blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#DnsBlocklists-dnsbl-block for more information. [104.64.211.4 listed in list.dnswl.org] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager -0.0 DKIMWL_WL_HIGH DKIMwl.org - High trust sender SpamTally: Final spam score: -11 From: Jens Axboe [ Upstream commit 806ae939c41e5da1d94a1e2b31f5702e96b6c3e3 ] If a send bundle has picked a bunch of buffers, then it needs to send all of those to be complete. This may require poll arming, if the send buffer ends up being full. Once a send bundle has been poll armed, no further bundles should be attempted. This allows a current bundle to complete even though it needs to go through polling to do so, but it will not allow another bundle to be started once that has happened. Ideally we would abort a bundle if it was only partially sent, but as some parts of it already went out on the wire, this obviously isn't feasible. Not continuing more bundle attempts post encountering a full socket buffer is the second best thing. Cc: stable@vger.kernel.org Fixes: a05d1f625c7a ("io_uring/net: support bundles for send") Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- io_uring/net.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/io_uring/net.c b/io_uring/net.c index 43d77f95db51d..2e21a4294407b 100644 --- a/io_uring/net.c +++ b/io_uring/net.c @@ -516,7 +516,11 @@ static inline bool io_send_finish(struct io_kiocb *req, cflags = io_put_kbufs(req, sel->val, sel->buf_list, io_bundle_nbufs(kmsg, sel->val)); - if (bundle_finished || req->flags & REQ_F_BL_EMPTY) + /* + * Don't start new bundles if the buffer list is empty, or if the + * current operation needed to go through polling to complete. + */ + if (bundle_finished || req->flags & (REQ_F_BL_EMPTY | REQ_F_POLLED)) goto finish; /* -- 2.51.0 From - Sat Feb 28 20:59:04 2026 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: Delivered-To: hi@josie.lol Received: from witcher.mxrouting.net by witcher.mxrouting.net with LMTP id QGZCNRNXo2lAPAYAYBR5ng (envelope-from ) for ; Sat, 28 Feb 2026 20:58:59 +0000 Return-path: Envelope-to: hi@josie.lol Delivery-date: Sat, 28 Feb 2026 20:59:00 +0000 Received: from sin.lore.kernel.org ([104.64.211.4]) by witcher.mxrouting.net with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.98) (envelope-from ) id 1vwROs-00000002q3q-3fPT for hi@josie.lol; Sat, 28 Feb 2026 20:58:59 +0000 Received: from smtp.subspace.kernel.org (conduit.subspace.kernel.org [100.90.174.1]) by sin.lore.kernel.org (Postfix) with ESMTP id 1E3603164D5F for ; Sat, 28 Feb 2026 19:47:24 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 4E3D536DA05; Sat, 28 Feb 2026 17:57:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="PgqvI3s4" X-Original-To: stable@vger.kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2AAFE36D9E9; Sat, 28 Feb 2026 17:57:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772301441; cv=none; b=nEUyCb40EmH4jw94i7dz+fHo9jggp89itbFfOmETu7mqRvux7I+SkITa8lrWqaEsE9L8bhEwjTDpa1xfNU5YJ03QjCNj78KQyoevfMsO20JM5icHBfGQT0SZksT5vPIQOj4fJtTAuqpsM9THt46rk+ahWKlmWlr0BdU4h2WCv0I= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772301441; c=relaxed/simple; bh=5s8BBKdf4ztkBwOi4i6eDwdPKMgB3eEiCkhMfk7U7/g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=kXLw7GemV7YnTP0OImRDGgfHnbY8a9IUM5884CM3FYhR9G3pO0npohgh5/K0l5iWK0Rpt8sXasfReVpvPcIoqcQ6JGylCKCP1wLDfPeyB2aGgQGeS36HJxhmEwHiO4EsFnpsAi138adSaKrgkkiav7UBEawTuSkzeAqmYStXfgU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=PgqvI3s4; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 397DAC2BC87; Sat, 28 Feb 2026 17:57:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1772301441; bh=5s8BBKdf4ztkBwOi4i6eDwdPKMgB3eEiCkhMfk7U7/g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PgqvI3s4uqnL3DfUfiAH4lq2UgquU02rCVyh82FY3zDXPtwSjniftHwAVF1rVQgGc OKei7XXggxwn8tlzRKTXX0C0O0eRtr2ZO/t3wbBnvbMgHVLEh2qPcslTrMGJRBWh2F jR1sIc+Z9KYPXESMRAsLJHXKpWDWlrsHKE+WMf/ACrv+BeVVpXuUU/0JCC99uF6PQu 9LgkIVz5iaepsYPKPUoZLJR5DSfwps84SmqsOBjN9ZNxgPr3Ix3g12moa8YycmvNgQ RJ/GxSKsRDWGC6QPj7eHXJl4e5cDcAg46+ZLNMmuoz0LuPneEdhSSSfv092oohpmLU oCHlaNaErxUOQ== From: Sasha Levin To: patches@lists.linux.dev Cc: Deepanshu Kartikey , syzbot+d8d4c31d40f868eaea30@syzkaller.appspotmail.com, Uladzislau Rezki , Hillf Danton , stable@vger.kernel.org, Andrew Morton , Sasha Levin Subject: [PATCH 6.18 627/752] mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node Date: Sat, 28 Feb 2026 12:45:38 -0500 Message-ID: <20260228174750.1542406-627-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260228174750.1542406-1-sashal@kernel.org> References: <20260228174750.1542406-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit X-DKIM: signer='kernel.org' status='pass' reason='' DKIMCheck: Server passes DKIM test, 0 Spam score X-Spam-Score: -1.2 (-) X-Spam-Report: Spam detection software, running on the system "witcher.mxrouting.net", has performed the tests listed below against this email. Information: https://docs.mxroute.com/docs/expert-spam-filtering.html --- Content analysis details: (-1.2 points) --- pts rule name description ---- ---------------------- ----------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: syzkaller.appspot.com] 0.0 URIBL_DBL_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to dbl.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [URIs: syzkaller.appspot.com] 0.0 RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [104.64.211.4 listed in zen.spamhaus.org] 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#DnsBlocklists-dnsbl-block for more information. [104.64.211.4 listed in list.dnswl.org] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager -0.0 DKIMWL_WL_HIGH DKIMwl.org - High trust sender SpamTally: Final spam score: -11 From: Deepanshu Kartikey [ Upstream commit 5747435e0fd474c24530ef1a6822f47e7d264b27 ] When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during vmalloc cleanup triggers expensive stack unwinding that acquires RCU read locks. Processing a large purge_list without rescheduling can cause the task to hold CPU for extended periods (10+ seconds), leading to RCU stalls and potential OOM conditions. The issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node() where iterating through hundreds or thousands of vmap_area entries and freeing their associated shadow pages causes: rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l ... task:kworker/0:17 state:R running task stack:28840 pid:6229 ... kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299 purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299 Each call to kasan_release_vmalloc() can free many pages, and with page_owner tracking, each free triggers save_stack() which performs stack unwinding under RCU read lock. Without yielding, this creates an unbounded RCU critical section. Add periodic cond_resched() calls within the loop to allow: - RCU grace periods to complete - Other tasks to run - Scheduler to preempt when needed The fix uses need_resched() for immediate response under load, with a batch count of 32 as a guaranteed upper bound to prevent worst-case stalls even under light load. Link: https://lkml.kernel.org/r/20260112103612.627247-1-kartikey406@gmail.com Signed-off-by: Deepanshu Kartikey Reported-by: syzbot+d8d4c31d40f868eaea30@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d8d4c31d40f868eaea30 Link: https://lore.kernel.org/all/20260112084723.622910-1-kartikey406@gmail.com/T/ [v1] Suggested-by: Uladzislau Rezki Reviewed-by: Uladzislau Rezki (Sony) Cc: Hillf Danton Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin --- mm/vmalloc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 4fbd6e7dc479a..e2f526ad7abba 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c @@ -2241,11 +2241,14 @@ decay_va_pool_node(struct vmap_node *vn, bool full_decay) reclaim_list_global(&decay_list); } +#define KASAN_RELEASE_BATCH_SIZE 32 + static void kasan_release_vmalloc_node(struct vmap_node *vn) { struct vmap_area *va; unsigned long start, end; + unsigned int batch_count = 0; start = list_first_entry(&vn->purge_list, struct vmap_area, list)->va_start; end = list_last_entry(&vn->purge_list, struct vmap_area, list)->va_end; @@ -2255,6 +2258,11 @@ kasan_release_vmalloc_node(struct vmap_node *vn) kasan_release_vmalloc(va->va_start, va->va_end, va->va_start, va->va_end, KASAN_VMALLOC_PAGE_RANGE); + + if (need_resched() || (++batch_count >= KASAN_RELEASE_BATCH_SIZE)) { + cond_resched(); + batch_count = 0; + } } kasan_release_vmalloc(start, end, start, end, KASAN_VMALLOC_TLB_FLUSH); -- 2.51.0 From - Sat Feb 28 20:59:19 2026 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: Delivered-To: hi@josie.lol Received: from witcher.mxrouting.net by witcher.mxrouting.net with LMTP id oJy/OhVXo2nZpwAAYBR5ng (envelope-from ) for ; Sat, 28 Feb 2026 20:59:01 +0000 Return-path: Envelope-to: hi@josie.lol Delivery-date: Sat, 28 Feb 2026 20:59:02 +0000 Received: from sin.lore.kernel.org ([104.64.211.4]) by witcher.mxrouting.net with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.98) (envelope-from ) id 1vwROv-00000002q8V-1EK5 for hi@josie.lol; Sat, 28 Feb 2026 20:59:01 +0000 Received: from smtp.subspace.kernel.org (conduit.subspace.kernel.org [100.90.174.1]) by sin.lore.kernel.org (Postfix) with ESMTP id CA72130FFA8E for ; Sat, 28 Feb 2026 19:47:24 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 555C436DA18; Sat, 28 Feb 2026 17:57:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="TmRxl3HJ" X-Original-To: stable@vger.kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 326A036DA12; Sat, 28 Feb 2026 17:57:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772301443; cv=none; b=UuX8iL/7ocrjxlS8+QqI0jVCc0JSZb8USl7yx/A3o3/gWvvhR7H5/fvL7gp29iD998baj7g1qQKjY+ttH/9ZQPAVu0cC/AF/AfQEzQtFu8K+seOkCVspOmv1tMP8T5uSO4xF3tBJg1dF0xOWIKtKKOa0kxg5DOc+Gg77RRGgivc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772301443; c=relaxed/simple; bh=72RPNUc/iXLcDRYOIDPFhqLI8iZaaPVe6lyiIJlNqvE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=HxMPjccuKMaF5c6zwNSJ1bhOAdzEA3DEb4z/FYmkUO6PGqOdf95vGbDNWV6Ol7AcibYJ0MTNUK8ZzeU4DOc30mlsJua5/snG8G//el8MCv8WVVXU8N+K54i76+Jj+QDIId4vEGgoLTxxFAOZ9h+467Q/ul8sC/1zXLsJ5ZY+nKE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=TmRxl3HJ; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 42982C19423; Sat, 28 Feb 2026 17:57:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1772301443; bh=72RPNUc/iXLcDRYOIDPFhqLI8iZaaPVe6lyiIJlNqvE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TmRxl3HJmzU7hj0uVoH/BymOsrQGNOViqteRMU/HFlgkL0s//BLAbiWBgjyTSq4vM aCV9GtUSNIZrxnI4KTTJ+0HN+kQSN0FMW5T+RFb/9OcLntkji1WRSVHxXM3jPmXNpS qiJdgWqSuMgo2lADQJOUmo63fdAv1BX5nNGyUPtTJ7j017/DO96XuWzqrlBtuRvU19 HgEca+YkWvYaxNw638iuYThc/HeIgyIT0o0OGQSuExC4/KnuaXGiN6w3IrCFVdhbo3 MBXQ1itws3mH49RuRr554ahtNmUGLCN7U7oSVh8FfQZ8+Pb+8rXPeKPM8vYXzx7dPn s7CFm/C8OkrhA== From: Sasha Levin To: patches@lists.linux.dev Cc: Vlastimil Babka , kernel test robot , stable@vger.kernel.org, Harry Yoo , Suren Baghdasaryan , "Liam R. Howlett" , Sasha Levin Subject: [PATCH 6.18 629/752] mm/slab: add rcu_barrier() to kvfree_rcu_barrier_on_cache() Date: Sat, 28 Feb 2026 12:45:40 -0500 Message-ID: <20260228174750.1542406-629-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260228174750.1542406-1-sashal@kernel.org> References: <20260228174750.1542406-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit X-DKIM: signer='kernel.org' status='pass' reason='' DKIMCheck: Server passes DKIM test, 0 Spam score X-Spam-Score: -1.2 (-) X-Spam-Report: Spam detection software, running on the system "witcher.mxrouting.net", has performed the tests listed below against this email. Information: https://docs.mxroute.com/docs/expert-spam-filtering.html --- Content analysis details: (-1.2 points) --- pts rule name description ---- ---------------------- ----------------------------------------- 0.0 RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [104.64.211.4 listed in zen.spamhaus.org] 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#DnsBlocklists-dnsbl-block for more information. [104.64.211.4 listed in list.dnswl.org] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager -0.0 DKIMWL_WL_HIGH DKIMwl.org - High trust sender SpamTally: Final spam score: -11 From: Vlastimil Babka [ Upstream commit b55b423e8518361124ff0a9e15df431b3682ee4f ] After we submit the rcu_free sheaves to call_rcu() we need to make sure the rcu callbacks complete. kvfree_rcu_barrier() does that via flush_all_rcu_sheaves() but kvfree_rcu_barrier_on_cache() doesn't. Fix that. This currently causes no issues because the caches with sheaves we have are never destroyed. The problem flagged by kernel test robot was reported for a patch that enables sheaves for (almost) all caches, and occurred only with CONFIG_KASAN. Harry Yoo found the root cause [1]: It turns out the object freed by sheaf_flush_unused() was in KASAN percpu quarantine list (confirmed by dumping the list) by the time __kmem_cache_shutdown() returns an error. Quarantined objects are supposed to be flushed by kasan_cache_shutdown(), but things go wrong if the rcu callback (rcu_free_sheaf_nobarn()) is processed after kasan_cache_shutdown() finishes. That's why rcu_barrier() in __kmem_cache_shutdown() didn't help, because it's called after kasan_cache_shutdown(). Calling rcu_barrier() in kvfree_rcu_barrier_on_cache() guarantees that it'll be added to the quarantine list before kasan_cache_shutdown() is called. So it's a valid fix! [1] https://lore.kernel.org/all/aWd6f3jERlrB5yeF@hyeyoo/ Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202601121442.c530bed3-lkp@intel.com Fixes: 0f35040de593 ("mm/slab: introduce kvfree_rcu_barrier_on_cache() for cache destruction") Cc: stable@vger.kernel.org Reviewed-by: Harry Yoo Tested-by: Harry Yoo Reviewed-by: Suren Baghdasaryan Reviewed-by: Liam R. Howlett Signed-off-by: Vlastimil Babka Signed-off-by: Sasha Levin --- mm/slab_common.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mm/slab_common.c b/mm/slab_common.c index 87bde1d8916be..0f58265ca200e 100644 --- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -2134,8 +2134,11 @@ EXPORT_SYMBOL_GPL(kvfree_rcu_barrier); */ void kvfree_rcu_barrier_on_cache(struct kmem_cache *s) { - if (s->cpu_sheaves) + if (s->cpu_sheaves) { flush_rcu_sheaves_on_cache(s); + rcu_barrier(); + } + /* * TODO: Introduce a version of __kvfree_rcu_barrier() that works * on a specific slab cache. -- 2.51.0 From - Sat Feb 28 20:59:19 2026 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: Delivered-To: hi@josie.lol Received: from witcher.mxrouting.net by witcher.mxrouting.net with LMTP id KFQeCyJXo2noAgoAYBR5ng (envelope-from ) for ; Sat, 28 Feb 2026 20:59:14 +0000 Return-path: Envelope-to: hi@josie.lol Delivery-date: Sat, 28 Feb 2026 20:59:14 +0000 Received: from sin.lore.kernel.org ([104.64.211.4]) by witcher.mxrouting.net with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.98) (envelope-from ) id 1vwRP7-00000002qg1-1XdL for hi@josie.lol; Sat, 28 Feb 2026 20:59:14 +0000 Received: from smtp.subspace.kernel.org (conduit.subspace.kernel.org [100.90.174.1]) by sin.lore.kernel.org (Postfix) with ESMTP id 801E731644CC for ; Sat, 28 Feb 2026 19:47:21 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 3778836DA0E; Sat, 28 Feb 2026 17:57:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="aJ1QhhcJ" X-Original-To: stable@vger.kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1232B36DA0B; Sat, 28 Feb 2026 17:57:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772301440; cv=none; b=m/KYEZ+qvnkL0EmsFZxv3/cXxB0zVhUUOBAZT9Zc6UOZpEUfT0KzWLRvVzuG4crAWiQtIgVG5K+wzza+QfqKcYiWDYIPMeXLwzlde6VMy04QcKWm9IwdAEaQslWYcJTbn+Wkrr59cmv4fBmP1MGL5rW4AhgW6PtO37axZnZ0Fgs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772301440; c=relaxed/simple; bh=eka7zON3gX8jz16OwPRfwdNq2KwQ6lxsdlOJPMoc0bU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=ZbLlyVJUja8rnpmx58FBaUlmgiUndyjUnEWzb+5tpK23FxVjj9btlbXV9ge3L73t5V5yd84EV/E1rn07S+5n8pY695wYTPUJvl7nu1dnz/ecrqLhrOT4lwOwb58y5naReXn7KAAYyY+MZtBJn4QqR4zUHpFKwiWlCsZhcVzQcgA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=aJ1QhhcJ; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id C3BDCC19423; Sat, 28 Feb 2026 17:57:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1772301440; bh=eka7zON3gX8jz16OwPRfwdNq2KwQ6lxsdlOJPMoc0bU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aJ1QhhcJo3v9Qhx8cl4M9hz4pOykgDe8rANkywz7jzPsETD6bcFJ/uM1UtSujLovI /BVt96wD0V0ZhoRoDsf9Fbvvv5eLEvGeqqaP2hyLtUVRkYzeqlQ0ElzmZDoicCdeYk DmHbZFJ00m80iMwUSfLoX5gavG2uJxObT5XVaqlA96/JkOExeBlzCnhgietnI47r2y guJ9LrBnCvjHG3fJ8qCqoA0R7D4Q+WNev1lfTFpqAp46EKTBJOXQc5/IAmgJ/34au1 5pLrsKYryJZt0pBKnrghQP3vRvkbQJDBIXXQws00xxfPwydBVXQhfBqWFO4g3D5o1+ HpSpYcT8N+a+g== From: Sasha Levin To: patches@lists.linux.dev Cc: Harshit Mogalapalli , Paul Webb , Mimi Zohar , Alexander Graf , Ard Biesheuvel , Baoquan He , Borislav Betkov , guoweikang , Henry Willard , "H. Peter Anvin" , Ingo Molnar , Jiri Bohac , Joel Granados , Jonathan McDowell , Mike Rapoport , Sohil Mehta , Sourabh Jain , Thomas Gleinxer , Yifei Liu , stable@vger.kernel.org, Andrew Morton , Sasha Levin Subject: [PATCH 6.18 626/752] x86/kexec: add a sanity check on previous kernel's ima kexec buffer Date: Sat, 28 Feb 2026 12:45:37 -0500 Message-ID: <20260228174750.1542406-626-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260228174750.1542406-1-sashal@kernel.org> References: <20260228174750.1542406-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit X-DKIM: signer='kernel.org' status='pass' reason='' DKIMCheck: Server passes DKIM test, 0 Spam score X-Spam-Score: -1.2 (-) X-Spam-Report: Spam detection software, running on the system "witcher.mxrouting.net", has performed the tests listed below against this email. Information: https://docs.mxroute.com/docs/expert-spam-filtering.html --- Content analysis details: (-1.2 points) --- pts rule name description ---- ---------------------- ----------------------------------------- 0.0 RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [104.64.211.4 listed in zen.spamhaus.org] 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#DnsBlocklists-dnsbl-block for more information. [104.64.211.4 listed in list.dnswl.org] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager -0.0 DKIMWL_WL_HIGH DKIMwl.org - High trust sender SpamTally: Final spam score: -11 From: Harshit Mogalapalli [ Upstream commit c5489d04337b47e93c0623e8145fcba3f5739efd ] When the second-stage kernel is booted via kexec with a limiting command line such as "mem=", the physical range that contains the carried over IMA measurement list may fall outside the truncated RAM leading to a kernel panic. BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) – not-present page Other architectures already validate the range with page_is_ram(), as done in commit cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds") do a similar check on x86. Without carrying the measurement list across kexec, the attestation would fail. Link: https://lkml.kernel.org/r/20251231061609.907170-4-harshit.m.mogalapalli@oracle.com Signed-off-by: Harshit Mogalapalli Fixes: b69a2afd5afc ("x86/kexec: Carry forward IMA measurement log on kexec") Reported-by: Paul Webb Reviewed-by: Mimi Zohar Cc: Alexander Graf Cc: Ard Biesheuvel Cc: Baoquan He Cc: Borislav Betkov Cc: guoweikang Cc: Henry Willard Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: Jiri Bohac Cc: Joel Granados Cc: Jonathan McDowell Cc: Mike Rapoport Cc: Sohil Mehta Cc: Sourabh Jain Cc: Thomas Gleinxer Cc: Yifei Liu Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin --- arch/x86/kernel/setup.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c index 1b2edd07a3e17..383d4a4784f5b 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -439,9 +439,15 @@ int __init ima_free_kexec_buffer(void) int __init ima_get_kexec_buffer(void **addr, size_t *size) { + int ret; + if (!ima_kexec_buffer_size) return -ENOENT; + ret = ima_validate_range(ima_kexec_buffer_phys, ima_kexec_buffer_size); + if (ret) + return ret; + *addr = __va(ima_kexec_buffer_phys); *size = ima_kexec_buffer_size; -- 2.51.0 From - Sat Feb 28 20:59:28 2026 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: Delivered-To: hi@josie.lol Received: from witcher.mxrouting.net by witcher.mxrouting.net with LMTP id kJ7bDixXo2nZpwAAYBR5ng (envelope-from ) for ; Sat, 28 Feb 2026 20:59:24 +0000 Return-path: Envelope-to: hi@josie.lol Delivery-date: Sat, 28 Feb 2026 20:59:24 +0000 Received: from sin.lore.kernel.org ([104.64.211.4]) by witcher.mxrouting.net with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.98) (envelope-from ) id 1vwRPH-00000002qyP-1nSL for hi@josie.lol; Sat, 28 Feb 2026 20:59:24 +0000 Received: from smtp.subspace.kernel.org (conduit.subspace.kernel.org [100.90.174.1]) by sin.lore.kernel.org (Postfix) with ESMTP id ABEA5316380A for ; Sat, 28 Feb 2026 19:47:17 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id BF60A36DA06; Sat, 28 Feb 2026 17:57:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="W87DTvHX" X-Original-To: stable@vger.kernel.org Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9A9B536DA04; Sat, 28 Feb 2026 17:57:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772301437; cv=none; b=s3JB0BuJlip+g8djYnjO2kLYS3TaldTEuabu3CDh1i+bwl7J9aIbmYQAf3KmiuIBsftEhc4InauG2PMpPux7d5rMZA54hjry+SZjMyKOmZMpN+o/o2c8XpiAlHbORkhDZ4xCRKN4d2L/eiSt6BflpS6a80zJbAqhRrDdQN/IsuM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1772301437; c=relaxed/simple; bh=hynepgpAQS62ggttobeYcs2o4UAKAYMz2B4KjnrM9KM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=cyCJaXvi3bFFRglj3otC8HT13bebQEuEYsH4Q9hm1jUBiXhlNK4G1lXl0MGC6SdjwT+LKA/VgPh0vYvxp94i48fvbQvcNqqaAh24Rh7tSqubDlKlLgeS0rHoJ6LhNivLA7+KvNby0fVzExw7K7gUJm7M3xPVdB6sYJnODfQC2cg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=W87DTvHX; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 57F2BC116D0; Sat, 28 Feb 2026 17:57:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1772301437; bh=hynepgpAQS62ggttobeYcs2o4UAKAYMz2B4KjnrM9KM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=W87DTvHXDCDmRExZzNcjNSrnpS26zuUjk41MJRO/udzyC63viDdelVdo1Fv3y73tu WbFtU2/BX7mVWkWqKCUjSbaCB1gNo7/yqV1xiD0MICaugJiqXCiGpIsnRIeytO2mPR SXr+mskO/wq/0EdgZC95tYL8IosqC28deN7EHPHA9oqUbETiK3Q2BB9pOBmxU/QA1E ngmJNsJcd0rwuoqRpa4jZIb6kKM5JB3jCFMvt5ptXPSZKhsc0qlMcAABAK8fOg0MZ+ +49tUGCGxhhNqJ7nH+2jxnHZU63LHjGthSbnCdc4YYHJM6Yh09y7wOyv0FsHegEU+l fCfTcn8jlglIg== From: Sasha Levin To: patches@lists.linux.dev Cc: Harshit Mogalapalli , Mimi Zohar , Alexander Graf , Ard Biesheuvel , Baoquan He , Borislav Betkov , guoweikang , Henry Willard , "H. Peter Anvin" , Ingo Molnar , Jiri Bohac , Joel Granados , Jonathan McDowell , Mike Rapoport , Paul Webb , Sohil Mehta , Sourabh Jain , Thomas Gleinxer , Yifei Liu , stable@vger.kernel.org, Andrew Morton , Sasha Levin Subject: [PATCH 6.18 625/752] of/kexec: refactor ima_get_kexec_buffer() to use ima_validate_range() Date: Sat, 28 Feb 2026 12:45:36 -0500 Message-ID: <20260228174750.1542406-625-sashal@kernel.org> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260228174750.1542406-1-sashal@kernel.org> References: <20260228174750.1542406-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit X-DKIM: signer='kernel.org' status='pass' reason='' DKIMCheck: Server passes DKIM test, 0 Spam score X-Spam-Score: -1.2 (-) X-Spam-Report: Spam detection software, running on the system "witcher.mxrouting.net", has performed the tests listed below against this email. Information: https://docs.mxroute.com/docs/expert-spam-filtering.html --- Content analysis details: (-1.2 points) --- pts rule name description ---- ---------------------- ----------------------------------------- 0.0 RCVD_IN_ZEN_BLOCKED_OPENDNS RBL: ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [104.64.211.4 listed in zen.spamhaus.org] 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#DnsBlocklists-dnsbl-block for more information. [104.64.211.4 listed in list.dnswl.org] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager -0.0 DKIMWL_WL_HIGH DKIMwl.org - High trust sender SpamTally: Final spam score: -11 From: Harshit Mogalapalli [ Upstream commit 4d02233235ed0450de9c10fcdcf3484e3c9401ce ] Refactor the OF/DT ima_get_kexec_buffer() to use a generic helper to validate the address range. No functional change intended. Link: https://lkml.kernel.org/r/20251231061609.907170-3-harshit.m.mogalapalli@oracle.com Signed-off-by: Harshit Mogalapalli Reviewed-by: Mimi Zohar Cc: Alexander Graf Cc: Ard Biesheuvel Cc: Baoquan He Cc: Borislav Betkov Cc: guoweikang Cc: Henry Willard Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: Jiri Bohac Cc: Joel Granados Cc: Jonathan McDowell Cc: Mike Rapoport Cc: Paul Webb Cc: Sohil Mehta Cc: Sourabh Jain Cc: Thomas Gleinxer Cc: Yifei Liu Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin --- drivers/of/kexec.c | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/drivers/of/kexec.c b/drivers/of/kexec.c index 1ee2d31816aeb..c4cf3552c0183 100644 --- a/drivers/of/kexec.c +++ b/drivers/of/kexec.c @@ -128,7 +128,6 @@ int __init ima_get_kexec_buffer(void **addr, size_t *size) { int ret, len; unsigned long tmp_addr; - unsigned long start_pfn, end_pfn; size_t tmp_size; const void *prop; @@ -144,17 +143,9 @@ int __init ima_get_kexec_buffer(void **addr, size_t *size) if (!tmp_size) return -ENOENT; - /* - * Calculate the PFNs for the buffer and ensure - * they are with in addressable memory. - */ - start_pfn = PHYS_PFN(tmp_addr); - end_pfn = PHYS_PFN(tmp_addr + tmp_size - 1); - if (!page_is_ram(start_pfn) || !page_is_ram(end_pfn)) { - pr_warn("IMA buffer at 0x%lx, size = 0x%zx beyond memory\n", - tmp_addr, tmp_size); - return -EINVAL; - } + ret = ima_validate_range(tmp_addr, tmp_size); + if (ret) + return ret; *addr = __va(tmp_addr); *size = tmp_size; -- 2.51.0 From - Sat Feb 28 20:59:33 2026 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: Delivered-To: hi@josie.lol Received: from witcher.mxrouting.net by witcher.mxrouting.net with LMTP id wFrdOTBXo2mHIQQAYBR5ng (envelope-from ) for ; Sat, 28 Feb 2026 20:59:28 +0000 Return-path: Envelope-to: hi@josie.lol Delivery-date: Sat, 28 Feb 2026 20:59:29 +0000 Received: from sin.lore.kernel.org ([104.64.211.4]) by witcher.mxrouting.net with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.98) (envelope-from ) id 1vwRPM-00000002r7Y-0NM2 for hi@josie.lol; Sat, 28 Feb 2026 20:59:28 +0000 Received: from sm