> This is caused by commit "riscv: kfence: Call mark_new_valid_map() for kfence_unprotect()" 66fcdb7f71b9d3d32828130cf5895adea059016d
>
> As already reported by https://lore.kernel.org/stable/6c5c0723-66c6-4f9f-8021-2562efc95c6e@iscas.ac.cn/,
> upstream commit "riscv: mm: Extract helper mark_new_valid_map()"
> 9ee25d0a70ff4494b4e1d266b962d0a574ef318a solves the issue. This commit
> cherry picks successfully.
Let me go do this and push out some -rc2 releases, thanks!
greg k-h
^ permalink raw reply [flat|nested] 134+ messages in thread
* Re: [PATCH 7.1 000/120] 7.1.3-rc1 review
2026-07-03 0:15 ` Miguel Ojeda
2026-07-03 5:38 ` Greg KH
@ 2026-07-04 2:05 ` Sasha Levin
2026-07-04 12:24 ` Miguel Ojeda
1 sibling, 1 reply; 134+ messages in thread
From: Sasha Levin @ 2026-07-04 2:05 UTC (permalink / raw)
To: gregkh
Cc: Sasha Levin, achill, akpm, broonie, conor, f.fainelli, hargar,
jonathanh, linux-kernel, linux, lkft-triage, patches, patches,
pavel, rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Thu, Jul 03, 2026 at 02:15:46AM +0200, Miguel Ojeda wrote:
> It would be nice to get this one in for 6.18 and 7.1:
>
> 3fff4271809b ("rust: str: clean unused import for Rust >= 1.98")
Queued for 7.1.y and 6.18.y (along with its imports-style prerequisite),
thanks!
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 134+ messages in thread
* Re: [PATCH 7.1 000/120] 7.1.3-rc1 review
2026-07-04 2:05 ` Sasha Levin
@ 2026-07-04 12:24 ` Miguel Ojeda
0 siblings, 0 replies; 134+ messages in thread
From: Miguel Ojeda @ 2026-07-04 12:24 UTC (permalink / raw)
To: Sasha Levin
Cc: gregkh, achill, akpm, broonie, conor, f.fainelli, hargar,
jonathanh, linux-kernel, linux, lkft-triage, patches, patches,
pavel, rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Sat, Jul 4, 2026 at 4:05 AM Sasha Levin <sashal@kernel.org> wrote:
>
> Queued for 7.1.y and 6.18.y (along with its imports-style prerequisite),
> thanks!
Ah, thanks for dealing with the imports bit!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 134+ messages in thread
end of thread, other threads:[~2026-07-04 12:25 UTC | newest]
Thread overview: 134+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-02 16:19 [PATCH 7.1 000/120] 7.1.3-rc1 review Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 001/120] KVM: x86: Fix shadow paging use-after-free due to unexpected role Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 002/120] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 7.1 003/120] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 004/120] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 005/120] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 006/120] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 007/120] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 008/120] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 009/120] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 010/120] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 011/120] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 012/120] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 013/120] batman-adv: gw: dont deselect gateway with active hardif Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 014/120] batman-adv: ensure bcast is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 015/120] batman-adv: fix (m|b)cast csum after decrementing TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 016/120] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 017/120] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 018/120] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 019/120] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 020/120] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 021/120] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 022/120] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 023/120] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 024/120] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 025/120] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 026/120] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 027/120] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 028/120] ipv6: account for fraggap on the paged allocation path Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 029/120] ipv4: " Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 030/120] ntfs3: reject direct userspace writes to reserved $LX* xattrs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 031/120] wifi: mt76: add wcid publish check in mt76_sta_add Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 032/120] mac802154: llsec: add skb_cow_data() before in-place crypto Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 033/120] net: skmsg: preserve sg.copy across SG transforms Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 034/120] net: ip_gre: require CAP_NET_ADMIN in the device netns for changelink Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 035/120] PCI/P2PDMA: Add Intel QAT, DSA, IAA devices to whitelist Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 036/120] apparmor: mediate the implicit connect of TCP fast open sendmsg Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 037/120] apparmor: fix use-after-free in rawdata dedup loop Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 038/120] NTB: epf: Avoid pci_iounmap() with offset when PEER_SPAD and CONFIG share BAR Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 039/120] fbdev: fix use-after-free in store_modes() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 040/120] fscrypt: Fix key setup in edge case with multiple data unit sizes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 041/120] block: invalidate cached plug timestamp after task switch Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 042/120] KVM: arm64: Omit tag sync on stage-2 mappings of the zero page Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 043/120] err.h: use __always_inline on all error pointer helpers Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 044/120] gcov: use atomic counter updates to fix concurrent access crashes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 045/120] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 046/120] keys: Pin request_key_auth payload in instantiate paths Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 047/120] userfaultfd: ensure mremap_userfaultfd_fail() releases mmap_changing Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 048/120] userfaultfd: build __VMA_UFFD_FLAGS from config-gated masks Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 049/120] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 050/120] wifi: mt76: mt7925: dont disable AP BSS when removing TDLS peer Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 051/120] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 052/120] wifi: rtl8xxxu: Detect the maximum supported channel width Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 053/120] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 054/120] wifi: rtw88: increase TX report timeout to fix race condition Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 055/120] wifi: rtw88: usb: fix memory leaks on USB write failures Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 056/120] wifi: iwlwifi: mvm: fix race condition in PTP removal Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 057/120] wifi: iwlwifi: mld: " Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 058/120] wifi: iwlwifi: mld: validate sta_mask before ffs() in BA session handlers Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 059/120] f2fs: fix missing read bio submission on large folio error Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 060/120] f2fs: pass correct iostat type for single node writes Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 061/120] f2fs: reject setattr size changes on large folio files Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 062/120] f2fs: fix to do sanity check on f2fs_get_node_folio_ra() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 7.1 063/120] f2fs: validate orphan inode entry count Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 064/120] f2fs: validate compress cache inode only when enabled Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 065/120] f2fs: atomic: fix UAF issue on f2fs_inode_info.atomic_inode Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 066/120] f2fs: fix to round down start offset of fallocate for pin file Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 067/120] f2fs: bound i_inline_xattr_size for non-inline-xattr inodes Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 068/120] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 069/120] Revert "f2fs: remove non-uptodate folio from the page cache in move_data_block" Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 070/120] f2fs: fix incorrect FI_NO_EXTENT handling in __destroy_extent_node() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 071/120] f2fs: keep atomic write retry from zeroing original data Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 072/120] f2fs: read COW data with the original inode during atomic write Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 073/120] block: Avoid mounting the bdev pseudo-filesystem in userspace Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 074/120] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 075/120] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 076/120] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 077/120] KVM: x86/mmu: Ensure hugepage is in by slot before checking max mapping level Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 078/120] KVM: Replace guest-triggerable BUG_ON() in ioeventfd datamatch with get_unaligned() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 079/120] crypto: nx - fix nx_crypto_ctx_exit argument Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 080/120] gfs2: fix use-after-free in gfs2_qd_dealloc Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 081/120] pwrseq: core: fix use-after-free in pwrseq_debugfs_seq_next() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 082/120] hdlc_ppp: sync per-proto timers before freeing hdlc state Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 083/120] blk-cgroup: fix UAF in __blkcg_rstat_flush() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 084/120] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 085/120] LoongArch: Report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 086/120] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 087/120] sched/mmcid: Fix OOB clear_bit when CID is MM_CID_UNSET in fixup path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 088/120] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 089/120] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 090/120] rpmsg: char: Fix use-after-free on probe error path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 091/120] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 092/120] 9p: avoid putting oldfid in p9_client_walk() error path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 093/120] MIPS: smp: report dying CPU to RCU in stop_this_cpu() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 094/120] KVM: x86: hyper-v: Bound the bank index when querying sparse banks Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 095/120] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 096/120] power: reset: linkstation-poweroff: fix use-after-free in the linkstation_poweroff_init() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 097/120] riscv: kfence: Call mark_new_valid_map() for kfence_unprotect() Greg Kroah-Hartman
2026-07-03 5:05 ` Vivian Wang
2026-07-03 7:26 ` Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 098/120] ntfs: serialize volume label accesses Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 099/120] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 100/120] fbdev: fbcon: fix out-of-bounds read in err_out of fbcon_do_set_font() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 101/120] fbdev: omap2: fix use-after-free in omapfb_mmap Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 102/120] fbdev: modedb: fix a possible UAF in fb_find_mode() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 103/120] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 104/120] i2c: core: fix adapter registration race Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 105/120] nfsd: release layout stid on setlease failure Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 106/120] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 107/120] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 108/120] nfsd: fix inverted cp_ttl check in async copy reaper Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 109/120] nfsd: fix posix_acl leak and ignored error in nfsd4_create_file Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 110/120] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 111/120] nfsd: fix dead ACL conflict guard in nfsd4_create Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 112/120] nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 113/120] nfsd: reset write verifier on deferred writeback errors Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 114/120] NFSv4/flexfiles: reject zero filehandle version count Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 115/120] NFSv4/pNFS: reject zero-length r_addr in nfs4_decode_mp_ds_addr Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 116/120] NFSv4: clear exception state on successful mkdir retry Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 117/120] NFS: Prevent resource leak in nfs_alloc_server() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 118/120] ksmbd: fix out-of-bounds read in smb_check_perm_dacl() Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 119/120] net/tcp-ao: fix use-after-free of key in del_async path Greg Kroah-Hartman
2026-07-02 16:21 ` [PATCH 7.1 120/120] apparmor: advertise the tcp fast open fix is applied Greg Kroah-Hartman
2026-07-02 17:44 ` [PATCH 7.1 000/120] 7.1.3-rc1 review Shuah Khan
2026-07-02 23:12 ` Peter Schneider
2026-07-02 17:46 ` Ronald Warsow
2026-07-02 19:46 ` Brett A C Sheffield
2026-07-03 0:09 ` Peter Schneider
2026-07-03 0:15 ` Miguel Ojeda
2026-07-03 5:38 ` Greg KH
2026-07-04 2:05 ` Sasha Levin
2026-07-04 12:24 ` Miguel Ojeda
2026-07-03 5:41 ` Ron Economos
2026-07-03 7:26 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox