* RE: [PATCH] tipc: crypto: require a NUL-terminated AEAD algorithm name
From: Tung Quang Nguyen @ 2026-04-17 11:25 UTC (permalink / raw)
To: Pengpeng Hou
Cc: Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman,
netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
David S. Miller, Jon Maloy
In-Reply-To: <20260417075353.30662-1-pengpeng@iscas.ac.cn>
>Subject: [PATCH] tipc: crypto: require a NUL-terminated AEAD algorithm name
>
>struct tipc_aead_key carries alg_name in a fixed 32-byte field, but both the
>generic netlink validation path and the MSG_CRYPTO receive path pass that
>field straight to crypto_has_alg(), strcmp(), and
>crypto_alloc_aead() without first proving that it contains a terminating NUL.
>
This is not correct. TIPC guarantees the algorithm string is nul-terminated one.
>Reject locally supplied and received keys whose algorithm name fills the entire
>fixed-width field without a terminator.
>
>Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication")
>Cc: stable@vger.kernel.org
>
>Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
>---
> net/tipc/crypto.c | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
>diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c index
>6d3b6b89b1d1..60110ea0fe7c 100644
>--- a/net/tipc/crypto.c
>+++ b/net/tipc/crypto.c
>@@ -307,6 +307,11 @@ static void tipc_crypto_work_tx(struct work_struct
>*work); static void tipc_crypto_work_rx(struct work_struct *work); static int
>tipc_aead_key_generate(struct tipc_aead_key *skey);
>
>+static bool tipc_aead_alg_name_valid(const char *alg_name) {
>+ return strnlen(alg_name, TIPC_AEAD_ALG_NAME) <
>TIPC_AEAD_ALG_NAME; }
>+
This is not needed because TIPC only supports one algorithm name "gcm(aes)" which is 8-byte length.
> #define is_tx(crypto) (!(crypto)->node) #define is_rx(crypto) (!is_tx(crypto))
>
>@@ -335,6 +340,11 @@ int tipc_aead_key_validate(struct tipc_aead_key
>*ukey, struct genl_info *info) {
> int keylen;
>
>+ if (unlikely(!tipc_aead_alg_name_valid(ukey->alg_name))) {
>+ GENL_SET_ERR_MSG(info, "algorithm name is not NUL-
>terminated");
>+ return -EINVAL;
>+ }
>+
This is not needed because the system guarantees that the string passed from user-space is nul-terminated one.
> /* Check if algorithm exists */
> if (unlikely(!crypto_has_alg(ukey->alg_name, 0, 0))) {
> GENL_SET_ERR_MSG(info, "unable to load the algorithm
>(module existed?)"); @@ -2298,6 +2308,10 @@ static bool
>tipc_crypto_key_rcv(struct tipc_crypto *rx, struct tipc_msg *hdr)
> pr_debug("%s: invalid MSG_CRYPTO key size\n", rx->name);
> goto exit;
> }
>+ if (unlikely(!tipc_aead_alg_name_valid(data))) {
>+ pr_debug("%s: invalid MSG_CRYPTO algorithm name\n", rx-
>>name);
>+ goto exit;
>+ }
This is not needed as explained above.
>
> spin_lock(&rx->lock);
> if (unlikely(rx->skey || (key_gen == rx->key_gen && rx->key.keys))) {
>--
>2.50.1 (Apple Git-155)
>
^ permalink raw reply
* [PATCH] pmdomain: core: Fix detach procedure for virtual devices in genpd
From: Ulf Hansson @ 2026-04-17 11:13 UTC (permalink / raw)
To: Geert Uytterhoeven, Ulf Hansson, linux-pm
Cc: Geert Uytterhoeven, Frank Binns, Matt Coster, Marek Vasut,
Rafael J . Wysocki, linux-arm-kernel, linux-kernel, Ulf Hansson,
stable
If a device is attached to a PM domain through genpd_dev_pm_attach_by_id(),
genpd calls pm_runtime_enable() for the corresponding virtual device that
it registers. While this avoids boilerplate code in drivers, there is no
corresponding call to pm_runtime_disable() in genpd_dev_pm_detach().
This means these virtual devices are typically detached from its genpd,
while runtime PM remains enabled for them, which is not how things are
designed to work. In worst cases it may lead to critical errors, like a
NULL pointer dereference bug in genpd_runtime_suspend(), which was recently
reported. For another case, we may end up keeping an unnecessary vote for a
performance state for the device.
To fix these problems, let's add this missing call to pm_runtime_disable()
in genpd_dev_pm_detach().
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Fixes: 3c095f32a92b ("PM / Domains: Add support for multi PM domains per device to genpd")
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/CAMuHMdWapT40hV3c+CSBqFOW05aWcV1a6v_NiJYgoYi0i9_PDQ@mail.gmail.com/
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
---
drivers/pmdomain/core.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/pmdomain/core.c b/drivers/pmdomain/core.c
index 4d32fc676aaf..71e930e80178 100644
--- a/drivers/pmdomain/core.c
+++ b/drivers/pmdomain/core.c
@@ -3089,6 +3089,7 @@ static const struct bus_type genpd_bus_type = {
static void genpd_dev_pm_detach(struct device *dev, bool power_off)
{
struct generic_pm_domain *pd;
+ bool is_virt_dev;
unsigned int i;
int ret = 0;
@@ -3098,6 +3099,13 @@ static void genpd_dev_pm_detach(struct device *dev, bool power_off)
dev_dbg(dev, "removing from PM domain %s\n", pd->name);
+ /* Check if the device was created by genpd at attach. */
+ is_virt_dev = dev->bus == &genpd_bus_type;
+
+ /* Disable runtime PM if we enabled it at attach. */
+ if (is_virt_dev)
+ pm_runtime_disable(dev);
+
/* Drop the default performance state */
if (dev_gpd_data(dev)->default_pstate) {
dev_pm_genpd_set_performance_state(dev, 0);
@@ -3123,7 +3131,7 @@ static void genpd_dev_pm_detach(struct device *dev, bool power_off)
genpd_queue_power_off_work(pd);
/* Unregister the device if it was created by genpd. */
- if (dev->bus == &genpd_bus_type)
+ if (is_virt_dev)
device_unregister(dev);
}
--
2.43.0
^ permalink raw reply related
* [PATCH v3 2/2] wifi: b43legacy: enforce bounds check on firmware key index in RX path
From: Tristan Madani @ 2026-04-17 11:11 UTC (permalink / raw)
To: linux-wireless; +Cc: johannes, jonas.gorski, m, b43-dev, stable
In-Reply-To: <20260417111145.2694196-1-tristmd@gmail.com>
From: Tristan Madani <tristan@talencesecurity.com>
Same fix as b43: the firmware-controlled key index in b43legacy_rx()
can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is
non-enforcing in production builds, allowing an out-of-bounds read of
dev->key[].
Make the check enforcing by dropping the frame for invalid indices.
Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/net/wireless/broadcom/b43legacy/xmit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/b43legacy/xmit.c b/drivers/net/wireless/broadcom/b43legacy/xmit.c
index efd63f4ce..ee199d4ea 100644
--- a/drivers/net/wireless/broadcom/b43legacy/xmit.c
+++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c
@@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev *dev,
* key index, but the ucode passed it slightly different.
*/
keyidx = b43legacy_kidx_to_raw(dev, keyidx);
- B43legacy_WARN_ON(keyidx >= dev->max_nr_keys);
+ if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys))
+ goto drop;
if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) {
/* Remove PROTECTED flag to mark it as decrypted. */
--
2.47.3
^ permalink raw reply related
* [PATCH v3 1/2] wifi: b43: enforce bounds check on firmware key index in b43_rx()
From: Tristan Madani @ 2026-04-17 11:11 UTC (permalink / raw)
To: linux-wireless; +Cc: johannes, jonas.gorski, m, b43-dev, stable
From: Tristan Madani <tristan@talencesecurity.com>
The firmware-controlled key index in b43_rx() can exceed the dev->key[]
array size (58 entries). The existing B43_WARN_ON is non-enforcing in
production builds, allowing an out-of-bounds read.
Make the B43_WARN_ON check enforcing by dropping the frame when the
firmware returns an invalid key index.
Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Michael Büsch <m@bues.ch>
Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/net/wireless/broadcom/b43/xmit.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/b43/xmit.c b/drivers/net/wireless/broadcom/b43/xmit.c
index 7651b1bdb..f0b082596 100644
--- a/drivers/net/wireless/broadcom/b43/xmit.c
+++ b/drivers/net/wireless/broadcom/b43/xmit.c
@@ -702,7 +702,8 @@ void b43_rx(struct b43_wldev *dev, struct sk_buff *skb, const void *_rxhdr)
* key index, but the ucode passed it slightly different.
*/
keyidx = b43_kidx_to_raw(dev, keyidx);
- B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
+ if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
+ goto drop;
if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
wlhdr_len = ieee80211_hdrlen(fctl);
--
2.47.3
^ permalink raw reply related
* [PATCH] ASoC: ES8389: convert to devm_clk_get_optional() to get clock
From: Li Jian @ 2026-04-17 10:53 UTC (permalink / raw)
To: linux-kernel
Cc: lgirdwood, loongarch, chenhuacai, zhoubinbin, jeffbai, Li Jian,
stable, Mark Brown, Jaroslav Kysela, Takashi Iwai, Zhang Yi,
Charles Keepax, Kuninori Morimoto, Alexandru Ardelean,
Jonathan Cameron, Stephen Boyd, Uwe Kleine-König,
linux-sound
When enabling ES8390 via ACPI description, es8389 would fail to
obtain a clock source, causing the driver to fail to initialize.
This was not an issue with older kernels, but since commit
abae8e57e49a ("clk: generalize devm_clk_get() a bit"),
devm_clk_get() would return an error pointer when a clock source
was not detected (instead of falling back to a static clock),
causing the driver to fail early.
Use devm_clk_get_optional() instead to return to the previous
behaviour, allowing the use of a static clock source.
Cc: stable@vger.kernel.org
Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
Signed-off-by: Li Jian <lazycat-xiao@foxmail.com>
---
sound/soc/codecs/es8389.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/es8389.c b/sound/soc/codecs/es8389.c
index 8d418cae3..449d9574b 100644
--- a/sound/soc/codecs/es8389.c
+++ b/sound/soc/codecs/es8389.c
@@ -892,7 +892,7 @@ static int es8389_probe(struct snd_soc_component *component)
return ret;
}
- es8389->mclk = devm_clk_get(component->dev, "mclk");
+ es8389->mclk = devm_clk_get_optional(component->dev, "mclk");
if (IS_ERR(es8389->mclk))
return dev_err_probe(component->dev, PTR_ERR(es8389->mclk),
"ES8389 is unable to get mclk\n");
--
2.47.3
^ permalink raw reply related
* [PATCH v3] Bluetooth: hci_bcm4377: validate firmware event length in completion ring
From: Tristan Madani @ 2026-04-17 10:46 UTC (permalink / raw)
To: linux-bluetooth; +Cc: luiz.dentz, marcel, sven, marcan, asahi, stable
From: Tristan Madani <tristan@talencesecurity.com>
The firmware-controlled entry->len is used as the memcpy size for inline
payload data without bounds checking when the PAYLOAD_MAPPED flag is not
set. This causes out-of-bounds reads from the completion ring DMA memory
for the HCI_D2H and SCO_D2H transfer rings.
Add a length validation against the completion ring payload_size.
Fixes: 8a06127602de ("Bluetooth: hci_bcm4377: Add new driver for BCM4377 PCIe boards")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/bluetooth/hci_bcm4377.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/bluetooth/hci_bcm4377.c b/drivers/bluetooth/hci_bcm4377.c
index 925d0a635..5d2f594c2 100644
--- a/drivers/bluetooth/hci_bcm4377.c
+++ b/drivers/bluetooth/hci_bcm4377.c
@@ -755,6 +755,13 @@ static void bcm4377_handle_completion(struct bcm4377_data *bcm4377,
msg_id = le16_to_cpu(entry->msg_id);
transfer_ring = le16_to_cpu(entry->ring_id);
+ if (data_len > ring->payload_size) {
+ dev_warn(&bcm4377->pdev->dev,
+ "event data len %zu exceeds payload size %zu for ring %d\n",
+ data_len, ring->payload_size, ring->ring_id);
+ return;
+ }
+
if ((ring->transfer_rings & BIT(transfer_ring)) == 0) {
dev_warn(
&bcm4377->pdev->dev,
--
2.47.3
^ permalink raw reply related
* [PATCH v3] Bluetooth: btmtk: validate WMT event SKB length before struct access
From: Tristan Madani @ 2026-04-17 10:29 UTC (permalink / raw)
To: linux-bluetooth
Cc: luiz.dentz, marcel, sean.wang, mark-yw.chen, linux-mediatek,
stable
From: Tristan Madani <tristan@talencesecurity.com>
btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to
struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc
(9 bytes) without first checking that the SKB contains enough data.
A short firmware response causes out-of-bounds reads from SKB tailroom.
Add length validation before each struct access to prevent OOB reads
from malformed WMT event responses.
Fixes: d019930b0049 ("Bluetooth: btmtk: move btusb_mtk_hci_wmt_sync to btmtk.c")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/bluetooth/btmtk.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index 6fb6ca274..b1a96ebae 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -695,6 +695,12 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
if (data->evt_skb == NULL)
goto err_free_wc;
+ /* Validate SKB length before accessing WMT event structs */
+ if (data->evt_skb->len < sizeof(*wmt_evt)) {
+ err = -EINVAL;
+ goto err_free_skb;
+ }
+
/* Parse and handle the return WMT event */
wmt_evt = (struct btmtk_hci_wmt_evt *)data->evt_skb->data;
if (wmt_evt->whdr.op != hdr->op) {
@@ -712,6 +718,10 @@ static int btmtk_usb_hci_wmt_sync(struct hci_dev *hdev,
status = BTMTK_WMT_PATCH_DONE;
break;
case BTMTK_WMT_FUNC_CTRL:
+ if (data->evt_skb->len < sizeof(*wmt_evt_funcc)) {
+ err = -EINVAL;
+ goto err_free_skb;
+ }
wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
if (be16_to_cpu(wmt_evt_funcc->status) == 0x404)
status = BTMTK_WMT_ON_DONE;
--
2.47.3
^ permalink raw reply related
* [PATCH] ASoC: ES8389: convert to devm_clk_get_optional() to get clock
From: Li Jian @ 2026-04-17 10:16 UTC (permalink / raw)
To: lazycat-xiao; +Cc: stable
When enabling ES8390 via ACPI description, es8389 would fail to
obtain a clock source, causing the driver to fail to initialize.
This was not an issue with older kernels, but since commit
abae8e57e49a ("clk: generalize devm_clk_get() a bit"),
devm_clk_get() would return an error pointer when a clock source
was not detected (instead of falling back to a static clock),
causing the driver to fail early.
Use devm_clk_get_optional() instead to return to the previous
behaviour, allowing the use of a static clock source.
Cc: stable@vger.kernel.org
Fixes: abae8e57e49a ("clk: generalize devm_clk_get() a bit")
Signed-off-by: Li Jian <lazycat-xiao@foxmail.com>
---
sound/soc/codecs/es8389.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/es8389.c b/sound/soc/codecs/es8389.c
index 8d418cae3..449d9574b 100644
--- a/sound/soc/codecs/es8389.c
+++ b/sound/soc/codecs/es8389.c
@@ -892,7 +892,7 @@ static int es8389_probe(struct snd_soc_component *component)
return ret;
}
- es8389->mclk = devm_clk_get(component->dev, "mclk");
+ es8389->mclk = devm_clk_get_optional(component->dev, "mclk");
if (IS_ERR(es8389->mclk))
return dev_err_probe(component->dev, PTR_ERR(es8389->mclk),
"ES8389 is unable to get mclk\n");
--
2.47.3
^ permalink raw reply related
* Re: [PATCH] powerpc/fadump: reject empty bootargs_append writes
From: Sourabh Jain @ 2026-04-17 9:30 UTC (permalink / raw)
To: Pengpeng Hou, Madhavan Srinivasan, Michael Ellerman
Cc: Nicholas Piggin, Christophe Leroy (CS GROUP), Hari Bathini,
Jiri Bohac, Shrikanth Hegde, linuxppc-dev, linux-kernel, stable
In-Reply-To: <20260417073907.4985-1-pengpeng@iscas.ac.cn>
On 17/04/26 13:09, Pengpeng Hou wrote:
> bootargs_append_store() indexes params[count - 1] when stripping a
> trailing newline from the sysfs write buffer.
>
> kernfs passes zero-length writes through to the store callback, so an
> empty write makes that newline check read before the start of params.
>
> Reject empty writes before looking at the last input byte.
>
> Fixes: 683eab94da75 ("powerpc/fadump: setup additional parameters for dump capture kernel")
> Cc: stable@vger.kernel.org
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
> arch/powerpc/kernel/fadump.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
> index 4ebc333dd786..03ab5565e420 100644
> --- a/arch/powerpc/kernel/fadump.c
> +++ b/arch/powerpc/kernel/fadump.c
> @@ -1479,6 +1479,9 @@ static ssize_t bootargs_append_store(struct kobject *kobj,
> if (!fw_dump.fadump_enabled || fw_dump.dump_active)
> return -EPERM;
>
> + if (!count)
> + return -EINVAL;
How you manage to call this function with count as 0?
> +
> if (count >= COMMAND_LINE_SIZE)
> return -EINVAL;
>
^ permalink raw reply
* Re: [PATCH] slub: fix data loss and overflow in krealloc()
From: Harry Yoo (Oracle) @ 2026-04-17 9:21 UTC (permalink / raw)
To: Marco Elver
Cc: Vlastimil Babka, Andrew Morton, Hao Li, Christoph Lameter,
David Rientjes, Roman Gushchin, linux-mm, linux-kernel, kasan-dev,
stable, Vitaly Wool, Uladzislau Rezki, Danilo Krummrich,
Lorenzo Stoakes, Liam R. Howlett, Alice Ryhl, rust-for-linux
In-Reply-To: <CANpmjNPMxDkzvVnD9pXy1YBTO4n-abQZ+if6XdDj-u4dnfks5A@mail.gmail.com>
On Fri, Apr 17, 2026 at 11:05:09AM +0200, Marco Elver wrote:
> On Fri, 17 Apr 2026 at 06:42, Harry Yoo (Oracle) <harry@kernel.org> wrote:
> > [+Cc relevant folks]
> >
> > On Thu, Apr 16, 2026 at 03:25:07PM +0200, Marco Elver wrote:
> > > Commit 2cd8231796b5 ("mm/slub: allow to set node and align in
> > > k[v]realloc") introduced the ability to force a reallocation if the
> > > original object does not satisfy new alignment or NUMA node, even when
> > > the object is being shrunk.
> > >
> > > This introduced two bugs in the reallocation fallback path:
> > >
> > > 1. Data loss during NUMA migration: The jump to 'alloc_new' happens
> > > before 'ks' and 'orig_size' are initialized. As a result, the
> > > memcpy() in the 'alloc_new' block would copy 0 bytes into the new
> > > allocation.
> >
> > Ouch.
> >
> > > 2. Buffer overflow during shrinking: When shrinking an object while
> > > forcing a new alignment, 'new_size' is smaller than the old size.
> > > However, the memcpy() used the old size ('orig_size ?: ks'), leading
> > > to an out-of-bounds write.
> >
> > Right. before the commit we didn't reallocate when the size is smaller.
> >
> > > The same overflow bug exists in the kvrealloc() fallback path, where the
> > > old bucket size ksize(p) is copied into the new buffer without being
> > > bounded by the new size.
> > >
> > > A simple reproducer:
> > >
> > > // e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW
> > > while (1) {
> > > void *p = kmalloc(128, GFP_KERNEL);
> > > p = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE);
> > > kfree(p);
> > > }
> > >
> > > demonstrates the issue:
> > >
> > > ==================================================================
> > > BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130
> > >
> > > Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47):
> > > memcpy_orig+0x68/0x130
> > > krealloc_node_align_noprof+0x1c8/0x340
> > > lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]
> > > lkdtm_do_action+0x3a/0x60 [lkdtm]
> > > ...
> > >
> > > kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64
> > >
> > > allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago):
> > > krealloc_node_align_noprof+0x19c/0x340
> > > lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]
> > > lkdtm_do_action+0x3a/0x60 [lkdtm]
> > > ...
> > > ==================================================================
> > >
> > > Fix it by moving the old size calculation to the top of __do_krealloc()
> > > and bounding all copy lengths by the new allocation size.
> > >
> > > Fixes: 2cd8231796b5 ("mm/slub: allow to set node and align in k[v]realloc")
> > > Cc: <stable@vger.kernel.org>
> > > Reported-by: https://sashiko.dev/#/patchset/20260415143735.2974230-1-elver%40google.com
> > > Signed-off-by: Marco Elver <elver@google.com>
> > > ---
> >
> > Looks good to me, but I think we still have a similar issue in
> > vrealloc_node_align_noprof()? (goto need_realloc; due to NUMA mismatch
> > but the new size is smaller)
>
> Good find.
>
> That's a separate patch, though, since it's in the vmalloc subsystem
You're right. for this patch:
Looks good to me,
Reviewed-by: Harry Yoo (Oracle) <harry@kernel.org>
> (it's also not confidence-inspiring that vrealloc_node_align_noprof
> has a bunch of TODOs sprinkled all over...).
;)
looks like one of the TODOs is going to be tacked though. (shrinking)
https://lore.kernel.org/linux-mm/20260404-vmalloc-shrink-v10-0-335759165dfa@zohomail.in
> Since you found that, do you want to claim it?
I have many stuffs going on my plate now (including re-reviewing the
typed kmalloc caches patch) so it'd be nice if somebody could claim :)
> Also by the looks of it slub and vmalloc patches go through different
> trees these days per MAINTAINERS.
Right. slab patches go through the slab tree.
--
Cheers,
Harry / Hyeonggon
^ permalink raw reply
* [PATCH 6.6.y] ice: Fix memory leak in ice_set_ringparam()
From: Rajani Kantha @ 2026-04-17 9:17 UTC (permalink / raw)
To: zilin, pmenzel, aleksandr.loktionov, sx.rinitha, anthony.l.nguyen,
stable
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit fe868b499d16f55bbeea89992edb98043c9de416 ]
In ice_set_ringparam, tx_rings and xdp_rings are allocated before
rx_rings. If the allocation of rx_rings fails, the code jumps to
the done label leaking both tx_rings and xdp_rings. Furthermore, if
the setup of an individual Rx ring fails during the loop, the code jumps
to the free_tx label which releases tx_rings but leaks xdp_rings.
Fix this by introducing a free_xdp label and updating the error paths to
ensure both xdp_rings and tx_rings are properly freed if rx_rings
allocation or setup fails.
Compile tested only. Issue found using a prototype static analysis tool
and code review.
Fixes: fcea6f3da546 ("ice: Add stats and ethtool support")
Fixes: efc2214b6047 ("ice: Add support for XDP")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Rajani Kantha <681739313@139.com>
---
drivers/net/ethernet/intel/ice/ice_ethtool.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c
index 448ca855df90..c254484e9b6b 100644
--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c
+++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c
@@ -2847,7 +2847,7 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
rx_rings = kcalloc(vsi->num_rxq, sizeof(*rx_rings), GFP_KERNEL);
if (!rx_rings) {
err = -ENOMEM;
- goto done;
+ goto free_xdp;
}
ice_for_each_rxq(vsi, i) {
@@ -2877,7 +2877,7 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
}
kfree(rx_rings);
err = -ENOMEM;
- goto free_tx;
+ goto free_xdp;
}
}
@@ -2928,6 +2928,13 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring,
}
goto done;
+free_xdp:
+ if (xdp_rings) {
+ ice_for_each_xdp_txq(vsi, i)
+ ice_free_tx_ring(&xdp_rings[i]);
+ kfree(xdp_rings);
+ }
+
free_tx:
/* error cleanup if the Rx allocations failed after getting Tx */
if (tx_rings) {
--
2.17.1
^ permalink raw reply related
* Re: [PATCH] platform/chrome: fix reference leak on failed device registration
From: Guangshuo Li @ 2026-04-17 9:11 UTC (permalink / raw)
To: kernel test robot
Cc: Benson Leung, Tzung-Bi Shih, Olof Johansson, chrome-platform,
linux-kernel, llvm, oe-kbuild-all, stable
In-Reply-To: <202604171609.wl8JLCit-lkp@intel.com>
Hi,
On Fri, 17 Apr 2026 at 16:47, kernel test robot <lkp@intel.com> wrote:
>
> Hi Guangshuo,
>
> kernel test robot noticed the following build errors:
>
> [auto build test ERROR on chrome-platform/for-next]
> [also build test ERROR on chrome-platform/for-firmware-next linus/master v7.0 next-20260416]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url: https://github.com/intel-lab-lkp/linux/commits/Guangshuo-Li/platform-chrome-fix-reference-leak-on-failed-device-registration/20260416-135638
> base: https://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux.git for-next
> patch link: https://lore.kernel.org/r/20260415175038.3633384-1-lgs201920130244%40gmail.com
> patch subject: [PATCH] platform/chrome: fix reference leak on failed device registration
> config: x86_64-randconfig-013-20260417 (https://download.01.org/0day-ci/archive/20260417/202604171609.wl8JLCit-lkp@intel.com/config)
> compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
> reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260417/202604171609.wl8JLCit-lkp@intel.com/reproduce)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Closes: https://lore.kernel.org/oe-kbuild-all/202604171609.wl8JLCit-lkp@intel.com/
>
> All errors (new ones prefixed by >>):
>
> >> drivers/platform/chrome/chromeos_pstore.c:131:3: error: use of undeclared identifier 'ret'
> 131 | ret = platform_device_register(&chromeos_ramoops);
> | ^
> drivers/platform/chrome/chromeos_pstore.c:132:7: error: use of undeclared identifier 'ret'
> 132 | if (ret)
> | ^
> drivers/platform/chrome/chromeos_pstore.c:135:10: error: use of undeclared identifier 'ret'
> 135 | return ret;
> | ^
> 3 errors generated.
>
>
> vim +/ret +131 drivers/platform/chrome/chromeos_pstore.c
>
> 119
> 120 static int __init chromeos_pstore_init(void)
> 121 {
> 122 bool acpi_dev_found;
> 123
> 124 if (ecc_size > 0)
> 125 chromeos_ramoops_data.ecc_info.ecc_size = ecc_size;
> 126
> 127 /* First check ACPI for non-hardcoded values from firmware. */
> 128 acpi_dev_found = chromeos_check_acpi();
> 129
> 130 if (acpi_dev_found || dmi_check_system(chromeos_pstore_dmi_table)) {
> > 131 ret = platform_device_register(&chromeos_ramoops);
> 132 if (ret)
> 133 platform_device_put(&chromeos_ramoops);
> 134
> 135 return ret;
> 136 }
> 137
> 138 return -ENODEV;
> 139 }
> 140
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
Yes, the build error is because in the first version I accidentally
forgot to declare the local variable ret in chromeos_pstore_init().
Sorry for the oversight, and thanks for the report.
Also, the underlying issue here appears to be related to the
platform_device_register() core/API behavior. We are currently
discussing in another similar case whether the better fix, if any,
should be made in the core/API code rather than in individual callers:
https://patchew.org/linux/20260415174159.3625777-1-lgs201920130244@gmail.com/
Once that discussion reaches a conclusion, we will revisit this and
make the appropriate fix if needed.
Thanks,
Guangshuo
^ permalink raw reply
* Re: [PATCH] slub: fix data loss and overflow in krealloc()
From: Vlastimil Babka (SUSE) @ 2026-04-17 9:11 UTC (permalink / raw)
To: Marco Elver, Andrew Morton
Cc: Harry Yoo, Hao Li, Christoph Lameter, David Rientjes,
Roman Gushchin, linux-mm, linux-kernel, kasan-dev, stable
In-Reply-To: <20260416132837.3787694-1-elver@google.com>
On 4/16/26 15:25, Marco Elver wrote:
> Commit 2cd8231796b5 ("mm/slub: allow to set node and align in
> k[v]realloc") introduced the ability to force a reallocation if the
> original object does not satisfy new alignment or NUMA node, even when
> the object is being shrunk.
>
> This introduced two bugs in the reallocation fallback path:
>
> 1. Data loss during NUMA migration: The jump to 'alloc_new' happens
> before 'ks' and 'orig_size' are initialized. As a result, the
> memcpy() in the 'alloc_new' block would copy 0 bytes into the new
> allocation.
>
> 2. Buffer overflow during shrinking: When shrinking an object while
> forcing a new alignment, 'new_size' is smaller than the old size.
> However, the memcpy() used the old size ('orig_size ?: ks'), leading
> to an out-of-bounds write.
>
> The same overflow bug exists in the kvrealloc() fallback path, where the
> old bucket size ksize(p) is copied into the new buffer without being
> bounded by the new size.
>
> A simple reproducer:
>
> // e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW
> while (1) {
> void *p = kmalloc(128, GFP_KERNEL);
> p = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE);
> kfree(p);
> }
>
> demonstrates the issue:
>
> ==================================================================
> BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130
>
> Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47):
> memcpy_orig+0x68/0x130
> krealloc_node_align_noprof+0x1c8/0x340
> lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]
> lkdtm_do_action+0x3a/0x60 [lkdtm]
> ...
>
> kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64
>
> allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago):
> krealloc_node_align_noprof+0x19c/0x340
> lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]
> lkdtm_do_action+0x3a/0x60 [lkdtm]
> ...
> ==================================================================
>
> Fix it by moving the old size calculation to the top of __do_krealloc()
> and bounding all copy lengths by the new allocation size.
>
> Fixes: 2cd8231796b5 ("mm/slub: allow to set node and align in k[v]realloc")
> Cc: <stable@vger.kernel.org>
> Reported-by: https://sashiko.dev/#/patchset/20260415143735.2974230-1-elver%40google.com
> Signed-off-by: Marco Elver <elver@google.com>
Ouch, thanks. Added to slab/for-next-fixes
Indeed the vrealloc would be separate patch with different Fixes: commit and
handled in the mm tree.
> ---
> mm/slub.c | 24 ++++++++++++------------
> 1 file changed, 12 insertions(+), 12 deletions(-)
>
> diff --git a/mm/slub.c b/mm/slub.c
> index 92362eeb13e5..161079ac5ba1 100644
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -6645,16 +6645,6 @@ __do_krealloc(const void *p, size_t new_size, unsigned long align, gfp_t flags,
> if (!kasan_check_byte(p))
> return NULL;
>
> - /*
> - * If reallocation is not necessary (e. g. the new size is less
> - * than the current allocated size), the current allocation will be
> - * preserved unless __GFP_THISNODE is set. In the latter case a new
> - * allocation on the requested node will be attempted.
> - */
> - if (unlikely(flags & __GFP_THISNODE) && nid != NUMA_NO_NODE &&
> - nid != page_to_nid(virt_to_page(p)))
> - goto alloc_new;
> -
> if (is_kfence_address(p)) {
> ks = orig_size = kfence_ksize(p);
> } else {
> @@ -6673,6 +6663,16 @@ __do_krealloc(const void *p, size_t new_size, unsigned long align, gfp_t flags,
> }
> }
>
> + /*
> + * If reallocation is not necessary (e. g. the new size is less
> + * than the current allocated size), the current allocation will be
> + * preserved unless __GFP_THISNODE is set. In the latter case a new
> + * allocation on the requested node will be attempted.
> + */
> + if (unlikely(flags & __GFP_THISNODE) && nid != NUMA_NO_NODE &&
> + nid != page_to_nid(virt_to_page(p)))
> + goto alloc_new;
> +
> /* If the old object doesn't fit, allocate a bigger one */
> if (new_size > ks)
> goto alloc_new;
> @@ -6707,7 +6707,7 @@ __do_krealloc(const void *p, size_t new_size, unsigned long align, gfp_t flags,
> if (ret && p) {
> /* Disable KASAN checks as the object's redzone is accessed. */
> kasan_disable_current();
> - memcpy(ret, kasan_reset_tag(p), orig_size ?: ks);
> + memcpy(ret, kasan_reset_tag(p), min(new_size, (size_t)(orig_size ?: ks)));
> kasan_enable_current();
> }
>
> @@ -6941,7 +6941,7 @@ void *kvrealloc_node_align_noprof(const void *p, size_t size, unsigned long alig
> if (p) {
> /* We already know that `p` is not a vmalloc address. */
> kasan_disable_current();
> - memcpy(n, kasan_reset_tag(p), ksize(p));
> + memcpy(n, kasan_reset_tag(p), min(size, ksize(p)));
> kasan_enable_current();
>
> kfree(p);
^ permalink raw reply
* Re: [PATCH] slub: fix data loss and overflow in krealloc()
From: Marco Elver @ 2026-04-17 9:05 UTC (permalink / raw)
To: Harry Yoo (Oracle)
Cc: Vlastimil Babka, Andrew Morton, Hao Li, Christoph Lameter,
David Rientjes, Roman Gushchin, linux-mm, linux-kernel, kasan-dev,
stable, Vitaly Wool, Uladzislau Rezki, Danilo Krummrich,
Lorenzo Stoakes, Liam R. Howlett, Alice Ryhl, rust-for-linux
In-Reply-To: <aeG6RG41sgZuerYa@hyeyoo>
On Fri, 17 Apr 2026 at 06:42, Harry Yoo (Oracle) <harry@kernel.org> wrote:
>
> [+Cc relevant folks]
>
> On Thu, Apr 16, 2026 at 03:25:07PM +0200, Marco Elver wrote:
> > Commit 2cd8231796b5 ("mm/slub: allow to set node and align in
> > k[v]realloc") introduced the ability to force a reallocation if the
> > original object does not satisfy new alignment or NUMA node, even when
> > the object is being shrunk.
> >
> > This introduced two bugs in the reallocation fallback path:
> >
> > 1. Data loss during NUMA migration: The jump to 'alloc_new' happens
> > before 'ks' and 'orig_size' are initialized. As a result, the
> > memcpy() in the 'alloc_new' block would copy 0 bytes into the new
> > allocation.
>
> Ouch.
>
> > 2. Buffer overflow during shrinking: When shrinking an object while
> > forcing a new alignment, 'new_size' is smaller than the old size.
> > However, the memcpy() used the old size ('orig_size ?: ks'), leading
> > to an out-of-bounds write.
>
> Right. before the commit we didn't reallocate when the size is smaller.
>
> > The same overflow bug exists in the kvrealloc() fallback path, where the
> > old bucket size ksize(p) is copied into the new buffer without being
> > bounded by the new size.
> >
> > A simple reproducer:
> >
> > // e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW
> > while (1) {
> > void *p = kmalloc(128, GFP_KERNEL);
> > p = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE);
> > kfree(p);
> > }
> >
> > demonstrates the issue:
> >
> > ==================================================================
> > BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130
> >
> > Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47):
> > memcpy_orig+0x68/0x130
> > krealloc_node_align_noprof+0x1c8/0x340
> > lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]
> > lkdtm_do_action+0x3a/0x60 [lkdtm]
> > ...
> >
> > kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64
> >
> > allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago):
> > krealloc_node_align_noprof+0x19c/0x340
> > lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]
> > lkdtm_do_action+0x3a/0x60 [lkdtm]
> > ...
> > ==================================================================
> >
> > Fix it by moving the old size calculation to the top of __do_krealloc()
> > and bounding all copy lengths by the new allocation size.
> >
> > Fixes: 2cd8231796b5 ("mm/slub: allow to set node and align in k[v]realloc")
> > Cc: <stable@vger.kernel.org>
> > Reported-by: https://sashiko.dev/#/patchset/20260415143735.2974230-1-elver%40google.com
> > Signed-off-by: Marco Elver <elver@google.com>
> > ---
>
> Looks good to me, but I think we still have a similar issue in
> vrealloc_node_align_noprof()? (goto need_realloc; due to NUMA mismatch
> but the new size is smaller)
Good find.
That's a separate patch, though, since it's in the vmalloc subsystem
(it's also not confidence-inspiring that vrealloc_node_align_noprof
has a bunch of TODOs sprinkled all over...).
Since you found that, do you want to claim it?
Also by the looks of it slub and vmalloc patches go through different
trees these days per MAINTAINERS.
Thanks,
-- Marco
^ permalink raw reply
* Re: [PATCH] f2fs: fix node_cnt race between extent node destroy and writeback
From: Chao Yu @ 2026-04-17 9:00 UTC (permalink / raw)
To: Yongpeng Yang, Jaegeuk Kim; +Cc: chao, linux-f2fs-devel, Yongpeng Yang, stable
In-Reply-To: <20260403144015.221811-3-monty_pavel@sina.com>
On 4/3/26 22:40, Yongpeng Yang wrote:
> From: Yongpeng Yang <yangyongpeng@xiaomi.com>
>
> f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing
> extent nodes. When called from f2fs_drop_inode() with I_SYNC set,
> concurrent kworker writeback can insert new extent nodes into the same
> extent tree, racing with the destroy and triggering f2fs_bug_on() in
> __destroy_extent_node(). The scenario is as follows:
>
> drop inode writeback
> - iput
> - f2fs_drop_inode // I_SYNC set
> - f2fs_destroy_extent_node
> - __destroy_extent_node
> - while (node_cnt) {
> write_lock(&et->lock)
> __free_extent_tree
> write_unlock(&et->lock)
> - __writeback_single_inode
> - f2fs_outplace_write_data
> - f2fs_update_read_extent_cache
> - __update_extent_tree_range
> // FI_NO_EXTENT not set,
> // insert new extent node
> } // node_cnt == 0, exit while
> - f2fs_bug_on(node_cnt) // node_cnt > 0
>
> Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for
> EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.
>
> This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(),
> consistent with other callers (__update_extent_tree_range and
> __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and
> EX_BLOCK_AGE tree.
I suffered below test failure, then I bisect to this change.
generic/475 84s ... [failed, exit status 1]- output mismatch (see /share/git/fstests/results//generic/475.out.bad)
--- tests/generic/475.out 2025-01-12 21:57:40.279440664 +0800
+++ /share/git/fstests/results//generic/475.out.bad 2026-04-17 12:08:28.000000000 +0800
@@ -1,2 +1,6 @@
QA output created by 475
Silence is golden.
+mount: /mnt/scratch_f2fs: mount system call failed: Structure needs cleaning.
+ dmesg(1) may have more information after failed mount system call.
+mount failed
+(see /share/git/fstests/results//generic/475.full for details)
...
(Run 'diff -u /share/git/fstests/tests/generic/475.out /share/git/fstests/results//generic/475.out.bad' to see the entire diff)
generic/388 73s ... [failed, exit status 1]- output mismatch (see /share/git/fstests/results//generic/388.out.bad)
--- tests/generic/388.out 2025-01-12 21:57:40.275440602 +0800
+++ /share/git/fstests/results//generic/388.out.bad 2026-04-17 11:58:05.000000000 +0800
@@ -1,2 +1,6 @@
QA output created by 388
Silence is golden.
+mount: /mnt/scratch_f2fs: mount system call failed: Structure needs cleaning.
+ dmesg(1) may have more information after failed mount system call.
+cycle mount failed
+(see /share/git/fstests/results//generic/388.full for details)
...
(Run 'diff -u /share/git/fstests/tests/generic/388.out /share/git/fstests/results//generic/388.out.bad' to see the entire diff)
F2FS-fs (dm-0): sanity_check_extent_cache: inode (ino=1761) extent info [220057, 57, 6] is incorrect, run fsck to fix
I suspect we may miss any extent updates after we set FI_NO_EXTENT in
__destroy_extent_node(), result in failing in sanity_check_extent_cache().
Can we just relocate f2fs_bug_on(node_cnt) rather than complicated change?
Thoughts?
Thanks,
>
> Fixes: 3fc5d5a182f6 ("f2fs: fix to shrink read extent node in batches")
> Cc: stable@vger.kernel.org
> Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
> ---
> fs/f2fs/extent_cache.c | 17 ++++++++++-------
> 1 file changed, 10 insertions(+), 7 deletions(-)
>
> diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c
> index 0ed84cc065a7..87169fd29d89 100644
> --- a/fs/f2fs/extent_cache.c
> +++ b/fs/f2fs/extent_cache.c
> @@ -119,9 +119,10 @@ static bool __may_extent_tree(struct inode *inode, enum extent_type type)
> if (!__init_may_extent_tree(inode, type))
> return false;
>
> + if (is_inode_flag_set(inode, FI_NO_EXTENT))
> + return false;
> +
> if (type == EX_READ) {
> - if (is_inode_flag_set(inode, FI_NO_EXTENT))
> - return false;
> if (is_inode_flag_set(inode, FI_COMPRESSED_FILE) &&
> !f2fs_sb_has_readonly(F2FS_I_SB(inode)))
> return false;
> @@ -644,6 +645,8 @@ static unsigned int __destroy_extent_node(struct inode *inode,
>
> while (atomic_read(&et->node_cnt)) {
> write_lock(&et->lock);
> + if (!is_inode_flag_set(inode, FI_NO_EXTENT))
> + set_inode_flag(inode, FI_NO_EXTENT);
> node_cnt += __free_extent_tree(sbi, et, nr_shrink);
> write_unlock(&et->lock);
> }
> @@ -688,12 +691,12 @@ static void __update_extent_tree_range(struct inode *inode,
>
> write_lock(&et->lock);
>
> - if (type == EX_READ) {
> - if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
> - write_unlock(&et->lock);
> - return;
> - }
> + if (is_inode_flag_set(inode, FI_NO_EXTENT)) {
> + write_unlock(&et->lock);
> + return;
> + }
>
> + if (type == EX_READ) {
> prev = et->largest;
> dei.len = 0;
>
^ permalink raw reply
* Re: [PATCH] crypto: acomp - fix wrong pointer stored by acomp_save_req()
From: Herbert Xu @ 2026-04-17 8:51 UTC (permalink / raw)
To: Giovanni Cabiddu
Cc: linux-crypto, qat-linux, Laurent M Coquerel, Wojciech Drewek,
Andy Shevchenko, stable
In-Reply-To: <aeEXNL2CH8njXY0Q@gcabiddu-mobl.ger.corp.intel.com>
On Thu, Apr 16, 2026 at 06:07:00PM +0100, Giovanni Cabiddu wrote:
>
> acomp_save_req() stores &req->chain in req->base.data. When
> acomp_reqchain_done() is invoked on asynchronous completion, it receives
> &req->chain as the data argument but casts it directly to struct
> acomp_req. Since data points to the chain member, all subsequent field
> accesses are at a wrong offset, resulting in memory corruption.
>
> The issue occurs when an asynchronous hardware implementation, such as
> the QAT driver, completes a request that uses the DMA virtual address
> interface (e.g. acomp_request_set_src_dma()). This combination causes
> crypto_acomp_compress() to enter the acomp_do_req_chain() path, which
> sets acomp_reqchain_done() as the completion callback via
> acomp_save_req().
>
> With KASAN enabled, this manifests as a general protection fault in
> acomp_reqchain_done():
>
> general protection fault, probably for non-canonical address 0xe000040000000000
> KASAN: probably user-memory-access in range [0x0000400000000000-0x0000400000000007]
> RIP: 0010:acomp_reqchain_done+0x15b/0x4e0
> Call Trace:
> <IRQ>
> qat_comp_alg_callback+0x5d/0xa0 [intel_qat]
> adf_ring_response_handler+0x376/0x8b0 [intel_qat]
> adf_response_handler+0x60/0x170 [intel_qat]
> tasklet_action_common+0x223/0x820
> handle_softirqs+0x1ab/0x640
> </IRQ>
>
> Fix this by storing the request itself in req->base.data instead of
> &req->chain, so that acomp_reqchain_done() receives the correct pointer.
> Simplify acomp_restore_req() accordingly to access req->chain directly.
>
> Fixes: 64929fe8c0a4 ("crypto: acomp - Remove request chaining")
> Cc: stable@vger.kernel.org
> Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
> ---
> crypto/acompress.c | 8 +++-----
> 1 file changed, 3 insertions(+), 5 deletions(-)
Patch applied. Thanks.
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply
* Re: [PATCH] platform/chrome: fix reference leak on failed device registration
From: kernel test robot @ 2026-04-17 8:46 UTC (permalink / raw)
To: Guangshuo Li, Benson Leung, Tzung-Bi Shih, Olof Johansson,
chrome-platform, linux-kernel
Cc: llvm, oe-kbuild-all, Guangshuo Li, stable
In-Reply-To: <20260415175038.3633384-1-lgs201920130244@gmail.com>
Hi Guangshuo,
kernel test robot noticed the following build errors:
[auto build test ERROR on chrome-platform/for-next]
[also build test ERROR on chrome-platform/for-firmware-next linus/master v7.0 next-20260416]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Guangshuo-Li/platform-chrome-fix-reference-leak-on-failed-device-registration/20260416-135638
base: https://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux.git for-next
patch link: https://lore.kernel.org/r/20260415175038.3633384-1-lgs201920130244%40gmail.com
patch subject: [PATCH] platform/chrome: fix reference leak on failed device registration
config: x86_64-randconfig-013-20260417 (https://download.01.org/0day-ci/archive/20260417/202604171609.wl8JLCit-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260417/202604171609.wl8JLCit-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202604171609.wl8JLCit-lkp@intel.com/
All errors (new ones prefixed by >>):
>> drivers/platform/chrome/chromeos_pstore.c:131:3: error: use of undeclared identifier 'ret'
131 | ret = platform_device_register(&chromeos_ramoops);
| ^
drivers/platform/chrome/chromeos_pstore.c:132:7: error: use of undeclared identifier 'ret'
132 | if (ret)
| ^
drivers/platform/chrome/chromeos_pstore.c:135:10: error: use of undeclared identifier 'ret'
135 | return ret;
| ^
3 errors generated.
vim +/ret +131 drivers/platform/chrome/chromeos_pstore.c
119
120 static int __init chromeos_pstore_init(void)
121 {
122 bool acpi_dev_found;
123
124 if (ecc_size > 0)
125 chromeos_ramoops_data.ecc_info.ecc_size = ecc_size;
126
127 /* First check ACPI for non-hardcoded values from firmware. */
128 acpi_dev_found = chromeos_check_acpi();
129
130 if (acpi_dev_found || dmi_check_system(chromeos_pstore_dmi_table)) {
> 131 ret = platform_device_register(&chromeos_ramoops);
132 if (ret)
133 platform_device_put(&chromeos_ramoops);
134
135 return ret;
136 }
137
138 return -ENODEV;
139 }
140
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
^ permalink raw reply
* [PATCH 6.1.y] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
From: Wenshan Lan @ 2026-04-17 8:45 UTC (permalink / raw)
To: gregkh, sashal, stable
Cc: linux-sound, Jeongjun Park, syzbot+f02665daa2abeef4a947,
Takashi Iwai, Wenshan Lan
From: Jeongjun Park <aha310510@gmail.com>
[ Upstream commit 9f2c0ac1423d5f267e7f1d1940780fc764b0fee3 ]
The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
removal") patched a UAF issue caused by the error timer.
However, because the error timer kill added in this patch occurs after the
endpoint delete, a race condition to UAF still occurs, albeit rarely.
Additionally, since kill-cleanup for urb is also missing, freed memory can
be accessed in interrupt context related to urb, which can cause UAF.
Therefore, to prevent this, error timer and urb must be killed before
freeing the heap memory.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Wenshan Lan <jetlan9@163.com>
---
sound/usb/midi.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index 08dd0f0b19a3..49a11e517e78 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1522,15 +1522,14 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
{
int i;
+ if (!umidi->disconnected)
+ snd_usbmidi_disconnect(&umidi->list);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
- if (ep->out)
- snd_usbmidi_out_endpoint_delete(ep->out);
- if (ep->in)
- snd_usbmidi_in_endpoint_delete(ep->in);
+ kfree(ep->out);
}
mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer);
kfree(umidi);
}
--
2.43.0
^ permalink raw reply related
* Re: [PATCH v3 2/2] mailbox: Make mbox_send_message() return error code when tx fails
From: Joonwon Kang @ 2026-04-17 8:43 UTC (permalink / raw)
To: jassisinghbrar
Cc: akpm, angelogioacchino.delregno, jonathanh, joonwonkang,
linux-arm-kernel, linux-kernel, linux-mediatek, linux-tegra,
matthias.bgg, stable, thierry.reding
In-Reply-To: <CABb+yY23aTXeXu6G-8sHjw32DCqmhsJLu2Mt-txenOgTBiyv+A@mail.gmail.com>
> On Fri, Apr 3, 2026 at 10:19 AM Joonwon Kang <joonwonkang@google.com> wrote:
> >
> > > On Thu, Apr 2, 2026 at 12:07 PM Joonwon Kang <joonwonkang@google.com> wrote:
> > > >
> > > > When the mailbox controller failed transmitting message, the error code
> > > > was only passed to the client's tx done handler and not to
> > > > mbox_send_message(). For this reason, the function could return a false
> > > > success. This commit resolves the issue by introducing the tx status and
> > > > checking it before mbox_send_message() returns.
> > > >
> > > Can you please share the scenario when this becomes necessary? This
> > > can potentially change the ground underneath some clients, so we have
> > > to be sure this is really useful.
> >
> > I would say the problem here is generic enough to apply to all the cases where
> > the send result needs to be checked. Since the return value of the send API is
> > not the real send result, any users who believe that this blocking send API
> > will return the real send result could fall for that. For example, users may
> > think the send was successful even though it was not actually. I believe it is
> > uncommon that users have to register a callback solely to get the send result
> > even though they are using the blocking send API already. Also, I guess there
> > is no special reason why only the mailbox send API should work this way among
> > other typical blocking send APIs. For these reasons, this patch makes the send
> > API return the real send result. This way, users will not need to register the
> > redundant callback and I think the return value will align with their common
> > expectation.
> >
> Clients submit a message into the Mailbox subsystem to be sent out to
> the remote side which can happen immediately or later.
> If submission fails, clients get immediately notified. If transmission
> fails (which is now internal to the subsystem) it is reported to the
> client by a callback.
> If the API was called mbox_submit_message (which it actually is)
> instead of mbox_send_message, there would be no confusion.
> We can argue how good/bad the current implementation is, but the fact
> is that it is here. And I am reluctant to cause churn without good
> reason.
> Again, as I said, any, _legal_, setup scenario will help me come over
> my reluctance.
>
> Thanks
> Jassi
Hi Jassi, can we continue discussing this issue from where we left off last
time?
Thanks,
Joonwon Kang
^ permalink raw reply
* Re: [PATCH v3 1/2] mailbox: Use per-thread completion to fix wrong completion order
From: Joonwon Kang @ 2026-04-17 8:41 UTC (permalink / raw)
To: jassisinghbrar
Cc: angelogioacchino.delregno, jonathanh, joonwonkang,
linux-arm-kernel, linux-kernel, linux-mediatek, linux-tegra,
matthias.bgg, stable, thierry.reding
In-Reply-To: <CABb+yY0uDQh-3cadPQONV=NJKjMtc4mJekgjmHYVaHnfHXvGZQ@mail.gmail.com>
> On Fri, Apr 3, 2026 at 9:51 AM Joonwon Kang <joonwonkang@google.com> wrote:
> >
> > > On Thu, Apr 2, 2026 at 12:07 PM Joonwon Kang <joonwonkang@google.com> wrote:
> > > >
> > > > Previously, a sender thread in mbox_send_message() could be woken up at
> > > > a wrong time in blocking mode. It is because there was only a single
> > > > completion for a channel whereas messages from multiple threads could be
> > > > sent in any order; since the shared completion could be signalled in any
> > > > order, it could wake up a wrong sender thread.
> > > >
> > > > This commit resolves the false wake-up issue with the following changes:
> > > > - Completions are created just as many as the number of concurrent sender
> > > > threads
> > > > - A completion is created on a sender thread's stack
> > > > - Each slot of the message queue, i.e. `msg_data`, contains a pointer to
> > > > its target completion
> > > > - tx_tick() signals the completion of the currently active slot of the
> > > > message queue
> > > >
> > > I think I reviewed it already or is this happening on
> > > one-channel-one-client usage? Because mailbox api does not support
> > > channels shared among multiple clients.
> >
> > Yes, this patch is handling the one-channel-one-client usage but when that
> > single channel is shared between multiple threads.
>
> hmm.... how is this not single-channel-multiple-clients ?
> A channel is returned as an opaque token to the clients, if that
> client shares that with other threads - they will race.
> It is the job of the original client to serialize its threads' access
> to the channel.
>
> > From my understanding, the
> > discussion back then ended with how to circumvent the issue rather than whether
> > we will eventually solve this in the mailbox framework or not, and if yes, how
> > we will, and if not, why.
>
> It will be interesting to see how many current clients actually need
> to share channels. If there are enough, it makes sense to implement
> some helper api
> on top of existing code, instead of changing its nature totally.
>
> Thanks
> Jassi
Hi Jassi, can we continue discussing this matter? We can start from the recent
comments from me.
Thanks,
Joonwon Kang
^ permalink raw reply
* Re: [PATCH 5.15 177/570] scsi: core: Fix error handling for scsi_alloc_sdev()
From: Harshit Mogalapalli @ 2026-04-17 8:36 UTC (permalink / raw)
To: junxiao.bi, Greg Kroah-Hartman, stable
Cc: patches, John Garry, Bart Van Assche, Martin K. Petersen,
Vegard Nossum
In-Reply-To: <0c9b5caf-131a-4f47-8d9c-0fac3029e59d@oracle.com>
Hi Junxiao,
>>> - if (scsi_realloc_sdev_budget_map(sdev, depth)) {
>>> - kref_put(&sdev->host->tagset_refcnt, scsi_mq_free_tags);
>>> - put_device(&starget->dev);
>>> - kfree(sdev);
>>> - goto out;
>>> - }
>>> + if (scsi_realloc_sdev_budget_map(sdev, depth))
>>> + goto out_device_destroy;
>>
>> I have run an AI assisted backport review and it spotted an issue: I
>> have taken a look and the issue is:
>>
>>
>> 5.15.y doesn't have commit: 21008cabc5d9 ("scsi: core: Move two
>> statements") - v6.19-rc1 based so backporting this patch introduces
>> something like:
>>
>> if (scsi_realloc_sdev_budget_map(sdev, depth))
>> goto out_device_destroy;
>>
>> scsi_change_queue_depth(sdev, depth);
>> scsi_sysfs_device_initialize(sdev);
>>
>> ...
>> out_device_destroy:
>> __scsi_remove_device(sdev);
>>
>>
>> calling put_device() before device_initialize(), so I think we should
>> drop this patch in stable branches which don't have commit:
>> 21008cabc5d9 ("scsi: core: Move two statements") in them. Upstream
>> moved scsi_sysfs_device_initialize() above the budget_map() call.
>>
>> Thoughts ?
>>
> Right, this commit should be backported as well. Otherwise we could see
> this warning.
>
> "kobject: '%s' (%p): is not initialized, yet kobject_put() is being
> called.\n"
>
Thanks for confirming, Sasha dropped it from the stable queue for this
release.
4th one in:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/commit/?id=f1885e089cd1533e346cb4845e5d6d101303dc44
Thanks,
Harshit
> Thanks,
>
> Junxiao.
>
>> I see the same problem in other stable branches as well.
>>
>> Thanks,
>> Harshit
>>
>>
>>> scsi_change_queue_depth(sdev, depth);
>>>
>>>
>>>
>>
^ permalink raw reply
* [PATCH 5.15.y] nf_tables: nft_dynset: fix possible stateful expression memleak in error path
From: Li hongliang @ 2026-04-17 8:22 UTC (permalink / raw)
To: gregkh, stable, pablo
Cc: patches, linux-kernel, kadlec, fw, davem, edumazet, kuba, pabeni,
netfilter-devel, coreteam, netdev, giki.shergill
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 0548a13b5a145b16e4da0628b5936baf35f51b43 ]
If cloning the second stateful expression in the element via GFP_ATOMIC
fails, then the first stateful expression remains in place without being
released.
unreferenced object (percpu) 0x607b97e9cab8 (size 16):
comm "softirq", pid 0, jiffies 4294931867
hex dump (first 16 bytes on cpu 3):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
backtrace (crc 0):
pcpu_alloc_noprof+0x453/0xd80
nft_counter_clone+0x9c/0x190 [nf_tables]
nft_expr_clone+0x8f/0x1b0 [nf_tables]
nft_dynset_new+0x2cb/0x5f0 [nf_tables]
nft_rhash_update+0x236/0x11c0 [nf_tables]
nft_dynset_eval+0x11f/0x670 [nf_tables]
nft_do_chain+0x253/0x1700 [nf_tables]
nft_do_chain_ipv4+0x18d/0x270 [nf_tables]
nf_hook_slow+0xaa/0x1e0
ip_local_deliver+0x209/0x330
Fixes: 563125a73ac3 ("netfilter: nftables: generalize set extension to support for several expressions")
Reported-by: Gurpreet Shergill <giki.shergill@proton.me>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
[ Minor conflict resolved. ]
Signed-off-by: Li hongliang <1468888505@139.com>
---
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c | 4 ++--
net/netfilter/nft_dynset.c | 10 +++++++++-
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 605d4c0a63e9..1f805590b838 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -821,6 +821,8 @@ void *nft_set_elem_init(const struct nft_set *set,
u64 timeout, u64 expiration, gfp_t gfp);
int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
struct nft_expr *expr_array[]);
+void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+ struct nft_set_elem_expr *elem_expr);
void nft_set_elem_destroy(const struct nft_set *set, void *elem,
bool destroy_expr);
void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index cbec5fc23719..b78949933acf 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5919,8 +5919,8 @@ static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
}
}
-static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
- struct nft_set_elem_expr *elem_expr)
+void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+ struct nft_set_elem_expr *elem_expr)
{
struct nft_expr *expr;
u32 size;
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index ecdd4a60db9c..673c5e6a3e8d 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -30,18 +30,26 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv,
const struct nft_set_ext *ext)
{
struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
+ struct nft_ctx ctx = {
+ .net = read_pnet(&priv->set->net),
+ .family = priv->set->table->family,
+ };
struct nft_expr *expr;
int i;
for (i = 0; i < priv->num_exprs; i++) {
expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0)
- return -1;
+ goto err_out;
elem_expr->size += priv->expr_array[i]->ops->size;
}
return 0;
+err_out:
+ nft_set_elem_expr_destroy(&ctx, elem_expr);
+
+ return -1;
}
static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
--
2.34.1
^ permalink raw reply related
* [PATCH 6.1.y] nf_tables: nft_dynset: fix possible stateful expression memleak in error path
From: Li hongliang @ 2026-04-17 8:21 UTC (permalink / raw)
To: gregkh, stable, pablo
Cc: patches, linux-kernel, kadlec, fw, davem, edumazet, kuba, pabeni,
netfilter-devel, coreteam, netdev, giki.shergill
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 0548a13b5a145b16e4da0628b5936baf35f51b43 ]
If cloning the second stateful expression in the element via GFP_ATOMIC
fails, then the first stateful expression remains in place without being
released.
unreferenced object (percpu) 0x607b97e9cab8 (size 16):
comm "softirq", pid 0, jiffies 4294931867
hex dump (first 16 bytes on cpu 3):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
backtrace (crc 0):
pcpu_alloc_noprof+0x453/0xd80
nft_counter_clone+0x9c/0x190 [nf_tables]
nft_expr_clone+0x8f/0x1b0 [nf_tables]
nft_dynset_new+0x2cb/0x5f0 [nf_tables]
nft_rhash_update+0x236/0x11c0 [nf_tables]
nft_dynset_eval+0x11f/0x670 [nf_tables]
nft_do_chain+0x253/0x1700 [nf_tables]
nft_do_chain_ipv4+0x18d/0x270 [nf_tables]
nf_hook_slow+0xaa/0x1e0
ip_local_deliver+0x209/0x330
Fixes: 563125a73ac3 ("netfilter: nftables: generalize set extension to support for several expressions")
Reported-by: Gurpreet Shergill <giki.shergill@proton.me>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
[ Minor conflict resolved. ]
Signed-off-by: Li hongliang <1468888505@139.com>
---
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c | 4 ++--
net/netfilter/nft_dynset.c | 10 +++++++++-
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 38c74f9fcce2..dafa0a32e6e1 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -838,6 +838,8 @@ void *nft_set_elem_init(const struct nft_set *set,
u64 timeout, u64 expiration, gfp_t gfp);
int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
struct nft_expr *expr_array[]);
+void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+ struct nft_set_elem_expr *elem_expr);
void nft_set_elem_destroy(const struct nft_set *set, void *elem,
bool destroy_expr);
void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index fb3d529ebf5a..0c4224282638 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6025,8 +6025,8 @@ static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
}
}
-static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
- struct nft_set_elem_expr *elem_expr)
+void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+ struct nft_set_elem_expr *elem_expr)
{
struct nft_expr *expr;
u32 size;
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 953aba871f45..5f58ac874005 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -30,18 +30,26 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv,
const struct nft_set_ext *ext)
{
struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
+ struct nft_ctx ctx = {
+ .net = read_pnet(&priv->set->net),
+ .family = priv->set->table->family,
+ };
struct nft_expr *expr;
int i;
for (i = 0; i < priv->num_exprs; i++) {
expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0)
- return -1;
+ goto err_out;
elem_expr->size += priv->expr_array[i]->ops->size;
}
return 0;
+err_out:
+ nft_set_elem_expr_destroy(&ctx, elem_expr);
+
+ return -1;
}
static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
--
2.34.1
^ permalink raw reply related
* [PATCH 6.6.y] nf_tables: nft_dynset: fix possible stateful expression memleak in error path
From: Li hongliang @ 2026-04-17 8:18 UTC (permalink / raw)
To: gregkh, stable, pablo
Cc: patches, linux-kernel, kadlec, fw, davem, edumazet, kuba, pabeni,
netfilter-devel, coreteam, netdev, giki.shergill
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 0548a13b5a145b16e4da0628b5936baf35f51b43 ]
If cloning the second stateful expression in the element via GFP_ATOMIC
fails, then the first stateful expression remains in place without being
released.
unreferenced object (percpu) 0x607b97e9cab8 (size 16):
comm "softirq", pid 0, jiffies 4294931867
hex dump (first 16 bytes on cpu 3):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
backtrace (crc 0):
pcpu_alloc_noprof+0x453/0xd80
nft_counter_clone+0x9c/0x190 [nf_tables]
nft_expr_clone+0x8f/0x1b0 [nf_tables]
nft_dynset_new+0x2cb/0x5f0 [nf_tables]
nft_rhash_update+0x236/0x11c0 [nf_tables]
nft_dynset_eval+0x11f/0x670 [nf_tables]
nft_do_chain+0x253/0x1700 [nf_tables]
nft_do_chain_ipv4+0x18d/0x270 [nf_tables]
nf_hook_slow+0xaa/0x1e0
ip_local_deliver+0x209/0x330
Fixes: 563125a73ac3 ("netfilter: nftables: generalize set extension to support for several expressions")
Reported-by: Gurpreet Shergill <giki.shergill@proton.me>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
[ Minor conflict resolved. ]
Signed-off-by: Li hongliang <1468888505@139.com>
---
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c | 4 ++--
net/netfilter/nft_dynset.c | 10 +++++++++-
3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 000ae2900f8c..ab0567951e31 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -861,6 +861,8 @@ void *nft_set_elem_init(const struct nft_set *set,
u64 timeout, u64 expiration, gfp_t gfp);
int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set,
struct nft_expr *expr_array[]);
+void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+ struct nft_set_elem_expr *elem_expr);
void nft_set_elem_destroy(const struct nft_set *set, void *elem,
bool destroy_expr);
void nf_tables_set_elem_destroy(const struct nft_ctx *ctx,
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0aaddc1131c6..a0914a92e07d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6464,8 +6464,8 @@ static void __nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
}
}
-static void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
- struct nft_set_elem_expr *elem_expr)
+void nft_set_elem_expr_destroy(const struct nft_ctx *ctx,
+ struct nft_set_elem_expr *elem_expr)
{
struct nft_expr *expr;
u32 size;
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 9a0aaeed2360..87c6a02675ba 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -30,18 +30,26 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv,
const struct nft_set_ext *ext)
{
struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext);
+ struct nft_ctx ctx = {
+ .net = read_pnet(&priv->set->net),
+ .family = priv->set->table->family,
+ };
struct nft_expr *expr;
int i;
for (i = 0; i < priv->num_exprs; i++) {
expr = nft_setelem_expr_at(elem_expr, elem_expr->size);
if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0)
- return -1;
+ goto err_out;
elem_expr->size += priv->expr_array[i]->ops->size;
}
return 0;
+err_out:
+ nft_set_elem_expr_destroy(&ctx, elem_expr);
+
+ return -1;
}
static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr,
--
2.34.1
^ permalink raw reply related
* Re: [PATCH net v2] hv_sock: Report EOF instead of -EIO for FIN
From: Stefano Garzarella @ 2026-04-17 8:11 UTC (permalink / raw)
To: Dexuan Cui
Cc: kys, haiyangz, wei.liu, longli, davem, edumazet, kuba, pabeni,
horms, niuxuewei.nxw, linux-hyperv, virtualization, netdev,
linux-kernel, stable, Ben Hillis, Mitchell Levy
In-Reply-To: <20260416191433.840637-1-decui@microsoft.com>
On Thu, Apr 16, 2026 at 12:14:33PM -0700, Dexuan Cui wrote:
>Commit f0c5827d07cb unluckily causes a regression for the FIN packet,
>and the final read syscall gets an error rather than 0.
>
>Ideally, we would want to fix hvs_channel_readable_payload() so that it
>could return 0 in the FIN scenario, but it's not good for the hv_sock
>driver to use the VMBus ringbuffer's cached priv_read_index, which is
>internal data in the VMBus driver.
>
>Fix the regression in hv_sock by returning 0 rather than -EIO.
>
>Fixes: f0c5827d07cb ("hv_sock: Return the readable bytes in hvs_stream_has_data()")
>Cc: stable@vger.kernel.org
>Reported-by: Ben Hillis <Ben.Hillis@microsoft.com>
>Reported-by: Mitchell Levy <levymitchell0@gmail.com>
>Signed-off-by: Dexuan Cui <decui@microsoft.com>
>---
>
>Changes since v1:
> Removed the local variable 'need_refill' to make the code more
> readable. Stefano, thanks!
Thanks for the fix!
>
> No other change.
>
> net/vmw_vsock/hyperv_transport.c | 20 ++++++++++++++++----
> 1 file changed, 16 insertions(+), 4 deletions(-)
Acked-by: Stefano Garzarella <sgarzare@redhat.com>
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox