From: Greg Kroah-Hartman Date: Mon, 29 Sep 2025 13:11:27 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v5.4.300~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5dcbac9022f3ce1a877c332f322c747c28a7f576;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: afs-fix-potential-null-pointer-dereference-in-afs_put_server.patch fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch fbcon-fix-oob-access-in-font-allocation.patch fs-proc-task_mmu-check-p-vec_buf-for-null.patch gpiolib-extend-software-node-support-to-support-secondary-software-nodes.patch kmsan-fix-out-of-bounds-access-to-shadow-memory.patch mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch --- diff --git a/queue-6.12/afs-fix-potential-null-pointer-dereference-in-afs_put_server.patch b/queue-6.12/afs-fix-potential-null-pointer-dereference-in-afs_put_server.patch new file mode 100644 index 0000000000..e1a99b43c0 --- /dev/null +++ b/queue-6.12/afs-fix-potential-null-pointer-dereference-in-afs_put_server.patch @@ -0,0 +1,42 @@ +From 9158c6bb245113d4966df9b2ba602197a379412e Mon Sep 17 00:00:00 2001 +From: Zhen Ni +Date: Tue, 23 Sep 2025 15:51:04 +0800 +Subject: afs: Fix potential null pointer dereference in afs_put_server + +From: Zhen Ni + +commit 9158c6bb245113d4966df9b2ba602197a379412e upstream. + +afs_put_server() accessed server->debug_id before the NULL check, which +could lead to a null pointer dereference. Move the debug_id assignment, +ensuring we never dereference a NULL server pointer. + +Fixes: 2757a4dc1849 ("afs: Fix access after dec in put functions") +Cc: stable@vger.kernel.org +Signed-off-by: Zhen Ni +Acked-by: David Howells +Reviewed-by: Jeffrey Altman +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/afs/server.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/afs/server.c ++++ b/fs/afs/server.c +@@ -394,13 +394,14 @@ struct afs_server *afs_use_server(struct + void afs_put_server(struct afs_net *net, struct afs_server *server, + enum afs_server_trace reason) + { +- unsigned int a, debug_id = server->debug_id; ++ unsigned int a, debug_id; + bool zero; + int r; + + if (!server) + return; + ++ debug_id = server->debug_id; + a = atomic_read(&server->active); + zero = __refcount_dec_and_test(&server->ref, &r); + trace_afs_server(debug_id, r - 1, a, reason); diff --git a/queue-6.12/fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch b/queue-6.12/fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch new file mode 100644 index 0000000000..dee99316a9 --- /dev/null +++ b/queue-6.12/fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch @@ -0,0 +1,71 @@ +From 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe Mon Sep 17 00:00:00 2001 +From: Samasth Norway Ananda +Date: Fri, 12 Sep 2025 10:00:23 -0700 +Subject: fbcon: fix integer overflow in fbcon_do_set_font +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Samasth Norway Ananda + +commit 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe upstream. + +Fix integer overflow vulnerabilities in fbcon_do_set_font() where font +size calculations could overflow when handling user-controlled font +parameters. + +The vulnerabilities occur when: +1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount + multiplication with user-controlled values that can overflow. +2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow +3. This results in smaller allocations than expected, leading to buffer + overflows during font data copying. + +Add explicit overflow checking using check_mul_overflow() and +check_add_overflow() kernel helpers to safety validate all size +calculations before allocation. + +Signed-off-by: Samasth Norway Ananda +Reviewed-by: Thomas Zimmermann +Fixes: 39b3cffb8cf3 ("fbcon: prevent user font height or width change from causing potential out-of-bounds access") +Cc: George Kennedy +Cc: stable +Cc: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com +Cc: Greg Kroah-Hartman +Cc: Simona Vetter +Cc: Helge Deller +Cc: Thomas Zimmermann +Cc: "Ville Syrjälä" +Cc: Sam Ravnborg +Cc: Qianqiang Liu +Cc: Shixiong Ou +Cc: Kees Cook +Cc: # v5.9+ +Signed-off-by: Thomas Zimmermann +Link: https://lore.kernel.org/r/20250912170023.3931881-1-samasth.norway.ananda@oracle.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbcon.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -2519,9 +2519,16 @@ static int fbcon_set_font(struct vc_data + if (fbcon_invalid_charcount(info, charcount)) + return -EINVAL; + +- size = CALC_FONTSZ(h, pitch, charcount); ++ /* Check for integer overflow in font size calculation */ ++ if (check_mul_overflow(h, pitch, &size) || ++ check_mul_overflow(size, charcount, &size)) ++ return -EINVAL; ++ ++ /* Check for overflow in allocation size calculation */ ++ if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size)) ++ return -EINVAL; + +- new_data = kmalloc(FONT_EXTRA_WORDS * sizeof(int) + size, GFP_USER); ++ new_data = kmalloc(size, GFP_USER); + + if (!new_data) + return -ENOMEM; diff --git a/queue-6.12/fbcon-fix-oob-access-in-font-allocation.patch b/queue-6.12/fbcon-fix-oob-access-in-font-allocation.patch new file mode 100644 index 0000000000..d1c568a582 --- /dev/null +++ b/queue-6.12/fbcon-fix-oob-access-in-font-allocation.patch @@ -0,0 +1,67 @@ +From 9b2f5ef00e852f8e8902a4d4f73aeedc60220c12 Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Mon, 22 Sep 2025 15:45:54 +0200 +Subject: fbcon: Fix OOB access in font allocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Zimmermann + +commit 9b2f5ef00e852f8e8902a4d4f73aeedc60220c12 upstream. + +Commit 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") +introduced an out-of-bounds access by storing data and allocation sizes +in the same variable. Restore the old size calculation and use the new +variable 'alloc_size' for the allocation. + +Signed-off-by: Thomas Zimmermann +Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") +Reported-by: Jani Nikula +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15020 +Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6201 +Cc: Samasth Norway Ananda +Cc: Thomas Zimmermann +Cc: George Kennedy +Cc: Greg Kroah-Hartman +Cc: Simona Vetter +Cc: Helge Deller +Cc: "Ville Syrjälä" +Cc: Sam Ravnborg +Cc: Qianqiang Liu +Cc: Shixiong Ou +Cc: Kees Cook +Cc: # v5.9+ +Cc: Zsolt Kajtar +Reviewed-by: Lucas De Marchi +Reviewed-by: Qianqiang Liu +Link: https://lore.kernel.org/r/20250922134619.257684-1-tzimmermann@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/fbcon.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/video/fbdev/core/fbcon.c ++++ b/drivers/video/fbdev/core/fbcon.c +@@ -2492,7 +2492,7 @@ static int fbcon_set_font(struct vc_data + unsigned charcount = font->charcount; + int w = font->width; + int h = font->height; +- int size; ++ int size, alloc_size; + int i, csum; + u8 *new_data, *data = font->data; + int pitch = PITCH(font->width); +@@ -2525,10 +2525,10 @@ static int fbcon_set_font(struct vc_data + return -EINVAL; + + /* Check for overflow in allocation size calculation */ +- if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size)) ++ if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &alloc_size)) + return -EINVAL; + +- new_data = kmalloc(size, GFP_USER); ++ new_data = kmalloc(alloc_size, GFP_USER); + + if (!new_data) + return -ENOMEM; diff --git a/queue-6.12/fs-proc-task_mmu-check-p-vec_buf-for-null.patch b/queue-6.12/fs-proc-task_mmu-check-p-vec_buf-for-null.patch new file mode 100644 index 0000000000..8ae8ff94a5 --- /dev/null +++ b/queue-6.12/fs-proc-task_mmu-check-p-vec_buf-for-null.patch @@ -0,0 +1,92 @@ +From 28aa29986dde79e8466bc87569141291053833f5 Mon Sep 17 00:00:00 2001 +From: Jakub Acs +Date: Mon, 22 Sep 2025 08:22:05 +0000 +Subject: fs/proc/task_mmu: check p->vec_buf for NULL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakub Acs + +commit 28aa29986dde79e8466bc87569141291053833f5 upstream. + +When the PAGEMAP_SCAN ioctl is invoked with vec_len = 0 reaches +pagemap_scan_backout_range(), kernel panics with null-ptr-deref: + +[ 44.936808] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI +[ 44.937797] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +[ 44.938391] CPU: 1 UID: 0 PID: 2480 Comm: reproducer Not tainted 6.17.0-rc6 #22 PREEMPT(none) +[ 44.939062] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 +[ 44.939935] RIP: 0010:pagemap_scan_thp_entry.isra.0+0x741/0xa80 + + + +[ 44.946828] Call Trace: +[ 44.947030] +[ 44.949219] pagemap_scan_pmd_entry+0xec/0xfa0 +[ 44.952593] walk_pmd_range.isra.0+0x302/0x910 +[ 44.954069] walk_pud_range.isra.0+0x419/0x790 +[ 44.954427] walk_p4d_range+0x41e/0x620 +[ 44.954743] walk_pgd_range+0x31e/0x630 +[ 44.955057] __walk_page_range+0x160/0x670 +[ 44.956883] walk_page_range_mm+0x408/0x980 +[ 44.958677] walk_page_range+0x66/0x90 +[ 44.958984] do_pagemap_scan+0x28d/0x9c0 +[ 44.961833] do_pagemap_cmd+0x59/0x80 +[ 44.962484] __x64_sys_ioctl+0x18d/0x210 +[ 44.962804] do_syscall_64+0x5b/0x290 +[ 44.963111] entry_SYSCALL_64_after_hwframe+0x76/0x7e + +vec_len = 0 in pagemap_scan_init_bounce_buffer() means no buffers are +allocated and p->vec_buf remains set to NULL. + +This breaks an assumption made later in pagemap_scan_backout_range(), that +page_region is always allocated for p->vec_buf_index. + +Fix it by explicitly checking p->vec_buf for NULL before dereferencing. + +Other sites that might run into same deref-issue are already (directly or +transitively) protected by checking p->vec_buf. + +Note: +From PAGEMAP_SCAN man page, it seems vec_len = 0 is valid when no output +is requested and it's only the side effects caller is interested in, +hence it passes check in pagemap_scan_get_args(). + +This issue was found by syzkaller. + +Link: https://lkml.kernel.org/r/20250922082206.6889-1-acsjakub@amazon.de +Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs") +Signed-off-by: Jakub Acs +Reviewed-by: Muhammad Usama Anjum +Acked-by: David Hildenbrand +Cc: Vlastimil Babka +Cc: Lorenzo Stoakes +Cc: Jinjiang Tu +Cc: Suren Baghdasaryan +Cc: Penglei Jiang +Cc: Mark Brown +Cc: Baolin Wang +Cc: Ryan Roberts +Cc: Andrei Vagin +Cc: "Michał Mirosław" +Cc: Stephen Rothwell +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/task_mmu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -2259,6 +2259,9 @@ static void pagemap_scan_backout_range(s + { + struct page_region *cur_buf = &p->vec_buf[p->vec_buf_index]; + ++ if (!p->vec_buf) ++ return; ++ + if (cur_buf->start != addr) + cur_buf->end = addr; + else diff --git a/queue-6.12/gpiolib-extend-software-node-support-to-support-secondary-software-nodes.patch b/queue-6.12/gpiolib-extend-software-node-support-to-support-secondary-software-nodes.patch new file mode 100644 index 0000000000..36b70f1a17 --- /dev/null +++ b/queue-6.12/gpiolib-extend-software-node-support-to-support-secondary-software-nodes.patch @@ -0,0 +1,68 @@ +From c6ccc4dde17676dfe617b9a37bd9ba19a8fc87ee Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 20 Sep 2025 22:09:55 +0200 +Subject: gpiolib: Extend software-node support to support secondary software-nodes + +From: Hans de Goede + +commit c6ccc4dde17676dfe617b9a37bd9ba19a8fc87ee upstream. + +When a software-node gets added to a device which already has another +fwnode as primary node it will become the secondary fwnode for that +device. + +Currently if a software-node with GPIO properties ends up as the secondary +fwnode then gpiod_find_by_fwnode() will fail to find the GPIOs. + +Add a new gpiod_fwnode_lookup() helper which falls back to calling +gpiod_find_by_fwnode() with the secondary fwnode if the GPIO was not +found in the primary fwnode. + +Fixes: e7f9ff5dc90c ("gpiolib: add support for software nodes") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Reviewed-by: Dmitry Torokhov +Link: https://lore.kernel.org/r/20250920200955.20403-1-hansg@kernel.org +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -4317,6 +4317,23 @@ static struct gpio_desc *gpiod_find_by_f + return desc; + } + ++static struct gpio_desc *gpiod_fwnode_lookup(struct fwnode_handle *fwnode, ++ struct device *consumer, ++ const char *con_id, ++ unsigned int idx, ++ enum gpiod_flags *flags, ++ unsigned long *lookupflags) ++{ ++ struct gpio_desc *desc; ++ ++ desc = gpiod_find_by_fwnode(fwnode, consumer, con_id, idx, flags, lookupflags); ++ if (gpiod_not_found(desc) && !IS_ERR_OR_NULL(fwnode)) ++ desc = gpiod_find_by_fwnode(fwnode->secondary, consumer, con_id, ++ idx, flags, lookupflags); ++ ++ return desc; ++} ++ + struct gpio_desc *gpiod_find_and_request(struct device *consumer, + struct fwnode_handle *fwnode, + const char *con_id, +@@ -4335,8 +4352,8 @@ struct gpio_desc *gpiod_find_and_request + int ret = 0; + + scoped_guard(srcu, &gpio_devices_srcu) { +- desc = gpiod_find_by_fwnode(fwnode, consumer, con_id, idx, +- &flags, &lookupflags); ++ desc = gpiod_fwnode_lookup(fwnode, consumer, con_id, idx, ++ &flags, &lookupflags); + if (gpiod_not_found(desc) && platform_lookup_allowed) { + /* + * Either we are not using DT or ACPI, or their lookup diff --git a/queue-6.12/kmsan-fix-out-of-bounds-access-to-shadow-memory.patch b/queue-6.12/kmsan-fix-out-of-bounds-access-to-shadow-memory.patch new file mode 100644 index 0000000000..9145ff55c6 --- /dev/null +++ b/queue-6.12/kmsan-fix-out-of-bounds-access-to-shadow-memory.patch @@ -0,0 +1,128 @@ +From 85e1ff61060a765d91ee62dc5606d4d547d9d105 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 11 Sep 2025 12:58:58 -0700 +Subject: kmsan: fix out-of-bounds access to shadow memory + +From: Eric Biggers + +commit 85e1ff61060a765d91ee62dc5606d4d547d9d105 upstream. + +Running sha224_kunit on a KMSAN-enabled kernel results in a crash in +kmsan_internal_set_shadow_origin(): + + BUG: unable to handle page fault for address: ffffbc3840291000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 1810067 P4D 1810067 PUD 192d067 PMD 3c17067 PTE 0 + Oops: 0000 [#1] SMP NOPTI + CPU: 0 UID: 0 PID: 81 Comm: kunit_try_catch Tainted: G N 6.17.0-rc3 #10 PREEMPT(voluntary) + Tainted: [N]=TEST + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 + RIP: 0010:kmsan_internal_set_shadow_origin+0x91/0x100 + [...] + Call Trace: + + __msan_memset+0xee/0x1a0 + sha224_final+0x9e/0x350 + test_hash_buffer_overruns+0x46f/0x5f0 + ? kmsan_get_shadow_origin_ptr+0x46/0xa0 + ? __pfx_test_hash_buffer_overruns+0x10/0x10 + kunit_try_run_case+0x198/0xa00 + +This occurs when memset() is called on a buffer that is not 4-byte aligned +and extends to the end of a guard page, i.e. the next page is unmapped. + +The bug is that the loop at the end of kmsan_internal_set_shadow_origin() +accesses the wrong shadow memory bytes when the address is not 4-byte +aligned. Since each 4 bytes are associated with an origin, it rounds the +address and size so that it can access all the origins that contain the +buffer. However, when it checks the corresponding shadow bytes for a +particular origin, it incorrectly uses the original unrounded shadow +address. This results in reads from shadow memory beyond the end of the +buffer's shadow memory, which crashes when that memory is not mapped. + +To fix this, correctly align the shadow address before accessing the 4 +shadow bytes corresponding to each origin. + +Link: https://lkml.kernel.org/r/20250911195858.394235-1-ebiggers@kernel.org +Fixes: 2ef3cec44c60 ("kmsan: do not wipe out origin when doing partial unpoisoning") +Signed-off-by: Eric Biggers +Tested-by: Alexander Potapenko +Reviewed-by: Alexander Potapenko +Cc: Dmitriy Vyukov +Cc: Marco Elver +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmsan/core.c | 10 +++++++--- + mm/kmsan/kmsan_test.c | 16 ++++++++++++++++ + 2 files changed, 23 insertions(+), 3 deletions(-) + +--- a/mm/kmsan/core.c ++++ b/mm/kmsan/core.c +@@ -195,7 +195,8 @@ void kmsan_internal_set_shadow_origin(vo + u32 origin, bool checked) + { + u64 address = (u64)addr; +- u32 *shadow_start, *origin_start; ++ void *shadow_start; ++ u32 *aligned_shadow, *origin_start; + size_t pad = 0; + + KMSAN_WARN_ON(!kmsan_metadata_is_contiguous(addr, size)); +@@ -214,9 +215,12 @@ void kmsan_internal_set_shadow_origin(vo + } + __memset(shadow_start, b, size); + +- if (!IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { ++ if (IS_ALIGNED(address, KMSAN_ORIGIN_SIZE)) { ++ aligned_shadow = shadow_start; ++ } else { + pad = address % KMSAN_ORIGIN_SIZE; + address -= pad; ++ aligned_shadow = shadow_start - pad; + size += pad; + } + size = ALIGN(size, KMSAN_ORIGIN_SIZE); +@@ -230,7 +234,7 @@ void kmsan_internal_set_shadow_origin(vo + * corresponding shadow slot is zero. + */ + for (int i = 0; i < size / KMSAN_ORIGIN_SIZE; i++) { +- if (origin || !shadow_start[i]) ++ if (origin || !aligned_shadow[i]) + origin_start[i] = origin; + } + } +--- a/mm/kmsan/kmsan_test.c ++++ b/mm/kmsan/kmsan_test.c +@@ -556,6 +556,21 @@ DEFINE_TEST_MEMSETXX(16) + DEFINE_TEST_MEMSETXX(32) + DEFINE_TEST_MEMSETXX(64) + ++/* Test case: ensure that KMSAN does not access shadow memory out of bounds. */ ++static void test_memset_on_guarded_buffer(struct kunit *test) ++{ ++ void *buf = vmalloc(PAGE_SIZE); ++ ++ kunit_info(test, ++ "memset() on ends of guarded buffer should not crash\n"); ++ ++ for (size_t size = 0; size <= 128; size++) { ++ memset(buf, 0xff, size); ++ memset(buf + PAGE_SIZE - size, 0xff, size); ++ } ++ vfree(buf); ++} ++ + static noinline void fibonacci(int *array, int size, int start) + { + if (start < 2 || (start == size)) +@@ -661,6 +676,7 @@ static struct kunit_case kmsan_test_case + KUNIT_CASE(test_memset16), + KUNIT_CASE(test_memset32), + KUNIT_CASE(test_memset64), ++ KUNIT_CASE(test_memset_on_guarded_buffer), + KUNIT_CASE(test_long_origin_chain), + KUNIT_CASE(test_stackdepot_roundtrip), + KUNIT_CASE(test_unpoison_memory), diff --git a/queue-6.12/mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch b/queue-6.12/mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch new file mode 100644 index 0000000000..a69a63c6b9 --- /dev/null +++ b/queue-6.12/mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch @@ -0,0 +1,78 @@ +From 7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7 Mon Sep 17 00:00:00 2001 +From: Jinjiang Tu +Date: Fri, 12 Sep 2025 15:41:39 +0800 +Subject: mm/hugetlb: fix folio is still mapped when deleted + +From: Jinjiang Tu + +commit 7b7387650dcf2881fd8bb55bcf3c8bd6c9542dd7 upstream. + +Migration may be raced with fallocating hole. remove_inode_single_folio +will unmap the folio if the folio is still mapped. However, it's called +without folio lock. If the folio is migrated and the mapped pte has been +converted to migration entry, folio_mapped() returns false, and won't +unmap it. Due to extra refcount held by remove_inode_single_folio, +migration fails, restores migration entry to normal pte, and the folio is +mapped again. As a result, we triggered BUG in filemap_unaccount_folio. + +The log is as follows: + BUG: Bad page cache in process hugetlb pfn:156c00 + page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00 + head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0 + aops:hugetlbfs_aops ino:dcc dentry name(?):"my_hugepage_file" + flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff) + page_type: f4(hugetlb) + page dumped because: still mapped when deleted + CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE + Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 + Call Trace: + + dump_stack_lvl+0x4f/0x70 + filemap_unaccount_folio+0xc4/0x1c0 + __filemap_remove_folio+0x38/0x1c0 + filemap_remove_folio+0x41/0xd0 + remove_inode_hugepages+0x142/0x250 + hugetlbfs_fallocate+0x471/0x5a0 + vfs_fallocate+0x149/0x380 + +Hold folio lock before checking if the folio is mapped to avold race with +migration. + +Link: https://lkml.kernel.org/r/20250912074139.3575005-1-tujinjiang@huawei.com +Fixes: 4aae8d1c051e ("mm/hugetlbfs: unmap pages if page fault raced with hole punch") +Signed-off-by: Jinjiang Tu +Cc: David Hildenbrand +Cc: Kefeng Wang +Cc: Matthew Wilcox (Oracle) +Cc: Muchun Song +Cc: Oscar Salvador +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + fs/hugetlbfs/inode.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/fs/hugetlbfs/inode.c ++++ b/fs/hugetlbfs/inode.c +@@ -594,14 +594,16 @@ static bool remove_inode_single_folio(st + + /* + * If folio is mapped, it was faulted in after being +- * unmapped in caller. Unmap (again) while holding +- * the fault mutex. The mutex will prevent faults +- * until we finish removing the folio. ++ * unmapped in caller or hugetlb_vmdelete_list() skips ++ * unmapping it due to fail to grab lock. Unmap (again) ++ * while holding the fault mutex. The mutex will prevent ++ * faults until we finish removing the folio. Hold folio ++ * lock to guarantee no concurrent migration. + */ ++ folio_lock(folio); + if (unlikely(folio_mapped(folio))) + hugetlb_unmap_file_folio(h, mapping, folio, index); + +- folio_lock(folio); + /* + * We must remove the folio from page cache before removing + * the region/ reserve map (hugetlb_unreserve_pages). In diff --git a/queue-6.12/series b/queue-6.12/series index 8eae6eeaca..5ae0eb4228 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -78,3 +78,10 @@ arm-dts-socfpga-sodia-fix-mdio-bus-probe-and-phy-address.patch arm64-dts-marvell-cn9132-clearfog-disable-emmc-high-speed-modes.patch arm64-dts-marvell-cn9132-clearfog-fix-multi-lane-pci-x2-and-x4-ports.patch drm-ast-use-msleep-instead-of-mdelay-for-edid-read.patch +afs-fix-potential-null-pointer-dereference-in-afs_put_server.patch +fs-proc-task_mmu-check-p-vec_buf-for-null.patch +gpiolib-extend-software-node-support-to-support-secondary-software-nodes.patch +kmsan-fix-out-of-bounds-access-to-shadow-memory.patch +mm-hugetlb-fix-folio-is-still-mapped-when-deleted.patch +fbcon-fix-integer-overflow-in-fbcon_do_set_font.patch +fbcon-fix-oob-access-in-font-allocation.patch