From: Greg Kroah-Hartman Date: Fri, 10 Oct 2025 12:37:30 +0000 (+0200) Subject: 6.17-stable patches X-Git-Tag: v6.6.111~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e5b086e51dffd4e87095e6277a71f5da2df4e37;p=thirdparty%2Fkernel%2Fstable-queue.git 6.17-stable patches added patches: f2fs-fix-to-do-sanity-check-on-node-footer-for-non-inode-dnode.patch kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch net-9p-fix-double-req-put-in-p9_fd_cancelled.patch ring-buffer-propagate-__rb_map_vma-return-value-to-caller.patch --- diff --git a/queue-6.17/f2fs-fix-to-do-sanity-check-on-node-footer-for-non-inode-dnode.patch b/queue-6.17/f2fs-fix-to-do-sanity-check-on-node-footer-for-non-inode-dnode.patch new file mode 100644 index 0000000000..80ee940eed --- /dev/null +++ b/queue-6.17/f2fs-fix-to-do-sanity-check-on-node-footer-for-non-inode-dnode.patch @@ -0,0 +1,237 @@ +From c18ecd99e0c707ef8f83cace861cbc3162f4fdf1 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Sat, 23 Aug 2025 13:45:34 +0800 +Subject: f2fs: fix to do sanity check on node footer for non inode dnode + +From: Chao Yu + +commit c18ecd99e0c707ef8f83cace861cbc3162f4fdf1 upstream. + +As syzbot reported below: + +------------[ cut here ]------------ +kernel BUG at fs/f2fs/file.c:1243! +Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI +CPU: 0 UID: 0 PID: 5354 Comm: syz.0.0 Not tainted 6.17.0-rc1-syzkaller-00211-g90d970cade8e #0 PREEMPT(full) +RIP: 0010:f2fs_truncate_hole+0x69e/0x6c0 fs/f2fs/file.c:1243 +Call Trace: + + f2fs_punch_hole+0x2db/0x330 fs/f2fs/file.c:1306 + f2fs_fallocate+0x546/0x990 fs/f2fs/file.c:2018 + vfs_fallocate+0x666/0x7e0 fs/open.c:342 + ksys_fallocate fs/open.c:366 [inline] + __do_sys_fallocate fs/open.c:371 [inline] + __se_sys_fallocate fs/open.c:369 [inline] + __x64_sys_fallocate+0xc0/0x110 fs/open.c:369 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7f1e65f8ebe9 + +w/ a fuzzed image, f2fs may encounter panic due to it detects inconsistent +truncation range in direct node in f2fs_truncate_hole(). + +The root cause is: a non-inode dnode may has the same footer.ino and +footer.nid, so the dnode will be parsed as an inode, then ADDRS_PER_PAGE() +may return wrong blkaddr count which may be 923 typically, by chance, +dn.ofs_in_node is equal to 923, then count can be calculated to 0 in below +statement, later it will trigger panic w/ f2fs_bug_on(, count == 0 || ...). + + count = min(end_offset - dn.ofs_in_node, pg_end - pg_start); + +This patch introduces a new node_type NODE_TYPE_NON_INODE, then allowing +passing the new_type to sanity_check_node_footer in f2fs_get_node_folio() +to detect corruption that a non-inode dnode has the same footer.ino and +footer.nid. + +Scripts to reproduce: +mkfs.f2fs -f /dev/vdb +mount /dev/vdb /mnt/f2fs +touch /mnt/f2fs/foo +touch /mnt/f2fs/bar +dd if=/dev/zero of=/mnt/f2fs/foo bs=1M count=8 +umount /mnt/f2fs +inject.f2fs --node --mb i_nid --nid 4 --idx 0 --val 5 /dev/vdb +mount /dev/vdb /mnt/f2fs +xfs_io /mnt/f2fs/foo -c "fpunch 6984k 4k" + +Cc: stable@kernel.org +Reported-by: syzbot+b9c7ffd609c3f09416ab@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/linux-f2fs-devel/68a68e27.050a0220.1a3988.0002.GAE@google.com +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/f2fs.h | 4 ++- + fs/f2fs/gc.c | 4 +-- + fs/f2fs/node.c | 58 +++++++++++++++++++++++++++++++++++------------------ + fs/f2fs/node.h | 1 + fs/f2fs/recovery.c | 2 - + 5 files changed, 46 insertions(+), 23 deletions(-) + +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -3764,6 +3764,7 @@ void f2fs_hash_filename(const struct ino + * node.c + */ + struct node_info; ++enum node_type; + + int f2fs_check_nid_range(struct f2fs_sb_info *sbi, nid_t nid); + bool f2fs_available_free_memory(struct f2fs_sb_info *sbi, int type); +@@ -3786,7 +3787,8 @@ int f2fs_remove_inode_page(struct inode + struct folio *f2fs_new_inode_folio(struct inode *inode); + struct folio *f2fs_new_node_folio(struct dnode_of_data *dn, unsigned int ofs); + void f2fs_ra_node_page(struct f2fs_sb_info *sbi, nid_t nid); +-struct folio *f2fs_get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid); ++struct folio *f2fs_get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid, ++ enum node_type node_type); + struct folio *f2fs_get_inode_folio(struct f2fs_sb_info *sbi, pgoff_t ino); + struct folio *f2fs_get_xnode_folio(struct f2fs_sb_info *sbi, pgoff_t xnid); + int f2fs_move_node_folio(struct folio *node_folio, int gc_type); +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1071,7 +1071,7 @@ next_step: + } + + /* phase == 2 */ +- node_folio = f2fs_get_node_folio(sbi, nid); ++ node_folio = f2fs_get_node_folio(sbi, nid, NODE_TYPE_REGULAR); + if (IS_ERR(node_folio)) + continue; + +@@ -1145,7 +1145,7 @@ static bool is_alive(struct f2fs_sb_info + nid = le32_to_cpu(sum->nid); + ofs_in_node = le16_to_cpu(sum->ofs_in_node); + +- node_folio = f2fs_get_node_folio(sbi, nid); ++ node_folio = f2fs_get_node_folio(sbi, nid, NODE_TYPE_REGULAR); + if (IS_ERR(node_folio)) + return false; + +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -871,7 +871,8 @@ int f2fs_get_dnode_of_data(struct dnode_ + } + + if (!done) { +- nfolio[i] = f2fs_get_node_folio(sbi, nids[i]); ++ nfolio[i] = f2fs_get_node_folio(sbi, nids[i], ++ NODE_TYPE_NON_INODE); + if (IS_ERR(nfolio[i])) { + err = PTR_ERR(nfolio[i]); + f2fs_folio_put(nfolio[0], false); +@@ -989,7 +990,7 @@ static int truncate_dnode(struct dnode_o + return 1; + + /* get direct node */ +- folio = f2fs_get_node_folio(sbi, dn->nid); ++ folio = f2fs_get_node_folio(sbi, dn->nid, NODE_TYPE_NON_INODE); + if (PTR_ERR(folio) == -ENOENT) + return 1; + else if (IS_ERR(folio)) +@@ -1033,7 +1034,8 @@ static int truncate_nodes(struct dnode_o + + trace_f2fs_truncate_nodes_enter(dn->inode, dn->nid, dn->data_blkaddr); + +- folio = f2fs_get_node_folio(F2FS_I_SB(dn->inode), dn->nid); ++ folio = f2fs_get_node_folio(F2FS_I_SB(dn->inode), dn->nid, ++ NODE_TYPE_NON_INODE); + if (IS_ERR(folio)) { + trace_f2fs_truncate_nodes_exit(dn->inode, PTR_ERR(folio)); + return PTR_ERR(folio); +@@ -1111,7 +1113,8 @@ static int truncate_partial_nodes(struct + /* get indirect nodes in the path */ + for (i = 0; i < idx + 1; i++) { + /* reference count'll be increased */ +- folios[i] = f2fs_get_node_folio(F2FS_I_SB(dn->inode), nid[i]); ++ folios[i] = f2fs_get_node_folio(F2FS_I_SB(dn->inode), nid[i], ++ NODE_TYPE_NON_INODE); + if (IS_ERR(folios[i])) { + err = PTR_ERR(folios[i]); + idx = i - 1; +@@ -1496,21 +1499,37 @@ static int sanity_check_node_footer(stru + struct folio *folio, pgoff_t nid, + enum node_type ntype) + { +- if (unlikely(nid != nid_of_node(folio) || +- (ntype == NODE_TYPE_INODE && !IS_INODE(folio)) || +- (ntype == NODE_TYPE_XATTR && +- !f2fs_has_xattr_block(ofs_of_node(folio))) || +- time_to_inject(sbi, FAULT_INCONSISTENT_FOOTER))) { +- f2fs_warn(sbi, "inconsistent node block, node_type:%d, nid:%lu, " +- "node_footer[nid:%u,ino:%u,ofs:%u,cpver:%llu,blkaddr:%u]", +- ntype, nid, nid_of_node(folio), ino_of_node(folio), +- ofs_of_node(folio), cpver_of_node(folio), +- next_blkaddr_of_node(folio)); +- set_sbi_flag(sbi, SBI_NEED_FSCK); +- f2fs_handle_error(sbi, ERROR_INCONSISTENT_FOOTER); +- return -EFSCORRUPTED; ++ if (unlikely(nid != nid_of_node(folio))) ++ goto out_err; ++ ++ switch (ntype) { ++ case NODE_TYPE_INODE: ++ if (!IS_INODE(folio)) ++ goto out_err; ++ break; ++ case NODE_TYPE_XATTR: ++ if (!f2fs_has_xattr_block(ofs_of_node(folio))) ++ goto out_err; ++ break; ++ case NODE_TYPE_NON_INODE: ++ if (IS_INODE(folio)) ++ goto out_err; ++ break; ++ default: ++ break; + } ++ if (time_to_inject(sbi, FAULT_INCONSISTENT_FOOTER)) ++ goto out_err; + return 0; ++out_err: ++ f2fs_warn(sbi, "inconsistent node block, node_type:%d, nid:%lu, " ++ "node_footer[nid:%u,ino:%u,ofs:%u,cpver:%llu,blkaddr:%u]", ++ ntype, nid, nid_of_node(folio), ino_of_node(folio), ++ ofs_of_node(folio), cpver_of_node(folio), ++ next_blkaddr_of_node(folio)); ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ f2fs_handle_error(sbi, ERROR_INCONSISTENT_FOOTER); ++ return -EFSCORRUPTED; + } + + static struct folio *__get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid, +@@ -1567,9 +1586,10 @@ out_put_err: + return ERR_PTR(err); + } + +-struct folio *f2fs_get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid) ++struct folio *f2fs_get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid, ++ enum node_type node_type) + { +- return __get_node_folio(sbi, nid, NULL, 0, NODE_TYPE_REGULAR); ++ return __get_node_folio(sbi, nid, NULL, 0, node_type); + } + + struct folio *f2fs_get_inode_folio(struct f2fs_sb_info *sbi, pgoff_t ino) +--- a/fs/f2fs/node.h ++++ b/fs/f2fs/node.h +@@ -57,6 +57,7 @@ enum node_type { + NODE_TYPE_REGULAR, + NODE_TYPE_INODE, + NODE_TYPE_XATTR, ++ NODE_TYPE_NON_INODE, + }; + + /* +--- a/fs/f2fs/recovery.c ++++ b/fs/f2fs/recovery.c +@@ -548,7 +548,7 @@ got_it: + } + + /* Get the node page */ +- node_folio = f2fs_get_node_folio(sbi, nid); ++ node_folio = f2fs_get_node_folio(sbi, nid, NODE_TYPE_REGULAR); + if (IS_ERR(node_folio)) + return PTR_ERR(node_folio); + diff --git a/queue-6.17/kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch b/queue-6.17/kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch new file mode 100644 index 0000000000..a31fd8308c --- /dev/null +++ b/queue-6.17/kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch @@ -0,0 +1,159 @@ +From e750f85391286a4c8100275516973324b621a269 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Tue, 15 Jul 2025 12:06:38 -0700 +Subject: KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O + +From: Sean Christopherson + +commit e750f85391286a4c8100275516973324b621a269 upstream. + +When completing emulation of instruction that generated a userspace exit +for I/O, don't recheck L1 intercepts as KVM has already finished that +phase of instruction execution, i.e. has already committed to allowing L2 +to perform I/O. If L1 (or host userspace) modifies the I/O permission +bitmaps during the exit to userspace, KVM will treat the access as being +intercepted despite already having emulated the I/O access. + +Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation. +Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the +intended "recipient") can reach the code in question. gp_interception()'s +use is mutually exclusive with is_guest_mode(), and +complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with +EMULTYPE_SKIP. + +The bad behavior was detected by a syzkaller program that toggles port I/O +interception during the userspace I/O exit, ultimately resulting in a WARN +on vcpu->arch.pio.count being non-zero due to KVM no completing emulation +of the I/O instruction. + + WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm] + Modules linked in: kvm_intel kvm irqbypass + CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm] + PKRU: 55555554 + Call Trace: + + kvm_fast_pio+0xd6/0x1d0 [kvm] + vmx_handle_exit+0x149/0x610 [kvm_intel] + kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm] + kvm_vcpu_ioctl+0x244/0x8c0 [kvm] + __x64_sys_ioctl+0x8a/0xd0 + do_syscall_64+0x5d/0xc60 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + + +Reported-by: syzbot+cc2032ba16cc2018ca25@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/68790db4.a00a0220.3af5df.0020.GAE@google.com +Fixes: 8a76d7f25f8f ("KVM: x86: Add x86 callback for intercept check") +Cc: stable@vger.kernel.org +Cc: Jim Mattson +Link: https://lore.kernel.org/r/20250715190638.1899116-1-seanjc@google.com +Signed-off-by: Sean Christopherson +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/emulate.c | 9 ++++----- + arch/x86/kvm/kvm_emulate.h | 3 +-- + arch/x86/kvm/x86.c | 15 ++++++++------- + 3 files changed, 13 insertions(+), 14 deletions(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -5107,12 +5107,11 @@ void init_decode_cache(struct x86_emulat + ctxt->mem_read.end = 0; + } + +-int x86_emulate_insn(struct x86_emulate_ctxt *ctxt) ++int x86_emulate_insn(struct x86_emulate_ctxt *ctxt, bool check_intercepts) + { + const struct x86_emulate_ops *ops = ctxt->ops; + int rc = X86EMUL_CONTINUE; + int saved_dst_type = ctxt->dst.type; +- bool is_guest_mode = ctxt->ops->is_guest_mode(ctxt); + + ctxt->mem_read.pos = 0; + +@@ -5160,7 +5159,7 @@ int x86_emulate_insn(struct x86_emulate_ + fetch_possible_mmx_operand(&ctxt->dst); + } + +- if (unlikely(is_guest_mode) && ctxt->intercept) { ++ if (unlikely(check_intercepts) && ctxt->intercept) { + rc = emulator_check_intercept(ctxt, ctxt->intercept, + X86_ICPT_PRE_EXCEPT); + if (rc != X86EMUL_CONTINUE) +@@ -5189,7 +5188,7 @@ int x86_emulate_insn(struct x86_emulate_ + goto done; + } + +- if (unlikely(is_guest_mode) && (ctxt->d & Intercept)) { ++ if (unlikely(check_intercepts) && (ctxt->d & Intercept)) { + rc = emulator_check_intercept(ctxt, ctxt->intercept, + X86_ICPT_POST_EXCEPT); + if (rc != X86EMUL_CONTINUE) +@@ -5243,7 +5242,7 @@ int x86_emulate_insn(struct x86_emulate_ + + special_insn: + +- if (unlikely(is_guest_mode) && (ctxt->d & Intercept)) { ++ if (unlikely(check_intercepts) && (ctxt->d & Intercept)) { + rc = emulator_check_intercept(ctxt, ctxt->intercept, + X86_ICPT_POST_MEMACCESS); + if (rc != X86EMUL_CONTINUE) +--- a/arch/x86/kvm/kvm_emulate.h ++++ b/arch/x86/kvm/kvm_emulate.h +@@ -235,7 +235,6 @@ struct x86_emulate_ops { + void (*set_nmi_mask)(struct x86_emulate_ctxt *ctxt, bool masked); + + bool (*is_smm)(struct x86_emulate_ctxt *ctxt); +- bool (*is_guest_mode)(struct x86_emulate_ctxt *ctxt); + int (*leave_smm)(struct x86_emulate_ctxt *ctxt); + void (*triple_fault)(struct x86_emulate_ctxt *ctxt); + int (*set_xcr)(struct x86_emulate_ctxt *ctxt, u32 index, u64 xcr); +@@ -521,7 +520,7 @@ bool x86_page_table_writing_insn(struct + #define EMULATION_RESTART 1 + #define EMULATION_INTERCEPTED 2 + void init_decode_cache(struct x86_emulate_ctxt *ctxt); +-int x86_emulate_insn(struct x86_emulate_ctxt *ctxt); ++int x86_emulate_insn(struct x86_emulate_ctxt *ctxt, bool check_intercepts); + int emulator_task_switch(struct x86_emulate_ctxt *ctxt, + u16 tss_selector, int idt_index, int reason, + bool has_error_code, u32 error_code); +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -8470,11 +8470,6 @@ static bool emulator_is_smm(struct x86_e + return is_smm(emul_to_vcpu(ctxt)); + } + +-static bool emulator_is_guest_mode(struct x86_emulate_ctxt *ctxt) +-{ +- return is_guest_mode(emul_to_vcpu(ctxt)); +-} +- + #ifndef CONFIG_KVM_SMM + static int emulator_leave_smm(struct x86_emulate_ctxt *ctxt) + { +@@ -8558,7 +8553,6 @@ static const struct x86_emulate_ops emul + .guest_cpuid_is_intel_compatible = emulator_guest_cpuid_is_intel_compatible, + .set_nmi_mask = emulator_set_nmi_mask, + .is_smm = emulator_is_smm, +- .is_guest_mode = emulator_is_guest_mode, + .leave_smm = emulator_leave_smm, + .triple_fault = emulator_triple_fault, + .set_xcr = emulator_set_xcr, +@@ -9143,7 +9137,14 @@ restart: + ctxt->exception.address = 0; + } + +- r = x86_emulate_insn(ctxt); ++ /* ++ * Check L1's instruction intercepts when emulating instructions for ++ * L2, unless KVM is re-emulating a previously decoded instruction, ++ * e.g. to complete userspace I/O, in which case KVM has already ++ * checked the intercepts. ++ */ ++ r = x86_emulate_insn(ctxt, is_guest_mode(vcpu) && ++ !(emulation_type & EMULTYPE_NO_DECODE)); + + if (r == EMULATION_INTERCEPTED) + return 1; diff --git a/queue-6.17/net-9p-fix-double-req-put-in-p9_fd_cancelled.patch b/queue-6.17/net-9p-fix-double-req-put-in-p9_fd_cancelled.patch new file mode 100644 index 0000000000..f9b2fa3088 --- /dev/null +++ b/queue-6.17/net-9p-fix-double-req-put-in-p9_fd_cancelled.patch @@ -0,0 +1,121 @@ +From 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 Mon Sep 17 00:00:00 2001 +From: Nalivayko Sergey +Date: Tue, 15 Jul 2025 18:48:15 +0300 +Subject: net/9p: fix double req put in p9_fd_cancelled + +From: Nalivayko Sergey + +commit 674b56aa57f9379854cb6798c3bbcef7e7b51ab7 upstream. + +Syzkaller reports a KASAN issue as below: + +general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI +KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] +CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +RIP: 0010:__list_del include/linux/list.h:114 [inline] +RIP: 0010:__list_del_entry include/linux/list.h:137 [inline] +RIP: 0010:list_del include/linux/list.h:148 [inline] +RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734 + +Call Trace: + + p9_client_flush+0x351/0x440 net/9p/client.c:614 + p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734 + p9_client_version net/9p/client.c:920 [inline] + p9_client_create+0xb51/0x1240 net/9p/client.c:1027 + v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408 + v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126 + legacy_get_tree+0x108/0x220 fs/fs_context.c:632 + vfs_get_tree+0x8e/0x300 fs/super.c:1573 + do_new_mount fs/namespace.c:3056 [inline] + path_mount+0x6a6/0x1e90 fs/namespace.c:3386 + do_mount fs/namespace.c:3399 [inline] + __do_sys_mount fs/namespace.c:3607 [inline] + __se_sys_mount fs/namespace.c:3584 [inline] + __x64_sys_mount+0x283/0x300 fs/namespace.c:3584 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x6e/0xd8 + +This happens because of a race condition between: + +- The 9p client sending an invalid flush request and later cleaning it up; +- The 9p client in p9_read_work() canceled all pending requests. + + Thread 1 Thread 2 + ... + p9_client_create() + ... + p9_fd_create() + ... + p9_conn_create() + ... + // start Thread 2 + INIT_WORK(&m->rq, p9_read_work); + p9_read_work() + ... + p9_client_rpc() + ... + ... + p9_conn_cancel() + ... + spin_lock(&m->req_lock); + ... + p9_fd_cancelled() + ... + ... + spin_unlock(&m->req_lock); + // status rewrite + p9_client_cb(m->client, req, REQ_STATUS_ERROR) + // first remove + list_del(&req->req_list); + ... + + spin_lock(&m->req_lock) + ... + // second remove + list_del(&req->req_list); + spin_unlock(&m->req_lock) + ... + +Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in +p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem +client where the req_list could be deleted simultaneously by both +p9_read_work and p9_fd_cancelled functions, but for the case where req->status +equals REQ_STATUS_RCVD. + +Update the check for req->status in p9_fd_cancelled to skip processing not +just received requests, but anything that is not SENT, as whatever +changed the state from SENT also removed the request from its list. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: afd8d6541155 ("9P: Add cancelled() to the transport functions.") +Cc: stable@vger.kernel.org +Signed-off-by: Nalivayko Sergey +Message-ID: <20250715154815.3501030-1-Sergey.Nalivayko@kaspersky.com> +[updated the check from status == RECV || status == ERROR to status != SENT] +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman +--- + net/9p/trans_fd.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -726,10 +726,10 @@ static int p9_fd_cancelled(struct p9_cli + p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req); + + spin_lock(&m->req_lock); +- /* Ignore cancelled request if message has been received +- * before lock. +- */ +- if (req->status == REQ_STATUS_RCVD) { ++ /* Ignore cancelled request if status changed since the request was ++ * processed in p9_client_flush() ++ */ ++ if (req->status != REQ_STATUS_SENT) { + spin_unlock(&m->req_lock); + return 0; + } diff --git a/queue-6.17/ring-buffer-propagate-__rb_map_vma-return-value-to-caller.patch b/queue-6.17/ring-buffer-propagate-__rb_map_vma-return-value-to-caller.patch new file mode 100644 index 0000000000..e89f1a20e6 --- /dev/null +++ b/queue-6.17/ring-buffer-propagate-__rb_map_vma-return-value-to-caller.patch @@ -0,0 +1,40 @@ +From de4cbd704731778a2dc833ce5a24b38e5d672c05 Mon Sep 17 00:00:00 2001 +From: Ankit Khushwaha +Date: Wed, 8 Oct 2025 22:55:16 +0530 +Subject: ring buffer: Propagate __rb_map_vma return value to caller + +From: Ankit Khushwaha + +commit de4cbd704731778a2dc833ce5a24b38e5d672c05 upstream. + +The return value from `__rb_map_vma()`, which rejects writable or +executable mappings (VM_WRITE, VM_EXEC, or !VM_MAYSHARE), was being +ignored. As a result the caller of `__rb_map_vma` always returned 0 +even when the mapping had actually failed, allowing it to proceed +with an invalid VMA. + +Cc: stable@vger.kernel.org +Cc: Masami Hiramatsu +Cc: Mathieu Desnoyers +Link: https://lore.kernel.org/20251008172516.20697-1-ankitkhushwaha.linux@gmail.com +Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions") +Reported-by: syzbot+ddc001b92c083dbf2b97@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?id=194151be8eaebd826005329b2e123aecae714bdb +Signed-off-by: Ankit Khushwaha +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/ring_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -7273,7 +7273,7 @@ int ring_buffer_map(struct trace_buffer + atomic_dec(&cpu_buffer->resize_disabled); + } + +- return 0; ++ return err; + } + + int ring_buffer_unmap(struct trace_buffer *buffer, int cpu) diff --git a/queue-6.17/series b/queue-6.17/series index 363a64f305..32d2cc097d 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -20,3 +20,7 @@ driver-core-pm-set-power.no_callbacks-along-with-power.no_pm.patch revert-crypto-testmgr-desupport-sha-1-for-fips-140.patch crypto-zstd-fix-compression-bug-caused-by-truncation.patch crypto-rng-ensure-set_ent-is-always-present.patch +net-9p-fix-double-req-put-in-p9_fd_cancelled.patch +kvm-x86-don-t-re-check-l1-intercepts-when-completing-userspace-i-o.patch +f2fs-fix-to-do-sanity-check-on-node-footer-for-non-inode-dnode.patch +ring-buffer-propagate-__rb_map_vma-return-value-to-caller.patch