[BUG]
For the following write sequence with 64K page size and 4K fs block size,
it will lead to file extent items to be inserted without any data
checksum:
mkfs.btrfs -s 4k -f $dev > /dev/null
mount $dev $mnt
xfs_io -f -c "pwrite 0 16k" -c "pwrite 32k 4k" -c pwrite "60k 64K" \
-c "truncate 16k" $mnt/foobar
umount $mnt
This will result the following 2 file extent items to be inserted (extra
trace point added to insert_ordered_extent_file_extent()):
btrfs_finish_one_ordered: root=5 ino=257 file_off=61440 num_bytes=4096 csum_bytes=0
btrfs_finish_one_ordered: root=5 ino=257 file_off=0 num_bytes=16384 csum_bytes=16384
Note for file offset 60K, we're inserting an file extent without any
data checksum.
Also note that range [32K, 36K) didn't reach
insert_ordered_extent_file_extent(), which is the correct behavior as
that OE is fully truncated, should not result any file extent.
Although file extent at 60K will be later dropped by btrfs_truncate(),
if the transaction got committed after file extent inserted but before
the file extent dropping, we will have a small window where we have a
file extent beyond EOF and without any data checksum.
That will cause "btrfs check" to report error.
[CAUSE]
The sequence happens like this:
- Buffered write dirtied the page cache and updated isize
Now the inode size is 64K, with the following page cache layout:
0 16K 32K 48K 64K
|/////////////| |//| |//|
- Truncate the inode to 16K
Which will trigger writeback through:
btrfs_setsize()
|- truncate_setsize()
| Now the inode size is set to 16K
|
|- btrfs_truncacte()
|- btrfs_wait_ordered_range() for [16K, u64(-1)]
|- btrfs_fdatawrite_range() for [16K, u64(-1)}
|- extent_writepage() for folio 0
|- writepage_delalloc()
| Generated OE for [0, 16K), [32K, 36K] and [60K, 64K)
|
|- extent_writepage_io()
Then inside extent_writepage_io(), the dirty fs blocks are handled
differently:
- Submit write for range [0, 16K)
As they are still inside the inode size (16K).
- Mark OE [32K, 36K) as truncated
Since we only call btrfs_lookup_first_ordered_range() once, which
returned the first OE after file offset 16K.
- Mark all OEs inside range [16K, 64K) as finished
Which will mark OE ranges [32K, 36K) and [60K, 64K) as finished.
For OE [32K, 36K) since it's already marked as truncated, and its
truncated length is 0, no file extent will be inserted.
For OE [60K, 64K) it has never been submitted thus has no data
checksum, and we insert the file extent as usual.
This is the root cause of file extent at 60K to be inserted without
any data checksum.
- Clear dirty flags for range [16K, 64K)
It is the function btrfs_folio_clear_dirty() which search and clear
any dirty blocks inside that range.
[FIX]
The bug itself is introduced a long time ago, way before subpage and
larger folio support.
At that time, fs block size must match page size, thus the range
[cur, end) is just one fs block.
But later with subpage and larger folios, the same range [cur, end)
can have multiple blocks and ordered extents.
Later commit 18de34daa7c6 ("btrfs: truncate ordered extent when skipping
writeback past i_size") is fixing a bug related to subpage/larger
folios, but it's still utilizing the old range [cur, end), meaning only
the first OE will be marked as truncated.
The proper fix here is to make EOF handling block-by-block, not trying
to handle the whole range to @end.
By this we always locate and truncate the OE for every dirty block.
Cc: stable(a)vger.kernel.org # 5.15+
Signed-off-by: Qu Wenruo <wqu(a)suse.com>
---
fs/btrfs/extent_io.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 629fd5af4286..a4b74023618d 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -1728,7 +1728,7 @@ static noinline_for_stack int extent_writepage_io(struct btrfs_inode *inode,
struct btrfs_ordered_extent *ordered;
ordered = btrfs_lookup_first_ordered_range(inode, cur,
- folio_end - cur);
+ fs_info->sectorsize);
/*
* We have just run delalloc before getting here, so
* there must be an ordered extent.
@@ -1742,7 +1742,7 @@ static noinline_for_stack int extent_writepage_io(struct btrfs_inode *inode,
btrfs_put_ordered_extent(ordered);
btrfs_mark_ordered_io_finished(inode, folio, cur,
- end - cur, true);
+ fs_info->sectorsize, true);
/*
* This range is beyond i_size, thus we don't need to
* bother writing back.
@@ -1751,8 +1751,8 @@ static noinline_for_stack int extent_writepage_io(struct btrfs_inode *inode,
* writeback the sectors with subpage dirty bits,
* causing writeback without ordered extent.
*/
- btrfs_folio_clear_dirty(fs_info, folio, cur, end - cur);
- break;
+ btrfs_folio_clear_dirty(fs_info, folio, cur, fs_info->sectorsize);
+ continue;
}
ret = submit_one_sector(inode, folio, cur, bio_ctrl, i_size);
if (unlikely(ret < 0)) {
--
2.52.0
This is the start of the stable review cycle for the 6.12.62 release.
There are 49 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Fri, 12 Dec 2025 07:29:38 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.62-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 6.12.62-rc1
Daniele Palmas <dnlplm(a)gmail.com>
bus: mhi: host: pci_generic: Add Telit FN990B40 modem support
Daniele Palmas <dnlplm(a)gmail.com>
bus: mhi: host: pci_generic: Add Telit FN920C04 modem support
Navaneeth K <knavaneeth786(a)gmail.com>
staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
Navaneeth K <knavaneeth786(a)gmail.com>
staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
Navaneeth K <knavaneeth786(a)gmail.com>
staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
Nikita Zhandarovich <n.zhandarovich(a)fintech.ru>
comedi: check device's attached status in compat ioctls
Nikita Zhandarovich <n.zhandarovich(a)fintech.ru>
comedi: multiq3: sanitize config options in multiq3_attach()
Ian Abbott <abbotti(a)mev.co.uk>
comedi: c6xdigio: Fix invalid PNP driver unregistration
Zenm Chen <zenmchen(a)gmail.com>
wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1
Zenm Chen <zenmchen(a)gmail.com>
wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1
Linus Torvalds <torvalds(a)linux-foundation.org>
samples: work around glibc redefining some of our defines wrong
Huacai Chen <chenhuacai(a)kernel.org>
LoongArch: Mask all interrupts during kexec/kdump
Naoki Ueki <naoki25519(a)gmail.com>
HID: elecom: Add support for ELECOM M-XT3URBK (018F)
Antheas Kapenekakis <lkml(a)antheas.dev>
platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally
Antheas Kapenekakis <lkml(a)antheas.dev>
platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list
Jia Ston <ston.jia(a)outlook.com>
platform/x86: huawei-wmi: add keys for HONOR models
April Grimoire <april(a)aprilg.moe>
HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list
Armin Wolf <W_Armin(a)gmx.de>
platform/x86: acer-wmi: Ignore backlight event
Praveen Talari <praveen.talari(a)oss.qualcomm.com>
pinctrl: qcom: msm: Fix deadlock in pinmux configuration
Keith Busch <kbusch(a)kernel.org>
nvme: fix admin request_queue lifetime
Mario Limonciello (AMD) <superm1(a)kernel.org>
HID: hid-input: Extend Elan ignore battery quirk to USB
Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp>
bfs: Reconstruct file type when loading from disk
Lushih Hsieh <bruce(a)mail.kh.edu.tw>
ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series
Harish Kasiviswanathan <Harish.Kasiviswanathan(a)amd.com>
drm/amdkfd: Fix GPU mappings for APU after prefetch
Yiqi Sun <sunyiqixm(a)gmail.com>
smb: fix invalid username check in smb3_fs_context_parse_param()
Max Chou <max.chou(a)realtek.com>
Bluetooth: btrtl: Avoid loading the config file on security chips
Ian Forbes <ian.forbes(a)broadcom.com>
drm/vmwgfx: Use kref in vmw_bo_dirty
Robin Gong <yibin.gong(a)nxp.com>
spi: imx: keep dma request disabled before dma transfer setup
Alvaro Gamez Machado <alvaro.gamez(a)hazent.com>
spi: xilinx: increase number of retries before declaring stall
Song Liu <song(a)kernel.org>
ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct()
Johan Hovold <johan(a)kernel.org>
USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC
Johan Hovold <johan(a)kernel.org>
USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC
Magne Bruno <magne.bruno(a)addi-data.com>
serial: add support of CPCI cards
Johan Hovold <johan(a)kernel.org>
USB: serial: ftdi_sio: match on interface number for jtag
Fabio Porcedda <fabio.porcedda(a)gmail.com>
USB: serial: option: move Telit 0x10c7 composition in the right place
Fabio Porcedda <fabio.porcedda(a)gmail.com>
USB: serial: option: add Telit Cinterion FE910C04 new compositions
Slark Xiao <slark_xiao(a)163.com>
USB: serial: option: add Foxconn T99W760
Omar Sandoval <osandov(a)fb.com>
KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced
Nikita Zhandarovich <n.zhandarovich(a)fintech.ru>
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Alexey Nepomnyashih <sdl(a)nppct.ru>
ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
Alexander Sverdlin <alexander.sverdlin(a)siemens.com>
locking/spinlock/debug: Fix data-race in do_raw_write_lock
Qianchang Zhao <pioooooooooip(a)gmail.com>
ksmbd: ipc: fix use-after-free in ipc_msg_send_request
Deepanshu Kartikey <kartikey406(a)gmail.com>
ext4: refresh inline data size before write operations
Ye Bin <yebin10(a)huawei.com>
jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
Bagas Sanjaya <bagasdotme(a)gmail.com>
Documentation: process: Also mention Sasha Levin as stable tree maintainer
Sabrina Dubroca <sd(a)queasysnail.net>
xfrm: flush all states in xfrm_state_fini
Sabrina Dubroca <sd(a)queasysnail.net>
xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added
Sabrina Dubroca <sd(a)queasysnail.net>
Revert "xfrm: destroy xfrm_state synchronously on net exit path"
Sabrina Dubroca <sd(a)queasysnail.net>
xfrm: delete x->tunnel as we delete x
-------------
Diffstat:
Documentation/process/2.Process.rst | 6 ++-
Makefile | 4 +-
arch/loongarch/kernel/machine_kexec.c | 2 +
arch/x86/include/asm/kvm_host.h | 9 ++++
arch/x86/kvm/svm/svm.c | 24 +++++----
arch/x86/kvm/x86.c | 21 ++++++++
drivers/bluetooth/btrtl.c | 24 +++++----
drivers/bus/mhi/host/pci_generic.c | 52 +++++++++++++++++++
drivers/comedi/comedi_fops.c | 42 ++++++++++++---
drivers/comedi/drivers/c6xdigio.c | 46 ++++++++++++----
drivers/comedi/drivers/multiq3.c | 9 ++++
drivers/comedi/drivers/pcl818.c | 5 +-
drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 +
drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 12 ++---
drivers/hid/hid-apple.c | 1 +
drivers/hid/hid-elecom.c | 6 ++-
drivers/hid/hid-ids.h | 3 +-
drivers/hid/hid-input.c | 5 +-
drivers/hid/hid-quirks.c | 3 +-
drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 ++
drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 +
drivers/nvme/host/core.c | 3 +-
drivers/pinctrl/qcom/pinctrl-msm.c | 2 +-
drivers/platform/x86/acer-wmi.c | 4 ++
drivers/platform/x86/amd/pmc/pmc-quirks.c | 25 +++++++++
drivers/platform/x86/huawei-wmi.c | 4 ++
drivers/spi/spi-imx.c | 15 ++++--
drivers/spi/spi-xilinx.c | 2 +-
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 ++---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 13 +++--
drivers/tty/serial/8250/8250_pci.c | 37 +++++++++++++
drivers/usb/serial/belkin_sa.c | 28 ++++++----
drivers/usb/serial/ftdi_sio.c | 72 +++++++++-----------------
drivers/usb/serial/kobil_sct.c | 18 +++----
drivers/usb/serial/option.c | 22 ++++++--
fs/bfs/inode.c | 19 ++++++-
fs/ext4/inline.c | 14 ++++-
fs/jbd2/transaction.c | 19 +++++--
fs/smb/client/fs_context.c | 2 +-
fs/smb/server/transport_ipc.c | 7 ++-
include/net/xfrm.h | 13 ++---
kernel/locking/spinlock_debug.c | 4 +-
kernel/trace/ftrace.c | 40 ++++++++++----
net/ipv4/ipcomp.c | 2 +
net/ipv6/ipcomp6.c | 2 +
net/ipv6/xfrm6_tunnel.c | 2 +-
net/key/af_key.c | 2 +-
net/xfrm/xfrm_ipcomp.c | 1 -
net/xfrm/xfrm_state.c | 41 ++++++---------
net/xfrm/xfrm_user.c | 2 +-
samples/vfs/test-statx.c | 6 +++
samples/watch_queue/watch_test.c | 6 +++
sound/usb/quirks.c | 6 +++
53 files changed, 521 insertions(+), 207 deletions(-)
Since we recently started warning about uses of this function after the
atomic check phase completes, we've started getting warnings about this in
nouveau. It appears a misplaced drm_atomic_get_crtc_state() call has been
hiding in our .prepare_fb callback for a while.
So, fix this by adding a new nv50_head_atom_get_new() function and use that
in our .prepare_fb callback instead.
Signed-off-by: Lyude Paul <lyude(a)redhat.com>
Fixes: 1590700d94ac ("drm/nouveau/kms/nv50-: split each resource type into their own source files")
Cc: <stable(a)vger.kernel.org> # v4.18+
Signed-off-by: Lyude Paul <lyude(a)redhat.com>
---
drivers/gpu/drm/nouveau/dispnv50/atom.h | 13 +++++++++++++
drivers/gpu/drm/nouveau/dispnv50/wndw.c | 2 +-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/dispnv50/atom.h b/drivers/gpu/drm/nouveau/dispnv50/atom.h
index 93f8f4f645784..85b7cf70d13c4 100644
--- a/drivers/gpu/drm/nouveau/dispnv50/atom.h
+++ b/drivers/gpu/drm/nouveau/dispnv50/atom.h
@@ -152,8 +152,21 @@ static inline struct nv50_head_atom *
nv50_head_atom_get(struct drm_atomic_state *state, struct drm_crtc *crtc)
{
struct drm_crtc_state *statec = drm_atomic_get_crtc_state(state, crtc);
+
if (IS_ERR(statec))
return (void *)statec;
+
+ return nv50_head_atom(statec);
+}
+
+static inline struct nv50_head_atom *
+nv50_head_atom_get_new(struct drm_atomic_state *state, struct drm_crtc *crtc)
+{
+ struct drm_crtc_state *statec = drm_atomic_get_new_crtc_state(state, crtc);
+
+ if (IS_ERR(statec))
+ return (void*)statec;
+
return nv50_head_atom(statec);
}
diff --git a/drivers/gpu/drm/nouveau/dispnv50/wndw.c b/drivers/gpu/drm/nouveau/dispnv50/wndw.c
index ef9e410babbfb..9a2c20fce0f3e 100644
--- a/drivers/gpu/drm/nouveau/dispnv50/wndw.c
+++ b/drivers/gpu/drm/nouveau/dispnv50/wndw.c
@@ -583,7 +583,7 @@ nv50_wndw_prepare_fb(struct drm_plane *plane, struct drm_plane_state *state)
asyw->image.offset[0] = nvbo->offset;
if (wndw->func->prepare) {
- asyh = nv50_head_atom_get(asyw->state.state, asyw->state.crtc);
+ asyh = nv50_head_atom_get_new(asyw->state.state, asyw->state.crtc);
if (IS_ERR(asyh))
return PTR_ERR(asyh);
--
2.52.0
__pci_read_base() sets resource start and end addresses when resource
is larger than 4G but pci_bus_addr_t or resource_size_t are not capable
of representing 64-bit PCI addresses. This creates a problematic
resource that has non-zero flags but the start and end addresses do not
yield to resource size of 0 but 1.
Replace custom resource addresses setup with resource_set_range()
that correctly sets end address as -1 which results in resource_size()
returning 0.
For consistency, also use resource_set_range() in the other branch that
does size based resource setup.
Fixes: 23b13bc76f35 ("PCI: Fail safely if we can't handle BARs larger than 4GB")
Link: https://lore.kernel.org/all/20251207215359.28895-1-ansuelsmth@gmail.com/T/#…
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com>
Cc: stable(a)vger.kernel.org
Cc: Christian Marangi <ansuelsmth(a)gmail.com>
---
drivers/pci/probe.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 124d2d309c58..b8294a2f11f9 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -287,8 +287,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
if ((sizeof(pci_bus_addr_t) < 8 || sizeof(resource_size_t) < 8)
&& sz64 > 0x100000000ULL) {
res->flags |= IORESOURCE_UNSET | IORESOURCE_DISABLED;
- res->start = 0;
- res->end = 0;
+ resource_set_range(res, 0, 0);
pci_err(dev, "%s: can't handle BAR larger than 4GB (size %#010llx)\n",
res_name, (unsigned long long)sz64);
goto out;
@@ -297,8 +296,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
if ((sizeof(pci_bus_addr_t) < 8) && l) {
/* Above 32-bit boundary; try to reallocate */
res->flags |= IORESOURCE_UNSET;
- res->start = 0;
- res->end = sz64 - 1;
+ resource_set_range(res, 0, sz64);
pci_info(dev, "%s: can't handle BAR above 4GB (bus address %#010llx)\n",
res_name, (unsigned long long)l64);
goto out;
base-commit: 43dfc13ca972988e620a6edb72956981b75ab6b0
--
2.39.5
¿Cuánto cuesta una mala contratación?
body {
margin: 0;
padding: 0;
font-family: Arial, Helvetica, sans-serif;
font-size: 14px;
color: #333;
background-color: #ffffff;
}
table {
border-spacing: 0;
width: 100%;
max-width: 600px;
margin: auto;
}
td {
padding: 12px 20px;
}
a {
color: #1a73e8;
text-decoration: none;
}
.footer {
font-size: 12px;
color: #888888;
text-align: center;
}
Una mala contratación cuesta 3X el salario. Evítalo con datos, no percepciones.
Hola, ,
¿Sabías que una mala contratación cuesta hasta 3 veces el salario anual?
El 74% de empresas admite haber contratado a la persona equivocada. El motivo: decisiones basadas en percepciones, no en datos objetivos.
PsicoSmart te ayuda a evaluar talento con precisión:
31 pruebas psicométricas validadas para medir liderazgo, honestidad e inteligencia
2,500+ exámenes técnicos especializados por industria
Verificación de identidad con captura fotográfica automática
Resultados en minutos, accesible desde cualquier dispositivo
Reduce hasta 60% el riesgo de error en selección.
¿Quieres una demostración gratuita? Responde este correo y te contacto en menos de 24 horas.
Saludos,
--------------
Atte.: Valeria Pérez
Ciudad de México: (55) 5018 0565
WhatsApp: +52 33 1607 2089
Si no deseas recibir más correos, haz clic aquí para darte de baja.
Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewiswqtyseup">click aquí</a>