The pull request you sent on Fri, 26 Dec 2025 08:51:42 -0700:

> https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git tags/io_uring-6.19-20251226

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/4079a38693910c44780b31cd3cbd220b4144e473

Thank you!

--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html

From - Fri Dec 26 19:56:50 2025
Date: Fri, 26 Dec 2025 01:29:13 +0300
From: Vitaly Chikunov
To: Junjie Cao
Cc: Thomas Zimmermann, Simona Vetter, Helge Deller, Zsolt Kajtar, Albin Babu Varghese, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, regressions@lists.linux.dev
Subject: Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*

Dear linux-fbdev, stable,

On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
> bit_putcs_aligned()/unaligned() derived the glyph pointer from the
> character value masked by 0xff/0x1ff, which may exceed the actual font's
> glyph count and read past the end of the built-in font array.
> Clamp the index to the actual glyph count before computing the address.
>
> This fixes a global out-of-bounds read reported by syzbot.
>
> Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
> Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
> Signed-off-by: Junjie Cao

This commit is applied to v5.10.247 and causes a regression: when
switching VT with ctrl-alt-f2 the screen is blank or completely filled
with angle characters, then new text is not appearing (or not visible).

This commit is found with git bisect from v5.10.246 to v5.10.247:

  0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
  commit 0998a6cb232674408a03e8561dc15aa266b2f53b
  Author:     Junjie Cao
  AuthorDate: 2025-10-20 21:47:01 +0800
  Commit:     Greg Kroah-Hartman
  CommitDate: 2025-12-07 06:08:07 +0900

      fbdev: bitblit: bound-check glyph index in bit_putcs*

      commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.

      bit_putcs_aligned()/unaligned() derived the glyph pointer from the
      character value masked by 0xff/0x1ff, which may exceed the actual font's
      glyph count and read past the end of the built-in font array.
      Clamp the index to the actual glyph count before computing the address.

      This fixes a global out-of-bounds read reported by syzbot.

      Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
      Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
      Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
      Signed-off-by: Junjie Cao
      Reviewed-by: Thomas Zimmermann
      Signed-off-by: Helge Deller
      Cc: stable@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman

   drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
   1 file changed, 12 insertions(+), 4 deletions(-)

The minimal reproducer in cli, after kernel is booted:

  date >/dev/tty2; chvt 2

and the date does not appear.

Thanks,

#regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b

> ---
> v1: https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-a4d8-71709134f1e1@suse.de/
> v1 -> v2:
>  - Fix indentation and add blank line after declarations with the .pl helper
>  - No functional changes
>
>  drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/fbdev/core/bitblit.c > index 9d2e59796c3e..085ffb44c51a 100644 > --- a/drivers/video/fbdev/core/bitblit.c > +++ b/drivers/video/fbdev/core/bitblit.c > @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct vc_data *vc, struct fb_info *info, > struct fb_image *image, u8 *buf, u8 *dst) > { > u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff; > + unsigned int charcnt = vc->vc_font.charcount; > u32 idx = vc->vc_font.width >> 3; > u8 *src; > > while (cnt--) { > - src = vc->vc_font.data + (scr_readw(s++)& > - charmask)*cellsize; > + u16 ch = scr_readw(s++) & charmask; > + > + if (ch >= charcnt) > + ch = 0; > + src = vc->vc_font.data + (unsigned int)ch * cellsize; > > if (attr) { > update_attr(buf, src, attr, vc);
> @@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(struct vc_data *vc, > u8 *dst) > { > u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff; > + unsigned int charcnt = vc->vc_font.charcount; > u32 shift_low = 0, mod = vc->vc_font.width % 8; > u32 shift_high = 8; > u32 idx = vc->vc_font.width >> 3; > u8 *src; > > while (cnt--) { > - src = vc->vc_font.data + (scr_readw(s++)& > - charmask)*cellsize; > + u16 ch = scr_readw(s++) & charmask; > + > + if (ch >= charcnt) > + ch = 0; > + src = vc->vc_font.data + (unsigned int)ch * cellsize; > > if (attr) { > update_attr(buf, src, attr, vc); > -- > 2.48.1 >
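
Review bot: In the bit_putcs_aligned() hunk (@@ -79,12 +79,16), the clamp "if (ch >= charcnt) ch = 0;" has no guard for charcnt == 0, so if vc->vc_font.charcount is zero or was never populated for the active font, every character is drawn as glyph 0. Nothing in the hunk establishes that the field is always set. Either skip the clamp when charcnt is 0 or confirm, for every tree this is backported to, that each path that installs vc->vc_font also fills in charcount. A console that shows one repeated glyph or no readable text, as in the v5.10.247 report in this thread, is the symptom that case would produce.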
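
Review bot: The bit_putcs_unaligned() hunk (@@ -112,14 +116,18) repeats the same clamp as bit_putcs_aligned() line for line, and neither copy says why glyph 0 is the fallback. A small static inline helper that takes vc and the screen word and returns the clamped index would keep the two paths from drifting apart, and a one-line comment on it should state that an out-of-range index now renders glyph 0 instead of reading past vc->vc_font.data.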

From - Fri Dec 26 19:56:50 2025
Date: Fri, 26 Dec 2025 06:52:53 +0800
From: Yao Yuan
To: Paolo Bonzini
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, seanjc@google.com, x86@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH 2/5] x86, fpu: separate fpstate->xfd and guest XFD

On Wed, Dec 24, 2025 at 01:12:46AM +0100, Paolo Bonzini wrote:
> Until now, fpstate->xfd has acted as both the guest value and the value
> that the host used when executing XSAVES and XRSTORS. This is wrong: the
> data in the guest's FPU might not be initialized even if a bit is
> set in XFD and, when that happens, XRSTORing the guest FPU will fail
> with a #NM exception *on the host*.
>
> Instead, store the value of XFD together with XFD_ERR in struct
> fpu_guest; it will still be synchronized in fpu_load_guest_fpstate(), but
> the XRSTOR(S) operation will be able to load any valid state of the FPU
> independent of the XFD value.

Hi Paolo,

LGTM.

Reviewed-by: Yuan Yao

>
> Cc: stable@vger.kernel.org
> Fixes: 820a6ee944e7 ("kvm: x86: Add emulation for IA32_XFD", 2022-01-14)
> Signed-off-by: Paolo Bonzini
> ---
>  arch/x86/include/asm/fpu/api.h   |  6 ++----
>  arch/x86/include/asm/fpu/types.h |  7 +++++++
>  arch/x86/kernel/fpu/core.c       | 19 ++++---------------
>  arch/x86/kernel/fpu/xstate.h     | 18 ++++++++++--------
>  arch/x86/kvm/x86.c               |  6 +++---
>  5 files changed, 26 insertions(+), 30 deletions(-)
>
> diff --git a/arch/x86/include/asm/fpu/api.h b/arch/x86/include/asm/fpu/api.h > index 0820b2621416..ee9ba06b7dbe 100644 > --- a/arch/x86/include/asm/fpu/api.h > +++ b/arch/x86/include/asm/fpu/api.h > @@ -152,11 +152,9 @@ extern int fpu_swap_kvm_fpstate(struct fpu_guest *gfpu, bool enter_guest); > extern int fpu_enable_guest_xfd_features(struct fpu_guest *guest_fpu, u64 xfeatures); > > #ifdef CONFIG_X86_64 > -extern void fpu_update_guest_xfd(struct fpu_guest *guest_fpu, u64 xfd); > -extern void fpu_sync_guest_vmexit_xfd_state(void); > +extern void fpu_sync_guest_vmexit_xfd_state(struct fpu_guest *gfpu); > #else > -static inline void fpu_update_guest_xfd(struct fpu_guest *guest_fpu, u64 xfd) { } > -static inline void fpu_sync_guest_vmexit_xfd_state(void) { } > +static inline void fpu_sync_guest_vmexit_xfd_state(struct fpu_guest *gfpu) { } > #endif > > extern void fpu_copy_guest_fpstate_to_uabi(struct fpu_guest *gfpu, void *buf, > diff --git a/arch/x86/include/asm/fpu/types.h b/arch/x86/include/asm/fpu/types.h > index 93e99d2583d6..7abe231e2ffe 100644
> --- a/arch/x86/include/asm/fpu/types.h > +++ b/arch/x86/include/asm/fpu/types.h > @@ -545,6 +545,13 @@ struct fpu_guest { > */ > u64 xfeatures; > > + /* > + * @xfd: Save the guest value. Note that this is > + * *not* fpstate->xfd, which is the value > + * the host uses when doing XSAVE/XRSTOR. > + */ > + u64 xfd; > + > /* > * @xfd_err: Save the guest value. > */ > diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c > index a480fa8c65d5..ff17c96d290a 100644 > --- a/arch/x86/kernel/fpu/core.c > +++ b/arch/x86/kernel/fpu/core.c > @@ -317,16 +317,6 @@ int fpu_enable_guest_xfd_features(struct fpu_guest *guest_fpu, u64 xfeatures) > EXPORT_SYMBOL_FOR_KVM(fpu_enable_guest_xfd_features); > > #ifdef CONFIG_X86_64 > -void fpu_update_guest_xfd(struct fpu_guest *guest_fpu, u64 xfd) > -{ > - fpregs_lock(); > - guest_fpu->fpstate->xfd = xfd; > - if (guest_fpu->fpstate->in_use) > - xfd_update_state(guest_fpu->fpstate); > - fpregs_unlock(); > -} > -EXPORT_SYMBOL_FOR_KVM(fpu_update_guest_xfd); > - > /** > * fpu_sync_guest_vmexit_xfd_state - Synchronize XFD MSR and software state > * > @@ -339,14 +329,12 @@ EXPORT_SYMBOL_FOR_KVM(fpu_update_guest_xfd); > * Note: It can be invoked unconditionally even when write emulation is > * enabled for the price of a then pointless MSR read. > */ > -void fpu_sync_guest_vmexit_xfd_state(void) > +void fpu_sync_guest_vmexit_xfd_state(struct fpu_guest *gfpu) > { > - struct fpstate *fpstate = x86_task_fpu(current)->fpstate; > - > lockdep_assert_irqs_disabled(); > if (fpu_state_size_dynamic()) { > - rdmsrq(MSR_IA32_XFD, fpstate->xfd); > - __this_cpu_write(xfd_state, fpstate->xfd); > + rdmsrq(MSR_IA32_XFD, gfpu->xfd); > + __this_cpu_write(xfd_state, gfpu->xfd); > } > } > EXPORT_SYMBOL_FOR_KVM(fpu_sync_guest_vmexit_xfd_state); 
> @@ -890,6 +878,7 @@ void fpu_load_guest_fpstate(struct fpu_guest *gfpu) > fpregs_restore_userregs(); > > fpregs_assert_state_consistent(); > + xfd_set_state(gfpu->xfd); > if (gfpu->xfd_err) > wrmsrq(MSR_IA32_XFD_ERR, gfpu->xfd_err); > } > diff --git a/arch/x86/kernel/fpu/xstate.h b/arch/x86/kernel/fpu/xstate.h > index 52ce19289989..c0ce05bee637 100644 > --- a/arch/x86/kernel/fpu/xstate.h > +++ b/arch/x86/kernel/fpu/xstate.h > @@ -180,26 +180,28 @@ static inline void xfd_validate_state(struct fpstate *fpstate, u64 mask, bool rs > #endif > > #ifdef CONFIG_X86_64 > -static inline void xfd_set_state(u64 xfd) > +static inline void __xfd_set_state(u64 xfd) > { > wrmsrq(MSR_IA32_XFD, xfd); > __this_cpu_write(xfd_state, xfd); > } > > +static inline void xfd_set_state(u64 xfd) > +{ > + if (__this_cpu_read(xfd_state) != xfd) > + __xfd_set_state(xfd); > +} > + > static inline void xfd_update_state(struct fpstate *fpstate) > { > - if (fpu_state_size_dynamic()) { > - u64 xfd = fpstate->xfd; > - > - if (__this_cpu_read(xfd_state) != xfd) > - xfd_set_state(xfd); > - } > + if (fpu_state_size_dynamic()) > + xfd_set_state(fpstate->xfd); > } > > extern int __xfd_enable_feature(u64 which, struct fpu_guest *guest_fpu); > #else > static inline void xfd_set_state(u64 xfd) { } > - > +static inline void __xfd_set_state(u64 xfd) { } > static inline void xfd_update_state(struct fpstate *fpstate) { } > > static inline int __xfd_enable_feature(u64 which, struct fpu_guest *guest_fpu) { > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > index 01d95192dfc5..56fd082859bc 100644 > --- a/arch/x86/kvm/x86.c > +++ b/arch/x86/kvm/x86.c > @@ -4261,7 +4261,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) > if (data & ~kvm_guest_supported_xfd(vcpu)) > return 1; > > - fpu_update_guest_xfd(&vcpu->arch.guest_fpu, data); > + vcpu->arch.guest_fpu.xfd = data; > break; > case MSR_IA32_XFD_ERR: > if (!msr_info->host_initiated && 
> @@ -4617,7 +4617,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info) > !guest_cpu_cap_has(vcpu, X86_FEATURE_XFD)) > return 1; > > - msr_info->data = vcpu->arch.guest_fpu.fpstate->xfd; > + msr_info->data = vcpu->arch.guest_fpu.xfd; > break; > case MSR_IA32_XFD_ERR: > if (!msr_info->host_initiated && 
> @@ -11405,7 +11405,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) > * in #NM irqoff handler). > */ > if (vcpu->arch.xfd_no_write_intercept) > - fpu_sync_guest_vmexit_xfd_state(); > + fpu_sync_guest_vmexit_xfd_state(&vcpu->arch.guest_fpu); > > kvm_x86_call(handle_exit_irqoff)(vcpu); > > -- > 2.52.0 > >
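
Review bot: In the fpu_sync_guest_vmexit_xfd_state() hunk of arch/x86/kernel/fpu/core.c (@@ -339,14 +329,12), the function gains a gfpu parameter but the kernel-doc block above it is left untouched, so it has no @gfpu entry and no longer says where the MSR value ends up. Add the parameter description and state that gfpu->xfd, not fpstate->xfd, receives the value read from MSR_IA32_XFD.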
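
Review bot: In the fpu_load_guest_fpstate() hunk of arch/x86/kernel/fpu/core.c (@@ -890,6 +878,7), the new xfd_set_state(gfpu->xfd) call has no fpu_state_size_dynamic() guard, while xfd_update_state() in xstate.h still checks it before touching the MSR. The call stays harmless on systems without dynamic state only as long as gfpu->xfd and the per-CPU xfd_state are both zero there. Either add the guard at this call site or write that invariant down in a comment next to it.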
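
Review bot: In the arch/x86/kernel/fpu/xstate.h hunk (@@ -180,26 +180,28), xfd_set_state() keeps its name but changes from an unconditional WRMSR to one that is skipped when the per-CPU xfd_state cache already matches, so any caller not shown in this patch that depended on the write always happening changes behaviour silently. Please confirm each remaining caller is correct with the cached compare, or move it to __xfd_set_state(), and add a short comment above the two helpers saying which one trusts the cache.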
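
Review bot: In the kvm_set_msr_common() hunk of arch/x86/kvm/x86.c (@@ -4261,7 +4261,7), the plain store "vcpu->arch.guest_fpu.xfd = data;" drops what the removed fpu_update_guest_xfd() did under fpregs_lock(), which was to push the value to hardware via xfd_update_state() when fpstate->in_use was set. The new value now reaches MSR_IA32_XFD only at the next fpu_load_guest_fpstate(). A comment here should say that the deferral is intended and name the path that guarantees the reload before the guest runs again.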

From - Fri Dec 26 19:56:50 2025
Date: Fri, 26 Dec 2025 08:53:54 +0800
From: Jinchao Wang
To: Jan Kara
Cc: Theodore Ts'o, Andreas Dilger, linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot+f792df426ff0f5ceb8d1@syzkaller.appspotmail.com
Subject: Re: [PATCH] ext4: xattr: fix wrong search.here in clone_block

On Thu, Dec 18, 2025 at 04:39:08PM +0100, Jan Kara wrote:
> On Thu 18-12-25 09:40:36, Jinchao Wang wrote:
> > On Wed, Dec 17, 2025 at 12:30:15PM +0100, Jan Kara wrote:
> > > Hello!
> > >
> > > On Tue 16-12-25 19:34:55, Jinchao Wang wrote:
> > > > syzbot reported a KASAN out-of-bounds Read in ext4_xattr_set_entry()[1].
> > > >
> > > > When xattr_find_entry() returns -ENODATA, search.here still points to the
> > > > position after the last valid entry. ext4_xattr_block_set() clones the xattr
> > > > block because the original block may be shared and must not be modified in
> > > > place.
> > > >
> > > > In the clone_block, search.here is recomputed unconditionally from the old
> > > > offset, which may place it past search.first. This results in a negative
> > > > reset size and an out-of-bounds memmove() in ext4_xattr_set_entry().
> > > >
> > > > Fix this by initializing search.here correctly when search.not_found is set.
> > > >
> > > > [1] https://syzkaller.appspot.com/bug?extid=f792df426ff0f5ceb8d1
> > > >
> > > > Fixes: fd48e9acdf2 (ext4: Unindent codeblock in ext4_xattr_block_set)
> > > > Cc: stable@vger.kernel.org
> > > > Reported-by: syzbot+f792df426ff0f5ceb8d1@syzkaller.appspotmail.com
> > > > Signed-off-by: Jinchao Wang > > > > > > Thanks for the patch! But I think the problem must be somewhere else. > > The first syzbot test report was run without the patch applied, > > which caused confusion. > > The correct usage and report show that this patch fixes the crash: > > https://lore.kernel.org/all/20251216123945.391988-2-wangjinchao600@gmail.com/ > > https://lore.kernel.org/all/6941580e.a70a0220.33cd7b.013d.GAE@google.com/ > > I was not arguing that your patch doesn't fix this syzbot issue. Just that > I don't understand how what you describe can happen and thus I'm not sure > whether the fix is really the best one... > > > > in ext4_xattr_set_entry(). And I don't see how 'here' can be greater than > > > 'last' which should be pointing to the very same 4-byte zeroed word. The > > > fact that 'here' and 'last' are not equal is IMO the problem which needs > > > debugging and it indicates there's something really fishy going on with the > > > xattr block we work with. The block should be freshly allocated one as far > > > as I'm checking the disk image (as the 'file1' file doesn't have xattr > > > block in the original image). > > > > I traced the crash path and find how this hapens: > > Thanks for sharing the details! > > > entry_SYSCALL_64 > > ... > > ext4_xattr_move_to_block > > ext4_xattr_block_find (){ > > error = xattr_find_entry(inode, &bs->s.here, ...); // bs->s.here updated > > // to ENTRY(header(s->first)+1); > > if (error && error != -ENODATA) > > return error; > > bs->s.not_found = error; // and returned to the caller > > } > > ext4_xattr_block_set (bs) { > > s = bs->s; > > offset = (char *)s->here - bs->bh->b_data; // bs->bh->b_data == bs->s.base > > // offset = ENTRY(header(s->first)+1) - s.base > > // leads to wrong offset > > Why do you think the offset is wrong here? The offset is correct AFAICS - > it will be the offset of the 0 word from the beginning of xattr block. 
I > have run the reproducer myself and as I guessed in my previous email the > real problem is that someone modifies the xattr block between we compute > the offset here and the moment we call kmemdup() in clone_block. Thus the > computation of 'last' in ext4_xattr_set_entry() yields a different result > that what we saw in ext4_xattr_block_set(). The block modification happens > because the xattr block - block 33 is used for it - is also referenced from > file3 (but it was marked as unused in the block bitmap and so xattr block > got placed there). > > So your patch was fixing the problem only by chance and slightly different > syzbot reproducer (overwriting the block 33 with a different contents) > would trigger the crash again. > > So far I wasn't able to figure out how exactly the block 33 got zeroed out > but with corrupted filesystem it can happen in principle rather easily. The > question is how we can possibly fix this because this is one of the nastier > cases of fs corrution to deal with. The overhead of re-verifying fs > metadata each time we relock the buffer is just too big... So far no great > ideas for this. > > Honza > Baokun explained part of the process in the kernel space. https://lore.kernel.org/all/d62a25e9-04de-4309-98d1-22a4f9b5bb49@huawei.com/ I analysed syz-reproducer and add some userspace details: - original filesystem state - file1: - inode 15 with File ACL block 33 - file2: - inode 16 with data blocks 27–35 - actions - syscall(__NR_creat, "file2") - syscall(__NR_unlink, "file1") // panic happens here The original filesystem state is already corrupted, with block 33 beging referenced both as an xattr block and as file data. 
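A user-space model of the sequence discussed in this thread, added here as an illustration and not taken from the thread or from ext4: the offset of `here` is computed on the shared block, the block is rewritten before it is copied, and `last` is then recomputed on the copy. The fixed-size entry layout, the constants and every `model_*` name are simplified assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK_SIZE  64u  /* model block size (assumption) */
#define HDR_SIZE  8u   /* model header; the first entry follows it */
#define ENT_SIZE  8u   /* fixed-size model entry; real xattr entries vary in size */
#define TERM_SIZE 4u   /* the entry list ends at a zeroed 32-bit word */

static uint32_t word_at(const uint8_t *blk, size_t off)
{
    uint32_t w;

    memcpy(&w, blk + off, sizeof(w));
    return w;
}

/* Walk from the first entry to the terminating zero word; return its offset. */
size_t model_find_last(const uint8_t *blk)
{
    size_t off = HDR_SIZE;

    while (off + TERM_SIZE <= BLK_SIZE && word_at(blk, off) != 0)
        off += ENT_SIZE;
    return off;
}

/* Size a "move everything from here up to and including the terminator"
 * memmove() would be given. Negative means the request is out of bounds. */
long model_rest(size_t here_off, size_t last_off)
{
    return (long)last_off - (long)here_off + (long)TERM_SIZE;
}

/* Consistency check on the private copy: 0 if here lies inside the entry
 * list that the copy actually contains, -1 otherwise. */
int model_check_clone(const uint8_t *clone, size_t here_off)
{
    size_t last_off = model_find_last(clone);

    if (last_off + TERM_SIZE > BLK_SIZE)   /* no terminator inside the block */
        return -1;
    if (here_off < HDR_SIZE || here_off > last_off)
        return -1;
    return 0;
}

/* Constructed input: a shared block with two entries. The lookup finds
 * nothing, so here is the terminator offset. Optionally the block is zeroed
 * by its other owner before the copy is taken. Returns here's offset. */
static size_t make_clone(uint8_t *clone, int block_rewritten)
{
    const uint32_t tag = 0x61747478u;      /* arbitrary non-zero entry word */
    uint8_t shared[BLK_SIZE];
    size_t here_off;

    memset(shared, 0, BLK_SIZE);
    memcpy(shared + HDR_SIZE, &tag, sizeof(tag));
    memcpy(shared + HDR_SIZE + ENT_SIZE, &tag, sizeof(tag));
    here_off = model_find_last(shared);    /* offset computed on the shared block */

    if (block_rewritten)
        memset(shared, 0, BLK_SIZE);       /* contents change before the copy */
    memcpy(clone, shared, BLK_SIZE);       /* stands in for kmemdup() */
    return here_off;
}

long model_scenario_rest(int block_rewritten)
{
    uint8_t clone[BLK_SIZE];
    size_t here_off = make_clone(clone, block_rewritten);

    return model_rest(here_off, model_find_last(clone));
}

int model_scenario_check(int block_rewritten)
{
    uint8_t clone[BLK_SIZE];
    size_t here_off = make_clone(clone, block_rewritten);

    return model_check_clone(clone, here_off);
}

int main(void)
{
    printf("unchanged block: rest=%ld check=%d\n",
           model_scenario_rest(0), model_scenario_check(0));
    printf("rewritten block: rest=%ld check=%d\n",
           model_scenario_rest(1), model_scenario_check(1));
    return 0;
}
```

With the block unchanged, `here` and `last` coincide and only the terminator is moved; with the block zeroed in between, `last` falls before `here` and the size goes negative, which is the condition the check on the copy reports.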
From: Rahul Sharma
To: gregkh@linuxfoundation.org, stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Gyeyoung Baek, Thomas Gleixner, Rahul Sharma
Subject: [PATCH v6.6] genirq/irq_sim: Initialize work context pointers properly
Date: Fri, 26 Dec 2025 09:53:07 +0800
Message-Id: <20251226015307.1660054-1-black.hawk@163.com>

From: Gyeyoung Baek

[ Upstream commit 8a2277a3c9e4cc5398f80821afe7ecbe9bdf2819 ]

Initialize `ops` member's pointers properly by using kzalloc() instead of
kmalloc() when allocating the simulation work context. Otherwise the
pointers contain random content leading to invalid dereferencing.

Signed-off-by: Gyeyoung Baek
Signed-off-by: Thomas Gleixner
Link: https://lore.kernel.org/all/20250612124827.63259-1-gye976@gmail.com
[ The context change is due to the commit 011f583781fa
("genirq/irq_sim: add an extended irq_sim initializer") which is
irrelevant to the logic of this patch. ]
Signed-off-by: Rahul Sharma
--- kernel/irq/irq_sim.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/irq/irq_sim.c b/kernel/irq/irq_sim.c index dd76323ea3fd..bde31468c19d 100644 --- a/kernel/irq/irq_sim.c +++ b/kernel/irq/irq_sim.c
@@ -166,7 +166,7 @@ struct irq_domain *irq_domain_create_sim(struct fwnode_handle *fwnode, { struct irq_sim_work_ctx *work_ctx; - work_ctx = kmalloc(sizeof(*work_ctx), GFP_KERNEL); + work_ctx = kzalloc(sizeof(*work_ctx), GFP_KERNEL); if (!work_ctx) goto err_out; -- 2.34.1
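
Review bot: the changelog justifies the kmalloc() to kzalloc() switch in irq_domain_create_sim() by the `ops` member's pointers, while the bracketed backport note attributes the context difference to 011f583781fa ("genirq/irq_sim: add an extended irq_sim initializer"), so it is not clear from this mail that the v6.6 struct irq_sim_work_ctx has those pointers at all. Please say in the backport note whether the `ops` member exists in v6.6, or which other field of work_ctx is read before it is written there, so stable reviewers can tell that the uninitialized read described upstream is reachable in this tree. The one-line change is harmless either way, and the `if (!work_ctx) goto err_out;` check after it is unchanged.
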
From: Ping-Ke Shih
To: Ali Tariq, "Jes.Sorensen@gmail.com"
CC: "linux-wireless@vger.kernel.org", "netdev@vger.kernel.org", "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
Subject: RE: [PATCH] rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add
Date: Fri, 26 Dec 2025 01:55:38 +0000
Message-ID: <678a9c63a185486d89efe46e66d71315@realtek.com>
In-Reply-To: <20251225115430.13011-1-alitariq45892@gmail.com>

Ali Tariq wrote:
> The driver does not set hw->sta_data_size, which causes mac80211 to
> allocate insufficient space for driver private station data in
> __sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of
> struct rtl8xxxu_sta_info through sta->drv_priv, this results in a
> slab-out-of-bounds write.
>
> KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter:
>
>   BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346
>   Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12
>
> Set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during
> probe, similar to how hw->vif_data_size is configured. This ensures
> mac80211 allocates sufficient space for the driver's per-station
> private data.
>
> Tested on StarFive VisionFive 2 v1.2A board.
>
> Fixes: eef55f1545c9 ("wifi: rtl8xxxu: support multiple interfaces in {add,remove}_interface()")
>
> Cc: stable@vger.kernel.org
>

No need empty lines after Fixes and Cc tags. I will remove them while getting
merged into rtw tree.

> Signed-off-by: Ali Tariq

Reviewed-by: Ping-Ke Shih

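A user-space model of the sizing contract described in the quoted patch description, added here as an illustration (it is not code from the patch, the driver or mac80211): the core appends `sta_data_size` bytes of private space to each station object and the driver casts `drv_priv` to its own struct. The `model_*` names, the `priv_len` bookkeeping field and the unset size being zero are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Core side of the model: the driver fills this in at probe time. */
struct model_hw {
    size_t sta_data_size;   /* bytes of per-station private space requested */
};

/* One station object with the driver-private area appended to it. */
struct model_sta {
    uint8_t addr[6];
    size_t priv_len;        /* model-only: how much private space was allocated */
    _Alignas(void *) unsigned char drv_priv[];
};

/* Hypothetical stand-in for the driver's struct rtl8xxxu_sta_info. */
struct model_sta_info {
    void *sta;
    void *vif;
    uint8_t macid;
};

/* The core allocates the station plus whatever the driver asked for. */
struct model_sta *model_sta_alloc(const struct model_hw *hw)
{
    struct model_sta *sta = calloc(1, sizeof(*sta) + hw->sta_data_size);

    if (sta)
        sta->priv_len = hw->sta_data_size;
    return sta;
}

/* Bytes by which a write covering the whole private struct would run past
 * the allocation for a given probe-time setting. */
size_t model_overrun(const struct model_hw *hw)
{
    size_t need = sizeof(struct model_sta_info);

    return need > hw->sta_data_size ? need - hw->sta_data_size : 0;
}

/* Checked accessor: refuses to hand out a pointer the allocation cannot back. */
struct model_sta_info *model_sta_priv(struct model_sta *sta)
{
    if (sta->priv_len < sizeof(struct model_sta_info))
        return NULL;
    return (struct model_sta_info *)sta->drv_priv;
}

/* Driver-side station add: writes its private data through drv_priv. */
int model_sta_add(struct model_sta *sta, uint8_t macid)
{
    struct model_sta_info *info = model_sta_priv(sta);

    if (!info)
        return -1;          /* an unchecked cast here would write out of bounds */
    info->sta = sta;
    info->macid = macid;
    return 0;
}

/* Probe with the given size, allocate one station, run the add callback. */
int model_probe_and_add(size_t sta_data_size)
{
    struct model_hw hw = { .sta_data_size = sta_data_size };
    struct model_sta *sta = model_sta_alloc(&hw);
    int ret;

    if (!sta)
        return -2;
    ret = model_sta_add(sta, 1);
    free(sta);
    return ret;
}

int main(void)
{
    struct model_hw unset = { 0 };

    printf("size unset: add=%d, unchecked write would overrun by %zu bytes\n",
           model_probe_and_add(0), model_overrun(&unset));
    printf("size set:   add=%d\n",
           model_probe_and_add(sizeof(struct model_sta_info)));
    return 0;
}
```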
From: Wentao Liang
To: vkoul@kernel.org, kishon@kernel.org, heiko@sntech.de
Cc: linux-phy@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-rockchip@lists.infradead.org, linux-kernel@vger.kernel.org, Wentao Liang, stable@vger.kernel.org
Subject: [PATCH] phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()
Date: Fri, 26 Dec 2025 04:17:11 +0000
Message-Id: <20251226041711.2369638-1-vulab@iscas.ac.cn>

The for_each_available_child_of_node() calls of_node_put() to
release child_np in each success loop. After breaking from the
loop with the child_np has been released, the code will jump to
the put_child label and will call the of_node_put() again if the
devm_request_threaded_irq() fails. These cause a double free bug.

Fix by using a separate label to avoid the duplicate of_node_put().

Fixes: ed2b5a8e6b98 ("phy: phy-rockchip-inno-usb2: support muxed interrupts")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang
--- drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c index b0f23690ec30..f754c3b1c357 100644 --- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c @@ -1491,7 +1491,7 @@ static int rockchip_usb2phy_probe(struct platform_device *pdev) rphy); if (ret) { dev_err_probe(rphy->dev, ret, "failed to request usb2phy irq handle\n"); - goto put_child; + goto ret_error; } }
@@ -1499,6 +1499,7 @@ static int rockchip_usb2phy_probe(struct platform_device *pdev) put_child: of_node_put(child_np); +ret_error: return ret; } -- 2.34.1
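
Review bot: the new `ret_error:` label in the second hunk does nothing but `return ret;`, so the failure branch after devm_request_threaded_irq() in the first hunk can return directly instead of jumping to it. Since that branch already calls dev_err_probe() with `ret`, which returns the error it is given, `return dev_err_probe(rphy->dev, ret, "failed to request usb2phy irq handle\n");` says the same thing in one statement and leaves `put_child:` untouched. Separately, the changelog speaks of breaking out of the loop with child_np already released, yet it places the failing devm_request_threaded_irq() after the loop; if the iterator ran to completion, child_np is NULL at that point and of_node_put(NULL) does nothing, so please name the path on which `put_child:` is reached with a non-NULL child_np whose reference was already dropped.
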
From: Li Chen
To: "Theodore Ts'o", Andreas Dilger, Jan Kara, linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, Li Chen
Subject: [PATCH] ext4: publish jinode after initialization
Date: Fri, 26 Dec 2025 13:02:20 +0800
Message-ID: <20251226050220.138194-1-me@linux.beauty>

ext4_inode_attach_jinode() publishes ei->jinode to concurrent users.
It assigned ei->jinode before calling jbd2_journal_init_jbd_inode().
This allows another thread to observe a non-NULL jinode with i_vfs_inode
still unset. The fast commit flush path can then pass this jinode to
jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and
may crash.

Below is the crash I observe:
```
BUG: unable to handle page fault for address: 000000010beb47f4
PGD 110e51067 P4D 110e51067 PUD 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014
RIP: 0010:xas_find_marked+0x3d/0x2e0
Code: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02
RSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246
RAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003
RDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10
RBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec
R10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000
R13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88
FS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0
PKRU: 55555554
Call Trace:
 filemap_get_folios_tag+0x87/0x2a0
 __filemap_fdatawait_range+0x5f/0xd0
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? __schedule+0x3e7/0x10c0
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? preempt_count_sub+0x5f/0x80
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? cap_safe_nice+0x37/0x70
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? preempt_count_sub+0x5f/0x80
 ? srso_alias_return_thunk+0x5/0xfbef5
 filemap_fdatawait_range_keep_errors+0x12/0x40
 ext4_fc_commit+0x697/0x8b0
 ? ext4_file_write_iter+0x64b/0x950
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? preempt_count_sub+0x5f/0x80
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? vfs_write+0x356/0x480
 ? srso_alias_return_thunk+0x5/0xfbef5
 ? preempt_count_sub+0x5f/0x80
 ext4_sync_file+0xf7/0x370
 do_fsync+0x3b/0x80
 ? syscall_trace_enter+0x108/0x1d0
 __x64_sys_fdatasync+0x16/0x20
 do_syscall_64+0x62/0x2c0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
 ...
```

To fix this issue, initialize the jbd2_inode first and only then publish
the pointer with smp_store_release(). Use smp_load_acquire() at the read
sites to pair with the release and ensure the initialized fields are visible.

On x86 (TSO), the crash should primarily be due to the logical early publish
window (another CPU can run between the store and initialization). x86 also
relies on compiler ordering; the acquire/release helpers include the necessary
compiler barriers while keeping the fast-path cheap.

On weakly-ordered architectures (e.g. arm64/ppc), plain "init; store ptr" is
not sufficient: without release/acquire, a reader may observe the pointer while
still missing prior initialization stores. The explicit pairing makes this
publish/consume relationship correct under LKMM.

Fixes: a361293f5fede ("jbd2: Fix oops in jbd2_journal_file_inode()")
Cc: stable@vger.kernel.org
Signed-off-by: Li Chen
--- fs/ext4/ext4_jbd2.h | 18 ++++++++++++++---- fs/ext4/fast_commit.c | 9 +++++++-- fs/ext4/inode.c | 15 +++++++++++---- fs/ext4/super.c | 10 +++++++--- 4 files changed, 39 insertions(+), 13 deletions(-) diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h index 63d17c5201b5..3bc79b894130 100644 --- a/fs/ext4/ext4_jbd2.h +++ b/fs/ext4/ext4_jbd2.h
@@ -336,18 +336,28 @@ static inline int ext4_journal_force_commit(journal_t *journal) static inline int ext4_jbd2_inode_add_write(handle_t *handle, struct inode *inode, loff_t start_byte, loff_t length) { - if (ext4_handle_valid(handle)) + if (ext4_handle_valid(handle)) { + struct jbd2_inode *jinode; + + /* Pairs with smp_store_release() in ext4_inode_attach_jinode(). */ + jinode = smp_load_acquire(&EXT4_I(inode)->jinode); return jbd2_journal_inode_ranged_write(handle, - EXT4_I(inode)->jinode, start_byte, length); + jinode, start_byte, length); + } return 0; } static inline int ext4_jbd2_inode_add_wait(handle_t *handle, struct inode *inode, loff_t start_byte, loff_t length) { - if (ext4_handle_valid(handle)) + if (ext4_handle_valid(handle)) { + struct jbd2_inode *jinode; + + /* Pairs with smp_store_release() in ext4_inode_attach_jinode(). */ + jinode = smp_load_acquire(&EXT4_I(inode)->jinode); return jbd2_journal_inode_ranged_wait(handle, - EXT4_I(inode)->jinode, start_byte, length); + jinode, start_byte, length); + } return 0; } diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c index a6e79b3f1b48..3f148c048a6f 100644 --- a/fs/ext4/fast_commit.c +++ b/fs/ext4/fast_commit.c 
@@ -1087,16 +1087,21 @@ static int ext4_fc_flush_data(journal_t *journal) struct super_block *sb = journal->j_private; struct ext4_sb_info *sbi = EXT4_SB(sb); struct ext4_inode_info *ei; + struct jbd2_inode *jinode; int ret = 0; list_for_each_entry(ei, &sbi->s_fc_q[FC_Q_MAIN], i_fc_list) { - ret = jbd2_submit_inode_data(journal, ei->jinode); + /* Pairs with smp_store_release() in ext4_inode_attach_jinode(). */ + jinode = smp_load_acquire(&ei->jinode); + ret = jbd2_submit_inode_data(journal, jinode); if (ret) return ret; } list_for_each_entry(ei, &sbi->s_fc_q[FC_Q_MAIN], i_fc_list) { - ret = jbd2_wait_inode_data(journal, ei->jinode); + /* Pairs with smp_store_release() in ext4_inode_attach_jinode(). */ + jinode = smp_load_acquire(&ei->jinode); + ret = jbd2_wait_inode_data(journal, jinode); if (ret) return ret; } diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 78ea864fa8cd..74b189c10f2b 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -126,6 +126,9 @@ void ext4_inode_csum_set(struct inode *inode, struct ext4_inode *raw, static inline int ext4_begin_ordered_truncate(struct inode *inode, loff_t new_size) { + /* Pairs with smp_store_release() in ext4_inode_attach_jinode(). */ + struct jbd2_inode *jinode = smp_load_acquire(&EXT4_I(inode)->jinode); + trace_ext4_begin_ordered_truncate(inode, new_size); /* * If jinode is zero, then we never opened the file for @@ -133,10 +136,10 @@ static inline int ext4_begin_ordered_truncate(struct inode *inode, * jbd2_journal_begin_ordered_truncate() since there's no * outstanding writes we need to flush. */ - if (!EXT4_I(inode)->jinode) + if (!jinode) return 0; return jbd2_journal_begin_ordered_truncate(EXT4_JOURNAL(inode), - EXT4_I(inode)->jinode, + jinode, new_size); } 
@@ -4497,8 +4500,12 @@ int ext4_inode_attach_jinode(struct inode *inode) spin_unlock(&inode->i_lock); return -ENOMEM; } - ei->jinode = jinode; - jbd2_journal_init_jbd_inode(ei->jinode, inode); + jbd2_journal_init_jbd_inode(jinode, inode); + /* + * Publish ->jinode only after it is fully initialized so that + * readers never observe a partially initialized jbd2_inode. + */ + smp_store_release(&ei->jinode, jinode); jinode = NULL; } spin_unlock(&inode->i_lock); diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 43f1ac6e8559..a3f015129c00 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c 
@@ -1513,16 +1513,20 @@ static void destroy_inodecache(void) void ext4_clear_inode(struct inode *inode) { + struct jbd2_inode *jinode; + ext4_fc_del(inode); invalidate_inode_buffers(inode); clear_inode(inode); ext4_discard_preallocations(inode); ext4_es_remove_extent(inode, 0, EXT_MAX_BLOCKS); dquot_drop(inode); - if (EXT4_I(inode)->jinode) { + /* Pairs with smp_store_release() in ext4_inode_attach_jinode(). */ + jinode = smp_load_acquire(&EXT4_I(inode)->jinode); + if (jinode) { jbd2_journal_release_jbd_inode(EXT4_JOURNAL(inode), - EXT4_I(inode)->jinode); - jbd2_free_inode(EXT4_I(inode)->jinode); + jinode); + jbd2_free_inode(jinode); EXT4_I(inode)->jinode = NULL; } fscrypt_put_encryption_info(inode); -- 2.52.0
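Review bot: the same three added lines (a local jinode, the "Pairs with" comment, and smp_load_acquire(&EXT4_I(inode)->jinode)) are open-coded in both helpers of the fs/ext4/ext4_jbd2.h hunk and repeated in fast_commit.c, inode.c and super.c. One inline accessor in ext4_jbd2.h that wraps the acquire load would keep the pairing comment in a single place and make a later plain read of ->jinode stand out in review.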
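Review bot: in the fs/ext4/fast_commit.c hunk, ext4_fc_flush_data() passes the loaded jinode straight to jbd2_submit_inode_data() and jbd2_wait_inode_data() with no NULL test, while the ext4_begin_ordered_truncate() hunk checks "if (!jinode)" before using it. The changelog should say whether an inode on s_fc_q[FC_Q_MAIN] can still have a NULL ->jinode at this point and, if it can, that both jbd2 helpers accept NULL.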
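Review bot: in the ext4_inode_attach_jinode() hunk of fs/ext4/inode.c, the comment above smp_store_release() explains the ordering but does not name its readers, while every read site carries "Pairs with smp_store_release() in ext4_inode_attach_jinode()". Add the matching "Pairs with smp_load_acquire() in ..." line on the store side so the pairing can be followed in both directions.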
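Review bot: in the ext4_clear_inode() hunk of fs/ext4/super.c, the field is now read with smp_load_acquire() but still cleared with the plain store "EXT4_I(inode)->jinode = NULL;" right after jbd2_free_inode(). If a lockless reader can still run against teardown, the clear needs at least WRITE_ONCE() and the free needs its own justification; if no reader can, a plain load is sufficient here and the pairing comment overstates what is required. Please state which case applies in the comment.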

From: Gourav Roy
To: axboe@kernel.dk
Cc: io-uring@vger.kernel.org, linux-kernel@vger.kernel.org, Gourav Roy
Subject: [PATCH] io-uring: fixed an int type code style issue
Date: Thu, 25 Dec 2025 21:16:16 -0800
Message-ID: <20251226051616.124925-1-gourav.bit@gmail.com>

Fixed a code style issue to prefer 'unsigned int' over bare use of 'unsigned'.

Signed-off-by: Gourav Roy --- io_uring/alloc_cache.c | 2 +- io_uring/alloc_cache.h | 2 +- io_uring/cancel.c | 2 +- io_uring/eventfd.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/io_uring/alloc_cache.c b/io_uring/alloc_cache.c index 58423888b736..9aee9f944d2c 100644 --- a/io_uring/alloc_cache.c +++ b/io_uring/alloc_cache.c @@ -19,7 +19,7 @@ void io_alloc_cache_free(struct io_alloc_cache *cache, /* returns false if the cache was initialized properly */ bool io_alloc_cache_init(struct io_alloc_cache *cache, - unsigned max_nr, unsigned int size, + unsigned int max_nr, unsigned int size, unsigned int init_bytes) { cache->entries = kvmalloc_array(max_nr, sizeof(void *), GFP_KERNEL); diff --git a/io_uring/alloc_cache.h b/io_uring/alloc_cache.h index d33ce159ef33..8f70af6eb341 100644 --- a/io_uring/alloc_cache.h +++ b/io_uring/alloc_cache.h @@ -11,7 +11,7 @@ void io_alloc_cache_free(struct io_alloc_cache *cache, void (*free)(const void *)); bool io_alloc_cache_init(struct io_alloc_cache *cache, - unsigned max_nr, unsigned int size, + unsigned int max_nr, unsigned int size, unsigned int init_bytes); void *io_cache_alloc_new(struct io_alloc_cache *cache, gfp_t gfp); diff --git a/io_uring/cancel.c b/io_uring/cancel.c index ca12ac10c0ae..a9a674581871 100644 --- a/io_uring/cancel.c +++ b/io_uring/cancel.c @@ -104,7 +104,7 @@ static int io_async_cancel_one(struct io_uring_task *tctx, } int io_try_cancel(struct io_uring_task *tctx, struct io_cancel_data *cd, - unsigned issue_flags) + unsigned int issue_flags) { struct io_ring_ctx *ctx = cd->ctx; int ret; diff --git a/io_uring/eventfd.c b/io_uring/eventfd.c index 78f8ab7db104..ecf899a9c697 100644 --- a/io_uring/eventfd.c +++ b/io_uring/eventfd.c 
@@ -15,7 +15,7 @@ struct io_ev_fd { struct eventfd_ctx *cq_ev_fd; unsigned int eventfd_async; /* protected by ->completion_lock */ - unsigned last_cq_tail; + unsigned int last_cq_tail; refcount_t refs; atomic_t ops; struct rcu_head rcu; -- 2.51.0
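Review bot: the subject prefix "io-uring:" does not match the directory the diff touches (io_uring/), and the changelog is written in the past tense ("Fixed ..."); use the "io_uring:" prefix and the imperative mood. Since "unsigned" and "unsigned int" are the same type, the changes to max_nr, issue_flags and last_cq_tail alter no behaviour, and the changelog should say "no functional change" so the patch is not mistaken for a fix.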

From: Xingjing Deng
Date: Fri, 26 Dec 2025 13:37:38 +0800
Subject: [BUG] net/sunrpc/auth_gss: Memory leak in gssx_dec_status/gssx_dec_buffer
To: stable@vger.kernel.org
Cc: linux-nfs@vger.kernel.org, regressions@lists.linux.dev

A potential memory leak exists in the gssx_dec_status function (in net/sunrpc/auth_gss/gss_rpc_xdr.c) and its dependent gssx_dec_buffer function. The leak occurs when gssx_dec_buffer allocates memory via kmemdup for gssx_buffer fields, but the allocated memory is not freed in error paths of the chained decoding process in gssx_dec_status.

The gssx_dec_buffer function allocates memory using kmemdup when buf->data is NULL (to store decoded XDR buffer data). This allocation is not paired with a release mechanism in case of subsequent decoding failures.

gssx_dec_status sequentially decodes multiple gssx_buffer fields (e.g., mech, major_status_string, minor_status_string, server_ctx) by calling gssx_dec_buffer. If a later decoding step fails (e.g., gssx_dec_buffer returns -ENOSPC or -ENOMEM), the function immediately returns the error without freeing the memory allocated for earlier gssx_buffer fields. This results in persistent kernel memory leaks.

This memory allocation is conditional. I traced upward through the callers gssx_dec_status and found that it is ultimately invoked by the interface gssx_dec_accept_sec_context. Although I have not identified the specific code execution path that triggers this memory leak, I believe this coding pattern is highly prone to causing confusion between callers and callees, which in turn leads to memory leaks.

Relevant code links:
https://github.com/torvalds/linux/blob/ccd1cdca5cd433c8a5dff78b69a79b31d9b77ee1/net/sunrpc/auth_gss/gss_rpc_xdr.c#L84-L92
https://github.com/torvalds/linux/blob/ccd1cdca5cd433c8a5dff78b69a79b31d9b77ee1/net/sunrpc/auth_gss/gss_rpc_xdr.c#L304-L347

I have searched Bugzilla, lore.kernel.org, and client.linux-nfs.org, but no related issues were found.
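
The pattern this report describes, a chained decoder whose per-field helper allocates on demand and whose caller returns on the first error, can be reproduced in user space. The C program below is an added example, not the kernel's gss_rpc_xdr.c and not code from the report: every model_* name, the simplified length-prefixed format (no XDR padding), malloc/free in place of kmemdup/kfree, and the input bytes are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space model of the reported pattern; every name here is hypothetical. */
struct model_buffer { uint32_t len; uint8_t *data; };
enum { MECH, MAJOR_STATUS_STRING, MINOR_STATUS_STRING, SERVER_CTX, NFIELDS };
struct model_status { struct model_buffer field[NFIELDS]; };
struct model_stream { const uint8_t *p, *end; };

static int live_allocs; /* decoder allocations not yet freed */

static void counted_free(void *ptr) { if (ptr) { free(ptr); live_allocs--; } }

/* Decode one length-prefixed buffer; allocate only when data == NULL on entry. */
static int model_dec_buffer(struct model_stream *s, struct model_buffer *buf)
{
    uint32_t length;
    if ((size_t)(s->end - s->p) < 4)
        return -ENOSPC;
    length = (uint32_t)s->p[0] << 24 | (uint32_t)s->p[1] << 16 |
             (uint32_t)s->p[2] << 8 | (uint32_t)s->p[3];
    s->p += 4;
    if ((size_t)(s->end - s->p) < length)
        return -ENOSPC;            /* declared length runs past the input */
    if (!buf->data) {
        buf->data = malloc(length ? length : 1);
        if (!buf->data)
            return -ENOMEM;
        live_allocs++;
    } else if (length > buf->len) {
        return -ENOSPC;            /* caller-supplied buffer is too small */
    }
    memcpy(buf->data, s->p, length);
    buf->len = length;
    s->p += length;
    return 0;
}

/* Pattern from the report: return on the first error, keep earlier allocations. */
static int model_dec_status_leaky(struct model_stream *s, struct model_status *st)
{
    for (int i = 0; i < NFIELDS; i++) {
        int err = model_dec_buffer(s, &st->field[i]);
        if (err)
            return err;            /* field[0..i-1] remain allocated */
    }
    return 0;
}

/* Same decode, but on error the callee frees exactly what it allocated. */
static int model_dec_status_unwind(struct model_stream *s, struct model_status *st)
{
    int ours[NFIELDS], err = 0;
    for (int i = 0; i < NFIELDS; i++)
        ours[i] = (st->field[i].data == NULL);
    for (int i = 0; i < NFIELDS && !err; i++)
        err = model_dec_buffer(s, &st->field[i]);
    for (int i = 0; err && i < NFIELDS; i++) {
        if (ours[i]) {
            counted_free(st->field[i].data);
            st->field[i].data = NULL;
            st->field[i].len = 0;
        }
    }
    return err;
}

/* Constructed input: two complete buffers, then one declaring 8 bytes with 1 present. */
static const uint8_t truncated[] = { 0,0,0,3,'a','b','c', 0,0,0,2,'o','k', 0,0,0,8,'x' };

/* Decode the truncated input; return the allocations outstanding when it fails. */
static int outstanding_after_failure(int unwind, int *err_out)
{
    struct model_stream s = { truncated, truncated + sizeof(truncated) };
    struct model_status st;
    int outstanding;
    memset(&st, 0, sizeof(st));
    live_allocs = 0;
    *err_out = unwind ? model_dec_status_unwind(&s, &st)
                      : model_dec_status_leaky(&s, &st);
    outstanding = live_allocs;
    for (int i = 0; i < NFIELDS; i++)  /* free leftovers so the demo is clean */
        counted_free(st.field[i].data);
    return outstanding;
}

int main(void)
{
    int err, n = outstanding_after_failure(0, &err);
    printf("early return: err=%d outstanding=%d\n", err, n);
    n = outstanding_after_failure(1, &err);
    printf("with unwind:  err=%d outstanding=%d\n", err, n);
    return 0;
}
```

In the early-return variant the two buffers decoded before the failure stay allocated, so every caller has to know to free them on error; the unwind variant records which fields were NULL on entry and releases only those.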

From: Adrian Yip
To: stable@vger.kernel.org
Cc: Adrian Yip, Pravin B Shelar, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-kernel-mentees@lists.linux.dev, skhan@linuxfoundation.org, david.hunter.linux@gmail.com, khalid@kernel.org
Subject: [PATCH 6.6.y 0/2] fix push_nsh() validation + silence selftest warnings
Date: Thu, 25 Dec 2025 23:56:03 -0600
Message-ID: <20251226055610.3120437-1-adrian.ytw@gmail.com>

Hi maintainers,

This is a v6.6 backport mainly for an upstream commit `5ace7ef87f05 net: openvswitch: fix middle attribute validation in push_nsh() action`.

I built the kernel then tested it with selftest. The selftest ran with a bunch of SyntaxWarnings. Example:

    /ovs-dpctl.py:598: SyntaxWarning: invalid escape sequence '\d'
      actstr, ":", "(\d+)", int, False
    /ovs-dpctl.py:601: SyntaxWarning: invalid escape sequence '\d'
      actstr, "-", "(\d+)", int, False
    /ovs-dpctl.py:505: SyntaxWarning: invalid escape sequence '\d'
      elif parse_starts_block(actstr, "^(\d+)", False, True):

This error was then easily fixed with another minimal backport for the file tools/testing/selftests/net/openvswitch/ovs-dpctl.py. Hence the series.

Both patches were applied cleanly and were tested with selftest and passed, though the timeout had to be increased for drop_reason to pass.

Adrian Moreno (1):
  selftests: openvswitch: Fix escape chars in regexp.

Ilya Maximets (1):
  net: openvswitch: fix middle attribute validation in push_nsh() action

 net/openvswitch/flow_netlink.c | 13 ++++++++++---
 .../selftests/net/openvswitch/ovs-dpctl.py | 16 ++++++++--------
 2 files changed, 18 insertions(+), 11 deletions(-)

--
2.52.0
From: Adrian Yip
To: stable@vger.kernel.org
Cc: Adrian Moreno, Pravin B Shelar, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-kernel-mentees@lists.linux.dev, skhan@linuxfoundation.org, david.hunter.linux@gmail.com, khalid@kernel.org, Aaron Conole, Adrian Yip
Subject: [PATCH 6.6.y 1/2] selftests: openvswitch: Fix escape chars in regexp.
Date: Thu, 25 Dec 2025 23:56:04 -0600
Message-ID: <20251226055610.3120437-2-adrian.ytw@gmail.com>
In-Reply-To: <20251226055610.3120437-1-adrian.ytw@gmail.com>
References: <20251226055610.3120437-1-adrian.ytw@gmail.com>

From: Adrian Moreno

[ Upstream commit 3fde60afe1f84746c1177861bd27b3ebb00cb8f5 ]

Character sequences starting with `\` are interpreted by python as
escaped Unicode characters. However, they have other meaning in
regular expressions (e.g: "\d").

It seems Python >= 3.12 starts emitting a SyntaxWarning when these
escaped sequences are not recognized as valid Unicode characters.

An example of these warnings:

tools/testing/selftests/net/openvswitch/ovs-dpctl.py:505: SyntaxWarning: invalid escape sequence '\d'

Fix all the warnings by flagging literals as raw strings.

Signed-off-by: Adrian Moreno
Reviewed-by: Aaron Conole
Link: https://lore.kernel.org/r/20240416090913.2028475-1-amorenoz@redhat.com
Signed-off-by: Jakub Kicinski
(cherry picked from commit 3fde60afe1f84746c1177861bd27b3ebb00cb8f5)
Signed-off-by: Adrian Yip
---
 .../selftests/net/openvswitch/ovs-dpctl.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/tools/testing/selftests/net/openvswitch/ovs-dpctl.py b/tools/testing/selftests/net/openvswitch/ovs-dpctl.py index 8b120718768e..9f8dec2f6539 100644 --- a/tools/testing/selftests/net/openvswitch/ovs-dpctl.py +++ b/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
@@ -489,7 +489,7 @@ class ovsactions(nla): actstr, reason = parse_extract_field( actstr, "drop(", - "([0-9]+)", + r"([0-9]+)", lambda x: int(x, 0), False, None, @@ -502,9 +502,9 @@ class ovsactions(nla): actstr = actstr[len("drop"): ] return (totallen - len(actstr)) - elif parse_starts_block(actstr, "^(\d+)", False, True): + elif parse_starts_block(actstr, r"^(\d+)", False, True): actstr, output = parse_extract_field( - actstr, None, "(\d+)", lambda x: int(x), False, "0" + actstr, None, r"(\d+)", lambda x: int(x), False, "0" ) self["attrs"].append(["OVS_ACTION_ATTR_OUTPUT", output]) parsed = True @@ -512,7 +512,7 @@ class ovsactions(nla): actstr, recircid = parse_extract_field( actstr, "recirc(", - "([0-9a-fA-Fx]+)", + r"([0-9a-fA-Fx]+)", lambda x: int(x, 0), False, 0, 
@@ -588,17 +588,17 @@ class ovsactions(nla): actstr = actstr[3:] actstr, ip_block_min = parse_extract_field( - actstr, "=", "([0-9a-fA-F\.]+)", str, False + actstr, "=", r"([0-9a-fA-F\.]+)", str, False ) actstr, ip_block_max = parse_extract_field( - actstr, "-", "([0-9a-fA-F\.]+)", str, False + actstr, "-", r"([0-9a-fA-F\.]+)", str, False ) actstr, proto_min = parse_extract_field( - actstr, ":", "(\d+)", int, False + actstr, ":", r"(\d+)", int, False ) actstr, proto_max = parse_extract_field( - actstr, "-", "(\d+)", int, False + actstr, "-", r"(\d+)", int, False ) if t is not None: -- 2.52.0
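
Review bot: in the @@ -588 hunk the backslash in `[0-9a-fA-F\.]+` is redundant, because `.` is already literal inside a character class, so `r"([0-9a-fA-F.]+)"` would match the same strings. The `r` prefix added to `"([0-9]+)"` and `"([0-9a-fA-Fx]+)"` in the @@ -489 and @@ -512 hunks has no effect either, since those literals contain no backslash; it is there for consistency only. Neither point changes behaviour, and for a 6.6.y backport it is reasonable to keep the hunks identical to upstream commit 3fde60afe1f84746c1177861bd27b3ebb00cb8f5 and tidy the patterns upstream first.
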
From: Adrian Yip
To: stable@vger.kernel.org
Cc: Ilya Maximets, Pravin B Shelar, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-kernel-mentees@lists.linux.dev, skhan@linuxfoundation.org, david.hunter.linux@gmail.com, khalid@kernel.org, Junvy Yang, Eelco Chaudron, Aaron Conole, Adrian Yip
Subject: [PATCH 6.6.y 2/2] net: openvswitch: fix middle attribute validation in push_nsh() action
Date: Thu, 25 Dec 2025 23:56:05 -0600
Message-ID: <20251226055610.3120437-3-adrian.ytw@gmail.com>
In-Reply-To: <20251226055610.3120437-1-adrian.ytw@gmail.com>
References: <20251226055610.3120437-1-adrian.ytw@gmail.com>

From: Ilya Maximets

[ Upstream commit 5ace7ef87f059d68b5f50837ef3e8a1a4870c36e ]

The push_nsh() action structure looks like this:

  OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))

The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the
nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost
OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested()
inside nsh_key_put_from_nlattr(). But nothing checks if the attribute
in the middle is OK. We don't even check that this attribute is the
OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()
calls - first time directly while calling validate_push_nsh() and the
second time as part of the nla_for_each_nested() macro, which isn't
safe, potentially causing invalid memory access if the size of this
attribute is incorrect. The failure may not be noticed during
validation due to larger netlink buffer, but cause trouble later during
action execution where the buffer is allocated exactly to the size:

 BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
 Read of size 184 at addr ffff88816459a634 by task a.out/22624

 CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)
 Call Trace:
  dump_stack_lvl+0x51/0x70
  print_address_description.constprop.0+0x2c/0x390
  kasan_report+0xdd/0x110
  kasan_check_range+0x35/0x1b0
  __asan_memcpy+0x20/0x60
  nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
  push_nsh+0x82/0x120 [openvswitch]
  do_execute_actions+0x1405/0x2840 [openvswitch]
  ovs_execute_actions+0xd5/0x3b0 [openvswitch]
  ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]
  genl_family_rcv_msg_doit+0x1d6/0x2b0
  genl_family_rcv_msg+0x336/0x580
  genl_rcv_msg+0x9f/0x130
  netlink_rcv_skb+0x11f/0x370
  genl_rcv+0x24/0x40
  netlink_unicast+0x73e/0xaa0
  netlink_sendmsg+0x744/0xbf0
  __sys_sendto+0x3d6/0x450
  do_syscall_64+0x79/0x2c0
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

Let's add some checks that the attribute is properly sized and it's
the only one attribute inside the action. Technically, there is no
real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're
pushing an NSH header already, it just creates extra nesting, but
that's how uAPI works today. So, keeping as it is.

Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
Reported-by: Junvy Yang
Signed-off-by: Ilya Maximets
Acked-by: Eelco Chaudron
Reviewed-by: Aaron Conole
Link: https://patch.msgid.link/20251204105334.900379-1-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski
(cherry picked from commit 5ace7ef87f059d68b5f50837ef3e8a1a4870c36e)
Signed-off-by: Adrian Yip
---
 net/openvswitch/flow_netlink.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c index 836e8e705d40..1d9a44d6216a 100644 --- a/net/openvswitch/flow_netlink.c +++ b/net/openvswitch/flow_netlink.c @@ -2788,13 +2788,20 @@ static int validate_and_copy_set_tun(const struct nlattr *attr, return err; } -static bool validate_push_nsh(const struct nlattr *attr, bool log) +static bool validate_push_nsh(const struct nlattr *a, bool log) { + struct nlattr *nsh_key = nla_data(a); struct sw_flow_match match; struct sw_flow_key key; + /* There must be one and only one NSH header. */ + if (!nla_ok(nsh_key, nla_len(a)) || + nla_total_size(nla_len(nsh_key)) != nla_len(a) || + nla_type(nsh_key) != OVS_KEY_ATTR_NSH) + return false; + ovs_match_init(&match, &key, true, NULL); - return !nsh_key_put_from_nlattr(attr, &match, false, true, log); + return !nsh_key_put_from_nlattr(nsh_key, &match, false, true, log); } /* Return false if there are any non-masked bits set.
@@ -3351,7 +3358,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, return -EINVAL; } mac_proto = MAC_PROTO_NONE; - if (!validate_push_nsh(nla_data(a), log)) + if (!validate_push_nsh(a, log)) return -EINVAL; break; -- 2.52.0
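
Review bot: the new early `return false;` in validate_push_nsh() (@@ -2788 hunk) rejects the action silently even when `log` is true, so the caller in the @@ -3351 hunk returns a bare -EINVAL with no hint whether the middle attribute was missized, not alone, or not OVS_KEY_ATTR_NSH; consider emitting a message under `log` before returning. Separately, `struct nlattr *nsh_key = nla_data(a);` drops the const that `a` carries, and nsh_key is only read here (it goes to nla_ok(), nla_len(), nla_type() and to nsh_key_put_from_nlattr(), which previously received the const `attr`), so `const struct nlattr *nsh_key` would keep the qualifier. For the 6.6.y backport itself the hunks should stay identical to upstream commit 5ace7ef87f059d68b5f50837ef3e8a1a4870c36e.
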
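
The three-part check described in the push_nsh() commit message above, modelled in userspace C as an added example; it is not the kernel's code and not part of the patch. The `ex_`/`EX_` names, the numeric attribute type values and the sample buffers are constructed for illustration, and the model ignores the flag bits that the kernel's nla_type() masks off.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of a netlink attribute header (4 bytes: length, type).
 * All ex_/EX_ names and the numeric type values are placeholders for this
 * example; they are not the kernel's helpers or the OVS uAPI constants. */
struct ex_hdr { uint16_t len; uint16_t type; };

#define EX_HDRLEN          4
#define EX_ALIGN(n)        (((n) + 3) & ~3)
#define EX_ACTION_PUSH_NSH 1   /* placeholder for OVS_ACTION_ATTR_PUSH_NSH */
#define EX_KEY_ATTR_NSH    2   /* placeholder for OVS_KEY_ATTR_NSH */

enum ex_verdict {
    EX_OK,
    EX_OUTER_BAD,        /* outer action attribute does not fit the buffer */
    EX_MIDDLE_BAD_SIZE,  /* middle header missing or longer than outer payload */
    EX_MIDDLE_NOT_ALONE, /* outer payload is not exactly one padded attribute */
    EX_MIDDLE_BAD_TYPE   /* middle attribute is not the NSH key */
};

/* Equivalent of nla_ok(): the header fits in `remaining`, and the length it
 * claims is at least a header and at most `remaining`. */
static bool ex_attr_ok(const uint8_t *p, int remaining, struct ex_hdr *out)
{
    if (remaining < EX_HDRLEN)
        return false;
    memcpy(out, p, sizeof(*out));
    return out->len >= EX_HDRLEN && out->len <= remaining;
}

/* Validate outer(PUSH_NSH){ middle(NSH){ ... } }: the outer attribute is
 * checked against the buffer, the middle one against the outer payload, and
 * the middle attribute must be the only one inside the action. */
static enum ex_verdict ex_validate_push_nsh(const uint8_t *buf, int buflen)
{
    struct ex_hdr outer, mid;
    int outer_payload;

    if (!ex_attr_ok(buf, buflen, &outer) || outer.type != EX_ACTION_PUSH_NSH)
        return EX_OUTER_BAD;
    outer_payload = outer.len - EX_HDRLEN;            /* nla_len(a) */

    if (!ex_attr_ok(buf + EX_HDRLEN, outer_payload, &mid))
        return EX_MIDDLE_BAD_SIZE;
    /* nla_total_size(nla_len(nsh_key)) != nla_len(a) */
    if (EX_ALIGN(mid.len) != outer_payload)
        return EX_MIDDLE_NOT_ALONE;
    if (mid.type != EX_KEY_ATTR_NSH)
        return EX_MIDDLE_BAD_TYPE;
    return EX_OK;
}

/* Build a constructed sample action in a zeroed 64-byte buffer with the given
 * outer length, middle length and middle type, then validate it. */
static enum ex_verdict ex_check(uint16_t outer_len, uint16_t mid_len,
                                uint16_t mid_type)
{
    uint8_t buf[64] = {0};
    struct ex_hdr outer = { outer_len, EX_ACTION_PUSH_NSH };
    struct ex_hdr mid = { mid_len, mid_type };

    memcpy(buf, &outer, sizeof(outer));
    memcpy(buf + EX_HDRLEN, &mid, sizeof(mid));
    return ex_validate_push_nsh(buf, (int)sizeof(buf));
}

int main(void)
{
    static const struct { const char *what; uint16_t o, m, t; } cases[] = {
        { "well-formed",                  16, 12, EX_KEY_ATTR_NSH },
        { "well-formed, 2 bytes padding", 16, 10, EX_KEY_ATTR_NSH },
        { "middle longer than outer",     16, 64, EX_KEY_ATTR_NSH },
        { "outer too short for a header",  6, 12, EX_KEY_ATTR_NSH },
        { "second attribute after NSH",   28, 12, EX_KEY_ATTR_NSH },
        { "middle is another key type",   16, 12, EX_KEY_ATTR_NSH + 1 },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-30s -> verdict %d\n", cases[i].what,
               (int)ex_check(cases[i].o, cases[i].m, cases[i].t));
    return 0;
}
```

The padded case passes because the size comparison is made on the aligned length, which is what the patch's nla_total_size() term does.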
From: Abdun Nihaal
To: linusw@kernel.org
Cc: Abdun Nihaal, brgl@kernel.org, linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v2] gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths
Date: Fri, 26 Dec 2025 11:34:10 +0530
Message-ID: <20251226060414.20785-1-nihaal@cse.iitm.ac.in>

The reference obtained by calling usb_get_dev() is not released in the
gpio_mpsse_probe() error paths. Fix that by using device managed helper
functions. Also remove the usb_put_dev() call in the disconnect function
since now it will be released automatically.

Cc: stable@vger.kernel.org
Fixes: c46a74ff05c0 ("gpio: add support for FTDI's MPSSE as GPIO")
Signed-off-by: Abdun Nihaal
---
Compile tested only. Not tested on real hardware.

v1->v2:
- Switched to use devm_add_action_or_reset() to avoid unnecessary gotos,
  as suggested by Bartosz Golaszewski.

Link to v1: https://lore.kernel.org/all/20251223065306.131008-1-nihaal@cse.iitm.ac.in/

 drivers/gpio/gpio-mpsse.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/gpio/gpio-mpsse.c b/drivers/gpio/gpio-mpsse.c index ace652ba4df1..12191aeb6566 100644 --- a/drivers/gpio/gpio-mpsse.c +++ b/drivers/gpio/gpio-mpsse.c @@ -548,6 +548,13 @@ static void gpio_mpsse_ida_remove(void *data) ida_free(&gpio_mpsse_ida, priv->id); } +static void gpio_mpsse_usb_put_dev(void *data) +{ + struct mpsse_priv *priv = data; + + usb_put_dev(priv->udev); +} + static int mpsse_init_valid_mask(struct gpio_chip *chip, unsigned long *valid_mask, unsigned int ngpios) @@ -592,6 +599,10 @@ static int gpio_mpsse_probe(struct usb_interface *interface, INIT_LIST_HEAD(&priv->workers); priv->udev = usb_get_dev(interface_to_usbdev(interface)); + err = devm_add_action_or_reset(dev, gpio_mpsse_usb_put_dev, priv); + if (err) + return err; + priv->intf = interface; priv->intf_id = interface->cur_altsetting->desc.bInterfaceNumber;
@@ -713,7 +724,6 @@ static void gpio_mpsse_disconnect(struct usb_interface *intf) priv->intf = NULL; usb_set_intfdata(intf, NULL); - usb_put_dev(priv->udev); } static struct usb_driver gpio_mpsse_driver = { -- 2.43.0
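
Review bot: in the @@ -592 hunk the release action is registered against `dev` and gpio_mpsse_usb_put_dev() reads `priv->udev` when devres runs it, so the fix is only correct if `priv` outlives that action; neither the allocation of `priv` nor the definition of `dev` is visible in the hunk, and a sentence in the commit message confirming both would help. The @@ -713 hunk also changes ordering: usb_put_dev() used to run inside gpio_mpsse_disconnect() and now runs later, at devres release, after `priv->intf` has been cleared and the interface data reset, which deserves a mention. Given the "Compile tested only" note, a bind/unbind cycle and a forced probe failure on real hardware would be worth having before this reaches stable.
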
Date: Fri, 26 Dec 2025 14:51:37 +0800
From: Yao Yuan
To: Paolo Bonzini
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, seanjc@google.com, x86@kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH 1/5] x86, fpu: introduce fpu_load_guest_fpstate()
In-Reply-To: <20251224001249.1041934-2-pbonzini@redhat.com>

On Wed, Dec 24, 2025 at 01:12:45AM +0800, Paolo Bonzini wrote:
> Create a variant of fpregs_lock_and_load() that KVM can use in its
> vCPU entry code after preemption has been disabled. While basing
> it on the existing logic in vcpu_enter_guest(), ensure that
> fpregs_assert_state_consistent() always runs and sprinkle a few
> more assertions.
>
> Cc: stable@vger.kernel.org
> Fixes: 820a6ee944e7 ("kvm: x86: Add emulation for IA32_XFD", 2022-01-14)
> Signed-off-by: Paolo Bonzini
> ---
> arch/x86/include/asm/fpu/api.h | 1 +
> arch/x86/kernel/fpu/core.c | 17 +++++++++++++++++
> arch/x86/kvm/x86.c | 8 +-------
> 3 files changed, 19 insertions(+), 7 deletions(-)
>
> diff --git a/arch/x86/include/asm/fpu/api.h b/arch/x86/include/asm/fpu/api.h > index cd6f194a912b..0820b2621416 100644 > --- a/arch/x86/include/asm/fpu/api.h > +++ b/arch/x86/include/asm/fpu/api.h > @@ -147,6 +147,7 @@ extern void *get_xsave_addr(struct xregs_state *xsave, int xfeature_nr); > /* KVM specific functions */ > extern bool fpu_alloc_guest_fpstate(struct fpu_guest *gfpu); > extern void fpu_free_guest_fpstate(struct fpu_guest *gfpu); > +extern void fpu_load_guest_fpstate(struct fpu_guest *gfpu); > extern int fpu_swap_kvm_fpstate(struct fpu_guest *gfpu, bool enter_guest); > extern int fpu_enable_guest_xfd_features(struct fpu_guest *guest_fpu, u64 xfeatures); > > diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c > index 3ab27fb86618..a480fa8c65d5 100644 > --- a/arch/x86/kernel/fpu/core.c
> +++ b/arch/x86/kernel/fpu/core.c > @@ -878,6 +878,23 @@ void fpregs_lock_and_load(void) > fpregs_assert_state_consistent(); > } > > +void fpu_load_guest_fpstate(struct fpu_guest *gfpu) > +{ > +#ifdef CONFIG_X86_DEBUG_FPU > + struct fpu *fpu = x86_task_fpu(current); > + WARN_ON_ONCE(gfpu->fpstate != fpu->fpstate); > +#endif > + > + lockdep_assert_preemption_disabled();

Hi Paolo,

Do we need to make sure the irq is disabled w/ lockdep?

The irq_fpu_usable() returns true for:

!in_nmi () && in_hardirq() and !softirq_count()

It's possible that the TIF_NEED_FPU_LOAD is set again w/ interrupts enabled.

> + if (test_thread_flag(TIF_NEED_FPU_LOAD)) > + fpregs_restore_userregs(); > + > + fpregs_assert_state_consistent(); > + if (gfpu->xfd_err) > + wrmsrq(MSR_IA32_XFD_ERR, gfpu->xfd_err); > +} > +EXPORT_SYMBOL_FOR_KVM(fpu_load_guest_fpstate); > + > #ifdef CONFIG_X86_DEBUG_FPU > /* > * If current FPU state according to its tracking (loaded FPU context on this > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > index ff8812f3a129..01d95192dfc5 100644 > --- a/arch/x86/kvm/x86.c > +++ b/arch/x86/kvm/x86.c
> @@ -11300,13 +11300,7 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu) > kvm_make_request(KVM_REQ_EVENT, vcpu); > } > > - fpregs_assert_state_consistent(); > - if (test_thread_flag(TIF_NEED_FPU_LOAD)) > - switch_fpu_return(); > - > - if (vcpu->arch.guest_fpu.xfd_err) > - wrmsrq(MSR_IA32_XFD_ERR, vcpu->arch.guest_fpu.xfd_err); > - > + fpu_load_guest_fpstate(&vcpu->arch.guest_fpu); > kvm_load_xfeatures(vcpu, true); > > if (unlikely(vcpu->arch.switch_db_regs && > -- > 2.52.0 >
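
Review bot: fpu_load_guest_fpstate() in arch/x86/kernel/fpu/core.c is exported to KVM without a comment stating its calling context. The only requirement the code records is lockdep_assert_preemption_disabled(). A short comment above the function saying whether callers must also have interrupts disabled, with a matching lockdep assertion if they must, would answer the question raised in the reply before it reaches a backporter.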
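
Review bot: the lines removed from vcpu_enter_guest() call switch_fpu_return(), while the helper that replaces them calls fpregs_restore_userregs() and runs fpregs_assert_state_consistent() after the reload instead of before the TIF_NEED_FPU_LOAD test. The commit message describes the helper as based on the existing logic and mentions neither difference. One sentence on why the two calls are interchangeable here and why the assertion moved would help, given the Cc to stable.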

Date: Fri, 26 Dec 2025 07:41:03 +0000
Message-ID: <20251226074106.3751725-1-lucaswei@google.com>
Subject: [PATCH] arm64: errata: Workaround for SI L1 downstream coherency issue
From: Lucas Wei
To: Catalin Marinas, Will Deacon, Jonathan Corbet
Cc: sjadavani@google.com, Lucas Wei, stable@vger.kernel.org, kernel-team@android.com, linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org

When software issues a Cache Maintenance Operation (CMO) targeting a
dirty cache line, the CPU and DSU cluster may optimize the operation by
combining the CopyBack Write and CMO into a single combined CopyBack
Write plus CMO transaction presented to the interconnect (MCN).

For these combined transactions, the MCN splits the operation into two
separate transactions, one Write and one CMO, and then propagates the
write and optionally the CMO to the downstream memory system or external
Point of Serialization (PoS).

However, the MCN may return an early CompCMO response to the DSU cluster
before the corresponding Write and CMO transactions have completed at
the external PoS or downstream memory. As a result, stale data may be
observed by external observers that are directly connected to the
external PoS or downstream memory.

This erratum affects any system topology in which the following
conditions apply:
- The Point of Serialization (PoS) is located downstream of the
  interconnect.
- A downstream observer accesses memory directly, bypassing the
  interconnect.

Conditions:
This erratum occurs only when all of the following conditions are met:
1. Software executes a data cache maintenance operation, specifically,
   a clean or invalidate by virtual address (DC CVAC, DC CIVAC, or DC
   IVAC), that hits on unique dirty data in the CPU or DSU cache. This
   results in a combined CopyBack and CMO being issued to the
   interconnect.
2. The interconnect splits the combined transaction into separate Write
   and CMO transactions and returns an early completion response to the
   CPU or DSU before the write has completed at the downstream memory
   or PoS.
3. A downstream observer accesses the affected memory address after the
   early completion response is issued but before the actual memory
   write has completed. This allows the observer to read stale data
   that has not yet been updated at the PoS or downstream memory.

The implementation of the workaround puts a second loop of CMOs at the
same virtual address whose operation meets the erratum conditions to
wait until cache data is cleaned to PoC. This way of implementation
mitigates the performance penalty compared to purely duplicating the
original CMO.

Cc: stable@vger.kernel.org # 6.12.x
Signed-off-by: Lucas Wei
---
Documentation/arch/arm64/silicon-errata.rst | 3 ++
arch/arm64/Kconfig | 19 +++++++++++++
arch/arm64/include/asm/assembler.h | 10 +++++++
arch/arm64/kernel/cpu_errata.c | 31 +++++++++++++++++++++
arch/arm64/mm/cache.S | 13 ++++++++-
arch/arm64/tools/cpucaps | 1 +
6 files changed, 76 insertions(+), 1 deletion(-)

diff --git a/Documentation/arch/arm64/silicon-errata.rst b/Documentation/arch/arm64/silicon-errata.rst index a7ec57060f64..98efdf528719 100644 --- a/Documentation/arch/arm64/silicon-errata.rst +++ b/Documentation/arch/arm64/silicon-errata.rst
@@ -213,6 +213,9 @@ stable kernels. | ARM | GIC-700 | #2941627 | ARM64_ERRATUM_2941627 | +----------------+-----------------+-----------------+-----------------------------+ +----------------+-----------------+-----------------+-----------------------------+ +| ARM | SI L1 | #4311569 | ARM64_ERRATUM_4311569 | ++----------------+-----------------+-----------------+-----------------------------+ ++----------------+-----------------+-----------------+-----------------------------+ | Broadcom | Brahma-B53 | N/A | ARM64_ERRATUM_845719 | +----------------+-----------------+-----------------+-----------------------------+ | Broadcom | Brahma-B53 | N/A | ARM64_ERRATUM_843419 | diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 93173f0a09c7..89326bb26f48 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -1155,6 +1155,25 @@ config ARM64_ERRATUM_3194386 If unsure, say Y. +config ARM64_ERRATUM_4311569 + bool "SI L1: 4311569: workaround for premature CMO completion erratum" + default y + help + This option adds the workaround for ARM SI L1 erratum 4311569. + + The erratum of SI L1 can cause an early response to a combined write + and cache maintenance operation (WR+CMO) before the operation is fully + completed to the Point of Serialization (POS). + This can result in a non-I/O coherent agent observing stale data, + potentially leading to system instability or incorrect behavior. + + Enabling this option implements a software workaround by inserting a + second loop of Cache Maintenance Operation (CMO) immediately following the + end of function to do CMOs. This ensures that the data is correctly serialized + before the buffer is handed off to a non-coherent agent. + + If unsure, say Y. + config CAVIUM_ERRATUM_22375 bool "Cavium erratum 22375, 24313" default y diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h index f0ca7196f6fa..d3d46e5f7188 100644 --- a/arch/arm64/include/asm/assembler.h 
+++ b/arch/arm64/include/asm/assembler.h @@ -381,6 +381,9 @@ alternative_endif .macro dcache_by_myline_op op, domain, start, end, linesz, tmp, fixup sub \tmp, \linesz, #1 bic \start, \start, \tmp +alternative_if ARM64_WORKAROUND_4311569 + mov \tmp, \start +alternative_else_nop_endif .Ldcache_op\@: .ifc \op, cvau __dcache_op_workaround_clean_cache \op, \start @@ -402,6 +405,13 @@ alternative_endif add \start, \start, \linesz cmp \start, \end b.lo .Ldcache_op\@ +alternative_if ARM64_WORKAROUND_4311569 + .ifnc \op, cvau + mov \start, \tmp + mov \tmp, xzr + cbnz \start, .Ldcache_op\@ + .endif +alternative_else_nop_endif dsb \domain _cond_uaccess_extable .Ldcache_op\@, \fixup diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c index 8cb3b575a031..c69678c512f1 100644 --- a/arch/arm64/kernel/cpu_errata.c +++ b/arch/arm64/kernel/cpu_errata.c 
@@ -141,6 +141,30 @@ has_mismatched_cache_type(const struct arm64_cpu_capabilities *entry, return (ctr_real != sys) && (ctr_raw != sys); } +#ifdef CONFIG_ARM64_ERRATUM_4311569 +DEFINE_STATIC_KEY_FALSE(arm_si_l1_workaround_4311569); +static int __init early_arm_si_l1_workaround_4311569_cfg(char *arg) +{ + static_branch_enable(&arm_si_l1_workaround_4311569); + pr_info("Enabling cache maintenance workaround for ARM SI-L1 erratum 4311569\n"); + + return 0; +} +early_param("arm_si_l1_workaround_4311569", early_arm_si_l1_workaround_4311569_cfg); + +/* + * We have some earlier use cases to call cache maintenance operation functions, for example, + * dcache_inval_poc() and dcache_clean_poc() in head.S, before making decision to turn on this + * workaround. Since the scope of this workaround is limited to non-coherent DMA agents, its + * safe to have the workaround off by default. + */ +static bool +need_arm_si_l1_workaround_4311569(const struct arm64_cpu_capabilities *entry, int scope) +{ + return static_branch_unlikely(&arm_si_l1_workaround_4311569); +} +#endif + static void cpu_enable_trap_ctr_access(const struct arm64_cpu_capabilities *cap) { @@ -870,6 +894,13 @@ const struct arm64_cpu_capabilities arm64_errata[] = { ERRATA_MIDR_RANGE_LIST(erratum_spec_ssbs_list), }, #endif +#ifdef CONFIG_ARM64_ERRATUM_4311569 + { + .capability = ARM64_WORKAROUND_4311569, + .type = ARM64_CPUCAP_SYSTEM_FEATURE, + .matches = need_arm_si_l1_workaround_4311569, + }, +#endif #ifdef CONFIG_ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD { .desc = "ARM errata 2966298, 3117295", diff --git a/arch/arm64/mm/cache.S b/arch/arm64/mm/cache.S index 503567c864fd..ddf0097624ed 100644 --- a/arch/arm64/mm/cache.S +++ b/arch/arm64/mm/cache.S 
@@ -143,9 +143,14 @@ SYM_FUNC_END(dcache_clean_pou) * - end - kernel end address of region */ SYM_FUNC_START(__pi_dcache_inval_poc) +alternative_if ARM64_WORKAROUND_4311569 + mov x4, x0 + mov x5, x1 + mov x6, #1 +alternative_else_nop_endif dcache_line_size x2, x3 sub x3, x2, #1 - tst x1, x3 // end cache line aligned? +again: tst x1, x3 // end cache line aligned? bic x1, x1, x3 b.eq 1f dc civac, x1 // clean & invalidate D / U line @@ -158,6 +163,12 @@ SYM_FUNC_START(__pi_dcache_inval_poc) 3: add x0, x0, x2 cmp x0, x1 b.lo 2b +alternative_if ARM64_WORKAROUND_4311569 + mov x0, x4 + mov x1, x5 + sub x6, x6, #1 + cbz x6, again +alternative_else_nop_endif dsb sy ret SYM_FUNC_END(__pi_dcache_inval_poc) diff --git a/arch/arm64/tools/cpucaps b/arch/arm64/tools/cpucaps index 0fac75f01534..856b6cf6e71e 100644 --- a/arch/arm64/tools/cpucaps +++ b/arch/arm64/tools/cpucaps 
@@ -103,6 +103,7 @@ WORKAROUND_2077057 WORKAROUND_2457168 WORKAROUND_2645198 WORKAROUND_2658417 +WORKAROUND_4311569 WORKAROUND_AMPERE_AC03_CPU_38 WORKAROUND_AMPERE_AC04_CPU_23 WORKAROUND_TRBE_OVERWRITE_FILL_MODE -- 2.52.0.358.g0dd7633a29-goog
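
Review bot: in the silicon-errata.rst hunk the new SI L1 row is added after the pair of separator lines that follows the GIC-700 entry and brings its own pair of separators, so it sits apart from the other ARM rows as a block of its own. Placing the row directly under GIC-700, ahead of the existing double separator, keeps it with the ARM entries and needs one added separator line instead of two.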
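
Review bot: the Kconfig help for ARM64_ERRATUM_4311569 says that enabling the option implements the workaround, but the cpu_errata.c part of this patch only turns it on when arm_si_l1_workaround_4311569 is given on the kernel command line. With "default y", a reader of the help text will assume an affected system is covered by the config option alone. The help should name the boot parameter and say the workaround stays off without it. The text also writes POS where the commit message uses PoS.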
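
Review bot: the second alternative block in dcache_by_myline_op (assembler.h, after "b.lo .Ldcache_op\@") repeats the loop by restoring \start from \tmp, zeroing \tmp and branching on "cbnz \start", and it carries no comment. The second pass ends only because \tmp was cleared on the first, the scheme assumes the aligned start address is never zero, and \start is left at zero on exit rather than at \end. A comment describing the two-pass scheme and its effect on \start and \tmp is needed, and the commit message should say why cvau is excluded by the .ifnc.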
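
Review bot: early_arm_si_l1_workaround_4311569_cfg() in cpu_errata.c never looks at arg, so arm_si_l1_workaround_4311569=0 on the command line enables the workaround just as the bare parameter does. Either parse the value (kstrtobool() is the usual choice) or document that the parameter takes no value. The diffstat shows no kernel-parameters.txt entry for the new parameter, and the capability entry added in the second hunk has no .desc, unlike the neighbouring "ARM errata 2966298, 3117295" entry. In the comment above need_arm_si_l1_workaround_4311569(), "its safe" should read "it's safe".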
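
Review bot: __pi_dcache_inval_poc in cache.S now uses x4, x5 and x6 as extra scratch registers when the alternative is applied, and nothing in the hunk updates the function's register contract. The comment added in cpu_errata.c mentions callers in head.S; those and other assembly callers need checking for live values in x4-x6. The named label "again" also departs from the numeric local labels (1:, 2:, 3:) used in the rest of the function, and the x6 countdown (set to 1, decremented, "cbz x6, again") deserves a comment saying it produces exactly one repeat.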

Date: Fri, 26 Dec 2025 15:21:12 +0300
From: Vitaly Chikunov
To: Junjie Cao, Thomas Zimmermann, Greg Kroah-Hartman
Cc: Peilin Ye, Daniel Vetter, Shigeru Yoshida, Simona Vetter, Helge Deller, Zsolt Kajtar, Albin Babu Varghese, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, regressions@lists.linux.dev
Subject: Re: [PATCH v2] fbdev: bitblit: bound-check glyph index in bit_putcs*
References: <20251020134701.84082-1-junjie.cao@intel.com>

Dear linux-fbdev, stable,

On Fri, Dec 26, 2025 at 01:29:13AM +0300, Vitaly Chikunov wrote:
>
> On Mon, Oct 20, 2025 at 09:47:01PM +0800, Junjie Cao wrote:
> > bit_putcs_aligned()/unaligned() derived the glyph pointer from the
> > character value masked by 0xff/0x1ff, which may exceed the actual font's
> > glyph count and read past the end of the built-in font array.
> > Clamp the index to the actual glyph count before computing the address.
> >
> > This fixes a global out-of-bounds read reported by syzbot.
> >
> > Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
> > Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
> > Signed-off-by: Junjie Cao
>
> This commit is applied to v5.10.247 and causes a regression: when
> switching VT with ctrl-alt-f2 the screen is blank or completely filled
> with angle characters, then new text is not appearing (or not visible).
>
> This commit is found with git bisect from v5.10.246 to v5.10.247:
>
> 0998a6cb232674408a03e8561dc15aa266b2f53b is the first bad commit
> commit 0998a6cb232674408a03e8561dc15aa266b2f53b
> Author: Junjie Cao
> AuthorDate: 2025-10-20 21:47:01 +0800
> Commit: Greg Kroah-Hartman
> CommitDate: 2025-12-07 06:08:07 +0900
>
> fbdev: bitblit: bound-check glyph index in bit_putcs*
>
> commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.
>
> bit_putcs_aligned()/unaligned() derived the glyph pointer from the
> character value masked by 0xff/0x1ff, which may exceed the actual font's
> glyph count and read past the end of the built-in font array.
> Clamp the index to the actual glyph count before computing the address.
>
> This fixes a global out-of-bounds read reported by syzbot.
>
> Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
> Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
> Signed-off-by: Junjie Cao
> Reviewed-by: Thomas Zimmermann
> Signed-off-by: Helge Deller
> Cc: stable@vger.kernel.org
> Signed-off-by: Greg Kroah-Hartman
>
> drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> The minimal reproducer in cli, after kernel is booted:
>
> date >/dev/tty2; chvt 2
>
> and the date does not appear.
>
> Thanks,
>
> #regzbot introduced: 0998a6cb232674408a03e8561dc15aa266b2f53b
>
> > ---
> > v1: https://lore.kernel.org/linux-fbdev/5d237d1a-a528-4205-a4d8-71709134f1e1@suse.de/
> > v1 -> v2:
> > - Fix indentation and add blank line after declarations with the .pl helper
> > - No functional changes
> >
> > drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
> > 1 file changed, 12 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/video/fbdev/core/bitblit.c b/drivers/video/fbdev/core/bitblit.c > > index 9d2e59796c3e..085ffb44c51a 100644 > > --- a/drivers/video/fbdev/core/bitblit.c > > +++ b/drivers/video/fbdev/core/bitblit.c > > @@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(struct vc_data *vc, struct fb_info *info, > > struct fb_image *image, u8 *buf, u8 *dst) > > { > > u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff; > > + unsigned int charcnt = vc->vc_font.charcount;

Perhaps, vc->vc_font.charcount (which is relied upon in the following
comparison) is not always set correctly in v5.10.247.

At least two commits that set vc_font.charcount are missing from
v5.10.247:

a1ac250a82a5 ("fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font charcount")
a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed")

Thanks,

> > u32 idx = vc->vc_font.width >> 3; > > u8 *src; > > > > while (cnt--) { > > - src = vc->vc_font.data + (scr_readw(s++)& > > - charmask)*cellsize; > > + u16 ch = scr_readw(s++) & charmask; > > + > > + if (ch >= charcnt) > > + ch = 0; > > + src = vc->vc_font.data + (unsigned int)ch * cellsize; > > > > if (attr) { > > update_attr(buf, src, attr, vc);
> > @@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(struct vc_data *vc, > > u8 *dst) > > { > > u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff; > > + unsigned int charcnt = vc->vc_font.charcount; > > u32 shift_low = 0, mod = vc->vc_font.width % 8; > > u32 shift_high = 8; > > u32 idx = vc->vc_font.width >> 3; > > u8 *src; > > > > while (cnt--) { > > - src = vc->vc_font.data + (scr_readw(s++)& > > - charmask)*cellsize; > > + u16 ch = scr_readw(s++) & charmask; > > + > > + if (ch >= charcnt) > > + ch = 0; > > + src = vc->vc_font.data + (unsigned int)ch * cellsize; > > > > if (attr) { > > update_attr(buf, src, attr, vc); > > -- > > 2.48.1 > >
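
Review bot: in bit_putcs_aligned() the new test "if (ch >= charcnt)" sends every character to glyph 0 when vc->vc_font.charcount is zero, so the clamp is only correct on trees where charcount is always populated before text is drawn. The patch should state that dependency for backporters, or the function should handle charcnt == 0 explicitly instead of silently drawing glyph 0.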
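
Review bot: bit_putcs_unaligned() repeats the same added lines as bit_putcs_aligned() (read the cell, mask it, clamp against charcnt, compute src). A small static inline helper that returns the glyph pointer would keep the bound check in one place, so a later change to the clamp cannot be applied to one path and missed in the other.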
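
The glyph lookup before and after the quoted patch, as a user-space C model added here (not code from the thread or from the kernel). It assumes an unset vc_font.charcount reads as 0, to model the hypothesis in the reply above; the struct, the function names and the sample cells are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed user-space model of the fields bit_putcs_aligned() reads.
 * It is not the kernel's struct vc_data; all names here are hypothetical.
 */
struct font_model {
	unsigned int real_glyphs; /* glyphs actually present in the font array */
	unsigned int charcount;   /* what vc_font.charcount claims; 0 = never set (assumption) */
	unsigned int cellsize;    /* bytes per glyph */
	int hi_font_mask;         /* nonzero selects the 0x1ff mask */
};

static uint16_t charmask_of(const struct font_model *f)
{
	return f->hi_font_mask ? 0x1ff : 0xff;
}

/* Lookup before the patch: the glyph index is limited by the mask alone. */
static size_t offset_masked(const struct font_model *f, uint16_t cell)
{
	return (size_t)(cell & charmask_of(f)) * f->cellsize;
}

/* Lookup after the patch: indices at or above charcount fall back to glyph 0. */
static size_t offset_clamped(const struct font_model *f, uint16_t cell)
{
	uint16_t ch = cell & charmask_of(f);

	if (ch >= f->charcount)
		ch = 0;
	return (size_t)ch * f->cellsize;
}

/* True when a whole glyph starting at off lies inside the font array. */
static int in_bounds(const struct font_model *f, size_t off)
{
	return off + f->cellsize <= (size_t)f->real_glyphs * f->cellsize;
}

typedef size_t (*lookup_fn)(const struct font_model *, uint16_t);

/* Number of different glyph offsets a run of screen cells resolves to. */
static unsigned int distinct_glyphs(const struct font_model *f, lookup_fn fn,
				    const uint16_t *cells, size_t n)
{
	unsigned int distinct = 0;
	size_t i, j;

	for (i = 0; i < n; i++) {
		for (j = 0; j < i; j++)
			if (fn(f, cells[i]) == fn(f, cells[j]))
				break;
		if (j == i)
			distinct++;
	}
	return distinct;
}

/* Constructed sample input: the screen cells for the text "Fri 26". */
static const uint16_t sample_cells[] = { 'F', 'r', 'i', ' ', '2', '6' };
#define SAMPLE_LEN (sizeof(sample_cells) / sizeof(sample_cells[0]))

/* 256-glyph font, 16 bytes per glyph, console using the 0x1ff mask. */
static const struct font_model font_ok = { 256, 256, 16, 1 };
/* Same font, but charcount was never filled in (modelled as 0). */
static const struct font_model font_unset = { 256, 0, 16, 1 };

int main(void)
{
	uint16_t wild = 0x141; /* passes the 0x1ff mask, exceeds 256 glyphs */

	printf("masked  0x%x: offset %zu, in bounds: %d\n", wild,
	       offset_masked(&font_ok, wild),
	       in_bounds(&font_ok, offset_masked(&font_ok, wild)));
	printf("clamped 0x%x: offset %zu, in bounds: %d\n", wild,
	       offset_clamped(&font_ok, wild),
	       in_bounds(&font_ok, offset_clamped(&font_ok, wild)));
	printf("distinct glyphs, charcount set:   %u\n",
	       distinct_glyphs(&font_ok, offset_clamped, sample_cells, SAMPLE_LEN));
	printf("distinct glyphs, charcount unset: %u\n",
	       distinct_glyphs(&font_unset, offset_clamped, sample_cells, SAMPLE_LEN));
	return 0;
}
```

With charcount populated the clamp removes the out-of-bounds offset and leaves normal text alone; with charcount at 0 every cell resolves to glyph 0, which matches a console filled with one repeated character.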
From: Alekséi Naidénov
To: stable@vger.kernel.org
Cc: linux-erofs@lists.ozlabs.org, linux-kernel@vger.kernel.org, xiang@kernel.org
Subject: [REGRESSION] erofs: new file-backed stacking limit breaks container overlay use case in 6.12.63
Date: Fri, 26 Dec 2025 13:34:37 +0100
Message-ID: <20251226123453.5914-1-an@digitaltide.io>

Hello,

I am reporting a regression in the 6.12 stable series related to EROFS
file-backed mounts.

After updating from Linux 6.12.62 to 6.12.63, a previously working setup
using OSTree-backed composefs mounts as Podman rootfs no longer works.

The regression appears to be caused by the following commit:

34447aeedbaea8f9aad3da5b07030a1c0e124639 ("erofs: limit the level of fs
stacking for file-backed mounts")
(backport of upstream commit d53cd891f0e4311889349fff3a784dc552f814b9)

## Setup description

We use OSTree to materialize filesystem trees, which are mounted via
composefs (EROFS + overlayfs) as a read-only filesystem. This mounted
composefs tree is then used as a Podman rootfs, with Podman mounting a
writable overlayfs on top for each container.

This setup worked correctly on Linux 6.12.62 and earlier.

In short, the stacking looks like:

EROFS (file-backed)
  -> composefs (EROFS + overlayfs with ostree repo as datadir, read-only)
    -> Podman rootfs overlays (RW upperdir)

There is no recursive or self-stacking of EROFS.

## Working case (6.12.62)

The composefs mount exists and Podman can successfully start a container
using it as rootfs.

Example composefs mount:

❯ mount | grep a31550cc69eef0e3227fa700623250592711fdfd51b5403a74288b55e89e7e8c
a31550cc69eef0e3227fa700623250592711fdfd51b5403a74288b55e89e7e8c on /home/growler/.local/share/containers/ostree/a31550cc69eef0e3227fa700623250592711fdfd51b5403a74288b55e89e7e8c type overlay (ro,noatime,lowerdir+=/proc/self/fd/10,datadir+=/proc/self/fd/7,redirect_dir=on,metacopy=on)

(lowerdir is a handle for the erofs file-backed mount, datadir is a handle
for the ostree repository objects directory)

Running Podman:

❯ podman run --rm -it --rootfs $HOME/.local/share/containers/ostree/a31550cc69eef0e3227fa700623250592711fdfd51b5403a74288b55e89e7e8c:O bash -l
root@d691e785bba3:/# uname -a
Linux d691e785bba3 6.12.62 #1-NixOS SMP PREEMPT_DYNAMIC Fri Dec 12 17:37:22 UTC 2025 x86_64 GNU/Linux
root@d691e785bba3:/#

(succeed)

## Failing case (6.12.63)

After upgrading to 6.12.63, the same command fails when Podman tries to
create the writable overlay on top of the composefs mount.

Error:

❯ podman run --rm -it --rootfs $HOME/.local/share/containers/ostree/a31550cc69eef0e3227fa700623250592711fdfd51b5403a74288b55e89e7e8c:O bash -l
Error: rootfs-overlay: creating overlay failed "/home/growler/.local/share/containers/ostree/a31550cc69eef0e3227fa700623250592711fdfd51b5403a74288b55e89e7e8c" from native overlay: mount overlay:/home/growler/.local/share/containers/storage/overlay-containers/a0851294d6b5b18062d4f5316032ee84d7bae700ea7d12c5be949d9e1999b0a1/rootfs/merge, flags: 0x4, data: lowerdir=/home/growler/.local/share/containers/ostree/a31550cc69eef0e3227fa700623250592711fdfd51b5403a74288b55e89e7e8c,upperdir=/home/growler/.local/share/containers/storage/overlay-containers/a0851294d6b5b18062d4f5316032ee84d7bae700ea7d12c5be949d9e1999b0a1/rootfs/upper,workdir=/home/growler/.local/share/containers/storage/overlay-containers/a0851294d6b5b18062d4f5316032ee84d7bae700ea7d12c5be949d9e1999b0a1/rootfs/work,userxattr: invalid argument

❯ uname -a
Linux ci-node-09 6.12.63 #1-NixOS SMP PREEMPT_DYNAMIC Thu Dec 18 12:55:23 UTC 2025 x86_64 GNU/Linux

## Expected behavior

Using a composefs (EROFS + overlayfs) read-only mount as the lowerdir for a
container rootfs overlay should continue to work as it did in 6.12.62.

## Actual behavior

Overlayfs mounting fails with EINVAL when stacking on top of the composefs
mount backed by EROFS.

## Notes

The setup does not involve recursive EROFS mounting or unbounded stacking
depth. It appears the new stacking limit rejects this valid and previously
supported container use case.

Please let me know if further details or testing would be helpful.

Thank you,

--
Alekséi Nadénov

From: Gao Xiang
To: Alekséi Naidénov, stable@vger.kernel.org
Cc: linux-erofs@lists.ozlabs.org, linux-kernel@vger.kernel.org, xiang@kernel.org, Amir Goldstein, Christian Brauner
Subject: Re: [REGRESSION] erofs: new file-backed stacking limit breaks container overlay use case in 6.12.63
Date: Fri, 26 Dec 2025 22:22:01 +0800

Hi Alekséi,

On 2025/12/26 20:17, Alekséi Naidénov wrote:
> Hello,
>
> I am reporting a regression in the 6.12 stable series related to EROFS
> file-backed mounts.
>
> After updating from Linux 6.12.62 to 6.12.63, a previously working setup
> using OSTree-backed composefs mounts as Podman rootfs no longer works.
>
> The regression appears to be caused by the following commit:
>
> 34447aeedbaea8f9aad3da5b07030a1c0e124639 ("erofs: limit the level of fs
> stacking for file-backed mounts")
> (backport of upstream commit d53cd891f0e4311889349fff3a784dc552f814b9)
>
> ## Setup description
>
> We use OSTree to materialize filesystem trees, which are mounted via
> composefs (EROFS + overlayfs) as a read-only filesystem. This mounted
> composefs tree is then used as a Podman rootfs, with Podman mounting a
> writable overlayfs on top for each container.
>
> This setup worked correctly on Linux 6.12.62 and earlier.

The following issue just tracks this:
https://github.com/coreos/fedora-coreos-tracker/issues/2087

I don't think more information is needed, but I really think the EROFS
commit is needed to avoid kernel stack overflow due to nested fses.

>
> In short, the stacking looks like:
>
> EROFS (file-backed)
> -> composefs (EROFS + overlayfs with ostree repo as datadir, read-only)
> -> Podman rootfs overlays (RW upperdir)
>
> There is no recursive or self-stacking of EROFS.

Yes, but there are two overlayfs + one file-backed EROFS already, and it
exceeds FILESYSTEM_MAX_STACK_DEPTH.

That is, overlayfs refuses to mount the nested fses.

Thanks,
Gao Xiang
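
The depth accounting behind the reply above, as an added user-space C model that is neither kernel code nor part of the thread: a stacking filesystem sits one level above its deepest layer, and an overlay mount past FILESYSTEM_MAX_STACK_DEPTH is refused with EINVAL. The limit's value of 2 comes from include/linux/fs.h rather than from the thread; struct sb_model, the function names, and the assumption that a file-backed EROFS mount counted as no level in 6.12.62 and as one level in 6.12.63 are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Same name and value as the kernel limit in include/linux/fs.h. */
#define FILESYSTEM_MAX_STACK_DEPTH 2

/* Hypothetical stand-in for the one super_block field that matters here. */
struct sb_model {
    const char *name;
    int s_stack_depth;
};

/* Depth of the deepest filesystem a stacking mount sits on. */
static int deepest_layer(const struct sb_model *const *layers, size_t n)
{
    int depth = 0;

    for (size_t i = 0; i < n; i++)
        if (layers[i]->s_stack_depth > depth)
            depth = layers[i]->s_stack_depth;
    return depth;
}

/* Overlay mount: one level above its deepest layer (lower, data or upper). */
static int mount_overlay(struct sb_model *sb, const char *name,
                         const struct sb_model *const *layers, size_t n)
{
    int depth = deepest_layer(layers, n) + 1;

    if (depth > FILESYSTEM_MAX_STACK_DEPTH)
        return -EINVAL;             /* the "invalid argument" Podman reports */
    sb->name = name;
    sb->s_stack_depth = depth;
    return 0;
}

/*
 * File-backed EROFS mount. counts_as_level == 0 models 6.12.62 and
 * counts_as_level == 1 models 6.12.63 (assumption drawn from the thread).
 */
static int mount_erofs_file_backed(struct sb_model *sb,
                                   const struct sb_model *backing,
                                   int counts_as_level)
{
    int depth = backing->s_stack_depth + (counts_as_level ? 1 : 0);

    if (depth > FILESYSTEM_MAX_STACK_DEPTH)
        return -EINVAL;             /* errno chosen for this model only */
    sb->name = "erofs (file-backed)";
    sb->s_stack_depth = depth;
    return 0;
}

/*
 * Rebuild the stack from the report: EROFS image on the home filesystem,
 * composefs overlay on top of it, Podman's writable overlay on top of that.
 * Returns 0 or a negative errno; *composefs_depth gets the middle layer's depth.
 */
static int podman_rootfs_stack(int erofs_counts_as_level, int *composefs_depth)
{
    struct sb_model home = { "home fs (not stacked)", 0 };
    struct sb_model erofs, composefs, rootfs;
    int err;

    err = mount_erofs_file_backed(&erofs, &home, erofs_counts_as_level);
    if (err)
        return err;

    /* lowerdir = EROFS mount, datadir = ostree objects on the home fs */
    const struct sb_model *composefs_layers[] = { &erofs, &home };
    err = mount_overlay(&composefs, "composefs overlay (ro)", composefs_layers, 2);
    if (err)
        return err;
    if (composefs_depth)
        *composefs_depth = composefs.s_stack_depth;

    /* lowerdir = composefs mount, upperdir/workdir on the home fs */
    const struct sb_model *rootfs_layers[] = { &composefs, &home };
    return mount_overlay(&rootfs, "podman rootfs overlay (rw)", rootfs_layers, 2);
}

int main(void)
{
    int depth = -1;
    int rc = podman_rootfs_stack(0, &depth);

    printf("6.12.62 model: composefs depth %d, podman overlay rc %d\n", depth, rc);
    rc = podman_rootfs_stack(1, &depth);
    printf("6.12.63 model: composefs depth %d, podman overlay rc %d\n", depth, rc);
    return 0;
}
```

In the model the composefs mount itself still succeeds after the change; only the third layer, Podman's overlay, crosses the limit.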

From: Chuck Lever
To: NeilBrown, Jeff Layton, Olga Kornievskaia, Dai Ngo, Tom Talpey
Cc: Chuck Lever, Xingjing Deng, stable@vger.kernel.org
Subject: [PATCH] SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths
Date: Fri, 26 Dec 2025 10:15:32 -0500
Message-ID: <20251226151532.440886-1-cel@kernel.org>

From: Chuck Lever

The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name()
functions allocate memory via gssx_dec_buffer(), which calls
kmemdup(). When a subsequent decode operation fails, these
functions return immediately without freeing previously
allocated buffers, causing memory leaks.

The leak in gssx_dec_ctx() is particularly relevant because
the caller (gssp_accept_sec_context_upcall) initializes several
buffer length fields to non-zero values, resulting in memory
allocation:

    struct gssx_ctx rctxh = {
        .exported_context_token.len = GSSX_max_output_handle_sz,
        .mech.len = GSS_OID_MAX_LEN,
        .src_name.display_name.len = GSSX_max_princ_sz,
        .targ_name.display_name.len = GSSX_max_princ_sz
    };

If, for example, gssx_dec_name() succeeds for src_name but
fails for targ_name, the memory allocated for
exported_context_token, mech, and src_name.display_name
remains unreferenced and cannot be reclaimed.

Add error handling with goto-based cleanup to free any
previously allocated buffers before returning an error.

Reported-by: Xingjing Deng
Closes: https://lore.kernel.org/linux-nfs/CAK+ZN9qttsFDu6h1FoqGadXjMx1QXqPMoYQ=6O9RY4SxVTvKng@mail.gmail.com/
Fixes: 1d658336b05f ("SUNRPC: Add RPC based upcall mechanism for RPCGSS auth")
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever
--- net/sunrpc/auth_gss/gss_rpc_xdr.c | 82 ++++++++++++++++++++++++------- 1 file changed, 64 insertions(+), 18 deletions(-) diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c index 7d2cdc2bd374..f320c0a8e604 100644 --- a/net/sunrpc/auth_gss/gss_rpc_xdr.c +++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
@@ -320,29 +320,47 @@ static int gssx_dec_status(struct xdr_stream *xdr, /* status->minor_status */ p = xdr_inline_decode(xdr, 8); - if (unlikely(p == NULL)) - return -ENOSPC; + if (unlikely(p == NULL)) { + err = -ENOSPC; + goto out_free_mech; + } p = xdr_decode_hyper(p, &status->minor_status); /* status->major_status_string */ err = gssx_dec_buffer(xdr, &status->major_status_string); if (err) - return err; + goto out_free_mech; /* status->minor_status_string */ err = gssx_dec_buffer(xdr, &status->minor_status_string); if (err) - return err; + goto out_free_major_status_string; /* status->server_ctx */ err = gssx_dec_buffer(xdr, &status->server_ctx); if (err) - return err; + goto out_free_minor_status_string; /* we assume we have no options for now, so simply consume them */ /* status->options */ err = dummy_dec_opt_array(xdr, &status->options); + if (err) + goto out_free_server_ctx; + return 0; + +out_free_server_ctx: + kfree(status->server_ctx.data); + status->server_ctx.data = NULL; +out_free_minor_status_string: + kfree(status->minor_status_string.data); + status->minor_status_string.data = NULL; +out_free_major_status_string: + kfree(status->major_status_string.data); + status->major_status_string.data = NULL; +out_free_mech: + kfree(status->mech.data); + status->mech.data = NULL; return err; } 
@@ -505,28 +523,35 @@ static int gssx_dec_name(struct xdr_stream *xdr, /* name->name_type */ err = gssx_dec_buffer(xdr, &dummy_netobj); if (err) - return err; + goto out_free_display_name; /* name->exported_name */ err = gssx_dec_buffer(xdr, &dummy_netobj); if (err) - return err; + goto out_free_display_name; /* name->exported_composite_name */ err = gssx_dec_buffer(xdr, &dummy_netobj); if (err) - return err; + goto out_free_display_name; /* we assume we have no attributes for now, so simply consume them */ /* name->name_attributes */ err = dummy_dec_nameattr_array(xdr, &dummy_name_attr_array); if (err) - return err; + goto out_free_display_name; /* we assume we have no options for now, so simply consume them */ /* name->extensions */ err = dummy_dec_opt_array(xdr, &dummy_option_array); + if (err) + goto out_free_display_name; + return 0; + +out_free_display_name: + kfree(name->display_name.data); + name->display_name.data = NULL; return err; } @@ -649,32 +674,34 @@ static int gssx_dec_ctx(struct xdr_stream *xdr, /* ctx->state */ err = gssx_dec_buffer(xdr, &ctx->state); if (err) - return err; + goto out_free_exported_context_token; /* ctx->need_release */ err = gssx_dec_bool(xdr, &ctx->need_release); if (err) - return err; + goto out_free_state; /* ctx->mech */ err = gssx_dec_buffer(xdr, &ctx->mech); if (err) - return err; + goto out_free_state; /* ctx->src_name */ err = gssx_dec_name(xdr, &ctx->src_name); if (err) - return err; + goto out_free_mech; /* ctx->targ_name */ err = gssx_dec_name(xdr, &ctx->targ_name); if (err) - return err; + goto out_free_src_name; /* ctx->lifetime */ p = xdr_inline_decode(xdr, 8+8); - if (unlikely(p == NULL)) - return -ENOSPC; + if (unlikely(p == NULL)) { + err = -ENOSPC; + goto out_free_targ_name; + } p = xdr_decode_hyper(p, &ctx->lifetime); /* ctx->ctx_flags */ 
@@ -683,17 +710,36 @@ static int gssx_dec_ctx(struct xdr_stream *xdr, /* ctx->locally_initiated */ err = gssx_dec_bool(xdr, &ctx->locally_initiated); if (err) - return err; + goto out_free_targ_name; /* ctx->open */ err = gssx_dec_bool(xdr, &ctx->open); if (err) - return err; + goto out_free_targ_name; /* we assume we have no options for now, so simply consume them */ /* ctx->options */ err = dummy_dec_opt_array(xdr, &ctx->options); + if (err) + goto out_free_targ_name; + return 0; + +out_free_targ_name: + kfree(ctx->targ_name.display_name.data); + ctx->targ_name.display_name.data = NULL; +out_free_src_name: + kfree(ctx->src_name.display_name.data); + ctx->src_name.display_name.data = NULL; +out_free_mech: + kfree(ctx->mech.data); + ctx->mech.data = NULL; +out_free_state: + kfree(ctx->state.data); + ctx->state.data = NULL; +out_free_exported_context_token: + kfree(ctx->exported_context_token.data); + ctx->exported_context_token.data = NULL; return err; } -- 2.52.0
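
Review bot: in gssx_dec_status() (hunk @@ -320,29 +320,47 @@), the unwind labels kfree() status->server_ctx.data, minor_status_string.data, major_status_string.data and mech.data whether or not gssx_dec_buffer() allocated anything for them. The commit message ties allocation to the caller presetting a non-zero length; for a field left at length zero the pointer is whatever the caller put there, so this cleanup is safe only when every caller passes a zero-initialised status. Please state that precondition in a comment above the function, or free only what this call allocated.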
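
Review bot: in gssx_dec_ctx() (hunk @@ -649,32 +674,34 @@), a failure of gssx_dec_name(xdr, &ctx->src_name) jumps to out_free_mech and a failure for ctx->targ_name jumps to out_free_src_name, so neither path frees the display_name of the name being decoded. That is correct only because gssx_dec_name() now frees and clears name->display_name.data itself on error, via the out_free_display_name label added in the previous hunk. The dependency is implicit and easy to break in a later change; add a short comment at these two gotos, or jump to out_free_src_name and out_free_targ_name respectively, which is harmless since those pointers are already NULL.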
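
Review bot: the unwind labels at the end of gssx_dec_ctx() (hunk @@ -683,17 +710,36 @@) reset each .data pointer to NULL after kfree() but leave the matching .len untouched, so after a failed decode the caller's ctx can hold, for example, a non-zero exported_context_token.len next to a NULL exported_context_token.data. If any caller reads these fields after an error return, that combination invites a NULL dereference; either zero .len alongside .data in each label or document that the output struct must not be inspected when the function returns non-zero.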

From: Jeff Layton
To: Chuck Lever, NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey
Cc: linux-nfs@vger.kernel.org, Chuck Lever, Xingjing Deng, stable@vger.kernel.org
Subject: Re: [PATCH] SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths
Date: Fri, 26 Dec 2025 10:30:33 -0500
Message-ID: <7dea5c5fdc5a9d268bb95b2c7a967fedf629d19b.camel@kernel.org>
In-Reply-To: <20251226151532.440886-1-cel@kernel.org>

On Fri, 2025-12-26 at 10:15 -0500, Chuck Lever wrote:
> From: Chuck Lever
>
> The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name()
> functions allocate memory via gssx_dec_buffer(), which calls
> kmemdup(). When a subsequent decode operation fails, these
> functions return immediately without freeing previously
> allocated buffers, causing memory leaks.
>
> The leak in gssx_dec_ctx() is particularly relevant because
> the caller (gssp_accept_sec_context_upcall) initializes several
> buffer length fields to non-zero values, resulting in memory
> allocation:
>
>     struct gssx_ctx rctxh = {
>         .exported_context_token.len = GSSX_max_output_handle_sz,
>         .mech.len = GSS_OID_MAX_LEN,
>         .src_name.display_name.len = GSSX_max_princ_sz,
>         .targ_name.display_name.len = GSSX_max_princ_sz
>     };
>
> If, for example, gssx_dec_name() succeeds for src_name but
> fails for targ_name, the memory allocated for
> exported_context_token, mech, and src_name.display_name
> remains unreferenced and cannot be reclaimed.
>
> Add error handling with goto-based cleanup to free any
> previously allocated buffers before returning an error.
>
> Reported-by: Xingjing Deng
> Closes: https://lore.kernel.org/linux-nfs/CAK+ZN9qttsFDu6h1FoqGadXjMx1QXqPMoYQ=6O9RY4SxVTvKng@mail.gmail.com/
> Fixes: 1d658336b05f ("SUNRPC: Add RPC based upcall mechanism for RPCGSS auth")
> Cc: stable@vger.kernel.org
> Signed-off-by: Chuck Lever
> --- > net/sunrpc/auth_gss/gss_rpc_xdr.c | 82 ++++++++++++++++++++++++------- > 1 file changed, 64 insertions(+), 18 deletions(-) >=20 > diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_= rpc_xdr.c > index 7d2cdc2bd374..f320c0a8e604 100644 > --- a/net/sunrpc/auth_gss/gss_rpc_xdr.c > +++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
> @@ -320,29 +320,47 @@ static int gssx_dec_status(struct xdr_stream *xdr, > =20 > /* status->minor_status */ > p =3D xdr_inline_decode(xdr, 8); > - if (unlikely(p =3D=3D NULL)) > - return -ENOSPC; > + if (unlikely(p =3D=3D NULL)) { > + err =3D -ENOSPC; > + goto out_free_mech; > + } > p =3D xdr_decode_hyper(p, &status->minor_status); > =20 > /* status->major_status_string */ > err =3D gssx_dec_buffer(xdr, &status->major_status_string); > if (err) > - return err; > + goto out_free_mech; > =20 > /* status->minor_status_string */ > err =3D gssx_dec_buffer(xdr, &status->minor_status_string); > if (err) > - return err; > + goto out_free_major_status_string; > =20 > /* status->server_ctx */ > err =3D gssx_dec_buffer(xdr, &status->server_ctx); > if (err) > - return err; > + goto out_free_minor_status_string; > =20 > /* we assume we have no options for now, so simply consume them */ > /* status->options */ > err =3D dummy_dec_opt_array(xdr, &status->options); > + if (err) > + goto out_free_server_ctx; > =20 > + return 0; > + > +out_free_server_ctx: > + kfree(status->server_ctx.data); > + status->server_ctx.data =3D NULL; > +out_free_minor_status_string: > + kfree(status->minor_status_string.data); > + status->minor_status_string.data =3D NULL; > +out_free_major_status_string: > + kfree(status->major_status_string.data); > + status->major_status_string.data =3D NULL; > +out_free_mech: > + kfree(status->mech.data); > + status->mech.data =3D NULL; > return err; > } > =20 
> @@ -505,28 +523,35 @@ static int gssx_dec_name(struct xdr_stream *xdr, > /* name->name_type */ > err =3D gssx_dec_buffer(xdr, &dummy_netobj); > if (err) > - return err; > + goto out_free_display_name; > =20 > /* name->exported_name */ > err =3D gssx_dec_buffer(xdr, &dummy_netobj); > if (err) > - return err; > + goto out_free_display_name; > =20 > /* name->exported_composite_name */ > err =3D gssx_dec_buffer(xdr, &dummy_netobj); > if (err) > - return err; > + goto out_free_display_name; > =20 > /* we assume we have no attributes for now, so simply consume them */ > /* name->name_attributes */ > err =3D dummy_dec_nameattr_array(xdr, &dummy_name_attr_array); > if (err) > - return err; > + goto out_free_display_name; > =20 > /* we assume we have no options for now, so simply consume them */ > /* name->extensions */ > err =3D dummy_dec_opt_array(xdr, &dummy_option_array); > + if (err) > + goto out_free_display_name; > =20 > + return 0; > + > +out_free_display_name: > + kfree(name->display_name.data); > + name->display_name.data =3D NULL; > return err; > } > =20 
> @@ -649,32 +674,34 @@ static int gssx_dec_ctx(struct xdr_stream *xdr, > /* ctx->state */ > err =3D gssx_dec_buffer(xdr, &ctx->state); > if (err) > - return err; > + goto out_free_exported_context_token; > =20 > /* ctx->need_release */ > err =3D gssx_dec_bool(xdr, &ctx->need_release); > if (err) > - return err; > + goto out_free_state; > =20 > /* ctx->mech */ > err =3D gssx_dec_buffer(xdr, &ctx->mech); > if (err) > - return err; > + goto out_free_state; > =20 > /* ctx->src_name */ > err =3D gssx_dec_name(xdr, &ctx->src_name); > if (err) > - return err; > + goto out_free_mech; > =20 > /* ctx->targ_name */ > err =3D gssx_dec_name(xdr, &ctx->targ_name); > if (err) > - return err; > + goto out_free_src_name; > =20 > /* ctx->lifetime */ > p =3D xdr_inline_decode(xdr, 8+8); > - if (unlikely(p =3D=3D NULL)) > - return -ENOSPC; > + if (unlikely(p =3D=3D NULL)) { > + err =3D -ENOSPC; > + goto out_free_targ_name; > + } > p =3D xdr_decode_hyper(p, &ctx->lifetime); > =20 > /* ctx->ctx_flags */ 
> @@ -683,17 +710,36 @@ static int gssx_dec_ctx(struct xdr_stream *xdr, > /* ctx->locally_initiated */ > err =3D gssx_dec_bool(xdr, &ctx->locally_initiated); > if (err) > - return err; > + goto out_free_targ_name; > =20 > /* ctx->open */ > err =3D gssx_dec_bool(xdr, &ctx->open); > if (err) > - return err; > + goto out_free_targ_name; > =20 > /* we assume we have no options for now, so simply consume them */ > /* ctx->options */ > err =3D dummy_dec_opt_array(xdr, &ctx->options); > + if (err) > + goto out_free_targ_name; > =20 > + return 0; > + > +out_free_targ_name: > + kfree(ctx->targ_name.display_name.data); > + ctx->targ_name.display_name.data =3D NULL; > +out_free_src_name: > + kfree(ctx->src_name.display_name.data); > + ctx->src_name.display_name.data =3D NULL; > +out_free_mech: > + kfree(ctx->mech.data); > + ctx->mech.data =3D NULL; > +out_free_state: > + kfree(ctx->state.data); > + ctx->state.data =3D NULL; > +out_free_exported_context_token: > + kfree(ctx->exported_context_token.data); > + ctx->exported_context_token.data =3D NULL; > return err; > } > =20
Reviewed-by: Jeff Layton
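Review bot: In the gssx_dec_status() unwind (out_free_server_ctx down to out_free_mech), each label frees the buffer and sets .data to NULL but leaves the matching .len untouched, so after a failed decode the caller holds a non-zero length next to a NULL pointer. Clearing .len at each label as well, or adding a comment that the structure's contents are undefined after a non-zero return, would keep a later reader of status from trusting the length.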
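Review bot: In gssx_dec_name(), out_free_display_name releases only name->display_name.data, although the same dummy_netobj is passed to gssx_dec_buffer() three times (name_type, exported_name, exported_composite_name). If gssx_dec_buffer() can allocate into dummy_netobj, those buffers would be lost on the success path as well as on error; a one-line comment at the label stating that dummy_netobj never receives an allocation would explain why nothing else needs freeing here.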
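Review bot: In gssx_dec_ctx() the five labels only work while they stay in exact reverse decode order, and out_free_state already serves two different failure sites (need_release and mech), which makes the ladder easy to break when a field is added. Because kfree() accepts NULL, a single exit label that frees all five .data pointers would behave the same, provided every caller passes the structure with its .data pointers NULL as the rctxh initializer quoted in the commit message does; if that cannot be assumed, a comment above the labels stating the ordering rule would help.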
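The failure mode and the goto-based unwind described in the quoted commit message, as a userspace C model added here; it is not the kernel's code or part of the patch. `dec_buffer()`, `buf_free()`, `struct ctx`, the allocation counter and the sample bytes are constructed for the example and only imitate a length-prefixed XDR opaque decode.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int live_allocs;   /* outstanding allocations: the example's leak counter */
struct stream { const uint8_t *p, *end; };
struct buf { uint32_t len; uint8_t *data; };   /* len is the caller's maximum on entry */
struct ctx { struct buf token, mech, name; };  /* hypothetical three-field context */

/* Model of an XDR opaque: 4-byte big-endian length, data padded to 4 bytes. */
static int dec_buffer(struct stream *s, struct buf *b)
{
    uint32_t len, padded;
    if ((size_t)(s->end - s->p) < 4)
        return -ENOSPC;
    len = (uint32_t)s->p[0] << 24 | (uint32_t)s->p[1] << 16 |
          (uint32_t)s->p[2] << 8 | (uint32_t)s->p[3];
    s->p += 4;
    padded = (len + 3) & ~3u;
    if (len > b->len || (size_t)(s->end - s->p) < padded)
        return -ENOSPC;
    b->data = malloc(len ? len : 1);
    if (!b->data)
        return -ENOMEM;
    memcpy(b->data, s->p, len);
    live_allocs++;
    b->len = len;
    s->p += padded;
    return 0;
}

/* Free one decoded buffer and clear the pointer so a second free is harmless. */
static void buf_free(struct buf *b)
{
    if (b->data)
        live_allocs--;
    free(b->data);
    b->data = NULL;
}

/* Before: a failure returns at once and drops what was already decoded. */
static int dec_ctx_leaky(struct stream *s, struct ctx *c)
{
    int err = dec_buffer(s, &c->token);
    if (err)
        return err;
    err = dec_buffer(s, &c->mech);
    if (err)
        return err;
    return dec_buffer(s, &c->name);
}

/* After: a failure jumps to the label that frees everything decoded so far. */
static int dec_ctx_unwind(struct stream *s, struct ctx *c)
{
    int err = dec_buffer(s, &c->token);
    if (err)
        return err;
    err = dec_buffer(s, &c->mech);
    if (err)
        goto out_free_token;
    err = dec_buffer(s, &c->name);
    if (err)
        goto out_free_mech;
    return 0;
out_free_mech:
    buf_free(&c->mech);
out_free_token:
    buf_free(&c->token);
    return err;
}

/* Constructed sample: opaques "tok", "mech", "name" (not captured traffic). */
static const uint8_t sample_msg[] = {
    0, 0, 0, 3, 't', 'o', 'k', 0, 0, 0, 0, 4, 'm', 'e', 'c', 'h', 0, 0, 0, 4, 'n', 'a', 'm', 'e',
};

/* Decode the first n bytes; return how many buffers a failed decode left allocated. */
static int leaked_on_truncation(int (*dec)(struct stream *, struct ctx *), size_t n)
{
    struct ctx c = { .token.len = 64, .mech.len = 64, .name.len = 64 };
    struct stream s = { sample_msg, sample_msg + n };
    int before = live_allocs;
    int leaked = dec(&s, &c) ? live_allocs - before : 0;
    buf_free(&c.token);   /* release what is still attached so the demo ends clean */
    buf_free(&c.mech);
    buf_free(&c.name);
    return leaked;
}

int main(void)
{
    for (size_t n = 0; n <= sizeof(sample_msg); n += 8)
        printf("n=%2zu leaky=%d unwind=%d\n", n, leaked_on_truncation(dec_ctx_leaky, n),
               leaked_on_truncation(dec_ctx_unwind, n));
    return 0;
}
```

The harness can reclaim the leaked buffers only because it still holds the context; the count it returns is what the decoder left behind for a caller that does not.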
From: Jens Axboe
To: Linus Torvalds
Cc: io-uring
Date: Fri, 26 Dec 2025 08:51:42 -0700
Subject: [GIT PULL] io_uring fix for 6.19-rc3

Hi Linus,

Just a single fix for a bug that can cause a leak of the filename with
IORING_OP_OPENAT, if direct descriptors are asked for and O_CLOEXEC has
been set in the request flags.

Please pull!

The following changes since commit 114ea9bbaf7681c4d363e13b7916e6fef6a4963a:

  io_uring: fix nr_segs calculation in io_import_kbuf (2025-12-17 07:35:42 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git tags/io_uring-6.19-20251226

for you to fetch changes up to b14fad555302a2104948feaff70503b64c80ac01:

  io_uring: fix filename leak in __io_openat_prep() (2025-12-25 07:58:33 -0700)

----------------------------------------------------------------
io_uring-6.19-20251226

----------------------------------------------------------------
Prithvi Tambewagh (1):
      io_uring: fix filename leak in __io_openat_prep()

 io_uring/openclose.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
Jens Axboe

From: Bjorn Helgaas
To: Siddharth Vadapalli
Cc: vigneshr@ti.com, lpieralisi@kernel.org, kwilczynski@kernel.org, mani@kernel.org, robh@kernel.org, bhelgaas@google.com, arnd@arndb.de, kishon@kernel.org, stable@vger.kernel.org, linux-omap@vger.kernel.org, linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, srk@ti.com
Subject: Re: [PATCH] PCI: j721e: Add config guards for Cadence Host and Endpoint library APIs
Date: Fri, 26 Dec 2025 11:19:19 -0600
Message-ID: <20251226171919.GA4131469@bhelgaas>
In-Reply-To: <20251117113246.1460644-1-s-vadapalli@ti.com>

On Mon, Nov 17, 2025 at 05:02:06PM +0530, Siddharth Vadapalli wrote:
> Commit under Fixes enabled loadable module support for the driver under
> the assumption that it shall be the sole user of the Cadence Host and
> Endpoint library APIs. This assumption guarantees that we won't end up
> in a case where the driver is built-in and the library support is built
> as a loadable module.
>
> With the introduction of [1], this assumption is no longer valid. The
> SG2042 driver could be built as a loadable module, implying that the
> Cadence Host library is also selected as a loadable module. However, the
> pci-j721e.c driver could be built-in as indicated by CONFIG_PCI_J721E=y
> due to which the Cadence Endpoint library is built-in. Despite the
> library drivers being built as specified by their respective consumers,
> since the 'pci-j721e.c' driver has references to the Cadence Host
> library APIs as well, we run into a build error as reported at [0].
>
> Fix this by adding config guards as a temporary workaround. The proper
> fix is to split the 'pci-j721e.c' driver into independent Host and
> Endpoint drivers as aligned at [2].

If we know what the proper fix is, why aren't we just doing that
instead of adding a temporary workaround?

> Fixes: a2790bf81f0f ("PCI: j721e: Add support to build as a loadable module")
> Reported-by: kernel test robot
> Closes: https://lore.kernel.org/oe-kbuild-all/202511111705.MZ7ls8Hm-lkp@intel.com/
> Cc:
> [0]: https://lore.kernel.org/r/202511111705.MZ7ls8Hm-lkp@intel.com/
> [1]: commit 1c72774df028 ("PCI: sg2042: Add Sophgo SG2042 PCIe driver")
> [2]: https://lore.kernel.org/r/37f6f8ce-12b2-44ee-a94c-f21b29c98821@app.fastmail.com/
> Suggested-by: Arnd Bergmann
> Signed-off-by: Siddharth Vadapalli
> --- > drivers/pci/controller/cadence/pci-j721e.c | 43 +++++++++++++--------- > 1 file changed, 26 insertions(+), 17 deletions(-) > > diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c > index 5bc5ab20aa6d..67c5e02afccf 100644 > --- a/drivers/pci/controller/cadence/pci-j721e.c > +++ b/drivers/pci/controller/cadence/pci-j721e.c > @@ -628,10 +628,12 @@ static int j721e_pcie_probe(struct platform_device *pdev) > gpiod_set_value_cansleep(gpiod, 1); > } > > - ret = cdns_pcie_host_setup(rc); > - if (ret < 0) { > - clk_disable_unprepare(pcie->refclk); > - goto err_pcie_setup; > + if (IS_ENABLED(CONFIG_PCI_J721E_HOST)) { > + ret = cdns_pcie_host_setup(rc); > + if (ret < 0) { > + clk_disable_unprepare(pcie->refclk); > + goto err_pcie_setup; > + } > } > > break; > @@ -642,9 +644,11 @@ static int j721e_pcie_probe(struct platform_device *pdev) > goto err_get_sync; > } > > - ret = cdns_pcie_ep_setup(ep); > - if (ret < 0) > - goto err_pcie_setup; > + if (IS_ENABLED(CONFIG_PCI_J721E_EP)) { > + ret = cdns_pcie_ep_setup(ep); > + if (ret < 0) > + goto err_pcie_setup; > + } > > break; > }
> @@ -669,10 +673,11 @@ static void j721e_pcie_remove(struct platform_device *pdev) > struct cdns_pcie_ep *ep; > struct cdns_pcie_rc *rc; > > - if (pcie->mode == PCI_MODE_RC) { > + if (IS_ENABLED(CONFIG_PCI_J721E_HOST) && > + pcie->mode == PCI_MODE_RC) { > rc = container_of(cdns_pcie, struct cdns_pcie_rc, pcie); > cdns_pcie_host_disable(rc); > - } else { > + } else if (IS_ENABLED(CONFIG_PCI_J721E_EP)) { > ep = container_of(cdns_pcie, struct cdns_pcie_ep, pcie); > cdns_pcie_ep_disable(ep); > } > @@ -739,10 +744,12 @@ static int j721e_pcie_resume_noirq(struct device *dev) > gpiod_set_value_cansleep(pcie->reset_gpio, 1); > } > > - ret = cdns_pcie_host_link_setup(rc); > - if (ret < 0) { > - clk_disable_unprepare(pcie->refclk); > - return ret; > + if (IS_ENABLED(CONFIG_PCI_J721E_HOST)) { > + ret = cdns_pcie_host_link_setup(rc); > + if (ret < 0) { > + clk_disable_unprepare(pcie->refclk); > + return ret; > + } > } > > /* 
> @@ -752,10 +759,12 @@ static int j721e_pcie_resume_noirq(struct device *dev) > for (enum cdns_pcie_rp_bar bar = RP_BAR0; bar <= RP_NO_BAR; bar++) > rc->avail_ib_bar[bar] = true; > > - ret = cdns_pcie_host_init(rc); > - if (ret) { > - clk_disable_unprepare(pcie->refclk); > - return ret; > + if (IS_ENABLED(CONFIG_PCI_J721E_HOST)) { > + ret = cdns_pcie_host_init(rc); > + if (ret) { > + clk_disable_unprepare(pcie->refclk); > + return ret; > + } > } > } > > -- > 2.51.1 >
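Review bot: In the RC branch of j721e_pcie_probe(), when CONFIG_PCI_J721E_HOST is disabled the new guard skips cdns_pcie_host_setup() and control reaches `break` with `ret` still holding the result of the earlier calls, so unless the case rejects RC mode above the visible context, probe reports success with no host bridge set up. The EP branch has the same shape around cdns_pcie_ep_setup(). An else arm that sets `ret = -ENODEV` and takes the existing error path, or a comment pointing at the earlier check, would make the compiled-out outcome explicit.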
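Review bot: In j721e_pcie_remove() the rewritten `else if (IS_ENABLED(CONFIG_PCI_J721E_EP))` arm no longer depends on pcie->mode, so with HOST disabled and EP enabled a device in PCI_MODE_RC falls into it and cdns_pcie is converted with container_of() to struct cdns_pcie_ep before cdns_pcie_ep_disable() runs. Testing the mode in both arms, for example `else if (IS_ENABLED(CONFIG_PCI_J721E_EP) && pcie->mode == PCI_MODE_EP)`, keeps the cast tied to the mode that was actually probed.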
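Review bot: In j721e_pcie_resume_noirq() the two host calls, cdns_pcie_host_link_setup() and cdns_pcie_host_init(), each get their own IS_ENABLED(CONFIG_PCI_J721E_HOST) block while the rc->avail_ib_bar reset loop between them stays unguarded and still writes through rc. A single guard around the whole RC resume sequence would be shorter, would remove the duplicated clk_disable_unprepare() nesting, and would leave rc untouched when host support is compiled out.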

Date: Fri, 26 Dec 2025 16:31:59 -0600
From: Bjorn Helgaas
To: Niklas Cassel
Cc: Lorenzo Pieralisi, Krzysztof Wilczyński, Manivannan Sadhasivam