Linux-stable-mirror

linux-stable-mirror@lists.linaro.org

297 participants
124134 discussions

[PATCH 6.12 stable] pktcdvd: Handle bio_split() failure

by Haotian Zhang

The error return from bio_split() is not checked before being passed to bio_chain(), leading to a kernel panic from an invalid pointer dereference. Add a check with IS_ERR() to handle the allocation failure and prevent the crash. This patch fixes a bug in the pktcdvd driver, which was removed from the mainline kernel but still exists in stable branches. Fixes: 4b83e99ee7092 ("Revert "pktcdvd: remove driver."") Cc: stable(a)vger.kernel.org Signed-off-by: Haotian Zhang <vulab(a)iscas.ac.cn> --- drivers/block/pktcdvd.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c index 65b96c083b3c..c0999c3d167a 100644 --- a/drivers/block/pktcdvd.c +++ b/drivers/block/pktcdvd.c @@ -2466,6 +2466,8 @@ static void pkt_submit_bio(struct bio *bio) split = bio_split(bio, last_zone - bio->bi_iter.bi_sector, GFP_NOIO, &pkt_bio_set); + if (IS_ERR(split)) + goto end_io; bio_chain(split, bio); } else { split = bio; -- 2.25.1

3 months, 1 week

[PATCH v3] net/can/gs_usb: increase max interface to U8_MAX

by Celeste Liu

This issue was found by Runcheng Lu when develop HSCanT USB to CAN FD converter[1]. The original developers may have only 3 intefaces device to test so they write 3 here and wait for future change. During the HSCanT development, we actually used 4 interfaces, so the limitation of 3 is not enough now. But just increase one is not future-proofed. Since the channel type in gs_host_frame is u8, just increase interface number limit to max size of u8 safely. [1]: https://github.com/cherry-embedded/HSCanT-hardware Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") Reported-by: Runcheng Lu <runcheng.lu(a)hpmicro.com> Cc: stable(a)vger.kernel.org Signed-off-by: Celeste Liu <uwu(a)coelacanthus.name> --- Changes in v3: - Cc stable should in patch instead of cover letter. - Link to v2: https://lore.kernel.org/r/20250930-gs-usb-max-if-v2-1-2cf9a44e6861@coelacan… Changes in v2: - Use flexible array member instead of fixed array. - Link to v1: https://lore.kernel.org/r/20250929-gs-usb-max-if-v1-1-e41b5c09133a@coelacan… --- drivers/net/can/usb/gs_usb.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c index c9482d6e947b0c7b033dc4f0c35f5b111e1bfd92..69b068c8fa8fbab42337e2b0a3d0860ac678c792 100644 --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -289,11 +289,6 @@ struct gs_host_frame { #define GS_MAX_RX_URBS 30 #define GS_NAPI_WEIGHT 32 -/* Maximum number of interfaces the driver supports per device. - * Current hardware only supports 3 interfaces. The future may vary. - */ -#define GS_MAX_INTF 3 - struct gs_tx_context { struct gs_can *dev; unsigned int echo_id; @@ -324,7 +319,6 @@ struct gs_can { /* usb interface struct */ struct gs_usb { - struct gs_can *canch[GS_MAX_INTF]; struct usb_anchor rx_submitted; struct usb_device *udev; @@ -336,9 +330,11 @@ struct gs_usb { unsigned int hf_size_rx; u8 active_channels; + u8 channel_cnt; unsigned int pipe_in; unsigned int pipe_out; + struct gs_can *canch[] __counted_by(channel_cnt); }; /* 'allocate' a tx context. @@ -599,7 +595,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) } /* device reports out of range channel id */ - if (hf->channel >= GS_MAX_INTF) + if (hf->channel >= parent->channel_cnt) goto device_detach; dev = parent->canch[hf->channel]; @@ -699,7 +695,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) /* USB failure take down all interfaces */ if (rc == -ENODEV) { device_detach: - for (rc = 0; rc < GS_MAX_INTF; rc++) { + for (rc = 0; rc < parent->channel_cnt; rc++) { if (parent->canch[rc]) netif_device_detach(parent->canch[rc]->netdev); } @@ -1460,17 +1456,19 @@ static int gs_usb_probe(struct usb_interface *intf, icount = dconf.icount + 1; dev_info(&intf->dev, "Configuring for %u interfaces\n", icount); - if (icount > GS_MAX_INTF) { + if (icount > type_max(typeof(parent->channel_cnt))) { dev_err(&intf->dev, "Driver cannot handle more that %u CAN interfaces\n", - GS_MAX_INTF); + type_max(typeof(parent->channel_cnt))); return -EINVAL; } - parent = kzalloc(sizeof(*parent), GFP_KERNEL); + parent = kzalloc(struct_size(parent, canch, icount), GFP_KERNEL); if (!parent) return -ENOMEM; + parent->channel_cnt = icount; + init_usb_anchor(&parent->rx_submitted); usb_set_intfdata(intf, parent); @@ -1531,7 +1529,7 @@ static void gs_usb_disconnect(struct usb_interface *intf) return; } - for (i = 0; i < GS_MAX_INTF; i++) + for (i = 0; i < parent->channel_cnt; i++) if (parent->canch[i]) gs_destroy_candev(parent->canch[i]); --- base-commit: e5f0a698b34ed76002dc5cff3804a61c80233a7a change-id: 20250929-gs-usb-max-if-a304c83243e5 Best regards, -- Celeste Liu <uwu(a)coelacanthus.name>

3 months, 1 week

[PATCH net v2 2/2] octeontx2-pf: fix bitmap leak

by Bo Sun

The bitmap allocated with bitmap_zalloc() in otx2_probe() was not released in otx2_remove(). Unbinding and rebinding the driver therefore triggers a kmemleak warning: unreferenced object (size 8): backtrace: bitmap_zalloc otx2_probe Call bitmap_free() in the remove path to fix the leak. Fixes: efabce290151 ("octeontx2-pf: AF_XDP zero copy receive support") Cc: stable(a)vger.kernel.org Signed-off-by: Bo Sun <bo(a)mboxify.com> --- drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c index 5027fae0aa77..e808995703cf 100644 --- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c @@ -3542,6 +3542,7 @@ static void otx2_remove(struct pci_dev *pdev) otx2_disable_mbox_intr(pf); otx2_pfaf_mbox_destroy(pf); pci_free_irq_vectors(pf->pdev); + bitmap_free(pf->af_xdp_zc_qidx); pci_set_drvdata(pdev, NULL); free_netdev(netdev); } -- 2.50.1 (Apple Git-155)

3 months, 1 week

[PATCH net v2 1/2] octeontx2-vf: fix bitmap leak

by Bo Sun

The bitmap allocated with bitmap_zalloc() in otx2vf_probe() was not released in otx2vf_remove(). Unbinding and rebinding the driver therefore triggers a kmemleak warning: unreferenced object (size 8): backtrace: bitmap_zalloc otx2vf_probe Call bitmap_free() in the remove path to fix the leak. Fixes: efabce290151 ("octeontx2-pf: AF_XDP zero copy receive support") Cc: stable(a)vger.kernel.org Signed-off-by: Bo Sun <bo(a)mboxify.com> --- drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c index 7ebb6e656884..25381f079b97 100644 --- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c +++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_vf.c @@ -854,6 +854,7 @@ static void otx2vf_remove(struct pci_dev *pdev) qmem_free(vf->dev, vf->dync_lmt); otx2vf_vfaf_mbox_destroy(vf); pci_free_irq_vectors(vf->pdev); + bitmap_free(vf->af_xdp_zc_qidx); pci_set_drvdata(pdev, NULL); free_netdev(netdev); } -- 2.50.1 (Apple Git-155)

3 months, 1 week

[PATCH 1/2] octeontx2-vf: fix bitmap leak

by Bo Sun

3 months, 1 week

[PATCH v2 1/1] mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled mTHP subpage to shared zeropage

by Lance Yang

From: Lance Yang <lance.yang(a)linux.dev> When splitting an mTHP and replacing a zero-filled subpage with the shared zeropage, try_to_map_unused_to_zeropage() currently drops several important PTE bits. For userspace tools like CRIU, which rely on the soft-dirty mechanism for incremental snapshots, losing the soft-dirty bit means modified pages are missed, leading to inconsistent memory state after restore. As pointed out by David, the more critical uffd-wp bit is also dropped. This breaks the userfaultfd write-protection mechanism, causing writes to be silently missed by monitoring applications, which can lead to data corruption. Preserve both the soft-dirty and uffd-wp bits from the old PTE when creating the new zeropage mapping to ensure they are correctly tracked. Cc: <stable(a)vger.kernel.org> Fixes: b1f202060afe ("mm: remap unused subpages to shared zeropage when splitting isolated thp") Suggested-by: David Hildenbrand <david(a)redhat.com> Suggested-by: Dev Jain <dev.jain(a)arm.com> Acked-by: David Hildenbrand <david(a)redhat.com> Signed-off-by: Lance Yang <lance.yang(a)linux.dev> --- v1 -> v2: - Avoid calling ptep_get() multiple times (per Dev) - Double-check the uffd-wp bit (per David) - Collect Acked-by from David - thanks! - https://lore.kernel.org/linux-mm/20250928044855.76359-1-lance.yang@linux.de… mm/migrate.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/mm/migrate.c b/mm/migrate.c index ce83c2c3c287..50aa91d9ab4e 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -300,13 +300,14 @@ static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, unsigned long idx) { struct page *page = folio_page(folio, idx); + pte_t oldpte = ptep_get(pvmw->pte); pte_t newpte; if (PageCompound(page)) return false; VM_BUG_ON_PAGE(!PageAnon(page), page); VM_BUG_ON_PAGE(!PageLocked(page), page); - VM_BUG_ON_PAGE(pte_present(ptep_get(pvmw->pte)), page); + VM_BUG_ON_PAGE(pte_present(oldpte), page); if (folio_test_mlocked(folio) || (pvmw->vma->vm_flags & VM_LOCKED) || mm_forbids_zeropage(pvmw->vma->vm_mm)) @@ -322,6 +323,12 @@ static bool try_to_map_unused_to_zeropage(struct page_vma_mapped_walk *pvmw, newpte = pte_mkspecial(pfn_pte(my_zero_pfn(pvmw->address), pvmw->vma->vm_page_prot)); + + if (pte_swp_soft_dirty(oldpte)) + newpte = pte_mksoft_dirty(newpte); + if (pte_swp_uffd_wp(oldpte)) + newpte = pte_mkuffd_wp(newpte); + set_pte_at(pvmw->vma->vm_mm, pvmw->address, pvmw->pte, newpte); dec_mm_counter(pvmw->vma->vm_mm, mm_counter(folio)); -- 2.49.0

3 months, 1 week

inquiry

by HOME-HARDWARE

3 months, 1 week

[BUG REPORT] Incorrect adaptation of 7e49538288e5 ("loop: Avoid updating block size under exclusive owner") for stable 6.6

by yangerkun

Error path for blk_validate_block_size is wrong, we should goto unlock, or lo_mutex won't be release, and bdev will keep claimed. ... -static int loop_set_block_size(struct loop_device *lo, unsigned long arg) +static int loop_set_block_size(struct loop_device *lo, blk_mode_t mode, + struct block_device *bdev, unsigned long arg) { int err = 0; - if (lo->lo_state != Lo_bound) - return -ENXIO; + /* + * If we don't hold exclusive handle for the device, upgrade to it + * here to avoid changing device under exclusive owner. + */ + if (!(mode & BLK_OPEN_EXCL)) { + err = bd_prepare_to_claim(bdev, loop_set_block_size, NULL); + if (err) + return err; + } + + err = mutex_lock_killable(&lo->lo_mutex); + if (err) + goto abort_claim; + + if (lo->lo_state != Lo_bound) { + err = -ENXIO; + goto unlock; + } err = blk_validate_block_size(arg); if (err) return err; ^^^^^^^^^^^^^ should goto unlock if (lo->lo_queue->limits.logical_block_size == arg) - return 0; + goto unlock; sync_blockdev(lo->lo_device); invalidate_bdev(lo->lo_device); blk_mq_freeze_queue(lo->lo_queue); blk_queue_logical_block_size(lo->lo_queue, arg); blk_queue_physical_block_size(lo->lo_queue, arg); blk_queue_io_min(lo->lo_queue, arg); loop_update_dio(lo); blk_mq_unfreeze_queue(lo->lo_queue); +unlock: + mutex_unlock(&lo->lo_mutex); +abort_claim: + if (!(mode & BLK_OPEN_EXCL)) + bd_abort_claiming(bdev, loop_set_block_size); return err; }

3 months, 1 week

[PATCH v2] net/can/gs_usb: increase max interface to U8_MAX

by Celeste Liu

This issue was found by Runcheng Lu when develop HSCanT USB to CAN FD converter[1]. The original developers may have only 3 intefaces device to test so they write 3 here and wait for future change. During the HSCanT development, we actually used 4 interfaces, so the limitation of 3 is not enough now. But just increase one is not future-proofed. Since the channel type in gs_host_frame is u8, just increase interface number limit to max size of u8 safely. [1]: https://github.com/cherry-embedded/HSCanT-hardware Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") Reported-by: Runcheng Lu <runcheng.lu(a)hpmicro.com> Signed-off-by: Celeste Liu <uwu(a)coelacanthus.name> --- Changes in v2: - Use flexible array member instead of fixed array. - Link to v1: https://lore.kernel.org/r/20250929-gs-usb-max-if-v1-1-e41b5c09133a@coelacan… --- drivers/net/can/usb/gs_usb.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c index c9482d6e947b0c7b033dc4f0c35f5b111e1bfd92..69b068c8fa8fbab42337e2b0a3d0860ac678c792 100644 --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -289,11 +289,6 @@ struct gs_host_frame { #define GS_MAX_RX_URBS 30 #define GS_NAPI_WEIGHT 32 -/* Maximum number of interfaces the driver supports per device. - * Current hardware only supports 3 interfaces. The future may vary. - */ -#define GS_MAX_INTF 3 - struct gs_tx_context { struct gs_can *dev; unsigned int echo_id; @@ -324,7 +319,6 @@ struct gs_can { /* usb interface struct */ struct gs_usb { - struct gs_can *canch[GS_MAX_INTF]; struct usb_anchor rx_submitted; struct usb_device *udev; @@ -336,9 +330,11 @@ struct gs_usb { unsigned int hf_size_rx; u8 active_channels; + u8 channel_cnt; unsigned int pipe_in; unsigned int pipe_out; + struct gs_can *canch[] __counted_by(channel_cnt); }; /* 'allocate' a tx context. @@ -599,7 +595,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) } /* device reports out of range channel id */ - if (hf->channel >= GS_MAX_INTF) + if (hf->channel >= parent->channel_cnt) goto device_detach; dev = parent->canch[hf->channel]; @@ -699,7 +695,7 @@ static void gs_usb_receive_bulk_callback(struct urb *urb) /* USB failure take down all interfaces */ if (rc == -ENODEV) { device_detach: - for (rc = 0; rc < GS_MAX_INTF; rc++) { + for (rc = 0; rc < parent->channel_cnt; rc++) { if (parent->canch[rc]) netif_device_detach(parent->canch[rc]->netdev); } @@ -1460,17 +1456,19 @@ static int gs_usb_probe(struct usb_interface *intf, icount = dconf.icount + 1; dev_info(&intf->dev, "Configuring for %u interfaces\n", icount); - if (icount > GS_MAX_INTF) { + if (icount > type_max(typeof(parent->channel_cnt))) { dev_err(&intf->dev, "Driver cannot handle more that %u CAN interfaces\n", - GS_MAX_INTF); + type_max(typeof(parent->channel_cnt))); return -EINVAL; } - parent = kzalloc(sizeof(*parent), GFP_KERNEL); + parent = kzalloc(struct_size(parent, canch, icount), GFP_KERNEL); if (!parent) return -ENOMEM; + parent->channel_cnt = icount; + init_usb_anchor(&parent->rx_submitted); usb_set_intfdata(intf, parent); @@ -1531,7 +1529,7 @@ static void gs_usb_disconnect(struct usb_interface *intf) return; } - for (i = 0; i < GS_MAX_INTF; i++) + for (i = 0; i < parent->channel_cnt; i++) if (parent->canch[i]) gs_destroy_candev(parent->canch[i]); --- base-commit: e5f0a698b34ed76002dc5cff3804a61c80233a7a change-id: 20250929-gs-usb-max-if-a304c83243e5 Best regards, -- Celeste Liu <uwu(a)coelacanthus.name>

3 months, 1 week

[PATCH AUTOSEL 6.16-6.12] netfs: Prevent duplicate unlocking

by Sasha Levin

From: Lizhi Xu <lizhi.xu(a)windriver.com> [ Upstream commit 66d938e89e940e512f4c3deac938ecef399c13f9 ] The filio lock has been released here, so there is no need to jump to error_folio_unlock to release it again. Reported-by: syzbot+b73c7d94a151e2ee1e9b(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=b73c7d94a151e2ee1e9b Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Acked-by: David Howells <dhowells(a)redhat.com> Reviewed-by: Paulo Alcantara (Red Hat) <pc(a)manguebit.org> Signed-off-by: Christian Brauner <brauner(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: Based on my comprehensive investigation, here is my analysis: ## Backport Decision: **YES** ### Detailed Analysis #### Bug Description This commit fixes a **critical double-unlock bug** in the netfs (Network Filesystem Library) buffered write path. The bug was introduced in commit 8f52de0077ba3b (v6.12-rc1) during a performance optimization refactoring. **The specific bug**: In the `flush_content` error path at fs/netfs/buffered_write.c:346, the code unlocks and releases a folio, then on line 350, if `filemap_write_and_wait_range()` fails, it jumps to `error_folio_unlock` which attempts to unlock the **already unlocked** folio again (line 407). ```c flush_content: folio_unlock(folio); // First unlock - line 346 folio_put(folio); ret = filemap_write_and_wait_range(...); if (ret < 0) goto error_folio_unlock; // BUG: jumps to unlock again! ``` **The fix**: Changes line 350 from `goto error_folio_unlock` to `goto out`, correctly bypassing the duplicate unlock. #### Severity Assessment: **HIGH** 1. **Impact**: - With `CONFIG_DEBUG_VM=y`: Immediate kernel panic via `VM_BUG_ON_FOLIO()` at mm/filemap.c:1498 - With `CONFIG_DEBUG_VM=n`: Silent memory corruption, undefined behavior, potential use-after-free - Affects **all network filesystems**: 9p, AFS, Ceph, NFS, SMB/CIFS 2. **Syzbot Evidence**: - Bug ID: syzbot+b73c7d94a151e2ee1e9b(a)syzkaller.appspotmail.com - Title: "kernel BUG in netfs_perform_write" - **17 crash instances** recorded - Reproducers available (both C and syz formats) - Affected multiple kernel versions (5.4, 5.10, 5.15, 6.1, 6.12) 3. **Triggering Conditions** (Moderate likelihood): - Network filesystem write operation - Incompatible write scenario (netfs_group mismatch or streaming write conflict) - I/O error from `filemap_write_and_wait_range()` (network failure, memory pressure, etc.) #### Backport Criteria Evaluation ✅ **Fixes important bug affecting users**: Yes - causes kernel panics and potential memory corruption for all network filesystem users ✅ **Small and contained fix**: Yes - **single line change**, minimal code modification ✅ **No architectural changes**: Yes - simple error path correction ✅ **Minimal regression risk**: Yes - obviously correct fix, well- reviewed (Acked-by David Howells, Reviewed-by Paulo Alcantara) ✅ **Confined to subsystem**: Yes - only touches netfs buffered write error path ✅ **Well-tested**: Yes - syzbot has reproducers, 17 crash instances documented #### Affected Stable Trees **Bug introduced**: v6.12-rc1 (commit 8f52de0077ba3b) **Bug fixed**: v6.17 (commit 66d938e89e940) **Vulnerable stable kernels**: 6.12.x, 6.13.x, 6.14.x, 6.15.x, 6.16.x #### Missing Metadata (Should be added) The commit is **missing critical stable backport tags**: - No `Fixes: 8f52de0077ba3b ("netfs: Reduce number of conditional branches in netfs_perform_write()")` - No `Cc: stable(a)vger.kernel.org` This appears to be an oversight, as the fix clearly qualifies for stable backporting. ### Conclusion **Strong YES for backporting**. This is a textbook stable tree candidate: - Fixes a serious kernel panic/memory corruption bug - One-line change with zero regression risk - Affects production users of network filesystems - Well-tested with reproducers - Reviewed and acked by subsystem maintainers The fix should be backported to **all stable kernels containing commit 8f52de0077ba3b** (6.12+). fs/netfs/buffered_write.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c index f27ea5099a681..09394ac2c180d 100644 --- a/fs/netfs/buffered_write.c +++ b/fs/netfs/buffered_write.c @@ -347,7 +347,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter, folio_put(folio); ret = filemap_write_and_wait_range(mapping, fpos, fpos + flen - 1); if (ret < 0) - goto error_folio_unlock; + goto out; continue; copied: -- 2.51.0

3 months, 1 week

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror