- Linux-stable-mirror - lists.linaro.org

[PATCH v10 1/3] scsi: sd: Fix build warning in sd_revalidate_disk()

by Abinash Singh

A build warning was triggered due to excessive stack usage in sd_revalidate_disk(): drivers/scsi/sd.c: In function ‘sd_revalidate_disk.isra’: drivers/scsi/sd.c:3824:1: warning: the frame size of 1160 bytes is larger than 1024 bytes [-Wframe-larger-than=] This is caused by a large local struct queue_limits (~400B) allocated on the stack. Replacing it with a heap allocation using kmalloc() significantly reduces frame usage. Kernel stack is limited (~8 KB), and allocating large structs on the stack is discouraged. As the function already performs heap allocations (e.g. for buffer), this change fits well. Fixes: 804e498e0496 ("sd: convert to the atomic queue limits API") Cc: stable(a)vger.kernel.org Reviewed-by: Bart Van Assche <bvanassche(a)acm.org> Signed-off-by: Abinash Singh <abinashsinghlalotra(a)gmail.com> --- drivers/scsi/sd.c | 50 ++++++++++++++++++++++++++--------------------- 1 file changed, 28 insertions(+), 22 deletions(-) diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 5b8668accf8e..bf12e23f1212 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -3696,10 +3696,10 @@ static int sd_revalidate_disk(struct gendisk *disk) struct scsi_disk *sdkp = scsi_disk(disk); struct scsi_device *sdp = sdkp->device; sector_t old_capacity = sdkp->capacity; - struct queue_limits lim; - unsigned char *buffer; + struct queue_limits *lim = NULL; + unsigned char *buffer = NULL; unsigned int dev_max; - int err; + int err = 0; SCSI_LOG_HLQUEUE(3, sd_printk(KERN_INFO, sdkp, "sd_revalidate_disk\n")); @@ -3711,6 +3711,10 @@ static int sd_revalidate_disk(struct gendisk *disk) if (!scsi_device_online(sdp)) goto out; + lim = kmalloc(sizeof(*lim), GFP_KERNEL); + if (!lim) + goto out; + buffer = kmalloc(SD_BUF_SIZE, GFP_KERNEL); if (!buffer) { sd_printk(KERN_WARNING, sdkp, "sd_revalidate_disk: Memory " @@ -3720,14 +3724,14 @@ static int sd_revalidate_disk(struct gendisk *disk) sd_spinup_disk(sdkp); - lim = queue_limits_start_update(sdkp->disk->queue); + *lim = queue_limits_start_update(sdkp->disk->queue); /* * Without media there is no reason to ask; moreover, some devices * react badly if we do. */ if (sdkp->media_present) { - sd_read_capacity(sdkp, &lim, buffer); + sd_read_capacity(sdkp, lim, buffer); /* * Some USB/UAS devices return generic values for mode pages * until the media has been accessed. Trigger a READ operation @@ -3741,17 +3745,17 @@ static int sd_revalidate_disk(struct gendisk *disk) * cause this to be updated correctly and any device which * doesn't support it should be treated as rotational. */ - lim.features |= (BLK_FEAT_ROTATIONAL | BLK_FEAT_ADD_RANDOM); + lim->features |= (BLK_FEAT_ROTATIONAL | BLK_FEAT_ADD_RANDOM); if (scsi_device_supports_vpd(sdp)) { sd_read_block_provisioning(sdkp); - sd_read_block_limits(sdkp, &lim); + sd_read_block_limits(sdkp, lim); sd_read_block_limits_ext(sdkp); - sd_read_block_characteristics(sdkp, &lim); - sd_zbc_read_zones(sdkp, &lim, buffer); + sd_read_block_characteristics(sdkp, lim); + sd_zbc_read_zones(sdkp, lim, buffer); } - sd_config_discard(sdkp, &lim, sd_discard_mode(sdkp)); + sd_config_discard(sdkp, lim, sd_discard_mode(sdkp)); sd_print_capacity(sdkp, old_capacity); @@ -3761,47 +3765,46 @@ static int sd_revalidate_disk(struct gendisk *disk) sd_read_app_tag_own(sdkp, buffer); sd_read_write_same(sdkp, buffer); sd_read_security(sdkp, buffer); - sd_config_protection(sdkp, &lim); + sd_config_protection(sdkp, lim); } /* * We now have all cache related info, determine how we deal * with flush requests. */ - sd_set_flush_flag(sdkp, &lim); + sd_set_flush_flag(sdkp, lim); /* Initial block count limit based on CDB TRANSFER LENGTH field size. */ dev_max = sdp->use_16_for_rw ? SD_MAX_XFER_BLOCKS : SD_DEF_XFER_BLOCKS; /* Some devices report a maximum block count for READ/WRITE requests. */ dev_max = min_not_zero(dev_max, sdkp->max_xfer_blocks); - lim.max_dev_sectors = logical_to_sectors(sdp, dev_max); + lim->max_dev_sectors = logical_to_sectors(sdp, dev_max); if (sd_validate_min_xfer_size(sdkp)) - lim.io_min = logical_to_bytes(sdp, sdkp->min_xfer_blocks); + lim->io_min = logical_to_bytes(sdp, sdkp->min_xfer_blocks); else - lim.io_min = 0; + lim->io_min = 0; /* * Limit default to SCSI host optimal sector limit if set. There may be * an impact on performance for when the size of a request exceeds this * host limit. */ - lim.io_opt = sdp->host->opt_sectors << SECTOR_SHIFT; + lim->io_opt = sdp->host->opt_sectors << SECTOR_SHIFT; if (sd_validate_opt_xfer_size(sdkp, dev_max)) { - lim.io_opt = min_not_zero(lim.io_opt, + lim->io_opt = min_not_zero(lim->io_opt, logical_to_bytes(sdp, sdkp->opt_xfer_blocks)); } sdkp->first_scan = 0; set_capacity_and_notify(disk, logical_to_sectors(sdp, sdkp->capacity)); - sd_config_write_same(sdkp, &lim); - kfree(buffer); + sd_config_write_same(sdkp, lim); - err = queue_limits_commit_update_frozen(sdkp->disk->queue, &lim); + err = queue_limits_commit_update_frozen(sdkp->disk->queue, lim); if (err) - return err; + goto out; /* * Query concurrent positioning ranges after @@ -3820,7 +3823,10 @@ static int sd_revalidate_disk(struct gendisk *disk) set_capacity_and_notify(disk, 0); out: - return 0; + kfree(buffer); + kfree(lim); + + return err; } /** -- 2.43.0

1 week, 2 days

2
1
0 0

[PATCH net] net: mana: Remove redundant netdev_lock_ops_to_full() calls

by Saurabh Sengar

NET_SHAPER is always selected for MANA driver. When NET_SHAPER is enabled, netdev_lock_ops_to_full() reduces effectively to only an assert for lock, which is always held in the path when NET_SHAPER is enabled. Remove the redundant netdev_lock_ops_to_full() call. Fixes: d5c8f0e4e0cb ("net: mana: Fix potential deadlocks in mana napi ops") Cc: stable(a)vger.kernel.org Signed-off-by: Saurabh Sengar <ssengar(a)linux.microsoft.com> --- drivers/net/ethernet/microsoft/mana/mana_en.c | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c index 550843e2164b..f0dbf4e82e0b 100644 --- a/drivers/net/ethernet/microsoft/mana/mana_en.c +++ b/drivers/net/ethernet/microsoft/mana/mana_en.c @@ -2100,10 +2100,8 @@ static void mana_destroy_txq(struct mana_port_context *apc) napi = &apc->tx_qp[i].tx_cq.napi; if (apc->tx_qp[i].txq.napi_initialized) { napi_synchronize(napi); - netdev_lock_ops_to_full(napi->dev); napi_disable_locked(napi); netif_napi_del_locked(napi); - netdev_unlock_full_to_ops(napi->dev); apc->tx_qp[i].txq.napi_initialized = false; } mana_destroy_wq_obj(apc, GDMA_SQ, apc->tx_qp[i].tx_object); @@ -2256,10 +2254,8 @@ static int mana_create_txq(struct mana_port_context *apc, mana_create_txq_debugfs(apc, i); set_bit(NAPI_STATE_NO_BUSY_POLL, &cq->napi.state); - netdev_lock_ops_to_full(net); netif_napi_add_locked(net, &cq->napi, mana_poll); napi_enable_locked(&cq->napi); - netdev_unlock_full_to_ops(net); txq->napi_initialized = true; mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT); @@ -2295,10 +2291,8 @@ static void mana_destroy_rxq(struct mana_port_context *apc, if (napi_initialized) { napi_synchronize(napi); - netdev_lock_ops_to_full(napi->dev); napi_disable_locked(napi); netif_napi_del_locked(napi); - netdev_unlock_full_to_ops(napi->dev); } xdp_rxq_info_unreg(&rxq->xdp_rxq); @@ -2549,18 +2543,14 @@ static struct mana_rxq *mana_create_rxq(struct mana_port_context *apc, gc->cq_table[cq->gdma_id] = cq->gdma_cq; - netdev_lock_ops_to_full(ndev); netif_napi_add_weight_locked(ndev, &cq->napi, mana_poll, 1); - netdev_unlock_full_to_ops(ndev); WARN_ON(xdp_rxq_info_reg(&rxq->xdp_rxq, ndev, rxq_idx, cq->napi.napi_id)); WARN_ON(xdp_rxq_info_reg_mem_model(&rxq->xdp_rxq, MEM_TYPE_PAGE_POOL, rxq->page_pool)); - netdev_lock_ops_to_full(ndev); napi_enable_locked(&cq->napi); - netdev_unlock_full_to_ops(ndev); mana_gd_ring_cq(cq->gdma_cq, SET_ARM_BIT); out: -- 2.43.0

1 week, 2 days

3
2
0 0

[PATCH 5.15.y] wifi: mac80211: check basic rates validity in sta_link_apply_parameters

by Hanne-Lotta Mäenpää

From: Mikhail Lobanov <m.lobanov(a)rosa.ru> [ Upstream commit 16ee3ea8faef8ff042acc15867a6c458c573de61 ] When userspace sets supported rates for a new station via NL80211_CMD_NEW_STATION, it might send a list that's empty or contains only invalid values. Currently, we process these values in sta_link_apply_parameters() without checking the result of ieee80211_parse_bitrates(), which can lead to an empty rates bitmap. A similar issue was addressed for NL80211_CMD_SET_BSS in commit ce04abc3fcc6 ("wifi: mac80211: check basic rates validity"). This patch applies the same approach in sta_link_apply_parameters() for NL80211_CMD_NEW_STATION, ensuring there is at least one valid rate by inspecting the result of ieee80211_parse_bitrates(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: b95eb7f0eee4 ("wifi: cfg80211/mac80211: separate link params from station params") Signed-off-by: Mikhail Lobanov <m.lobanov(a)rosa.ru> Link: https://patch.msgid.link/20250317103139.17625-1-m.lobanov@rosa.ru Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> [ Summary of conflict resolutions: - Function ieee80211_parse_bitrates() takes channel width as its first parameter in mainline kernel version. In v5.15 the function takes the whole chandef struct as its first parameter. - The same function takes link station parameters as its last parameter, and in v5.15 they are in a struct called sta, instead of a struct called link_sta. ] Signed-off-by: Hanne-Lotta Mäenpää <hannelotta(a)gmail.com> --- net/mac80211/cfg.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 2b77cb290788..706ff67f4254 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -1658,12 +1658,13 @@ static int sta_apply_parameters(struct ieee80211_local *local, return ret; } - if (params->supported_rates && params->supported_rates_len) { - ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef, - sband, params->supported_rates, - params->supported_rates_len, - &sta->sta.supp_rates[sband->band]); - } + if (params->supported_rates && + params->supported_rates_len && + !ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef, + sband, params->supported_rates, + params->supported_rates_len, + &sta->sta.supp_rates[sband->band])) + return -EINVAL; if (params->ht_capa) ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband, -- 2.50.0

1 week, 2 days

1
0
0 0

+ mm-damon-core-set-quota-charged_from-to-jiffies-at-first-charge-window.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/damon/core: set quota->charged_from to jiffies at first charge window has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-damon-core-set-quota-charged_from-to-jiffies-at-first-charge-window.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Sang-Heon Jeon <ekffu200098(a)gmail.com> Subject: mm/damon/core: set quota->charged_from to jiffies at first charge window Date: Fri, 22 Aug 2025 11:50:57 +0900 Kernel initializes the "jiffies" timer as 5 minutes below zero, as shown in include/linux/jiffies.h /* * Have the 32 bit jiffies value wrap 5 minutes after boot * so jiffies wrap bugs show up earlier. */ #define INITIAL_JIFFIES ((unsigned long)(unsigned int) (-300*HZ)) And jiffies comparison help functions cast unsigned value to signed to cover wraparound #define time_after_eq(a,b) \ (typecheck(unsigned long, a) && \ typecheck(unsigned long, b) && \ ((long)((a) - (b)) >= 0)) When quota->charged_from is initialized to 0, time_after_eq() can incorrectly return FALSE even after reset_interval has elapsed. This occurs when (jiffies - reset_interval) produces a value with MSB=1, which is interpreted as negative in signed arithmetic. This issue primarily affects 32-bit systems because: On 64-bit systems: MSB=1 values occur after ~292 million years from boot (assuming HZ=1000), almost impossible. On 32-bit systems: MSB=1 values occur during the first 5 minutes after boot, and the second half of every jiffies wraparound cycle, starting from day 25 (assuming HZ=1000) When above unexpected FALSE return from time_after_eq() occurs, the charging window will not reset. The user impact depends on esz value at that time. If esz is 0, scheme ignores configured quotas and runs without any limits. If esz is not 0, scheme stops working once the quota is exhausted. It remains until the charging window finally resets. So, change quota->charged_from to jiffies at damos_adjust_quota() when it is considered as the first charge window. By this change, we can avoid unexpected FALSE return from time_after_eq() Link: https://lkml.kernel.org/r/20250822025057.1740854-1-ekffu200098@gmail.com Fixes: 2b8a248d5873 ("mm/damon/schemes: implement size quota for schemes application speed control") # 5.16 Signed-off-by: Sang-Heon Jeon <ekffu200098(a)gmail.com> Reviewed-by: SeongJae Park <sj(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/damon/core.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/mm/damon/core.c~mm-damon-core-set-quota-charged_from-to-jiffies-at-first-charge-window +++ a/mm/damon/core.c @@ -2111,6 +2111,10 @@ static void damos_adjust_quota(struct da if (!quota->ms && !quota->sz && list_empty(&quota->goals)) return; + /* First charge window */ + if (!quota->total_charged_sz && !quota->charged_from) + quota->charged_from = jiffies; + /* New charge window starts */ if (time_after_eq(jiffies, quota->charged_from + msecs_to_jiffies(quota->reset_interval))) { _ Patches currently in -mm which might be from ekffu200098(a)gmail.com are mm-damon-core-set-quota-charged_from-to-jiffies-at-first-charge-window.patch mm-damon-update-expired-description-of-damos_action.patch docs-mm-damon-design-fix-typo-s-sz_trtied-sz_tried.patch selftests-damon-test-no-op-commit-broke-damon-status.patch selftests-damon-test-no-op-commit-broke-damon-status-fix.patch mm-damon-tests-core-kunit-add-damos_commit_filter-test.patch

1 week, 2 days

1
0
0 0

+ mm-hugetlb-add-missing-hugetlb_lock-in-__unmap_hugepage_range.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm/hugetlb: add missing hugetlb_lock in __unmap_hugepage_range() has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-hugetlb-add-missing-hugetlb_lock-in-__unmap_hugepage_range.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Jeongjun Park <aha310510(a)gmail.com> Subject: mm/hugetlb: add missing hugetlb_lock in __unmap_hugepage_range() Date: Sun, 24 Aug 2025 03:21:15 +0900 When restoring a reservation for an anonymous page, we need to check to freeing a surplus. However, __unmap_hugepage_range() causes data race because it reads h->surplus_huge_pages without the protection of hugetlb_lock. And adjust_reservation is a boolean variable that indicates whether reservations for anonymous pages in each folio should be restored. Therefore, it should be initialized to false for each round of the loop. However, this variable is not initialized to false except when defining the current adjust_reservation variable. This means that once adjust_reservation is set to true even once within the loop, reservations for anonymous pages will be restored unconditionally in all subsequent rounds, regardless of the folio's state. To fix this, we need to add the missing hugetlb_lock, unlock the page_table_lock earlier so that we don't lock the hugetlb_lock inside the page_table_lock lock, and initialize adjust_reservation to false on each round within the loop. Link: https://lkml.kernel.org/r/20250823182115.1193563-1-aha310510@gmail.com Fixes: df7a6d1f6405 ("mm/hugetlb: restore the reservation if needed") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> Reported-by: syzbot+417aeb05fd190f3a6da9(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=417aeb05fd190f3a6da9 Cc: Breno Leitao <leitao(a)debian.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Muchun Song <muchun.song(a)linux.dev> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/hugetlb.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) --- a/mm/hugetlb.c~mm-hugetlb-add-missing-hugetlb_lock-in-__unmap_hugepage_range +++ a/mm/hugetlb.c @@ -5851,7 +5851,7 @@ void __unmap_hugepage_range(struct mmu_g spinlock_t *ptl; struct hstate *h = hstate_vma(vma); unsigned long sz = huge_page_size(h); - bool adjust_reservation = false; + bool adjust_reservation; unsigned long last_addr_mask; bool force_flush = false; @@ -5944,6 +5944,7 @@ void __unmap_hugepage_range(struct mmu_g sz); hugetlb_count_sub(pages_per_huge_page(h), mm); hugetlb_remove_rmap(folio); + spin_unlock(ptl); /* * Restore the reservation for anonymous page, otherwise the @@ -5951,14 +5952,16 @@ void __unmap_hugepage_range(struct mmu_g * If there we are freeing a surplus, do not set the restore * reservation bit. */ + adjust_reservation = false; + + spin_lock_irq(&hugetlb_lock); if (!h->surplus_huge_pages && __vma_private_lock(vma) && folio_test_anon(folio)) { folio_set_hugetlb_restore_reserve(folio); /* Reservation to be adjusted after the spin lock */ adjust_reservation = true; } - - spin_unlock(ptl); + spin_unlock_irq(&hugetlb_lock); /* * Adjust the reservation for the region that will have the _ Patches currently in -mm which might be from aha310510(a)gmail.com are mm-hugetlb-add-missing-hugetlb_lock-in-__unmap_hugepage_range.patch

1 week, 2 days

1
0
0 0

+ kexec-arm64-initialize-the-random-field-of-kbuf-to-zero-in-the-image-loader.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: kexec/arm64: initialize the random field of kbuf to zero in the image loader has been added to the -mm mm-hotfixes-unstable branch. Its filename is kexec-arm64-initialize-the-random-field-of-kbuf-to-zero-in-the-image-loader.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Breno Leitao <leitao(a)debian.org> Subject: kexec/arm64: initialize the random field of kbuf to zero in the image loader Date: Thu Aug 21 04:11:21 2025 -0700 Add an explicit initialization for the random member of the kbuf structure within the image_load function in arch/arm64/kernel/kexec_image.c. Setting kbuf.random to zero ensures a deterministic and clean starting state for the buffer used during kernel image loading, avoiding this UBSAN issue later, when kbuf.random is read. [ 32.362488] UBSAN: invalid-load in ./include/linux/kexec.h:210:10 [ 32.362649] load of value 252 is not a valid value for type '_Bool' Link: https://lkml.kernel.org/r/oninomspajhxp4omtdapxnckxydbk2nzmrix7rggmpukpnzad… Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly Signed-off-by: Breno Leitao <leitao(a)debian.org> Cc: Baoquan He <bhe(a)redhat.com> Cc: Coiby Xu <coxu(a)redhat.com> Cc: "Daniel P. Berrange" <berrange(a)redhat.com> Cc: Dave Hansen <dave.hansen(a)intel.com> Cc: Dave Young <dyoung(a)redhat.com> Cc: Kairui Song <ryncsn(a)gmail.com> Cc: Liu Pingfan <kernelfans(a)gmail.com> Cc: Milan Broz <gmazyland(a)gmail.com> Cc: Ondrej Kozina <okozina(a)redhat.com> Cc: Vitaly Kuznetsov <vkuznets(a)redhat.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/arm64/kernel/kexec_image.c | 1 + 1 file changed, 1 insertion(+) --- a/arch/arm64/kernel/kexec_image.c~kexec-arm64-initialize-the-random-field-of-kbuf-to-zero-in-the-image-loader +++ a/arch/arm64/kernel/kexec_image.c @@ -76,6 +76,7 @@ static void *image_load(struct kimage *i kbuf.buf_min = 0; kbuf.buf_max = ULONG_MAX; kbuf.top_down = false; + kbuf.random = 0; kbuf.buffer = kernel; kbuf.bufsz = kernel_len; _ Patches currently in -mm which might be from leitao(a)debian.org are kexec-arm64-initialize-the-random-field-of-kbuf-to-zero-in-the-image-loader.patch

1 week, 2 days

1
0
0 0

[PATCH] net/dccp: validate Reset/Close/CloseReq in DCCP_REQUESTING

by Yizhou Zhao

DCCP sockets in DCCP_REQUESTING state do not check the sequence number or acknowledgment number for incoming Reset, CloseReq, and Close packets. As a result, an attacker can send a spoofed Reset packet while the client is in the requesting state. The client will accept the packet without verification and immediately close the connection, causing a denial of service (DoS) attack. This patch moves the processing of Reset, Close, and CloseReq packets into dccp_rcv_request_sent_state_process() and validates the ack number before accepting them. This fix should apply to stable versions *only* in Linux 5.x and 6.x. Note that DCCP was removed in Linux 6.16, so this patch is only relevant for older versions. We tested it on Ubuntu 24.04 LTS (Linux 6.8) and it worked as expected. Signed-off-by: Yizhou Zhao <zhaoyz24(a)mails.tsinghua.edu.cn> Cc: stable(a)vger.kernel.org Signed-off-by: Yizhou Zhao <zhaoyz24(a)mails.tsinghua.edu.cn> --- net/dccp/input.c | 54 ++++++++++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 22 deletions(-) diff --git a/net/dccp/input.c b/net/dccp/input.c index 2cbb757a8..0b1ffb044 100644 --- a/net/dccp/input.c +++ b/net/dccp/input.c @@ -397,21 +397,22 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk, * / * Response processing continues in Step 10; Reset * processing continues in Step 9 * / */ + struct dccp_sock *dp = dccp_sk(sk); + + if (!between48(DCCP_SKB_CB(skb)->dccpd_ack_seq, + dp->dccps_awl, dp->dccps_awh)) { + dccp_pr_debug("invalid ackno: S.AWL=%llu, " + "P.ackno=%llu, S.AWH=%llu\n", + (unsigned long long)dp->dccps_awl, + (unsigned long long)DCCP_SKB_CB(skb)->dccpd_ack_seq, + (unsigned long long)dp->dccps_awh); + goto out_invalid_packet; + } + if (dh->dccph_type == DCCP_PKT_RESPONSE) { const struct inet_connection_sock *icsk = inet_csk(sk); - struct dccp_sock *dp = dccp_sk(sk); - long tstamp = dccp_timestamp(); - - if (!between48(DCCP_SKB_CB(skb)->dccpd_ack_seq, - dp->dccps_awl, dp->dccps_awh)) { - dccp_pr_debug("invalid ackno: S.AWL=%llu, " - "P.ackno=%llu, S.AWH=%llu\n", - (unsigned long long)dp->dccps_awl, - (unsigned long long)DCCP_SKB_CB(skb)->dccpd_ack_seq, - (unsigned long long)dp->dccps_awh); - goto out_invalid_packet; - } + long tstamp = dccp_timestamp(); /* * If option processing (Step 8) failed, return 1 here so that * dccp_v4_do_rcv() sends a Reset. The Reset code depends on @@ -496,6 +497,13 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk, } dccp_send_ack(sk); return -1; + } else if (dh->dccph_type == DCCP_PKT_RESET) { + dccp_rcv_reset(sk, skb); + return 0; + } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { + return dccp_rcv_closereq(sk, skb); + } else if (dh->dccph_type == DCCP_PKT_CLOSE) { + return dccp_rcv_close(sk, skb); } out_invalid_packet: @@ -658,17 +666,19 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, * Set TIMEWAIT timer * Drop packet and return */ - if (dh->dccph_type == DCCP_PKT_RESET) { - dccp_rcv_reset(sk, skb); - return 0; - } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { /* Step 13 */ - if (dccp_rcv_closereq(sk, skb)) - return 0; - goto discard; - } else if (dh->dccph_type == DCCP_PKT_CLOSE) { /* Step 14 */ - if (dccp_rcv_close(sk, skb)) + if (sk->sk_state != DCCP_REQUESTING) { + if (dh->dccph_type == DCCP_PKT_RESET) { + dccp_rcv_reset(sk, skb); return 0; - goto discard; + } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { /* Step 13 */ + if (dccp_rcv_closereq(sk, skb)) + return 0; + goto discard; + } else if (dh->dccph_type == DCCP_PKT_CLOSE) { /* Step 14 */ + if (dccp_rcv_close(sk, skb)) + return 0; + goto discard; + } } switch (sk->sk_state) { -- 2.34.1

1 week, 2 days

1
0
0 0

[PATCH] net/dccp: validate Reset/Close/CloseReq in DCCP_REQUESTING

by Yizhou Zhao

DCCP sockets in DCCP_REQUESTING state do not check the sequence number or acknowledgment number for incoming Reset, CloseReq, and Close packets. As a result, an attacker can send a spoofed Reset packet while the client is in the requesting state. The client will accept the packet without verification and immediately close the connection, causing a denial of service (DoS) attack. This patch moves the processing of Reset, Close, and CloseReq packets into dccp_rcv_request_sent_state_process() and validates the ack number before accepting them. This fix should apply to Linux 5.x and 6.x, including stable versions. Note that DCCP was removed in Linux 6.16, so this patch is only relevant for older versions. We tested it on Ubuntu 24.04 LTS (Linux 6.8) and it worked as expected. Signed-off-by: Yizhou Zhao <zhaoyz24(a)mails.tsinghua.edu.cn> Cc: stable(a)vger.kernel.org --- net/dccp/input.c | 54 ++++++++++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 22 deletions(-) diff --git a/net/dccp/input.c b/net/dccp/input.c index 2cbb757a8..0b1ffb044 100644 --- a/net/dccp/input.c +++ b/net/dccp/input.c @@ -397,21 +397,22 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk, * / * Response processing continues in Step 10; Reset * processing continues in Step 9 * / */ + struct dccp_sock *dp = dccp_sk(sk); + + if (!between48(DCCP_SKB_CB(skb)->dccpd_ack_seq, + dp->dccps_awl, dp->dccps_awh)) { + dccp_pr_debug("invalid ackno: S.AWL=%llu, " + "P.ackno=%llu, S.AWH=%llu\n", + (unsigned long long)dp->dccps_awl, + (unsigned long long)DCCP_SKB_CB(skb)->dccpd_ack_seq, + (unsigned long long)dp->dccps_awh); + goto out_invalid_packet; + } + if (dh->dccph_type == DCCP_PKT_RESPONSE) { const struct inet_connection_sock *icsk = inet_csk(sk); - struct dccp_sock *dp = dccp_sk(sk); - long tstamp = dccp_timestamp(); - - if (!between48(DCCP_SKB_CB(skb)->dccpd_ack_seq, - dp->dccps_awl, dp->dccps_awh)) { - dccp_pr_debug("invalid ackno: S.AWL=%llu, " - "P.ackno=%llu, S.AWH=%llu\n", - (unsigned long long)dp->dccps_awl, - (unsigned long long)DCCP_SKB_CB(skb)->dccpd_ack_seq, - (unsigned long long)dp->dccps_awh); - goto out_invalid_packet; - } + long tstamp = dccp_timestamp(); /* * If option processing (Step 8) failed, return 1 here so that * dccp_v4_do_rcv() sends a Reset. The Reset code depends on @@ -496,6 +497,13 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk, } dccp_send_ack(sk); return -1; + } else if (dh->dccph_type == DCCP_PKT_RESET) { + dccp_rcv_reset(sk, skb); + return 0; + } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { + return dccp_rcv_closereq(sk, skb); + } else if (dh->dccph_type == DCCP_PKT_CLOSE) { + return dccp_rcv_close(sk, skb); } out_invalid_packet: @@ -658,17 +666,19 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, * Set TIMEWAIT timer * Drop packet and return */ - if (dh->dccph_type == DCCP_PKT_RESET) { - dccp_rcv_reset(sk, skb); - return 0; - } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { /* Step 13 */ - if (dccp_rcv_closereq(sk, skb)) - return 0; - goto discard; - } else if (dh->dccph_type == DCCP_PKT_CLOSE) { /* Step 14 */ - if (dccp_rcv_close(sk, skb)) + if (sk->sk_state != DCCP_REQUESTING) { + if (dh->dccph_type == DCCP_PKT_RESET) { + dccp_rcv_reset(sk, skb); return 0; - goto discard; + } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { /* Step 13 */ + if (dccp_rcv_closereq(sk, skb)) + return 0; + goto discard; + } else if (dh->dccph_type == DCCP_PKT_CLOSE) { /* Step 14 */ + if (dccp_rcv_close(sk, skb)) + return 0; + goto discard; + } } switch (sk->sk_state) { -- 2.34.1

1 week, 2 days

2
1
0 0

[REGRESSION] IPv6 RA default router advertisement fails after kernel 6.12.42 updates

by 喵公子

Hi, While testing Linux kernel 6.12.42 on OpenWrt, we observed a regression in IPv6 Router Advertisement (RA) handling for the default router. Affected commits The following commits appear related and may have introduced the issue: ipv6: fix possible infinite loop in fib6_info_uses_dev()： https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… ipv6: prevent infinite loop in rt6_nlmsg_size()： https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… ipv6: annotate data-races around rt->fib6_nsiblings： https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=… Problem description： In Linux kernel 6.12.42, IPv6 FIB multipath and concurrent access handling was made stricter (READ_ONCE / WRITE_ONCE + RCU retry). The RA “Automatic” mode relies on checking whether a local default route exists. With the stricter FIB handling, this check can fail in multipath scenarios. As a result, RA does not advertise a default route, and IPv6 clients on LAN fail to receive the default gateway. Steps to reproduce Run OpenWrt with kernel 6.12.42 (or 6.12.43) on a router with br-lan bridge. Configure IPv6 RA in Automatic default router mode. Observe that no default route is advertised to clients (though prefixes may still be delivered). Expected behavior Router Advertisement should continue to advertise the default route as in kernel 6.12.41 and earlier. Client IPv6 connectivity should not break. Actual behavior RA fails to advertise a default route in Automatic mode. Clients do not install a default IPv6 route → connectivity fails. Temporary workaround Change RA default router mode from Automatic → Always / Use available prefixes in OpenWrt. This bypasses the dependency on local default route check and restores correct RA behavior. Additional notes This appears to be an unintended side effect of the stricter FIB handling changes introduced in 6.12.42. Please advise if this has already been reported or if I should prepare a minimal reproducer outside OpenWrt. Thanks, [GitHub: mgz0227]

1 week, 2 days

2
1
0 0

[PATCH v2] btrfs: do more strict compressed read merge check

by Qu Wenruo

[BUG] When running test case generic/457, there is a chance to hit the following error, with 64K page size and 4K btrfs block size, and "compress=zstd" mount option: FSTYP -- btrfs PLATFORM -- Linux/aarch64 btrfs-aarch64 6.17.0-rc2-custom+ #129 SMP PREEMPT_DYNAMIC Wed Aug 20 18:52:51 ACST 2025 MKFS_OPTIONS -- -s 4k /dev/mapper/test-scratch1 MOUNT_OPTIONS -- -o compress=zstd /dev/mapper/test-scratch1 /mnt/scratch generic/457 2s ... [failed, exit status 1]- output mismatch (see /home/adam/xfstests-dev/results//generic/457.out.bad) --- tests/generic/457.out 2024-04-25 18:13:45.160550980 +0930 +++ /home/adam/xfstests-dev/results//generic/457.out.bad 2025-08-22 16:09:41.039352391 +0930 @@ -1,2 +1,3 @@ QA output created by 457 -Silence is golden +testfile6 end md5sum mismatched +(see /home/adam/xfstests-dev/results//generic/457.full for details) ... (Run 'diff -u /home/adam/xfstests-dev/tests/generic/457.out /home/adam/xfstests-dev/results//generic/457.out.bad' to see the entire diff) The root problem is, after certain fsx operations the file contents change just after a mount cycle. There is a much smaller reproducer based on that test case, which I mainly used to debug the bug: workload() { mkfs.btrfs -f $dev > /dev/null dmesg -C trace-cmd clear mount -o compress=zstd $dev $mnt xfs_io -f -c "pwrite -S 0xff 0 256K" -c "sync" $mnt/base > /dev/null cp --reflink=always -p -f $mnt/base $mnt/file $fsx -N 4 -d -k -S 3746842 $mnt/file if [ $? -ne 0 ]; then echo "!!! FSX FAILURE !!!" fail fi csum_before=$(_md5_checksum $mnt/file) stop_trace umount $mnt mount $dev $mnt csum_after=$(_md5_checksum $mnt/file) umount $mnt if [ "$csum_before" != "$csum_after" ]; then echo "!!! CSUM MISMATCH !!!" fail fi } This seed value will cause 100% reproducible csum mismatch after a mount cycle. The seed value results only 2 real operations: Seed set to 3746842 main: filesystem does not support fallocate mode FALLOC_FL_UNSHARE_RANGE, disabling! main: filesystem does not support fallocate mode FALLOC_FL_COLLAPSE_RANGE, disabling! main: filesystem does not support fallocate mode FALLOC_FL_INSERT_RANGE, disabling! main: filesystem does not support exchange range, disabling! main: filesystem does not support dontcache IO, disabling! 2 clone from 0x3b000 to 0x3f000, (0x4000 bytes) at 0x1f000 3 write 0x2975b thru 0x2ba20 (0x22c6 bytes) dontcache=0 All 4 operations completed A-OK! [CAUSE] With extra debug trace_printk(), the following sequence can explain the root cause: fsx-3900290 [002] ..... 161696.160966: btrfs_submit_compressed_read: r/i=5/258 file_off=131072 em start=126976 len=16384 The "r/i" is showing the root id and the ino number. In this case, my minimal reproducer is indeed using inode 258 of subvolume 5, and that's the inode with changing contents. The above trace is from the function btrfs_submit_compressed_read(), triggered by fsx to read the folio at file offset 128K. Notice that the extent map, it's at offset 124K, with a length of 16K. This means the extent map only covers the first 12K (3 blocks) of the folio 128K. fsx-3900290 [002] ..... 161696.160969: trace_dump_cb: btrfs_submit_compressed_read, r/i=5/258 file off start=131072 len=65536 bi_size=65536 This is the line I used to dump the basic info of a bbio, which shows the bi_size is 64K, aka covering the whole 64K folio at file offset 128K. But remember, the extent map only covers 3 blocks, definitely not enough to cover the whole 64K folio at 128K file offset. kworker/u19:1-3748349 [002] ..... 161696.161154: btrfs_decompress_buf2page: r/i=5/258 file_off=131072 copy_len=4096 content=ffff kworker/u19:1-3748349 [002] ..... 161696.161155: btrfs_decompress_buf2page: r/i=5/258 file_off=135168 copy_len=4096 content=ffff kworker/u19:1-3748349 [002] ..... 161696.161156: btrfs_decompress_buf2page: r/i=5/258 file_off=139264 copy_len=4096 content=ffff kworker/u19:1-3748349 [002] ..... 161696.161157: btrfs_decompress_buf2page: r/i=5/258 file_off=143360 copy_len=4096 content=ffff The above lines show that btrfs_decompress_buf2page() called by zstd decompress code is copying the decompressed content into the filemap. But notice that, the last line is already beyond the extent map range. Furthermore, there are no more compressed content copy, as the compressed bio only has the extent map to cover the first 3 blocks (the 4th block copy is already incorrect). kworker/u19:1-3748349 [002] ..... 161696.161161: trace_dump_cb: r/i=5/258 file_pos=131072 content=ffff kworker/u19:1-3748349 [002] ..... 161696.161161: trace_dump_cb: r/i=5/258 file_pos=135168 content=ffff kworker/u19:1-3748349 [002] ..... 161696.161162: trace_dump_cb: r/i=5/258 file_pos=139264 content=ffff kworker/u19:1-3748349 [002] ..... 161696.161162: trace_dump_cb: r/i=5/258 file_pos=143360 content=ffff kworker/u19:1-3748349 [002] ..... 161696.161162: trace_dump_cb: r/i=5/258 file_pos=147456 content=0000 This is the extra dumpping of the compressed bio, after file offset 140K (143360), the content is all zero, which is incorrect. The zero is there because we didn't copy anything into the folio. The root cause of the corruption is, we are submitting a compressed read for a whole folio, but the extent map we get only covers the first 3 blocks, meaning the compressed read path is merging reads that shouldn't be merged. The involved file extents are: item 19 key (258 EXTENT_DATA 126976) itemoff 15143 itemsize 53 generation 9 type 1 (regular) extent data disk byte 13635584 nr 4096 extent data offset 110592 nr 16384 ram 131072 extent compression 3 (zstd) item 20 key (258 EXTENT_DATA 143360) itemoff 15090 itemsize 53 generation 9 type 1 (regular) extent data disk byte 13635584 nr 4096 extent data offset 12288 nr 24576 ram 131072 extent compression 3 (zstd) Note that, both extents at 124K and 140K are pointing to the same compressed extent, but with different offset. This means, we reads of range [124K, 140K) and [140K, 165K) should not be merged. But read merge check function, btrfs_bio_is_contig(), is only checking the disk_bytenr of two compressed reads, as there are not enough info like the involved extent maps to do more comprehensive checks, resulting the incorrect compressed read. Unfortunately this is a long existing bug, way before subpage block size support. But subpage block size support (and experimental large folio support) makes it much easier to detect. If block size equals page size, regular page read will only read one block each time, thus no extent map sharing nor merge. (This means for bs == ps cases, it's still possible to hit the bug with readahead, just we don't have test coverage with content verification for readahead) [FIX] Save the last hit compressed extent map start/len into btrfs_bio_ctrl, and check if the current extent map is the same as the saved one. Here we only save em::start/len to save memory for btrfs_bio_ctrl, as it's using the stack memory, which is a very limited resource inside the kernel. Since the compressed extent maps are never merged, their start/len are unique inside the same inode, thus just checking start/len will be enough to make sure they are the same extent map. If the extent maps do not match, force submitting the current bio, so that the read will never be merged. CC: stable(a)vger.kernel.org Signed-off-by: Qu Wenruo <wqu(a)suse.com> --- v2: - Only save extent_map::start/len to save memory for btrfs_bio_ctrl It's using on-stack memory which is very limited inside the kernel. - Remove the commit message mentioning of clearing last saved em Since we're using em::start/len, there is no need to clear them. Either we hit the same em::start/len, meaning hitting the same extent map, or we hit a different em, which will have a different start/len. --- fs/btrfs/extent_io.c | 52 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 0c12fd64a1f3..418e3bf40f94 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -131,6 +131,22 @@ struct btrfs_bio_ctrl { */ unsigned long submit_bitmap; struct readahead_control *ractl; + + /* + * The start/len of the last hit compressed extent map. + * + * The current btrfs_bio_is_contig() only uses disk_bytenr as + * the condition to check if the read can be merged with previous + * bio, which is not correct. E.g. two file extents pointing to the + * same extent. + * + * So here we need to do extra check to merge reads that are + * covered by the same extent map. + * Just extent_map::start/len will be enough, as they are unique + * inside the same inode. + */ + u64 last_compress_em_start; + u64 last_compress_em_len; }; /* @@ -957,6 +973,32 @@ static void btrfs_readahead_expand(struct readahead_control *ractl, readahead_expand(ractl, ra_pos, em_end - ra_pos); } +static void save_compressed_em(struct btrfs_bio_ctrl *bio_ctrl, + const struct extent_map *em) +{ + if (btrfs_extent_map_compression(em) == BTRFS_COMPRESS_NONE) + return; + bio_ctrl->last_compress_em_start = em->start; + bio_ctrl->last_compress_em_len = em->len; +} + +static bool is_same_compressed_em(struct btrfs_bio_ctrl *bio_ctrl, + const struct extent_map *em) +{ + /* + * Only if the em is completely the same as the previous one we can merge + * the current folio in the read bio. + * + * Here we only need to compare the em->start/len against saved + * last_compress_em_start/len, as start/len inside an inode are unique, + * and compressed extent maps are never merged. + */ + if (em->start != bio_ctrl->last_compress_em_start || + em->len != bio_ctrl->last_compress_em_len) + return false; + return true; +} + /* * basic readpage implementation. Locked extent state structs are inserted * into the tree that are removed when the IO is done (by the end_io @@ -1080,9 +1122,19 @@ static int btrfs_do_readpage(struct folio *folio, struct extent_map **em_cached, *prev_em_start != em->start) force_bio_submit = true; + /* + * We must ensure we only merge compressed read when the current + * extent map matches the previous one exactly. + */ + if (compress_type != BTRFS_COMPRESS_NONE) { + if (!is_same_compressed_em(bio_ctrl, em)) + force_bio_submit = true; + } + if (prev_em_start) *prev_em_start = em->start; + save_compressed_em(bio_ctrl, em); em_gen = em->generation; btrfs_free_extent_map(em); em = NULL; -- 2.50.1

1 week, 2 days

2
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror