April 2025 - Linux-stable-mirror

Potential Linux Crash: possible deadlock in kernfs_unlink_sibling in linux6.12.24(longterm maintenance)

by Jianzhou Zhao

Hello, I found a potential bug titled " possible deadlock in kernfs_unlink_sibling " with modified syzkaller in the Linux6.12.24(longterm maintenance, last updated on April 20, 2025). (The latest version of 6.12 is 6.12-25 at present. However, after comparison, I found that there seems to be no fix for this bug in the latest version.) Unfortunately, I am unable to reproduce this bug. If you fix this issue, please add the following tag to the commit: Reported-by: Jianzhou Zhao <luckd0g(a)163.com>, xingwei lee <xrivendell7(a)gmail.com>,Penglei Jiang <superman.xpt(a)gmail.com> The commit of the kernel is : b6efa8ce222e58cfe2bbaa4e3329818c2b4bd74e kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=55f8591b98dd132 compiler: gcc version 11.4.0 ------------[ cut here ]----------------------------------------- TITLE: possible deadlock in kernfs_unlink_sibling ------------[ cut here ]------------ ====================================================== ====================================================== WARNING: possible circular locking dependency detected 6.12.24 #3 Not tainted ------------------------------------------------------ syz-executor/42274 is trying to acquire lock: ffff88801bae51e0 (&root->kernfs_iattr_rwsem){++++}-{3:3}, at: kernfs_unlink_sibling+0xad/0x2c0 fs/kernfs/dir.c:413 but task is already holding lock: ffff88801bae5148 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_remove_by_name_ns+0x89/0x130 fs/kernfs/dir.c:1689 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #13 (&root->kernfs_rwsem){++++}-{3:3}: down_write+0x92/0x200 kernel/locking/rwsem.c:1577 kernfs_add_one+0xac/0x530 fs/kernfs/dir.c:778 kernfs_create_dir_ns+0xfa/0x160 fs/kernfs/dir.c:1071 internal_create_group+0x338/0xeb0 fs/sysfs/group.c:167 cpuhp_invoke_callback+0x3d2/0x9d0 kernel/cpu.c:194 cpuhp_issue_call+0x1c1/0x8d0 kernel/cpu.c:2370 __cpuhp_setup_state_cpuslocked+0x400/0x700 kernel/cpu.c:2516 __cpuhp_setup_state+0x106/0x320 kernel/cpu.c:2545 do_one_initcall+0x10e/0x6d0 init/main.c:1269 do_initcall_level init/main.c:1331 [inline] do_initcalls init/main.c:1347 [inline] do_basic_setup init/main.c:1366 [inline] kernel_init_freeable+0x5ae/0x8a0 init/main.c:1580 kernel_init+0x1e/0x2d0 init/main.c:1469 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #12 (cpuhp_state_mutex){+.+.}-{3:3}: -> #11 (cpu_hotplug_lock){++++}-{0:0}: percpu_down_read include/linux/percpu-rwsem.h:51 [inline] cpus_read_lock+0x42/0x160 kernel/cpu.c:490 __static_call_update+0x8b/0x630 kernel/static_call_inline.c:139 tracepoint_update_call kernel/tracepoint.c:317 [inline] tracepoint_add_func+0xa18/0xe50 kernel/tracepoint.c:358 tracepoint_probe_register_prio kernel/tracepoint.c:511 [inline] tracepoint_probe_register+0xa5/0xf0 kernel/tracepoint.c:531 register_trace_sched_wakeup include/trace/events/sched.h:178 [inline] tracing_sched_register kernel/trace/trace_sched_switch.c:56 [inline] tracing_start_sched_switch+0x97/0x1e0 kernel/trace/trace_sched_switch.c:110 __ftrace_event_enable_disable+0x68b/0x8a0 kernel/trace/trace_events.c:831 ftrace_event_enable_disable kernel/trace/trace_events.c:871 [inline] __ftrace_set_clr_event_nolock+0x29b/0x390 kernel/trace/trace_events.c:1200 __ftrace_set_clr_event kernel/trace/trace_events.c:1222 [inline] trace_set_clr_event+0xec/0x150 kernel/trace/trace_events.c:1287 __set_printk_clr_event kernel/trace/bpf_trace.c:416 [inline] bpf_get_trace_printk_proto+0x22/0x90 kernel/trace/bpf_trace.c:422 bpf_base_func_proto+0x9d6/0xbb0 kernel/bpf/helpers.c:2024 bpf_sk_base_func_proto+0x167/0x190 net/core/filter.c:11925 tc_cls_act_func_proto+0x506/0x510 net/core/filter.c:8289 get_helper_proto kernel/bpf/verifier.c:10430 [inline] mark_fastcall_pattern_for_call+0x242/0xd50 kernel/bpf/verifier.c:16305 mark_fastcall_patterns kernel/bpf/verifier.c:16416 [inline] bpf_check+0x85e6/0xb370 kernel/bpf/verifier.c:22458 bpf_prog_load+0x14d9/0x25d0 kernel/bpf/syscall.c:2847 __sys_bpf+0x1711/0x4f20 kernel/bpf/syscall.c:5667 __do_sys_bpf kernel/bpf/syscall.c:5774 [inline] __se_sys_bpf kernel/bpf/syscall.c:5772 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5772 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #10 (tracepoints_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 tracepoint_probe_register_prio kernel/tracepoint.c:507 [inline] tracepoint_probe_register+0x7c/0xf0 kernel/tracepoint.c:531 register_trace_block_rq_insert include/trace/events/block.h:238 [inline] blk_register_tracepoints+0x1b/0x3c0 kernel/trace/blktrace.c:1094 get_probe_ref kernel/trace/blktrace.c:337 [inline] do_blk_trace_setup+0x98a/0xbc0 kernel/trace/blktrace.c:611 __blk_trace_setup+0xca/0x180 kernel/trace/blktrace.c:630 blk_trace_setup+0x47/0x70 kernel/trace/blktrace.c:648 sg_ioctl_common drivers/scsi/sg.c:1114 [inline] sg_ioctl+0x65e/0x2720 drivers/scsi/sg.c:1156 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x19d/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #9 (blk_probe_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 get_probe_ref kernel/trace/blktrace.c:335 [inline] do_blk_trace_setup+0x797/0xbc0 kernel/trace/blktrace.c:611 __blk_trace_setup+0xca/0x180 kernel/trace/blktrace.c:630 blk_trace_setup+0x47/0x70 kernel/trace/blktrace.c:648 sg_ioctl_common drivers/scsi/sg.c:1114 [inline] sg_ioctl+0x65e/0x2720 drivers/scsi/sg.c:1156 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x19d/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #8 (&q->debugfs_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 blk_mq_init_sched+0x436/0x650 block/blk-mq-sched.c:473 elevator_init_mq+0x2cc/0x420 block/elevator.c:610 device_add_disk+0x10e/0x12f0 block/genhd.c:411 sd_probe+0xa0e/0xf80 drivers/scsi/sd.c:4024 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x24f/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1df/0x450 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830 __device_attach_driver+0x1db/0x2f0 drivers/base/dd.c:958 bus_for_each_drv+0x149/0x1d0 drivers/base/bus.c:459 __device_attach_async_helper+0x1d1/0x290 drivers/base/dd.c:987 async_run_entry_fn+0x9c/0x530 kernel/async.c:129 process_one_work+0xa02/0x1bf0 kernel/workqueue.c:3232 process_scheduled_works kernel/workqueue.c:3314 [inline] worker_thread+0x677/0xe90 kernel/workqueue.c:3395 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #7 (&q->q_usage_counter(queue)#51){++++}-{0:0}: blk_queue_enter+0x4d0/0x600 block/blk-core.c:328 blk_mq_alloc_request+0x422/0x9c0 block/blk-mq.c:680 scsi_alloc_request drivers/scsi/scsi_lib.c:1227 [inline] scsi_execute_cmd+0x1fe/0xf20 drivers/scsi/scsi_lib.c:304 read_capacity_16+0x1f2/0xe60 drivers/scsi/sd.c:2655 sd_read_capacity drivers/scsi/sd.c:2824 [inline] sd_revalidate_disk.isra.0+0x1989/0xa440 drivers/scsi/sd.c:3734 sd_probe+0x887/0xf80 drivers/scsi/sd.c:4010 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x24f/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1df/0x450 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830 __device_attach_driver+0x1db/0x2f0 drivers/base/dd.c:958 bus_for_each_drv+0x149/0x1d0 drivers/base/bus.c:459 __device_attach_async_helper+0x1d1/0x290 drivers/base/dd.c:987 async_run_entry_fn+0x9c/0x530 kernel/async.c:129 process_one_work+0xa02/0x1bf0 kernel/workqueue.c:3232 process_scheduled_works kernel/workqueue.c:3314 [inline] worker_thread+0x677/0xe90 kernel/workqueue.c:3395 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #6 (&q->limits_lock){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 queue_limits_start_update include/linux/blkdev.h:935 [inline] loop_reconfigure_limits+0x1f2/0x960 drivers/block/loop.c:1004 loop_set_block_size drivers/block/loop.c:1474 [inline] lo_simple_ioctl drivers/block/loop.c:1497 [inline] lo_ioctl+0xb92/0x1870 drivers/block/loop.c:1560 blkdev_ioctl+0x27b/0x6c0 block/ioctl.c:693 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x19d/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #5 (&q->q_usage_counter(io)#19){++++}-{0:0}: bio_queue_enter block/blk.h:76 [inline] blk_mq_submit_bio+0x2167/0x2b70 block/blk-mq.c:3090 __submit_bio+0x399/0x630 block/blk-core.c:629 __submit_bio_noacct_mq block/blk-core.c:716 [inline] submit_bio_noacct_nocheck+0x6c3/0xd00 block/blk-core.c:745 submit_bio_noacct+0x57a/0x1fa0 block/blk-core.c:868 nilfs_btnode_submit_block+0x58a/0x6e0 fs/nilfs2/btnode.c:139 __nilfs_btree_get_block+0x10b/0x6b0 fs/nilfs2/btree.c:481 nilfs_btree_do_lookup+0x3ea/0x8e0 fs/nilfs2/btree.c:579 nilfs_btree_lookup+0x4b/0x110 fs/nilfs2/btree.c:696 nilfs_bmap_lookup_at_level+0xd4/0x460 fs/nilfs2/bmap.c:69 nilfs_bmap_lookup fs/nilfs2/bmap.h:182 [inline] nilfs_mdt_submit_block+0x1a1/0x870 fs/nilfs2/mdt.c:141 nilfs_mdt_read_block+0x92/0x3c0 fs/nilfs2/mdt.c:175 nilfs_mdt_get_block+0xd2/0xa40 fs/nilfs2/mdt.c:250 nilfs_palloc_get_block+0xc0/0x310 fs/nilfs2/alloc.c:217 nilfs_palloc_get_entry_block+0x16b/0x1d0 fs/nilfs2/alloc.c:319 nilfs_dat_translate+0x82/0x3b0 fs/nilfs2/dat.c:413 nilfs_bmap_lookup_at_level+0x250/0x460 fs/nilfs2/bmap.c:74 nilfs_bmap_lookup fs/nilfs2/bmap.h:182 [inline] nilfs_mdt_submit_block+0x1a1/0x870 fs/nilfs2/mdt.c:141 nilfs_mdt_read_block+0x92/0x3c0 fs/nilfs2/mdt.c:175 nilfs_mdt_get_block+0xd2/0xa40 fs/nilfs2/mdt.c:250 nilfs_sufile_read+0x20f/0x5f0 fs/nilfs2/sufile.c:1254 nilfs_load_super_root fs/nilfs2/the_nilfs.c:128 [inline] load_nilfs+0x69d/0x1300 fs/nilfs2/the_nilfs.c:299 nilfs_fill_super fs/nilfs2/super.c:1067 [inline] nilfs_get_tree+0xa62/0x10d0 fs/nilfs2/super.c:1220 vfs_get_tree+0x94/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3512 [inline] path_mount+0x6b2/0x1ea0 fs/namespace.c:3839 do_mount fs/namespace.c:3852 [inline] __do_sys_mount fs/namespace.c:4062 [inline] __se_sys_mount fs/namespace.c:4039 [inline] __x64_sys_mount+0x284/0x310 fs/namespace.c:4039 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #4 (&nilfs_bmap_dat_lock_key){++++}-{3:3}: down_read+0x9a/0x330 kernel/locking/rwsem.c:1524 nilfs_bmap_lookup_at_level+0x7f/0x460 fs/nilfs2/bmap.c:68 nilfs_bmap_lookup fs/nilfs2/bmap.h:182 [inline] nilfs_mdt_submit_block+0x1a1/0x870 fs/nilfs2/mdt.c:141 nilfs_mdt_read_block+0x92/0x3c0 fs/nilfs2/mdt.c:175 nilfs_mdt_get_block+0xd2/0xa40 fs/nilfs2/mdt.c:250 nilfs_palloc_get_block+0xc0/0x310 fs/nilfs2/alloc.c:217 nilfs_palloc_get_entry_block+0x16b/0x1d0 fs/nilfs2/alloc.c:319 nilfs_dat_translate+0x82/0x3b0 fs/nilfs2/dat.c:413 nilfs_direct_lookup_contig+0x294/0x330 fs/nilfs2/direct.c:67 nilfs_bmap_lookup_contig+0x89/0x190 fs/nilfs2/bmap.c:100 nilfs_get_block+0x1fc/0xa70 fs/nilfs2/inode.c:82 do_mpage_readpage+0x6e2/0x16a0 fs/mpage.c:225 mpage_readahead+0x344/0x580 fs/mpage.c:374 read_pages+0x19b/0xd50 mm/readahead.c:160 page_cache_ra_unbounded+0x3ac/0x680 mm/readahead.c:290 do_page_cache_ra mm/readahead.c:320 [inline] page_cache_ra_order+0x8ee/0xb70 mm/readahead.c:519 page_cache_sync_ra+0x4e3/0x9e0 mm/readahead.c:607 page_cache_sync_readahead include/linux/pagemap.h:1394 [inline] filemap_get_pages+0x327/0x19f0 mm/filemap.c:2558 filemap_read+0x3a2/0xc70 mm/filemap.c:2656 generic_file_read_iter+0x349/0x450 mm/filemap.c:2844 __kernel_read+0x3c6/0xb20 fs/read_write.c:527 integrity_kernel_read+0x7f/0xb0 security/integrity/iint.c:28 ima_calc_file_hash_tfm+0x2bd/0x3c0 security/integrity/ima/ima_crypto.c:480 ima_calc_file_shash security/integrity/ima/ima_crypto.c:511 [inline] ima_calc_file_hash+0x1b5/0x490 security/integrity/ima/ima_crypto.c:568 ima_collect_measurement+0x86c/0xa20 security/integrity/ima/ima_api.c:293 process_measurement+0xff9/0x1fb0 security/integrity/ima/ima_main.c:383 ima_file_check+0xb9/0x100 security/integrity/ima/ima_main.c:583 security_file_post_open+0x95/0x230 security/security.c:3129 do_open fs/namei.c:3776 [inline] path_openat+0x14d8/0x2960 fs/namei.c:3933 do_filp_open+0x1c7/0x410 fs/namei.c:3960 do_sys_openat2+0x164/0x1d0 fs/open.c:1415 do_sys_open fs/open.c:1430 [inline] __do_sys_openat fs/open.c:1446 [inline] __se_sys_openat fs/open.c:1441 [inline] __x64_sys_openat+0x140/0x1f0 fs/open.c:1441 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #3 (&bmap->b_sem){++++}-{3:3}: down_write+0x92/0x200 kernel/locking/rwsem.c:1577 nilfs_bmap_clear+0x1c/0xa0 fs/nilfs2/bmap.c:319 nilfs_clear_inode+0x21c/0x330 fs/nilfs2/inode.c:869 nilfs_evict_inode+0x3c1/0x530 fs/nilfs2/inode.c:889 evict+0x3ef/0x940 fs/inode.c:725 dispose_list+0x117/0x1e0 fs/inode.c:774 prune_icache_sb+0xeb/0x150 fs/inode.c:963 super_cache_scan+0x37f/0x570 fs/super.c:223 do_shrink_slab+0x44b/0x1190 mm/shrinker.c:437 shrink_slab_memcg mm/shrinker.c:550 [inline] shrink_slab+0xb61/0x12a0 mm/shrinker.c:628 shrink_one+0x4ad/0x7c0 mm/vmscan.c:4835 shrink_many mm/vmscan.c:4896 [inline] lru_gen_shrink_node mm/vmscan.c:4974 [inline] shrink_node+0x2420/0x3890 mm/vmscan.c:5954 kswapd_shrink_node mm/vmscan.c:6782 [inline] balance_pgdat+0xbe5/0x18c0 mm/vmscan.c:6974 kswapd+0x702/0xd50 mm/vmscan.c:7243 kthread+0x2c7/0x3b0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #2 (fs_reclaim){+.+.}-{0:0}: __fs_reclaim_acquire mm/page_alloc.c:3853 [inline] fs_reclaim_acquire+0x102/0x150 mm/page_alloc.c:3867 might_alloc include/linux/sched/mm.h:318 [inline] slab_pre_alloc_hook mm/slub.c:4058 [inline] slab_alloc_node mm/slub.c:4136 [inline] kmem_cache_alloc_noprof+0x4e/0x2f0 mm/slub.c:4163 __kernfs_iattrs+0xbc/0x3f0 fs/kernfs/inode.c:37 kernfs_iattrs fs/kernfs/inode.c:60 [inline] kernfs_xattr_set fs/kernfs/inode.c:309 [inline] kernfs_vfs_xattr_set+0x5d/0xe0 fs/kernfs/inode.c:340 __vfs_setxattr+0x173/0x1e0 fs/xattr.c:200 __vfs_setxattr_noperm+0x129/0x670 fs/xattr.c:234 __vfs_setxattr_locked+0x1d7/0x260 fs/xattr.c:295 vfs_setxattr+0x143/0x360 fs/xattr.c:321 do_setxattr+0x171/0x1e0 fs/xattr.c:629 path_setxattr+0x202/0x260 fs/xattr.c:658 __do_sys_setxattr fs/xattr.c:676 [inline] __se_sys_setxattr fs/xattr.c:672 [inline] __x64_sys_setxattr+0xc4/0x160 fs/xattr.c:672 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #1 (iattr_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:608 [inline] __mutex_lock+0x147/0x930 kernel/locking/mutex.c:752 __kernfs_iattrs+0x2b/0x3f0 fs/kernfs/inode.c:32 kernfs_iattrs fs/kernfs/inode.c:60 [inline] __kernfs_setattr+0x4d/0x3d0 fs/kernfs/inode.c:73 kernfs_iop_setattr+0x12b/0x190 fs/kernfs/inode.c:127 notify_change+0x6d3/0x1280 fs/attr.c:503 do_truncate+0x143/0x200 fs/open.c:65 handle_truncate fs/namei.c:3395 [inline] do_open fs/namei.c:3778 [inline] path_openat+0x22b6/0x2960 fs/namei.c:3933 do_filp_open+0x1c7/0x410 fs/namei.c:3960 do_sys_openat2+0x164/0x1d0 fs/open.c:1415 do_sys_open fs/open.c:1430 [inline] __do_sys_openat fs/open.c:1446 [inline] __se_sys_openat fs/open.c:1441 [inline] __x64_sys_openat+0x140/0x1f0 fs/open.c:1441 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&root->kernfs_iattr_rwsem){++++}-{3:3}: check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain kernel/locking/lockdep.c:3904 [inline] __lock_acquire+0x2425/0x3b90 kernel/locking/lockdep.c:5202 lock_acquire.part.0+0x11b/0x370 kernel/locking/lockdep.c:5825 down_write+0x92/0x200 kernel/locking/rwsem.c:1577 kernfs_unlink_sibling+0xad/0x2c0 fs/kernfs/dir.c:413 __kernfs_remove+0x2b3/0x670 fs/kernfs/dir.c:1492 kernfs_remove_by_name_ns+0xb4/0x130 fs/kernfs/dir.c:1694 kernfs_remove_by_name include/linux/kernfs.h:625 [inline] remove_files+0x96/0x1c0 fs/sysfs/group.c:28 sysfs_remove_group+0x8b/0x180 fs/sysfs/group.c:319 sysfs_remove_groups fs/sysfs/group.c:343 [inline] sysfs_remove_groups+0x60/0xa0 fs/sysfs/group.c:335 __kobject_del+0x89/0x1f0 lib/kobject.c:595 kobject_cleanup lib/kobject.c:680 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x2e5/0x4c0 lib/kobject.c:737 net_rx_queue_update_kobjects+0x4d4/0x640 net/core/net-sysfs.c:1178 remove_queue_kobjects net/core/net-sysfs.c:1953 [inline] netdev_unregister_kobject+0x150/0x270 net/core/net-sysfs.c:2107 unregister_netdevice_many_notify+0x1202/0x1ce0 net/core/dev.c:11503 unregister_netdevice_many net/core/dev.c:11531 [inline] unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11405 unregister_netdevice include/linux/netdevice.h:3126 [inline] nsim_destroy+0x102/0x6c0 drivers/net/netdevsim/netdev.c:778 __nsim_dev_port_del+0x189/0x240 drivers/net/netdevsim/dev.c:1428 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1440 [inline] nsim_dev_reload_destroy+0x105/0x490 drivers/net/netdevsim/dev.c:1661 nsim_drv_remove+0x52/0x1d0 drivers/net/netdevsim/dev.c:1676 device_remove+0xc8/0x170 drivers/base/dd.c:567 __device_release_driver drivers/base/dd.c:1273 [inline] device_release_driver_internal+0x443/0x620 drivers/base/dd.c:1296 bus_remove_device+0x22f/0x420 drivers/base/bus.c:576 device_del+0x395/0x9d0 drivers/base/core.c:3855 device_unregister+0x1e/0xc0 drivers/base/core.c:3896 nsim_bus_dev_del drivers/net/netdevsim/bus.c:462 [inline] del_device_store+0x34e/0x4b0 drivers/net/netdevsim/bus.c:226 bus_attr_store+0x71/0xb0 drivers/base/bus.c:172 sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x335/0x500 fs/kernfs/file.c:334 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xbfc/0x10d0 fs/read_write.c:683 ksys_write+0x122/0x250 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Chain exists of: &root->kernfs_iattr_rwsem --> cpuhp_state_mutex --> &root->kernfs_rwsem Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&root->kernfs_rwsem); lock(cpuhp_state_mutex); lock(&root->kernfs_rwsem); lock(&root->kernfs_iattr_rwsem); *** DEADLOCK *** 8 locks held by syz-executor/42274: #0: ffff8880454fe420 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x122/0x250 fs/read_write.c:736 #1: ffff88806a42d488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x27a/0x500 fs/kernfs/file.c:325 #2: ffff888043faf0f8 (kn->active#64){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x29e/0x500 fs/kernfs/file.c:326 #3: ffffffff8f280da8 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: del_device_store+0xc9/0x4b0 drivers/net/netdevsim/bus.c:216 #4: ffff88801fc9c0e8 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #4: ffff88801fc9c0e8 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline] #4: ffff88801fc9c0e8 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x620 drivers/base/dd.c:1293 #5: ffff88801fc9d250 (&devlink->lock_key#42){+.+.}-{3:3}, at: nsim_drv_remove+0x4a/0x1d0 drivers/net/netdevsim/dev.c:1675 #6: ffffffff8fce93a8 (rtnl_mutex){+.+.}-{3:3}, at: nsim_destroy+0x6b/0x6c0 drivers/net/netdevsim/netdev.c:773 #7: ffff88801bae5148 (&root->kernfs_rwsem){++++}-{3:3}, at: kernfs_remove_by_name_ns+0x89/0x130 fs/kernfs/dir.c:1689 stack backtrace: CPU: 1 UID: 0 PID: 42274 Comm: syz-executor Not tainted 6.12.24 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_circular_bug+0x406/0x5c0 kernel/locking/lockdep.c:2074 check_noncircular+0x2f7/0x3e0 kernel/locking/lockdep.c:2206 check_prev_add kernel/locking/lockdep.c:3161 [inline] check_prevs_add kernel/locking/lockdep.c:3280 [inline] validate_chain kernel/locking/lockdep.c:3904 [inline] __lock_acquire+0x2425/0x3b90 kernel/locking/lockdep.c:5202 lock_acquire.part.0+0x11b/0x370 kernel/locking/lockdep.c:5825 down_write+0x92/0x200 kernel/locking/rwsem.c:1577 kernfs_unlink_sibling+0xad/0x2c0 fs/kernfs/dir.c:413 __kernfs_remove+0x2b3/0x670 fs/kernfs/dir.c:1492 kernfs_remove_by_name_ns+0xb4/0x130 fs/kernfs/dir.c:1694 kernfs_remove_by_name include/linux/kernfs.h:625 [inline] remove_files+0x96/0x1c0 fs/sysfs/group.c:28 sysfs_remove_group+0x8b/0x180 fs/sysfs/group.c:319 sysfs_remove_groups fs/sysfs/group.c:343 [inline] sysfs_remove_groups+0x60/0xa0 fs/sysfs/group.c:335 __kobject_del+0x89/0x1f0 lib/kobject.c:595 kobject_cleanup lib/kobject.c:680 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x2e5/0x4c0 lib/kobject.c:737 net_rx_queue_update_kobjects+0x4d4/0x640 net/core/net-sysfs.c:1178 remove_queue_kobjects net/core/net-sysfs.c:1953 [inline] netdev_unregister_kobject+0x150/0x270 net/core/net-sysfs.c:2107 unregister_netdevice_many_notify+0x1202/0x1ce0 net/core/dev.c:11503 unregister_netdevice_many net/core/dev.c:11531 [inline] unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11405 unregister_netdevice include/linux/netdevice.h:3126 [inline] nsim_destroy+0x102/0x6c0 drivers/net/netdevsim/netdev.c:778 __nsim_dev_port_del+0x189/0x240 drivers/net/netdevsim/dev.c:1428 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1440 [inline] nsim_dev_reload_destroy+0x105/0x490 drivers/net/netdevsim/dev.c:1661 nsim_drv_remove+0x52/0x1d0 drivers/net/netdevsim/dev.c:1676 device_remove+0xc8/0x170 drivers/base/dd.c:567 __device_release_driver drivers/base/dd.c:1273 [inline] device_release_driver_internal+0x443/0x620 drivers/base/dd.c:1296 bus_remove_device+0x22f/0x420 drivers/base/bus.c:576 device_del+0x395/0x9d0 drivers/base/core.c:3855 device_unregister+0x1e/0xc0 drivers/base/core.c:3896 nsim_bus_dev_del drivers/net/netdevsim/bus.c:462 [inline] del_device_store+0x34e/0x4b0 drivers/net/netdevsim/bus.c:226 bus_attr_store+0x71/0xb0 drivers/base/bus.c:172 sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136 kernfs_fop_write_iter+0x335/0x500 fs/kernfs/file.c:334 new_sync_write fs/read_write.c:590 [inline] vfs_write+0xbfc/0x10d0 fs/read_write.c:683 ksys_write+0x122/0x250 fs/read_write.c:736 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7feb2b1ac01f Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 79 0d 03 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 bc 0d 03 00 48 RSP: 002b:00007ffdd4ed8e70 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007feb2b1ac01f RDX: 0000000000000001 RSI: 00007ffdd4ed8ec0 RDI: 0000000000000005 RBP: 0000000000000005 R08: 0000000000000000 R09: 00007ffdd4ed8e10 R10: 0000000000000000 R11: 0000000000000293 R12: 00007feb2b247e34 R13: 00007ffdd4ed8ec0 R14: 0000000000000000 R15: 00007ffdd4ed9aa0 </TASK> netdevsim netdevsim4 netdevsim0: renamed from eth0 netdevsim netdevsim4 netdevsim1: renamed from eth1 netdevsim netdevsim4 netdevsim2: renamed from eth2 netdevsim netdevsim4 netdevsim3: renamed from eth3 8021q: adding VLAN 0 to HW filter on device bond0 8021q: adding VLAN 0 to HW filter on device team0 8021q: adding VLAN 0 to HW filter on device batadv0 veth0_vlan: entered promiscuous mode veth1_vlan: entered promiscuous mode veth0_macvtap: entered promiscuous mode veth1_macvtap: entered promiscuous mode batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: batadv0: Interface activated: batadv_slave_0 batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1 batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems! batman_adv: batadv0: Interface activated: batadv_slave_1 netdevsim netdevsim4 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim4 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim4 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim4 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 ieee80211 phy54: Selected rate control algorithm 'minstrel_ht' ieee80211 phy55: Selected rate control algorithm 'minstrel_ht' ================================================================== I hope it helps. Best regards Jianzhou Zhao

2 months

1
0
0 0

Re: Patch "lib/Kconfig.ubsan: Remove 'default UBSAN' from UBSAN_INTEGER_WRAP" has been added to the 6.14-stable tree

by Kees Cook

On April 26, 2025 6:25:09 AM PDT, Sasha Levin <sashal(a)kernel.org> wrote: >This is a note to let you know that I've just added the patch titled > > lib/Kconfig.ubsan: Remove 'default UBSAN' from UBSAN_INTEGER_WRAP > >to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > >The filename of the patch is: > lib-kconfig.ubsan-remove-default-ubsan-from-ubsan_in.patch >and it can be found in the queue-6.14 subdirectory. > >If you, or anyone else, feels it should not be added to the stable tree, >please let <stable(a)vger.kernel.org> know about it. Please drop this; it's fixing the other patch that should not be backported. :) -Kees -- Kees Cook

2 months

3
5
0 0

[PATCH] securityfs: fix missing of d_delete() in securityfs_remove()

by alexjlzheng＠gmail.com

From: Jinliang Zheng <alexjlzheng(a)tencent.com> Consider the following module code: static struct dentry *dentry; static int __init securityfs_test_init(void) { dentry = securityfs_create_dir("standon", NULL); return PTR_ERR(dentry); } static void __exit securityfs_test_exit(void) { securityfs_remove(dentry); } module_init(securityfs_test_init); module_exit(securityfs_test_exit); and then: insmod /path/to/thismodule cd /sys/kernel/security/standon <- we hold 'standon' rmmod thismodule <- 'standon' don't go away insmod /path/to/thismodule <- Failed: File exists! Fix this by adding d_delete() in securityfs_remove(). Fixes: b67dbf9d4c198 ("[PATCH] add securityfs for all LSMs to use") Signed-off-by: Jinliang Zheng <alexjlzheng(a)tencent.com> Cc: <stable(a)vger.kernel.org> --- security/inode.c | 1 + 1 file changed, 1 insertion(+) diff --git a/security/inode.c b/security/inode.c index da3ab44c8e57..d99baf26350a 100644 --- a/security/inode.c +++ b/security/inode.c @@ -306,6 +306,7 @@ void securityfs_remove(struct dentry *dentry) simple_rmdir(dir, dentry); else simple_unlink(dir, dentry); + d_delete(dentry); dput(dentry); } inode_unlock(dir); -- 2.49.0

2 months

4
4
0 0

Re: Patch "lib/Kconfig.ubsan: Remove 'default UBSAN' from UBSAN_INTEGER_WRAP" has been added to the 6.12-stable tree

by Kees Cook

On April 26, 2025 6:27:11 AM PDT, Sasha Levin <sashal(a)kernel.org> wrote: >This is a note to let you know that I've just added the patch titled > > lib/Kconfig.ubsan: Remove 'default UBSAN' from UBSAN_INTEGER_WRAP > >to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > >The filename of the patch is: > lib-kconfig.ubsan-remove-default-ubsan-from-ubsan_in.patch >and it can be found in the queue-6.12 subdirectory. > >If you, or anyone else, feels it should not be added to the stable tree, >please let <stable(a)vger.kernel.org> know about it. And this too; please drop. :) -Kees -- Kees Cook

2 months

1
0
0 0

Re: Patch "ubsan/overflow: Rework integer overflow sanitizer option to turn on everything" has been added to the 6.12-stable tree

by Kees Cook

On April 26, 2025 6:27:07 AM PDT, Sasha Levin <sashal(a)kernel.org> wrote: >This is a note to let you know that I've just added the patch titled > > ubsan/overflow: Rework integer overflow sanitizer option to turn on everything > >to the 6.12-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > >The filename of the patch is: > ubsan-overflow-rework-integer-overflow-sanitizer-opt.patch >and it can be found in the queue-6.12 subdirectory. > >If you, or anyone else, feels it should not be added to the stable tree, >please let <stable(a)vger.kernel.org> know about it. Same as the other email; please drop. -Kees -- Kees Cook

2 months

1
0
0 0

Re: Patch "ubsan/overflow: Rework integer overflow sanitizer option to turn on everything" has been added to the 6.14-stable tree

by Kees Cook

On April 26, 2025 6:25:06 AM PDT, Sasha Levin <sashal(a)kernel.org> wrote: >This is a note to let you know that I've just added the patch titled > > ubsan/overflow: Rework integer overflow sanitizer option to turn on everything > >to the 6.14-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > >The filename of the patch is: > ubsan-overflow-rework-integer-overflow-sanitizer-opt.patch >and it can be found in the queue-6.14 subdirectory. > >If you, or anyone else, feels it should not be added to the stable tree, >please let <stable(a)vger.kernel.org> know about it. Please drop this; it is a config change and should not be backported. -Kees -- Kees Cook

2 months

1
0
0 0

FAILED: patch "[PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 2ccd42b959aaf490333dbd3b9b102eaf295c036a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041736-abrasion-yonder-b301@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Wed, 2 Apr 2025 22:36:21 +0200 Subject: [PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues If we finds a vq without a name in our input array in virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq. Consequently, we create only a queue if it actually exists (name != NULL) and assign an incremental queue index to each such existing queue. However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we will not ignore these "non-existing queues", but instead assign an airq indicator to them. Besides never releasing them in virtio_ccw_drop_indicators() (because there is no virtqueue), the bigger issue seems to be that there will be a disagreement between the device and the Linux guest about the airq indicator to be used for notifying a queue, because the indicator bit for adapter I/O interrupt is derived from the queue index. The virtio spec states under "Setting Up Two-Stage Queue Indicators": ... indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. And further in "Notification via Adapter I/O Interrupts": For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. For example, QEMU uses in virtio_ccw_notify() the queue index (passed as "vector") to select the relevant indicator bit. If a queue does not exist, it does not have a corresponding indicator bit assigned, because it effectively doesn't have a queue index. Using a virtio-balloon-ccw device under QEMU with free-page-hinting disabled ("free-page-hint=off") but free-page-reporting enabled ("free-page-reporting=on") will result in free page reporting not working as expected: in the virtio_balloon driver, we'll be stuck forever in virtballoon_free_page_report()->wait_event(), because the waitqueue will not be woken up as the notification from the device is lost: it would use the wrong indicator bit. Free page reporting stops working and we get splats (when configured to detect hung wqs) like: INFO: task kworker/1:3:463 blocked for more than 61 seconds. Not tainted 6.14.0 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:3 [...] Workqueue: events page_reporting_process Call Trace: [<000002f404e6dfb2>] __schedule+0x402/0x1640 [<000002f404e6f22e>] schedule+0x3e/0xe0 [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon] [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740 [<000002f403fd3ee2>] process_one_work+0x1c2/0x400 [<000002f403fd4b96>] worker_thread+0x296/0x420 [<000002f403fe10b4>] kthread+0x124/0x290 [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60 [<000002f404e77272>] ret_from_fork+0xa/0x38 There was recently a discussion [1] whether the "holes" should be treated differently again, effectively assigning also non-existing queues a queue index: that should also fix the issue, but requires other workarounds to not break existing setups. Let's fix it without affecting existing setups for now by properly ignoring the non-existing queues, so the indicator bits will match the queue indexes. [1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/ Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL") Reported-by: Chandra Merla <cmerla(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Cornelia Huck <cohuck(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Christian Borntraeger <borntraeger(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c index 21fa7ac849e5..4904b831c0a7 100644 --- a/drivers/s390/virtio/virtio_ccw.c +++ b/drivers/s390/virtio/virtio_ccw.c @@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(int index) static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, u64 *first, void **airq_info) { - int i, j; + int i, j, queue_idx, highest_queue_idx = -1; struct airq_info *info; unsigned long *indicator_addr = NULL; unsigned long bit, flags; + /* Array entries without an actual queue pointer must be ignored. */ + for (i = 0; i < nvqs; i++) { + if (vqs[i]) + highest_queue_idx++; + } + for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) { mutex_lock(&airq_areas_lock); if (!airq_areas[i]) @@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, if (!info) return NULL; write_lock_irqsave(&info->lock, flags); - bit = airq_iv_alloc(info->aiv, nvqs); + bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1); if (bit == -1UL) { /* Not enough vacancies. */ write_unlock_irqrestore(&info->lock, flags); @@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, *first = bit; *airq_info = info; indicator_addr = info->aiv->vector; - for (j = 0; j < nvqs; j++) { - airq_iv_set_ptr(info->aiv, bit + j, + for (j = 0, queue_idx = 0; j < nvqs; j++) { + if (!vqs[j]) + continue; + airq_iv_set_ptr(info->aiv, bit + queue_idx++, (unsigned long)vqs[j]); } write_unlock_irqrestore(&info->lock, flags);

2 months

3
2
0 0

[PATCH stable 6.12 0/4] Fix xdp_devmap_attach failure in BPF selftests

by Shung-Hsi Yu

This patchset backport commit to fix BPF selftests failure in stable 6.12 since commit 972bafed67ca ("bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()"), which is backport of upstream commit 6b3d638ca897. The fix needed is upstream commit c7f2188d68c1 ("selftests/bpf: Adjust data size to have ETH_HLEN"), which in turn depends on upstream commit d5fbcf46ee82 "selftests/bpf: make xdp_cpumap_attach keep redirect prog attached". Latter is part of "selftests/bpf: add coverage for xdp_features in test_progs"[1], and I opt to backport the series entirely since it adds coverage. With these patches the xdp_devmap_attach no longer fails[2]. BPF selftests failure log below for completeness. See [3] for the raw log. Error: #566 xdp_devmap_attach Error: #566/1 xdp_devmap_attach/DEVMAP with programs in entries test_xdp_with_devmap_helpers:PASS:ip netns add devmap_attach_ns 0 nsec test_xdp_with_devmap_helpers:PASS:open_netns 0 nsec test_xdp_with_devmap_helpers:PASS:ip link set dev lo up 0 nsec test_xdp_with_devmap_helpers:PASS:test_xdp_with_devmap_helpers__open_and_load 0 nsec test_xdp_with_devmap_helpers:PASS:Generic attach of program with 8-byte devmap 0 nsec test_xdp_with_devmap_helpers:PASS:bpf_prog_get_info_by_fd 0 nsec test_xdp_with_devmap_helpers:PASS:Add program to devmap entry 0 nsec test_xdp_with_devmap_helpers:PASS:Read devmap entry 0 nsec test_xdp_with_devmap_helpers:PASS:Match program id to devmap entry prog_id 0 nsec test_xdp_with_devmap_helpers:FAIL:XDP test run unexpected error: -22 (errno 22) test_xdp_with_devmap_helpers:PASS:XDP program detach 0 nsec libbpf: Kernel error message: BPF_XDP_DEVMAP programs can not be attached to a device test_xdp_with_devmap_helpers:PASS:Attach of BPF_XDP_DEVMAP program 0 nsec test_xdp_with_devmap_helpers:PASS:Add non-BPF_XDP_DEVMAP program to devmap entry 0 nsec test_xdp_with_devmap_helpers:PASS:Add BPF_XDP program with frags to devmap entry 0 nsec Error: #566/4 xdp_devmap_attach/DEVMAP with programs in entries on veth test_xdp_with_devmap_helpers_veth:PASS:ip netns add devmap_attach_ns 0 nsec test_xdp_with_devmap_helpers_veth:PASS:open_netns 0 nsec test_xdp_with_devmap_helpers_veth:PASS:ip link add veth_src type veth peer name veth_dst 0 nsec test_xdp_with_devmap_helpers_veth:PASS:ip link set dev veth_src up 0 nsec test_xdp_with_devmap_helpers_veth:PASS:ip link set dev veth_dst up 0 nsec test_xdp_with_devmap_helpers_veth:PASS:val.ifindex 0 nsec test_xdp_with_devmap_helpers_veth:PASS:ifindex_dst 0 nsec test_xdp_with_devmap_helpers_veth:PASS:test_xdp_with_devmap_helpers__open_and_load 0 nsec test_xdp_with_devmap_helpers_veth:PASS:Attach of program with 8-byte devmap 0 nsec test_xdp_with_devmap_helpers_veth:PASS:bpf_prog_get_info_by_fd 0 nsec test_xdp_with_devmap_helpers_veth:PASS:Add program to devmap entry 0 nsec test_xdp_with_devmap_helpers_veth:PASS:Read devmap entry 0 nsec test_xdp_with_devmap_helpers_veth:PASS:Match program id to devmap entry prog_id 0 nsec test_xdp_with_devmap_helpers_veth:PASS:Attach of dummy XDP 0 nsec test_xdp_with_devmap_helpers_veth:FAIL:XDP test run unexpected error: -22 (errno 22) test_xdp_with_devmap_helpers_veth:PASS:XDP program detach 0 nsec test_xdp_with_devmap_helpers_veth:PASS:XDP program detach 0 nsec 1: https://lore.kernel.org/all/20241009-convert_xdp_tests-v3-0-51cea913710c@bo… 2: https://github.com/shunghsiyu/libbpf/actions/runs/14569651139/job/408644287… 3: https://github.com/shunghsiyu/libbpf/actions/runs/14562221313/job/408469275… Alexis Lothoré (eBPF Foundation) (3): selftests/bpf: fix bpf_map_redirect call for cpu map test selftests/bpf: make xdp_cpumap_attach keep redirect prog attached selftests/bpf: check program redirect in xdp_cpumap_attach Shigeru Yoshida (1): selftests/bpf: Adjust data size to have ETH_HLEN .../bpf/prog_tests/xdp_cpumap_attach.c | 44 +++++++++++++++---- .../bpf/prog_tests/xdp_devmap_attach.c | 8 ++-- .../bpf/progs/test_xdp_with_cpumap_helpers.c | 7 ++- 3 files changed, 46 insertions(+), 13 deletions(-) -- 2.49.0

2 months

2
8
0 0

FAILED: patch "[PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 2ccd42b959aaf490333dbd3b9b102eaf295c036a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025041737-impart-slacker-8722@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001 From: David Hildenbrand <david(a)redhat.com> Date: Wed, 2 Apr 2025 22:36:21 +0200 Subject: [PATCH] s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues If we finds a vq without a name in our input array in virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq. Consequently, we create only a queue if it actually exists (name != NULL) and assign an incremental queue index to each such existing queue. However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we will not ignore these "non-existing queues", but instead assign an airq indicator to them. Besides never releasing them in virtio_ccw_drop_indicators() (because there is no virtqueue), the bigger issue seems to be that there will be a disagreement between the device and the Linux guest about the airq indicator to be used for notifying a queue, because the indicator bit for adapter I/O interrupt is derived from the queue index. The virtio spec states under "Setting Up Two-Stage Queue Indicators": ... indicator contains the guest address of an area wherein the indicators for the devices are contained, starting at bit_nr, one bit per virtqueue of the device. And further in "Notification via Adapter I/O Interrupts": For notifying the driver of virtqueue buffers, the device sets the bit in the guest-provided indicator area at the corresponding offset. For example, QEMU uses in virtio_ccw_notify() the queue index (passed as "vector") to select the relevant indicator bit. If a queue does not exist, it does not have a corresponding indicator bit assigned, because it effectively doesn't have a queue index. Using a virtio-balloon-ccw device under QEMU with free-page-hinting disabled ("free-page-hint=off") but free-page-reporting enabled ("free-page-reporting=on") will result in free page reporting not working as expected: in the virtio_balloon driver, we'll be stuck forever in virtballoon_free_page_report()->wait_event(), because the waitqueue will not be woken up as the notification from the device is lost: it would use the wrong indicator bit. Free page reporting stops working and we get splats (when configured to detect hung wqs) like: INFO: task kworker/1:3:463 blocked for more than 61 seconds. Not tainted 6.14.0 #4 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:3 [...] Workqueue: events page_reporting_process Call Trace: [<000002f404e6dfb2>] __schedule+0x402/0x1640 [<000002f404e6f22e>] schedule+0x3e/0xe0 [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon] [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740 [<000002f403fd3ee2>] process_one_work+0x1c2/0x400 [<000002f403fd4b96>] worker_thread+0x296/0x420 [<000002f403fe10b4>] kthread+0x124/0x290 [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60 [<000002f404e77272>] ret_from_fork+0xa/0x38 There was recently a discussion [1] whether the "holes" should be treated differently again, effectively assigning also non-existing queues a queue index: that should also fix the issue, but requires other workarounds to not break existing setups. Let's fix it without affecting existing setups for now by properly ignoring the non-existing queues, so the indicator bits will match the queue indexes. [1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/ Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL") Reported-by: Chandra Merla <cmerla(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: David Hildenbrand <david(a)redhat.com> Tested-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Thomas Huth <thuth(a)redhat.com> Reviewed-by: Cornelia Huck <cohuck(a)redhat.com> Acked-by: Michael S. Tsirkin <mst(a)redhat.com> Acked-by: Christian Borntraeger <borntraeger(a)linux.ibm.com> Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com Signed-off-by: Heiko Carstens <hca(a)linux.ibm.com> diff --git a/drivers/s390/virtio/virtio_ccw.c b/drivers/s390/virtio/virtio_ccw.c index 21fa7ac849e5..4904b831c0a7 100644 --- a/drivers/s390/virtio/virtio_ccw.c +++ b/drivers/s390/virtio/virtio_ccw.c @@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(int index) static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, u64 *first, void **airq_info) { - int i, j; + int i, j, queue_idx, highest_queue_idx = -1; struct airq_info *info; unsigned long *indicator_addr = NULL; unsigned long bit, flags; + /* Array entries without an actual queue pointer must be ignored. */ + for (i = 0; i < nvqs; i++) { + if (vqs[i]) + highest_queue_idx++; + } + for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) { mutex_lock(&airq_areas_lock); if (!airq_areas[i]) @@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, if (!info) return NULL; write_lock_irqsave(&info->lock, flags); - bit = airq_iv_alloc(info->aiv, nvqs); + bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1); if (bit == -1UL) { /* Not enough vacancies. */ write_unlock_irqrestore(&info->lock, flags); @@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs, *first = bit; *airq_info = info; indicator_addr = info->aiv->vector; - for (j = 0; j < nvqs; j++) { - airq_iv_set_ptr(info->aiv, bit + j, + for (j = 0, queue_idx = 0; j < nvqs; j++) { + if (!vqs[j]) + continue; + airq_iv_set_ptr(info->aiv, bit + queue_idx++, (unsigned long)vqs[j]); } write_unlock_irqrestore(&info->lock, flags);

2 months

3
2
0 0

[PATCH stable 6.12 6.14 1/1] selftests/bpf: Mitigate sockmap_ktls disconnect_after_delete failure

by Shung-Hsi Yu

From: Ihor Solodrai <ihor.solodrai(a)linux.dev> commit 5071a1e606b30c0c11278d3c6620cd6a24724cf6 upstream. "sockmap_ktls disconnect_after_delete" test has been failing on BPF CI after recent merges from netdev: * https://github.com/kernel-patches/bpf/actions/runs/14458537639 * https://github.com/kernel-patches/bpf/actions/runs/14457178732 It happens because disconnect has been disabled for TLS [1], and it renders the test case invalid. Removing all the test code creates a conflict between bpf and bpf-next, so for now only remove the offending assert [2]. The test will be removed later on bpf-next. [1] https://lore.kernel.org/netdev/20250404180334.3224206-1-kuba@kernel.org/ [2] https://lore.kernel.org/bpf/cfc371285323e1a3f3b006bfcf74e6cf7ad65258@linux.… Signed-off-by: Ihor Solodrai <ihor.solodrai(a)linux.dev> Signed-off-by: Andrii Nakryiko <andrii(a)kernel.org> Reviewed-by: Jiayuan Chen <jiayuan.chen(a)linux.dev> Link: https://lore.kernel.org/bpf/20250416170246.2438524-1-ihor.solodrai@linux.dev [ shung-hsi.yu: needed because upstream commit 5071a1e606b3 ("net: tls: explicitly disallow disconnect") is backported ] Signed-off-by: Shung-Hsi Yu <shung-hsi.yu(a)suse.com> --- tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c b/tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c index 2d0796314862..0a99fd404f6d 100644 --- a/tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c +++ b/tools/testing/selftests/bpf/prog_tests/sockmap_ktls.c @@ -68,7 +68,6 @@ static void test_sockmap_ktls_disconnect_after_delete(int family, int map) goto close_cli; err = disconnect(cli); - ASSERT_OK(err, "disconnect"); close_cli: close(cli); -- 2.49.0

2 months

3
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2025