From 197c586da178001fe4ed64632a3d469f4cb3d3a7 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 23 Oct 2025 11:22:19 -0400 Subject: [PATCH] Fixes for all trees 
Signed-off-by: Sasha Levin --- ...fined-force-value-in-dlm_lockspace_r.patch | 34 +++ .../exec-fix-incorrect-type-for-ret.patch | 38 +++ ...-and-space-out-of-valid-records-in-b.patch | 94 ++++++++ ...init-value-issue-in-hfs_find_set_zer.patch | 112 +++++++++ ...initalization-of-struct-hfs_find_dat.patch | 76 ++++++ ...-record-offset-in-hfsplus_bmap_alloc.patch | 217 ++++++++++++++++++ ...n-uninit-value-issue-in-__hfsplus_ex.patch | 214 +++++++++++++++++ ...n-uninit-value-issue-in-hfsplus_dele.patch | 198 ++++++++++++++++ ...io-when-type-of-hidden-directory-mis.patch | 39 ++++ ...68k-bitops-fix-find_-_bit-signatures.patch | 90 ++++++++ queue-5.10/series | 10 + ...fined-force-value-in-dlm_lockspace_r.patch | 34 +++ .../exec-fix-incorrect-type-for-ret.patch | 38 +++ ...-and-space-out-of-valid-records-in-b.patch | 94 ++++++++ ...init-value-issue-in-hfs_find_set_zer.patch | 112 +++++++++ ...initalization-of-struct-hfs_find_dat.patch | 76 ++++++ ...-record-offset-in-hfsplus_bmap_alloc.patch | 217 ++++++++++++++++++ ...n-uninit-value-issue-in-__hfsplus_ex.patch | 214 +++++++++++++++++ ...n-uninit-value-issue-in-hfsplus_dele.patch | 198 ++++++++++++++++ ...io-when-type-of-hidden-directory-mis.patch | 39 ++++ ...68k-bitops-fix-find_-_bit-signatures.patch | 90 ++++++++ ...t-memblock.current_limit-is-set-when.patch | 74 ++++++ queue-5.15/series | 11 + ...fined-force-value-in-dlm_lockspace_r.patch | 34 +++ .../exec-fix-incorrect-type-for-ret.patch | 38 +++ ...-and-space-out-of-valid-records-in-b.patch | 94 ++++++++ ...init-value-issue-in-hfs_find_set_zer.patch | 112 +++++++++ ...initalization-of-struct-hfs_find_dat.patch | 76 ++++++ ...-record-offset-in-hfsplus_bmap_alloc.patch | 217 ++++++++++++++++++ ...n-uninit-value-issue-in-__hfsplus_ex.patch | 214 +++++++++++++++++ ...n-uninit-value-issue-in-hfsplus_dele.patch | 198 ++++++++++++++++ ...io-when-type-of-hidden-directory-mis.patch | 39 ++++ ...68k-bitops-fix-find_-_bit-signatures.patch | 90 ++++++++ queue-5.4/series | 10 + 
...fined-force-value-in-dlm_lockspace_r.patch | 34 +++ .../exec-fix-incorrect-type-for-ret.patch | 38 +++ ...-and-space-out-of-valid-records-in-b.patch | 94 ++++++++ ...init-value-issue-in-hfs_find_set_zer.patch | 112 +++++++++ ...initalization-of-struct-hfs_find_dat.patch | 76 ++++++ ...-record-offset-in-hfsplus_bmap_alloc.patch | 217 ++++++++++++++++++ ...n-uninit-value-issue-in-__hfsplus_ex.patch | 214 +++++++++++++++++ ...n-uninit-value-issue-in-hfsplus_dele.patch | 198 ++++++++++++++++ ...io-when-type-of-hidden-directory-mis.patch | 39 ++++ ...x-potential-null-dereference-on-kmal.patch | 47 ++++ ...68k-bitops-fix-find_-_bit-signatures.patch | 90 ++++++++ ...t-memblock.current_limit-is-set-when.patch | 74 ++++++ ...e-page_kernel_text-to-fix-startup-fa.patch | 107 +++++++++ queue-6.1/series | 14 ++ ...mb_direct_flush_send_list-invalidate.patch | 52 +++++ ...rect-sign-definitions-for-eiesb-and-.patch | 53 +++++ ...rve-original-elf-e_flags-for-core-du.patch | 162 +++++++++++++ ...map_kmalloc_node-with-kmalloc_nolock.patch | 190 +++++++++++++++ ...fined-force-value-in-dlm_lockspace_r.patch | 34 +++ ...i-relax-the-event-id-check-in-the-fr.patch | 54 +++++ .../exec-fix-incorrect-type-for-ret.patch | 38 +++ ...2-fix-unlikely-race-in-gdlm_put_lock.patch | 54 +++++ ...-and-space-out-of-valid-records-in-b.patch | 94 ++++++++ ...init-value-issue-in-hfs_find_set_zer.patch | 112 +++++++++ ...initalization-of-struct-hfs_find_dat.patch | 76 ++++++ ...-record-offset-in-hfsplus_bmap_alloc.patch | 217 ++++++++++++++++++ ...n-uninit-value-issue-in-__hfsplus_ex.patch | 214 +++++++++++++++++ ...n-uninit-value-issue-in-hfsplus_dele.patch | 198 ++++++++++++++++ ...io-when-type-of-hidden-directory-mis.patch | 39 ++++ ...x-potential-null-dereference-on-kmal.patch | 47 ++++ ...68k-bitops-fix-find_-_bit-signatures.patch | 90 ++++++++ ...t-memblock.current_limit-is-set-when.patch | 74 ++++++ ...for-bit-underflow-in-pcie_set_readrq.patch | 67 ++++++ 
...e-page_kernel_text-to-fix-startup-fa.patch | 107 +++++++++ ...p_account-for-user-page-table-alloca.patch | 65 ++++++ queue-6.12/series | 22 ++ ...mb_direct_flush_send_list-invalidate.patch | 52 +++++ ...ak-make-tools-for-user-space-targets.patch | 62 +++++ ...rect-sign-definitions-for-eiesb-and-.patch | 53 +++++ ...rve-original-elf-e_flags-for-core-du.patch | 162 +++++++++++++ ...map_kmalloc_node-with-kmalloc_nolock.patch | 190 +++++++++++++++ ...fix-misc_res_type-kernel-doc-warning.patch | 39 ++++ ...fined-force-value-in-dlm_lockspace_r.patch | 34 +++ ...info-for-all-middle-conversion-cases.patch | 53 +++++ ...i-relax-the-event-id-check-in-the-fr.patch | 54 +++++ .../exec-fix-incorrect-type-for-ret.patch | 38 +++ ...rtfs_can_encode_fh-for-export_fh_fid.patch | 50 ++++ ...2-fix-unlikely-race-in-gdlm_put_lock.patch | 54 +++++ ...-and-space-out-of-valid-records-in-b.patch | 94 ++++++++ ...init-value-issue-in-hfs_find_set_zer.patch | 112 +++++++++ ...initalization-of-struct-hfs_find_dat.patch | 76 ++++++ ...-record-offset-in-hfsplus_bmap_alloc.patch | 217 ++++++++++++++++++ ...n-uninit-value-issue-in-__hfsplus_ex.patch | 214 +++++++++++++++++ ...n-uninit-value-issue-in-hfsplus_dele.patch | 198 ++++++++++++++++ ...io-when-type-of-hidden-directory-mis.patch | 39 ++++ ...x-potential-null-dereference-on-kmal.patch | 47 ++++ ...68k-bitops-fix-find_-_bit-signatures.patch | 90 ++++++++ ...t-memblock.current_limit-is-set-when.patch | 74 ++++++ ...for-bit-underflow-in-pcie_set_readrq.patch | 67 ++++++ ...e-page_kernel_text-to-fix-startup-fa.patch | 107 +++++++++ ...-add-validation-for-zfa-zfh-and-zfhm.patch | 73 ++++++ ...intended-satp-mode-for-noxlvl-option.patch | 61 +++++ ...mmu-type-from-fdt-to-limit-satp-mode.patch | 146 ++++++++++++ ...p_account-for-user-page-table-alloca.patch | 65 ++++++ ...orward-keygenflags-to-ep11_unwrapkey.patch | 49 ++++ queue-6.17/series | 32 +++ ...-the-range-of-info-receive_credit_ta.patch | 73 ++++++ 
...use-of-ib_wc_status_msg-and-skip-ib_.patch | 77 +++++++ ...-post_recv_credits_work-also-if-the-.patch | 62 +++++ ...mb_direct_flush_send_list-invalidate.patch | 52 +++++ ...ak-make-tools-for-user-space-targets.patch | 62 +++++ ...fined-force-value-in-dlm_lockspace_r.patch | 34 +++ ...i-relax-the-event-id-check-in-the-fr.patch | 54 +++++ .../exec-fix-incorrect-type-for-ret.patch | 38 +++ ...-and-space-out-of-valid-records-in-b.patch | 94 ++++++++ ...init-value-issue-in-hfs_find_set_zer.patch | 112 +++++++++ ...initalization-of-struct-hfs_find_dat.patch | 76 ++++++ ...-record-offset-in-hfsplus_bmap_alloc.patch | 217 ++++++++++++++++++ ...n-uninit-value-issue-in-__hfsplus_ex.patch | 214 +++++++++++++++++ ...n-uninit-value-issue-in-hfsplus_dele.patch | 198 ++++++++++++++++ ...io-when-type-of-hidden-directory-mis.patch | 39 ++++ ...x-potential-null-dereference-on-kmal.patch | 47 ++++ ...68k-bitops-fix-find_-_bit-signatures.patch | 90 ++++++++ ...t-memblock.current_limit-is-set-when.patch | 74 ++++++ ...e-page_kernel_text-to-fix-startup-fa.patch | 107 +++++++++ queue-6.6/series | 16 ++ ...mb_direct_flush_send_list-invalidate.patch | 52 +++++ ...ak-make-tools-for-user-space-targets.patch | 62 +++++ 122 files changed, 11306 insertions(+) create mode 100644 queue-5.10/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch create mode 100644 queue-5.10/exec-fix-incorrect-type-for-ret.patch create mode 100644 queue-5.10/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch create mode 100644 queue-5.10/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch create mode 100644 queue-5.10/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch create mode 100644 queue-5.10/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch create mode 100644 queue-5.10/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch create mode 100644 queue-5.10/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch create mode 100644 
queue-5.10/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch create mode 100644 queue-5.10/m68k-bitops-fix-find_-_bit-signatures.patch create mode 100644 queue-5.15/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch create mode 100644 queue-5.15/exec-fix-incorrect-type-for-ret.patch create mode 100644 queue-5.15/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch create mode 100644 queue-5.15/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch create mode 100644 queue-5.15/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch create mode 100644 queue-5.15/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch create mode 100644 queue-5.15/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch create mode 100644 queue-5.15/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch create mode 100644 queue-5.15/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch create mode 100644 queue-5.15/m68k-bitops-fix-find_-_bit-signatures.patch create mode 100644 queue-5.15/nios2-ensure-that-memblock.current_limit-is-set-when.patch create mode 100644 queue-5.4/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch create mode 100644 queue-5.4/exec-fix-incorrect-type-for-ret.patch create mode 100644 queue-5.4/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch create mode 100644 queue-5.4/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch create mode 100644 queue-5.4/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch create mode 100644 queue-5.4/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch create mode 100644 queue-5.4/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch create mode 100644 queue-5.4/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch create mode 100644 queue-5.4/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch create mode 100644 queue-5.4/m68k-bitops-fix-find_-_bit-signatures.patch create mode 100644 
queue-6.1/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch create mode 100644 queue-6.1/exec-fix-incorrect-type-for-ret.patch create mode 100644 queue-6.1/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch create mode 100644 queue-6.1/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch create mode 100644 queue-6.1/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch create mode 100644 queue-6.1/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch create mode 100644 queue-6.1/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch create mode 100644 queue-6.1/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch create mode 100644 queue-6.1/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch create mode 100644 queue-6.1/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch create mode 100644 queue-6.1/m68k-bitops-fix-find_-_bit-signatures.patch create mode 100644 queue-6.1/nios2-ensure-that-memblock.current_limit-is-set-when.patch create mode 100644 queue-6.1/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch create mode 100644 queue-6.1/smb-server-let-smb_direct_flush_send_list-invalidate.patch create mode 100644 queue-6.12/arm64-sysreg-correct-sign-definitions-for-eiesb-and-.patch create mode 100644 queue-6.12/binfmt_elf-preserve-original-elf-e_flags-for-core-du.patch create mode 100644 queue-6.12/bpf-replace-bpf_map_kmalloc_node-with-kmalloc_nolock.patch create mode 100644 queue-6.12/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch create mode 100644 queue-6.12/drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch create mode 100644 queue-6.12/exec-fix-incorrect-type-for-ret.patch create mode 100644 queue-6.12/gfs2-fix-unlikely-race-in-gdlm_put_lock.patch create mode 100644 queue-6.12/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch create mode 100644 queue-6.12/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch create mode 100644 
queue-6.12/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch create mode 100644 queue-6.12/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch create mode 100644 queue-6.12/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch create mode 100644 queue-6.12/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch create mode 100644 queue-6.12/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch create mode 100644 queue-6.12/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch create mode 100644 queue-6.12/m68k-bitops-fix-find_-_bit-signatures.patch create mode 100644 queue-6.12/nios2-ensure-that-memblock.current_limit-is-set-when.patch create mode 100644 queue-6.12/pci-test-for-bit-underflow-in-pcie_set_readrq.patch create mode 100644 queue-6.12/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch create mode 100644 queue-6.12/s390-mm-use-__gfp_account-for-user-page-table-alloca.patch create mode 100644 queue-6.12/series create mode 100644 queue-6.12/smb-server-let-smb_direct_flush_send_list-invalidate.patch create mode 100644 queue-6.12/unbreak-make-tools-for-user-space-targets.patch create mode 100644 queue-6.17/arm64-sysreg-correct-sign-definitions-for-eiesb-and-.patch create mode 100644 queue-6.17/binfmt_elf-preserve-original-elf-e_flags-for-core-du.patch create mode 100644 queue-6.17/bpf-replace-bpf_map_kmalloc_node-with-kmalloc_nolock.patch create mode 100644 queue-6.17/cgroup-misc-fix-misc_res_type-kernel-doc-warning.patch create mode 100644 queue-6.17/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch create mode 100644 queue-6.17/dlm-move-to-rinfo-for-all-middle-conversion-cases.patch create mode 100644 queue-6.17/drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch create mode 100644 queue-6.17/exec-fix-incorrect-type-for-ret.patch create mode 100644 queue-6.17/expfs-fix-exportfs_can_encode_fh-for-export_fh_fid.patch create mode 100644 queue-6.17/gfs2-fix-unlikely-race-in-gdlm_put_lock.patch create mode 
100644 queue-6.17/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch create mode 100644 queue-6.17/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch create mode 100644 queue-6.17/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch create mode 100644 queue-6.17/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch create mode 100644 queue-6.17/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch create mode 100644 queue-6.17/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch create mode 100644 queue-6.17/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch create mode 100644 queue-6.17/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch create mode 100644 queue-6.17/m68k-bitops-fix-find_-_bit-signatures.patch create mode 100644 queue-6.17/nios2-ensure-that-memblock.current_limit-is-set-when.patch create mode 100644 queue-6.17/pci-test-for-bit-underflow-in-pcie_set_readrq.patch create mode 100644 queue-6.17/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch create mode 100644 queue-6.17/riscv-cpufeature-add-validation-for-zfa-zfh-and-zfhm.patch create mode 100644 queue-6.17/riscv-mm-return-intended-satp-mode-for-noxlvl-option.patch create mode 100644 queue-6.17/riscv-mm-use-mmu-type-from-fdt-to-limit-satp-mode.patch create mode 100644 queue-6.17/s390-mm-use-__gfp_account-for-user-page-table-alloca.patch create mode 100644 queue-6.17/s390-pkey-forward-keygenflags-to-ep11_unwrapkey.patch create mode 100644 queue-6.17/smb-client-limit-the-range-of-info-receive_credit_ta.patch create mode 100644 queue-6.17/smb-client-make-use-of-ib_wc_status_msg-and-skip-ib_.patch create mode 100644 queue-6.17/smb-client-queue-post_recv_credits_work-also-if-the-.patch create mode 100644 queue-6.17/smb-server-let-smb_direct_flush_send_list-invalidate.patch create mode 100644 queue-6.17/unbreak-make-tools-for-user-space-targets.patch create mode 100644 queue-6.6/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch create 
mode 100644 queue-6.6/drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch create mode 100644 queue-6.6/exec-fix-incorrect-type-for-ret.patch create mode 100644 queue-6.6/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch create mode 100644 queue-6.6/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch create mode 100644 queue-6.6/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch create mode 100644 queue-6.6/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch create mode 100644 queue-6.6/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch create mode 100644 queue-6.6/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch create mode 100644 queue-6.6/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch create mode 100644 queue-6.6/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch create mode 100644 queue-6.6/m68k-bitops-fix-find_-_bit-signatures.patch create mode 100644 queue-6.6/nios2-ensure-that-memblock.current_limit-is-set-when.patch create mode 100644 queue-6.6/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch create mode 100644 queue-6.6/series create mode 100644 queue-6.6/smb-server-let-smb_direct_flush_send_list-invalidate.patch create mode 100644 queue-6.6/unbreak-make-tools-for-user-space-targets.patch diff --git a/queue-5.10/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch b/queue-5.10/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch new file mode 100644 index 0000000000..054ddf5a5d --- /dev/null +++ b/queue-5.10/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch 
@@ -0,0 +1,34 @@
+From 6bb1961d1f55ad3cf11fcbc1d0cf78d7d2505f4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Jul 2025 11:21:52 -0400
+Subject: dlm: check for defined force value in dlm_lockspace_release
+
+From: Alexander Aring
+
+[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]
+
+Force values over 3 are undefined, so don't treat them as 3.
+
+Signed-off-by: Alexander Aring
+Signed-off-by: David Teigland
+Signed-off-by: Sasha Levin
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index 624617c12250a..db33e521556e3 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -783,7 +783,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
+ 
+ dlm_device_deregister(ls);
+ 
+- if (force < 3 && dlm_user_daemon_available())
++ if (force != 3 && dlm_user_daemon_available())
+ do_uevent(ls, 0);
+ 
+ dlm_recoverd_stop(ls);
+--
+2.51.0
+
diff --git a/queue-5.10/exec-fix-incorrect-type-for-ret.patch b/queue-5.10/exec-fix-incorrect-type-for-ret.patch
new file mode 100644
index 0000000000..6396147122
--- /dev/null
+++ b/queue-5.10/exec-fix-incorrect-type-for-ret.patch
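Review bot: Replacing `force < 3` with `force != 3` does more than stop treating undefined force values as 3 — any value over 3 now takes the `do_uevent(ls, 0)` path that it previously skipped, i.e. it is treated like 0..2 instead. Whether that is acceptable depends on whether the 5.10 caller path (dlm_release_lockspace, outside the hunk) rejects `force > 3` before release_lockspace is entered; if it does not, the backport should say so or add that bounds check. At minimum a comment on the condition such as `/* only force == 3 skips notifying the userspace daemon; values > 3 are undefined */` would record the intended semantics for the stable tree. The rest of release_lockspace is outside the hunk.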
@@ -0,0 +1,38 @@
+From 5ef45f8eb1548294cfb01f3b61d656697387f0a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Aug 2025 15:36:09 +0800
+Subject: exec: Fix incorrect type for ret
+
+From: Xichao Zhao
+
+[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]
+
+In the setup_arg_pages(), ret is declared as an unsigned long.
+The ret might take a negative value. Therefore, its type should
+be changed to int.
+
+Signed-off-by: Xichao Zhao
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 7144c541818f6..2979b458b650a 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -746,7 +746,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ unsigned long stack_top,
+ int executable_stack)
+ {
+- unsigned long ret;
++ int ret;
+ unsigned long stack_shift;
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma = bprm->vma;
+--
+2.51.0
+
diff --git a/queue-5.10/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch b/queue-5.10/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
new file mode 100644
index 0000000000..2ea3d50579
--- /dev/null
+++ b/queue-5.10/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
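Review bot: Narrowing `ret` from `unsigned long` to `int` is only safe if every value assigned to it in the 5.10 body of setup_arg_pages fits in an int; the body, including the calls whose results land in `ret` and the error assignments, is outside the hunk, so this should be confirmed against the 5.10 source rather than carried over from the upstream tree where the type change was reviewed. The backport also carries no `Fixes:` tag and the message does not name the comparison or return that misbehaved with the unsigned type, so the stable-selection rationale is not visible from the patch itself. If a negative-errno check in the 5.10 body is the motivating case, naming it in the backport note would make the change auditable.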
@@ -0,0 +1,94 @@ +From 621fd2b4c26528885bab7cb6540d21f9c4f4a0a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Aug 2025 12:49:19 -0700 +Subject: hfs: clear offset and space out of valid records in b-tree node + +From: Viacheslav Dubeyko + +[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ] + +Currently, hfs_brec_remove() executes moving records +towards the location of deleted record and it updates +offsets of moved records. However, the hfs_brec_remove() +logic ignores the "mess" of b-tree node's free space and +it doesn't touch the offsets out of records number. +Potentially, it could confuse fsck or driver logic or +to be a reason of potential corruption cases. + +This patch reworks the logic of hfs_brec_remove() +by means of clearing freed space of b-tree node +after the records moving. And it clear the last +offset that keeping old location of free space +because now the offset before this one is keeping +the actual offset to the free space after the record +deletion. 
+ +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/brec.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c +index 896396554bcc1..b01db1fae147c 100644 +--- a/fs/hfs/brec.c ++++ b/fs/hfs/brec.c +@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd) + struct hfs_btree *tree; + struct hfs_bnode *node, *parent; + int end_off, rec_off, data_off, size; ++ int src, dst, len; + + tree = fd->tree; + node = fd->bnode; +@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd) + } + hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs); + +- if (rec_off == end_off) +- goto skip; + size = fd->keylength + fd->entrylength; + ++ if (rec_off == end_off) { ++ src = fd->keyoffset; ++ hfs_bnode_clear(node, src, size); ++ goto skip; ++ } ++ + do { + data_off = hfs_bnode_read_u16(node, rec_off); + hfs_bnode_write_u16(node, rec_off + 2, data_off - size); +@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd) + } while (rec_off >= end_off); + + /* fill hole */ +- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size, +- data_off - fd->keyoffset - size); ++ dst = fd->keyoffset; ++ src = fd->keyoffset + size; ++ len = data_off - src; ++ ++ hfs_bnode_move(node, dst, src, len); ++ ++ src = dst + len; ++ len = data_off - src; ++ ++ hfs_bnode_clear(node, src, len); ++ + skip: ++ /* ++ * Remove the obsolete offset to free space. ++ */ ++ hfs_bnode_write_u16(node, end_off, 0); ++ + hfs_bnode_dump(node); + if (!fd->record) + hfs_brec_update_parent(fd); +-- +2.51.0 + 
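Review bot: In the new fill-hole code the second `len = data_off - src;` always evaluates to `size`: `src` is `dst + len`, i.e. `fd->keyoffset + (data_off - fd->keyoffset - size)`, so `data_off - src` reduces to `size`. Recomputing it obscures that the region being cleared is exactly the bytes of the removed record, and it makes the two clear sites look like they clear different quantities when the `rec_off == end_off` branch also clears `size` bytes. Replacing the two lines `src = dst + len; len = data_off - src;` and the clear with `hfs_bnode_clear(node, dst + len, size);` plus a comment `/* the tail left after the move is exactly the removed record */` states the invariant directly. hfs_brec_remove starts and ends outside the hunk.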
diff --git a/queue-5.10/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch b/queue-5.10/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch new file mode 100644 index 0000000000..a7cb52e0c6 --- /dev/null +++ b/queue-5.10/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch 
@@ -0,0 +1,112 @@ +From 98a7f19664a11d01e70898d5940c05d2337b6d67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Aug 2025 16:06:38 -0700 +Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() + +From: Viacheslav Dubeyko + +[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ] + +The syzbot reported issue in hfs_find_set_zero_bits(): + +===================================================== +BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151 + hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408 + hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353 + __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151 + block_write_begin fs/buffer.c:2262 [inline] + cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + cont_expand_zero fs/buffer.c:2528 [inline] + cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494 + hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654 + notify_change+0x1993/0x1aa0 fs/attr.c:552 + do_truncate+0x28f/0x310 fs/open.c:68 + do_ftruncate+0x698/0x730 fs/open.c:195 + do_sys_ftruncate fs/open.c:210 [inline] + __do_sys_ftruncate fs/open.c:215 [inline] + __se_sys_ftruncate fs/open.c:213 [inline] + __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213 + x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4154 [inline] + slab_alloc_node mm/slub.c:4197 [inline] + __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354 + kmalloc_noprof include/linux/slab.h:905 [inline] + hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175 + hfs_fill_super+0x3d0/0xb80 
fs/hfs/super.c:337 + get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681 + get_tree_bdev+0x38/0x50 fs/super.c:1704 + hfs_get_tree+0x35/0x40 fs/hfs/super.c:388 + vfs_get_tree+0xb0/0x5c0 fs/super.c:1804 + do_new_mount+0x738/0x1610 fs/namespace.c:3902 + path_mount+0x6db/0x1e90 fs/namespace.c:4226 + do_mount fs/namespace.c:4239 [inline] + __do_sys_mount fs/namespace.c:4450 [inline] + __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427 + __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427 + x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 +===================================================== + +The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get(): + +HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); + +Finally, it can trigger the reported issue because kmalloc() +doesn't clear the allocated memory. If allocated memory contains +only zeros, then everything will work pretty fine. +But if the allocated memory contains the "garbage", then +it can affect the bitmap operations and it triggers +the reported issue. + +This patch simply exchanges the kmalloc() on kzalloc() +with the goal to guarantee the correctness of bitmap operations. +Because, newly created allocation bitmap should have all +available blocks free. Potentially, initialization bitmap's read +operation could not fill the whole allocated memory and +"garbage" in the not initialized memory will be the reason of +volume coruptions and file system driver bugs. 
+ +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831 +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/mdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c +index cdf0edeeb2781..f8f976afcc740 100644 +--- a/fs/hfs/mdb.c ++++ b/fs/hfs/mdb.c +@@ -172,7 +172,7 @@ int hfs_mdb_get(struct super_block *sb) + pr_warn("continuing without an alternate MDB\n"); + } + +- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); ++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL); + if (!HFS_SB(sb)->bitmap) + goto out; + +-- +2.51.0 + diff --git a/queue-5.10/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch b/queue-5.10/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch new file mode 100644 index 0000000000..7570f8b801 --- /dev/null +++ b/queue-5.10/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch 
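Review bot: The switch to `kzalloc(8192, GFP_KERNEL)` carries no comment, and the surrounding context gives no hint why zeroed memory matters, so a later reader who sees an 8192-byte buffer that is subsequently filled from disk may "optimise" it back to kmalloc and reintroduce the uninit-value report. The commit message supplies the reason — the bitmap read may not fill the whole buffer, and all-zero content is the safe state because it marks blocks free — and that belongs next to the allocation, e.g. `/* zeroed: any part the on-disk bitmap read does not cover must read as free */`. It is also worth checking in the 5.10 read path (outside the hunk) whether a short bitmap read is reported at all, since zero-fill makes such a read indistinguishable from a clean volume.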
@@ -0,0 +1,76 @@ +From f4bdcdfcb7bdd269902e2190a5915ec8790f5ff6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 15:52:52 -0700 +Subject: hfs: make proper initalization of struct hfs_find_data + +From: Viacheslav Dubeyko + +[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ] + +Potenatially, __hfs_ext_read_extent() could operate by +not initialized values of fd->key after hfs_brec_find() call: + +static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent, + u32 cnid, u32 block, u8 type) +{ + int res; + + hfs_ext_build_key(fd->search_key, cnid, block, type); + fd->key->ext.FNum = 0; + res = hfs_brec_find(fd); + if (res && res != -ENOENT) + return res; + if (fd->key->ext.FNum != fd->search_key->ext.FNum || + fd->key->ext.FkType != fd->search_key->ext.FkType) + return -ENOENT; + if (fd->entrylength != sizeof(hfs_extent_rec)) + return -EIO; + hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec)); + return 0; +} + +This patch changes kmalloc() on kzalloc() in hfs_find_init() +and intializes fd->record, fd->keyoffset, fd->keylength, +fd->entryoffset, fd->entrylength for the case if hfs_brec_find() +has been found nothing in the b-tree node. 
+ +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/bfind.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c +index ef9498a6e88ac..6d37b4c759034 100644 +--- a/fs/hfs/bfind.c ++++ b/fs/hfs/bfind.c +@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) + + fd->tree = tree; + fd->bnode = NULL; +- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); ++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; +@@ -112,6 +112,12 @@ int hfs_brec_find(struct hfs_find_data *fd) + __be32 data; + int height, res; + ++ fd->record = -1; ++ fd->keyoffset = -1; ++ fd->keylength = -1; ++ fd->entryoffset = -1; ++ fd->entrylength = -1; ++ + tree = fd->tree; + if (fd->bnode) + hfs_bnode_put(fd->bnode); +-- +2.51.0 + diff --git a/queue-5.10/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch b/queue-5.10/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch new file mode 100644 index 0000000000..207e3fdd8d --- /dev/null +++ b/queue-5.10/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch 
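Review bot: The five `-1` sentinels written at the top of hfs_brec_find have no comment, and because the fields stay plain ints nothing marks them as "no result" to a caller that reads `fd->keyoffset` or `fd->entrylength` after a `-ENOENT`; arithmetic on them, such as a key length plus an entry length, silently yields `-2` rather than failing. A comment above the block, e.g. `/* Invalidate the result fields so a failed search cannot leak stale positions */`, would record the contract the commit message describes and steer callers toward checking the return value first. The `kzalloc` change presumably zeroes both `search_key` and the second key carved from the same `max_key_len * 2 + 4` allocation, but only `fd->search_key = ptr;` is visible in the hunk, so that is inferred. hfs_brec_find continues outside the hunk.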
@@ -0,0 +1,217 @@ +From f17312bc406313f43c1a4a6d52d44af9d9070f9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 22:17:34 +0800 +Subject: hfs: validate record offset in hfsplus_bmap_alloc + +From: Yang Chenzhi + +[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ] + +hfsplus_bmap_alloc can trigger a crash if a +record offset or length is larger than node_size + +[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183 +[ 15.265949] +[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary) +[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 15.266167] Call Trace: +[ 15.266168] +[ 15.266169] dump_stack_lvl+0x53/0x70 +[ 15.266173] print_report+0xd0/0x660 +[ 15.266181] kasan_report+0xce/0x100 +[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0 +[ 15.266217] hfsplus_brec_insert+0x870/0xb00 +[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570 +[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910 +[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200 +[ 15.266233] hfsplus_file_extend+0x5a7/0x1000 +[ 15.266237] hfsplus_get_block+0x12b/0x8c0 +[ 15.266238] __block_write_begin_int+0x36b/0x12c0 +[ 15.266251] block_write_begin+0x77/0x110 +[ 15.266252] cont_write_begin+0x428/0x720 +[ 15.266259] hfsplus_write_begin+0x51/0x100 +[ 15.266262] cont_write_begin+0x272/0x720 +[ 15.266270] hfsplus_write_begin+0x51/0x100 +[ 15.266274] generic_perform_write+0x321/0x750 +[ 15.266285] generic_file_write_iter+0xc3/0x310 +[ 15.266289] __kernel_write_iter+0x2fd/0x800 +[ 15.266296] dump_user_range+0x2ea/0x910 +[ 15.266301] elf_core_dump+0x2a94/0x2ed0 +[ 15.266320] vfs_coredump+0x1d85/0x45e0 +[ 15.266349] get_signal+0x12e3/0x1990 +[ 15.266357] arch_do_signal_or_restart+0x89/0x580 +[ 15.266362] 
irqentry_exit_to_user_mode+0xab/0x110 +[ 15.266364] asm_exc_page_fault+0x26/0x30 +[ 15.266366] RIP: 0033:0x41bd35 +[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f +[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283 +[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000 +[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100 +[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000 +[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000 +[ 15.266376] + +When calling hfsplus_bmap_alloc to allocate a free node, this function +first retrieves the bitmap from header node and map node using node->page +together with the offset and length from hfs_brec_lenoff + +``` +len = hfs_brec_lenoff(node, 2, &off16); +off = off16; + +off += node->page_offset; +pagep = node->page + (off >> PAGE_SHIFT); +data = kmap_local_page(*pagep); +``` + +However, if the retrieved offset or length is invalid(i.e. exceeds +node_size), the code may end up accessing pages outside the allocated +range for this node. + +This patch adds proper validation of both offset and length before use, +preventing out-of-bounds page access. Move is_bnode_offset_valid and +check_and_correct_requested_length to hfsplus_fs.h, as they may be +required by other functions. 
+ +Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/ +Signed-off-by: Yang Chenzhi +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bnode.c | 41 ---------------------------------------- + fs/hfsplus/btree.c | 6 ++++++ + fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 48 insertions(+), 41 deletions(-) + +diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c +index c9c38fddf505b..e566cea238279 100644 +--- a/fs/hfsplus/bnode.c ++++ b/fs/hfsplus/bnode.c +@@ -18,47 +18,6 @@ + #include "hfsplus_fs.h" + #include "hfsplus_raw.h" + +-static inline +-bool is_bnode_offset_valid(struct hfs_bnode *node, int off) +-{ +- bool is_valid = off < node->tree->node_size; +- +- if (!is_valid) { +- pr_err("requested invalid offset: " +- "NODE: id %u, type %#x, height %u, " +- "node_size %u, offset %d\n", +- node->this, node->type, node->height, +- node->tree->node_size, off); +- } +- +- return is_valid; +-} +- +-static inline +-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) +-{ +- unsigned int node_size; +- +- if (!is_bnode_offset_valid(node, off)) +- return 0; +- +- node_size = node->tree->node_size; +- +- if ((off + len) > node_size) { +- int new_len = (int)node_size - off; +- +- pr_err("requested length has been corrected: " +- "NODE: id %u, type %#x, height %u, " +- "node_size %u, offset %d, " +- "requested_len %d, corrected_len %d\n", +- node->this, node->type, node->height, +- node->tree->node_size, off, len, new_len); +- +- return new_len; +- } +- +- return len; +-} + + /* Copy a specified range of bytes from the raw data of a node */ + void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) +diff --git 
a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c +index 66774f4cb4fd5..2211907537fec 100644 +--- a/fs/hfsplus/btree.c ++++ b/fs/hfsplus/btree.c +@@ -392,6 +392,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree) + len = hfs_brec_lenoff(node, 2, &off16); + off = off16; + ++ if (!is_bnode_offset_valid(node, off)) { ++ hfs_bnode_put(node); ++ return ERR_PTR(-EIO); ++ } ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + data = kmap(*pagep); +diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h +index c37a2f3d88af0..27fcadf4e9f82 100644 +--- a/fs/hfsplus/hfsplus_fs.h ++++ b/fs/hfsplus/hfsplus_fs.h +@@ -579,6 +579,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree) + return class; + } + ++static inline ++bool is_bnode_offset_valid(struct hfs_bnode *node, int off) ++{ ++ bool is_valid = off < node->tree->node_size; ++ ++ if (!is_valid) { ++ pr_err("requested invalid offset: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off); ++ } ++ ++ return is_valid; ++} ++ ++static inline ++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) ++{ ++ unsigned int node_size; ++ ++ if (!is_bnode_offset_valid(node, off)) ++ return 0; ++ ++ node_size = node->tree->node_size; ++ ++ if ((off + len) > node_size) { ++ int new_len = (int)node_size - off; ++ ++ pr_err("requested length has been corrected: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, " ++ "requested_len %d, corrected_len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len, new_len); ++ ++ return new_len; ++ } ++ ++ return len; ++} ++ + /* compatibility */ + #define hfsp_mt2ut(t) (struct timespec64){ .tv_sec = __hfsp_mt2ut(t) } + #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec) +-- +2.51.0 + 
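Review bot: The new check in hfs_bmap_alloc() rejects an out-of-range offset and clamps an over-long length, but it does not treat an inconsistent length as corruption: hfs_brec_lenoff() derives len as the difference of two on-disk record offsets (an unsigned type, if I read bnode.c right), so reversed offsets wrap to a large value that check_and_correct_requested_length() silently trims to `node_size - off`, and a zero length passes through unchanged into the kmap()/bitmap scan below. For the allocation bitmap a trimmed or empty length is not usable data; suggest after the clamp: `if (len == 0) { hfs_bnode_put(node); return ERR_PTR(-EIO); }`, and consider failing rather than correcting when the clamp fires. The loop that consumes len is outside the hunk, so confirm there how len == 0 is handled. Separately, both helpers log with pr_err() on every corrupt node reachable from an untrusted image; pr_err_ratelimited() would avoid log flooding.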
diff --git a/queue-5.10/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch b/queue-5.10/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch new file mode 100644 index 0000000000..2c980f55e7 --- /dev/null +++ b/queue-5.10/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch 
@@ -0,0 +1,214 @@ +From 5b44f17fe8add5fbc93cc29e969a84a8c12c362e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 15:52:32 -0700 +Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() + +From: Viacheslav Dubeyko + +[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ] + +The syzbot reported issue in __hfsplus_ext_cache_extent(): + +[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.199771][ T9350] ksys_write+0x23e/0x490 +[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.202054][ T9350] +[ 70.202279][ T9350] Uninit was created at: +[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80 +[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0 +[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0 +[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.207961][ T9350] ksys_write+0x23e/0x490 +[ 
70.208375][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.210230][ T9350] +[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 +[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.212115][ T9350] ===================================================== +[ 70.212734][ T9350] Disabling lock debugging due to kernel taint +[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... +[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5 +[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE +[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.215999][ T9350] Call Trace: +[ 70.216309][ T9350] +[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0 +[ 70.217025][ T9350] dump_stack+0x1e/0x30 +[ 70.217421][ T9350] panic+0x502/0xca0 +[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 + +[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ... + kernel +:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +set ... +[ 70.221254][ T9350] ? __msan_warning+0x96/0x120 +[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0 +[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0 +[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0 +[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950 +[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130 +[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060 +[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460 +[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0 +[ 70.228540][ T9350] ? 
vfs_write+0xb0f/0x14e0 +[ 70.228997][ T9350] ? ksys_write+0x23e/0x490 +[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0 +[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0 +[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0 +[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0 +[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10 +[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0 +[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40 +[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620 +[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.241175][ T9350] __msan_warning+0x96/0x120 +[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10 +[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.249856][ T9350] ? 
kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10 +[ 70.251530][ T9350] ksys_write+0x23e/0x490 +[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60 +[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9 +[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9 +[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004 +[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0 +[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250 +[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 70.261286][ T9350] +[ 70.262026][ T9350] Kernel Offset: disabled + +(gdb) l *__hfsplus_ext_cache_extent+0x7d0 +0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168). +163 fd->key->ext.cnid = 0; +164 res = hfs_brec_find(fd, hfs_find_rec_by_key); +165 if (res && res != -ENOENT) +166 return res; +167 if (fd->key->ext.cnid != fd->search_key->ext.cnid || +168 fd->key->ext.fork_type != fd->search_key->ext.fork_type) +169 return -ENOENT; +170 if (fd->entrylength != sizeof(hfsplus_extent_rec)) +171 return -EIO; +172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset, + +The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent(): + +res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino, + block, HFSPLUS_IS_RSRC(inode) ? 
+ HFSPLUS_TYPE_RSRC : + HFSPLUS_TYPE_DATA); + +And if inode->i_ino could be equal to zero or any non-available CNID, +then hfs_brec_find() could not find the record in the tree. As a result, +fd->key could be compared with fd->search_key. But hfsplus_find_init() +uses kmalloc() for fd->key and fd->search_key allocation: + +int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) +{ + + ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; + fd->key = ptr + tree->max_key_len + 2; + +} + +Finally, fd->key is still not initialized if hfs_brec_find() +has found nothing. + +This patch changes kmalloc() on kzalloc() in hfs_find_init() +and intializes fd->record, fd->keyoffset, fd->keylength, +fd->entryoffset, fd->entrylength for the case if hfs_brec_find() +has been found nothing in the b-tree node. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521 +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bfind.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c +index 901e83d65d202..26ebac4c60424 100644 +--- a/fs/hfsplus/bfind.c ++++ b/fs/hfsplus/bfind.c +@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) + + fd->tree = tree; + fd->bnode = NULL; +- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); ++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; +@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare) + __be32 data; + int height, res; + ++ fd->record = -1; ++ fd->keyoffset = -1; ++ fd->keylength = -1; ++ fd->entryoffset = -1; ++ fd->entrylength 
= -1; ++ + tree = fd->tree; + if (fd->bnode) + hfs_bnode_put(fd->bnode); +-- +2.51.0 + diff --git a/queue-5.10/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch b/queue-5.10/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch new file mode 100644 index 0000000000..d5546c72f1 --- /dev/null +++ b/queue-5.10/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch 
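Review bot: With the key buffer now zero-filled, a search for cnid 0 on the data fork (HFSPLUS_TYPE_DATA is 0x00 in hfsplus_raw.h, if I read it right) that finds nothing in a tree with no comparable record will compare a zeroed `fd->key` against a search key of cnid 0 / fork_type 0 and pass the check at extents.c:167-168 quoted in the message; it is the `fd->entrylength = -1` sentinel, not kzalloc(), that then turns the miss into -EIO. That dependency deserves a comment so the sentinels are not dropped later: `/* A miss must fail the entrylength check in __hfsplus_ext_read_extent(); the zeroed key alone can match cnid 0 / fork 0. */`. The commit message names inode->i_ino being 0 or an invalid CNID as the trigger; rejecting such a CNID in __hfsplus_ext_cache_extent() (outside this hunk) would address the cause rather than only the symptom. hfs_brec_find()'s body continues past the hunk.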
@@ -0,0 +1,198 @@ +From 3f3b210e5f5de6908db840ed384620adfb92afc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 15:51:04 -0700 +Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() + +From: Viacheslav Dubeyko + +[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ] + +The syzbot reported issue in hfsplus_delete_cat(): + +[ 70.682285][ T9333] ===================================================== +[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0 +[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310 +[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810 +[ 70.685447][ T9333] do_rmdir+0x964/0xea0 +[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0 +[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0 +[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.687646][ T9333] +[ 70.687856][ T9333] Uninit was stored to memory at: +[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 +[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800 +[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600 +[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70 +[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0 +[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30 +[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0 +[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0 +[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.692773][ T9333] +[ 70.692990][ T9333] Uninit was stored to memory at: +[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 +[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800 +[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700 +[ 70.694911][ T9333] mount_bdev+0x37b/0x530 +[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60 +[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0 +[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0 +[ 
70.696588][ T9333] do_new_mount+0x73e/0x1630 +[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0 +[ 70.697425][ T9333] __se_sys_mount+0x733/0x830 +[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150 +[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0 +[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.699730][ T9333] +[ 70.699946][ T9333] Uninit was created at: +[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60 +[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0 +[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0 +[ 70.701774][ T9333] allocate_slab+0x30e/0x1390 +[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0 +[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20 +[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0 +[ 70.703598][ T9333] alloc_inode+0x82/0x490 +[ 70.703984][ T9333] iget_locked+0x22e/0x1320 +[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0 +[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0 +[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700 +[ 70.705776][ T9333] mount_bdev+0x37b/0x530 +[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60 +[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0 +[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0 +[ 70.707444][ T9333] do_new_mount+0x73e/0x1630 +[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0 +[ 70.708270][ T9333] __se_sys_mount+0x733/0x830 +[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150 +[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0 +[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.710611][ T9333] +[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17 +[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.712490][ T9333] ===================================================== +[ 70.713085][ T9333] Disabling lock debugging due to kernel taint +[ 70.713618][ T9333] Kernel panic - not 
syncing: kmsan.panic set ... +[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17 +[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE +[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.716311][ T9333] Call Trace: +[ 70.716621][ T9333] +[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0 +[ 70.717350][ T9333] dump_stack+0x1e/0x30 +[ 70.717743][ T9333] panic+0x502/0xca0 +[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.718611][ T9333] kmsan_report+0x296/0x2a0 +[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.719859][ T9333] ? __msan_warning+0x96/0x120 +[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0 +[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310 +[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810 +[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0 +[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0 +[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0 +[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0 +[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60 +[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50 +[ 70.726175][ T9333] ? vprintk+0xce/0xd0 +[ 70.726628][ T9333] ? _printk+0x17e/0x1b0 +[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.728324][ T9333] __msan_warning+0x96/0x120 +[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0 +[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310 +[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10 +[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810 +[ 70.733416][ T9333] ? 
kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.734044][ T9333] do_rmdir+0x964/0xea0 +[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0 +[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0 +[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60 +[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9 +[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054 +[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9 +[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100 +[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910 +[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260 +[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 70.745082][ T9333] + +The main reason of the issue that struct hfsplus_inode_info +has not been properly initialized for the case of root folder. +In the case of root folder, hfsplus_fill_super() calls +the hfsplus_iget() that implements only partial initialization of +struct hfsplus_inode_info and subfolders field is not +initialized by hfsplus_iget() logic. + +This patch implements complete initialization of +struct hfsplus_inode_info in the hfsplus_iget() logic with +the goal to prevent likewise issues for the case of +root folder. 
+ +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/super.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c +index 7648f64a17a82..65c63c7a00b12 100644 +--- a/fs/hfsplus/super.c ++++ b/fs/hfsplus/super.c +@@ -67,13 +67,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino) + if (!(inode->i_state & I_NEW)) + return inode; + +- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list); +- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock); +- mutex_init(&HFSPLUS_I(inode)->extents_lock); +- HFSPLUS_I(inode)->flags = 0; ++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0); ++ HFSPLUS_I(inode)->first_blocks = 0; ++ HFSPLUS_I(inode)->clump_blocks = 0; ++ HFSPLUS_I(inode)->alloc_blocks = 0; ++ HFSPLUS_I(inode)->cached_start = U32_MAX; ++ HFSPLUS_I(inode)->cached_blocks = 0; ++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec)); ++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec)); + HFSPLUS_I(inode)->extent_state = 0; ++ mutex_init(&HFSPLUS_I(inode)->extents_lock); + HFSPLUS_I(inode)->rsrc_inode = NULL; +- atomic_set(&HFSPLUS_I(inode)->opencnt, 0); ++ HFSPLUS_I(inode)->create_date = 0; ++ HFSPLUS_I(inode)->linkid = 0; ++ HFSPLUS_I(inode)->flags = 0; ++ HFSPLUS_I(inode)->fs_blocks = 0; ++ HFSPLUS_I(inode)->userflags = 0; ++ HFSPLUS_I(inode)->subfolders = 0; ++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list); ++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock); ++ HFSPLUS_I(inode)->phys_size = 0; + + if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID || + inode->i_ino == HFSPLUS_ROOT_CNID) { +-- +2.51.0 + 
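Review bot: The field-by-field initialisation in hfsplus_iget() has no comment saying why the list must be exhaustive; the trace in the message shows the object comes from kmem_cache_alloc() in hfsplus_alloc_inode() uninitialised, so any field later added to struct hfsplus_inode_info and missed here reproduces this KMSAN report. Suggest at the top of the block: `/* The inode_info slab object is not zeroed by hfsplus_alloc_inode(); every field must be set here before the CNID-specific setup below. */`. Worth confirming that hfsplus_new_inode(), the other path that produces an hfsplus_inode_info (outside this hunk), sets subfolders as well; zeroing the object once in hfsplus_alloc_inode() would cover both paths and remove the need to keep this list in sync. hfsplus_iget() continues past the hunk.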
diff --git a/queue-5.10/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch b/queue-5.10/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
new file mode 100644
index 0000000000..5e78262ae6
--- /dev/null
+++ b/queue-5.10/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
@@ -0,0 +1,39 @@
+From 79cbd4abe81625e5c5f6a388c3499684763b2af6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+
+From: Yangtao Li
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li
+Reviewed-by: Viacheslav Dubeyko
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 65c63c7a00b12..9f8945042faa8 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -538,7 +538,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+--
+2.51.0
+
diff --git a/queue-5.10/m68k-bitops-fix-find_-_bit-signatures.patch b/queue-5.10/m68k-bitops-fix-find_-_bit-signatures.patch
new file mode 100644
index 0000000000..5ea984db16
--- /dev/null
+++ b/queue-5.10/m68k-bitops-fix-find_-_bit-signatures.patch
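Review bot: Returning -EIO is the right classification, but the mount failure on a corrupted hidden-directory record is still silent: nothing is logged before `goto out_put_root`, so an operator sees a bare I/O error with no indication that the Catalog File record had the wrong type. Suggest, before the assignment, `pr_err("hidden directory record is not a folder (type %#x)\n", be16_to_cpu(entry.type));` — the hfs tree code elsewhere in this series already reports corrupt on-disk structures with pr_err(). hfsplus_fill_super() is only partly visible in the hunk.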
@@ -0,0 +1,90 @@ +From 5ec620e24abab94f8acc3be20896b98f67924951 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 17:16:13 +0200 +Subject: m68k: bitops: Fix find_*_bit() signatures + +From: Geert Uytterhoeven + +[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ] + +The function signatures of the m68k-optimized implementations of the +find_{first,next}_{,zero_}bit() helpers do not match the generic +variants. + +Fix this by changing all non-pointer inputs and outputs to "unsigned +long", and updating a few local variables. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/ +Signed-off-by: Geert Uytterhoeven +Acked-by: "Yury Norov (NVIDIA)" +Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org +Signed-off-by: Sasha Levin +--- + arch/m68k/include/asm/bitops.h | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h +index 10133a968c8e1..d2a9aa0485175 100644 +--- a/arch/m68k/include/asm/bitops.h ++++ b/arch/m68k/include/asm/bitops.h +@@ -314,12 +314,12 @@ static inline int bfchg_mem_test_and_change_bit(int nr, + #include + #else + +-static inline int find_first_zero_bit(const unsigned long *vaddr, +- unsigned size) ++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr, ++ unsigned long size) + { + const unsigned long *p = vaddr; +- int res = 32; +- unsigned int words; ++ unsigned long res = 32; ++ unsigned long words; + unsigned long num; + + if (!size) +@@ -340,8 +340,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr, + } + #define find_first_zero_bit find_first_zero_bit + +-static inline int find_next_zero_bit(const unsigned long *vaddr, int size, +- int offset) ++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr, ++ unsigned long size, ++ unsigned 
long offset) + { + const unsigned long *p = vaddr + (offset >> 5); + int bit = offset & 31UL, res; +@@ -370,11 +371,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size, + } + #define find_next_zero_bit find_next_zero_bit + +-static inline int find_first_bit(const unsigned long *vaddr, unsigned size) ++static inline unsigned long find_first_bit(const unsigned long *vaddr, ++ unsigned long size) + { + const unsigned long *p = vaddr; +- int res = 32; +- unsigned int words; ++ unsigned long res = 32; ++ unsigned long words; + unsigned long num; + + if (!size) +@@ -395,8 +397,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size) + } + #define find_first_bit find_first_bit + +-static inline int find_next_bit(const unsigned long *vaddr, int size, +- int offset) ++static inline unsigned long find_next_bit(const unsigned long *vaddr, ++ unsigned long size, ++ unsigned long offset) + { + const unsigned long *p = vaddr + (offset >> 5); + int bit = offset & 31UL, res; +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 408d9e1914..a74c2efd0d 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -255,3 +255,13 @@ sched-balancing-rename-newidle_balance-sched_balance.patch sched-fair-fix-pelt-lost-idle-time-detection.patch alsa-firewire-amdtp-stream-fix-enum-kernel-doc-warni.patch hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch +exec-fix-incorrect-type-for-ret.patch +hfs-clear-offset-and-space-out-of-valid-records-in-b.patch +hfs-make-proper-initalization-of-struct-hfs_find_dat.patch +hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch +hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch +hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch +dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch +hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch +hfsplus-return-eio-when-type-of-hidden-directory-mis.patch +m68k-bitops-fix-find_-_bit-signatures.patch 
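Review bot: In both find_next_zero_bit() and find_next_bit() the local declaration `int bit = offset & 31UL, res;` is left unchanged while size and offset became unsigned long and the return type became unsigned long, so `res` is still computed as a signed int and converted on return, and any comparison of it against size in the body now mixes signed and unsigned; the find_first_* hunks in the same patch did widen `res`. For consistency suggest `unsigned long bit = offset & 31UL, res;` in both functions. The bodies that use bit and res are outside the hunk, so check their arithmetic and comparisons after changing the type.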
diff --git a/queue-5.15/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch b/queue-5.15/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
new file mode 100644
index 0000000000..121f155465
--- /dev/null
+++ b/queue-5.15/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
@@ -0,0 +1,34 @@
+From c68d007983539ec17f883ce6ca7fbeac186775c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Jul 2025 11:21:52 -0400
+Subject: dlm: check for defined force value in dlm_lockspace_release
+
+From: Alexander Aring
+
+[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]
+
+Force values over 3 are undefined, so don't treat them as 3.
+
+Signed-off-by: Alexander Aring
+Signed-off-by: David Teigland
+Signed-off-by: Sasha Levin
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index fa086a81a8476..5394c5713975d 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -785,7 +785,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
+
+ dlm_device_deregister(ls);
+
+- if (force < 3 && dlm_user_daemon_available())
++ if (force != 3 && dlm_user_daemon_available())
+ do_uevent(ls, 0);
+
+ dlm_recoverd_stop(ls);
+--
+2.51.0
+
diff --git a/queue-5.15/exec-fix-incorrect-type-for-ret.patch b/queue-5.15/exec-fix-incorrect-type-for-ret.patch
new file mode 100644
index 0000000000..6a35a2877c
--- /dev/null
+++ b/queue-5.15/exec-fix-incorrect-type-for-ret.patch
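Review bot: Changing `force < 3` to `force != 3` means an undefined value above 3 now takes the same path as 0–2 (the uevent is sent and the userspace daemon consulted) instead of the force-3 path, and the hunk does not reject such values; whether that is the intent depends on where force is validated, which is outside the hunk. If dlm_release_lockspace() or its callers already reject values above 3, a comment would make that explicit: `/* force == 3 is the only value that skips the userspace daemon; higher values are rejected before we get here */`; if they do not, an explicit `if (force > 3) return -EINVAL;` at the entry point would match the commit message rather than silently re-interpreting the value. release_lockspace() continues past the hunk.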
@@ -0,0 +1,38 @@
+From 2a9711e59b977af5339a0efa36d4063e897387ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Aug 2025 15:36:09 +0800
+Subject: exec: Fix incorrect type for ret
+
+From: Xichao Zhao
+
+[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]
+
+In the setup_arg_pages(), ret is declared as an unsigned long.
+The ret might take a negative value. Therefore, its type should
+be changed to int.
+
+Signed-off-by: Xichao Zhao
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 8395e7ff7b940..4d5defc2966bd 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -746,7 +746,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ unsigned long stack_top,
+ int executable_stack)
+ {
+- unsigned long ret;
++ int ret;
+ unsigned long stack_shift;
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma = bprm->vma;
+--
+2.51.0
+
diff --git a/queue-5.15/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch b/queue-5.15/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
new file mode 100644
index 0000000000..a8541df541
--- /dev/null
+++ b/queue-5.15/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
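Review bot: Narrowing `ret` to `int` is only safe if every assignment to it in the rest of `setup_arg_pages()` — which lies entirely outside this hunk — stores an int-sized error code in this tree; any site that stores an `unsigned long` (an address or a length) would now be truncated silently instead of compared. Stable trees can differ from upstream at exactly those lines, so the backport should be checked against the 5.15 body of the function rather than accepted on the upstream context alone. A one-line comment on the declaration, e.g. `int ret;  /* 0 or -errno */`, would pin the intended range for later readers.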
@@ -0,0 +1,94 @@ +From 01c9ecc3990af3a49872e8ad52bfb0a418ca37cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Aug 2025 12:49:19 -0700 +Subject: hfs: clear offset and space out of valid records in b-tree node + +From: Viacheslav Dubeyko + +[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ] + +Currently, hfs_brec_remove() executes moving records +towards the location of deleted record and it updates +offsets of moved records. However, the hfs_brec_remove() +logic ignores the "mess" of b-tree node's free space and +it doesn't touch the offsets out of records number. +Potentially, it could confuse fsck or driver logic or +to be a reason of potential corruption cases. + +This patch reworks the logic of hfs_brec_remove() +by means of clearing freed space of b-tree node +after the records moving. And it clear the last +offset that keeping old location of free space +because now the offset before this one is keeping +the actual offset to the free space after the record +deletion. 
+ +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/brec.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c +index 896396554bcc1..b01db1fae147c 100644 +--- a/fs/hfs/brec.c ++++ b/fs/hfs/brec.c +@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd) + struct hfs_btree *tree; + struct hfs_bnode *node, *parent; + int end_off, rec_off, data_off, size; ++ int src, dst, len; + + tree = fd->tree; + node = fd->bnode; +@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd) + } + hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs); + +- if (rec_off == end_off) +- goto skip; + size = fd->keylength + fd->entrylength; + ++ if (rec_off == end_off) { ++ src = fd->keyoffset; ++ hfs_bnode_clear(node, src, size); ++ goto skip; ++ } ++ + do { + data_off = hfs_bnode_read_u16(node, rec_off); + hfs_bnode_write_u16(node, rec_off + 2, data_off - size); +@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd) + } while (rec_off >= end_off); + + /* fill hole */ +- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size, +- data_off - fd->keyoffset - size); ++ dst = fd->keyoffset; ++ src = fd->keyoffset + size; ++ len = data_off - src; ++ ++ hfs_bnode_move(node, dst, src, len); ++ ++ src = dst + len; ++ len = data_off - src; ++ ++ hfs_bnode_clear(node, src, len); ++ + skip: ++ /* ++ * Remove the obsolete offset to free space. ++ */ ++ hfs_bnode_write_u16(node, end_off, 0); ++ + hfs_bnode_dump(node); + if (!fd->record) + hfs_brec_update_parent(fd); +-- +2.51.0 + 
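Review bot: The two new `hfs_bnode_clear()` calls take lengths derived from on-disk offsets (`len = data_off - src`, and `size = fd->keylength + fd->entrylength`) with no check that they are non-negative or inside the node, so a corrupted offset table that places `data_off` below `fd->keyoffset + size` yields a negative `len` that is passed straight through, the same way the pre-existing `hfs_bnode_move()` already was; a guard before the move/clear such as `if (len < 0 || src + len > tree->node_size)` that bails out would contain that, although the function's error contract is outside the hunk. The reuse of `src` and `len` after the move also obscures that the cleared region is exactly the `size` bytes at the tail of the record area; `hfs_bnode_clear(node, data_off - size, size);` with a comment `/* zero the stale tail the move left behind */` states the same thing directly. `hfs_brec_remove()` begins before this hunk.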
diff --git a/queue-5.15/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch b/queue-5.15/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
new file mode 100644
index 0000000000..f99b77e30c
--- /dev/null
+++ b/queue-5.15/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
@@ -0,0 +1,112 @@ +From 8b0ebded6bc465ed2b3d568cd257ad26c0b1c0eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Aug 2025 16:06:38 -0700 +Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() + +From: Viacheslav Dubeyko + +[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ] + +The syzbot reported issue in hfs_find_set_zero_bits(): + +===================================================== +BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151 + hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408 + hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353 + __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151 + block_write_begin fs/buffer.c:2262 [inline] + cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + cont_expand_zero fs/buffer.c:2528 [inline] + cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494 + hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654 + notify_change+0x1993/0x1aa0 fs/attr.c:552 + do_truncate+0x28f/0x310 fs/open.c:68 + do_ftruncate+0x698/0x730 fs/open.c:195 + do_sys_ftruncate fs/open.c:210 [inline] + __do_sys_ftruncate fs/open.c:215 [inline] + __se_sys_ftruncate fs/open.c:213 [inline] + __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213 + x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4154 [inline] + slab_alloc_node mm/slub.c:4197 [inline] + __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354 + kmalloc_noprof include/linux/slab.h:905 [inline] + hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175 + hfs_fill_super+0x3d0/0xb80 
fs/hfs/super.c:337 + get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681 + get_tree_bdev+0x38/0x50 fs/super.c:1704 + hfs_get_tree+0x35/0x40 fs/hfs/super.c:388 + vfs_get_tree+0xb0/0x5c0 fs/super.c:1804 + do_new_mount+0x738/0x1610 fs/namespace.c:3902 + path_mount+0x6db/0x1e90 fs/namespace.c:4226 + do_mount fs/namespace.c:4239 [inline] + __do_sys_mount fs/namespace.c:4450 [inline] + __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427 + __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427 + x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 +===================================================== + +The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get(): + +HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); + +Finally, it can trigger the reported issue because kmalloc() +doesn't clear the allocated memory. If allocated memory contains +only zeros, then everything will work pretty fine. +But if the allocated memory contains the "garbage", then +it can affect the bitmap operations and it triggers +the reported issue. + +This patch simply exchanges the kmalloc() on kzalloc() +with the goal to guarantee the correctness of bitmap operations. +Because, newly created allocation bitmap should have all +available blocks free. Potentially, initialization bitmap's read +operation could not fill the whole allocated memory and +"garbage" in the not initialized memory will be the reason of +volume coruptions and file system driver bugs. 
+ +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831 +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/mdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c +index cdf0edeeb2781..f8f976afcc740 100644 +--- a/fs/hfs/mdb.c ++++ b/fs/hfs/mdb.c +@@ -172,7 +172,7 @@ int hfs_mdb_get(struct super_block *sb) + pr_warn("continuing without an alternate MDB\n"); + } + +- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); ++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL); + if (!HFS_SB(sb)->bitmap) + goto out; + +-- +2.51.0 + diff --git a/queue-5.15/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch b/queue-5.15/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch new file mode 100644 index 0000000000..3a96330c8c --- /dev/null +++ b/queue-5.15/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch 
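Review bot: The allocation size `8192` on the changed line is an unexplained magic number; a comment such as `/* HFS block numbers are 16-bit, so the volume bitmap never exceeds 65536 bits = 8192 bytes */` would document why zero-filling the whole buffer is the right baseline. Zero-filling only makes unread bytes read as free blocks, which is what the commit message wants for a fresh bitmap, but it also masks a short or failed bitmap read; the read path that fills this buffer later in `hfs_mdb_get()` (outside the hunk) should still confirm the volume's bitmap fits and was read completely, as the message's last paragraph hints. `hfs_mdb_get()` continues beyond the hunk.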
@@ -0,0 +1,76 @@ +From b36cc682d177a20b964863c50e2f4af23c09c6db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 15:52:52 -0700 +Subject: hfs: make proper initalization of struct hfs_find_data + +From: Viacheslav Dubeyko + +[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ] + +Potenatially, __hfs_ext_read_extent() could operate by +not initialized values of fd->key after hfs_brec_find() call: + +static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent, + u32 cnid, u32 block, u8 type) +{ + int res; + + hfs_ext_build_key(fd->search_key, cnid, block, type); + fd->key->ext.FNum = 0; + res = hfs_brec_find(fd); + if (res && res != -ENOENT) + return res; + if (fd->key->ext.FNum != fd->search_key->ext.FNum || + fd->key->ext.FkType != fd->search_key->ext.FkType) + return -ENOENT; + if (fd->entrylength != sizeof(hfs_extent_rec)) + return -EIO; + hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec)); + return 0; +} + +This patch changes kmalloc() on kzalloc() in hfs_find_init() +and intializes fd->record, fd->keyoffset, fd->keylength, +fd->entryoffset, fd->entrylength for the case if hfs_brec_find() +has been found nothing in the b-tree node. 
+ +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/bfind.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c +index ef9498a6e88ac..6d37b4c759034 100644 +--- a/fs/hfs/bfind.c ++++ b/fs/hfs/bfind.c +@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) + + fd->tree = tree; + fd->bnode = NULL; +- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); ++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; +@@ -112,6 +112,12 @@ int hfs_brec_find(struct hfs_find_data *fd) + __be32 data; + int height, res; + ++ fd->record = -1; ++ fd->keyoffset = -1; ++ fd->keylength = -1; ++ fd->entryoffset = -1; ++ fd->entrylength = -1; ++ + tree = fd->tree; + if (fd->bnode) + hfs_bnode_put(fd->bnode); +-- +2.51.0 + diff --git a/queue-5.15/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch b/queue-5.15/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch new file mode 100644 index 0000000000..9769b9192c --- /dev/null +++ b/queue-5.15/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch 
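Review bot: The `-1` sentinels written at the top of `hfs_brec_find()` are undocumented, and `kzalloc()` only zeroes `fd->key` for the first lookup — after a successful search the key buffer presumably holds the found record's key, so a later lookup that returns -ENOENT leaves that stale key for callers to compare, which is why the quoted `__hfs_ext_read_extent()` still has to do `fd->key->ext.FNum = 0` before searching. Adding `/* Reset to sentinels so a failed lookup leaves no stale record position; fd->key itself is not cleared here */` above the new block would make both halves of that contract explicit. The same point applies to the identical hunk in queue-5.15/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch. `hfs_brec_find()` continues past the hunk.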
@@ -0,0 +1,217 @@ +From 7fd2a77d68d3b30e188d7a255184649769d52f5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 22:17:34 +0800 +Subject: hfs: validate record offset in hfsplus_bmap_alloc + +From: Yang Chenzhi + +[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ] + +hfsplus_bmap_alloc can trigger a crash if a +record offset or length is larger than node_size + +[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183 +[ 15.265949] +[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary) +[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 15.266167] Call Trace: +[ 15.266168] +[ 15.266169] dump_stack_lvl+0x53/0x70 +[ 15.266173] print_report+0xd0/0x660 +[ 15.266181] kasan_report+0xce/0x100 +[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0 +[ 15.266217] hfsplus_brec_insert+0x870/0xb00 +[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570 +[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910 +[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200 +[ 15.266233] hfsplus_file_extend+0x5a7/0x1000 +[ 15.266237] hfsplus_get_block+0x12b/0x8c0 +[ 15.266238] __block_write_begin_int+0x36b/0x12c0 +[ 15.266251] block_write_begin+0x77/0x110 +[ 15.266252] cont_write_begin+0x428/0x720 +[ 15.266259] hfsplus_write_begin+0x51/0x100 +[ 15.266262] cont_write_begin+0x272/0x720 +[ 15.266270] hfsplus_write_begin+0x51/0x100 +[ 15.266274] generic_perform_write+0x321/0x750 +[ 15.266285] generic_file_write_iter+0xc3/0x310 +[ 15.266289] __kernel_write_iter+0x2fd/0x800 +[ 15.266296] dump_user_range+0x2ea/0x910 +[ 15.266301] elf_core_dump+0x2a94/0x2ed0 +[ 15.266320] vfs_coredump+0x1d85/0x45e0 +[ 15.266349] get_signal+0x12e3/0x1990 +[ 15.266357] arch_do_signal_or_restart+0x89/0x580 +[ 15.266362] 
irqentry_exit_to_user_mode+0xab/0x110 +[ 15.266364] asm_exc_page_fault+0x26/0x30 +[ 15.266366] RIP: 0033:0x41bd35 +[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f +[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283 +[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000 +[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100 +[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000 +[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000 +[ 15.266376] + +When calling hfsplus_bmap_alloc to allocate a free node, this function +first retrieves the bitmap from header node and map node using node->page +together with the offset and length from hfs_brec_lenoff + +``` +len = hfs_brec_lenoff(node, 2, &off16); +off = off16; + +off += node->page_offset; +pagep = node->page + (off >> PAGE_SHIFT); +data = kmap_local_page(*pagep); +``` + +However, if the retrieved offset or length is invalid(i.e. exceeds +node_size), the code may end up accessing pages outside the allocated +range for this node. + +This patch adds proper validation of both offset and length before use, +preventing out-of-bounds page access. Move is_bnode_offset_valid and +check_and_correct_requested_length to hfsplus_fs.h, as they may be +required by other functions. 
+ +Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/ +Signed-off-by: Yang Chenzhi +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bnode.c | 41 ---------------------------------------- + fs/hfsplus/btree.c | 6 ++++++ + fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 48 insertions(+), 41 deletions(-) + +diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c +index c9c38fddf505b..e566cea238279 100644 +--- a/fs/hfsplus/bnode.c ++++ b/fs/hfsplus/bnode.c +@@ -18,47 +18,6 @@ + #include "hfsplus_fs.h" + #include "hfsplus_raw.h" + +-static inline +-bool is_bnode_offset_valid(struct hfs_bnode *node, int off) +-{ +- bool is_valid = off < node->tree->node_size; +- +- if (!is_valid) { +- pr_err("requested invalid offset: " +- "NODE: id %u, type %#x, height %u, " +- "node_size %u, offset %d\n", +- node->this, node->type, node->height, +- node->tree->node_size, off); +- } +- +- return is_valid; +-} +- +-static inline +-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) +-{ +- unsigned int node_size; +- +- if (!is_bnode_offset_valid(node, off)) +- return 0; +- +- node_size = node->tree->node_size; +- +- if ((off + len) > node_size) { +- int new_len = (int)node_size - off; +- +- pr_err("requested length has been corrected: " +- "NODE: id %u, type %#x, height %u, " +- "node_size %u, offset %d, " +- "requested_len %d, corrected_len %d\n", +- node->this, node->type, node->height, +- node->tree->node_size, off, len, new_len); +- +- return new_len; +- } +- +- return len; +-} + + /* Copy a specified range of bytes from the raw data of a node */ + void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) +diff --git 
a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c +index 66774f4cb4fd5..2211907537fec 100644 +--- a/fs/hfsplus/btree.c ++++ b/fs/hfsplus/btree.c +@@ -392,6 +392,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree) + len = hfs_brec_lenoff(node, 2, &off16); + off = off16; + ++ if (!is_bnode_offset_valid(node, off)) { ++ hfs_bnode_put(node); ++ return ERR_PTR(-EIO); ++ } ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + data = kmap(*pagep); +diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h +index c01bf9ff56a96..8396964b056f0 100644 +--- a/fs/hfsplus/hfsplus_fs.h ++++ b/fs/hfsplus/hfsplus_fs.h +@@ -572,6 +572,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree) + return class; + } + ++static inline ++bool is_bnode_offset_valid(struct hfs_bnode *node, int off) ++{ ++ bool is_valid = off < node->tree->node_size; ++ ++ if (!is_valid) { ++ pr_err("requested invalid offset: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off); ++ } ++ ++ return is_valid; ++} ++ ++static inline ++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) ++{ ++ unsigned int node_size; ++ ++ if (!is_bnode_offset_valid(node, off)) ++ return 0; ++ ++ node_size = node->tree->node_size; ++ ++ if ((off + len) > node_size) { ++ int new_len = (int)node_size - off; ++ ++ pr_err("requested length has been corrected: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, " ++ "requested_len %d, corrected_len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len, new_len); ++ ++ return new_len; ++ } ++ ++ return len; ++} ++ + /* compatibility */ + #define hfsp_mt2ut(t) (struct timespec64){ .tv_sec = __hfsp_mt2ut(t) } + #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec) +-- +2.51.0 + 
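Review bot: In `is_bnode_offset_valid()`, now in hfsplus_fs.h, a negative `off` is rejected only because the `int` operand is converted to unsigned in `off < node->tree->node_size` (assuming `node_size` is unsigned, as the `%u` format suggests); that is easy to break if either type changes, so spell it out: `bool is_valid = off >= 0 && off < node->tree->node_size;`. The two checks added to `hfs_bmap_alloc()` also differ in severity: an invalid offset returns `-EIO`, while an over-long `len` is silently clamped by `check_and_correct_requested_length()` and the bitmap scan proceeds on a node already known to be inconsistent — comparing the corrected value with the original `len` and failing with -EIO in the same way would be the more conservative choice for on-disk data. Since both helpers are now shared, a short header comment on each stating that it validates an on-disk offset/length against `node_size` and logs on failure would help later callers.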
diff --git a/queue-5.15/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch b/queue-5.15/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
new file mode 100644
index 0000000000..8e4c2e3eb4
--- /dev/null
+++ b/queue-5.15/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
@@ -0,0 +1,214 @@ +From 60593a0805cb65b7a7e26f7a29b5b82df2d71734 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 15:52:32 -0700 +Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() + +From: Viacheslav Dubeyko + +[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ] + +The syzbot reported issue in __hfsplus_ext_cache_extent(): + +[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.199771][ T9350] ksys_write+0x23e/0x490 +[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.202054][ T9350] +[ 70.202279][ T9350] Uninit was created at: +[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80 +[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0 +[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0 +[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.207961][ T9350] ksys_write+0x23e/0x490 +[ 
70.208375][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.210230][ T9350] +[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 +[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.212115][ T9350] ===================================================== +[ 70.212734][ T9350] Disabling lock debugging due to kernel taint +[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... +[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5 +[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE +[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.215999][ T9350] Call Trace: +[ 70.216309][ T9350] +[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0 +[ 70.217025][ T9350] dump_stack+0x1e/0x30 +[ 70.217421][ T9350] panic+0x502/0xca0 +[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 + +[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ... + kernel +:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +set ... +[ 70.221254][ T9350] ? __msan_warning+0x96/0x120 +[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0 +[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0 +[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0 +[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950 +[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130 +[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060 +[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460 +[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0 +[ 70.228540][ T9350] ? 
vfs_write+0xb0f/0x14e0 +[ 70.228997][ T9350] ? ksys_write+0x23e/0x490 +[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0 +[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0 +[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0 +[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0 +[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10 +[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0 +[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40 +[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620 +[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.241175][ T9350] __msan_warning+0x96/0x120 +[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10 +[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.249856][ T9350] ? 
kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10 +[ 70.251530][ T9350] ksys_write+0x23e/0x490 +[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60 +[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9 +[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9 +[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004 +[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0 +[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250 +[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 70.261286][ T9350] +[ 70.262026][ T9350] Kernel Offset: disabled + +(gdb) l *__hfsplus_ext_cache_extent+0x7d0 +0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168). +163 fd->key->ext.cnid = 0; +164 res = hfs_brec_find(fd, hfs_find_rec_by_key); +165 if (res && res != -ENOENT) +166 return res; +167 if (fd->key->ext.cnid != fd->search_key->ext.cnid || +168 fd->key->ext.fork_type != fd->search_key->ext.fork_type) +169 return -ENOENT; +170 if (fd->entrylength != sizeof(hfsplus_extent_rec)) +171 return -EIO; +172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset, + +The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent(): + +res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino, + block, HFSPLUS_IS_RSRC(inode) ? 
+ HFSPLUS_TYPE_RSRC : + HFSPLUS_TYPE_DATA); + +And if inode->i_ino could be equal to zero or any non-available CNID, +then hfs_brec_find() could not find the record in the tree. As a result, +fd->key could be compared with fd->search_key. But hfsplus_find_init() +uses kmalloc() for fd->key and fd->search_key allocation: + +int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) +{ + + ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; + fd->key = ptr + tree->max_key_len + 2; + +} + +Finally, fd->key is still not initialized if hfs_brec_find() +has found nothing. + +This patch changes kmalloc() on kzalloc() in hfs_find_init() +and intializes fd->record, fd->keyoffset, fd->keylength, +fd->entryoffset, fd->entrylength for the case if hfs_brec_find() +has been found nothing in the b-tree node. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521 +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bfind.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c +index 901e83d65d202..26ebac4c60424 100644 +--- a/fs/hfsplus/bfind.c ++++ b/fs/hfsplus/bfind.c +@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) + + fd->tree = tree; + fd->bnode = NULL; +- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); ++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; +@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare) + __be32 data; + int height, res; + ++ fd->record = -1; ++ fd->keyoffset = -1; ++ fd->keylength = -1; ++ fd->entryoffset = -1; ++ fd->entrylength 
= -1; ++ + tree = fd->tree; + if (fd->bnode) + hfs_bnode_put(fd->bnode); +-- +2.51.0 + diff --git a/queue-5.15/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch b/queue-5.15/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch new file mode 100644 index 0000000000..22fba7d61a --- /dev/null +++ b/queue-5.15/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch 
@@ -0,0 +1,198 @@ +From 47c7c45273bbe3ee9fd67dfc36ab2787559b7437 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 15:51:04 -0700 +Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() + +From: Viacheslav Dubeyko + +[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ] + +The syzbot reported issue in hfsplus_delete_cat(): + +[ 70.682285][ T9333] ===================================================== +[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0 +[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310 +[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810 +[ 70.685447][ T9333] do_rmdir+0x964/0xea0 +[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0 +[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0 +[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.687646][ T9333] +[ 70.687856][ T9333] Uninit was stored to memory at: +[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 +[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800 +[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600 +[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70 +[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0 +[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30 +[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0 +[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0 +[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.692773][ T9333] +[ 70.692990][ T9333] Uninit was stored to memory at: +[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 +[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800 +[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700 +[ 70.694911][ T9333] mount_bdev+0x37b/0x530 +[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60 +[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0 +[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0 +[ 
70.696588][ T9333] do_new_mount+0x73e/0x1630 +[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0 +[ 70.697425][ T9333] __se_sys_mount+0x733/0x830 +[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150 +[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0 +[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.699730][ T9333] +[ 70.699946][ T9333] Uninit was created at: +[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60 +[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0 +[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0 +[ 70.701774][ T9333] allocate_slab+0x30e/0x1390 +[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0 +[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20 +[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0 +[ 70.703598][ T9333] alloc_inode+0x82/0x490 +[ 70.703984][ T9333] iget_locked+0x22e/0x1320 +[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0 +[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0 +[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700 +[ 70.705776][ T9333] mount_bdev+0x37b/0x530 +[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60 +[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0 +[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0 +[ 70.707444][ T9333] do_new_mount+0x73e/0x1630 +[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0 +[ 70.708270][ T9333] __se_sys_mount+0x733/0x830 +[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150 +[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0 +[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.710611][ T9333] +[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17 +[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.712490][ T9333] ===================================================== +[ 70.713085][ T9333] Disabling lock debugging due to kernel taint +[ 70.713618][ T9333] Kernel panic - not 
syncing: kmsan.panic set ... +[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17 +[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE +[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.716311][ T9333] Call Trace: +[ 70.716621][ T9333] +[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0 +[ 70.717350][ T9333] dump_stack+0x1e/0x30 +[ 70.717743][ T9333] panic+0x502/0xca0 +[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.718611][ T9333] kmsan_report+0x296/0x2a0 +[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.719859][ T9333] ? __msan_warning+0x96/0x120 +[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0 +[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310 +[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810 +[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0 +[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0 +[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0 +[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0 +[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60 +[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50 +[ 70.726175][ T9333] ? vprintk+0xce/0xd0 +[ 70.726628][ T9333] ? _printk+0x17e/0x1b0 +[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.728324][ T9333] __msan_warning+0x96/0x120 +[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0 +[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310 +[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10 +[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810 +[ 70.733416][ T9333] ? 
kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.734044][ T9333] do_rmdir+0x964/0xea0 +[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0 +[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0 +[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60 +[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9 +[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054 +[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9 +[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100 +[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910 +[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260 +[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 70.745082][ T9333] + +The main reason of the issue that struct hfsplus_inode_info +has not been properly initialized for the case of root folder. +In the case of root folder, hfsplus_fill_super() calls +the hfsplus_iget() that implements only partial initialization of +struct hfsplus_inode_info and subfolders field is not +initialized by hfsplus_iget() logic. + +This patch implements complete initialization of +struct hfsplus_inode_info in the hfsplus_iget() logic with +the goal to prevent likewise issues for the case of +root folder. 
+ +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/super.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c +index 392edb60edd07..16cf5e1c685bf 100644 +--- a/fs/hfsplus/super.c ++++ b/fs/hfsplus/super.c +@@ -67,13 +67,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino) + if (!(inode->i_state & I_NEW)) + return inode; + +- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list); +- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock); +- mutex_init(&HFSPLUS_I(inode)->extents_lock); +- HFSPLUS_I(inode)->flags = 0; ++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0); ++ HFSPLUS_I(inode)->first_blocks = 0; ++ HFSPLUS_I(inode)->clump_blocks = 0; ++ HFSPLUS_I(inode)->alloc_blocks = 0; ++ HFSPLUS_I(inode)->cached_start = U32_MAX; ++ HFSPLUS_I(inode)->cached_blocks = 0; ++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec)); ++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec)); + HFSPLUS_I(inode)->extent_state = 0; ++ mutex_init(&HFSPLUS_I(inode)->extents_lock); + HFSPLUS_I(inode)->rsrc_inode = NULL; +- atomic_set(&HFSPLUS_I(inode)->opencnt, 0); ++ HFSPLUS_I(inode)->create_date = 0; ++ HFSPLUS_I(inode)->linkid = 0; ++ HFSPLUS_I(inode)->flags = 0; ++ HFSPLUS_I(inode)->fs_blocks = 0; ++ HFSPLUS_I(inode)->userflags = 0; ++ HFSPLUS_I(inode)->subfolders = 0; ++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list); ++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock); ++ HFSPLUS_I(inode)->phys_size = 0; + + if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID || + inode->i_ino == HFSPLUS_ROOT_CNID) { +-- +2.51.0 + 
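Review bot: The two memset() calls added in the super.c hunk size the clear by the type name, `sizeof(hfsplus_extent_rec)`, rather than by the field being cleared; `memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(HFSPLUS_I(inode)->first_extents));` (and the same for cached_extents) ties the length to the field's declared type so the two cannot drift apart. The long field-by-field list is also silent about why it has to be exhaustive; the KMSAN report shows the object coming straight from the inode slab cache via hfsplus_alloc_inode(), so a header comment such as `/* reset every hfsplus_inode_info field here: the slab object is not zeroed, and the root folder is initialised only through this path */` would tell the next maintainer that any new struct member must be added to this block as well. That the root folder has no other initialisation path is taken from the commit message; hfsplus_iget() continues outside the inner hunk.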
diff --git a/queue-5.15/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch b/queue-5.15/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
new file mode 100644
index 0000000000..ac1c5a3ab5
--- /dev/null
+++ b/queue-5.15/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
@@ -0,0 +1,39 @@
+From edaf2c373746c00aa2e2124b48e6fab958b2547b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+
+From: Yangtao Li
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li
+Reviewed-by: Viacheslav Dubeyko
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 16cf5e1c685bf..cb703b3e99fc2 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -538,7 +538,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+--
+2.51.0
+
diff --git a/queue-5.15/m68k-bitops-fix-find_-_bit-signatures.patch b/queue-5.15/m68k-bitops-fix-find_-_bit-signatures.patch
new file mode 100644
index 0000000000..5102b6d9d2
--- /dev/null
+++ b/queue-5.15/m68k-bitops-fix-find_-_bit-signatures.patch
@@ -0,0 +1,90 @@ +From ce93bd51b8fa3c664d4fac6e63e9f9f3dd2dee43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 17:16:13 +0200 +Subject: m68k: bitops: Fix find_*_bit() signatures + +From: Geert Uytterhoeven + +[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ] + +The function signatures of the m68k-optimized implementations of the +find_{first,next}_{,zero_}bit() helpers do not match the generic +variants. + +Fix this by changing all non-pointer inputs and outputs to "unsigned +long", and updating a few local variables. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/ +Signed-off-by: Geert Uytterhoeven +Acked-by: "Yury Norov (NVIDIA)" +Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org +Signed-off-by: Sasha Levin +--- + arch/m68k/include/asm/bitops.h | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h +index 7b414099e5fc2..cca33f8ba0f67 100644 +--- a/arch/m68k/include/asm/bitops.h ++++ b/arch/m68k/include/asm/bitops.h +@@ -314,12 +314,12 @@ static inline int bfchg_mem_test_and_change_bit(int nr, + #include + #else + +-static inline int find_first_zero_bit(const unsigned long *vaddr, +- unsigned size) ++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr, ++ unsigned long size) + { + const unsigned long *p = vaddr; +- int res = 32; +- unsigned int words; ++ unsigned long res = 32; ++ unsigned long words; + unsigned long num; + + if (!size) +@@ -340,8 +340,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr, + } + #define find_first_zero_bit find_first_zero_bit + +-static inline int find_next_zero_bit(const unsigned long *vaddr, int size, +- int offset) ++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr, ++ unsigned long size, ++ unsigned 
long offset) + { + const unsigned long *p = vaddr + (offset >> 5); + int bit = offset & 31UL, res; +@@ -370,11 +371,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size, + } + #define find_next_zero_bit find_next_zero_bit + +-static inline int find_first_bit(const unsigned long *vaddr, unsigned size) ++static inline unsigned long find_first_bit(const unsigned long *vaddr, ++ unsigned long size) + { + const unsigned long *p = vaddr; +- int res = 32; +- unsigned int words; ++ unsigned long res = 32; ++ unsigned long words; + unsigned long num; + + if (!size) +@@ -395,8 +397,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size) + } + #define find_first_bit find_first_bit + +-static inline int find_next_bit(const unsigned long *vaddr, int size, +- int offset) ++static inline unsigned long find_next_bit(const unsigned long *vaddr, ++ unsigned long size, ++ unsigned long offset) + { + const unsigned long *p = vaddr + (offset >> 5); + int bit = offset & 31UL, res; +-- +2.51.0 + diff --git a/queue-5.15/nios2-ensure-that-memblock.current_limit-is-set-when.patch b/queue-5.15/nios2-ensure-that-memblock.current_limit-is-set-when.patch new file mode 100644 index 0000000000..7180608f62 --- /dev/null +++ b/queue-5.15/nios2-ensure-that-memblock.current_limit-is-set-when.patch 
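Review bot: The find_next_zero_bit() and find_next_bit() hunks widen the return type and parameters to unsigned long but leave the local declaration `int bit = offset & 31UL, res;` untouched in both functions, so `res` stays a signed int that is implicitly widened on return. The commit message says local variables were updated, and the find_first_* variants in the same file did get `unsigned long res;` and `unsigned long words;`, so the asymmetry looks unintended rather than deliberate. Changing that line to `unsigned long bit = offset & 31UL, res;` in both find_next_* helpers would make the four signatures and their accumulators consistent. The remainder of each body lies outside the hunk, so any further int-typed locals there cannot be checked here.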
@@ -0,0 +1,74 @@
+From 5dc771e2e57340f5fabe03e22a15fb9ae7a03511 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Aug 2025 12:37:07 +0200
+Subject: nios2: ensure that memblock.current_limit is set when setting pfn
+ limits
+
+From: Simon Schuster
+
+[ Upstream commit a20b83cf45be2057f3d073506779e52c7fa17f94 ]
+
+On nios2, with CONFIG_FLATMEM set, the kernel relies on
+memblock_get_current_limit() to determine the limits of mem_map, in
+particular for max_low_pfn.
+Unfortunately, memblock.current_limit is only default initialized to
+MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading
+to situations where max_low_pfn can erroneously exceed the value of
+max_pfn and, thus, the valid range of available DRAM.
+
+This can in turn cause kernel-level paging failures, e.g.:
+
+[ 76.900000] Unable to handle kernel paging request at virtual address 20303000
+[ 76.900000] ea = c0080890, ra = c000462c, cause = 14
+[ 76.900000] Kernel panic - not syncing: Oops
+[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---
+
+This patch fixes this by pre-calculating memblock.current_limit
+based on the upper limits of the available memory ranges via
+adjust_lowmem_bounds, a simplified version of the equivalent
+implementation within the arm architecture.
+
+Signed-off-by: Simon Schuster
+Signed-off-by: Andreas Oetken
+Signed-off-by: Dinh Nguyen
+Signed-off-by: Sasha Levin
+---
+ arch/nios2/kernel/setup.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/arch/nios2/kernel/setup.c b/arch/nios2/kernel/setup.c
+index 40bc8fb75e0b5..e2fc4b59d93ea 100644
+--- a/arch/nios2/kernel/setup.c
++++ b/arch/nios2/kernel/setup.c
+@@ -147,6 +147,20 @@ static void __init find_limits(unsigned long *min, unsigned long *max_low,
+ *max_high = PFN_DOWN(memblock_end_of_DRAM());
+ }
+
++static void __init adjust_lowmem_bounds(void)
++{
++ phys_addr_t block_start, block_end;
++ u64 i;
++ phys_addr_t memblock_limit = 0;
++
++ for_each_mem_range(i, &block_start, &block_end) {
++ if (block_end > memblock_limit)
++ memblock_limit = block_end;
++ }
++
++ memblock_set_current_limit(memblock_limit);
++}
++
+ void __init setup_arch(char **cmdline_p)
+ {
+ console_verbose();
+@@ -160,6 +174,7 @@ void __init setup_arch(char **cmdline_p)
+ /* Keep a copy of command line */
+ *cmdline_p = boot_command_line;
+
++ adjust_lowmem_bounds();
+ find_limits(&min_low_pfn, &max_low_pfn, &max_pfn);
+ max_mapnr = max_low_pfn;
+
+--
+2.51.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 8a61d27e2a..a8be826e2b 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
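Review bot: adjust_lowmem_bounds() in the setup.c hunk carries no comment explaining why it must run before find_limits(), and the name (borrowed from arm, per the commit message) does not convey that all it does is set memblock.current_limit. A short header comment would preserve the reasoning from the commit message: `/* memblock.current_limit still holds its MEMBLOCK_ALLOC_ANYWHERE default here; find_limits() derives max_low_pfn from it, so clamp it to the end of the highest DRAM range first. */`. Note also that `memblock_limit` starts at 0 and is only raised inside the loop, so if for_each_mem_range() yields no ranges the limit is set to 0 rather than left at its default; that presumably cannot happen once DRAM has been registered, but it deserves a line in the same comment.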
@@ -38,3 +38,14 @@ alsa-usb-audio-fix-null-pointer-deference-in-try_to_.patch
 hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch
 pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch
 revert-perf-test-don-t-leak-workload-gopipe-in-perf_record_.patch
+exec-fix-incorrect-type-for-ret.patch
+nios2-ensure-that-memblock.current_limit-is-set-when.patch
+hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
+hfs-make-proper-initalization-of-struct-hfs_find_dat.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
+hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
+dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
+hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
+hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
+m68k-bitops-fix-find_-_bit-signatures.patch
diff --git a/queue-5.4/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch b/queue-5.4/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
new file mode 100644
index 0000000000..eb5c6cf1e9
--- /dev/null
+++ b/queue-5.4/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
@@ -0,0 +1,34 @@
+From 9a203405f8f9ff91ed83026e7fe312002116f2ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Jul 2025 11:21:52 -0400
+Subject: dlm: check for defined force value in dlm_lockspace_release
+
+From: Alexander Aring
+
+[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]
+
+Force values over 3 are undefined, so don't treat them as 3.
+
+Signed-off-by: Alexander Aring
+Signed-off-by: David Teigland
+Signed-off-by: Sasha Levin
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index c689359ca532b..9030e0e5927cb 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -793,7 +793,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
+
+ dlm_device_deregister(ls);
+
+- if (force < 3 && dlm_user_daemon_available())
++ if (force != 3 && dlm_user_daemon_available())
+ do_uevent(ls, 0);
+
+ dlm_recoverd_stop(ls);
+--
+2.51.0
+
diff --git a/queue-5.4/exec-fix-incorrect-type-for-ret.patch b/queue-5.4/exec-fix-incorrect-type-for-ret.patch
new file mode 100644
index 0000000000..fefbf2349e
--- /dev/null
+++ b/queue-5.4/exec-fix-incorrect-type-for-ret.patch
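Review bot: With `force != 3` the undefined values (4 and above) now fall through to the do_uevent() path and behave like a non-forced release, which is a change in behaviour rather than a rejection of them; if release_lockspace()'s callers do not validate force before this point, an out-of-range value silently gets the uevent handshake. release_lockspace() continues outside the hunk, so whether such validation exists upstream of this check cannot be confirmed here. A comment on the changed line, `/* only force == 3 skips the uevent; values > 3 are undefined and must be rejected by the caller */`, would at least record the assumption the new condition relies on.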
@@ -0,0 +1,38 @@
+From 8ac80cf4ed6fd19ecbd0ac375a6407584d274492 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Aug 2025 15:36:09 +0800
+Subject: exec: Fix incorrect type for ret
+
+From: Xichao Zhao
+
+[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]
+
+In the setup_arg_pages(), ret is declared as an unsigned long.
+The ret might take a negative value. Therefore, its type should
+be changed to int.
+
+Signed-off-by: Xichao Zhao
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 5dffc67745c80..5aa0d9ec7f21b 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -701,7 +701,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ unsigned long stack_top,
+ int executable_stack)
+ {
+- unsigned long ret;
++ int ret;
+ unsigned long stack_shift;
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma = bprm->vma;
+--
+2.51.0
+
diff --git a/queue-5.4/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch b/queue-5.4/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
new file mode 100644
index 0000000000..9c3ab8f30b
--- /dev/null
+++ b/queue-5.4/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
@@ -0,0 +1,94 @@ +From d0ffb9bb0a9ccf295ff1d52b2fb438914d5cd046 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Aug 2025 12:49:19 -0700 +Subject: hfs: clear offset and space out of valid records in b-tree node + +From: Viacheslav Dubeyko + +[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ] + +Currently, hfs_brec_remove() executes moving records +towards the location of deleted record and it updates +offsets of moved records. However, the hfs_brec_remove() +logic ignores the "mess" of b-tree node's free space and +it doesn't touch the offsets out of records number. +Potentially, it could confuse fsck or driver logic or +to be a reason of potential corruption cases. + +This patch reworks the logic of hfs_brec_remove() +by means of clearing freed space of b-tree node +after the records moving. And it clear the last +offset that keeping old location of free space +because now the offset before this one is keeping +the actual offset to the free space after the record +deletion. 
+
+Signed-off-by: Viacheslav Dubeyko
+cc: John Paul Adrian Glaubitz
+cc: Yangtao Li
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfs/brec.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
+index 896396554bcc1..b01db1fae147c 100644
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ struct hfs_btree *tree;
+ struct hfs_bnode *node, *parent;
+ int end_off, rec_off, data_off, size;
++ int src, dst, len;
+
+ tree = fd->tree;
+ node = fd->bnode;
+@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ }
+ hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs);
+
+- if (rec_off == end_off)
+- goto skip;
+ size = fd->keylength + fd->entrylength;
+
++ if (rec_off == end_off) {
++ src = fd->keyoffset;
++ hfs_bnode_clear(node, src, size);
++ goto skip;
++ }
++
+ do {
+ data_off = hfs_bnode_read_u16(node, rec_off);
+ hfs_bnode_write_u16(node, rec_off + 2, data_off - size);
+@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ } while (rec_off >= end_off);
+
+ /* fill hole */
+- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size,
+- data_off - fd->keyoffset - size);
++ dst = fd->keyoffset;
++ src = fd->keyoffset + size;
++ len = data_off - src;
++
++ hfs_bnode_move(node, dst, src, len);
++
++ src = dst + len;
++ len = data_off - src;
++
++ hfs_bnode_clear(node, src, len);
++
+ skip:
++ /*
++ * Remove the obsolete offset to free space.
++ */
++ hfs_bnode_write_u16(node, end_off, 0);
++
+ hfs_bnode_dump(node);
+ if (!fd->record)
+ hfs_brec_update_parent(fd);
+--
+2.51.0
+
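Review bot: The new `len = data_off - src;` values in the hfs_brec_remove() hunk come from the offset table read back out of the node (`data_off = hfs_bnode_read_u16(node, rec_off)`) and are handed to hfs_bnode_move() and hfs_bnode_clear() without checking that they are non-negative or stay inside the node; on a corrupted node whose free-space offset lies below the deleted record's end, len goes negative. The old hfs_bnode_move() call had the same exposure, so the patch does not introduce it, but the added hfs_bnode_clear() now relies on the same unchecked arithmetic. A guard such as `if (len < 0 || src + len > tree->node_size) return -EIO;` before the move would fail closed (tree is in scope from the first hunk), though num_recs has already been written back by that point, so an error return there needs the caller side considered too. The `skip:` comment could also say why end_off is obsolete: presumably end_off was computed from num_recs before it was decremented, so it names the old free-space entry now past the end of the table; that computation lies outside the hunk.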
diff --git a/queue-5.4/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch b/queue-5.4/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch new file mode 100644 index 0000000000..30ac987980 --- /dev/null +++ b/queue-5.4/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch 
@@ -0,0 +1,112 @@ +From a88e7f33c5bec05bd66c50bdad2d4635f97522e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Aug 2025 16:06:38 -0700 +Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() + +From: Viacheslav Dubeyko + +[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ] + +The syzbot reported issue in hfs_find_set_zero_bits(): + +===================================================== +BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151 + hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408 + hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353 + __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151 + block_write_begin fs/buffer.c:2262 [inline] + cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + cont_expand_zero fs/buffer.c:2528 [inline] + cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494 + hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654 + notify_change+0x1993/0x1aa0 fs/attr.c:552 + do_truncate+0x28f/0x310 fs/open.c:68 + do_ftruncate+0x698/0x730 fs/open.c:195 + do_sys_ftruncate fs/open.c:210 [inline] + __do_sys_ftruncate fs/open.c:215 [inline] + __se_sys_ftruncate fs/open.c:213 [inline] + __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213 + x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4154 [inline] + slab_alloc_node mm/slub.c:4197 [inline] + __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354 + kmalloc_noprof include/linux/slab.h:905 [inline] + hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175 + hfs_fill_super+0x3d0/0xb80 
fs/hfs/super.c:337 + get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681 + get_tree_bdev+0x38/0x50 fs/super.c:1704 + hfs_get_tree+0x35/0x40 fs/hfs/super.c:388 + vfs_get_tree+0xb0/0x5c0 fs/super.c:1804 + do_new_mount+0x738/0x1610 fs/namespace.c:3902 + path_mount+0x6db/0x1e90 fs/namespace.c:4226 + do_mount fs/namespace.c:4239 [inline] + __do_sys_mount fs/namespace.c:4450 [inline] + __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427 + __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427 + x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 +===================================================== + +The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get(): + +HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); + +Finally, it can trigger the reported issue because kmalloc() +doesn't clear the allocated memory. If allocated memory contains +only zeros, then everything will work pretty fine. +But if the allocated memory contains the "garbage", then +it can affect the bitmap operations and it triggers +the reported issue. + +This patch simply exchanges the kmalloc() on kzalloc() +with the goal to guarantee the correctness of bitmap operations. +Because, newly created allocation bitmap should have all +available blocks free. Potentially, initialization bitmap's read +operation could not fill the whole allocated memory and +"garbage" in the not initialized memory will be the reason of +volume coruptions and file system driver bugs. 
+ +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831 +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/mdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c +index 460281b1299eb..8036445672c5f 100644 +--- a/fs/hfs/mdb.c ++++ b/fs/hfs/mdb.c +@@ -166,7 +166,7 @@ int hfs_mdb_get(struct super_block *sb) + pr_warn("continuing without an alternate MDB\n"); + } + +- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); ++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL); + if (!HFS_SB(sb)->bitmap) + goto out; + +-- +2.51.0 + diff --git a/queue-5.4/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch b/queue-5.4/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch new file mode 100644 index 0000000000..bb7205267c --- /dev/null +++ b/queue-5.4/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch 
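Review bot: Zero-filling the 8192-byte bitmap in the mdb.c hunk means any part of the buffer that the bitmap read does not cover now reads as "block free" instead of garbage, which is only safe while every consumer of HFS_SB(sb)->bitmap bounds its scan by the volume's actual allocation-block count; the commit message itself notes the read may not fill the whole allocation. The loop that fills the buffer and the scan bounds are outside the hunk, so that invariant cannot be confirmed here. A comment on the allocation would make it explicit: `/* zeroed so the tail beyond the volume's bitmap never reads as allocated garbage; scans must still stop at the volume's block count */`.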
@@ -0,0 +1,76 @@
+From 645bcf275469dac095dd204a14795953b8c70ab8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Aug 2025 15:52:52 -0700
+Subject: hfs: make proper initalization of struct hfs_find_data
+
+From: Viacheslav Dubeyko
+
+[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ]
+
+Potenatially, __hfs_ext_read_extent() could operate by
+not initialized values of fd->key after hfs_brec_find() call:
+
+static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent,
+ u32 cnid, u32 block, u8 type)
+{
+ int res;
+
+ hfs_ext_build_key(fd->search_key, cnid, block, type);
+ fd->key->ext.FNum = 0;
+ res = hfs_brec_find(fd);
+ if (res && res != -ENOENT)
+ return res;
+ if (fd->key->ext.FNum != fd->search_key->ext.FNum ||
+ fd->key->ext.FkType != fd->search_key->ext.FkType)
+ return -ENOENT;
+ if (fd->entrylength != sizeof(hfs_extent_rec))
+ return -EIO;
+ hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec));
+ return 0;
+}
+
+This patch changes kmalloc() on kzalloc() in hfs_find_init()
+and intializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case if hfs_brec_find()
+has been found nothing in the b-tree node.
+
+Signed-off-by: Viacheslav Dubeyko
+cc: John Paul Adrian Glaubitz
+cc: Yangtao Li
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfs/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
+index ef9498a6e88ac..6d37b4c759034 100644
+--- a/fs/hfs/bfind.c
++++ b/fs/hfs/bfind.c
+@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -112,6 +112,12 @@ int hfs_brec_find(struct hfs_find_data *fd)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
+--
+2.51.0
+
diff --git a/queue-5.4/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch b/queue-5.4/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
new file mode 100644
index 0000000000..88b80aceba
--- /dev/null
+++ b/queue-5.4/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
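Review bot: The -1 sentinels written at the top of hfs_brec_find() in the bfind.c hunk are not explained, and since fd->record and the offset/length fields are plain ints, a caller that only tests `fd->record` for zero (hfs_brec_remove() does `if (!fd->record)` elsewhere in this series) treats -1 as an ordinary non-zero index. A comment above the block would document the contract: `/* -1 marks "no record located": if we bail out before the leaf search these must not be used as node offsets or lengths */`. It is also worth noting in the same comment that the kzalloc() change in hfs_find_init() only zeroes the key buffers that `ptr` points at; these five fields live in struct hfs_find_data itself, which is why they need separate initialisation here. The queue-5.15 hfsplus counterpart earlier in this series makes the identical change to fs/hfsplus/bfind.c and would take the same comment.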
@@ -0,0 +1,217 @@ +From 2127c4e0953600fc49352e812566b6dadd610b8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 22:17:34 +0800 +Subject: hfs: validate record offset in hfsplus_bmap_alloc + +From: Yang Chenzhi + +[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ] + +hfsplus_bmap_alloc can trigger a crash if a +record offset or length is larger than node_size + +[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183 +[ 15.265949] +[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary) +[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 15.266167] Call Trace: +[ 15.266168] +[ 15.266169] dump_stack_lvl+0x53/0x70 +[ 15.266173] print_report+0xd0/0x660 +[ 15.266181] kasan_report+0xce/0x100 +[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0 +[ 15.266217] hfsplus_brec_insert+0x870/0xb00 +[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570 +[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910 +[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200 +[ 15.266233] hfsplus_file_extend+0x5a7/0x1000 +[ 15.266237] hfsplus_get_block+0x12b/0x8c0 +[ 15.266238] __block_write_begin_int+0x36b/0x12c0 +[ 15.266251] block_write_begin+0x77/0x110 +[ 15.266252] cont_write_begin+0x428/0x720 +[ 15.266259] hfsplus_write_begin+0x51/0x100 +[ 15.266262] cont_write_begin+0x272/0x720 +[ 15.266270] hfsplus_write_begin+0x51/0x100 +[ 15.266274] generic_perform_write+0x321/0x750 +[ 15.266285] generic_file_write_iter+0xc3/0x310 +[ 15.266289] __kernel_write_iter+0x2fd/0x800 +[ 15.266296] dump_user_range+0x2ea/0x910 +[ 15.266301] elf_core_dump+0x2a94/0x2ed0 +[ 15.266320] vfs_coredump+0x1d85/0x45e0 +[ 15.266349] get_signal+0x12e3/0x1990 +[ 15.266357] arch_do_signal_or_restart+0x89/0x580 +[ 15.266362] 
irqentry_exit_to_user_mode+0xab/0x110 +[ 15.266364] asm_exc_page_fault+0x26/0x30 +[ 15.266366] RIP: 0033:0x41bd35 +[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f +[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283 +[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000 +[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100 +[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000 +[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000 +[ 15.266376] + +When calling hfsplus_bmap_alloc to allocate a free node, this function +first retrieves the bitmap from header node and map node using node->page +together with the offset and length from hfs_brec_lenoff + +``` +len = hfs_brec_lenoff(node, 2, &off16); +off = off16; + +off += node->page_offset; +pagep = node->page + (off >> PAGE_SHIFT); +data = kmap_local_page(*pagep); +``` + +However, if the retrieved offset or length is invalid(i.e. exceeds +node_size), the code may end up accessing pages outside the allocated +range for this node. + +This patch adds proper validation of both offset and length before use, +preventing out-of-bounds page access. Move is_bnode_offset_valid and +check_and_correct_requested_length to hfsplus_fs.h, as they may be +required by other functions. 
+ +Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/ +Signed-off-by: Yang Chenzhi +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bnode.c | 41 ---------------------------------------- + fs/hfsplus/btree.c | 6 ++++++ + fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 48 insertions(+), 41 deletions(-) + +diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c +index c9c38fddf505b..e566cea238279 100644 +--- a/fs/hfsplus/bnode.c ++++ b/fs/hfsplus/bnode.c +@@ -18,47 +18,6 @@ + #include "hfsplus_fs.h" + #include "hfsplus_raw.h" + +-static inline +-bool is_bnode_offset_valid(struct hfs_bnode *node, int off) +-{ +- bool is_valid = off < node->tree->node_size; +- +- if (!is_valid) { +- pr_err("requested invalid offset: " +- "NODE: id %u, type %#x, height %u, " +- "node_size %u, offset %d\n", +- node->this, node->type, node->height, +- node->tree->node_size, off); +- } +- +- return is_valid; +-} +- +-static inline +-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) +-{ +- unsigned int node_size; +- +- if (!is_bnode_offset_valid(node, off)) +- return 0; +- +- node_size = node->tree->node_size; +- +- if ((off + len) > node_size) { +- int new_len = (int)node_size - off; +- +- pr_err("requested length has been corrected: " +- "NODE: id %u, type %#x, height %u, " +- "node_size %u, offset %d, " +- "requested_len %d, corrected_len %d\n", +- node->this, node->type, node->height, +- node->tree->node_size, off, len, new_len); +- +- return new_len; +- } +- +- return len; +-} + + /* Copy a specified range of bytes from the raw data of a node */ + void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) +diff --git 
a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c +index 66774f4cb4fd5..2211907537fec 100644 +--- a/fs/hfsplus/btree.c ++++ b/fs/hfsplus/btree.c +@@ -392,6 +392,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree) + len = hfs_brec_lenoff(node, 2, &off16); + off = off16; + ++ if (!is_bnode_offset_valid(node, off)) { ++ hfs_bnode_put(node); ++ return ERR_PTR(-EIO); ++ } ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + data = kmap(*pagep); +diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h +index 86cfc147bf3d1..5355d1ff7a9b2 100644 +--- a/fs/hfsplus/hfsplus_fs.h ++++ b/fs/hfsplus/hfsplus_fs.h +@@ -561,6 +561,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree) + return class; + } + ++static inline ++bool is_bnode_offset_valid(struct hfs_bnode *node, int off) ++{ ++ bool is_valid = off < node->tree->node_size; ++ ++ if (!is_valid) { ++ pr_err("requested invalid offset: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off); ++ } ++ ++ return is_valid; ++} ++ ++static inline ++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) ++{ ++ unsigned int node_size; ++ ++ if (!is_bnode_offset_valid(node, off)) ++ return 0; ++ ++ node_size = node->tree->node_size; ++ ++ if ((off + len) > node_size) { ++ int new_len = (int)node_size - off; ++ ++ pr_err("requested length has been corrected: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, " ++ "requested_len %d, corrected_len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len, new_len); ++ ++ return new_len; ++ } ++ ++ return len; ++} ++ + /* compatibility */ + #define hfsp_mt2ut(t) (struct timespec){ .tv_sec = __hfsp_mt2ut(t) } + #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec) +-- +2.51.0 + 
diff --git a/queue-5.4/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch b/queue-5.4/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch new file mode 100644 index 0000000000..2c91c30d47 --- /dev/null +++ b/queue-5.4/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch 
@@ -0,0 +1,214 @@ +From 3daf5d69e92b3cc337c0f2bf55d9dbaf7857dbbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 15:52:32 -0700 +Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() + +From: Viacheslav Dubeyko + +[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ] + +The syzbot reported issue in __hfsplus_ext_cache_extent(): + +[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.199771][ T9350] ksys_write+0x23e/0x490 +[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.202054][ T9350] +[ 70.202279][ T9350] Uninit was created at: +[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80 +[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0 +[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0 +[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.207961][ T9350] ksys_write+0x23e/0x490 +[ 
70.208375][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.210230][ T9350] +[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 +[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.212115][ T9350] ===================================================== +[ 70.212734][ T9350] Disabling lock debugging due to kernel taint +[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... +[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5 +[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE +[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.215999][ T9350] Call Trace: +[ 70.216309][ T9350] +[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0 +[ 70.217025][ T9350] dump_stack+0x1e/0x30 +[ 70.217421][ T9350] panic+0x502/0xca0 +[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 + +[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ... + kernel +:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +set ... +[ 70.221254][ T9350] ? __msan_warning+0x96/0x120 +[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0 +[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0 +[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0 +[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950 +[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130 +[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060 +[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460 +[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0 +[ 70.228540][ T9350] ? 
vfs_write+0xb0f/0x14e0 +[ 70.228997][ T9350] ? ksys_write+0x23e/0x490 +[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0 +[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0 +[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0 +[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0 +[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10 +[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0 +[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40 +[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620 +[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.241175][ T9350] __msan_warning+0x96/0x120 +[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10 +[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.249856][ T9350] ? 
kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10 +[ 70.251530][ T9350] ksys_write+0x23e/0x490 +[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60 +[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9 +[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9 +[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004 +[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0 +[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250 +[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 70.261286][ T9350] +[ 70.262026][ T9350] Kernel Offset: disabled + +(gdb) l *__hfsplus_ext_cache_extent+0x7d0 +0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168). +163 fd->key->ext.cnid = 0; +164 res = hfs_brec_find(fd, hfs_find_rec_by_key); +165 if (res && res != -ENOENT) +166 return res; +167 if (fd->key->ext.cnid != fd->search_key->ext.cnid || +168 fd->key->ext.fork_type != fd->search_key->ext.fork_type) +169 return -ENOENT; +170 if (fd->entrylength != sizeof(hfsplus_extent_rec)) +171 return -EIO; +172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset, + +The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent(): + +res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino, + block, HFSPLUS_IS_RSRC(inode) ? 
+ HFSPLUS_TYPE_RSRC : + HFSPLUS_TYPE_DATA); + +And if inode->i_ino could be equal to zero or any non-available CNID, +then hfs_brec_find() could not find the record in the tree. As a result, +fd->key could be compared with fd->search_key. But hfsplus_find_init() +uses kmalloc() for fd->key and fd->search_key allocation: + +int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) +{ + + ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; + fd->key = ptr + tree->max_key_len + 2; + +} + +Finally, fd->key is still not initialized if hfs_brec_find() +has found nothing. + +This patch changes kmalloc() on kzalloc() in hfs_find_init() +and intializes fd->record, fd->keyoffset, fd->keylength, +fd->entryoffset, fd->entrylength for the case if hfs_brec_find() +has been found nothing in the b-tree node. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521 +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bfind.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c +index 901e83d65d202..26ebac4c60424 100644 +--- a/fs/hfsplus/bfind.c ++++ b/fs/hfsplus/bfind.c +@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) + + fd->tree = tree; + fd->bnode = NULL; +- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); ++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; +@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare) + __be32 data; + int height, res; + ++ fd->record = -1; ++ fd->keyoffset = -1; ++ fd->keylength = -1; ++ fd->entryoffset = -1; ++ fd->entrylength 
= -1; ++ + tree = fd->tree; + if (fd->bnode) + hfs_bnode_put(fd->bnode); +-- +2.51.0 + diff --git a/queue-5.4/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch b/queue-5.4/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch new file mode 100644 index 0000000000..87c6172ff7 --- /dev/null +++ b/queue-5.4/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch 
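Review bot: The hfsplus sentinel block mirrors the hfs one and likewise has no comment, so a reader of hfs_brec_find() cannot tell that -1 exists to make the later `fd->entrylength != sizeof(hfsplus_extent_rec)` check in __hfsplus_ext_read_extent() fail whenever the search found nothing. Suggested comment above `fd->record = -1;`: `/* Invalidate the result fields up front so a caller that ignores -ENOENT reads a bogus record (entrylength -1) instead of the previous lookup's data. */`. It is also worth a comment that kzalloc() only covers the first search: on subsequent searches fd->key holds whatever the binary search last read, which is why callers pre-clear `fd->key->ext.cnid = 0` before calling hfs_brec_find(). If these fields are unsigned in this tree's struct hfs_find_data (not shown), -1 wraps but still cannot equal a real record length; confirm. The function body continues outside the hunk.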
@@ -0,0 +1,198 @@ +From 9b833eef6c8aab8c9a9145c8c90a9054fc77eadb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 15:51:04 -0700 +Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() + +From: Viacheslav Dubeyko + +[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ] + +The syzbot reported issue in hfsplus_delete_cat(): + +[ 70.682285][ T9333] ===================================================== +[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0 +[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310 +[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810 +[ 70.685447][ T9333] do_rmdir+0x964/0xea0 +[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0 +[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0 +[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.687646][ T9333] +[ 70.687856][ T9333] Uninit was stored to memory at: +[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 +[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800 +[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600 +[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70 +[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0 +[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30 +[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0 +[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0 +[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.692773][ T9333] +[ 70.692990][ T9333] Uninit was stored to memory at: +[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 +[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800 +[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700 +[ 70.694911][ T9333] mount_bdev+0x37b/0x530 +[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60 +[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0 +[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0 +[ 
70.696588][ T9333] do_new_mount+0x73e/0x1630 +[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0 +[ 70.697425][ T9333] __se_sys_mount+0x733/0x830 +[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150 +[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0 +[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.699730][ T9333] +[ 70.699946][ T9333] Uninit was created at: +[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60 +[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0 +[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0 +[ 70.701774][ T9333] allocate_slab+0x30e/0x1390 +[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0 +[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20 +[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0 +[ 70.703598][ T9333] alloc_inode+0x82/0x490 +[ 70.703984][ T9333] iget_locked+0x22e/0x1320 +[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0 +[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0 +[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700 +[ 70.705776][ T9333] mount_bdev+0x37b/0x530 +[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60 +[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0 +[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0 +[ 70.707444][ T9333] do_new_mount+0x73e/0x1630 +[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0 +[ 70.708270][ T9333] __se_sys_mount+0x733/0x830 +[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150 +[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0 +[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.710611][ T9333] +[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17 +[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.712490][ T9333] ===================================================== +[ 70.713085][ T9333] Disabling lock debugging due to kernel taint +[ 70.713618][ T9333] Kernel panic - not 
syncing: kmsan.panic set ... +[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17 +[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE +[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.716311][ T9333] Call Trace: +[ 70.716621][ T9333] +[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0 +[ 70.717350][ T9333] dump_stack+0x1e/0x30 +[ 70.717743][ T9333] panic+0x502/0xca0 +[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.718611][ T9333] kmsan_report+0x296/0x2a0 +[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.719859][ T9333] ? __msan_warning+0x96/0x120 +[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0 +[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310 +[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810 +[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0 +[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0 +[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0 +[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0 +[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60 +[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50 +[ 70.726175][ T9333] ? vprintk+0xce/0xd0 +[ 70.726628][ T9333] ? _printk+0x17e/0x1b0 +[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.728324][ T9333] __msan_warning+0x96/0x120 +[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0 +[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310 +[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10 +[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810 +[ 70.733416][ T9333] ? 
kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.734044][ T9333] do_rmdir+0x964/0xea0 +[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0 +[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0 +[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60 +[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9 +[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054 +[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9 +[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100 +[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910 +[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260 +[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 70.745082][ T9333] + +The main reason of the issue that struct hfsplus_inode_info +has not been properly initialized for the case of root folder. +In the case of root folder, hfsplus_fill_super() calls +the hfsplus_iget() that implements only partial initialization of +struct hfsplus_inode_info and subfolders field is not +initialized by hfsplus_iget() logic. + +This patch implements complete initialization of +struct hfsplus_inode_info in the hfsplus_iget() logic with +the goal to prevent likewise issues for the case of +root folder. 
+
+Reported-by: syzbot
+Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f
+Signed-off-by: Viacheslav Dubeyko
+cc: John Paul Adrian Glaubitz
+cc: Yangtao Li
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfsplus/super.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 29a39afe26535..d744fde416804 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -67,13 +67,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino)
+ if (!(inode->i_state & I_NEW))
+ return inode;
+
+- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
+- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
+- mutex_init(&HFSPLUS_I(inode)->extents_lock);
+- HFSPLUS_I(inode)->flags = 0;
++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->first_blocks = 0;
++ HFSPLUS_I(inode)->clump_blocks = 0;
++ HFSPLUS_I(inode)->alloc_blocks = 0;
++ HFSPLUS_I(inode)->cached_start = U32_MAX;
++ HFSPLUS_I(inode)->cached_blocks = 0;
++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec));
++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec));
+ HFSPLUS_I(inode)->extent_state = 0;
++ mutex_init(&HFSPLUS_I(inode)->extents_lock);
+ HFSPLUS_I(inode)->rsrc_inode = NULL;
+- atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->create_date = 0;
++ HFSPLUS_I(inode)->linkid = 0;
++ HFSPLUS_I(inode)->flags = 0;
++ HFSPLUS_I(inode)->fs_blocks = 0;
++ HFSPLUS_I(inode)->userflags = 0;
++ HFSPLUS_I(inode)->subfolders = 0;
++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
++ HFSPLUS_I(inode)->phys_size = 0;
+
+ if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID ||
+ inode->i_ino == HFSPLUS_ROOT_CNID) {
+--
+2.51.0
+
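Review bot: The field-by-field reset in hfsplus_iget() now has to be kept complete by hand: the KMSAN report shows the memory comes from kmem_cache_alloc_lru in hfsplus_alloc_inode(), which does not zero it, so any hfsplus_inode_info member added later and missed here reappears as the same class of bug. A comment at the top of the block should make that explicit, e.g. `/* Slab memory is not zeroed: every hfsplus_inode_info field must be initialized here (keep in step with the matching list in hfsplus_new_inode()). */` — assuming hfsplus_new_inode() carries a parallel initializer, which this hunk does not show. `HFSPLUS_I(inode)->cached_start = U32_MAX;` also deserves a one-line note on why the extent cache is marked empty with U32_MAX rather than 0, since it is the only non-zero initializer in the list. hfsplus_iget() continues outside the hunk.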
diff --git a/queue-5.4/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch b/queue-5.4/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
new file mode 100644
index 0000000000..1b773094d7
--- /dev/null
+++ b/queue-5.4/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
@@ -0,0 +1,39 @@
+From cd632ad48648ddda029f3a76fe5e56b5e656cf20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+From: Yangtao Li
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li
+Reviewed-by: Viacheslav Dubeyko
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index d744fde416804..db68ed59b4b21 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -539,7 +539,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+--
+2.51.0
+
diff --git a/queue-5.4/m68k-bitops-fix-find_-_bit-signatures.patch b/queue-5.4/m68k-bitops-fix-find_-_bit-signatures.patch
new file mode 100644
index 0000000000..3cf8a5c1c7
--- /dev/null
+++ b/queue-5.4/m68k-bitops-fix-find_-_bit-signatures.patch
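Review bot: The type mismatch now fails the mount with -EIO but still logs nothing, even though `silent` is right there in hfsplus_fill_super()'s signature; without a message a user cannot distinguish a corrupt hidden-directory record from any other I/O failure on the mount path. Add before `goto out_put_root;`: `if (!silent) pr_err("hidden directory record has wrong type %#x\n", be16_to_cpu(entry.type));`. The out_put_root error path itself is outside the hunk.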
@@ -0,0 +1,90 @@ +From 49f7ffff7a362b33d0ff088eb053926cd8f1fac8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 17:16:13 +0200 +Subject: m68k: bitops: Fix find_*_bit() signatures + +From: Geert Uytterhoeven + +[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ] + +The function signatures of the m68k-optimized implementations of the +find_{first,next}_{,zero_}bit() helpers do not match the generic +variants. + +Fix this by changing all non-pointer inputs and outputs to "unsigned +long", and updating a few local variables. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/ +Signed-off-by: Geert Uytterhoeven +Acked-by: "Yury Norov (NVIDIA)" +Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org +Signed-off-by: Sasha Levin +--- + arch/m68k/include/asm/bitops.h | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h +index 10133a968c8e1..d2a9aa0485175 100644 +--- a/arch/m68k/include/asm/bitops.h ++++ b/arch/m68k/include/asm/bitops.h +@@ -314,12 +314,12 @@ static inline int bfchg_mem_test_and_change_bit(int nr, + #include + #else + +-static inline int find_first_zero_bit(const unsigned long *vaddr, +- unsigned size) ++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr, ++ unsigned long size) + { + const unsigned long *p = vaddr; +- int res = 32; +- unsigned int words; ++ unsigned long res = 32; ++ unsigned long words; + unsigned long num; + + if (!size) +@@ -340,8 +340,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr, + } + #define find_first_zero_bit find_first_zero_bit + +-static inline int find_next_zero_bit(const unsigned long *vaddr, int size, +- int offset) ++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr, ++ unsigned long size, ++ unsigned 
long offset) + { + const unsigned long *p = vaddr + (offset >> 5); + int bit = offset & 31UL, res; +@@ -370,11 +371,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size, + } + #define find_next_zero_bit find_next_zero_bit + +-static inline int find_first_bit(const unsigned long *vaddr, unsigned size) ++static inline unsigned long find_first_bit(const unsigned long *vaddr, ++ unsigned long size) + { + const unsigned long *p = vaddr; +- int res = 32; +- unsigned int words; ++ unsigned long res = 32; ++ unsigned long words; + unsigned long num; + + if (!size) +@@ -395,8 +397,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size) + } + #define find_first_bit find_first_bit + +-static inline int find_next_bit(const unsigned long *vaddr, int size, +- int offset) ++static inline unsigned long find_next_bit(const unsigned long *vaddr, ++ unsigned long size, ++ unsigned long offset) + { + const unsigned long *p = vaddr + (offset >> 5); + int bit = offset & 31UL, res; +-- +2.51.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 36a20c2d30..79650bd2d6 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -169,3 +169,13 @@ sched-balancing-rename-newidle_balance-sched_balance.patch sched-fair-fix-pelt-lost-idle-time-detection.patch alsa-firewire-amdtp-stream-fix-enum-kernel-doc-warni.patch hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch +exec-fix-incorrect-type-for-ret.patch +hfs-clear-offset-and-space-out-of-valid-records-in-b.patch +hfs-make-proper-initalization-of-struct-hfs_find_dat.patch +hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch +hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch +hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch +dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch +hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch +hfsplus-return-eio-when-type-of-hidden-directory-mis.patch +m68k-bitops-fix-find_-_bit-signatures.patch 
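Review bot: The signatures of find_next_zero_bit() and find_next_bit() are widened to unsigned long, but the local declaration on the line after each `{`, `int bit = offset & 31UL, res;`, is left as int in both functions, so `res` — presumably what they return, as the find_first_* siblings in this same patch suggest — is still computed in a signed 32-bit type and converted on return. On m68k long is 32 bits so no value is lost, but it is inconsistent with the find_first_* changes and with the commit text ("updating a few local variables"); `unsigned long bit = offset & 31UL, res;` would make all four helpers uniform. The bodies of both find_next_* functions, including the return of res, lie outside the hunk.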
diff --git a/queue-6.1/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch b/queue-6.1/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
new file mode 100644
index 0000000000..d0e0dcdade
--- /dev/null
+++ b/queue-6.1/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
@@ -0,0 +1,34 @@
+From fa85221e0c43a952362611e56dbf2b40b75d93d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Jul 2025 11:21:52 -0400
+Subject: dlm: check for defined force value in dlm_lockspace_release
+
+From: Alexander Aring
+
+[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]
+
+Force values over 3 are undefined, so don't treat them as 3.
+
+Signed-off-by: Alexander Aring
+Signed-off-by: David Teigland
+Signed-off-by: Sasha Levin
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index 23cf9b8f31b74..e7372d56c13f4 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -825,7 +825,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
+
+ dlm_device_deregister(ls);
+
+- if (force < 3 && dlm_user_daemon_available())
++ if (force != 3 && dlm_user_daemon_available())
+ do_uevent(ls, 0);
+
+ dlm_recoverd_stop(ls);
+--
+2.51.0
+
diff --git a/queue-6.1/exec-fix-incorrect-type-for-ret.patch b/queue-6.1/exec-fix-incorrect-type-for-ret.patch
new file mode 100644
index 0000000000..60384e719a
--- /dev/null
+++ b/queue-6.1/exec-fix-incorrect-type-for-ret.patch
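Review bot: `force != 3` changes what happens for the undefined values the commit message mentions — a caller passing 4 or more (or a negative value) now goes through do_uevent() and waits on the user daemon exactly like 0..2, rather than being refused. Silently treating undefined input as a valid mode is the weaker option; if release_lockspace() or dlm_release_lockspace() do not already range-check force (both function starts are outside the hunk), an early `if (force < 0 || force > 3) return -EINVAL;` would make "undefined" actually mean rejected. Failing that, a comment on the condition, `/* only force == 3 skips the userspace daemon; values > 3 are undefined */`, would stop the next reader from taking `!= 3` for a typo of `< 3`.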
@@ -0,0 +1,38 @@
+From 9a166cc3972828ad6c26d00427b719758c3425a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Aug 2025 15:36:09 +0800
+Subject: exec: Fix incorrect type for ret
+
+From: Xichao Zhao
+
+[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]
+
+In the setup_arg_pages(), ret is declared as an unsigned long.
+The ret might take a negative value. Therefore, its type should
+be changed to int.
+
+Signed-off-by: Xichao Zhao
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index b65af8f9a4f9b..a4d21a67723d7 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -750,7 +750,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ 		    unsigned long stack_top,
+ 		    int executable_stack)
+ {
+-	unsigned long ret;
++	int ret;
+ 	unsigned long stack_shift;
+ 	struct mm_struct *mm = current->mm;
+ 	struct vm_area_struct *vma = bprm->vma;
+-- 
+2.51.0
+
diff --git a/queue-6.1/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch b/queue-6.1/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
new file mode 100644
index 0000000000..62777fda70
--- /dev/null
+++ b/queue-6.1/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
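Review bot: Narrowing `ret` to `int` makes a `ret < 0` test meaningful, but the whole body of setup_arg_pages is outside this hunk, so the backport needs to confirm that every assignment to `ret` in the 6.1 function is an `int` error code and never an `unsigned long` address or size that would now be truncated instead of carried intact. If any such assignment exists it needs its own `unsigned long` local rather than sharing `ret`. A short note on the declaration, `int ret; /* negative errno on failure */`, would document why the narrower type is correct.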
@@ -0,0 +1,94 @@ +From 7d2b252bc4f44632f19e33368d4d2f85fe5503a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Aug 2025 12:49:19 -0700 +Subject: hfs: clear offset and space out of valid records in b-tree node + +From: Viacheslav Dubeyko + +[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ] + +Currently, hfs_brec_remove() executes moving records +towards the location of deleted record and it updates +offsets of moved records. However, the hfs_brec_remove() +logic ignores the "mess" of b-tree node's free space and +it doesn't touch the offsets out of records number. +Potentially, it could confuse fsck or driver logic or +to be a reason of potential corruption cases. + +This patch reworks the logic of hfs_brec_remove() +by means of clearing freed space of b-tree node +after the records moving. And it clear the last +offset that keeping old location of free space +because now the offset before this one is keeping +the actual offset to the free space after the record +deletion. 
+ +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/brec.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c +index 896396554bcc1..b01db1fae147c 100644 +--- a/fs/hfs/brec.c ++++ b/fs/hfs/brec.c +@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd) + struct hfs_btree *tree; + struct hfs_bnode *node, *parent; + int end_off, rec_off, data_off, size; ++ int src, dst, len; + + tree = fd->tree; + node = fd->bnode; +@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd) + } + hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs); + +- if (rec_off == end_off) +- goto skip; + size = fd->keylength + fd->entrylength; + ++ if (rec_off == end_off) { ++ src = fd->keyoffset; ++ hfs_bnode_clear(node, src, size); ++ goto skip; ++ } ++ + do { + data_off = hfs_bnode_read_u16(node, rec_off); + hfs_bnode_write_u16(node, rec_off + 2, data_off - size); +@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd) + } while (rec_off >= end_off); + + /* fill hole */ +- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size, +- data_off - fd->keyoffset - size); ++ dst = fd->keyoffset; ++ src = fd->keyoffset + size; ++ len = data_off - src; ++ ++ hfs_bnode_move(node, dst, src, len); ++ ++ src = dst + len; ++ len = data_off - src; ++ ++ hfs_bnode_clear(node, src, len); ++ + skip: ++ /* ++ * Remove the obsolete offset to free space. ++ */ ++ hfs_bnode_write_u16(node, end_off, 0); ++ + hfs_bnode_dump(node); + if (!fd->record) + hfs_brec_update_parent(fd); +-- +2.51.0 + 
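Review bot: Both new `hfs_bnode_clear()` calls take lengths derived from on-disk values — `data_off` is read from the record offset table with `hfs_bnode_read_u16()` and `fd->keyoffset` comes from the same node — and nothing checks `data_off >= src` first, so a crafted node whose free-space offset lies below the deleted record yields a negative `len`; if hfs_bnode_clear (not visible here) passes that straight to memset, the negative int becomes a huge size_t. The pre-existing `hfs_bnode_move()` had the same exposure, but this change widens it rather than closing it. Adding `if (len < 0) return -EIO;` after each `len = data_off - src;` keeps the clear inside the node and turns corruption into an error. hfs_brec_remove starts outside the hunk, including the `again:` path that re-reads fd on the parent node.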
diff --git a/queue-6.1/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch b/queue-6.1/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch new file mode 100644 index 0000000000..454c342090 --- /dev/null +++ b/queue-6.1/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch 
@@ -0,0 +1,112 @@ +From 182a3cfa6bf2495d680f70656acfe15534a86a12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Aug 2025 16:06:38 -0700 +Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() + +From: Viacheslav Dubeyko + +[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ] + +The syzbot reported issue in hfs_find_set_zero_bits(): + +===================================================== +BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151 + hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408 + hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353 + __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151 + block_write_begin fs/buffer.c:2262 [inline] + cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + cont_expand_zero fs/buffer.c:2528 [inline] + cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494 + hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654 + notify_change+0x1993/0x1aa0 fs/attr.c:552 + do_truncate+0x28f/0x310 fs/open.c:68 + do_ftruncate+0x698/0x730 fs/open.c:195 + do_sys_ftruncate fs/open.c:210 [inline] + __do_sys_ftruncate fs/open.c:215 [inline] + __se_sys_ftruncate fs/open.c:213 [inline] + __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213 + x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4154 [inline] + slab_alloc_node mm/slub.c:4197 [inline] + __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354 + kmalloc_noprof include/linux/slab.h:905 [inline] + hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175 + hfs_fill_super+0x3d0/0xb80 
fs/hfs/super.c:337 + get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681 + get_tree_bdev+0x38/0x50 fs/super.c:1704 + hfs_get_tree+0x35/0x40 fs/hfs/super.c:388 + vfs_get_tree+0xb0/0x5c0 fs/super.c:1804 + do_new_mount+0x738/0x1610 fs/namespace.c:3902 + path_mount+0x6db/0x1e90 fs/namespace.c:4226 + do_mount fs/namespace.c:4239 [inline] + __do_sys_mount fs/namespace.c:4450 [inline] + __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427 + __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427 + x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 +===================================================== + +The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get(): + +HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); + +Finally, it can trigger the reported issue because kmalloc() +doesn't clear the allocated memory. If allocated memory contains +only zeros, then everything will work pretty fine. +But if the allocated memory contains the "garbage", then +it can affect the bitmap operations and it triggers +the reported issue. + +This patch simply exchanges the kmalloc() on kzalloc() +with the goal to guarantee the correctness of bitmap operations. +Because, newly created allocation bitmap should have all +available blocks free. Potentially, initialization bitmap's read +operation could not fill the whole allocated memory and +"garbage" in the not initialized memory will be the reason of +volume coruptions and file system driver bugs. 
+ +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831 +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/mdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c +index 8082eb01127cd..bf811347bb07d 100644 +--- a/fs/hfs/mdb.c ++++ b/fs/hfs/mdb.c +@@ -172,7 +172,7 @@ int hfs_mdb_get(struct super_block *sb) + pr_warn("continuing without an alternate MDB\n"); + } + +- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); ++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL); + if (!HFS_SB(sb)->bitmap) + goto out; + +-- +2.51.0 + diff --git a/queue-6.1/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch b/queue-6.1/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch new file mode 100644 index 0000000000..88097ae833 --- /dev/null +++ b/queue-6.1/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch 
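Review bot: Zeroing the buffer only removes the nondeterminism; the commit message itself says the bitmap read that follows may not fill all 8192 bytes, and since the stated intent is that a fresh bitmap "should have all available blocks free", a zero bit reads as free, so an unfilled tail now deterministically advertises blocks as allocatable instead of failing the mount. Whether the read loop (outside the hunk) bounds every search by the volume's allocation-block count or returns an error on a short read is what actually decides correctness here and is worth checking in the 6.1 backport. A comment on the changed line, `/* zeroed: unread bits read as free; the read below must cover every allocation block */`, would record that assumption next to the allocation.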
@@ -0,0 +1,76 @@ +From 6315368b3075acd66a504cb0a0691bf79ca8dc39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 15:52:52 -0700 +Subject: hfs: make proper initalization of struct hfs_find_data + +From: Viacheslav Dubeyko + +[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ] + +Potenatially, __hfs_ext_read_extent() could operate by +not initialized values of fd->key after hfs_brec_find() call: + +static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent, + u32 cnid, u32 block, u8 type) +{ + int res; + + hfs_ext_build_key(fd->search_key, cnid, block, type); + fd->key->ext.FNum = 0; + res = hfs_brec_find(fd); + if (res && res != -ENOENT) + return res; + if (fd->key->ext.FNum != fd->search_key->ext.FNum || + fd->key->ext.FkType != fd->search_key->ext.FkType) + return -ENOENT; + if (fd->entrylength != sizeof(hfs_extent_rec)) + return -EIO; + hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec)); + return 0; +} + +This patch changes kmalloc() on kzalloc() in hfs_find_init() +and intializes fd->record, fd->keyoffset, fd->keylength, +fd->entryoffset, fd->entrylength for the case if hfs_brec_find() +has been found nothing in the b-tree node. 
+ +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/bfind.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c +index ef9498a6e88ac..6d37b4c759034 100644 +--- a/fs/hfs/bfind.c ++++ b/fs/hfs/bfind.c +@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) + + fd->tree = tree; + fd->bnode = NULL; +- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); ++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; +@@ -112,6 +112,12 @@ int hfs_brec_find(struct hfs_find_data *fd) + __be32 data; + int height, res; + ++ fd->record = -1; ++ fd->keyoffset = -1; ++ fd->keylength = -1; ++ fd->entryoffset = -1; ++ fd->entrylength = -1; ++ + tree = fd->tree; + if (fd->bnode) + hfs_bnode_put(fd->bnode); +-- +2.51.0 + diff --git a/queue-6.1/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch b/queue-6.1/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch new file mode 100644 index 0000000000..89aa60e0bb --- /dev/null +++ b/queue-6.1/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch 
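Review bot: The five `-1` sentinels at the top of hfs_brec_find are undocumented, and a reader cannot tell from the hunk whether callers are meant to test them or whether they only exist so that stale data fails a later check (the description relies on `fd->entrylength != sizeof(hfs_extent_rec)` in __hfs_ext_read_extent turning into -EIO). A comment above the block such as `/* Invalidate the previous result so a lookup that fails or aborts early leaves no stale record/offset data for callers */` would make the contract explicit. Note also that `kzalloc()` zeroes `fd->key` only once at init; on a reused `fd` a lookup that errors out before the key is stored (paths outside the hunk) still leaves the previous search's key in place, which is why the sentinels matter. hfs_brec_find continues outside the hunk.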
@@ -0,0 +1,217 @@ +From 55d66faa7318763a7b1356757a80030ea0841389 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 22:17:34 +0800 +Subject: hfs: validate record offset in hfsplus_bmap_alloc + +From: Yang Chenzhi + +[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ] + +hfsplus_bmap_alloc can trigger a crash if a +record offset or length is larger than node_size + +[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183 +[ 15.265949] +[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary) +[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 15.266167] Call Trace: +[ 15.266168] +[ 15.266169] dump_stack_lvl+0x53/0x70 +[ 15.266173] print_report+0xd0/0x660 +[ 15.266181] kasan_report+0xce/0x100 +[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0 +[ 15.266217] hfsplus_brec_insert+0x870/0xb00 +[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570 +[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910 +[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200 +[ 15.266233] hfsplus_file_extend+0x5a7/0x1000 +[ 15.266237] hfsplus_get_block+0x12b/0x8c0 +[ 15.266238] __block_write_begin_int+0x36b/0x12c0 +[ 15.266251] block_write_begin+0x77/0x110 +[ 15.266252] cont_write_begin+0x428/0x720 +[ 15.266259] hfsplus_write_begin+0x51/0x100 +[ 15.266262] cont_write_begin+0x272/0x720 +[ 15.266270] hfsplus_write_begin+0x51/0x100 +[ 15.266274] generic_perform_write+0x321/0x750 +[ 15.266285] generic_file_write_iter+0xc3/0x310 +[ 15.266289] __kernel_write_iter+0x2fd/0x800 +[ 15.266296] dump_user_range+0x2ea/0x910 +[ 15.266301] elf_core_dump+0x2a94/0x2ed0 +[ 15.266320] vfs_coredump+0x1d85/0x45e0 +[ 15.266349] get_signal+0x12e3/0x1990 +[ 15.266357] arch_do_signal_or_restart+0x89/0x580 +[ 15.266362] 
irqentry_exit_to_user_mode+0xab/0x110 +[ 15.266364] asm_exc_page_fault+0x26/0x30 +[ 15.266366] RIP: 0033:0x41bd35 +[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f +[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283 +[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000 +[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100 +[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000 +[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000 +[ 15.266376] + +When calling hfsplus_bmap_alloc to allocate a free node, this function +first retrieves the bitmap from header node and map node using node->page +together with the offset and length from hfs_brec_lenoff + +``` +len = hfs_brec_lenoff(node, 2, &off16); +off = off16; + +off += node->page_offset; +pagep = node->page + (off >> PAGE_SHIFT); +data = kmap_local_page(*pagep); +``` + +However, if the retrieved offset or length is invalid(i.e. exceeds +node_size), the code may end up accessing pages outside the allocated +range for this node. + +This patch adds proper validation of both offset and length before use, +preventing out-of-bounds page access. Move is_bnode_offset_valid and +check_and_correct_requested_length to hfsplus_fs.h, as they may be +required by other functions. 
+ +Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/ +Signed-off-by: Yang Chenzhi +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bnode.c | 41 ---------------------------------------- + fs/hfsplus/btree.c | 6 ++++++ + fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 48 insertions(+), 41 deletions(-) + +diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c +index 14f4995588ff0..407d5152eb411 100644 +--- a/fs/hfsplus/bnode.c ++++ b/fs/hfsplus/bnode.c +@@ -18,47 +18,6 @@ + #include "hfsplus_fs.h" + #include "hfsplus_raw.h" + +-static inline +-bool is_bnode_offset_valid(struct hfs_bnode *node, int off) +-{ +- bool is_valid = off < node->tree->node_size; +- +- if (!is_valid) { +- pr_err("requested invalid offset: " +- "NODE: id %u, type %#x, height %u, " +- "node_size %u, offset %d\n", +- node->this, node->type, node->height, +- node->tree->node_size, off); +- } +- +- return is_valid; +-} +- +-static inline +-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) +-{ +- unsigned int node_size; +- +- if (!is_bnode_offset_valid(node, off)) +- return 0; +- +- node_size = node->tree->node_size; +- +- if ((off + len) > node_size) { +- int new_len = (int)node_size - off; +- +- pr_err("requested length has been corrected: " +- "NODE: id %u, type %#x, height %u, " +- "node_size %u, offset %d, " +- "requested_len %d, corrected_len %d\n", +- node->this, node->type, node->height, +- node->tree->node_size, off, len, new_len); +- +- return new_len; +- } +- +- return len; +-} + + /* Copy a specified range of bytes from the raw data of a node */ + void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) +diff --git 
a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c +index 9e1732a2b92a8..fe6a54c4083c3 100644 +--- a/fs/hfsplus/btree.c ++++ b/fs/hfsplus/btree.c +@@ -393,6 +393,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree) + len = hfs_brec_lenoff(node, 2, &off16); + off = off16; + ++ if (!is_bnode_offset_valid(node, off)) { ++ hfs_bnode_put(node); ++ return ERR_PTR(-EIO); ++ } ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + data = kmap_local_page(*pagep); +diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h +index 3227436f3a4a6..e13da1fe2c2a2 100644 +--- a/fs/hfsplus/hfsplus_fs.h ++++ b/fs/hfsplus/hfsplus_fs.h +@@ -574,6 +574,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree) + return class; + } + ++static inline ++bool is_bnode_offset_valid(struct hfs_bnode *node, int off) ++{ ++ bool is_valid = off < node->tree->node_size; ++ ++ if (!is_valid) { ++ pr_err("requested invalid offset: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off); ++ } ++ ++ return is_valid; ++} ++ ++static inline ++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) ++{ ++ unsigned int node_size; ++ ++ if (!is_bnode_offset_valid(node, off)) ++ return 0; ++ ++ node_size = node->tree->node_size; ++ ++ if ((off + len) > node_size) { ++ int new_len = (int)node_size - off; ++ ++ pr_err("requested length has been corrected: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, " ++ "requested_len %d, corrected_len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len, new_len); ++ ++ return new_len; ++ } ++ ++ return len; ++} ++ + /* compatibility */ + #define hfsp_mt2ut(t) (struct timespec64){ .tv_sec = __hfsp_mt2ut(t) } + #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec) +-- +2.51.0 + 
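Review bot: `check_and_correct_requested_length()` logs and truncates a map record that runs past node_size, after which hfs_bmap_alloc goes on to allocate from the shortened bitmap, whereas an offset past the node is treated as -EIO; a length overrun is the same class of corruption and it is more consistent to fail there as well, e.g. `if (off + len > node->tree->node_size) { hfs_bnode_put(node); return ERR_PTR(-EIO); }` in place of the correction. Separately, the moved `is_bnode_offset_valid()` checks only the upper bound, so a negative `off` passes; now that it lives in a shared header, `bool is_valid = off >= 0 && off < node->tree->node_size;` covers any caller that passes a signed value. The remainder of hfs_bmap_alloc, including the bitmap walk that consumes `len`, is outside the hunk.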
diff --git a/queue-6.1/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch b/queue-6.1/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch new file mode 100644 index 0000000000..2022060415 --- /dev/null +++ b/queue-6.1/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch 
@@ -0,0 +1,214 @@ +From 83b37f602a1068b87b7bdcb20468b787d9a5b052 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 15:52:32 -0700 +Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() + +From: Viacheslav Dubeyko + +[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ] + +The syzbot reported issue in __hfsplus_ext_cache_extent(): + +[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.199771][ T9350] ksys_write+0x23e/0x490 +[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.202054][ T9350] +[ 70.202279][ T9350] Uninit was created at: +[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80 +[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0 +[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0 +[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.207961][ T9350] ksys_write+0x23e/0x490 +[ 
70.208375][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.210230][ T9350] +[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 +[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.212115][ T9350] ===================================================== +[ 70.212734][ T9350] Disabling lock debugging due to kernel taint +[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... +[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5 +[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE +[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.215999][ T9350] Call Trace: +[ 70.216309][ T9350] +[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0 +[ 70.217025][ T9350] dump_stack+0x1e/0x30 +[ 70.217421][ T9350] panic+0x502/0xca0 +[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 + +[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ... + kernel +:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +set ... +[ 70.221254][ T9350] ? __msan_warning+0x96/0x120 +[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0 +[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0 +[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0 +[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950 +[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130 +[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060 +[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460 +[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0 +[ 70.228540][ T9350] ? 
vfs_write+0xb0f/0x14e0 +[ 70.228997][ T9350] ? ksys_write+0x23e/0x490 +[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0 +[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0 +[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0 +[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0 +[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10 +[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0 +[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40 +[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620 +[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.241175][ T9350] __msan_warning+0x96/0x120 +[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10 +[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.249856][ T9350] ? 
kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10 +[ 70.251530][ T9350] ksys_write+0x23e/0x490 +[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60 +[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9 +[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9 +[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004 +[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0 +[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250 +[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 70.261286][ T9350] +[ 70.262026][ T9350] Kernel Offset: disabled + +(gdb) l *__hfsplus_ext_cache_extent+0x7d0 +0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168). +163 fd->key->ext.cnid = 0; +164 res = hfs_brec_find(fd, hfs_find_rec_by_key); +165 if (res && res != -ENOENT) +166 return res; +167 if (fd->key->ext.cnid != fd->search_key->ext.cnid || +168 fd->key->ext.fork_type != fd->search_key->ext.fork_type) +169 return -ENOENT; +170 if (fd->entrylength != sizeof(hfsplus_extent_rec)) +171 return -EIO; +172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset, + +The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent(): + +res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino, + block, HFSPLUS_IS_RSRC(inode) ? 
+ HFSPLUS_TYPE_RSRC : + HFSPLUS_TYPE_DATA); + +And if inode->i_ino could be equal to zero or any non-available CNID, +then hfs_brec_find() could not find the record in the tree. As a result, +fd->key could be compared with fd->search_key. But hfsplus_find_init() +uses kmalloc() for fd->key and fd->search_key allocation: + +int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) +{ + + ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; + fd->key = ptr + tree->max_key_len + 2; + +} + +Finally, fd->key is still not initialized if hfs_brec_find() +has found nothing. + +This patch changes kmalloc() on kzalloc() in hfs_find_init() +and intializes fd->record, fd->keyoffset, fd->keylength, +fd->entryoffset, fd->entrylength for the case if hfs_brec_find() +has been found nothing in the b-tree node. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521 +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bfind.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c +index 901e83d65d202..26ebac4c60424 100644 +--- a/fs/hfsplus/bfind.c ++++ b/fs/hfsplus/bfind.c +@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) + + fd->tree = tree; + fd->bnode = NULL; +- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); ++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; +@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare) + __be32 data; + int height, res; + ++ fd->record = -1; ++ fd->keyoffset = -1; ++ fd->keylength = -1; ++ fd->entryoffset = -1; ++ fd->entrylength 
= -1; ++ + tree = fd->tree; + if (fd->bnode) + hfs_bnode_put(fd->bnode); +-- +2.51.0 + diff --git a/queue-6.1/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch b/queue-6.1/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch new file mode 100644 index 0000000000..8c2bc8a36d --- /dev/null +++ b/queue-6.1/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch 
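Review bot: `kzalloc()` zeroes `fd->key` only once, in hfs_find_init, while the failure the description traces is the comparison of `fd->key->ext` with `fd->search_key->ext` after a lookup found nothing; on a reused `fd`, a lookup that fails before __hfsplus_brec_find stores a key (unless that helper, not visible here, writes `fd->key` on every path) still exposes the previous search's key, so it is the `-1` sentinels and the later `fd->entrylength != sizeof(hfsplus_extent_rec)` check that actually produce -EIO. If the intent is that a failed lookup never exposes a stale key, reset it per call next to the new sentinels with `memset(fd->key, 0, fd->tree->max_key_len + 2);`, the key buffer being `max_key_len + 2` bytes per the allocation in hfs_find_init. Either way a one-line comment above the sentinels stating that these fields are invalid after an error would document the contract. hfs_brec_find continues outside the hunk.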
@@ -0,0 +1,198 @@ +From 52cde0a6aba81f4e8f26242bd2dbead23d86736e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 15:51:04 -0700 +Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() + +From: Viacheslav Dubeyko + +[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ] + +The syzbot reported issue in hfsplus_delete_cat(): + +[ 70.682285][ T9333] ===================================================== +[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0 +[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310 +[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810 +[ 70.685447][ T9333] do_rmdir+0x964/0xea0 +[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0 +[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0 +[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.687646][ T9333] +[ 70.687856][ T9333] Uninit was stored to memory at: +[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 +[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800 +[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600 +[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70 +[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0 +[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30 +[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0 +[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0 +[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.692773][ T9333] +[ 70.692990][ T9333] Uninit was stored to memory at: +[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 +[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800 +[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700 +[ 70.694911][ T9333] mount_bdev+0x37b/0x530 +[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60 +[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0 +[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0 +[ 
70.696588][ T9333] do_new_mount+0x73e/0x1630 +[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0 +[ 70.697425][ T9333] __se_sys_mount+0x733/0x830 +[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150 +[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0 +[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.699730][ T9333] +[ 70.699946][ T9333] Uninit was created at: +[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60 +[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0 +[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0 +[ 70.701774][ T9333] allocate_slab+0x30e/0x1390 +[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0 +[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20 +[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0 +[ 70.703598][ T9333] alloc_inode+0x82/0x490 +[ 70.703984][ T9333] iget_locked+0x22e/0x1320 +[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0 +[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0 +[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700 +[ 70.705776][ T9333] mount_bdev+0x37b/0x530 +[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60 +[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0 +[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0 +[ 70.707444][ T9333] do_new_mount+0x73e/0x1630 +[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0 +[ 70.708270][ T9333] __se_sys_mount+0x733/0x830 +[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150 +[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0 +[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.710611][ T9333] +[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17 +[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.712490][ T9333] ===================================================== +[ 70.713085][ T9333] Disabling lock debugging due to kernel taint +[ 70.713618][ T9333] Kernel panic - not 
syncing: kmsan.panic set ... +[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17 +[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE +[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.716311][ T9333] Call Trace: +[ 70.716621][ T9333] +[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0 +[ 70.717350][ T9333] dump_stack+0x1e/0x30 +[ 70.717743][ T9333] panic+0x502/0xca0 +[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.718611][ T9333] kmsan_report+0x296/0x2a0 +[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.719859][ T9333] ? __msan_warning+0x96/0x120 +[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0 +[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310 +[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810 +[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0 +[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0 +[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0 +[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0 +[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60 +[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50 +[ 70.726175][ T9333] ? vprintk+0xce/0xd0 +[ 70.726628][ T9333] ? _printk+0x17e/0x1b0 +[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.728324][ T9333] __msan_warning+0x96/0x120 +[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0 +[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310 +[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10 +[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810 +[ 70.733416][ T9333] ? 
kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.734044][ T9333] do_rmdir+0x964/0xea0 +[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0 +[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0 +[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60 +[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9 +[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054 +[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9 +[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100 +[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910 +[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260 +[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 70.745082][ T9333] + +The main reason of the issue that struct hfsplus_inode_info +has not been properly initialized for the case of root folder. +In the case of root folder, hfsplus_fill_super() calls +the hfsplus_iget() that implements only partial initialization of +struct hfsplus_inode_info and subfolders field is not +initialized by hfsplus_iget() logic. + +This patch implements complete initialization of +struct hfsplus_inode_info in the hfsplus_iget() logic with +the goal to prevent likewise issues for the case of +root folder. 
+ +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/super.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c +index 1986b4f18a901..8c086f16dd589 100644 +--- a/fs/hfsplus/super.c ++++ b/fs/hfsplus/super.c +@@ -67,13 +67,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino) + if (!(inode->i_state & I_NEW)) + return inode; + +- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list); +- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock); +- mutex_init(&HFSPLUS_I(inode)->extents_lock); +- HFSPLUS_I(inode)->flags = 0; ++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0); ++ HFSPLUS_I(inode)->first_blocks = 0; ++ HFSPLUS_I(inode)->clump_blocks = 0; ++ HFSPLUS_I(inode)->alloc_blocks = 0; ++ HFSPLUS_I(inode)->cached_start = U32_MAX; ++ HFSPLUS_I(inode)->cached_blocks = 0; ++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec)); ++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec)); + HFSPLUS_I(inode)->extent_state = 0; ++ mutex_init(&HFSPLUS_I(inode)->extents_lock); + HFSPLUS_I(inode)->rsrc_inode = NULL; +- atomic_set(&HFSPLUS_I(inode)->opencnt, 0); ++ HFSPLUS_I(inode)->create_date = 0; ++ HFSPLUS_I(inode)->linkid = 0; ++ HFSPLUS_I(inode)->flags = 0; ++ HFSPLUS_I(inode)->fs_blocks = 0; ++ HFSPLUS_I(inode)->userflags = 0; ++ HFSPLUS_I(inode)->subfolders = 0; ++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list); ++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock); ++ HFSPLUS_I(inode)->phys_size = 0; + + if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID || + inode->i_ino == HFSPLUS_ROOT_CNID) { +-- +2.51.0 + 
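Review bot: The field-by-field list in hfsplus_iget() is now the only thing standing between a freshly allocated hfsplus_inode_info and the KMSAN report quoted above (the trace shows the object coming straight from kmem_cache_alloc_lru_noprof in hfsplus_alloc_inode, i.e. not zeroed), yet nothing ties the list to the struct definition, so the next field added to struct hfsplus_inode_info will be missed the same way `subfolders` was. A comment above the block would make the contract explicit, e.g. `/* Set every field of struct hfsplus_inode_info here: the slab object is not zeroed and the rest of the filesystem assumes all of them are defined. */`. `HFSPLUS_I(inode)->cached_start = U32_MAX;` is the one non-zero initialiser and deserves a why-comment; it is presumably a "no extent cached" sentinel, which should be confirmed against the extents code. The body of hfsplus_iget() continues outside the inner hunk.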
diff --git a/queue-6.1/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch b/queue-6.1/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
new file mode 100644
index 0000000000..0b78b9af72
--- /dev/null
+++ b/queue-6.1/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
@@ -0,0 +1,39 @@
+From 34dd19057870efcc9baa15ca70150cde27cc7f2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+
+From: Yangtao Li
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li
+Reviewed-by: Viacheslav Dubeyko
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 8c086f16dd589..7e889820a63d0 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -538,7 +538,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+--
+2.51.0
+
diff --git a/queue-6.1/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch b/queue-6.1/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
new file mode 100644
index 0000000000..d2fa5682a4
--- /dev/null
+++ b/queue-6.1/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
@@ -0,0 +1,47 @@
+From 7c2c51cba980677c3e0ff43fd0a1d26a48d62a1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Aug 2025 14:06:05 +0800
+Subject: lkdtm: fortify: Fix potential NULL dereference on kmalloc failure
+
+From: Junjie Cao
+
+[ Upstream commit 01c7344e21c2140e72282d9d16d79a61f840fc20 ]
+
+Add missing NULL pointer checks after kmalloc() calls in
+lkdtm_FORTIFY_STR_MEMBER() and lkdtm_FORTIFY_MEM_MEMBER() functions.
+
+Signed-off-by: Junjie Cao
+Link: https://lore.kernel.org/r/20250814060605.5264-1-junjie.cao@intel.com
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/lkdtm/fortify.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/misc/lkdtm/fortify.c b/drivers/misc/lkdtm/fortify.c
+index 0159276656780..00ed2147113e6 100644
+--- a/drivers/misc/lkdtm/fortify.c
++++ b/drivers/misc/lkdtm/fortify.c
+@@ -44,6 +44,9 @@ static void lkdtm_FORTIFY_STR_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
+@@ -109,6 +112,9 @@ static void lkdtm_FORTIFY_MEM_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
+--
+2.51.0
+
diff --git a/queue-6.1/m68k-bitops-fix-find_-_bit-signatures.patch b/queue-6.1/m68k-bitops-fix-find_-_bit-signatures.patch
new file mode 100644
index 0000000000..3cb0560407
--- /dev/null
+++ b/queue-6.1/m68k-bitops-fix-find_-_bit-signatures.patch
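Review bot: The two new `if (!src) return;` guards in lkdtm_FORTIFY_STR_MEMBER() and lkdtm_FORTIFY_MEM_MEMBER() leave no trace in the log when the allocation fails, so a harness reading dmesg cannot tell "the test did not run" from "the fortify check did not fire", and in lkdtm the absence of a report is normally read as the latter. Consider `pr_warn("FAIL: kmalloc() failed\n");` ahead of each return, in keeping with how lkdtm reports other unexpected outcomes. Both function bodies continue outside their inner hunks.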
@@ -0,0 +1,90 @@ +From f49e097b18d19fc41f967dca455650662c204e6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 17:16:13 +0200 +Subject: m68k: bitops: Fix find_*_bit() signatures + +From: Geert Uytterhoeven + +[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ] + +The function signatures of the m68k-optimized implementations of the +find_{first,next}_{,zero_}bit() helpers do not match the generic +variants. + +Fix this by changing all non-pointer inputs and outputs to "unsigned +long", and updating a few local variables. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/ +Signed-off-by: Geert Uytterhoeven +Acked-by: "Yury Norov (NVIDIA)" +Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org +Signed-off-by: Sasha Levin +--- + arch/m68k/include/asm/bitops.h | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h +index e984af71df6be..d86aa744cb8fc 100644 +--- a/arch/m68k/include/asm/bitops.h ++++ b/arch/m68k/include/asm/bitops.h +@@ -329,12 +329,12 @@ arch___test_and_change_bit(unsigned long nr, volatile unsigned long *addr) + #include + #else + +-static inline int find_first_zero_bit(const unsigned long *vaddr, +- unsigned size) ++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr, ++ unsigned long size) + { + const unsigned long *p = vaddr; +- int res = 32; +- unsigned int words; ++ unsigned long res = 32; ++ unsigned long words; + unsigned long num; + + if (!size) +@@ -355,8 +355,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr, + } + #define find_first_zero_bit find_first_zero_bit + +-static inline int find_next_zero_bit(const unsigned long *vaddr, int size, +- int offset) ++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr, ++ unsigned long 
size, ++ unsigned long offset) + { + const unsigned long *p = vaddr + (offset >> 5); + int bit = offset & 31UL, res; +@@ -385,11 +386,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size, + } + #define find_next_zero_bit find_next_zero_bit + +-static inline int find_first_bit(const unsigned long *vaddr, unsigned size) ++static inline unsigned long find_first_bit(const unsigned long *vaddr, ++ unsigned long size) + { + const unsigned long *p = vaddr; +- int res = 32; +- unsigned int words; ++ unsigned long res = 32; ++ unsigned long words; + unsigned long num; + + if (!size) +@@ -410,8 +412,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size) + } + #define find_first_bit find_first_bit + +-static inline int find_next_bit(const unsigned long *vaddr, int size, +- int offset) ++static inline unsigned long find_next_bit(const unsigned long *vaddr, ++ unsigned long size, ++ unsigned long offset) + { + const unsigned long *p = vaddr + (offset >> 5); + int bit = offset & 31UL, res; +-- +2.51.0 + diff --git a/queue-6.1/nios2-ensure-that-memblock.current_limit-is-set-when.patch b/queue-6.1/nios2-ensure-that-memblock.current_limit-is-set-when.patch new file mode 100644 index 0000000000..cb8918330b --- /dev/null +++ b/queue-6.1/nios2-ensure-that-memblock.current_limit-is-set-when.patch 
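Review bot: The two find_next_*() variants keep `int bit = offset & 31UL, res;` while their return type is now unsigned long, whereas find_first_zero_bit() and find_first_bit() switched `res` to unsigned long in the same patch, so the four helpers are no longer written alike and `res` is returned through an implicit int-to-unsigned-long conversion. On m68k int and long are both 32-bit, so this is presumably harmless today, but changing that line to `unsigned long bit = offset & 31UL, res;` in both find_next_zero_bit() and find_next_bit() would make the rewrite uniform, provided the remainder of each body does not rely on `res` going negative (that part is outside the hunk). Both function bodies continue outside the quoted hunks.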
@@ -0,0 +1,74 @@ +From b386cf61d294a4a9e9fcb4a136191aa97e336e06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:37:07 +0200 +Subject: nios2: ensure that memblock.current_limit is set when setting pfn + limits + +From: Simon Schuster + +[ Upstream commit a20b83cf45be2057f3d073506779e52c7fa17f94 ] + +On nios2, with CONFIG_FLATMEM set, the kernel relies on +memblock_get_current_limit() to determine the limits of mem_map, in +particular for max_low_pfn. +Unfortunately, memblock.current_limit is only default initialized to +MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading +to situations where max_low_pfn can erroneously exceed the value of +max_pfn and, thus, the valid range of available DRAM. + +This can in turn cause kernel-level paging failures, e.g.: + +[ 76.900000] Unable to handle kernel paging request at virtual address 20303000 +[ 76.900000] ea = c0080890, ra = c000462c, cause = 14 +[ 76.900000] Kernel panic - not syncing: Oops +[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]--- + +This patch fixes this by pre-calculating memblock.current_limit +based on the upper limits of the available memory ranges via +adjust_lowmem_bounds, a simplified version of the equivalent +implementation within the arm architecture. 
+ +Signed-off-by: Simon Schuster +Signed-off-by: Andreas Oetken +Signed-off-by: Dinh Nguyen +Signed-off-by: Sasha Levin +--- + arch/nios2/kernel/setup.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/arch/nios2/kernel/setup.c b/arch/nios2/kernel/setup.c +index 40bc8fb75e0b5..e2fc4b59d93ea 100644 +--- a/arch/nios2/kernel/setup.c ++++ b/arch/nios2/kernel/setup.c +@@ -147,6 +147,20 @@ static void __init find_limits(unsigned long *min, unsigned long *max_low, + *max_high = PFN_DOWN(memblock_end_of_DRAM()); + } + ++static void __init adjust_lowmem_bounds(void) ++{ ++ phys_addr_t block_start, block_end; ++ u64 i; ++ phys_addr_t memblock_limit = 0; ++ ++ for_each_mem_range(i, &block_start, &block_end) { ++ if (block_end > memblock_limit) ++ memblock_limit = block_end; ++ } ++ ++ memblock_set_current_limit(memblock_limit); ++} ++ + void __init setup_arch(char **cmdline_p) + { + console_verbose(); +@@ -160,6 +174,7 @@ void __init setup_arch(char **cmdline_p) + /* Keep a copy of command line */ + *cmdline_p = boot_command_line; + ++ adjust_lowmem_bounds(); + find_limits(&min_low_pfn, &max_low_pfn, &max_pfn); + max_mapnr = max_low_pfn; + +-- +2.51.0 + diff --git a/queue-6.1/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch b/queue-6.1/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch new file mode 100644 index 0000000000..0ab57d7b09 --- /dev/null +++ b/queue-6.1/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch 
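Review bot: adjust_lowmem_bounds() carries no comment saying why it must run before find_limits(), and the name, borrowed from arm, promises more than it does: it only raises the memblock limit to the highest block_end it sees. A header comment would keep the commit-message reasoning at the point of use, e.g. `/* find_limits() reads memblock_get_current_limit(), which is still MEMBLOCK_ALLOC_ANYWHERE this early; clamp it to the end of the highest memory range so max_low_pfn cannot exceed max_pfn. */`. If for_each_mem_range() yields nothing the limit is set to 0, which is presumably unreachable but worth a word in the same comment.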
@@ -0,0 +1,107 @@ +From 693f886a7ef196bbb685e32f3622453163301ec8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Sep 2025 12:03:49 +0200 +Subject: powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure + +From: Christophe Leroy + +[ Upstream commit 9316512b717f6f25c4649b3fdb0a905b6a318e9f ] + +PAGE_KERNEL_TEXT is an old macro that is used to tell kernel whether +kernel text has to be mapped read-only or read-write based on build +time options. + +But nowadays, with functionnalities like jump_labels, static links, +etc ... more only less all kernels need to be read-write at some +point, and some combinations of configs failed to work due to +innacurate setting of PAGE_KERNEL_TEXT. On the other hand, today +we have CONFIG_STRICT_KERNEL_RWX which implements a more controlled +access to kernel modifications. + +Instead of trying to keep PAGE_KERNEL_TEXT accurate with all +possible options that may imply kernel text modification, always +set kernel text read-write at startup and rely on +CONFIG_STRICT_KERNEL_RWX to provide accurate protection. + +Do this by passing PAGE_KERNEL_X to map_kernel_page() in +__maping_ram_chunk() instead of passing PAGE_KERNEL_TEXT. Once +this is done, the only remaining user of PAGE_KERNEL_TEXT is +mmu_mark_initmem_nx() which uses it in a call to setibat(). +As setibat() ignores the RW/RO, we can seamlessly replace +PAGE_KERNEL_TEXT by PAGE_KERNEL_X here as well and get rid of +PAGE_KERNEL_TEXT completely. 
+ +Reported-by: Erhard Furtner +Closes: https://lore.kernel.org/all/342b4120-911c-4723-82ec-d8c9b03a8aef@mailbox.org/ +Signed-off-by: Christophe Leroy +Tested-by: Andrew Donnellan +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/8e2d793abf87ae3efb8f6dce10f974ac0eda61b8.1757412205.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/pgtable.h | 12 ------------ + arch/powerpc/mm/book3s32/mmu.c | 4 ++-- + arch/powerpc/mm/pgtable_32.c | 2 +- + 3 files changed, 3 insertions(+), 15 deletions(-) + +diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h +index 9972626ddaf68..eda12ceacb55a 100644 +--- a/arch/powerpc/include/asm/pgtable.h ++++ b/arch/powerpc/include/asm/pgtable.h +@@ -20,18 +20,6 @@ struct mm_struct; + #include + #endif /* !CONFIG_PPC_BOOK3S */ + +-/* +- * Protection used for kernel text. We want the debuggers to be able to +- * set breakpoints anywhere, so don't write protect the kernel text +- * on platforms where such control is possible. +- */ +-#if defined(CONFIG_KGDB) || defined(CONFIG_XMON) || defined(CONFIG_BDI_SWITCH) || \ +- defined(CONFIG_KPROBES) || defined(CONFIG_DYNAMIC_FTRACE) +-#define PAGE_KERNEL_TEXT PAGE_KERNEL_X +-#else +-#define PAGE_KERNEL_TEXT PAGE_KERNEL_ROX +-#endif +- + /* Make modules code happy. 
We don't set RO yet */ + #define PAGE_KERNEL_EXEC PAGE_KERNEL_X + +diff --git a/arch/powerpc/mm/book3s32/mmu.c b/arch/powerpc/mm/book3s32/mmu.c +index 850783cfa9c73..1b1848761a000 100644 +--- a/arch/powerpc/mm/book3s32/mmu.c ++++ b/arch/powerpc/mm/book3s32/mmu.c +@@ -204,7 +204,7 @@ void mmu_mark_initmem_nx(void) + + for (i = 0; i < nb - 1 && base < top;) { + size = bat_block_size(base, top); +- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT); ++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X); + base += size; + } + if (base < top) { +@@ -215,7 +215,7 @@ void mmu_mark_initmem_nx(void) + pr_warn("Some RW data is getting mapped X. " + "Adjust CONFIG_DATA_SHIFT to avoid that.\n"); + } +- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT); ++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X); + base += size; + } + for (; i < nb; i++) +diff --git a/arch/powerpc/mm/pgtable_32.c b/arch/powerpc/mm/pgtable_32.c +index 5c02fd08d61ef..69fac96c2dcd1 100644 +--- a/arch/powerpc/mm/pgtable_32.c ++++ b/arch/powerpc/mm/pgtable_32.c +@@ -109,7 +109,7 @@ static void __init __mapin_ram_chunk(unsigned long offset, unsigned long top) + p = memstart_addr + s; + for (; s < top; s += PAGE_SIZE) { + ktext = core_kernel_text(v); +- map_kernel_page(v, p, ktext ? PAGE_KERNEL_TEXT : PAGE_KERNEL); ++ map_kernel_page(v, p, ktext ? PAGE_KERNEL_X : PAGE_KERNEL); + v += PAGE_SIZE; + p += PAGE_SIZE; + } +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 3a8ac0b3f2..047d550d4e 100644 --- a/queue-6.1/series +++ b/queue-6.1/series 
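Review bot: After this change __mapin_ram_chunk() maps kernel text with PAGE_KERNEL_X, i.e. writable as well as executable, and the comment that used to explain the mapping choice is deleted from pgtable.h, so the code no longer says that this is deliberate. A short comment at the map_kernel_page() call, e.g. `/* Text is intentionally mapped RWX at startup; CONFIG_STRICT_KERNEL_RWX tightens it to RO/X later. */`, would keep the trade-off visible to anyone auditing 32-bit memory protections, and the same note fits the two setibat() calls in mmu_mark_initmem_nx(). Kernels built without STRICT_KERNEL_RWX and without the debug options listed in the removed `#if` now keep text writable where it used to be read-only, which the comment should state as well. Both function bodies continue outside the quoted hunks.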
@@ -64,3 +64,17 @@ hid-hid-input-only-ignore-0-battery-events-for-digit.patch hid-multitouch-fix-name-of-stylus-input-devices.patch hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_strcasecmp.patch pci-sysfs-ensure-devices-are-powered-for-config-reads-part-2.patch +exec-fix-incorrect-type-for-ret.patch +nios2-ensure-that-memblock.current_limit-is-set-when.patch +hfs-clear-offset-and-space-out-of-valid-records-in-b.patch +hfs-make-proper-initalization-of-struct-hfs_find_dat.patch +hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch +hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch +hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch +dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch +hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch +hfsplus-return-eio-when-type-of-hidden-directory-mis.patch +lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch +m68k-bitops-fix-find_-_bit-signatures.patch +powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch +smb-server-let-smb_direct_flush_send_list-invalidate.patch diff --git a/queue-6.1/smb-server-let-smb_direct_flush_send_list-invalidate.patch b/queue-6.1/smb-server-let-smb_direct_flush_send_list-invalidate.patch new file mode 100644 index 0000000000..462f4c88d0 --- /dev/null +++ b/queue-6.1/smb-server-let-smb_direct_flush_send_list-invalidate.patch 
@@ -0,0 +1,52 @@ +From 4550a62dea60fe761785cf76cb7919b9be41276d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Sep 2025 22:22:35 +0200 +Subject: smb: server: let smb_direct_flush_send_list() invalidate a remote key + first + +From: Stefan Metzmacher + +[ Upstream commit 1b53426334c3c942db47e0959a2527a4f815af50 ] + +If we want to invalidate a remote key we should do that as soon as +possible, so do it in the first send work request. + +Acked-by: Namjae Jeon +Cc: Steve French +Cc: Tom Talpey +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/transport_rdma.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c +index af1c41f922bb3..81da8a5c1e0db 100644 +--- a/fs/smb/server/transport_rdma.c ++++ b/fs/smb/server/transport_rdma.c +@@ -933,12 +933,15 @@ static int smb_direct_flush_send_list(struct smb_direct_transport *t, + struct smb_direct_sendmsg, + list); + ++ if (send_ctx->need_invalidate_rkey) { ++ first->wr.opcode = IB_WR_SEND_WITH_INV; ++ first->wr.ex.invalidate_rkey = send_ctx->remote_key; ++ send_ctx->need_invalidate_rkey = false; ++ send_ctx->remote_key = 0; ++ } ++ + last->wr.send_flags = IB_SEND_SIGNALED; + last->wr.wr_cqe = &last->cqe; +- if (is_last && send_ctx->need_invalidate_rkey) { +- last->wr.opcode = IB_WR_SEND_WITH_INV; +- last->wr.ex.invalidate_rkey = send_ctx->remote_key; +- } + + ret = smb_direct_post_send(t, &first->wr); + if (!ret) { +-- +2.51.0 + diff --git a/queue-6.12/arm64-sysreg-correct-sign-definitions-for-eiesb-and-.patch b/queue-6.12/arm64-sysreg-correct-sign-definitions-for-eiesb-and-.patch new file mode 100644 index 0000000000..bc5751d2d2 --- /dev/null +++ b/queue-6.12/arm64-sysreg-correct-sign-definitions-for-eiesb-and-.patch 
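Review bot: The new block clears `send_ctx->need_invalidate_rkey` and zeroes `send_ctx->remote_key` before smb_direct_post_send() runs, so if the post fails the request to invalidate the peer's key is gone and nothing later can retry it; whether that matters depends on how callers treat a failed post, which is outside the hunk. A comment on the block would help the next reader, e.g. `/* Carry the invalidation on the first WR so the remote key is revoked as early as possible; clear the request so a later flush does not invalidate it again. */`, with the second half being my inference to confirm. `is_last` no longer appears in the visible part of smb_direct_flush_send_list(); if it has no other use the parameter is now dead. The function continues outside the hunk.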
@@ -0,0 +1,53 @@ +From 4d79ad7da8c6cd79b200e58bdcef5364e5698e44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 10:51:42 +0100 +Subject: arm64: sysreg: Correct sign definitions for EIESB and DoubleLock + +From: Fuad Tabba + +[ Upstream commit f4d4ebc84995178273740f3e601e97fdefc561d2 ] + +The `ID_AA64MMFR4_EL1.EIESB` field, is an unsigned enumeration, but was +incorrectly defined as a `SignedEnum` when introduced in commit +cfc680bb04c5 ("arm64: sysreg: Add layout for ID_AA64MMFR4_EL1"). This is +corrected to `UnsignedEnum`. + +Conversely, the `ID_AA64DFR0_EL1.DoubleLock` field, is a signed +enumeration, but was incorrectly defined as an `UnsignedEnum`. This is +corrected to `SignedEnum`, which wasn't correctly set when annotated as +such in commit ad16d4cf0b4f ("arm64/sysreg: Initial unsigned annotations +for ID registers"). + +Signed-off-by: Fuad Tabba +Acked-by: Mark Rutland +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/tools/sysreg | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/tools/sysreg b/arch/arm64/tools/sysreg +index 362bcfa0aed18..5127d3d3b8677 100644 +--- a/arch/arm64/tools/sysreg ++++ b/arch/arm64/tools/sysreg +@@ -1213,7 +1213,7 @@ UnsignedEnum 43:40 TraceFilt + 0b0000 NI + 0b0001 IMP + EndEnum +-UnsignedEnum 39:36 DoubleLock ++SignedEnum 39:36 DoubleLock + 0b0000 IMP + 0b1111 NI + EndEnum +@@ -1861,7 +1861,7 @@ UnsignedEnum 11:8 ASID2 + 0b0000 NI + 0b0001 IMP + EndEnum +-SignedEnum 7:4 EIESB ++UnsignedEnum 7:4 EIESB + 0b0000 NI + 0b0001 ToEL3 + 0b0010 ToELx +-- +2.51.0 + diff --git a/queue-6.12/binfmt_elf-preserve-original-elf-e_flags-for-core-du.patch b/queue-6.12/binfmt_elf-preserve-original-elf-e_flags-for-core-du.patch new file mode 100644 index 0000000000..915a2d75c6 --- /dev/null +++ b/queue-6.12/binfmt_elf-preserve-original-elf-e_flags-for-core-du.patch 
@@ -0,0 +1,162 @@ +From eba4f3edaa473a20133488c4893cc6c81e546655 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 20:53:50 +0700 +Subject: binfmt_elf: preserve original ELF e_flags for core dumps + +From: Svetlana Parfenova + +[ Upstream commit 8c94db0ae97c72c253a615f990bd466b456e94f6 ] + +Some architectures, such as RISC-V, use the ELF e_flags field to encode +ABI-specific information (e.g., ISA extensions, fpu support). Debuggers +like GDB rely on these flags in core dumps to correctly interpret +optional register sets. If the flags are missing or incorrect, GDB may +warn and ignore valid data, for example: + + warning: Unexpected size of section '.reg2/213' in core file. + +This can prevent access to fpu or other architecture-specific registers +even when they were dumped. + +Save the e_flags field during ELF binary loading (in load_elf_binary()) +into the mm_struct, and later retrieve it during core dump generation +(in fill_note_info()). Kconfig option CONFIG_ARCH_HAS_ELF_CORE_EFLAGS +is introduced for architectures that require this behaviour. 
+ +Signed-off-by: Svetlana Parfenova +Link: https://lore.kernel.org/r/20250901135350.619485-1-svetlana.parfenova@syntacore.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/riscv/Kconfig | 1 + + fs/Kconfig.binfmt | 9 +++++++++ + fs/binfmt_elf.c | 40 ++++++++++++++++++++++++++++++++++------ + include/linux/mm_types.h | 5 +++++ + 4 files changed, 49 insertions(+), 6 deletions(-) + +diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig +index d160c3b830266..ab6d0321d8e61 100644 +--- a/arch/riscv/Kconfig ++++ b/arch/riscv/Kconfig +@@ -28,6 +28,7 @@ config RISCV + select ARCH_HAS_DEBUG_VIRTUAL if MMU + select ARCH_HAS_DEBUG_VM_PGTABLE + select ARCH_HAS_DEBUG_WX ++ select ARCH_HAS_ELF_CORE_EFLAGS + select ARCH_HAS_FAST_MULTIPLIER + select ARCH_HAS_FORTIFY_SOURCE + select ARCH_HAS_GCOV_PROFILE_ALL +diff --git a/fs/Kconfig.binfmt b/fs/Kconfig.binfmt +index bd2f530e57408..1949e25c7741b 100644 +--- a/fs/Kconfig.binfmt ++++ b/fs/Kconfig.binfmt +@@ -184,4 +184,13 @@ config EXEC_KUNIT_TEST + This builds the exec KUnit tests, which tests boundary conditions + of various aspects of the exec internals. + ++config ARCH_HAS_ELF_CORE_EFLAGS ++ bool ++ depends on BINFMT_ELF && ELF_CORE ++ default n ++ help ++ Select this option if the architecture makes use of the e_flags ++ field in the ELF header to store ABI or other architecture-specific ++ information that should be preserved in core dumps. 
++ + endmenu +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 47335a0f4a618..b37f2a3d58de2 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -110,6 +110,21 @@ static struct linux_binfmt elf_format = { + + #define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE)) + ++static inline void elf_coredump_set_mm_eflags(struct mm_struct *mm, u32 flags) ++{ ++#ifdef CONFIG_ARCH_HAS_ELF_CORE_EFLAGS ++ mm->saved_e_flags = flags; ++#endif ++} ++ ++static inline u32 elf_coredump_get_mm_eflags(struct mm_struct *mm, u32 flags) ++{ ++#ifdef CONFIG_ARCH_HAS_ELF_CORE_EFLAGS ++ flags = mm->saved_e_flags; ++#endif ++ return flags; ++} ++ + /* + * We need to explicitly zero any trailing portion of the page that follows + * p_filesz when it ends before the page ends (e.g. bss), otherwise this +@@ -1292,6 +1307,8 @@ static int load_elf_binary(struct linux_binprm *bprm) + mm->end_data = end_data; + mm->start_stack = bprm->p; + ++ elf_coredump_set_mm_eflags(mm, elf_ex->e_flags); ++ + /** + * DOC: "brk" handling + * +@@ -1865,6 +1882,8 @@ static int fill_note_info(struct elfhdr *elf, int phdrs, + struct elf_thread_core_info *t; + struct elf_prpsinfo *psinfo; + struct core_thread *ct; ++ u16 machine; ++ u32 flags; + + psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL); + if (!psinfo) +@@ -1892,17 +1911,26 @@ static int fill_note_info(struct elfhdr *elf, int phdrs, + return 0; + } + +- /* +- * Initialize the ELF file header. +- */ +- fill_elf_header(elf, phdrs, +- view->e_machine, view->e_flags); ++ machine = view->e_machine; ++ flags = view->e_flags; + #else + view = NULL; + info->thread_notes = 2; +- fill_elf_header(elf, phdrs, ELF_ARCH, ELF_CORE_EFLAGS); ++ machine = ELF_ARCH; ++ flags = ELF_CORE_EFLAGS; + #endif + ++ /* ++ * Override ELF e_flags with value taken from process, ++ * if arch needs that. ++ */ ++ flags = elf_coredump_get_mm_eflags(dump_task->mm, flags); ++ ++ /* ++ * Initialize the ELF file header. 
++ */ ++ fill_elf_header(elf, phdrs, machine, flags); ++ + /* + * Allocate a structure for each thread. + */ +diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h +index 6894de506b364..d0a075f3fc2d4 100644 +--- a/include/linux/mm_types.h ++++ b/include/linux/mm_types.h +@@ -955,6 +955,11 @@ struct mm_struct { + + unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */ + ++#ifdef CONFIG_ARCH_HAS_ELF_CORE_EFLAGS ++ /* the ABI-related flags from the ELF header. Used for core dump */ ++ unsigned long saved_e_flags; ++#endif ++ + struct percpu_counter rss_stat[NR_MM_COUNTERS]; + + struct linux_binfmt *binfmt; +-- +2.51.0 + diff --git a/queue-6.12/bpf-replace-bpf_map_kmalloc_node-with-kmalloc_nolock.patch b/queue-6.12/bpf-replace-bpf_map_kmalloc_node-with-kmalloc_nolock.patch new file mode 100644 index 0000000000..e8d0eac5f8 --- /dev/null +++ b/queue-6.12/bpf-replace-bpf_map_kmalloc_node-with-kmalloc_nolock.patch 
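Review bot: `saved_e_flags` is declared `unsigned long` in mm_types.h while both accessors take and return `u32` and the source `elf_ex->e_flags` is a 32-bit ELF word, so the field is wider than anything stored in or read from it; `u32 saved_e_flags;` would make the three agree. The value is copied unmodified from the header of the binary being executed, i.e. attacker-chosen input that ends up in the core-file header; in this patch it is only replayed for the debugger, and a comment at the elf_coredump_set_mm_eflags() call, e.g. `/* e_flags comes straight from the untrusted binary; it is only echoed into the core dump header. */`, would record that it is not used for any kernel decision. In fs/Kconfig.binfmt the `default n` line is redundant for a bool and is usually left out. elf_coredump_get_mm_eflags() is called with `dump_task->mm` unchecked; presumably a task being dumped always has an mm here, but that should be confirmed. load_elf_binary() and fill_note_info() continue outside the hunks.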
@@ -0,0 +1,190 @@ +From c17f4964f2c8763bb712c615ef59e50d4e15d2b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 17:07:00 -0700 +Subject: bpf: Replace bpf_map_kmalloc_node() with kmalloc_nolock() to allocate + bpf_async_cb structures. + +From: Alexei Starovoitov + +[ Upstream commit 5fb750e8a9ae123b2034771b864b8a21dbef65cd ] + +The following kmemleak splat: + +[ 8.105530] kmemleak: Trying to color unknown object at 0xff11000100e918c0 as Black +[ 8.106521] Call Trace: +[ 8.106521] +[ 8.106521] dump_stack_lvl+0x4b/0x70 +[ 8.106521] kvfree_call_rcu+0xcb/0x3b0 +[ 8.106521] ? hrtimer_cancel+0x21/0x40 +[ 8.106521] bpf_obj_free_fields+0x193/0x200 +[ 8.106521] htab_map_update_elem+0x29c/0x410 +[ 8.106521] bpf_prog_cfc8cd0f42c04044_overwrite_cb+0x47/0x4b +[ 8.106521] bpf_prog_8c30cd7c4db2e963_overwrite_timer+0x65/0x86 +[ 8.106521] bpf_prog_test_run_syscall+0xe1/0x2a0 + +happens due to the combination of features and fixes, but mainly due to +commit 6d78b4473cdb ("bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()") +It's using __GFP_HIGH, which instructs slub/kmemleak internals to skip +kmemleak_alloc_recursive() on allocation, so subsequent kfree_rcu()-> +kvfree_call_rcu()->kmemleak_ignore() complains with the above splat. + +To fix this imbalance, replace bpf_map_kmalloc_node() with +kmalloc_nolock() and kfree_rcu() with call_rcu() + kfree_nolock() to +make sure that the objects allocated with kmalloc_nolock() are freed +with kfree_nolock() rather than the implicit kfree() that kfree_rcu() +uses internally. + +Note, the kmalloc_nolock() happens under bpf_spin_lock_irqsave(), so +it will always fail in PREEMPT_RT. This is not an issue at the moment, +since bpf_timers are disabled in PREEMPT_RT. In the future +bpf_spin_lock will be replaced with state machine similar to +bpf_task_work. 
+ +Fixes: 6d78b4473cdb ("bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()") +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Reviewed-by: Shakeel Butt +Acked-by: Harry Yoo +Acked-by: Vlastimil Babka +Cc: linux-mm@kvack.org +Link: https://lore.kernel.org/bpf/20251015000700.28988-1-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + include/linux/bpf.h | 4 ++++ + kernel/bpf/helpers.c | 25 ++++++++++++++----------- + kernel/bpf/syscall.c | 15 +++++++++++++++ + 3 files changed, 33 insertions(+), 11 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index e8d9803cc6756..c7c23b8e5657e 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -2321,6 +2321,8 @@ int bpf_map_alloc_pages(const struct bpf_map *map, gfp_t gfp, int nid, + #ifdef CONFIG_MEMCG + void *bpf_map_kmalloc_node(const struct bpf_map *map, size_t size, gfp_t flags, + int node); ++void *bpf_map_kmalloc_nolock(const struct bpf_map *map, size_t size, gfp_t flags, ++ int node); + void *bpf_map_kzalloc(const struct bpf_map *map, size_t size, gfp_t flags); + void *bpf_map_kvcalloc(struct bpf_map *map, size_t n, size_t size, + gfp_t flags); +@@ -2333,6 +2335,8 @@ void __percpu *bpf_map_alloc_percpu(const struct bpf_map *map, size_t size, + */ + #define bpf_map_kmalloc_node(_map, _size, _flags, _node) \ + kmalloc_node(_size, _flags, _node) ++#define bpf_map_kmalloc_nolock(_map, _size, _flags, _node) \ ++ kmalloc_nolock(_size, _flags, _node) + #define bpf_map_kzalloc(_map, _size, _flags) \ + kzalloc(_size, _flags) + #define bpf_map_kvcalloc(_map, _n, _size, _flags) \ +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index a0bf39b7359aa..5c97dbc6c30d5 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -1221,13 +1221,20 @@ static void bpf_wq_work(struct work_struct *work) + rcu_read_unlock_trace(); + } + ++static void bpf_async_cb_rcu_free(struct rcu_head *rcu) ++{ ++ struct bpf_async_cb *cb = container_of(rcu, 
struct bpf_async_cb, rcu); ++ ++ kfree_nolock(cb); ++} ++ + static void bpf_wq_delete_work(struct work_struct *work) + { + struct bpf_work *w = container_of(work, struct bpf_work, delete_work); + + cancel_work_sync(&w->work); + +- kfree_rcu(w, cb.rcu); ++ call_rcu(&w->cb.rcu, bpf_async_cb_rcu_free); + } + + static void bpf_timer_delete_work(struct work_struct *work) +@@ -1236,13 +1243,13 @@ static void bpf_timer_delete_work(struct work_struct *work) + + /* Cancel the timer and wait for callback to complete if it was running. + * If hrtimer_cancel() can be safely called it's safe to call +- * kfree_rcu(t) right after for both preallocated and non-preallocated ++ * call_rcu() right after for both preallocated and non-preallocated + * maps. The async->cb = NULL was already done and no code path can see + * address 't' anymore. Timer if armed for existing bpf_hrtimer before + * bpf_timer_cancel_and_free will have been cancelled. + */ + hrtimer_cancel(&t->timer); +- kfree_rcu(t, cb.rcu); ++ call_rcu(&t->cb.rcu, bpf_async_cb_rcu_free); + } + + static int __bpf_async_init(struct bpf_async_kern *async, struct bpf_map *map, u64 flags, +@@ -1276,11 +1283,7 @@ static int __bpf_async_init(struct bpf_async_kern *async, struct bpf_map *map, u + goto out; + } + +- /* Allocate via bpf_map_kmalloc_node() for memcg accounting. Until +- * kmalloc_nolock() is available, avoid locking issues by using +- * __GFP_HIGH (GFP_ATOMIC & ~__GFP_RECLAIM). +- */ +- cb = bpf_map_kmalloc_node(map, size, __GFP_HIGH, map->numa_node); ++ cb = bpf_map_kmalloc_nolock(map, size, 0, map->numa_node); + if (!cb) { + ret = -ENOMEM; + goto out; +@@ -1322,7 +1325,7 @@ static int __bpf_async_init(struct bpf_async_kern *async, struct bpf_map *map, u + * or pinned in bpffs. 
+ */ + WRITE_ONCE(async->cb, NULL); +- kfree(cb); ++ kfree_nolock(cb); + ret = -EPERM; + } + out: +@@ -1587,7 +1590,7 @@ void bpf_timer_cancel_and_free(void *val) + * timer _before_ calling us, such that failing to cancel it here will + * cause it to possibly use struct hrtimer after freeing bpf_hrtimer. + * Therefore, we _need_ to cancel any outstanding timers before we do +- * kfree_rcu, even though no more timers can be armed. ++ * call_rcu, even though no more timers can be armed. + * + * Moreover, we need to schedule work even if timer does not belong to + * the calling callback_fn, as on two different CPUs, we can end up in a +@@ -1614,7 +1617,7 @@ void bpf_timer_cancel_and_free(void *val) + * completion. + */ + if (hrtimer_try_to_cancel(&t->timer) >= 0) +- kfree_rcu(t, cb.rcu); ++ call_rcu(&t->cb.rcu, bpf_async_cb_rcu_free); + else + queue_work(system_unbound_wq, &t->cb.delete_work); + } else { +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index ba4543e771a6e..af6e6a7e71572 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -428,6 +428,21 @@ void *bpf_map_kmalloc_node(const struct bpf_map *map, size_t size, gfp_t flags, + return ptr; + } + ++void *bpf_map_kmalloc_nolock(const struct bpf_map *map, size_t size, gfp_t flags, ++ int node) ++{ ++ struct mem_cgroup *memcg, *old_memcg; ++ void *ptr; ++ ++ memcg = bpf_map_get_memcg(map); ++ old_memcg = set_active_memcg(memcg); ++ ptr = kmalloc_nolock(size, flags | __GFP_ACCOUNT, node); ++ set_active_memcg(old_memcg); ++ mem_cgroup_put(memcg); ++ ++ return ptr; ++} ++ + void *bpf_map_kzalloc(const struct bpf_map *map, size_t size, gfp_t flags) + { + struct mem_cgroup *memcg, *old_memcg; +-- +2.51.0 + diff --git a/queue-6.12/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch b/queue-6.12/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch new file mode 100644 index 0000000000..97fd079cf9 --- /dev/null 
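Review bot: The comment that explained the allocation choice in `__bpf_async_init` is deleted and not replaced, so the new `cb = bpf_map_kmalloc_nolock(map, size, 0, map->numa_node);` carries no hint that pairing with `kfree_nolock()` (directly on the `-EPERM` path, via `bpf_async_cb_rcu_free()` everywhere else) is mandatory, and a later `kfree()`/`kfree_rcu()` would reintroduce exactly the kmemleak imbalance the commit message describes. I would keep a short comment above the call, e.g. `/* Allocated with kmalloc_nolock() under the async lock: every free path must use kfree_nolock(), see bpf_async_cb_rcu_free(). */`. As a stable backport into queue-6.12 this also presumes `kmalloc_nolock()`/`kfree_nolock()` exist in that tree, so the prerequisite should be confirmed as queued. `__bpf_async_init` and `bpf_timer_cancel_and_free` start outside their hunks.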
+++ b/queue-6.12/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
@@ -0,0 +1,34 @@
+From b9b1ab6dc0b7b4b071fe00bef98bd7141d93f445 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Jul 2025 11:21:52 -0400
+Subject: dlm: check for defined force value in dlm_lockspace_release
+
+From: Alexander Aring
+
+[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]
+
+Force values over 3 are undefined, so don't treat them as 3.
+
+Signed-off-by: Alexander Aring
+Signed-off-by: David Teigland
+Signed-off-by: Sasha Levin
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index 8afac6e2dff00..7b4b6977dcd66 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -730,7 +730,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
+
+ dlm_device_deregister(ls);
+
+- if (force < 3 && dlm_user_daemon_available())
++ if (force != 3 && dlm_user_daemon_available())
+ do_uevent(ls, 0);
+
+ dlm_recoverd_stop(ls);
+--
+2.51.0
+
diff --git a/queue-6.12/drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch b/queue-6.12/drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch
new file mode 100644
index 0000000000..f0a1b2b59e
--- /dev/null
+++ b/queue-6.12/drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch
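Review bot: The new `if (force != 3 && dlm_user_daemon_available())` still does not reject out-of-range force values; it only moves them from the `== 3` behaviour (no uevent) to the `< 3` behaviour (uevent sent), even though the commit message calls values over 3 undefined. If they are genuinely undefined, an explicit early `if (force > 3) return -EINVAL;` in `release_lockspace` would fail loudly instead of silently picking one of the two paths, unless the caller already validates force, which cannot be seen from here. `release_lockspace` starts outside the hunk.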
@@ -0,0 +1,54 @@
+From f342a273914d1e74afe0b9e68d50e8f5e740da2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 29 Aug 2025 18:14:19 +0800
+Subject: drivers/perf: hisi: Relax the event ID check in the framework
+
+From: Yicong Yang
+
+[ Upstream commit 43de0ac332b815cf56dbdce63687de9acfd35d49 ]
+
+Event ID is only using the attr::config bit [7, 0] but we check the
+event range using the whole 64bit field. It blocks the usage of the
+rest field of attr::config. Relax the check by only using the
+bit [7, 0].
+
+Acked-by: Jonathan Cameron
+Signed-off-by: Yicong Yang
+Signed-off-by: Yushan Wang
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ drivers/perf/hisilicon/hisi_uncore_pmu.c | 2 +-
+ drivers/perf/hisilicon/hisi_uncore_pmu.h | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.c b/drivers/perf/hisilicon/hisi_uncore_pmu.c
+index 918cdc31de572..e37682b280db5 100644
+--- a/drivers/perf/hisilicon/hisi_uncore_pmu.c
++++ b/drivers/perf/hisilicon/hisi_uncore_pmu.c
+@@ -198,7 +198,7 @@ int hisi_uncore_pmu_event_init(struct perf_event *event)
+ return -EINVAL;
+
+ hisi_pmu = to_hisi_pmu(event->pmu);
+- if (event->attr.config > hisi_pmu->check_event)
++ if ((event->attr.config & HISI_EVENTID_MASK) > hisi_pmu->check_event)
+ return -EINVAL;
+
+ if (hisi_pmu->on_cpu == -1)
+diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.h b/drivers/perf/hisilicon/hisi_uncore_pmu.h
+index 25b2d43b72bf9..ab5d54170b416 100644
+--- a/drivers/perf/hisilicon/hisi_uncore_pmu.h
++++ b/drivers/perf/hisilicon/hisi_uncore_pmu.h
+@@ -43,7 +43,8 @@
+ return FIELD_GET(GENMASK_ULL(hi, lo), event->attr.config); \
+ }
+
+-#define HISI_GET_EVENTID(ev) (ev->hw.config_base & 0xff)
++#define HISI_EVENTID_MASK GENMASK(7, 0)
++#define HISI_GET_EVENTID(ev) ((ev)->hw.config_base & HISI_EVENTID_MASK)
+
+ #define HISI_PMU_EVTYPE_BITS 8
+ #define HISI_PMU_EVTYPE_SHIFT(idx) ((idx) % 4 * HISI_PMU_EVTYPE_BITS)
+--
+2.51.0
+
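Review bot: After `if ((event->attr.config & HISI_EVENTID_MASK) > hisi_pmu->check_event)` the upper bits of the user-supplied `attr.config` pass the framework with no check at all, so every PMU driver that starts consuming those bits becomes responsible for validating them itself. A comment at the check would make that contract explicit, e.g. `/* Only bits [7:0] are the event ID; any other attr::config fields must be validated by the specific PMU driver. */`. `HISI_EVENTID_MASK` is `GENMASK(7, 0)` in the header hunk, matching the previous `0xff`, so the accepted ID range itself is unchanged. `hisi_uncore_pmu_event_init` starts outside the hunk.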
diff --git a/queue-6.12/exec-fix-incorrect-type-for-ret.patch b/queue-6.12/exec-fix-incorrect-type-for-ret.patch
new file mode 100644
index 0000000000..6783012e27
--- /dev/null
+++ b/queue-6.12/exec-fix-incorrect-type-for-ret.patch
@@ -0,0 +1,38 @@
+From e147c1cd5d6680b5527973eb820fd009348cca88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Aug 2025 15:36:09 +0800
+Subject: exec: Fix incorrect type for ret
+
+From: Xichao Zhao
+
+[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]
+
+In the setup_arg_pages(), ret is declared as an unsigned long.
+The ret might take a negative value. Therefore, its type should
+be changed to int.
+
+Signed-off-by: Xichao Zhao
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index d607943729638..030240d99ab7c 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -717,7 +717,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ unsigned long stack_top,
+ int executable_stack)
+ {
+- unsigned long ret;
++ int ret;
+ unsigned long stack_shift;
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma = bprm->vma;
+--
+2.51.0
+
diff --git a/queue-6.12/gfs2-fix-unlikely-race-in-gdlm_put_lock.patch b/queue-6.12/gfs2-fix-unlikely-race-in-gdlm_put_lock.patch
new file mode 100644
index 0000000000..43a98c36e9
--- /dev/null
+++ b/queue-6.12/gfs2-fix-unlikely-race-in-gdlm_put_lock.patch
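Review bot: Narrowing `ret` from `unsigned long` to `int` is only safe if every assignment to `ret` in `setup_arg_pages` is an int-typed error code; the body lies outside this hunk, so a value taken from an `unsigned long`-returning helper would now be silently truncated and could pass or fail the later comparisons differently. Worth a quick scan of the remaining assignments before queuing; if all are `int`, the change is a plain correctness fix for the negative-value comparisons the commit message describes.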
@@ -0,0 +1,54 @@
+From e3883d69abd63774315b857bd3eb75e6326e5b35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Aug 2025 23:34:03 +0200
+Subject: gfs2: Fix unlikely race in gdlm_put_lock
+
+From: Andreas Gruenbacher
+
+[ Upstream commit 28c4d9bc0708956c1a736a9e49fee71b65deee81 ]
+
+In gdlm_put_lock(), there is a small window of time in which the
+DFL_UNMOUNT flag has been set but the lockspace hasn't been released,
+yet. In that window, dlm may still call gdlm_ast() and gdlm_bast().
+To prevent it from dereferencing freed glock objects, only free the
+glock if the lockspace has actually been released.
+
+Signed-off-by: Andreas Gruenbacher
+Reviewed-by: Andrew Price
+Signed-off-by: Sasha Levin
+---
+ fs/gfs2/lock_dlm.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/fs/gfs2/lock_dlm.c b/fs/gfs2/lock_dlm.c
+index 9e27dd8bef88d..38ea69ca2303d 100644
+--- a/fs/gfs2/lock_dlm.c
++++ b/fs/gfs2/lock_dlm.c
+@@ -321,12 +321,6 @@ static void gdlm_put_lock(struct gfs2_glock *gl)
+ gfs2_sbstats_inc(gl, GFS2_LKS_DCOUNT);
+ gfs2_update_request_times(gl);
+
+- /* don't want to call dlm if we've unmounted the lock protocol */
+- if (test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) {
+- gfs2_glock_free(gl);
+- return;
+- }
+-
+ /*
+ * When the lockspace is released, all remaining glocks will be
+ * unlocked automatically. This is more efficient than unlocking them
+@@ -348,6 +342,11 @@ static void gdlm_put_lock(struct gfs2_glock *gl)
+ goto again;
+ }
+
++ if (error == -ENODEV) {
++ gfs2_glock_free(gl);
++ return;
++ }
++
+ if (error) {
+ fs_err(sdp, "gdlm_unlock %x,%llx err=%d\n",
+ gl->gl_name.ln_type,
+--
+2.51.0
+
diff --git a/queue-6.12/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch b/queue-6.12/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
new file mode 100644
index 0000000000..62c98420f2
--- /dev/null
+++ b/queue-6.12/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
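Review bot: The new `if (error == -ENODEV) { gfs2_glock_free(gl); return; }` replaces the `DFL_UNMOUNT` test, but nothing in the code states that `-ENODEV` is the signal that the lockspace has actually been released and no further `gdlm_ast()`/`gdlm_bast()` callbacks can arrive, which (per the commit message) is the whole reason freeing the glock is safe here. A comment above the check, e.g. `/* -ENODEV: the lockspace is already released, so dlm will not call back into this glock; free it now. */`, would preserve the reasoning the removed comment carried. `gdlm_put_lock` starts outside the hunk.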
@@ -0,0 +1,94 @@ +From 8d4492d113c405f530677d3326fb7505f7dd71fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Aug 2025 12:49:19 -0700 +Subject: hfs: clear offset and space out of valid records in b-tree node + +From: Viacheslav Dubeyko + +[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ] + +Currently, hfs_brec_remove() executes moving records +towards the location of deleted record and it updates +offsets of moved records. However, the hfs_brec_remove() +logic ignores the "mess" of b-tree node's free space and +it doesn't touch the offsets out of records number. +Potentially, it could confuse fsck or driver logic or +to be a reason of potential corruption cases. + +This patch reworks the logic of hfs_brec_remove() +by means of clearing freed space of b-tree node +after the records moving. And it clear the last +offset that keeping old location of free space +because now the offset before this one is keeping +the actual offset to the free space after the record +deletion. 
+ +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/brec.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c +index 896396554bcc1..b01db1fae147c 100644 +--- a/fs/hfs/brec.c ++++ b/fs/hfs/brec.c +@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd) + struct hfs_btree *tree; + struct hfs_bnode *node, *parent; + int end_off, rec_off, data_off, size; ++ int src, dst, len; + + tree = fd->tree; + node = fd->bnode; +@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd) + } + hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs); + +- if (rec_off == end_off) +- goto skip; + size = fd->keylength + fd->entrylength; + ++ if (rec_off == end_off) { ++ src = fd->keyoffset; ++ hfs_bnode_clear(node, src, size); ++ goto skip; ++ } ++ + do { + data_off = hfs_bnode_read_u16(node, rec_off); + hfs_bnode_write_u16(node, rec_off + 2, data_off - size); +@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd) + } while (rec_off >= end_off); + + /* fill hole */ +- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size, +- data_off - fd->keyoffset - size); ++ dst = fd->keyoffset; ++ src = fd->keyoffset + size; ++ len = data_off - src; ++ ++ hfs_bnode_move(node, dst, src, len); ++ ++ src = dst + len; ++ len = data_off - src; ++ ++ hfs_bnode_clear(node, src, len); ++ + skip: ++ /* ++ * Remove the obsolete offset to free space. ++ */ ++ hfs_bnode_write_u16(node, end_off, 0); ++ + hfs_bnode_dump(node); + if (!fd->record) + hfs_brec_update_parent(fd); +-- +2.51.0 + 
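Review bot: `len = data_off - src;` feeding `hfs_bnode_clear(node, src, len);` is derived from `data_off`, which the loop reads from the node itself with `hfs_bnode_read_u16(node, rec_off)`, and neither this `len` nor the first branch's `hfs_bnode_clear(node, src, size);` is checked for a negative result or against the node size. On a corrupt or crafted node that is the same class of out-of-range access the hfsplus bmap patch in this series guards with `is_bnode_offset_valid()`, so a guard such as `if (len < 0 || src + len > tree->node_size) return -EIO;` before the clears, or a comment explaining why earlier record validation rules it out, would help, unless `hfs_bnode_clear()` itself clamps, which cannot be seen here. The `hfs_bnode_write_u16(node, end_off, 0);` at `skip:` would also benefit from a comment saying which offset slot it zeroes and why it is now obsolete. `hfs_brec_remove` starts outside the hunk.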
diff --git a/queue-6.12/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch b/queue-6.12/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
new file mode 100644
index 0000000000..a9794d8ca2
--- /dev/null
+++ b/queue-6.12/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
@@ -0,0 +1,112 @@ +From f4ce019727687254d803d92429de9972107f8afe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Aug 2025 16:06:38 -0700 +Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() + +From: Viacheslav Dubeyko + +[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ] + +The syzbot reported issue in hfs_find_set_zero_bits(): + +===================================================== +BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151 + hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408 + hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353 + __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151 + block_write_begin fs/buffer.c:2262 [inline] + cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + cont_expand_zero fs/buffer.c:2528 [inline] + cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494 + hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654 + notify_change+0x1993/0x1aa0 fs/attr.c:552 + do_truncate+0x28f/0x310 fs/open.c:68 + do_ftruncate+0x698/0x730 fs/open.c:195 + do_sys_ftruncate fs/open.c:210 [inline] + __do_sys_ftruncate fs/open.c:215 [inline] + __se_sys_ftruncate fs/open.c:213 [inline] + __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213 + x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4154 [inline] + slab_alloc_node mm/slub.c:4197 [inline] + __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354 + kmalloc_noprof include/linux/slab.h:905 [inline] + hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175 + hfs_fill_super+0x3d0/0xb80 
fs/hfs/super.c:337 + get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681 + get_tree_bdev+0x38/0x50 fs/super.c:1704 + hfs_get_tree+0x35/0x40 fs/hfs/super.c:388 + vfs_get_tree+0xb0/0x5c0 fs/super.c:1804 + do_new_mount+0x738/0x1610 fs/namespace.c:3902 + path_mount+0x6db/0x1e90 fs/namespace.c:4226 + do_mount fs/namespace.c:4239 [inline] + __do_sys_mount fs/namespace.c:4450 [inline] + __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427 + __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427 + x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 +===================================================== + +The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get(): + +HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); + +Finally, it can trigger the reported issue because kmalloc() +doesn't clear the allocated memory. If allocated memory contains +only zeros, then everything will work pretty fine. +But if the allocated memory contains the "garbage", then +it can affect the bitmap operations and it triggers +the reported issue. + +This patch simply exchanges the kmalloc() on kzalloc() +with the goal to guarantee the correctness of bitmap operations. +Because, newly created allocation bitmap should have all +available blocks free. Potentially, initialization bitmap's read +operation could not fill the whole allocated memory and +"garbage" in the not initialized memory will be the reason of +volume coruptions and file system driver bugs. 
+ +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831 +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/mdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c +index 8082eb01127cd..bf811347bb07d 100644 +--- a/fs/hfs/mdb.c ++++ b/fs/hfs/mdb.c +@@ -172,7 +172,7 @@ int hfs_mdb_get(struct super_block *sb) + pr_warn("continuing without an alternate MDB\n"); + } + +- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); ++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL); + if (!HFS_SB(sb)->bitmap) + goto out; + +-- +2.51.0 + diff --git a/queue-6.12/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch b/queue-6.12/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch new file mode 100644 index 0000000000..a948fe47d9 --- /dev/null +++ b/queue-6.12/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch 
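Review bot: The switch to `HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL);` fixes the uninitialized read, but the literal 8192 and the reason zeroing matters remain undocumented at the allocation site; a comment such as `/* zeroed: any part of the bitmap the read does not fill must show its blocks as free */` would make the dependency explicit. The commit message itself notes the bitmap read may not fill the whole buffer, so the read path (outside this hunk) still deserves a check that it can neither overrun nor under-fill the 8192-byte buffer. `hfs_mdb_get` starts outside the hunk.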
@@ -0,0 +1,76 @@ +From c104bf1c73d697510723f9cb23d19b6ffebe0f8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 15:52:52 -0700 +Subject: hfs: make proper initalization of struct hfs_find_data + +From: Viacheslav Dubeyko + +[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ] + +Potenatially, __hfs_ext_read_extent() could operate by +not initialized values of fd->key after hfs_brec_find() call: + +static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent, + u32 cnid, u32 block, u8 type) +{ + int res; + + hfs_ext_build_key(fd->search_key, cnid, block, type); + fd->key->ext.FNum = 0; + res = hfs_brec_find(fd); + if (res && res != -ENOENT) + return res; + if (fd->key->ext.FNum != fd->search_key->ext.FNum || + fd->key->ext.FkType != fd->search_key->ext.FkType) + return -ENOENT; + if (fd->entrylength != sizeof(hfs_extent_rec)) + return -EIO; + hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec)); + return 0; +} + +This patch changes kmalloc() on kzalloc() in hfs_find_init() +and intializes fd->record, fd->keyoffset, fd->keylength, +fd->entryoffset, fd->entrylength for the case if hfs_brec_find() +has been found nothing in the b-tree node. 
+ +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/bfind.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c +index 34e9804e0f360..e46f650b5e9c2 100644 +--- a/fs/hfs/bfind.c ++++ b/fs/hfs/bfind.c +@@ -21,7 +21,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) + + fd->tree = tree; + fd->bnode = NULL; +- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); ++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; +@@ -115,6 +115,12 @@ int hfs_brec_find(struct hfs_find_data *fd) + __be32 data; + int height, res; + ++ fd->record = -1; ++ fd->keyoffset = -1; ++ fd->keylength = -1; ++ fd->entryoffset = -1; ++ fd->entrylength = -1; ++ + tree = fd->tree; + if (fd->bnode) + hfs_bnode_put(fd->bnode); +-- +2.51.0 + diff --git a/queue-6.12/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch b/queue-6.12/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch new file mode 100644 index 0000000000..efdb754130 --- /dev/null +++ b/queue-6.12/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch 
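Review bot: The five `fd->record = -1;` … `fd->entrylength = -1;` assignments at the top of `hfs_brec_find` are unexplained sentinels; a reader has to know that callers such as the quoted `__hfs_ext_read_extent()` compare `fd->entrylength` against `sizeof(hfs_extent_rec)` to see why -1 is a safe poison value. A comment like `/* Poison the result fields so a lookup that finds nothing cannot be mistaken for a hit. */` would make that intent explicit, and it is worth confirming these fields are signed so -1 does not become a large positive offset. `hfs_brec_find` continues outside the hunk.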
@@ -0,0 +1,217 @@ +From f89c37259c54dfbfedff5a813bdb26de1f1895d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 22:17:34 +0800 +Subject: hfs: validate record offset in hfsplus_bmap_alloc + +From: Yang Chenzhi + +[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ] + +hfsplus_bmap_alloc can trigger a crash if a +record offset or length is larger than node_size + +[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183 +[ 15.265949] +[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary) +[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 15.266167] Call Trace: +[ 15.266168] +[ 15.266169] dump_stack_lvl+0x53/0x70 +[ 15.266173] print_report+0xd0/0x660 +[ 15.266181] kasan_report+0xce/0x100 +[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0 +[ 15.266217] hfsplus_brec_insert+0x870/0xb00 +[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570 +[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910 +[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200 +[ 15.266233] hfsplus_file_extend+0x5a7/0x1000 +[ 15.266237] hfsplus_get_block+0x12b/0x8c0 +[ 15.266238] __block_write_begin_int+0x36b/0x12c0 +[ 15.266251] block_write_begin+0x77/0x110 +[ 15.266252] cont_write_begin+0x428/0x720 +[ 15.266259] hfsplus_write_begin+0x51/0x100 +[ 15.266262] cont_write_begin+0x272/0x720 +[ 15.266270] hfsplus_write_begin+0x51/0x100 +[ 15.266274] generic_perform_write+0x321/0x750 +[ 15.266285] generic_file_write_iter+0xc3/0x310 +[ 15.266289] __kernel_write_iter+0x2fd/0x800 +[ 15.266296] dump_user_range+0x2ea/0x910 +[ 15.266301] elf_core_dump+0x2a94/0x2ed0 +[ 15.266320] vfs_coredump+0x1d85/0x45e0 +[ 15.266349] get_signal+0x12e3/0x1990 +[ 15.266357] arch_do_signal_or_restart+0x89/0x580 +[ 15.266362] 
irqentry_exit_to_user_mode+0xab/0x110 +[ 15.266364] asm_exc_page_fault+0x26/0x30 +[ 15.266366] RIP: 0033:0x41bd35 +[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f +[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283 +[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000 +[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100 +[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000 +[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000 +[ 15.266376] + +When calling hfsplus_bmap_alloc to allocate a free node, this function +first retrieves the bitmap from header node and map node using node->page +together with the offset and length from hfs_brec_lenoff + +``` +len = hfs_brec_lenoff(node, 2, &off16); +off = off16; + +off += node->page_offset; +pagep = node->page + (off >> PAGE_SHIFT); +data = kmap_local_page(*pagep); +``` + +However, if the retrieved offset or length is invalid(i.e. exceeds +node_size), the code may end up accessing pages outside the allocated +range for this node. + +This patch adds proper validation of both offset and length before use, +preventing out-of-bounds page access. Move is_bnode_offset_valid and +check_and_correct_requested_length to hfsplus_fs.h, as they may be +required by other functions. 
+ +Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/ +Signed-off-by: Yang Chenzhi +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bnode.c | 41 ---------------------------------------- + fs/hfsplus/btree.c | 6 ++++++ + fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 48 insertions(+), 41 deletions(-) + +diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c +index 14f4995588ff0..407d5152eb411 100644 +--- a/fs/hfsplus/bnode.c ++++ b/fs/hfsplus/bnode.c +@@ -18,47 +18,6 @@ + #include "hfsplus_fs.h" + #include "hfsplus_raw.h" + +-static inline +-bool is_bnode_offset_valid(struct hfs_bnode *node, int off) +-{ +- bool is_valid = off < node->tree->node_size; +- +- if (!is_valid) { +- pr_err("requested invalid offset: " +- "NODE: id %u, type %#x, height %u, " +- "node_size %u, offset %d\n", +- node->this, node->type, node->height, +- node->tree->node_size, off); +- } +- +- return is_valid; +-} +- +-static inline +-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) +-{ +- unsigned int node_size; +- +- if (!is_bnode_offset_valid(node, off)) +- return 0; +- +- node_size = node->tree->node_size; +- +- if ((off + len) > node_size) { +- int new_len = (int)node_size - off; +- +- pr_err("requested length has been corrected: " +- "NODE: id %u, type %#x, height %u, " +- "node_size %u, offset %d, " +- "requested_len %d, corrected_len %d\n", +- node->this, node->type, node->height, +- node->tree->node_size, off, len, new_len); +- +- return new_len; +- } +- +- return len; +-} + + /* Copy a specified range of bytes from the raw data of a node */ + void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) +diff --git 
a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c +index 9e1732a2b92a8..fe6a54c4083c3 100644 +--- a/fs/hfsplus/btree.c ++++ b/fs/hfsplus/btree.c +@@ -393,6 +393,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree) + len = hfs_brec_lenoff(node, 2, &off16); + off = off16; + ++ if (!is_bnode_offset_valid(node, off)) { ++ hfs_bnode_put(node); ++ return ERR_PTR(-EIO); ++ } ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + data = kmap_local_page(*pagep); +diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h +index 5389918bbf29d..6c19935d6f505 100644 +--- a/fs/hfsplus/hfsplus_fs.h ++++ b/fs/hfsplus/hfsplus_fs.h +@@ -575,6 +575,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree) + return class; + } + ++static inline ++bool is_bnode_offset_valid(struct hfs_bnode *node, int off) ++{ ++ bool is_valid = off < node->tree->node_size; ++ ++ if (!is_valid) { ++ pr_err("requested invalid offset: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off); ++ } ++ ++ return is_valid; ++} ++ ++static inline ++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) ++{ ++ unsigned int node_size; ++ ++ if (!is_bnode_offset_valid(node, off)) ++ return 0; ++ ++ node_size = node->tree->node_size; ++ ++ if ((off + len) > node_size) { ++ int new_len = (int)node_size - off; ++ ++ pr_err("requested length has been corrected: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, " ++ "requested_len %d, corrected_len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len, new_len); ++ ++ return new_len; ++ } ++ ++ return len; ++} ++ + /* compatibility */ + #define hfsp_mt2ut(t) (struct timespec64){ .tv_sec = __hfsp_mt2ut(t) } + #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec) +-- +2.51.0 + 
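Review bot: `len = check_and_correct_requested_length(node, off, len);` shortens an over-long bitmap length (logging with pr_err) and then continues, so a corrupt header node still drives the allocation scan with a truncated bitmap rather than failing the way the invalid-offset case does with `return ERR_PTR(-EIO);`. For an allocator, treating a corrected length as corruption too, e.g. `if (check_and_correct_requested_length(node, off, len) != len) { hfs_bnode_put(node); return ERR_PTR(-EIO); }`, would be the safer behaviour. Minor: the helper already calls `is_bnode_offset_valid()` internally (visible in the hfsplus_fs.h hunk), so the explicit call just before it is redundant except for its distinct error path, and the removal in bnode.c leaves two consecutive blank lines before the `hfs_bnode_read` comment. `hfs_bmap_alloc` continues outside the hunk.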
diff --git a/queue-6.12/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch b/queue-6.12/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
new file mode 100644
index 0000000000..432d46dbdf
--- /dev/null
+++ b/queue-6.12/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
@@ -0,0 +1,214 @@ +From f91592bb5635373abe346911ce203d6309aa05e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 15:52:32 -0700 +Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() + +From: Viacheslav Dubeyko + +[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ] + +The syzbot reported issue in __hfsplus_ext_cache_extent(): + +[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.199771][ T9350] ksys_write+0x23e/0x490 +[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.202054][ T9350] +[ 70.202279][ T9350] Uninit was created at: +[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80 +[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0 +[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0 +[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.207961][ T9350] ksys_write+0x23e/0x490 +[ 
70.208375][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.210230][ T9350] +[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 +[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.212115][ T9350] ===================================================== +[ 70.212734][ T9350] Disabling lock debugging due to kernel taint +[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... +[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5 +[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE +[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.215999][ T9350] Call Trace: +[ 70.216309][ T9350] +[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0 +[ 70.217025][ T9350] dump_stack+0x1e/0x30 +[ 70.217421][ T9350] panic+0x502/0xca0 +[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 + +[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ... + kernel +:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +set ... +[ 70.221254][ T9350] ? __msan_warning+0x96/0x120 +[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0 +[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0 +[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0 +[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950 +[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130 +[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060 +[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460 +[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0 +[ 70.228540][ T9350] ? 
vfs_write+0xb0f/0x14e0 +[ 70.228997][ T9350] ? ksys_write+0x23e/0x490 +[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0 +[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0 +[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0 +[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0 +[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10 +[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0 +[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40 +[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620 +[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.241175][ T9350] __msan_warning+0x96/0x120 +[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10 +[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.249856][ T9350] ? 
kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10 +[ 70.251530][ T9350] ksys_write+0x23e/0x490 +[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60 +[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9 +[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9 +[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004 +[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0 +[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250 +[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 70.261286][ T9350] +[ 70.262026][ T9350] Kernel Offset: disabled + +(gdb) l *__hfsplus_ext_cache_extent+0x7d0 +0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168). +163 fd->key->ext.cnid = 0; +164 res = hfs_brec_find(fd, hfs_find_rec_by_key); +165 if (res && res != -ENOENT) +166 return res; +167 if (fd->key->ext.cnid != fd->search_key->ext.cnid || +168 fd->key->ext.fork_type != fd->search_key->ext.fork_type) +169 return -ENOENT; +170 if (fd->entrylength != sizeof(hfsplus_extent_rec)) +171 return -EIO; +172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset, + +The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent(): + +res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino, + block, HFSPLUS_IS_RSRC(inode) ? 
+ HFSPLUS_TYPE_RSRC : + HFSPLUS_TYPE_DATA); + +And if inode->i_ino could be equal to zero or any non-available CNID, +then hfs_brec_find() could not find the record in the tree. As a result, +fd->key could be compared with fd->search_key. But hfsplus_find_init() +uses kmalloc() for fd->key and fd->search_key allocation: + +int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) +{ + + ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; + fd->key = ptr + tree->max_key_len + 2; + +} + +Finally, fd->key is still not initialized if hfs_brec_find() +has found nothing. + +This patch changes kmalloc() on kzalloc() in hfs_find_init() +and intializes fd->record, fd->keyoffset, fd->keylength, +fd->entryoffset, fd->entrylength for the case if hfs_brec_find() +has been found nothing in the b-tree node. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521 +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bfind.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c +index 901e83d65d202..26ebac4c60424 100644 +--- a/fs/hfsplus/bfind.c ++++ b/fs/hfsplus/bfind.c +@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) + + fd->tree = tree; + fd->bnode = NULL; +- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); ++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; +@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare) + __be32 data; + int height, res; + ++ fd->record = -1; ++ fd->keyoffset = -1; ++ fd->keylength = -1; ++ fd->entryoffset = -1; ++ fd->entrylength 
= -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
+--
+2.51.0
+
diff --git a/queue-6.12/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch b/queue-6.12/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
new file mode 100644
index 0000000000..792743410c
--- /dev/null
+++ b/queue-6.12/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
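Review bot: The five `-1` sentinels added at the top of hfs_brec_find() carry an undocumented contract: after a miss, __hfsplus_ext_cache_extent() (quoted in the description) compares fd->key with fd->search_key first, and a key zeroed by the new kzalloc() can still equal a search key whose cnid and fork_type are both zero, so it is the later `fd->entrylength != sizeof(hfsplus_extent_rec)` test, now seeing -1, that actually turns the miss into -EIO. A comment above the initializers such as `/* Nothing found yet: mark every position invalid so a miss cannot be read as a record. */` would make that dependency explicit for any caller that reads fd->entryoffset or fd->entrylength after a failed find. The underlying trigger, an inode number of 0 or an unavailable CNID reaching the extent lookup, is not rejected here, so the change makes the failure deterministic rather than validating the input earlier. hfs_brec_find()'s body continues outside the hunk.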
@@ -0,0 +1,198 @@ +From 5d874387ed59f4e1cafa52ceb34c388130099f44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 15:51:04 -0700 +Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() + +From: Viacheslav Dubeyko + +[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ] + +The syzbot reported issue in hfsplus_delete_cat(): + +[ 70.682285][ T9333] ===================================================== +[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0 +[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310 +[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810 +[ 70.685447][ T9333] do_rmdir+0x964/0xea0 +[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0 +[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0 +[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.687646][ T9333] +[ 70.687856][ T9333] Uninit was stored to memory at: +[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 +[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800 +[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600 +[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70 +[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0 +[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30 +[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0 +[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0 +[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.692773][ T9333] +[ 70.692990][ T9333] Uninit was stored to memory at: +[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 +[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800 +[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700 +[ 70.694911][ T9333] mount_bdev+0x37b/0x530 +[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60 +[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0 +[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0 +[ 
70.696588][ T9333] do_new_mount+0x73e/0x1630 +[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0 +[ 70.697425][ T9333] __se_sys_mount+0x733/0x830 +[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150 +[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0 +[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.699730][ T9333] +[ 70.699946][ T9333] Uninit was created at: +[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60 +[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0 +[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0 +[ 70.701774][ T9333] allocate_slab+0x30e/0x1390 +[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0 +[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20 +[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0 +[ 70.703598][ T9333] alloc_inode+0x82/0x490 +[ 70.703984][ T9333] iget_locked+0x22e/0x1320 +[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0 +[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0 +[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700 +[ 70.705776][ T9333] mount_bdev+0x37b/0x530 +[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60 +[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0 +[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0 +[ 70.707444][ T9333] do_new_mount+0x73e/0x1630 +[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0 +[ 70.708270][ T9333] __se_sys_mount+0x733/0x830 +[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150 +[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0 +[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.710611][ T9333] +[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17 +[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.712490][ T9333] ===================================================== +[ 70.713085][ T9333] Disabling lock debugging due to kernel taint +[ 70.713618][ T9333] Kernel panic - not 
syncing: kmsan.panic set ... +[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17 +[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE +[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.716311][ T9333] Call Trace: +[ 70.716621][ T9333] +[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0 +[ 70.717350][ T9333] dump_stack+0x1e/0x30 +[ 70.717743][ T9333] panic+0x502/0xca0 +[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.718611][ T9333] kmsan_report+0x296/0x2a0 +[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.719859][ T9333] ? __msan_warning+0x96/0x120 +[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0 +[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310 +[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810 +[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0 +[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0 +[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0 +[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0 +[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60 +[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50 +[ 70.726175][ T9333] ? vprintk+0xce/0xd0 +[ 70.726628][ T9333] ? _printk+0x17e/0x1b0 +[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.728324][ T9333] __msan_warning+0x96/0x120 +[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0 +[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310 +[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10 +[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810 +[ 70.733416][ T9333] ? 
kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.734044][ T9333] do_rmdir+0x964/0xea0 +[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0 +[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0 +[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60 +[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9 +[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054 +[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9 +[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100 +[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910 +[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260 +[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 70.745082][ T9333] + +The main reason of the issue that struct hfsplus_inode_info +has not been properly initialized for the case of root folder. +In the case of root folder, hfsplus_fill_super() calls +the hfsplus_iget() that implements only partial initialization of +struct hfsplus_inode_info and subfolders field is not +initialized by hfsplus_iget() logic. + +This patch implements complete initialization of +struct hfsplus_inode_info in the hfsplus_iget() logic with +the goal to prevent likewise issues for the case of +root folder. 
+
+Reported-by: syzbot
+Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f
+Signed-off-by: Viacheslav Dubeyko
+cc: John Paul Adrian Glaubitz
+cc: Yangtao Li
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfsplus/super.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 97920202790f9..51364aacd4626 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -67,13 +67,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino)
+ if (!(inode->i_state & I_NEW))
+ return inode;
+
+- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
+- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
+- mutex_init(&HFSPLUS_I(inode)->extents_lock);
+- HFSPLUS_I(inode)->flags = 0;
++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->first_blocks = 0;
++ HFSPLUS_I(inode)->clump_blocks = 0;
++ HFSPLUS_I(inode)->alloc_blocks = 0;
++ HFSPLUS_I(inode)->cached_start = U32_MAX;
++ HFSPLUS_I(inode)->cached_blocks = 0;
++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec));
++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec));
+ HFSPLUS_I(inode)->extent_state = 0;
++ mutex_init(&HFSPLUS_I(inode)->extents_lock);
+ HFSPLUS_I(inode)->rsrc_inode = NULL;
+- atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->create_date = 0;
++ HFSPLUS_I(inode)->linkid = 0;
++ HFSPLUS_I(inode)->flags = 0;
++ HFSPLUS_I(inode)->fs_blocks = 0;
++ HFSPLUS_I(inode)->userflags = 0;
++ HFSPLUS_I(inode)->subfolders = 0;
++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
++ HFSPLUS_I(inode)->phys_size = 0;
+
+ if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID ||
+ inode->i_ino == HFSPLUS_ROOT_CNID) {
+--
+2.51.0
+
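Review bot: Every one of the nineteen initializers in hfsplus_iget() re-evaluates HFSPLUS_I(inode); a local such as `struct hfsplus_inode_info *hip = HFSPLUS_I(inode);` declared once before the block would halve the line length and make the block read as a single initialisation of hip. The list presumably mirrors the fields that the path for freshly created inodes sets up; if so, moving both into one shared helper would keep them from drifting apart, which is exactly how subfolders was missed here, so this is worth confirming against the rest of super.c and inode.c. hfsplus_iget()'s body continues on both sides of the hunk.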
diff --git a/queue-6.12/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch b/queue-6.12/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
new file mode 100644
index 0000000000..11f0c1785e
--- /dev/null
+++ b/queue-6.12/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
@@ -0,0 +1,39 @@
+From 35743ec26dd0c3229fa780e8306a199c038d7675 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+
+From: Yangtao Li
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li
+Reviewed-by: Viacheslav Dubeyko
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 51364aacd4626..0831cd7aa5deb 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -544,7 +544,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+--
+2.51.0
+
diff --git a/queue-6.12/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch b/queue-6.12/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
new file mode 100644
index 0000000000..30c0b78ebc
--- /dev/null
+++ b/queue-6.12/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
@@ -0,0 +1,47 @@
+From d6c58ab24ab691bc9d7d51e7b3a65d311e2a3e28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Aug 2025 14:06:05 +0800
+Subject: lkdtm: fortify: Fix potential NULL dereference on kmalloc failure
+
+From: Junjie Cao
+
+[ Upstream commit 01c7344e21c2140e72282d9d16d79a61f840fc20 ]
+
+Add missing NULL pointer checks after kmalloc() calls in
+lkdtm_FORTIFY_STR_MEMBER() and lkdtm_FORTIFY_MEM_MEMBER() functions.
+
+Signed-off-by: Junjie Cao
+Link: https://lore.kernel.org/r/20250814060605.5264-1-junjie.cao@intel.com
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/lkdtm/fortify.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/misc/lkdtm/fortify.c b/drivers/misc/lkdtm/fortify.c
+index 0159276656780..00ed2147113e6 100644
+--- a/drivers/misc/lkdtm/fortify.c
++++ b/drivers/misc/lkdtm/fortify.c
+@@ -44,6 +44,9 @@ static void lkdtm_FORTIFY_STR_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
+@@ -109,6 +112,9 @@ static void lkdtm_FORTIFY_MEM_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
+--
+2.51.0
+
diff --git a/queue-6.12/m68k-bitops-fix-find_-_bit-signatures.patch b/queue-6.12/m68k-bitops-fix-find_-_bit-signatures.patch
new file mode 100644
index 0000000000..2f5554bbf8
--- /dev/null
+++ b/queue-6.12/m68k-bitops-fix-find_-_bit-signatures.patch
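Review bot: Both new `if (!src) return;` guards make the test case exit silently on allocation failure, so a harness reading the kernel log cannot distinguish a skipped case from one that ran; lkdtm cases generally announce their outcome with pr_* messages, so a `pr_warn("kmalloc() failed, skipping test\n");` before each return would keep the result observable. The check itself is correct and sits before the first use of src in strscpy(). Both lkdtm_FORTIFY_*_MEMBER() bodies continue outside the hunk.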
@@ -0,0 +1,90 @@
+From e95d746e5a0b231d8b241742b22d151bc4549f59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Sep 2025 17:16:13 +0200
+Subject: m68k: bitops: Fix find_*_bit() signatures
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ]
+
+The function signatures of the m68k-optimized implementations of the
+find_{first,next}_{,zero_}bit() helpers do not match the generic
+variants.
+
+Fix this by changing all non-pointer inputs and outputs to "unsigned
+long", and updating a few local variables.
+
+Reported-by: kernel test robot
+Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/
+Signed-off-by: Geert Uytterhoeven
+Acked-by: "Yury Norov (NVIDIA)"
+Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org
+Signed-off-by: Sasha Levin
+---
+ arch/m68k/include/asm/bitops.h | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h
+index 14c64a6f12176..50ec92651d5a5 100644
+--- a/arch/m68k/include/asm/bitops.h
++++ b/arch/m68k/include/asm/bitops.h
+@@ -350,12 +350,12 @@ static inline bool xor_unlock_is_negative_byte(unsigned long mask,
+ #include
+ #else
+
+-static inline int find_first_zero_bit(const unsigned long *vaddr,
+- unsigned size)
++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -376,8 +376,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr,
+ }
+ #define find_first_zero_bit find_first_zero_bit
+
+-static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr,
++ unsigned long size,
++
unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
+@@ -406,11 +407,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+ }
+ #define find_next_zero_bit find_next_zero_bit
+
+-static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
++static inline unsigned long find_first_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -431,8 +433,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
+ }
+ #define find_first_bit find_first_bit
+
+-static inline int find_next_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
+--
+2.51.0
+
diff --git a/queue-6.12/nios2-ensure-that-memblock.current_limit-is-set-when.patch b/queue-6.12/nios2-ensure-that-memblock.current_limit-is-set-when.patch
new file mode 100644
index 0000000000..6343b392c7
--- /dev/null
+++ b/queue-6.12/nios2-ensure-that-memblock.current_limit-is-set-when.patch
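Review bot: In find_next_zero_bit() and find_next_bit() the context line `int bit = offset & 31UL, res;` leaves res (and bit) as int even though both functions now return unsigned long and take an unsigned long offset, whereas find_first_zero_bit() and find_first_bit() had res changed to `unsigned long res = 32;` in the same commit; changing that line to `unsigned long bit = offset & 31UL, res;` would complete the signature fix the description promises. If keeping res as int there is deliberate, a short comment would stop the next reader from re-reporting it. The bodies of both find_next_*() functions continue outside the hunk, so any arithmetic on res that depends on int width is not visible here.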
@@ -0,0 +1,74 @@
+From a066d502cf9850b915ceba681ab2b61f4adc42a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Aug 2025 12:37:07 +0200
+Subject: nios2: ensure that memblock.current_limit is set when setting pfn
+ limits
+
+From: Simon Schuster
+
+[ Upstream commit a20b83cf45be2057f3d073506779e52c7fa17f94 ]
+
+On nios2, with CONFIG_FLATMEM set, the kernel relies on
+memblock_get_current_limit() to determine the limits of mem_map, in
+particular for max_low_pfn.
+Unfortunately, memblock.current_limit is only default initialized to
+MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading
+to situations where max_low_pfn can erroneously exceed the value of
+max_pfn and, thus, the valid range of available DRAM.
+
+This can in turn cause kernel-level paging failures, e.g.:
+
+[ 76.900000] Unable to handle kernel paging request at virtual address 20303000
+[ 76.900000] ea = c0080890, ra = c000462c, cause = 14
+[ 76.900000] Kernel panic - not syncing: Oops
+[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---
+
+This patch fixes this by pre-calculating memblock.current_limit
+based on the upper limits of the available memory ranges via
+adjust_lowmem_bounds, a simplified version of the equivalent
+implementation within the arm architecture.
+
+Signed-off-by: Simon Schuster
+Signed-off-by: Andreas Oetken
+Signed-off-by: Dinh Nguyen
+Signed-off-by: Sasha Levin
+---
+ arch/nios2/kernel/setup.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/arch/nios2/kernel/setup.c b/arch/nios2/kernel/setup.c
+index da122a5fa43b2..8528ab1f222cd 100644
+--- a/arch/nios2/kernel/setup.c
++++ b/arch/nios2/kernel/setup.c
+@@ -142,6 +142,20 @@ static void __init find_limits(unsigned long *min, unsigned long *max_low,
+ *max_high = PFN_DOWN(memblock_end_of_DRAM());
+ }
+
++static void __init adjust_lowmem_bounds(void)
++{
++ phys_addr_t block_start, block_end;
++ u64 i;
++ phys_addr_t memblock_limit = 0;
++
++ for_each_mem_range(i, &block_start, &block_end) {
++ if (block_end > memblock_limit)
++ memblock_limit = block_end;
++ }
++
++ memblock_set_current_limit(memblock_limit);
++}
++
+ void __init setup_arch(char **cmdline_p)
+ {
+ console_verbose();
+@@ -155,6 +169,7 @@ void __init setup_arch(char **cmdline_p)
+ /* Keep a copy of command line */
+ *cmdline_p = boot_command_line;
+
++ adjust_lowmem_bounds();
+ find_limits(&min_low_pfn, &max_low_pfn, &max_pfn);
+ max_mapnr = max_low_pfn;
+
+--
+2.51.0
+
diff --git a/queue-6.12/pci-test-for-bit-underflow-in-pcie_set_readrq.patch b/queue-6.12/pci-test-for-bit-underflow-in-pcie_set_readrq.patch
new file mode 100644
index 0000000000..4fb55844fa
--- /dev/null
+++ b/queue-6.12/pci-test-for-bit-underflow-in-pcie_set_readrq.patch
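Review bot: adjust_lowmem_bounds() has no header comment, and its name suggests clamping to a low-memory ceiling while the loop only takes the largest block_end over every memory range; a comment such as `/* Point memblock's allocation limit at the end of the highest RAM range so that find_limits() sees real DRAM rather than MEMBLOCK_ALLOC_ANYWHERE. */` would carry the reasoning from the description into the code. When for_each_mem_range() yields nothing, memblock_limit stays 0 and is still handed to memblock_set_current_limit(); presumably that cannot happen on a booting system, but an early `if (!memblock_limit) return;` or a comment would make the assumption explicit. setup_arch() continues outside the hunk.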
@@ -0,0 +1,67 @@
+From e7976d202a4cc2371da82f20995347603e1067af Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 4 Sep 2025 22:28:41 -0700
+Subject: PCI: Test for bit underflow in pcie_set_readrq()
+
+From: Kees Cook
+
+[ Upstream commit 00e58ff924b3a684b076f9512fe2753be87b50e1 ]
+
+In preparation for the future commit ("bitops: Add __attribute_const__ to generic
+ffs()-family implementations"), which allows GCC's value range tracker
+to see past ffs(), GCC 8 on ARM thinks that it might be possible that
+"ffs(rq) - 8" used here:
+
+ v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8);
+
+could wrap below 0, leading to a very large value, which would be out of
+range for the FIELD_PREP() usage:
+
+drivers/pci/pci.c: In function 'pcie_set_readrq':
+include/linux/compiler_types.h:572:38: error: call to '__compiletime_assert_471' declared with attribute error: FIELD_PREP: value too large for the field
+...
+drivers/pci/pci.c:5896:6: note: in expansion of macro 'FIELD_PREP'
+ v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8);
+ ^~~~~~~~~~
+
+If the result of the ffs() is bounds checked before being used in
+FIELD_PREP(), the value tracker seems happy again.
:)
+
+Reported-by: Linux Kernel Functional Testing
+Closes: https://lore.kernel.org/linux-pci/CA+G9fYuysVr6qT8bjF6f08WLyCJRG7aXAeSd2F7=zTaHHd7L+Q@mail.gmail.com/
+Acked-by: Bjorn Helgaas
+Acked-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20250905052836.work.425-kees@kernel.org
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ drivers/pci/pci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 3d1365f558d3a..0dd548e2b3676 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -6048,6 +6048,7 @@ int pcie_set_readrq(struct pci_dev *dev, int rq)
+ {
+ u16 v;
+ int ret;
++ unsigned int firstbit;
+ struct pci_host_bridge *bridge = pci_find_host_bridge(dev->bus);
+
+ if (rq < 128 || rq > 4096 || !is_power_of_2(rq))
+@@ -6065,7 +6066,10 @@ int pcie_set_readrq(struct pci_dev *dev, int rq)
+ rq = mps;
+ }
+
+- v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8);
++ firstbit = ffs(rq);
++ if (firstbit < 8)
++ return -EINVAL;
++ v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, firstbit - 8);
+
+ if (bridge->no_inc_mrrs) {
+ int max_mrrs = pcie_get_readrq(dev);
+--
+2.51.0
+
diff --git a/queue-6.12/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch b/queue-6.12/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch
new file mode 100644
index 0000000000..7cb1bd1ef1
--- /dev/null
+++ b/queue-6.12/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch
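Review bot: The new `if (firstbit < 8) return -EINVAL;` cannot fire on the paths visible in the hunk — rq below 128 is already rejected by the range check, and the only later assignment is `rq = mps` — so a future cleanup could treat it as dead code and reintroduce the build failure the description quotes; a comment such as `/* Always false after the range check above; bounds ffs() so GCC's value tracker accepts FIELD_PREP(). */` would protect it. Whether mps can be below 128 is not visible here; if it can, the new -EINVAL is also a behavioural change that the description should mention. pcie_set_readrq()'s body continues outside the hunk.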
@@ -0,0 +1,107 @@ +From 14e7f4f1d8560ddcafb9418e0efe922814066b2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Sep 2025 12:03:49 +0200 +Subject: powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure + +From: Christophe Leroy + +[ Upstream commit 9316512b717f6f25c4649b3fdb0a905b6a318e9f ] + +PAGE_KERNEL_TEXT is an old macro that is used to tell kernel whether +kernel text has to be mapped read-only or read-write based on build +time options. + +But nowadays, with functionnalities like jump_labels, static links, +etc ... more only less all kernels need to be read-write at some +point, and some combinations of configs failed to work due to +innacurate setting of PAGE_KERNEL_TEXT. On the other hand, today +we have CONFIG_STRICT_KERNEL_RWX which implements a more controlled +access to kernel modifications. + +Instead of trying to keep PAGE_KERNEL_TEXT accurate with all +possible options that may imply kernel text modification, always +set kernel text read-write at startup and rely on +CONFIG_STRICT_KERNEL_RWX to provide accurate protection. + +Do this by passing PAGE_KERNEL_X to map_kernel_page() in +__maping_ram_chunk() instead of passing PAGE_KERNEL_TEXT. Once +this is done, the only remaining user of PAGE_KERNEL_TEXT is +mmu_mark_initmem_nx() which uses it in a call to setibat(). +As setibat() ignores the RW/RO, we can seamlessly replace +PAGE_KERNEL_TEXT by PAGE_KERNEL_X here as well and get rid of +PAGE_KERNEL_TEXT completely. 
+ +Reported-by: Erhard Furtner +Closes: https://lore.kernel.org/all/342b4120-911c-4723-82ec-d8c9b03a8aef@mailbox.org/ +Signed-off-by: Christophe Leroy +Tested-by: Andrew Donnellan +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/8e2d793abf87ae3efb8f6dce10f974ac0eda61b8.1757412205.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/pgtable.h | 12 ------------ + arch/powerpc/mm/book3s32/mmu.c | 4 ++-- + arch/powerpc/mm/pgtable_32.c | 2 +- + 3 files changed, 3 insertions(+), 15 deletions(-) + +diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h +index 2f72ad885332e..2ec5431ce1be2 100644 +--- a/arch/powerpc/include/asm/pgtable.h ++++ b/arch/powerpc/include/asm/pgtable.h +@@ -20,18 +20,6 @@ struct mm_struct; + #include + #endif /* !CONFIG_PPC_BOOK3S */ + +-/* +- * Protection used for kernel text. We want the debuggers to be able to +- * set breakpoints anywhere, so don't write protect the kernel text +- * on platforms where such control is possible. +- */ +-#if defined(CONFIG_KGDB) || defined(CONFIG_XMON) || defined(CONFIG_BDI_SWITCH) || \ +- defined(CONFIG_KPROBES) || defined(CONFIG_DYNAMIC_FTRACE) +-#define PAGE_KERNEL_TEXT PAGE_KERNEL_X +-#else +-#define PAGE_KERNEL_TEXT PAGE_KERNEL_ROX +-#endif +- + /* Make modules code happy. We don't set RO yet */ + #define PAGE_KERNEL_EXEC PAGE_KERNEL_X + +diff --git a/arch/powerpc/mm/book3s32/mmu.c b/arch/powerpc/mm/book3s32/mmu.c +index 2db167f4233f7..507e2ef50bd79 100644 +--- a/arch/powerpc/mm/book3s32/mmu.c ++++ b/arch/powerpc/mm/book3s32/mmu.c +@@ -204,7 +204,7 @@ int mmu_mark_initmem_nx(void) + + for (i = 0; i < nb - 1 && base < top;) { + size = bat_block_size(base, top); +- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT); ++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X); + base += size; + } + if (base < top) { +@@ -215,7 +215,7 @@ int mmu_mark_initmem_nx(void) + pr_warn("Some RW data is getting mapped X. 
" + "Adjust CONFIG_DATA_SHIFT to avoid that.\n"); + } +- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT); ++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X); + base += size; + } + for (; i < nb; i++) +diff --git a/arch/powerpc/mm/pgtable_32.c b/arch/powerpc/mm/pgtable_32.c +index 787b222063866..e52d036c7a831 100644 +--- a/arch/powerpc/mm/pgtable_32.c ++++ b/arch/powerpc/mm/pgtable_32.c +@@ -109,7 +109,7 @@ static void __init __mapin_ram_chunk(unsigned long offset, unsigned long top) + p = memstart_addr + s; + for (; s < top; s += PAGE_SIZE) { + ktext = core_kernel_text(v); +- map_kernel_page(v, p, ktext ? PAGE_KERNEL_TEXT : PAGE_KERNEL); ++ map_kernel_page(v, p, ktext ? PAGE_KERNEL_X : PAGE_KERNEL); + v += PAGE_SIZE; + p += PAGE_SIZE; + } +-- +2.51.0 + diff --git a/queue-6.12/s390-mm-use-__gfp_account-for-user-page-table-alloca.patch b/queue-6.12/s390-mm-use-__gfp_account-for-user-page-table-alloca.patch new file mode 100644 index 0000000000..3ddf2c3b32 --- /dev/null +++ b/queue-6.12/s390-mm-use-__gfp_account-for-user-page-table-alloca.patch 
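Review bot: The new `map_kernel_page(v, p, ktext ? PAGE_KERNEL_X : PAGE_KERNEL)` in __mapin_ram_chunk() maps kernel text writable and executable at startup with nothing at the call site recording that this is deliberate and that read-only text now depends entirely on CONFIG_STRICT_KERNEL_RWX (the patch description says so; the code does not). On a configuration without that option, kernel text on these 32-bit platforms stays writable for the life of the system, which is a hardening trade-off a backporter should be able to see where the mapping is made. Suggest `/* Text is mapped writable here on purpose; write protection is applied later, and only under CONFIG_STRICT_KERNEL_RWX */` above the map_kernel_page() call, and the same note at the two setibat() calls in mmu_mark_initmem_nx(). Both functions extend outside the hunk; the patch description also refers to `__maping_ram_chunk()` while the file shows `__mapin_ram_chunk`.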
@@ -0,0 +1,65 @@ +From 597398e954d73509b77226e2e865451e422c9565 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Sep 2025 17:24:05 +0200 +Subject: s390/mm: Use __GFP_ACCOUNT for user page table allocations + +From: Heiko Carstens + +[ Upstream commit 5671ce2a1fc6b4a16cff962423bc416b92cac3c8 ] + +Add missing kmemcg accounting of user page table allocations. + +Reviewed-by: Alexander Gordeev +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/mm/pgalloc.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/arch/s390/mm/pgalloc.c b/arch/s390/mm/pgalloc.c +index f5dece9353535..a2ec82ec78ac9 100644 +--- a/arch/s390/mm/pgalloc.c ++++ b/arch/s390/mm/pgalloc.c +@@ -43,9 +43,13 @@ __initcall(page_table_register_sysctl); + + unsigned long *crst_table_alloc(struct mm_struct *mm) + { +- struct ptdesc *ptdesc = pagetable_alloc(GFP_KERNEL, CRST_ALLOC_ORDER); ++ gfp_t gfp = GFP_KERNEL_ACCOUNT; ++ struct ptdesc *ptdesc; + unsigned long *table; + ++ if (mm == &init_mm) ++ gfp &= ~__GFP_ACCOUNT; ++ ptdesc = pagetable_alloc(gfp, CRST_ALLOC_ORDER); + if (!ptdesc) + return NULL; + table = ptdesc_to_virt(ptdesc); +@@ -142,7 +146,7 @@ struct ptdesc *page_table_alloc_pgste(struct mm_struct *mm) + struct ptdesc *ptdesc; + u64 *table; + +- ptdesc = pagetable_alloc(GFP_KERNEL, 0); ++ ptdesc = pagetable_alloc(GFP_KERNEL_ACCOUNT, 0); + if (ptdesc) { + table = (u64 *)ptdesc_to_virt(ptdesc); + __arch_set_page_dat(table, 1); +@@ -161,10 +165,13 @@ void page_table_free_pgste(struct ptdesc *ptdesc) + + unsigned long *page_table_alloc(struct mm_struct *mm) + { ++ gfp_t gfp = GFP_KERNEL_ACCOUNT; + struct ptdesc *ptdesc; + unsigned long *table; + +- ptdesc = pagetable_alloc(GFP_KERNEL, 0); ++ if (mm == &init_mm) ++ gfp &= ~__GFP_ACCOUNT; ++ ptdesc = pagetable_alloc(gfp, 0); + if (!ptdesc) + return NULL; + if (!pagetable_pte_ctor(ptdesc)) { +-- +2.51.0 + 
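Review bot: page_table_alloc_pgste() switches to `GFP_KERNEL_ACCOUNT` unconditionally, while crst_table_alloc() and page_table_alloc() in the same hunk strip `__GFP_ACCOUNT` when `mm == &init_mm`; if the pgste variant is only ever reached for user mms the asymmetry is harmless, but nothing says so. The two `gfp &= ~__GFP_ACCOUNT;` lines also carry no comment on intent. Suggest `/* Kernel page tables are never charged to a memcg */` above each `if (mm == &init_mm)`, and, if the pgste path is user-only by construction, a matching one-line note there. All three functions continue outside the hunk.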
diff --git a/queue-6.12/series b/queue-6.12/series new file mode 100644 index 0000000000..bdfe200c49 --- /dev/null +++ b/queue-6.12/series @@ -0,0 +1,22 @@ +exec-fix-incorrect-type-for-ret.patch +nios2-ensure-that-memblock.current_limit-is-set-when.patch +hfs-clear-offset-and-space-out-of-valid-records-in-b.patch +hfs-make-proper-initalization-of-struct-hfs_find_dat.patch +hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch +hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch +hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch +dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch +hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch +hfsplus-return-eio-when-type-of-hidden-directory-mis.patch +binfmt_elf-preserve-original-elf-e_flags-for-core-du.patch +pci-test-for-bit-underflow-in-pcie_set_readrq.patch +lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch +arm64-sysreg-correct-sign-definitions-for-eiesb-and-.patch +gfs2-fix-unlikely-race-in-gdlm_put_lock.patch +m68k-bitops-fix-find_-_bit-signatures.patch +powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch +drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch +s390-mm-use-__gfp_account-for-user-page-table-alloca.patch +smb-server-let-smb_direct_flush_send_list-invalidate.patch +unbreak-make-tools-for-user-space-targets.patch +bpf-replace-bpf_map_kmalloc_node-with-kmalloc_nolock.patch diff --git a/queue-6.12/smb-server-let-smb_direct_flush_send_list-invalidate.patch b/queue-6.12/smb-server-let-smb_direct_flush_send_list-invalidate.patch new file mode 100644 index 0000000000..ce4a9a7cfd --- /dev/null +++ b/queue-6.12/smb-server-let-smb_direct_flush_send_list-invalidate.patch 
@@ -0,0 +1,52 @@ +From cda37e4c09e0c11f1567c964e7bb8291fcedfb1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Sep 2025 22:22:35 +0200 +Subject: smb: server: let smb_direct_flush_send_list() invalidate a remote key + first + +From: Stefan Metzmacher + +[ Upstream commit 1b53426334c3c942db47e0959a2527a4f815af50 ] + +If we want to invalidate a remote key we should do that as soon as +possible, so do it in the first send work request. + +Acked-by: Namjae Jeon +Cc: Steve French +Cc: Tom Talpey +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/transport_rdma.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c +index 05dfef7ad67f5..bf79c066a982e 100644 +--- a/fs/smb/server/transport_rdma.c ++++ b/fs/smb/server/transport_rdma.c +@@ -938,12 +938,15 @@ static int smb_direct_flush_send_list(struct smb_direct_transport *t, + struct smb_direct_sendmsg, + list); + ++ if (send_ctx->need_invalidate_rkey) { ++ first->wr.opcode = IB_WR_SEND_WITH_INV; ++ first->wr.ex.invalidate_rkey = send_ctx->remote_key; ++ send_ctx->need_invalidate_rkey = false; ++ send_ctx->remote_key = 0; ++ } ++ + last->wr.send_flags = IB_SEND_SIGNALED; + last->wr.wr_cqe = &last->cqe; +- if (is_last && send_ctx->need_invalidate_rkey) { +- last->wr.opcode = IB_WR_SEND_WITH_INV; +- last->wr.ex.invalidate_rkey = send_ctx->remote_key; +- } + + ret = smb_direct_post_send(t, &first->wr); + if (!ret) { +-- +2.51.0 + diff --git a/queue-6.12/unbreak-make-tools-for-user-space-targets.patch b/queue-6.12/unbreak-make-tools-for-user-space-targets.patch new file mode 100644 index 0000000000..ec7c84e678 --- /dev/null +++ b/queue-6.12/unbreak-make-tools-for-user-space-targets.patch 
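Review bot: The new block clears `send_ctx->need_invalidate_rkey` and `send_ctx->remote_key` before `smb_direct_post_send(t, &first->wr)` runs, so if the post fails the invalidation request is lost and nothing records that the remote key was never invalidated; the error path after `if (!ret) {` is outside the hunk, so whether anything later depends on those fields cannot be seen here. If a failed post cannot be retried, say so with `/* cleared up front: a failed post is not retried, so nothing reads these fields afterwards */`; otherwise move the two resets into the `if (!ret)` branch. The removed `is_last && ...` condition was the only visible use of `is_last`; if the rest of smb_direct_flush_send_list() does not use it, the parameter is now dead. The function starts and ends outside the hunk.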
@@ -0,0 +1,62 @@ +From c58eca53b47ac8ecf38c74a40963084992aa210b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Sep 2025 12:24:20 -0700 +Subject: Unbreak 'make tools/*' for user-space targets + +From: Linus Torvalds + +[ Upstream commit ee916dccd4df6e2fd19c3606c4735282b72f1473 ] + +This pattern isn't very documented, and apparently not used much outside +of 'make tools/help', but it has existed for over a decade (since commit +ea01fa9f63ae: "tools: Connect to the kernel build system"). + +However, it doesn't work very well for most cases, particularly the +useful "tools/all" target, because it overrides the LDFLAGS value with +an empty one. + +And once overridden, 'make' will then not honor the tooling makefiles +trying to change it - which then makes any LDFLAGS use in the tooling +directory break, typically causing odd link errors. + +Remove that LDFLAGS override, since it seems to be entirely historical. +The core kernel makefiles no longer modify LDFLAGS as part of the build, +and use kernel-specific link flags instead (eg 'KBUILD_LDFLAGS' and +friends). + +This allows more of the 'make tools/*' cases to work. I say 'more', +because some of the tooling build rules make various other assumptions +or have other issues, so it's still a bit hit-or-miss. But those issues +tend to show up with the 'make -C tools xyz' pattern too, so now it's no +longer an issue of this particular 'tools/*' build rule being special. 
+ +Acked-by: Nathan Chancellor +Cc: Nicolas Schier +Cc: Borislav Petkov +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index d4c679b2d4bcf..0aa9fd3ab9a1c 100644 +--- a/Makefile ++++ b/Makefile +@@ -1372,11 +1372,11 @@ endif + + tools/: FORCE + $(Q)mkdir -p $(objtree)/tools +- $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ ++ $(Q)$(MAKE) O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ + + tools/%: FORCE + $(Q)mkdir -p $(objtree)/tools +- $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $* ++ $(Q)$(MAKE) O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $* + + # --------------------------------------------------------------------------- + # Kernel selftest +-- +2.51.0 + diff --git a/queue-6.17/arm64-sysreg-correct-sign-definitions-for-eiesb-and-.patch b/queue-6.17/arm64-sysreg-correct-sign-definitions-for-eiesb-and-.patch new file mode 100644 index 0000000000..ae5928bbcb --- /dev/null +++ b/queue-6.17/arm64-sysreg-correct-sign-definitions-for-eiesb-and-.patch 
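Review bot: Nothing on the `tools/:` and `tools/%:` rules now records that LDFLAGS is deliberately not overridden, so the `LDFLAGS=` assignment is likely to be reintroduced by someone who notices that an environment LDFLAGS now reaches the tools sub-make. A comment above `tools/: FORCE` such as `# Do not pass LDFLAGS= here: a command-line assignment would override the LDFLAGS the tools/ makefiles set themselves` would preserve the rationale given in the patch description. As a point of style, the two recipes differ only by the trailing `$*`; folding them into one rule would keep any future change to the sub-make invocation in a single place.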
@@ -0,0 +1,53 @@ +From 6ecc89d497aeb1887ff783ba735702ffe113ae65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 10:51:42 +0100 +Subject: arm64: sysreg: Correct sign definitions for EIESB and DoubleLock + +From: Fuad Tabba + +[ Upstream commit f4d4ebc84995178273740f3e601e97fdefc561d2 ] + +The `ID_AA64MMFR4_EL1.EIESB` field, is an unsigned enumeration, but was +incorrectly defined as a `SignedEnum` when introduced in commit +cfc680bb04c5 ("arm64: sysreg: Add layout for ID_AA64MMFR4_EL1"). This is +corrected to `UnsignedEnum`. + +Conversely, the `ID_AA64DFR0_EL1.DoubleLock` field, is a signed +enumeration, but was incorrectly defined as an `UnsignedEnum`. This is +corrected to `SignedEnum`, which wasn't correctly set when annotated as +such in commit ad16d4cf0b4f ("arm64/sysreg: Initial unsigned annotations +for ID registers"). + +Signed-off-by: Fuad Tabba +Acked-by: Mark Rutland +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/tools/sysreg | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/tools/sysreg b/arch/arm64/tools/sysreg +index 696ab1f32a674..2a37d4c26d870 100644 +--- a/arch/arm64/tools/sysreg ++++ b/arch/arm64/tools/sysreg +@@ -1693,7 +1693,7 @@ UnsignedEnum 43:40 TraceFilt + 0b0000 NI + 0b0001 IMP + EndEnum +-UnsignedEnum 39:36 DoubleLock ++SignedEnum 39:36 DoubleLock + 0b0000 IMP + 0b1111 NI + EndEnum +@@ -2409,7 +2409,7 @@ UnsignedEnum 11:8 ASID2 + 0b0000 NI + 0b0001 IMP + EndEnum +-SignedEnum 7:4 EIESB ++UnsignedEnum 7:4 EIESB + 0b0000 NI + 0b0001 ToEL3 + 0b0010 ToELx +-- +2.51.0 + diff --git a/queue-6.17/binfmt_elf-preserve-original-elf-e_flags-for-core-du.patch b/queue-6.17/binfmt_elf-preserve-original-elf-e_flags-for-core-du.patch new file mode 100644 index 0000000000..610b7b3e1d --- /dev/null +++ b/queue-6.17/binfmt_elf-preserve-original-elf-e_flags-for-core-du.patch 
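Review bot: Consumers of `ID_AA64DFR0_EL1.DoubleLock` that compared the field as unsigned need checking, because as a `SignedEnum` the `0b1111 NI` encoding now orders below `0b0000 IMP` (it reads as -1) in any generated comparison; the same applies in the opposite direction for `EIESB`, whose `NI` encoding is now the smallest value. Those consumers are in cpufeature code outside this hunk, so the correctness of the backport rests on them having been audited. A note naming the checked users would make the change easier to trust in a stable tree.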
@@ -0,0 +1,162 @@ +From 003abdd5f1a8f9b0e54ded266150d4b13c26a1aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 20:53:50 +0700 +Subject: binfmt_elf: preserve original ELF e_flags for core dumps + +From: Svetlana Parfenova + +[ Upstream commit 8c94db0ae97c72c253a615f990bd466b456e94f6 ] + +Some architectures, such as RISC-V, use the ELF e_flags field to encode +ABI-specific information (e.g., ISA extensions, fpu support). Debuggers +like GDB rely on these flags in core dumps to correctly interpret +optional register sets. If the flags are missing or incorrect, GDB may +warn and ignore valid data, for example: + + warning: Unexpected size of section '.reg2/213' in core file. + +This can prevent access to fpu or other architecture-specific registers +even when they were dumped. + +Save the e_flags field during ELF binary loading (in load_elf_binary()) +into the mm_struct, and later retrieve it during core dump generation +(in fill_note_info()). Kconfig option CONFIG_ARCH_HAS_ELF_CORE_EFLAGS +is introduced for architectures that require this behaviour. 
+ +Signed-off-by: Svetlana Parfenova +Link: https://lore.kernel.org/r/20250901135350.619485-1-svetlana.parfenova@syntacore.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/riscv/Kconfig | 1 + + fs/Kconfig.binfmt | 9 +++++++++ + fs/binfmt_elf.c | 40 ++++++++++++++++++++++++++++++++++------ + include/linux/mm_types.h | 5 +++++ + 4 files changed, 49 insertions(+), 6 deletions(-) + +diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig +index 51dcd8eaa2435..74db054aa1b8b 100644 +--- a/arch/riscv/Kconfig ++++ b/arch/riscv/Kconfig +@@ -28,6 +28,7 @@ config RISCV + select ARCH_HAS_DEBUG_VIRTUAL if MMU + select ARCH_HAS_DEBUG_VM_PGTABLE + select ARCH_HAS_DEBUG_WX ++ select ARCH_HAS_ELF_CORE_EFLAGS + select ARCH_HAS_FAST_MULTIPLIER + select ARCH_HAS_FORTIFY_SOURCE + select ARCH_HAS_GCOV_PROFILE_ALL +diff --git a/fs/Kconfig.binfmt b/fs/Kconfig.binfmt +index bd2f530e57408..1949e25c7741b 100644 +--- a/fs/Kconfig.binfmt ++++ b/fs/Kconfig.binfmt +@@ -184,4 +184,13 @@ config EXEC_KUNIT_TEST + This builds the exec KUnit tests, which tests boundary conditions + of various aspects of the exec internals. + ++config ARCH_HAS_ELF_CORE_EFLAGS ++ bool ++ depends on BINFMT_ELF && ELF_CORE ++ default n ++ help ++ Select this option if the architecture makes use of the e_flags ++ field in the ELF header to store ABI or other architecture-specific ++ information that should be preserved in core dumps. 
++ + endmenu +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 264fba0d44bdf..c126e3d0e7018 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -103,6 +103,21 @@ static struct linux_binfmt elf_format = { + + #define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE)) + ++static inline void elf_coredump_set_mm_eflags(struct mm_struct *mm, u32 flags) ++{ ++#ifdef CONFIG_ARCH_HAS_ELF_CORE_EFLAGS ++ mm->saved_e_flags = flags; ++#endif ++} ++ ++static inline u32 elf_coredump_get_mm_eflags(struct mm_struct *mm, u32 flags) ++{ ++#ifdef CONFIG_ARCH_HAS_ELF_CORE_EFLAGS ++ flags = mm->saved_e_flags; ++#endif ++ return flags; ++} ++ + /* + * We need to explicitly zero any trailing portion of the page that follows + * p_filesz when it ends before the page ends (e.g. bss), otherwise this +@@ -1290,6 +1305,8 @@ static int load_elf_binary(struct linux_binprm *bprm) + mm->end_data = end_data; + mm->start_stack = bprm->p; + ++ elf_coredump_set_mm_eflags(mm, elf_ex->e_flags); ++ + /** + * DOC: "brk" handling + * +@@ -1804,6 +1821,8 @@ static int fill_note_info(struct elfhdr *elf, int phdrs, + struct elf_thread_core_info *t; + struct elf_prpsinfo *psinfo; + struct core_thread *ct; ++ u16 machine; ++ u32 flags; + + psinfo = kmalloc(sizeof(*psinfo), GFP_KERNEL); + if (!psinfo) +@@ -1831,17 +1850,26 @@ static int fill_note_info(struct elfhdr *elf, int phdrs, + return 0; + } + +- /* +- * Initialize the ELF file header. +- */ +- fill_elf_header(elf, phdrs, +- view->e_machine, view->e_flags); ++ machine = view->e_machine; ++ flags = view->e_flags; + #else + view = NULL; + info->thread_notes = 2; +- fill_elf_header(elf, phdrs, ELF_ARCH, ELF_CORE_EFLAGS); ++ machine = ELF_ARCH; ++ flags = ELF_CORE_EFLAGS; + #endif + ++ /* ++ * Override ELF e_flags with value taken from process, ++ * if arch needs that. ++ */ ++ flags = elf_coredump_get_mm_eflags(dump_task->mm, flags); ++ ++ /* ++ * Initialize the ELF file header. 
++ */ ++ fill_elf_header(elf, phdrs, machine, flags); ++ + /* + * Allocate a structure for each thread. + */ +diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h +index a643fae8a3494..7f625c35128be 100644 +--- a/include/linux/mm_types.h ++++ b/include/linux/mm_types.h +@@ -1107,6 +1107,11 @@ struct mm_struct { + + unsigned long saved_auxv[AT_VECTOR_SIZE]; /* for /proc/PID/auxv */ + ++#ifdef CONFIG_ARCH_HAS_ELF_CORE_EFLAGS ++ /* the ABI-related flags from the ELF header. Used for core dump */ ++ unsigned long saved_e_flags; ++#endif ++ + struct percpu_counter rss_stat[NR_MM_COUNTERS]; + + struct linux_binfmt *binfmt; +-- +2.51.0 + diff --git a/queue-6.17/bpf-replace-bpf_map_kmalloc_node-with-kmalloc_nolock.patch b/queue-6.17/bpf-replace-bpf_map_kmalloc_node-with-kmalloc_nolock.patch new file mode 100644 index 0000000000..41e163008e --- /dev/null +++ b/queue-6.17/bpf-replace-bpf_map_kmalloc_node-with-kmalloc_nolock.patch 
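Review bot: `saved_e_flags` is declared `unsigned long` in `struct mm_struct`, but elf_coredump_set_mm_eflags()/elf_coredump_get_mm_eflags() access it as `u32` and `flags` in fill_note_info() is `u32`; declaring the field `u32` matches the ELF e_flags width and avoids a silent widening and narrowing on every access. The getter takes the fallback in `flags` and returns it unchanged when CONFIG_ARCH_HAS_ELF_CORE_EFLAGS is off, which deserves a comment: `/* Returns the e_flags saved at exec time, or @flags when the arch does not preserve them */`. The `dump_task->mm` dereference presumably relies on the dumping task's mm being live at this point; that is not visible in the hunk. fill_note_info() and load_elf_binary() both extend outside the hunk.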
@@ -0,0 +1,190 @@ +From 6bdff593fefe5d2206a689b580132e55189a3f47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Oct 2025 17:07:00 -0700 +Subject: bpf: Replace bpf_map_kmalloc_node() with kmalloc_nolock() to allocate + bpf_async_cb structures. + +From: Alexei Starovoitov + +[ Upstream commit 5fb750e8a9ae123b2034771b864b8a21dbef65cd ] + +The following kmemleak splat: + +[ 8.105530] kmemleak: Trying to color unknown object at 0xff11000100e918c0 as Black +[ 8.106521] Call Trace: +[ 8.106521] +[ 8.106521] dump_stack_lvl+0x4b/0x70 +[ 8.106521] kvfree_call_rcu+0xcb/0x3b0 +[ 8.106521] ? hrtimer_cancel+0x21/0x40 +[ 8.106521] bpf_obj_free_fields+0x193/0x200 +[ 8.106521] htab_map_update_elem+0x29c/0x410 +[ 8.106521] bpf_prog_cfc8cd0f42c04044_overwrite_cb+0x47/0x4b +[ 8.106521] bpf_prog_8c30cd7c4db2e963_overwrite_timer+0x65/0x86 +[ 8.106521] bpf_prog_test_run_syscall+0xe1/0x2a0 + +happens due to the combination of features and fixes, but mainly due to +commit 6d78b4473cdb ("bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()") +It's using __GFP_HIGH, which instructs slub/kmemleak internals to skip +kmemleak_alloc_recursive() on allocation, so subsequent kfree_rcu()-> +kvfree_call_rcu()->kmemleak_ignore() complains with the above splat. + +To fix this imbalance, replace bpf_map_kmalloc_node() with +kmalloc_nolock() and kfree_rcu() with call_rcu() + kfree_nolock() to +make sure that the objects allocated with kmalloc_nolock() are freed +with kfree_nolock() rather than the implicit kfree() that kfree_rcu() +uses internally. + +Note, the kmalloc_nolock() happens under bpf_spin_lock_irqsave(), so +it will always fail in PREEMPT_RT. This is not an issue at the moment, +since bpf_timers are disabled in PREEMPT_RT. In the future +bpf_spin_lock will be replaced with state machine similar to +bpf_task_work. 
+ +Fixes: 6d78b4473cdb ("bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()") +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Reviewed-by: Shakeel Butt +Acked-by: Harry Yoo +Acked-by: Vlastimil Babka +Cc: linux-mm@kvack.org +Link: https://lore.kernel.org/bpf/20251015000700.28988-1-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + include/linux/bpf.h | 4 ++++ + kernel/bpf/helpers.c | 25 ++++++++++++++----------- + kernel/bpf/syscall.c | 15 +++++++++++++++ + 3 files changed, 33 insertions(+), 11 deletions(-) + +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index 84826dc0a3268..6d6fbb057d431 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -2473,6 +2473,8 @@ int bpf_map_alloc_pages(const struct bpf_map *map, int nid, + #ifdef CONFIG_MEMCG + void *bpf_map_kmalloc_node(const struct bpf_map *map, size_t size, gfp_t flags, + int node); ++void *bpf_map_kmalloc_nolock(const struct bpf_map *map, size_t size, gfp_t flags, ++ int node); + void *bpf_map_kzalloc(const struct bpf_map *map, size_t size, gfp_t flags); + void *bpf_map_kvcalloc(struct bpf_map *map, size_t n, size_t size, + gfp_t flags); +@@ -2485,6 +2487,8 @@ void __percpu *bpf_map_alloc_percpu(const struct bpf_map *map, size_t size, + */ + #define bpf_map_kmalloc_node(_map, _size, _flags, _node) \ + kmalloc_node(_size, _flags, _node) ++#define bpf_map_kmalloc_nolock(_map, _size, _flags, _node) \ ++ kmalloc_nolock(_size, _flags, _node) + #define bpf_map_kzalloc(_map, _size, _flags) \ + kzalloc(_size, _flags) + #define bpf_map_kvcalloc(_map, _n, _size, _flags) \ +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 9c750a6a895bf..57129fd8ec544 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -1216,13 +1216,20 @@ static void bpf_wq_work(struct work_struct *work) + rcu_read_unlock_trace(); + } + ++static void bpf_async_cb_rcu_free(struct rcu_head *rcu) ++{ ++ struct bpf_async_cb *cb = container_of(rcu, struct 
bpf_async_cb, rcu); ++ ++ kfree_nolock(cb); ++} ++ + static void bpf_wq_delete_work(struct work_struct *work) + { + struct bpf_work *w = container_of(work, struct bpf_work, delete_work); + + cancel_work_sync(&w->work); + +- kfree_rcu(w, cb.rcu); ++ call_rcu(&w->cb.rcu, bpf_async_cb_rcu_free); + } + + static void bpf_timer_delete_work(struct work_struct *work) +@@ -1231,13 +1238,13 @@ static void bpf_timer_delete_work(struct work_struct *work) + + /* Cancel the timer and wait for callback to complete if it was running. + * If hrtimer_cancel() can be safely called it's safe to call +- * kfree_rcu(t) right after for both preallocated and non-preallocated ++ * call_rcu() right after for both preallocated and non-preallocated + * maps. The async->cb = NULL was already done and no code path can see + * address 't' anymore. Timer if armed for existing bpf_hrtimer before + * bpf_timer_cancel_and_free will have been cancelled. + */ + hrtimer_cancel(&t->timer); +- kfree_rcu(t, cb.rcu); ++ call_rcu(&t->cb.rcu, bpf_async_cb_rcu_free); + } + + static int __bpf_async_init(struct bpf_async_kern *async, struct bpf_map *map, u64 flags, +@@ -1271,11 +1278,7 @@ static int __bpf_async_init(struct bpf_async_kern *async, struct bpf_map *map, u + goto out; + } + +- /* Allocate via bpf_map_kmalloc_node() for memcg accounting. Until +- * kmalloc_nolock() is available, avoid locking issues by using +- * __GFP_HIGH (GFP_ATOMIC & ~__GFP_RECLAIM). +- */ +- cb = bpf_map_kmalloc_node(map, size, __GFP_HIGH, map->numa_node); ++ cb = bpf_map_kmalloc_nolock(map, size, 0, map->numa_node); + if (!cb) { + ret = -ENOMEM; + goto out; +@@ -1316,7 +1319,7 @@ static int __bpf_async_init(struct bpf_async_kern *async, struct bpf_map *map, u + * or pinned in bpffs. 
+ */ + WRITE_ONCE(async->cb, NULL); +- kfree(cb); ++ kfree_nolock(cb); + ret = -EPERM; + } + out: +@@ -1581,7 +1584,7 @@ void bpf_timer_cancel_and_free(void *val) + * timer _before_ calling us, such that failing to cancel it here will + * cause it to possibly use struct hrtimer after freeing bpf_hrtimer. + * Therefore, we _need_ to cancel any outstanding timers before we do +- * kfree_rcu, even though no more timers can be armed. ++ * call_rcu, even though no more timers can be armed. + * + * Moreover, we need to schedule work even if timer does not belong to + * the calling callback_fn, as on two different CPUs, we can end up in a +@@ -1608,7 +1611,7 @@ void bpf_timer_cancel_and_free(void *val) + * completion. + */ + if (hrtimer_try_to_cancel(&t->timer) >= 0) +- kfree_rcu(t, cb.rcu); ++ call_rcu(&t->cb.rcu, bpf_async_cb_rcu_free); + else + queue_work(system_unbound_wq, &t->cb.delete_work); + } else { +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 0fbfa8532c392..0002fd4e5ad3f 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -518,6 +518,21 @@ void *bpf_map_kmalloc_node(const struct bpf_map *map, size_t size, gfp_t flags, + return ptr; + } + ++void *bpf_map_kmalloc_nolock(const struct bpf_map *map, size_t size, gfp_t flags, ++ int node) ++{ ++ struct mem_cgroup *memcg, *old_memcg; ++ void *ptr; ++ ++ memcg = bpf_map_get_memcg(map); ++ old_memcg = set_active_memcg(memcg); ++ ptr = kmalloc_nolock(size, flags | __GFP_ACCOUNT, node); ++ set_active_memcg(old_memcg); ++ mem_cgroup_put(memcg); ++ ++ return ptr; ++} ++ + void *bpf_map_kzalloc(const struct bpf_map *map, size_t size, gfp_t flags) + { + struct mem_cgroup *memcg, *old_memcg; +-- +2.51.0 + diff --git a/queue-6.17/cgroup-misc-fix-misc_res_type-kernel-doc-warning.patch b/queue-6.17/cgroup-misc-fix-misc_res_type-kernel-doc-warning.patch new file mode 100644 index 0000000000..01097c4efc --- /dev/null +++ b/queue-6.17/cgroup-misc-fix-misc_res_type-kernel-doc-warning.patch 
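Review bot: The replacement `cb = bpf_map_kmalloc_nolock(map, size, 0, map->numa_node);` in __bpf_async_init() drops the comment that explained the allocation context, so the constraints the patch description gives — the call runs under bpf_spin_lock_irqsave(), kmalloc_nolock() may fail and always fails on PREEMPT_RT, and the object must be released with kfree_nolock() — are no longer visible at the call site. Suggest `/* Under bpf_spin_lock_irqsave(): kmalloc_nolock() never sleeps, may fail (always on PREEMPT_RT), and pairs with kfree_nolock() via bpf_async_cb_rcu_free() */`. A one-line comment on bpf_async_cb_rcu_free() stating that it exists because kfree_rcu() would call kfree() on a kmalloc_nolock() object would make the pairing requirement explicit for the three call_rcu() sites. __bpf_async_init() starts and ends outside the hunk.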
@@ -0,0 +1,39 @@ +From fce158b82f4a31657511b44f93f2f45546f03d62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Oct 2025 00:07:42 -0700 +Subject: cgroup/misc: fix misc_res_type kernel-doc warning + +From: Randy Dunlap + +[ Upstream commit 0fbbcab7f9082cdc233da5e5e353f69830f11956 ] + +Format the kernel-doc for SCALE_HW_CALIB_INVALID correctly to +avoid a kernel-doc warning: + +Warning: include/linux/misc_cgroup.h:26 Enum value + 'MISC_CG_RES_TDX' not described in enum 'misc_res_type' + +Fixes: 7c035bea9407 ("KVM: TDX: Register TDX host key IDs to cgroup misc controller") +Signed-off-by: Randy Dunlap +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + include/linux/misc_cgroup.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/misc_cgroup.h b/include/linux/misc_cgroup.h +index 71cf5bfc6349d..0cb36a3ffc479 100644 +--- a/include/linux/misc_cgroup.h ++++ b/include/linux/misc_cgroup.h +@@ -19,7 +19,7 @@ enum misc_res_type { + MISC_CG_RES_SEV_ES, + #endif + #ifdef CONFIG_INTEL_TDX_HOST +- /* Intel TDX HKIDs resource */ ++ /** @MISC_CG_RES_TDX: Intel TDX HKIDs resource */ + MISC_CG_RES_TDX, + #endif + /** @MISC_CG_RES_TYPES: count of enum misc_res_type constants */ +-- +2.51.0 + diff --git a/queue-6.17/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch b/queue-6.17/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch new file mode 100644 index 0000000000..ad92def041 --- /dev/null +++ b/queue-6.17/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch 
@@ -0,0 +1,34 @@ +From b3d71f453687318b7e68d76930748caad33693f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jul 2025 11:21:52 -0400 +Subject: dlm: check for defined force value in dlm_lockspace_release + +From: Alexander Aring + +[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ] + +Force values over 3 are undefined, so don't treat them as 3. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lockspace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c +index 1929327ffbe1c..ee11a70def92d 100644 +--- a/fs/dlm/lockspace.c ++++ b/fs/dlm/lockspace.c +@@ -730,7 +730,7 @@ static int release_lockspace(struct dlm_ls *ls, int force) + + dlm_device_deregister(ls); + +- if (force < 3 && dlm_user_daemon_available()) ++ if (force != 3 && dlm_user_daemon_available()) + do_uevent(ls, 0); + + dlm_recoverd_stop(ls); +-- +2.51.0 + diff --git a/queue-6.17/dlm-move-to-rinfo-for-all-middle-conversion-cases.patch b/queue-6.17/dlm-move-to-rinfo-for-all-middle-conversion-cases.patch new file mode 100644 index 0000000000..c4f46bddf7 --- /dev/null +++ b/queue-6.17/dlm-move-to-rinfo-for-all-middle-conversion-cases.patch 
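Review bot: With `force != 3`, a force value above 3 — which the patch description says is undefined — now takes the `do_uevent(ls, 0)` path like 0–2 instead of being treated as 3, so undefined input is still mapped silently to a defined behaviour, just a different one. If such values are invalid they are better rejected where `force` enters, e.g. `if (force > 3) return -EINVAL;` at the top of release_lockspace() or in its caller, or at minimum the accepted range should be stated here: `/* force 0..3 are defined; 3 skips the daemon uevent */`. Where `force` originates (userspace via the DLM device or in-kernel callers) is not visible in the hunk, and release_lockspace() continues outside it.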
@@ -0,0 +1,53 @@ +From 2e08949a7a9fbe258ea679c0712498cb7dbbe4a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 11:22:12 -0400 +Subject: dlm: move to rinfo for all middle conversion cases + +From: Alexander Aring + +[ Upstream commit a8abcff174f7f9ce4587c6451b1a2450d01f52c9 ] + +Since commit f74dacb4c8116 ("dlm: fix recovery of middle conversions") +we introduced additional debugging information if we hit the middle +conversion by using log_limit(). The DLM log_limit() functionality +requires a DLM debug option being enabled. As this case is so rarely and +excempt any potential introduced new issue with recovery we switching it +to log_rinfo() ad this is ratelimited under normal DLM loglevel. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lock.c | 2 +- + fs/dlm/recover.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c +index 6dd3a524cd352..be938fdf17d96 100644 +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -5576,7 +5576,7 @@ static int receive_rcom_lock_args(struct dlm_ls *ls, struct dlm_lkb *lkb, + + if (rl->rl_status == DLM_LKSTS_CONVERT && middle_conversion(lkb)) { + /* We may need to adjust grmode depending on other granted locks. 
*/ +- log_limit(ls, "%s %x middle convert gr %d rq %d remote %d %x", ++ log_rinfo(ls, "%s %x middle convert gr %d rq %d remote %d %x", + __func__, lkb->lkb_id, lkb->lkb_grmode, + lkb->lkb_rqmode, lkb->lkb_nodeid, lkb->lkb_remid); + rsb_set_flag(r, RSB_RECOVER_CONVERT); +diff --git a/fs/dlm/recover.c b/fs/dlm/recover.c +index be4240f09abd4..3ac020fb8139e 100644 +--- a/fs/dlm/recover.c ++++ b/fs/dlm/recover.c +@@ -842,7 +842,7 @@ static void recover_conversion(struct dlm_rsb *r) + */ + if (((lkb->lkb_grmode == DLM_LOCK_PR) && (other_grmode == DLM_LOCK_CW)) || + ((lkb->lkb_grmode == DLM_LOCK_CW) && (other_grmode == DLM_LOCK_PR))) { +- log_limit(ls, "%s %x gr %d rq %d, remote %d %x, other_lkid %u, other gr %d, set gr=NL", ++ log_rinfo(ls, "%s %x gr %d rq %d, remote %d %x, other_lkid %u, other gr %d, set gr=NL", + __func__, lkb->lkb_id, lkb->lkb_grmode, + lkb->lkb_rqmode, lkb->lkb_nodeid, + lkb->lkb_remid, other_lkid, other_grmode); +-- +2.51.0 + diff --git a/queue-6.17/drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch b/queue-6.17/drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch new file mode 100644 index 0000000000..4ab5fbdb3c --- /dev/null +++ b/queue-6.17/drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch 
@@ -0,0 +1,54 @@ +From 6f18e6ed0827db2c6d044a30d67eabe0bcca2ce0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 18:14:19 +0800 +Subject: drivers/perf: hisi: Relax the event ID check in the framework + +From: Yicong Yang + +[ Upstream commit 43de0ac332b815cf56dbdce63687de9acfd35d49 ] + +Event ID is only using the attr::config bit [7, 0] but we check the +event range using the whole 64bit field. It blocks the usage of the +rest field of attr::config. Relax the check by only using the +bit [7, 0]. + +Acked-by: Jonathan Cameron +Signed-off-by: Yicong Yang +Signed-off-by: Yushan Wang +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/hisilicon/hisi_uncore_pmu.c | 2 +- + drivers/perf/hisilicon/hisi_uncore_pmu.h | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.c b/drivers/perf/hisilicon/hisi_uncore_pmu.c +index a449651f79c9f..6594d64b03a9e 100644 +--- a/drivers/perf/hisilicon/hisi_uncore_pmu.c ++++ b/drivers/perf/hisilicon/hisi_uncore_pmu.c +@@ -234,7 +234,7 @@ int hisi_uncore_pmu_event_init(struct perf_event *event) + return -EINVAL; + + hisi_pmu = to_hisi_pmu(event->pmu); +- if (event->attr.config > hisi_pmu->check_event) ++ if ((event->attr.config & HISI_EVENTID_MASK) > hisi_pmu->check_event) + return -EINVAL; + + if (hisi_pmu->on_cpu == -1) +diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.h b/drivers/perf/hisilicon/hisi_uncore_pmu.h +index 777675838b808..e69660f72be67 100644 +--- a/drivers/perf/hisilicon/hisi_uncore_pmu.h ++++ b/drivers/perf/hisilicon/hisi_uncore_pmu.h +@@ -43,7 +43,8 @@ + return FIELD_GET(GENMASK_ULL(hi, lo), event->attr.config); \ + } + +-#define HISI_GET_EVENTID(ev) (ev->hw.config_base & 0xff) ++#define HISI_EVENTID_MASK GENMASK(7, 0) ++#define HISI_GET_EVENTID(ev) ((ev)->hw.config_base & HISI_EVENTID_MASK) + + #define HISI_PMU_EVTYPE_BITS 8 + #define HISI_PMU_EVTYPE_SHIFT(idx) ((idx) % 4 * HISI_PMU_EVTYPE_BITS) +-- +2.51.0 + 
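Review bot: The relaxed comparison in hisi_uncore_pmu_event_init() now lets any value in bits [63:8] of the user-supplied attr.config past the framework, since only the masked event ID is compared with check_event; attr.config arrives from perf_event_open(), so every per-PMU driver that consumes the remaining fields (the FIELD_GET extractor macro just above the new define suggests several do) must validate them itself before programming hardware. If that per-driver validation exists, a comment at the check would keep the contract visible: `/* Only bits [7:0] carry the event ID; any other attr.config fields are validated by the individual PMU drivers. */`. If it does not, the previous whole-field comparison was the only thing rejecting stray high bits, and this change removes it. The rest of hisi_uncore_pmu_event_init() is outside the hunk.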
diff --git a/queue-6.17/exec-fix-incorrect-type-for-ret.patch b/queue-6.17/exec-fix-incorrect-type-for-ret.patch new file mode 100644 index 0000000000..fea8b489e8 --- /dev/null +++ b/queue-6.17/exec-fix-incorrect-type-for-ret.patch @@ -0,0 +1,38 @@ +From 71e2f237f283695de37cc95d28c2267d6cc98a8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 15:36:09 +0800 +Subject: exec: Fix incorrect type for ret + +From: Xichao Zhao + +[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ] + +In the setup_arg_pages(), ret is declared as an unsigned long. +The ret might take a negative value. Therefore, its type should +be changed to int. + +Signed-off-by: Xichao Zhao +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + fs/exec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/exec.c b/fs/exec.c +index a69a2673f6311..1515e0585e259 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -599,7 +599,7 @@ int setup_arg_pages(struct linux_binprm *bprm, + unsigned long stack_top, + int executable_stack) + { +- unsigned long ret; ++ int ret; + unsigned long stack_shift; + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma = bprm->vma; +-- +2.51.0 + diff --git a/queue-6.17/expfs-fix-exportfs_can_encode_fh-for-export_fh_fid.patch b/queue-6.17/expfs-fix-exportfs_can_encode_fh-for-export_fh_fid.patch new file mode 100644 index 0000000000..d25234eced --- /dev/null +++ b/queue-6.17/expfs-fix-exportfs_can_encode_fh-for-export_fh_fid.patch 
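Review bot: Narrowing ret to int in setup_arg_pages() changes every assignment site, and all of them are outside this one-line hunk; if any of them stores an unsigned long (stack-size arithmetic rather than an errno), it would now be truncated silently rather than merely being sign-confused. Worth confirming that each `ret = …` in the body is an int-returning mm helper before this goes into stable; given the function itself returns int, the declaration then matches the error-code contract. A short comment on the declaration would record the intent: `int ret;	/* negative errno from the mm helpers, 0 on success */`. The function body continues past the hunk.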
@@ -0,0 +1,50 @@ +From ea41b9cbeae0df8de635bd8f66f2671017ab638b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Oct 2025 15:19:07 +0200 +Subject: expfs: Fix exportfs_can_encode_fh() for EXPORT_FH_FID + +From: Jan Kara + +[ Upstream commit 48b77733d0dbaf8cd0a122712072f92b2d95d894 ] + +After commit 5402c4d4d200 ("exportfs: require ->fh_to_parent() to encode +connectable file handles") we will fail to create non-decodable file +handles for filesystems without export operations. Fix it. + +Fixes: 5402c4d4d200 ("exportfs: require ->fh_to_parent() to encode connectable file handles") +Reviewed-by: Christian Brauner +Reviewed-by: Amir Goldstein +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + include/linux/exportfs.h | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/include/linux/exportfs.h b/include/linux/exportfs.h +index cfb0dd1ea49c7..b80286a73d0a9 100644 +--- a/include/linux/exportfs.h ++++ b/include/linux/exportfs.h +@@ -314,9 +314,6 @@ static inline bool exportfs_can_decode_fh(const struct export_operations *nop) + static inline bool exportfs_can_encode_fh(const struct export_operations *nop, + int fh_flags) + { +- if (!nop) +- return false; +- + /* + * If a non-decodeable file handle was requested, we only need to make + * sure that filesystem did not opt-out of encoding fid. +@@ -324,6 +321,10 @@ static inline bool exportfs_can_encode_fh(const struct export_operations *nop, + if (fh_flags & EXPORT_FH_FID) + return exportfs_can_encode_fid(nop); + ++ /* Normal file handles cannot be created without export ops */ ++ if (!nop) ++ return false; ++ + /* + * If a connectable file handle was requested, we need to make sure that + * filesystem can also decode connected file handles. +-- +2.51.0 + diff --git a/queue-6.17/gfs2-fix-unlikely-race-in-gdlm_put_lock.patch b/queue-6.17/gfs2-fix-unlikely-race-in-gdlm_put_lock.patch new file mode 100644 index 0000000000..c0078b9fbb --- /dev/null 
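Review bot: The reordered check makes the EXPORT_FH_FID path depend on exportfs_can_encode_fid() tolerating nop == NULL, because the NULL guard now sits below the early return; that helper is not in the hunk, so its NULL handling is the thing to confirm, otherwise this dereferences NULL for filesystems without export ops instead of rejecting them. Assuming it returns true for a NULL nop (which is what the commit message implies: FID handles need no export ops), a comment at the early return would record the dependency: `/* nop may be NULL here; exportfs_can_encode_fid() must accept that */`. exportfs_can_encode_fh() ends outside the hunk.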
+++ b/queue-6.17/gfs2-fix-unlikely-race-in-gdlm_put_lock.patch @@ -0,0 +1,54 @@ +From b779efd620357797ddb956cd68d95debe4608a0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Aug 2025 23:34:03 +0200 +Subject: gfs2: Fix unlikely race in gdlm_put_lock + +From: Andreas Gruenbacher + +[ Upstream commit 28c4d9bc0708956c1a736a9e49fee71b65deee81 ] + +In gdlm_put_lock(), there is a small window of time in which the +DFL_UNMOUNT flag has been set but the lockspace hasn't been released, +yet. In that window, dlm may still call gdlm_ast() and gdlm_bast(). +To prevent it from dereferencing freed glock objects, only free the +glock if the lockspace has actually been released. + +Signed-off-by: Andreas Gruenbacher +Reviewed-by: Andrew Price +Signed-off-by: Sasha Levin +--- + fs/gfs2/lock_dlm.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/fs/gfs2/lock_dlm.c b/fs/gfs2/lock_dlm.c +index 6db37c20587d1..570e5ae6b73df 100644 +--- a/fs/gfs2/lock_dlm.c ++++ b/fs/gfs2/lock_dlm.c +@@ -361,12 +361,6 @@ static void gdlm_put_lock(struct gfs2_glock *gl) + gfs2_sbstats_inc(gl, GFS2_LKS_DCOUNT); + gfs2_update_request_times(gl); + +- /* don't want to call dlm if we've unmounted the lock protocol */ +- if (test_bit(DFL_UNMOUNT, &ls->ls_recover_flags)) { +- gfs2_glock_free(gl); +- return; +- } +- + /* + * When the lockspace is released, all remaining glocks will be + * unlocked automatically. This is more efficient than unlocking them +@@ -396,6 +390,11 @@ static void gdlm_put_lock(struct gfs2_glock *gl) + goto again; + } + ++ if (error == -ENODEV) { ++ gfs2_glock_free(gl); ++ return; ++ } ++ + if (error) { + fs_err(sdp, "gdlm_unlock %x,%llx err=%d\n", + gl->gl_name.ln_type, +-- +2.51.0 + diff --git a/queue-6.17/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch b/queue-6.17/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch new file mode 100644 index 0000000000..eee601aff9 --- /dev/null 
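Review bot: The new -ENODEV branch frees the glock synchronously after dlm_unlock() has been attempted, so its safety rests on dlm_unlock() returning -ENODEV only when the lockspace is already gone and no ast/bast can still be queued for this lkb; that return-code contract is not visible in the hunk, and if dlm ever returned -ENODEV after queueing a completion, gdlm_ast() would touch a freed glock, which is exactly the bug the patch targets. The branch also sits right after the `goto again` retry loop, so a comment stating the assumption would help the next reader: `/* -ENODEV: the lockspace has been released, so no callback will arrive; free the glock here instead of in gdlm_ast(). */`. gdlm_put_lock() begins and ends outside the hunk.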
+++ b/queue-6.17/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch 
@@ -0,0 +1,94 @@ +From 10c4fa2d72b0c10e89eb23c1650d32f9e0f6bbb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Aug 2025 12:49:19 -0700 +Subject: hfs: clear offset and space out of valid records in b-tree node + +From: Viacheslav Dubeyko + +[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ] + +Currently, hfs_brec_remove() executes moving records +towards the location of deleted record and it updates +offsets of moved records. However, the hfs_brec_remove() +logic ignores the "mess" of b-tree node's free space and +it doesn't touch the offsets out of records number. +Potentially, it could confuse fsck or driver logic or +to be a reason of potential corruption cases. + +This patch reworks the logic of hfs_brec_remove() +by means of clearing freed space of b-tree node +after the records moving. And it clear the last +offset that keeping old location of free space +because now the offset before this one is keeping +the actual offset to the free space after the record +deletion. 
+ +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/brec.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c +index 896396554bcc1..b01db1fae147c 100644 +--- a/fs/hfs/brec.c ++++ b/fs/hfs/brec.c +@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd) + struct hfs_btree *tree; + struct hfs_bnode *node, *parent; + int end_off, rec_off, data_off, size; ++ int src, dst, len; + + tree = fd->tree; + node = fd->bnode; +@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd) + } + hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs); + +- if (rec_off == end_off) +- goto skip; + size = fd->keylength + fd->entrylength; + ++ if (rec_off == end_off) { ++ src = fd->keyoffset; ++ hfs_bnode_clear(node, src, size); ++ goto skip; ++ } ++ + do { + data_off = hfs_bnode_read_u16(node, rec_off); + hfs_bnode_write_u16(node, rec_off + 2, data_off - size); +@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd) + } while (rec_off >= end_off); + + /* fill hole */ +- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size, +- data_off - fd->keyoffset - size); ++ dst = fd->keyoffset; ++ src = fd->keyoffset + size; ++ len = data_off - src; ++ ++ hfs_bnode_move(node, dst, src, len); ++ ++ src = dst + len; ++ len = data_off - src; ++ ++ hfs_bnode_clear(node, src, len); ++ + skip: ++ /* ++ * Remove the obsolete offset to free space. ++ */ ++ hfs_bnode_write_u16(node, end_off, 0); ++ + hfs_bnode_dump(node); + if (!fd->record) + hfs_brec_update_parent(fd); +-- +2.51.0 + 
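Review bot: The new clearing arithmetic in hfs_brec_remove() trusts on-disk values: data_off comes from the offset table via hfs_bnode_read_u16() and fd->keyoffset/size from the record, so on a crafted or corrupted node `len = data_off - src` can go negative and is then handed to hfs_bnode_move() and, new with this patch, hfs_bnode_clear(). Unless those helpers reject negative lengths themselves (they are outside the hunk), a guard after computing len would turn corruption into a reported error instead of a stray memset, e.g. `if (len < 0) return -EIO;` before the move and again before the clear; note the record count has already been written back at that point, so the error should be treated as on-disk corruption rather than retried. The early `hfs_bnode_clear(node, src, size)` path has the same exposure through size. The offset/end_off setup for this function is before the hunk.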
diff --git a/queue-6.17/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch b/queue-6.17/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch new file mode 100644 index 0000000000..b3131e4dcb --- /dev/null +++ b/queue-6.17/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch 
@@ -0,0 +1,112 @@ +From c590875bc0905bece16cfd70414be46556206c9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Aug 2025 16:06:38 -0700 +Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() + +From: Viacheslav Dubeyko + +[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ] + +The syzbot reported issue in hfs_find_set_zero_bits(): + +===================================================== +BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151 + hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408 + hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353 + __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151 + block_write_begin fs/buffer.c:2262 [inline] + cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + cont_expand_zero fs/buffer.c:2528 [inline] + cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494 + hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654 + notify_change+0x1993/0x1aa0 fs/attr.c:552 + do_truncate+0x28f/0x310 fs/open.c:68 + do_ftruncate+0x698/0x730 fs/open.c:195 + do_sys_ftruncate fs/open.c:210 [inline] + __do_sys_ftruncate fs/open.c:215 [inline] + __se_sys_ftruncate fs/open.c:213 [inline] + __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213 + x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4154 [inline] + slab_alloc_node mm/slub.c:4197 [inline] + __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354 + kmalloc_noprof include/linux/slab.h:905 [inline] + hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175 + hfs_fill_super+0x3d0/0xb80 
fs/hfs/super.c:337 + get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681 + get_tree_bdev+0x38/0x50 fs/super.c:1704 + hfs_get_tree+0x35/0x40 fs/hfs/super.c:388 + vfs_get_tree+0xb0/0x5c0 fs/super.c:1804 + do_new_mount+0x738/0x1610 fs/namespace.c:3902 + path_mount+0x6db/0x1e90 fs/namespace.c:4226 + do_mount fs/namespace.c:4239 [inline] + __do_sys_mount fs/namespace.c:4450 [inline] + __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427 + __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427 + x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 +===================================================== + +The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get(): + +HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); + +Finally, it can trigger the reported issue because kmalloc() +doesn't clear the allocated memory. If allocated memory contains +only zeros, then everything will work pretty fine. +But if the allocated memory contains the "garbage", then +it can affect the bitmap operations and it triggers +the reported issue. + +This patch simply exchanges the kmalloc() on kzalloc() +with the goal to guarantee the correctness of bitmap operations. +Because, newly created allocation bitmap should have all +available blocks free. Potentially, initialization bitmap's read +operation could not fill the whole allocated memory and +"garbage" in the not initialized memory will be the reason of +volume coruptions and file system driver bugs. 
+ +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831 +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/mdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c +index 8082eb01127cd..bf811347bb07d 100644 +--- a/fs/hfs/mdb.c ++++ b/fs/hfs/mdb.c +@@ -172,7 +172,7 @@ int hfs_mdb_get(struct super_block *sb) + pr_warn("continuing without an alternate MDB\n"); + } + +- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); ++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL); + if (!HFS_SB(sb)->bitmap) + goto out; + +-- +2.51.0 + diff --git a/queue-6.17/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch b/queue-6.17/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch new file mode 100644 index 0000000000..28ba14c058 --- /dev/null +++ b/queue-6.17/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch 
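Review bot: Switching to kzalloc() in hfs_mdb_get() means whatever part of the 8192-byte bitmap the subsequent read does not fill now reads as all-free blocks rather than garbage, so the fix is only safe if the allocator bounds its search by the volume's block count (fs_ablocks) and never by the buffer size; that search lives in hfs_vbm_search_free()/hfs_find_set_zero_bits(), outside the hunk, and is worth confirming for the backport. The commit message itself says the read may not fill the buffer, which is precisely the condition that would hand out blocks past the end of the volume if that bound were missing. A comment on the allocation would pin the expectation: `/* zeroed: bytes past the on-disk bitmap must read as free; searches are still bounded by fs_ablocks */`.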
@@ -0,0 +1,76 @@ +From 48666f713d14ab9c2913eb7192a9e25459d53361 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 15:52:52 -0700 +Subject: hfs: make proper initalization of struct hfs_find_data + +From: Viacheslav Dubeyko + +[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ] + +Potenatially, __hfs_ext_read_extent() could operate by +not initialized values of fd->key after hfs_brec_find() call: + +static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent, + u32 cnid, u32 block, u8 type) +{ + int res; + + hfs_ext_build_key(fd->search_key, cnid, block, type); + fd->key->ext.FNum = 0; + res = hfs_brec_find(fd); + if (res && res != -ENOENT) + return res; + if (fd->key->ext.FNum != fd->search_key->ext.FNum || + fd->key->ext.FkType != fd->search_key->ext.FkType) + return -ENOENT; + if (fd->entrylength != sizeof(hfs_extent_rec)) + return -EIO; + hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec)); + return 0; +} + +This patch changes kmalloc() on kzalloc() in hfs_find_init() +and intializes fd->record, fd->keyoffset, fd->keylength, +fd->entryoffset, fd->entrylength for the case if hfs_brec_find() +has been found nothing in the b-tree node. 
+ +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfs/bfind.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c +index 34e9804e0f360..e46f650b5e9c2 100644 +--- a/fs/hfs/bfind.c ++++ b/fs/hfs/bfind.c +@@ -21,7 +21,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) + + fd->tree = tree; + fd->bnode = NULL; +- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); ++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; +@@ -115,6 +115,12 @@ int hfs_brec_find(struct hfs_find_data *fd) + __be32 data; + int height, res; + ++ fd->record = -1; ++ fd->keyoffset = -1; ++ fd->keylength = -1; ++ fd->entryoffset = -1; ++ fd->entrylength = -1; ++ + tree = fd->tree; + if (fd->bnode) + hfs_bnode_put(fd->bnode); +-- +2.51.0 + diff --git a/queue-6.17/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch b/queue-6.17/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch new file mode 100644 index 0000000000..a91de59468 --- /dev/null +++ b/queue-6.17/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch 
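Review bot: The -1 sentinels written at the top of hfs_brec_find() are silently coerced at their use sites, and nothing in the hunk says what a caller that tolerates -ENOENT may rely on: fd->keyoffset/entryoffset of -1 passed to hfs_bnode_read() only becomes an out-of-range offset through int-to-unsigned promotion against node_size, and fd->entrylength of -1 only fails the `!= sizeof(hfs_extent_rec)` test in the caller by the same accident of int-vs-size_t promotion. Presumably __hfs_brec_find() overwrites all five fields whenever a node is actually searched (not visible here), so the sentinels matter on the error and not-found paths; a comment would make that contract explicit: `/* Reset to -1 so a failed or absent search never leaves stale record offsets for callers that ignore -ENOENT; a successful search overwrites them. */`. hfs_brec_find() continues past the hunk.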
@@ -0,0 +1,217 @@ +From ec3e3fa5867b38c44e0d21413f937a58dc743b74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 22:17:34 +0800 +Subject: hfs: validate record offset in hfsplus_bmap_alloc + +From: Yang Chenzhi + +[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ] + +hfsplus_bmap_alloc can trigger a crash if a +record offset or length is larger than node_size + +[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183 +[ 15.265949] +[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary) +[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 15.266167] Call Trace: +[ 15.266168] +[ 15.266169] dump_stack_lvl+0x53/0x70 +[ 15.266173] print_report+0xd0/0x660 +[ 15.266181] kasan_report+0xce/0x100 +[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0 +[ 15.266217] hfsplus_brec_insert+0x870/0xb00 +[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570 +[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910 +[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200 +[ 15.266233] hfsplus_file_extend+0x5a7/0x1000 +[ 15.266237] hfsplus_get_block+0x12b/0x8c0 +[ 15.266238] __block_write_begin_int+0x36b/0x12c0 +[ 15.266251] block_write_begin+0x77/0x110 +[ 15.266252] cont_write_begin+0x428/0x720 +[ 15.266259] hfsplus_write_begin+0x51/0x100 +[ 15.266262] cont_write_begin+0x272/0x720 +[ 15.266270] hfsplus_write_begin+0x51/0x100 +[ 15.266274] generic_perform_write+0x321/0x750 +[ 15.266285] generic_file_write_iter+0xc3/0x310 +[ 15.266289] __kernel_write_iter+0x2fd/0x800 +[ 15.266296] dump_user_range+0x2ea/0x910 +[ 15.266301] elf_core_dump+0x2a94/0x2ed0 +[ 15.266320] vfs_coredump+0x1d85/0x45e0 +[ 15.266349] get_signal+0x12e3/0x1990 +[ 15.266357] arch_do_signal_or_restart+0x89/0x580 +[ 15.266362] 
irqentry_exit_to_user_mode+0xab/0x110 +[ 15.266364] asm_exc_page_fault+0x26/0x30 +[ 15.266366] RIP: 0033:0x41bd35 +[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f +[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283 +[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000 +[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100 +[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000 +[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000 +[ 15.266376] + +When calling hfsplus_bmap_alloc to allocate a free node, this function +first retrieves the bitmap from header node and map node using node->page +together with the offset and length from hfs_brec_lenoff + +``` +len = hfs_brec_lenoff(node, 2, &off16); +off = off16; + +off += node->page_offset; +pagep = node->page + (off >> PAGE_SHIFT); +data = kmap_local_page(*pagep); +``` + +However, if the retrieved offset or length is invalid(i.e. exceeds +node_size), the code may end up accessing pages outside the allocated +range for this node. + +This patch adds proper validation of both offset and length before use, +preventing out-of-bounds page access. Move is_bnode_offset_valid and +check_and_correct_requested_length to hfsplus_fs.h, as they may be +required by other functions. 
+ +Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/ +Signed-off-by: Yang Chenzhi +Reviewed-by: Viacheslav Dubeyko +Signed-off-by: Viacheslav Dubeyko +Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bnode.c | 41 ---------------------------------------- + fs/hfsplus/btree.c | 6 ++++++ + fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 48 insertions(+), 41 deletions(-) + +diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c +index 14f4995588ff0..407d5152eb411 100644 +--- a/fs/hfsplus/bnode.c ++++ b/fs/hfsplus/bnode.c +@@ -18,47 +18,6 @@ + #include "hfsplus_fs.h" + #include "hfsplus_raw.h" + +-static inline +-bool is_bnode_offset_valid(struct hfs_bnode *node, int off) +-{ +- bool is_valid = off < node->tree->node_size; +- +- if (!is_valid) { +- pr_err("requested invalid offset: " +- "NODE: id %u, type %#x, height %u, " +- "node_size %u, offset %d\n", +- node->this, node->type, node->height, +- node->tree->node_size, off); +- } +- +- return is_valid; +-} +- +-static inline +-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) +-{ +- unsigned int node_size; +- +- if (!is_bnode_offset_valid(node, off)) +- return 0; +- +- node_size = node->tree->node_size; +- +- if ((off + len) > node_size) { +- int new_len = (int)node_size - off; +- +- pr_err("requested length has been corrected: " +- "NODE: id %u, type %#x, height %u, " +- "node_size %u, offset %d, " +- "requested_len %d, corrected_len %d\n", +- node->this, node->type, node->height, +- node->tree->node_size, off, len, new_len); +- +- return new_len; +- } +- +- return len; +-} + + /* Copy a specified range of bytes from the raw data of a node */ + void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len) +diff --git 
a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c +index 9e1732a2b92a8..fe6a54c4083c3 100644 +--- a/fs/hfsplus/btree.c ++++ b/fs/hfsplus/btree.c +@@ -393,6 +393,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree) + len = hfs_brec_lenoff(node, 2, &off16); + off = off16; + ++ if (!is_bnode_offset_valid(node, off)) { ++ hfs_bnode_put(node); ++ return ERR_PTR(-EIO); ++ } ++ len = check_and_correct_requested_length(node, off, len); ++ + off += node->page_offset; + pagep = node->page + (off >> PAGE_SHIFT); + data = kmap_local_page(*pagep); +diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h +index 2311e4be4e865..9dd18de0bc891 100644 +--- a/fs/hfsplus/hfsplus_fs.h ++++ b/fs/hfsplus/hfsplus_fs.h +@@ -581,6 +581,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree) + return class; + } + ++static inline ++bool is_bnode_offset_valid(struct hfs_bnode *node, int off) ++{ ++ bool is_valid = off < node->tree->node_size; ++ ++ if (!is_valid) { ++ pr_err("requested invalid offset: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off); ++ } ++ ++ return is_valid; ++} ++ ++static inline ++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len) ++{ ++ unsigned int node_size; ++ ++ if (!is_bnode_offset_valid(node, off)) ++ return 0; ++ ++ node_size = node->tree->node_size; ++ ++ if ((off + len) > node_size) { ++ int new_len = (int)node_size - off; ++ ++ pr_err("requested length has been corrected: " ++ "NODE: id %u, type %#x, height %u, " ++ "node_size %u, offset %d, " ++ "requested_len %d, corrected_len %d\n", ++ node->this, node->type, node->height, ++ node->tree->node_size, off, len, new_len); ++ ++ return new_len; ++ } ++ ++ return len; ++} ++ + /* compatibility */ + #define hfsp_mt2ut(t) (struct timespec64){ .tv_sec = __hfsp_mt2ut(t) } + #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec) +-- +2.51.0 + 
diff --git a/queue-6.17/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch b/queue-6.17/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch new file mode 100644 index 0000000000..b2016ab35e --- /dev/null +++ b/queue-6.17/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch 
@@ -0,0 +1,214 @@ +From ca538d008e40b8e8ff2254bc4ba3478d0728a13d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 15:52:32 -0700 +Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() + +From: Viacheslav Dubeyko + +[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ] + +The syzbot reported issue in __hfsplus_ext_cache_extent(): + +[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.199771][ T9350] ksys_write+0x23e/0x490 +[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.202054][ T9350] +[ 70.202279][ T9350] Uninit was created at: +[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80 +[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0 +[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0 +[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.207961][ T9350] ksys_write+0x23e/0x490 +[ 
70.208375][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.210230][ T9350] +[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 +[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.212115][ T9350] ===================================================== +[ 70.212734][ T9350] Disabling lock debugging due to kernel taint +[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... +[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5 +[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE +[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.215999][ T9350] Call Trace: +[ 70.216309][ T9350] +[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0 +[ 70.217025][ T9350] dump_stack+0x1e/0x30 +[ 70.217421][ T9350] panic+0x502/0xca0 +[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 + +[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ... + kernel +:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +set ... +[ 70.221254][ T9350] ? __msan_warning+0x96/0x120 +[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0 +[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0 +[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0 +[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950 +[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130 +[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060 +[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460 +[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0 +[ 70.228540][ T9350] ? 
vfs_write+0xb0f/0x14e0 +[ 70.228997][ T9350] ? ksys_write+0x23e/0x490 +[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0 +[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0 +[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0 +[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0 +[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10 +[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0 +[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40 +[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620 +[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.241175][ T9350] __msan_warning+0x96/0x120 +[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10 +[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.249856][ T9350] ? 
kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10 +[ 70.251530][ T9350] ksys_write+0x23e/0x490 +[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60 +[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9 +[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9 +[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004 +[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0 +[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250 +[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 70.261286][ T9350] +[ 70.262026][ T9350] Kernel Offset: disabled + +(gdb) l *__hfsplus_ext_cache_extent+0x7d0 +0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168). +163 fd->key->ext.cnid = 0; +164 res = hfs_brec_find(fd, hfs_find_rec_by_key); +165 if (res && res != -ENOENT) +166 return res; +167 if (fd->key->ext.cnid != fd->search_key->ext.cnid || +168 fd->key->ext.fork_type != fd->search_key->ext.fork_type) +169 return -ENOENT; +170 if (fd->entrylength != sizeof(hfsplus_extent_rec)) +171 return -EIO; +172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset, + +The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent(): + +res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino, + block, HFSPLUS_IS_RSRC(inode) ? 
+ HFSPLUS_TYPE_RSRC : + HFSPLUS_TYPE_DATA); + +And if inode->i_ino could be equal to zero or any non-available CNID, +then hfs_brec_find() could not find the record in the tree. As a result, +fd->key could be compared with fd->search_key. But hfsplus_find_init() +uses kmalloc() for fd->key and fd->search_key allocation: + +int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) +{ + + ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; + fd->key = ptr + tree->max_key_len + 2; + +} + +Finally, fd->key is still not initialized if hfs_brec_find() +has found nothing. + +This patch changes kmalloc() on kzalloc() in hfs_find_init() +and intializes fd->record, fd->keyoffset, fd->keylength, +fd->entryoffset, fd->entrylength for the case if hfs_brec_find() +has been found nothing in the b-tree node. + +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521 +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/bfind.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c +index 901e83d65d202..26ebac4c60424 100644 +--- a/fs/hfsplus/bfind.c ++++ b/fs/hfsplus/bfind.c +@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd) + + fd->tree = tree; + fd->bnode = NULL; +- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); ++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL); + if (!ptr) + return -ENOMEM; + fd->search_key = ptr; +@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare) + __be32 data; + int height, res; + ++ fd->record = -1; ++ fd->keyoffset = -1; ++ fd->keylength = -1; ++ fd->entryoffset = -1; ++ fd->entrylength 
= -1; ++ + tree = fd->tree; + if (fd->bnode) + hfs_bnode_put(fd->bnode); +-- +2.51.0 + diff --git a/queue-6.17/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch b/queue-6.17/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch new file mode 100644 index 0000000000..06727ebfa7 --- /dev/null +++ b/queue-6.17/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch 
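Review bot: The `-1` sentinels written at the top of hfs_brec_find() are what actually make the not-found path safe on a reused `fd`, and that deserves a comment: kzalloc() in hfs_find_init() zeroes the key buffers only once, so after one successful lookup `fd->key` and the record offsets hold data from that lookup and a later failed search would otherwise be judged against stale values. I would put above the assignments `/* Reset record bookkeeping so a failed search cannot hand the caller stale offsets/lengths from a previous lookup; e.g. the entrylength check in __hfsplus_ext_cache_extent() then fails with -EIO instead of reading garbage. */`. The flip side is that any caller that reads `fd->entryoffset`/`fd->entrylength` without first checking `res` now sees -1 rather than a zeroed value, so those callers must still test the return value before calling hfs_bnode_read(). hfs_brec_find's body continues outside the hunk.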
@@ -0,0 +1,198 @@ +From 5b888c10d8c8ea54e4e888f1f3581f5dcac21979 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Aug 2025 15:51:04 -0700 +Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() + +From: Viacheslav Dubeyko + +[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ] + +The syzbot reported issue in hfsplus_delete_cat(): + +[ 70.682285][ T9333] ===================================================== +[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0 +[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310 +[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810 +[ 70.685447][ T9333] do_rmdir+0x964/0xea0 +[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0 +[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0 +[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.687646][ T9333] +[ 70.687856][ T9333] Uninit was stored to memory at: +[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 +[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800 +[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600 +[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70 +[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0 +[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30 +[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0 +[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0 +[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.692773][ T9333] +[ 70.692990][ T9333] Uninit was stored to memory at: +[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 +[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800 +[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700 +[ 70.694911][ T9333] mount_bdev+0x37b/0x530 +[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60 +[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0 +[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0 +[ 
70.696588][ T9333] do_new_mount+0x73e/0x1630 +[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0 +[ 70.697425][ T9333] __se_sys_mount+0x733/0x830 +[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150 +[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0 +[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.699730][ T9333] +[ 70.699946][ T9333] Uninit was created at: +[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60 +[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0 +[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0 +[ 70.701774][ T9333] allocate_slab+0x30e/0x1390 +[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0 +[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20 +[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0 +[ 70.703598][ T9333] alloc_inode+0x82/0x490 +[ 70.703984][ T9333] iget_locked+0x22e/0x1320 +[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0 +[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0 +[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700 +[ 70.705776][ T9333] mount_bdev+0x37b/0x530 +[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60 +[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0 +[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0 +[ 70.707444][ T9333] do_new_mount+0x73e/0x1630 +[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0 +[ 70.708270][ T9333] __se_sys_mount+0x733/0x830 +[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150 +[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0 +[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.710611][ T9333] +[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17 +[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.712490][ T9333] ===================================================== +[ 70.713085][ T9333] Disabling lock debugging due to kernel taint +[ 70.713618][ T9333] Kernel panic - not 
syncing: kmsan.panic set ... +[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17 +[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE +[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.716311][ T9333] Call Trace: +[ 70.716621][ T9333] +[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0 +[ 70.717350][ T9333] dump_stack+0x1e/0x30 +[ 70.717743][ T9333] panic+0x502/0xca0 +[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.718611][ T9333] kmsan_report+0x296/0x2a0 +[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.719859][ T9333] ? __msan_warning+0x96/0x120 +[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0 +[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310 +[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810 +[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0 +[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0 +[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0 +[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0 +[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60 +[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50 +[ 70.726175][ T9333] ? vprintk+0xce/0xd0 +[ 70.726628][ T9333] ? _printk+0x17e/0x1b0 +[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.728324][ T9333] __msan_warning+0x96/0x120 +[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 +[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0 +[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310 +[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10 +[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810 +[ 70.733416][ T9333] ? 
kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.734044][ T9333] do_rmdir+0x964/0xea0 +[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0 +[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0 +[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0 +[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60 +[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9 +[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054 +[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9 +[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100 +[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910 +[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260 +[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 70.745082][ T9333] + +The main reason of the issue that struct hfsplus_inode_info +has not been properly initialized for the case of root folder. +In the case of root folder, hfsplus_fill_super() calls +the hfsplus_iget() that implements only partial initialization of +struct hfsplus_inode_info and subfolders field is not +initialized by hfsplus_iget() logic. + +This patch implements complete initialization of +struct hfsplus_inode_info in the hfsplus_iget() logic with +the goal to prevent likewise issues for the case of +root folder. 
+ +Reported-by: syzbot +Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f +Signed-off-by: Viacheslav Dubeyko +cc: John Paul Adrian Glaubitz +cc: Yangtao Li +cc: linux-fsdevel@vger.kernel.org +Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com +Signed-off-by: Viacheslav Dubeyko +Signed-off-by: Sasha Levin +--- + fs/hfsplus/super.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c +index 86351bdc89859..2f215d1daf6d9 100644 +--- a/fs/hfsplus/super.c ++++ b/fs/hfsplus/super.c +@@ -68,13 +68,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino) + if (!(inode->i_state & I_NEW)) + return inode; + +- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list); +- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock); +- mutex_init(&HFSPLUS_I(inode)->extents_lock); +- HFSPLUS_I(inode)->flags = 0; ++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0); ++ HFSPLUS_I(inode)->first_blocks = 0; ++ HFSPLUS_I(inode)->clump_blocks = 0; ++ HFSPLUS_I(inode)->alloc_blocks = 0; ++ HFSPLUS_I(inode)->cached_start = U32_MAX; ++ HFSPLUS_I(inode)->cached_blocks = 0; ++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec)); ++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec)); + HFSPLUS_I(inode)->extent_state = 0; ++ mutex_init(&HFSPLUS_I(inode)->extents_lock); + HFSPLUS_I(inode)->rsrc_inode = NULL; +- atomic_set(&HFSPLUS_I(inode)->opencnt, 0); ++ HFSPLUS_I(inode)->create_date = 0; ++ HFSPLUS_I(inode)->linkid = 0; ++ HFSPLUS_I(inode)->flags = 0; ++ HFSPLUS_I(inode)->fs_blocks = 0; ++ HFSPLUS_I(inode)->userflags = 0; ++ HFSPLUS_I(inode)->subfolders = 0; ++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list); ++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock); ++ HFSPLUS_I(inode)->phys_size = 0; + + if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID || + inode->i_ino == HFSPLUS_ROOT_CNID) { +-- +2.51.0 + 
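Review bot: The field-by-field initialization in hfsplus_iget() is only as complete as this list, and the KMSAN origin in the description shows the memory comes from a slab cache via hfsplus_alloc_inode() with no zeroing, so the next field added to struct hfsplus_inode_info reproduces exactly this report unless someone remembers to extend the list. Either zero the private area in hfsplus_alloc_inode() (outside this hunk) or at least pin the invariant here with `/* Keep in sync with struct hfsplus_inode_info: hfsplus_alloc_inode() does not zero the private part and, for the root folder, nothing else initializes these fields. */`. The `cached_start = U32_MAX` line is the one non-zero value and reads as a sentinel for "no cached extent"; a trailing `/* no extent cached */` would save the next reader a lookup, if that is indeed its meaning. hfsplus_iget() starts outside the hunk.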
diff --git a/queue-6.17/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch b/queue-6.17/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
new file mode 100644
index 0000000000..bc2677e2cd
--- /dev/null
+++ b/queue-6.17/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
@@ -0,0 +1,39 @@
+From 7f430f205bd84d519c74758a6152e5af0ea40b30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+
+From: Yangtao Li
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li
+Reviewed-by: Viacheslav Dubeyko
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 2f215d1daf6d9..77ec048021a01 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -537,7 +537,7 @@ static int hfsplus_fill_super(struct super_block *sb, struct fs_context *fc)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+--
+2.51.0
+
diff --git a/queue-6.17/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch b/queue-6.17/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
new file mode 100644
index 0000000000..164b5f7121
--- /dev/null
+++ b/queue-6.17/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
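Review bot: Switching to -EIO is consistent with how the other hfsplus fixes in this series treat corrupt metadata (the bad-entrylength case in __hfsplus_ext_cache_extent() also returns -EIO), but the mount still fails without any diagnostic, so an operator has no hint that the catalog's hidden-directory record is damaged rather than, say, their options being wrong. I would log before the goto, e.g. `pr_err("hfs+: hidden directory record has wrong type, catalog is corrupted\n");`, using whatever logging helper fs/hfsplus uses elsewhere, which is not visible here. hfsplus_fill_super() continues outside the hunk.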
@@ -0,0 +1,47 @@
+From b33a92c3afb03c8d45bee92fb4460ab436517237 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Aug 2025 14:06:05 +0800
+Subject: lkdtm: fortify: Fix potential NULL dereference on kmalloc failure
+
+From: Junjie Cao
+
+[ Upstream commit 01c7344e21c2140e72282d9d16d79a61f840fc20 ]
+
+Add missing NULL pointer checks after kmalloc() calls in
+lkdtm_FORTIFY_STR_MEMBER() and lkdtm_FORTIFY_MEM_MEMBER() functions.
+
+Signed-off-by: Junjie Cao
+Link: https://lore.kernel.org/r/20250814060605.5264-1-junjie.cao@intel.com
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/lkdtm/fortify.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/misc/lkdtm/fortify.c b/drivers/misc/lkdtm/fortify.c
+index 0159276656780..00ed2147113e6 100644
+--- a/drivers/misc/lkdtm/fortify.c
++++ b/drivers/misc/lkdtm/fortify.c
+@@ -44,6 +44,9 @@ static void lkdtm_FORTIFY_STR_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
+@@ -109,6 +112,9 @@ static void lkdtm_FORTIFY_MEM_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
+--
+2.51.0
+
diff --git a/queue-6.17/m68k-bitops-fix-find_-_bit-signatures.patch b/queue-6.17/m68k-bitops-fix-find_-_bit-signatures.patch
new file mode 100644
index 0000000000..311549e2e9
--- /dev/null
+++ b/queue-6.17/m68k-bitops-fix-find_-_bit-signatures.patch
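Review bot: The bare `return` on allocation failure makes the crash test silently do nothing, which whoever triggers the FORTIFY_STR_MEMBER/FORTIFY_MEM_MEMBER crash points cannot tell apart from "the fortify check did not fire". Log before bailing out, e.g. `if (!src) { pr_err("Failed to allocate src buffer\n"); return; }`, using the logging helper the rest of fortify.c uses (not visible in this hunk). Both functions continue outside the hunk.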
@@ -0,0 +1,90 @@ +From 5a43c47579e215d287add268a61673a92d240d58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 17:16:13 +0200 +Subject: m68k: bitops: Fix find_*_bit() signatures + +From: Geert Uytterhoeven + +[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ] + +The function signatures of the m68k-optimized implementations of the +find_{first,next}_{,zero_}bit() helpers do not match the generic +variants. + +Fix this by changing all non-pointer inputs and outputs to "unsigned +long", and updating a few local variables. + +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/ +Signed-off-by: Geert Uytterhoeven +Acked-by: "Yury Norov (NVIDIA)" +Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org +Signed-off-by: Sasha Levin +--- + arch/m68k/include/asm/bitops.h | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h +index 14c64a6f12176..50ec92651d5a5 100644 +--- a/arch/m68k/include/asm/bitops.h ++++ b/arch/m68k/include/asm/bitops.h +@@ -350,12 +350,12 @@ static inline bool xor_unlock_is_negative_byte(unsigned long mask, + #include + #else + +-static inline int find_first_zero_bit(const unsigned long *vaddr, +- unsigned size) ++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr, ++ unsigned long size) + { + const unsigned long *p = vaddr; +- int res = 32; +- unsigned int words; ++ unsigned long res = 32; ++ unsigned long words; + unsigned long num; + + if (!size) +@@ -376,8 +376,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr, + } + #define find_first_zero_bit find_first_zero_bit + +-static inline int find_next_zero_bit(const unsigned long *vaddr, int size, +- int offset) ++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr, ++ unsigned long size, ++ 
unsigned long offset) + { + const unsigned long *p = vaddr + (offset >> 5); + int bit = offset & 31UL, res; +@@ -406,11 +407,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size, + } + #define find_next_zero_bit find_next_zero_bit + +-static inline int find_first_bit(const unsigned long *vaddr, unsigned size) ++static inline unsigned long find_first_bit(const unsigned long *vaddr, ++ unsigned long size) + { + const unsigned long *p = vaddr; +- int res = 32; +- unsigned int words; ++ unsigned long res = 32; ++ unsigned long words; + unsigned long num; + + if (!size) +@@ -431,8 +433,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size) + } + #define find_first_bit find_first_bit + +-static inline int find_next_bit(const unsigned long *vaddr, int size, +- int offset) ++static inline unsigned long find_next_bit(const unsigned long *vaddr, ++ unsigned long size, ++ unsigned long offset) + { + const unsigned long *p = vaddr + (offset >> 5); + int bit = offset & 31UL, res; +-- +2.51.0 + diff --git a/queue-6.17/nios2-ensure-that-memblock.current_limit-is-set-when.patch b/queue-6.17/nios2-ensure-that-memblock.current_limit-is-set-when.patch new file mode 100644 index 0000000000..a03e61a33e --- /dev/null +++ b/queue-6.17/nios2-ensure-that-memblock.current_limit-is-set-when.patch 
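Review bot: The widening is applied inconsistently: find_first_zero_bit()/find_first_bit() now use `unsigned long res` and `words`, but find_next_zero_bit()/find_next_bit() keep `int bit = offset & 31UL, res;` while their return type became `unsigned long`. On m68k both types are 32 bits wide so the value round-trips, but the signed/unsigned mix is exactly what the generic prototypes were changed to avoid and it will draw sign-conversion warnings; unless the bodies (outside the hunk) depend on `res` going negative, change that line to `unsigned long bit = offset & 31UL, res;` in both functions. The `offset >> 5` on the preceding line now shifts an `unsigned long`, which is the intended fix for large offsets coming through the generic signature.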
@@ -0,0 +1,74 @@ +From dc12285030dab824f4a6827f4153a0ebb44270c0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Aug 2025 12:37:07 +0200 +Subject: nios2: ensure that memblock.current_limit is set when setting pfn + limits + +From: Simon Schuster + +[ Upstream commit a20b83cf45be2057f3d073506779e52c7fa17f94 ] + +On nios2, with CONFIG_FLATMEM set, the kernel relies on +memblock_get_current_limit() to determine the limits of mem_map, in +particular for max_low_pfn. +Unfortunately, memblock.current_limit is only default initialized to +MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading +to situations where max_low_pfn can erroneously exceed the value of +max_pfn and, thus, the valid range of available DRAM. + +This can in turn cause kernel-level paging failures, e.g.: + +[ 76.900000] Unable to handle kernel paging request at virtual address 20303000 +[ 76.900000] ea = c0080890, ra = c000462c, cause = 14 +[ 76.900000] Kernel panic - not syncing: Oops +[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]--- + +This patch fixes this by pre-calculating memblock.current_limit +based on the upper limits of the available memory ranges via +adjust_lowmem_bounds, a simplified version of the equivalent +implementation within the arm architecture. 
+ +Signed-off-by: Simon Schuster +Signed-off-by: Andreas Oetken +Signed-off-by: Dinh Nguyen +Signed-off-by: Sasha Levin +--- + arch/nios2/kernel/setup.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/arch/nios2/kernel/setup.c b/arch/nios2/kernel/setup.c +index 2a40150142c36..f43f01c4ab934 100644 +--- a/arch/nios2/kernel/setup.c ++++ b/arch/nios2/kernel/setup.c +@@ -142,6 +142,20 @@ static void __init find_limits(unsigned long *min, unsigned long *max_low, + *max_high = PFN_DOWN(memblock_end_of_DRAM()); + } + ++static void __init adjust_lowmem_bounds(void) ++{ ++ phys_addr_t block_start, block_end; ++ u64 i; ++ phys_addr_t memblock_limit = 0; ++ ++ for_each_mem_range(i, &block_start, &block_end) { ++ if (block_end > memblock_limit) ++ memblock_limit = block_end; ++ } ++ ++ memblock_set_current_limit(memblock_limit); ++} ++ + void __init setup_arch(char **cmdline_p) + { + console_verbose(); +@@ -157,6 +171,7 @@ void __init setup_arch(char **cmdline_p) + /* Keep a copy of command line */ + *cmdline_p = boot_command_line; + ++ adjust_lowmem_bounds(); + find_limits(&min_low_pfn, &max_low_pfn, &max_pfn); + + memblock_reserve(__pa_symbol(_stext), _end - _stext); +-- +2.51.0 + diff --git a/queue-6.17/pci-test-for-bit-underflow-in-pcie_set_readrq.patch b/queue-6.17/pci-test-for-bit-underflow-in-pcie_set_readrq.patch new file mode 100644 index 0000000000..f8d06aff7f --- /dev/null +++ b/queue-6.17/pci-test-for-bit-underflow-in-pcie_set_readrq.patch 
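Review bot: adjust_lowmem_bounds() walks every memblock range to find the largest end, but find_limits() right after it takes the same bound from memblock_end_of_DRAM() (visible in the context line `*max_high = PFN_DOWN(memblock_end_of_DRAM());`), so unless a nomap region is expected to make the two differ the helper could be the one-liner `memblock_set_current_limit(memblock_end_of_DRAM());`. If the loop stays, note that with no memory ranges `memblock_limit` remains 0 and memblock_set_current_limit(0) would make every later memblock allocation fail; a guard such as `if (!memblock_limit) return; /* no DRAM found: keep the default limit */` makes the empty case explicit. The name is borrowed from arm, where the function also clamps the limit below the lowmem/vmalloc boundary; here no clamping happens, so a one-line comment saying it only pins the limit to the end of DRAM would prevent readers from assuming the arm semantics.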
@@ -0,0 +1,67 @@ +From 8235a5ea6bc974a6c77d1f7cae5302c66ea0444d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Sep 2025 22:28:41 -0700 +Subject: PCI: Test for bit underflow in pcie_set_readrq() + +From: Kees Cook + +[ Upstream commit 00e58ff924b3a684b076f9512fe2753be87b50e1 ] + +In preparation for the future commit ("bitops: Add __attribute_const__ to generic +ffs()-family implementations"), which allows GCC's value range tracker +to see past ffs(), GCC 8 on ARM thinks that it might be possible that +"ffs(rq) - 8" used here: + + v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8); + +could wrap below 0, leading to a very large value, which would be out of +range for the FIELD_PREP() usage: + +drivers/pci/pci.c: In function 'pcie_set_readrq': +include/linux/compiler_types.h:572:38: error: call to '__compiletime_assert_471' declared with attribute error: FIELD_PREP: value too large for the field +... +drivers/pci/pci.c:5896:6: note: in expansion of macro 'FIELD_PREP' + v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8); + ^~~~~~~~~~ + +If the result of the ffs() is bounds checked before being used in +FIELD_PREP(), the value tracker seems happy again. 
:) + +Reported-by: Linux Kernel Functional Testing +Closes: https://lore.kernel.org/linux-pci/CA+G9fYuysVr6qT8bjF6f08WLyCJRG7aXAeSd2F7=zTaHHd7L+Q@mail.gmail.com/ +Acked-by: Bjorn Helgaas +Acked-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20250905052836.work.425-kees@kernel.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index b0f4d98036cdd..005b92e6585e9 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -5932,6 +5932,7 @@ int pcie_set_readrq(struct pci_dev *dev, int rq) + { + u16 v; + int ret; ++ unsigned int firstbit; + struct pci_host_bridge *bridge = pci_find_host_bridge(dev->bus); + + if (rq < 128 || rq > 4096 || !is_power_of_2(rq)) +@@ -5949,7 +5950,10 @@ int pcie_set_readrq(struct pci_dev *dev, int rq) + rq = mps; + } + +- v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8); ++ firstbit = ffs(rq); ++ if (firstbit < 8) ++ return -EINVAL; ++ v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, firstbit - 8); + + if (bridge->no_inc_mrrs) { + int max_mrrs = pcie_get_readrq(dev); +-- +2.51.0 + diff --git a/queue-6.17/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch b/queue-6.17/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch new file mode 100644 index 0000000000..82423127b0 --- /dev/null +++ b/queue-6.17/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch 
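Review bot: The new `firstbit < 8` test is unreachable from the validated path — `rq` is rejected above unless it is a power of two in 128..4096, so ffs(rq) is already at least 8 — and the only other source is `rq = mps`, where pcie_get_mps() (outside the hunk) presumably also returns a spec-bounded value. Since the check exists to let the compiler's range tracking prove the FIELD_PREP() argument fits, that should be stated so nobody later treats it as a real error path or drops it as dead code: `/* rq is a power of two >= 128 here, so firstbit >= 8; the test only keeps the FIELD_PREP() range provable for the compiler. */`. If the `mps` path could ever yield a value below 128 the function now fails with -EINVAL instead of programming a wrong field, which is the right direction, so the comment should say that too.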
@@ -0,0 +1,107 @@ +From eb9ad2d8179e35ff2199697751d22385789d8053 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Sep 2025 12:03:49 +0200 +Subject: powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure + +From: Christophe Leroy + +[ Upstream commit 9316512b717f6f25c4649b3fdb0a905b6a318e9f ] + +PAGE_KERNEL_TEXT is an old macro that is used to tell kernel whether +kernel text has to be mapped read-only or read-write based on build +time options. + +But nowadays, with functionnalities like jump_labels, static links, +etc ... more only less all kernels need to be read-write at some +point, and some combinations of configs failed to work due to +innacurate setting of PAGE_KERNEL_TEXT. On the other hand, today +we have CONFIG_STRICT_KERNEL_RWX which implements a more controlled +access to kernel modifications. + +Instead of trying to keep PAGE_KERNEL_TEXT accurate with all +possible options that may imply kernel text modification, always +set kernel text read-write at startup and rely on +CONFIG_STRICT_KERNEL_RWX to provide accurate protection. + +Do this by passing PAGE_KERNEL_X to map_kernel_page() in +__maping_ram_chunk() instead of passing PAGE_KERNEL_TEXT. Once +this is done, the only remaining user of PAGE_KERNEL_TEXT is +mmu_mark_initmem_nx() which uses it in a call to setibat(). +As setibat() ignores the RW/RO, we can seamlessly replace +PAGE_KERNEL_TEXT by PAGE_KERNEL_X here as well and get rid of +PAGE_KERNEL_TEXT completely. 
+ +Reported-by: Erhard Furtner +Closes: https://lore.kernel.org/all/342b4120-911c-4723-82ec-d8c9b03a8aef@mailbox.org/ +Signed-off-by: Christophe Leroy +Tested-by: Andrew Donnellan +Signed-off-by: Madhavan Srinivasan +Link: https://patch.msgid.link/8e2d793abf87ae3efb8f6dce10f974ac0eda61b8.1757412205.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/pgtable.h | 12 ------------ + arch/powerpc/mm/book3s32/mmu.c | 4 ++-- + arch/powerpc/mm/pgtable_32.c | 2 +- + 3 files changed, 3 insertions(+), 15 deletions(-) + +diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h +index 93d77ad5a92fa..d8f944a5a0378 100644 +--- a/arch/powerpc/include/asm/pgtable.h ++++ b/arch/powerpc/include/asm/pgtable.h +@@ -20,18 +20,6 @@ struct mm_struct; + #include + #endif /* !CONFIG_PPC_BOOK3S */ + +-/* +- * Protection used for kernel text. We want the debuggers to be able to +- * set breakpoints anywhere, so don't write protect the kernel text +- * on platforms where such control is possible. +- */ +-#if defined(CONFIG_KGDB) || defined(CONFIG_XMON) || defined(CONFIG_BDI_SWITCH) || \ +- defined(CONFIG_KPROBES) || defined(CONFIG_DYNAMIC_FTRACE) +-#define PAGE_KERNEL_TEXT PAGE_KERNEL_X +-#else +-#define PAGE_KERNEL_TEXT PAGE_KERNEL_ROX +-#endif +- + /* Make modules code happy. We don't set RO yet */ + #define PAGE_KERNEL_EXEC PAGE_KERNEL_X + +diff --git a/arch/powerpc/mm/book3s32/mmu.c b/arch/powerpc/mm/book3s32/mmu.c +index be9c4106e22f0..c42ecdf94e48c 100644 +--- a/arch/powerpc/mm/book3s32/mmu.c ++++ b/arch/powerpc/mm/book3s32/mmu.c +@@ -204,7 +204,7 @@ int mmu_mark_initmem_nx(void) + + for (i = 0; i < nb - 1 && base < top;) { + size = bat_block_size(base, top); +- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT); ++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X); + base += size; + } + if (base < top) { +@@ -215,7 +215,7 @@ int mmu_mark_initmem_nx(void) + pr_warn("Some RW data is getting mapped X. 
" + "Adjust CONFIG_DATA_SHIFT to avoid that.\n"); + } +- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT); ++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X); + base += size; + } + for (; i < nb; i++) +diff --git a/arch/powerpc/mm/pgtable_32.c b/arch/powerpc/mm/pgtable_32.c +index 15276068f657d..0c9ef705803e9 100644 +--- a/arch/powerpc/mm/pgtable_32.c ++++ b/arch/powerpc/mm/pgtable_32.c +@@ -104,7 +104,7 @@ static void __init __mapin_ram_chunk(unsigned long offset, unsigned long top) + p = memstart_addr + s; + for (; s < top; s += PAGE_SIZE) { + ktext = core_kernel_text(v); +- map_kernel_page(v, p, ktext ? PAGE_KERNEL_TEXT : PAGE_KERNEL); ++ map_kernel_page(v, p, ktext ? PAGE_KERNEL_X : PAGE_KERNEL); + v += PAGE_SIZE; + p += PAGE_SIZE; + } +-- +2.51.0 + diff --git a/queue-6.17/riscv-cpufeature-add-validation-for-zfa-zfh-and-zfhm.patch b/queue-6.17/riscv-cpufeature-add-validation-for-zfa-zfh-and-zfhm.patch new file mode 100644 index 0000000000..d39d1462c7 --- /dev/null +++ b/queue-6.17/riscv-cpufeature-add-validation-for-zfa-zfh-and-zfhm.patch 
@@ -0,0 +1,73 @@ +From eac953ee2c397f36252a6eecbdd956c269165c93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 May 2025 12:00:00 +0200 +Subject: riscv: cpufeature: add validation for zfa, zfh and zfhmin +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Léger + +[ Upstream commit 2e2cf5581fccc562f7faf174ffb9866fed5cafbd ] + +These extensions depends on the F one. Add a validation callback +checking for the F extension to be present. Now that extensions are +correctly reported using the F/D presence, we can remove the +has_fpu() check in hwprobe_isa_ext0(). + +Signed-off-by: Clément Léger +Reviewed-by: Conor Dooley +Link: https://lore.kernel.org/r/20250527100001.33284-1-cleger@rivosinc.com +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/cpufeature.c | 6 +++--- + arch/riscv/kernel/sys_hwprobe.c | 14 ++++++-------- + 2 files changed, 9 insertions(+), 11 deletions(-) + +diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c +index 743d53415572e..67b59699357da 100644 +--- a/arch/riscv/kernel/cpufeature.c ++++ b/arch/riscv/kernel/cpufeature.c +@@ -474,10 +474,10 @@ const struct riscv_isa_ext_data riscv_isa_ext[] = { + __RISCV_ISA_EXT_DATA(zacas, RISCV_ISA_EXT_ZACAS), + __RISCV_ISA_EXT_DATA(zalrsc, RISCV_ISA_EXT_ZALRSC), + __RISCV_ISA_EXT_DATA(zawrs, RISCV_ISA_EXT_ZAWRS), +- __RISCV_ISA_EXT_DATA(zfa, RISCV_ISA_EXT_ZFA), ++ __RISCV_ISA_EXT_DATA_VALIDATE(zfa, RISCV_ISA_EXT_ZFA, riscv_ext_f_depends), + __RISCV_ISA_EXT_DATA_VALIDATE(zfbfmin, RISCV_ISA_EXT_ZFBFMIN, riscv_ext_f_depends), +- __RISCV_ISA_EXT_DATA(zfh, RISCV_ISA_EXT_ZFH), +- __RISCV_ISA_EXT_DATA(zfhmin, RISCV_ISA_EXT_ZFHMIN), ++ __RISCV_ISA_EXT_DATA_VALIDATE(zfh, RISCV_ISA_EXT_ZFH, riscv_ext_f_depends), ++ __RISCV_ISA_EXT_DATA_VALIDATE(zfhmin, RISCV_ISA_EXT_ZFHMIN, riscv_ext_f_depends), + __RISCV_ISA_EXT_DATA(zca, RISCV_ISA_EXT_ZCA), + __RISCV_ISA_EXT_DATA_VALIDATE(zcb, RISCV_ISA_EXT_ZCB, 
riscv_ext_zca_depends), + __RISCV_ISA_EXT_DATA_VALIDATE(zcd, RISCV_ISA_EXT_ZCD, riscv_ext_zcd_validate), +diff --git a/arch/riscv/kernel/sys_hwprobe.c b/arch/riscv/kernel/sys_hwprobe.c +index 0b170e18a2beb..3e9259790816e 100644 +--- a/arch/riscv/kernel/sys_hwprobe.c ++++ b/arch/riscv/kernel/sys_hwprobe.c +@@ -153,14 +153,12 @@ static void hwprobe_isa_ext0(struct riscv_hwprobe *pair, + EXT_KEY(ZVKT); + } + +- if (has_fpu()) { +- EXT_KEY(ZCD); +- EXT_KEY(ZCF); +- EXT_KEY(ZFA); +- EXT_KEY(ZFBFMIN); +- EXT_KEY(ZFH); +- EXT_KEY(ZFHMIN); +- } ++ EXT_KEY(ZCD); ++ EXT_KEY(ZCF); ++ EXT_KEY(ZFA); ++ EXT_KEY(ZFBFMIN); ++ EXT_KEY(ZFH); ++ EXT_KEY(ZFHMIN); + + if (IS_ENABLED(CONFIG_RISCV_ISA_SUPM)) + EXT_KEY(SUPM); +-- +2.51.0 + diff --git a/queue-6.17/riscv-mm-return-intended-satp-mode-for-noxlvl-option.patch b/queue-6.17/riscv-mm-return-intended-satp-mode-for-noxlvl-option.patch new file mode 100644 index 0000000000..90f8ddcbf2 --- /dev/null +++ b/queue-6.17/riscv-mm-return-intended-satp-mode-for-noxlvl-option.patch 
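Review bot: Dropping the `has_fpu()` guard moves the burden onto the per-extension validate callbacks, and two of the keys that sat behind it are not covered by this hunk: ZCF has no visible validate entry, and whether `has_fpu()` also folded in CONFIG_FPU (kernel FP context-switch support, as opposed to the F bit in the ISA string) cannot be seen here. If either gap is real, hwprobe can now advertise an FP extension that userspace cannot actually use, so confirm that the ZCF table entry carries an F-dependent validator and that F/D are cleared from the ISA bitmap when CONFIG_FPU is off before taking this into stable. A one-line comment above the block, `/* FP-dependent keys: validity is enforced by the extension table's validate callbacks (riscv_ext_f_depends, riscv_ext_zcd_validate). */`, would record the new invariant.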
@@ -0,0 +1,61 @@ +From 34066c6032aff8e98d75e1793b606ac0e0d2fa26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jul 2025 00:53:10 +0800 +Subject: riscv: mm: Return intended SATP mode for noXlvl options + +From: Junhui Liu + +[ Upstream commit f3243bed39c26ce0f13e6392a634f91d409b2d02 ] + +Change the return value of match_noXlvl() to return the SATP mode that +will be used, rather than the mode being disabled. This enables unified +logic for return value judgement with the function that obtains mmu-type +from the fdt, avoiding extra conversion. This only changes the naming, +with no functional impact. + +Signed-off-by: Junhui Liu +Reviewed-by: Alexandre Ghiti +Reviewed-by: Nutty Liu +Link: https://lore.kernel.org/r/20250722-satp-from-fdt-v1-1-5ba22218fa5f@pigmoral.tech +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/pi/cmdline_early.c | 4 ++-- + arch/riscv/mm/init.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/riscv/kernel/pi/cmdline_early.c b/arch/riscv/kernel/pi/cmdline_early.c +index fbcdc9e4e1432..389d086a07187 100644 +--- a/arch/riscv/kernel/pi/cmdline_early.c ++++ b/arch/riscv/kernel/pi/cmdline_early.c +@@ -41,9 +41,9 @@ static char *get_early_cmdline(uintptr_t dtb_pa) + static u64 match_noXlvl(char *cmdline) + { + if (strstr(cmdline, "no4lvl")) +- return SATP_MODE_48; ++ return SATP_MODE_39; + else if (strstr(cmdline, "no5lvl")) +- return SATP_MODE_57; ++ return SATP_MODE_48; + + return 0; + } +diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c +index 15683ae13fa5d..054265b3f2680 100644 +--- a/arch/riscv/mm/init.c ++++ b/arch/riscv/mm/init.c +@@ -864,9 +864,9 @@ static __init void set_satp_mode(uintptr_t dtb_pa) + + kernel_map.page_offset = PAGE_OFFSET_L5; + +- if (satp_mode_cmdline == SATP_MODE_57) { ++ if (satp_mode_cmdline == SATP_MODE_48) { + disable_pgtable_l5(); +- } else if (satp_mode_cmdline == SATP_MODE_48) { ++ } else if (satp_mode_cmdline == SATP_MODE_39) { + 
disable_pgtable_l5(); + disable_pgtable_l4(); + return; +-- +2.51.0 + diff --git a/queue-6.17/riscv-mm-use-mmu-type-from-fdt-to-limit-satp-mode.patch b/queue-6.17/riscv-mm-use-mmu-type-from-fdt-to-limit-satp-mode.patch new file mode 100644 index 0000000000..8c46a9cade --- /dev/null +++ b/queue-6.17/riscv-mm-use-mmu-type-from-fdt-to-limit-satp-mode.patch 
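Review bot: match_noXlvl() in cmdline_early.c now returns the SATP mode that will be used rather than the mode being disabled, but neither the function name nor a comment says so, and a reader of the caller in init.c has to infer that 0 means "no limit". A comment above the function, such as `/* Return the highest SATP mode allowed by a no4lvl/no5lvl option, 0 if none was given */`, would make the contract explicit; note that the first strstr() wins, so a command line carrying both options yields SATP_MODE_39. The comparisons in set_satp_mode() are consistent with the new return values; that function continues past the end of the hunk.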
@@ -0,0 +1,146 @@ +From 3b56fd1881ce465e1cfedea8cd2d4ef70fde37ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jul 2025 00:53:11 +0800 +Subject: riscv: mm: Use mmu-type from FDT to limit SATP mode + +From: Junhui Liu + +[ Upstream commit 17e9521044c9b3ee839f861d1ac35c5b5c20d16b ] + +Some RISC-V implementations may hang when attempting to write an +unsupported SATP mode, even though the latest RISC-V specification +states such writes should have no effect. To avoid this issue, the +logic for selecting SATP mode has been refined: + +The kernel now determines the SATP mode limit by taking the minimum of +the value specified by the kernel command line (noXlvl) and the +"mmu-type" property in the device tree (FDT). If only one is specified, +use that. +- If the resulting limit is sv48 or higher, the kernel will probe SATP + modes from this limit downward until a supported mode is found. +- If the limit is sv39, the kernel will directly use sv39 without + probing. + +This ensures SATP mode selection is safe and compatible with both +hardware and user configuration, minimizing the risk of hangs. 
+ +Signed-off-by: Junhui Liu +Reviewed-by: Alexandre Ghiti +Reviewed-by: Nutty Liu +Link: https://lore.kernel.org/r/20250722-satp-from-fdt-v1-2-5ba22218fa5f@pigmoral.tech +Signed-off-by: Paul Walmsley +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/pi/fdt_early.c | 40 ++++++++++++++++++++++++++++++++ + arch/riscv/kernel/pi/pi.h | 1 + + arch/riscv/mm/init.c | 11 ++++++--- + 3 files changed, 49 insertions(+), 3 deletions(-) + +diff --git a/arch/riscv/kernel/pi/fdt_early.c b/arch/riscv/kernel/pi/fdt_early.c +index 9bdee2fafe47e..a12ff8090f190 100644 +--- a/arch/riscv/kernel/pi/fdt_early.c ++++ b/arch/riscv/kernel/pi/fdt_early.c +@@ -3,6 +3,7 @@ + #include + #include + #include ++#include + + #include "pi.h" + +@@ -183,3 +184,42 @@ bool fdt_early_match_extension_isa(const void *fdt, const char *ext_name) + + return ret; + } ++ ++/** ++ * set_satp_mode_from_fdt - determine SATP mode based on the MMU type in fdt ++ * ++ * @dtb_pa: physical address of the device tree blob ++ * ++ * Returns the SATP mode corresponding to the MMU type of the first enabled CPU, ++ * 0 otherwise ++ */ ++u64 set_satp_mode_from_fdt(uintptr_t dtb_pa) ++{ ++ const void *fdt = (const void *)dtb_pa; ++ const char *mmu_type; ++ int node, parent; ++ ++ parent = fdt_path_offset(fdt, "/cpus"); ++ if (parent < 0) ++ return 0; ++ ++ fdt_for_each_subnode(node, fdt, parent) { ++ if (!fdt_node_name_eq(fdt, node, "cpu")) ++ continue; ++ ++ if (!fdt_device_is_available(fdt, node)) ++ continue; ++ ++ mmu_type = fdt_getprop(fdt, node, "mmu-type", NULL); ++ if (!mmu_type) ++ break; ++ ++ if (!strcmp(mmu_type, "riscv,sv39")) ++ return SATP_MODE_39; ++ else if (!strcmp(mmu_type, "riscv,sv48")) ++ return SATP_MODE_48; ++ break; ++ } ++ ++ return 0; ++} +diff --git a/arch/riscv/kernel/pi/pi.h b/arch/riscv/kernel/pi/pi.h +index 21141d84fea60..3fee2cfddf7cf 100644 +--- a/arch/riscv/kernel/pi/pi.h ++++ b/arch/riscv/kernel/pi/pi.h +@@ -14,6 +14,7 @@ u64 get_kaslr_seed(uintptr_t dtb_pa); + u64 
get_kaslr_seed_zkr(const uintptr_t dtb_pa); + bool set_nokaslr_from_cmdline(uintptr_t dtb_pa); + u64 set_satp_mode_from_cmdline(uintptr_t dtb_pa); ++u64 set_satp_mode_from_fdt(uintptr_t dtb_pa); + + bool fdt_early_match_extension_isa(const void *fdt, const char *ext_name); + +diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c +index 054265b3f2680..85cb70b10c071 100644 +--- a/arch/riscv/mm/init.c ++++ b/arch/riscv/mm/init.c +@@ -816,6 +816,7 @@ static __meminit pgprot_t pgprot_from_va(uintptr_t va) + + #if defined(CONFIG_64BIT) && !defined(CONFIG_XIP_KERNEL) + u64 __pi_set_satp_mode_from_cmdline(uintptr_t dtb_pa); ++u64 __pi_set_satp_mode_from_fdt(uintptr_t dtb_pa); + + static void __init disable_pgtable_l5(void) + { +@@ -855,18 +856,22 @@ static void __init set_mmap_rnd_bits_max(void) + * underlying hardware: establish 1:1 mapping in 4-level page table mode + * then read SATP to see if the configuration was taken into account + * meaning sv48 is supported. ++ * The maximum SATP mode is limited by both the command line and the "mmu-type" ++ * property in the device tree, since some platforms may hang if an unsupported ++ * SATP mode is attempted. + */ + static __init void set_satp_mode(uintptr_t dtb_pa) + { + u64 identity_satp, hw_satp; + uintptr_t set_satp_mode_pmd = ((unsigned long)set_satp_mode) & PMD_MASK; +- u64 satp_mode_cmdline = __pi_set_satp_mode_from_cmdline(dtb_pa); ++ u64 satp_mode_limit = min_not_zero(__pi_set_satp_mode_from_cmdline(dtb_pa), ++ __pi_set_satp_mode_from_fdt(dtb_pa)); + + kernel_map.page_offset = PAGE_OFFSET_L5; + +- if (satp_mode_cmdline == SATP_MODE_48) { ++ if (satp_mode_limit == SATP_MODE_48) { + disable_pgtable_l5(); +- } else if (satp_mode_cmdline == SATP_MODE_39) { ++ } else if (satp_mode_limit == SATP_MODE_39) { + disable_pgtable_l5(); + disable_pgtable_l4(); + return; +-- +2.51.0 + 
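Review bot: set_satp_mode_from_fdt() passes NULL as the length argument to fdt_getprop() and then runs strcmp() on the property value, so a "mmu-type" property that is not NUL-terminated would be compared past the end of the property; fdt_getprop() does not check string termination, and this code runs against a firmware-supplied DTB before any other validation. Requesting the length and checking the terminator, e.g. `mmu_type = fdt_getprop(fdt, node, "mmu-type", &len);` followed by `if (!mmu_type || len <= 0 || mmu_type[len - 1] != '\0') break;`, keeps the comparison inside the blob. The min_not_zero() in set_satp_mode() also relies on SATP_MODE_39 < SATP_MODE_48 < SATP_MODE_57 as integers, which holds for the mode encodings in bits 63:60 but deserves a one-line comment at the call site. set_satp_mode() in init.c continues beyond the hunk.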
diff --git a/queue-6.17/s390-mm-use-__gfp_account-for-user-page-table-alloca.patch b/queue-6.17/s390-mm-use-__gfp_account-for-user-page-table-alloca.patch new file mode 100644 index 0000000000..7b7c889b30 --- /dev/null +++ b/queue-6.17/s390-mm-use-__gfp_account-for-user-page-table-alloca.patch 
@@ -0,0 +1,65 @@ +From 603e5c81bf149b04b935d003302f2ab781da6b74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Sep 2025 17:24:05 +0200 +Subject: s390/mm: Use __GFP_ACCOUNT for user page table allocations + +From: Heiko Carstens + +[ Upstream commit 5671ce2a1fc6b4a16cff962423bc416b92cac3c8 ] + +Add missing kmemcg accounting of user page table allocations. + +Reviewed-by: Alexander Gordeev +Signed-off-by: Heiko Carstens +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/mm/pgalloc.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/arch/s390/mm/pgalloc.c b/arch/s390/mm/pgalloc.c +index d2f6f1f6d2fcb..ad3e0f7f7fc1f 100644 +--- a/arch/s390/mm/pgalloc.c ++++ b/arch/s390/mm/pgalloc.c +@@ -16,9 +16,13 @@ + + unsigned long *crst_table_alloc(struct mm_struct *mm) + { +- struct ptdesc *ptdesc = pagetable_alloc(GFP_KERNEL, CRST_ALLOC_ORDER); ++ gfp_t gfp = GFP_KERNEL_ACCOUNT; ++ struct ptdesc *ptdesc; + unsigned long *table; + ++ if (mm == &init_mm) ++ gfp &= ~__GFP_ACCOUNT; ++ ptdesc = pagetable_alloc(gfp, CRST_ALLOC_ORDER); + if (!ptdesc) + return NULL; + table = ptdesc_to_virt(ptdesc); +@@ -117,7 +121,7 @@ struct ptdesc *page_table_alloc_pgste(struct mm_struct *mm) + struct ptdesc *ptdesc; + u64 *table; + +- ptdesc = pagetable_alloc(GFP_KERNEL, 0); ++ ptdesc = pagetable_alloc(GFP_KERNEL_ACCOUNT, 0); + if (ptdesc) { + table = (u64 *)ptdesc_to_virt(ptdesc); + __arch_set_page_dat(table, 1); +@@ -136,10 +140,13 @@ void page_table_free_pgste(struct ptdesc *ptdesc) + + unsigned long *page_table_alloc(struct mm_struct *mm) + { ++ gfp_t gfp = GFP_KERNEL_ACCOUNT; + struct ptdesc *ptdesc; + unsigned long *table; + +- ptdesc = pagetable_alloc(GFP_KERNEL, 0); ++ if (mm == &init_mm) ++ gfp &= ~__GFP_ACCOUNT; ++ ptdesc = pagetable_alloc(gfp, 0); + if (!ptdesc) + return NULL; + if (!pagetable_pte_ctor(mm, ptdesc)) { +-- +2.51.0 + 
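Review bot: page_table_alloc_pgste() switches to GFP_KERNEL_ACCOUNT unconditionally, whereas the other two allocators in this patch clear __GFP_ACCOUNT when mm == &init_mm, and nothing in the hunk explains the asymmetry. If pgste tables are only ever allocated for user (guest) address spaces, a comment at that call, e.g. `/* pgste tables are never allocated for init_mm, so always account them */`, would stop the next reader from "fixing" the inconsistency; if that assumption does not hold in this tree, the same init_mm exemption is needed there. The mm parameter of page_table_alloc_pgste() is not used in the visible lines, which is why the difference is easy to miss.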
diff --git a/queue-6.17/s390-pkey-forward-keygenflags-to-ep11_unwrapkey.patch b/queue-6.17/s390-pkey-forward-keygenflags-to-ep11_unwrapkey.patch new file mode 100644 index 0000000000..0d00725fe9 --- /dev/null +++ b/queue-6.17/s390-pkey-forward-keygenflags-to-ep11_unwrapkey.patch 
@@ -0,0 +1,49 @@ +From 89d55fd4e5ebd4ada91fcdce5cb0a1f5285da9aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Aug 2025 11:43:50 +0200 +Subject: s390/pkey: Forward keygenflags to ep11_unwrapkey + +From: Harald Freudenberger + +[ Upstream commit 11aa54ba4cfa5390ea47c9a1fc62502abce1f6b9 ] + +The pkey ioctl PKEY_CLR2SECK2 describes in the pkey.h header file +the parameter 'keygenflags' which is forwarded to the handler +functions which actually deal with the clear key to secure key +operation. The ep11 handler module function ep11_clr2keyblob() +function receives this parameter but does not forward it to the +underlying function ep11_unwrapkey() on invocation. So in the end +the user of this ioctl could not forward additional key generation +flags to the ep11 implementation and thus was unable to modify the +key generation process in any way. So now call ep11_unwrapkey() +with the real keygenflags instead of 0 and thus the user of this +ioctl can for example via keygenflags provide valid combinations +of XCP_BLOB_* flags. 
+ +Suggested-by: Ingo Franzki +Signed-off-by: Harald Freudenberger +Reviewed-by: Ingo Franzki +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + drivers/s390/crypto/zcrypt_ep11misc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/crypto/zcrypt_ep11misc.c b/drivers/s390/crypto/zcrypt_ep11misc.c +index 3bf09a89a0894..e92e2fd8ce5da 100644 +--- a/drivers/s390/crypto/zcrypt_ep11misc.c ++++ b/drivers/s390/crypto/zcrypt_ep11misc.c +@@ -1405,7 +1405,9 @@ int ep11_clr2keyblob(u16 card, u16 domain, u32 keybitsize, u32 keygenflags, + /* Step 3: import the encrypted key value as a new key */ + rc = ep11_unwrapkey(card, domain, kek, keklen, + encbuf, encbuflen, 0, def_iv, +- keybitsize, 0, keybuf, keybufsize, keytype, xflags); ++ keybitsize, keygenflags, ++ keybuf, keybufsize, ++ keytype, xflags); + if (rc) { + ZCRYPT_DBF_ERR("%s importing key value as new key failed, rc=%d\n", + __func__, rc); +-- +2.51.0 + diff --git a/queue-6.17/series b/queue-6.17/series index 9573e13e6a..1c31df7d9b 100644 --- a/queue-6.17/series +++ b/queue-6.17/series 
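Review bot: keygenflags now flows from the PKEY_CLR2SECK2 ioctl straight into ep11_unwrapkey() where the call previously passed a constant 0, and nothing in the hunk masks or validates it before it reaches the adapter. The beginning of ep11_clr2keyblob() is outside the hunk, so a check may exist there; if it does not, the expectation that the firmware rejects invalid XCP_BLOB_* combinations should at least be stated at the call, e.g. `/* keygenflags comes unfiltered from the ioctl caller; the EP11 adapter validates the flag combination */`. That records at the call site that this is a user-controlled value.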
@@ -1 +1,33 @@
 sched-fair-block-delayed-tasks-on-throttled-hierarchy-during-dequeue.patch
+expfs-fix-exportfs_can_encode_fh-for-export_fh_fid.patch
+cgroup-misc-fix-misc_res_type-kernel-doc-warning.patch
+dlm-move-to-rinfo-for-all-middle-conversion-cases.patch
+exec-fix-incorrect-type-for-ret.patch
+nios2-ensure-that-memblock.current_limit-is-set-when.patch
+s390-pkey-forward-keygenflags-to-ep11_unwrapkey.patch
+hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
+hfs-make-proper-initalization-of-struct-hfs_find_dat.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
+hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
+dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
+hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
+hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
+binfmt_elf-preserve-original-elf-e_flags-for-core-du.patch
+pci-test-for-bit-underflow-in-pcie_set_readrq.patch
+lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
+arm64-sysreg-correct-sign-definitions-for-eiesb-and-.patch
+gfs2-fix-unlikely-race-in-gdlm_put_lock.patch
+m68k-bitops-fix-find_-_bit-signatures.patch
+powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch
+riscv-mm-return-intended-satp-mode-for-noxlvl-option.patch
+riscv-mm-use-mmu-type-from-fdt-to-limit-satp-mode.patch
+riscv-cpufeature-add-validation-for-zfa-zfh-and-zfhm.patch
+drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch
+s390-mm-use-__gfp_account-for-user-page-table-alloca.patch
+smb-client-queue-post_recv_credits_work-also-if-the-.patch
+smb-client-limit-the-range-of-info-receive_credit_ta.patch
+smb-client-make-use-of-ib_wc_status_msg-and-skip-ib_.patch
+smb-server-let-smb_direct_flush_send_list-invalidate.patch
+unbreak-make-tools-for-user-space-targets.patch
+bpf-replace-bpf_map_kmalloc_node-with-kmalloc_nolock.patch
diff --git a/queue-6.17/smb-client-limit-the-range-of-info-receive_credit_ta.patch b/queue-6.17/smb-client-limit-the-range-of-info-receive_credit_ta.patch new file mode 100644 index 0000000000..f36e996560 --- /dev/null +++ b/queue-6.17/smb-client-limit-the-range-of-info-receive_credit_ta.patch 
@@ -0,0 +1,73 @@ +From 23e98a4673ee74e9d7ea69bb2971f109de6982ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Aug 2025 15:01:35 +0200 +Subject: smb: client: limit the range of info->receive_credit_target + +From: Stefan Metzmacher + +[ Upstream commit 9219f8cac296769324bbe8a28c289586114244c4 ] + +This simplifies further changes... + +Cc: Steve French +Cc: Tom Talpey +Cc: Long Li +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Acked-by: Namjae Jeon +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smbdirect.c | 7 ++++++- + fs/smb/client/smbdirect.h | 2 +- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c +index b3e04b410afe6..cbf1deff11065 100644 +--- a/fs/smb/client/smbdirect.c ++++ b/fs/smb/client/smbdirect.c +@@ -429,6 +429,7 @@ static bool process_negotiation_response( + return false; + } + info->receive_credit_target = le16_to_cpu(packet->credits_requested); ++ info->receive_credit_target = min_t(u16, info->receive_credit_target, sp->recv_credit_max); + + if (packet->credits_granted == 0) { + log_rdma_event(ERR, "error: credits_granted==0\n"); +@@ -537,7 +538,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) + struct smbdirect_socket_parameters *sp = &sc->parameters; + struct smbd_connection *info = + container_of(sc, struct smbd_connection, socket); +- int old_recv_credit_target; ++ u16 old_recv_credit_target; + u32 data_offset = 0; + u32 data_length = 0; + u32 remaining_data_length = 0; +@@ -603,6 +604,10 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) + old_recv_credit_target = info->receive_credit_target; + info->receive_credit_target = + le16_to_cpu(data_transfer->credits_requested); ++ info->receive_credit_target = ++ min_t(u16, info->receive_credit_target, sp->recv_credit_max); ++ info->receive_credit_target = ++ max_t(u16, info->receive_credit_target, 1); + if 
(le16_to_cpu(data_transfer->credits_granted)) { + atomic_add(le16_to_cpu(data_transfer->credits_granted), + &info->send_credits); +diff --git a/fs/smb/client/smbdirect.h b/fs/smb/client/smbdirect.h +index 4ca9b2b2c57f9..ed362267dd11d 100644 +--- a/fs/smb/client/smbdirect.h ++++ b/fs/smb/client/smbdirect.h +@@ -63,7 +63,7 @@ struct smbd_connection { + int protocol; + atomic_t send_credits; + atomic_t receive_credits; +- int receive_credit_target; ++ u16 receive_credit_target; + + /* Memory registrations */ + /* Maximum number of RDMA read/write outstanding on this connection */ +-- +2.51.0 + diff --git a/queue-6.17/smb-client-make-use-of-ib_wc_status_msg-and-skip-ib_.patch b/queue-6.17/smb-client-make-use-of-ib_wc_status_msg-and-skip-ib_.patch new file mode 100644 index 0000000000..02a38c4b1b --- /dev/null +++ b/queue-6.17/smb-client-make-use-of-ib_wc_status_msg-and-skip-ib_.patch 
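Review bot: The clamp added in process_negotiation_response() only applies min_t() against sp->recv_credit_max, while the one in recv_done() additionally floors the value with `max_t(u16, info->receive_credit_target, 1)`, so a negotiation response carrying credits_requested == 0 still leaves receive_credit_target at 0 on this path. If a zero target from the peer is meant to be treated as 1 everywhere, the negotiation site needs the same floor; if the asymmetry is deliberate, a comment there saying why would help. The min/max pair could also be folded into one `clamp_t(u16, info->receive_credit_target, 1, sp->recv_credit_max)` so both sites stay identical. Both enclosing functions extend beyond the hunk.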
@@ -0,0 +1,77 @@ +From 7710c87e550d9baeacc5e0b67e39f643ae493446 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Aug 2025 09:44:07 +0200 +Subject: smb: client: make use of ib_wc_status_msg() and skip + IB_WC_WR_FLUSH_ERR logging + +From: Stefan Metzmacher + +[ Upstream commit a8e970358b31a5abba8b5737a67ba7b8d26f4258 ] + +There's no need to get log message for every IB_WC_WR_FLUSH_ERR +completion, but any other error should be logged at level ERR. + +Cc: Steve French +Cc: Tom Talpey +Cc: Long Li +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Acked-by: Namjae Jeon +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smbdirect.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c +index cbf1deff11065..99fad70356c57 100644 +--- a/fs/smb/client/smbdirect.c ++++ b/fs/smb/client/smbdirect.c +@@ -362,8 +362,8 @@ static void send_done(struct ib_cq *cq, struct ib_wc *wc) + struct smbd_connection *info = + container_of(sc, struct smbd_connection, socket); + +- log_rdma_send(INFO, "smbdirect_send_io 0x%p completed wc->status=%d\n", +- request, wc->status); ++ log_rdma_send(INFO, "smbdirect_send_io 0x%p completed wc->status=%s\n", ++ request, ib_wc_status_msg(wc->status)); + + for (i = 0; i < request->num_sge; i++) + ib_dma_unmap_single(sc->ib.dev, +@@ -372,8 +372,9 @@ static void send_done(struct ib_cq *cq, struct ib_wc *wc) + DMA_TO_DEVICE); + + if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) { +- log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n", +- wc->status, wc->opcode); ++ if (wc->status != IB_WC_WR_FLUSH_ERR) ++ log_rdma_send(ERR, "wc->status=%s wc->opcode=%d\n", ++ ib_wc_status_msg(wc->status), wc->opcode); + mempool_free(request, sc->send_io.mem.pool); + smbd_disconnect_rdma_connection(info); + return; +@@ -543,13 +544,16 @@ static void recv_done(struct ib_cq *cq, struct 
ib_wc *wc) + u32 data_length = 0; + u32 remaining_data_length = 0; + +- log_rdma_recv(INFO, "response=0x%p type=%d wc status=%d wc opcode %d byte_len=%d pkey_index=%u\n", +- response, sc->recv_io.expected, wc->status, wc->opcode, ++ log_rdma_recv(INFO, ++ "response=0x%p type=%d wc status=%s wc opcode %d byte_len=%d pkey_index=%u\n", ++ response, sc->recv_io.expected, ++ ib_wc_status_msg(wc->status), wc->opcode, + wc->byte_len, wc->pkey_index); + + if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_RECV) { +- log_rdma_recv(INFO, "wc->status=%d opcode=%d\n", +- wc->status, wc->opcode); ++ if (wc->status != IB_WC_WR_FLUSH_ERR) ++ log_rdma_recv(ERR, "wc->status=%s opcode=%d\n", ++ ib_wc_status_msg(wc->status), wc->opcode); + goto error; + } + +-- +2.51.0 + diff --git a/queue-6.17/smb-client-queue-post_recv_credits_work-also-if-the-.patch b/queue-6.17/smb-client-queue-post_recv_credits_work-also-if-the-.patch new file mode 100644 index 0000000000..1d61e941c1 --- /dev/null +++ b/queue-6.17/smb-client-queue-post_recv_credits_work-also-if-the-.patch 
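Review bot: Both send_done() and recv_done() now skip logging when wc->status == IB_WC_WR_FLUSH_ERR, but neither site says why that status is exempt, and the same two-line condition is duplicated. A comment such as `/* flush errors are expected while the QP is torn down; anything else is a real failure */` at each site, or a tiny helper shared by both, would record the intent and keep the two paths from drifting. Note that recv_done()'s failure path moves from INFO to ERR, so the change affects what operators see, not only the format of the message. recv_done() begins before the hunk.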
@@ -0,0 +1,62 @@ +From f7ded367e7e9696555e35471b3e58de69ce637d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Aug 2025 17:53:55 +0200 +Subject: smb: client: queue post_recv_credits_work also if the peer raises the + credit target + +From: Stefan Metzmacher + +[ Upstream commit 02548c477a90481c1fd0d6e7c84b4504ec2fcc12 ] + +This is already handled in the server, but currently it done +in a very complex way there. So we do it much simpler. + +Note that put_receive_buffer() will take care of it +in case data_length is 0. + +Cc: Steve French +Cc: Tom Talpey +Cc: Long Li +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Acked-by: Namjae Jeon +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smbdirect.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/smb/client/smbdirect.c b/fs/smb/client/smbdirect.c +index 6480945c24592..b3e04b410afe6 100644 +--- a/fs/smb/client/smbdirect.c ++++ b/fs/smb/client/smbdirect.c +@@ -537,6 +537,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) + struct smbdirect_socket_parameters *sp = &sc->parameters; + struct smbd_connection *info = + container_of(sc, struct smbd_connection, socket); ++ int old_recv_credit_target; + u32 data_offset = 0; + u32 data_length = 0; + u32 remaining_data_length = 0; +@@ -599,6 +600,7 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) + } + + atomic_dec(&info->receive_credits); ++ old_recv_credit_target = info->receive_credit_target; + info->receive_credit_target = + le16_to_cpu(data_transfer->credits_requested); + if (le16_to_cpu(data_transfer->credits_granted)) { +@@ -629,6 +631,9 @@ static void recv_done(struct ib_cq *cq, struct ib_wc *wc) + * reassembly queue and wake up the reading thread + */ + if (data_length) { ++ if (info->receive_credit_target > old_recv_credit_target) ++ queue_work(info->workqueue, &info->post_send_credits_work); ++ + enqueue_reassembly(info, response, 
data_length); + wake_up_interruptible(&sc->recv_io.reassembly.wait_queue); + } else +-- +2.51.0 + diff --git a/queue-6.17/smb-server-let-smb_direct_flush_send_list-invalidate.patch b/queue-6.17/smb-server-let-smb_direct_flush_send_list-invalidate.patch new file mode 100644 index 0000000000..aeb7c8e3f7 --- /dev/null +++ b/queue-6.17/smb-server-let-smb_direct_flush_send_list-invalidate.patch 
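Review bot: The new queue_work() in recv_done() fires only inside the `if (data_length)` branch, and the reason the zero-length case needs no handling is given only in the commit message. A comment at the new lines, e.g. `/* data_length == 0 is handled by put_receive_buffer() */`, would keep that reasoning with the code. The commit title names post_recv_credits_work while the code queues post_send_credits_work; presumably that is the client-side work item that re-posts receive buffers, but the mismatch is worth a note so the title is not read as pointing at a typo in the code. recv_done() continues on both sides of the hunk.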
@@ -0,0 +1,52 @@ +From cce44aca7a8d17ee6ae93fcc3ae3d221efecb82d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Sep 2025 22:22:35 +0200 +Subject: smb: server: let smb_direct_flush_send_list() invalidate a remote key + first + +From: Stefan Metzmacher + +[ Upstream commit 1b53426334c3c942db47e0959a2527a4f815af50 ] + +If we want to invalidate a remote key we should do that as soon as +possible, so do it in the first send work request. + +Acked-by: Namjae Jeon +Cc: Steve French +Cc: Tom Talpey +Cc: linux-cifs@vger.kernel.org +Cc: samba-technical@lists.samba.org +Signed-off-by: Stefan Metzmacher +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/server/transport_rdma.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c +index e1f659d3b4cf5..2363244ff5f75 100644 +--- a/fs/smb/server/transport_rdma.c ++++ b/fs/smb/server/transport_rdma.c +@@ -939,12 +939,15 @@ static int smb_direct_flush_send_list(struct smb_direct_transport *t, + struct smb_direct_sendmsg, + list); + ++ if (send_ctx->need_invalidate_rkey) { ++ first->wr.opcode = IB_WR_SEND_WITH_INV; ++ first->wr.ex.invalidate_rkey = send_ctx->remote_key; ++ send_ctx->need_invalidate_rkey = false; ++ send_ctx->remote_key = 0; ++ } ++ + last->wr.send_flags = IB_SEND_SIGNALED; + last->wr.wr_cqe = &last->cqe; +- if (is_last && send_ctx->need_invalidate_rkey) { +- last->wr.opcode = IB_WR_SEND_WITH_INV; +- last->wr.ex.invalidate_rkey = send_ctx->remote_key; +- } + + ret = smb_direct_post_send(t, &first->wr); + if (!ret) { +-- +2.51.0 + diff --git a/queue-6.17/unbreak-make-tools-for-user-space-targets.patch b/queue-6.17/unbreak-make-tools-for-user-space-targets.patch new file mode 100644 index 0000000000..e1ec6bc6f9 --- /dev/null +++ b/queue-6.17/unbreak-make-tools-for-user-space-targets.patch 
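Review bot: The `is_last` argument no longer takes part in the invalidate decision in smb_direct_flush_send_list(), and the visible lines show no other use of it; if its remaining uses are outside the hunk that is fine, otherwise the parameter is now dead and should be dropped from the signature and its callers. The new block also overwrites first->wr.opcode unconditionally, which assumes every queued sendmsg was initialised as IB_WR_SEND; a one-line comment stating that, e.g. `/* first is a plain IB_WR_SEND here; upgrade it to SEND_WITH_INV */`, would make the assumption checkable. The function starts before the hunk and its tail continues after it.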
@@ -0,0 +1,62 @@ +From 01b4f8d8199edf6642f30d50002247e1aa38d0b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Sep 2025 12:24:20 -0700 +Subject: Unbreak 'make tools/*' for user-space targets + +From: Linus Torvalds + +[ Upstream commit ee916dccd4df6e2fd19c3606c4735282b72f1473 ] + +This pattern isn't very documented, and apparently not used much outside +of 'make tools/help', but it has existed for over a decade (since commit +ea01fa9f63ae: "tools: Connect to the kernel build system"). + +However, it doesn't work very well for most cases, particularly the +useful "tools/all" target, because it overrides the LDFLAGS value with +an empty one. + +And once overridden, 'make' will then not honor the tooling makefiles +trying to change it - which then makes any LDFLAGS use in the tooling +directory break, typically causing odd link errors. + +Remove that LDFLAGS override, since it seems to be entirely historical. +The core kernel makefiles no longer modify LDFLAGS as part of the build, +and use kernel-specific link flags instead (eg 'KBUILD_LDFLAGS' and +friends). + +This allows more of the 'make tools/*' cases to work. I say 'more', +because some of the tooling build rules make various other assumptions +or have other issues, so it's still a bit hit-or-miss. But those issues +tend to show up with the 'make -C tools xyz' pattern too, so now it's no +longer an issue of this particular 'tools/*' build rule being special. 
+ +Acked-by: Nathan Chancellor +Cc: Nicolas Schier +Cc: Borislav Petkov +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index 072a3be625510..356bf65e5e7a2 100644 +--- a/Makefile ++++ b/Makefile +@@ -1444,11 +1444,11 @@ endif + + tools/: FORCE + $(Q)mkdir -p $(objtree)/tools +- $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ ++ $(Q)$(MAKE) O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ + + tools/%: FORCE + $(Q)mkdir -p $(objtree)/tools +- $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $* ++ $(Q)$(MAKE) O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $* + + # --------------------------------------------------------------------------- + # Kernel selftest +-- +2.51.0 + diff --git a/queue-6.6/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch b/queue-6.6/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch new file mode 100644 index 0000000000..ed082a5fba --- /dev/null +++ b/queue-6.6/dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch 
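Review bot: The `tools/` and `tools/%` rules still carry no comment, although the commit message itself notes the pattern is undocumented, and dropping `LDFLAGS=` changes what the rules inherit: a user-exported LDFLAGS now reaches tools/Makefile even though the kernel build proper ignores it in favour of KBUILD_LDFLAGS. A comment above `tools/: FORCE` such as `# 'make tools/<target>' forwards <target> to tools/Makefile with O= set; LDFLAGS is inherited from the caller's environment` would record both facts. The two recipes remain near-duplicates, which is unavoidable because a `%` stem must be non-empty, so `tools/` cannot be served by the pattern rule.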
@@ -0,0 +1,34 @@
+From 0dbde2d11c9b9d3069a9e35e67c904b5be33c597 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 23 Jul 2025 11:21:52 -0400
+Subject: dlm: check for defined force value in dlm_lockspace_release
+
+From: Alexander Aring
+
+[ Upstream commit 6af515c9f3ccec3eb8a262ca86bef2c499d07951 ]
+
+Force values over 3 are undefined, so don't treat them as 3.
+
+Signed-off-by: Alexander Aring
+Signed-off-by: David Teigland
+Signed-off-by: Sasha Levin
+---
+ fs/dlm/lockspace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/dlm/lockspace.c b/fs/dlm/lockspace.c
+index 0455dddb0797c..0b17657690d4d 100644
+--- a/fs/dlm/lockspace.c
++++ b/fs/dlm/lockspace.c
+@@ -802,7 +802,7 @@ static int release_lockspace(struct dlm_ls *ls, int force)
+
+ dlm_device_deregister(ls);
+
+- if (force < 3 && dlm_user_daemon_available())
++ if (force != 3 && dlm_user_daemon_available())
+ do_uevent(ls, 0);
+
+ dlm_recoverd_stop(ls);
+--
+2.51.0
+
diff --git a/queue-6.6/drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch b/queue-6.6/drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch
new file mode 100644
index 0000000000..4ba85b273a
--- /dev/null
+++ b/queue-6.6/drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch
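Review bot: With `force != 3` an undefined value above 3 now takes the same path as 0..2 and emits the uevent, so the patch changes how such values behave rather than rejecting them; if callers can pass arbitrary values, the clearer fix is an explicit range check at the top of release_lockspace(), which is outside the hunk and may already exist there. At minimum the condition deserves a comment spelling out the contract, e.g. `/* force == 3 skips the userspace notification; values above 3 are undefined */`, since the meaning of 3 is not visible at this site.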
@@ -0,0 +1,54 @@ +From 800564dd0c87c52056cc5ca180ec64dab83891e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Aug 2025 18:14:19 +0800 +Subject: drivers/perf: hisi: Relax the event ID check in the framework + +From: Yicong Yang + +[ Upstream commit 43de0ac332b815cf56dbdce63687de9acfd35d49 ] + +Event ID is only using the attr::config bit [7, 0] but we check the +event range using the whole 64bit field. It blocks the usage of the +rest field of attr::config. Relax the check by only using the +bit [7, 0]. + +Acked-by: Jonathan Cameron +Signed-off-by: Yicong Yang +Signed-off-by: Yushan Wang +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/perf/hisilicon/hisi_uncore_pmu.c | 2 +- + drivers/perf/hisilicon/hisi_uncore_pmu.h | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.c b/drivers/perf/hisilicon/hisi_uncore_pmu.c +index 04031450d5fec..c3013059cca82 100644 +--- a/drivers/perf/hisilicon/hisi_uncore_pmu.c ++++ b/drivers/perf/hisilicon/hisi_uncore_pmu.c +@@ -212,7 +212,7 @@ int hisi_uncore_pmu_event_init(struct perf_event *event) + return -EINVAL; + + hisi_pmu = to_hisi_pmu(event->pmu); +- if (event->attr.config > hisi_pmu->check_event) ++ if ((event->attr.config & HISI_EVENTID_MASK) > hisi_pmu->check_event) + return -EINVAL; + + if (hisi_pmu->on_cpu == -1) +diff --git a/drivers/perf/hisilicon/hisi_uncore_pmu.h b/drivers/perf/hisilicon/hisi_uncore_pmu.h +index 92402aa69d70f..67d1c3d3a41c0 100644 +--- a/drivers/perf/hisilicon/hisi_uncore_pmu.h ++++ b/drivers/perf/hisilicon/hisi_uncore_pmu.h +@@ -43,7 +43,8 @@ + return FIELD_GET(GENMASK_ULL(hi, lo), event->attr.config); \ + } + +-#define HISI_GET_EVENTID(ev) (ev->hw.config_base & 0xff) ++#define HISI_EVENTID_MASK GENMASK(7, 0) ++#define HISI_GET_EVENTID(ev) ((ev)->hw.config_base & HISI_EVENTID_MASK) + + #define HISI_PMU_EVTYPE_BITS 8 + #define HISI_PMU_EVTYPE_SHIFT(idx) ((idx) % 4 * HISI_PMU_EVTYPE_BITS) +-- +2.51.0 + 
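Review bot: After this change hisi_uncore_pmu_event_init() only range-checks bits [7:0] of attr.config, so whatever userspace puts in the upper bits passes the generic check and reaches the sub-drivers; that is the stated goal, but it moves the validation burden to each driver that consumes those bits, and nothing in the hunk records that. A comment at the check, e.g. `/* Only the event ID in bits [7:0] is validated here; sub-drivers must validate any other attr.config fields they read */`, would make the new contract explicit. Keeping HISI_GET_EVENTID() on the same HISI_EVENTID_MASK is a good consistency touch; hisi_uncore_pmu_event_init() begins before the hunk.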
diff --git a/queue-6.6/exec-fix-incorrect-type-for-ret.patch b/queue-6.6/exec-fix-incorrect-type-for-ret.patch
new file mode 100644
index 0000000000..36ec62961c
--- /dev/null
+++ b/queue-6.6/exec-fix-incorrect-type-for-ret.patch
@@ -0,0 +1,38 @@
+From 100082a00ed73695cfdf985b7a290075429dfe8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Aug 2025 15:36:09 +0800
+Subject: exec: Fix incorrect type for ret
+
+From: Xichao Zhao
+
+[ Upstream commit 5e088248375d171b80c643051e77ade6b97bc386 ]
+
+In the setup_arg_pages(), ret is declared as an unsigned long.
+The ret might take a negative value. Therefore, its type should
+be changed to int.
+
+Signed-off-by: Xichao Zhao
+Reviewed-by: Jan Kara
+Link: https://lore.kernel.org/r/20250825073609.219855-1-zhao.xichao@vivo.com
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ fs/exec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index ee71a315cc51f..a7dfac338a22c 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -748,7 +748,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ unsigned long stack_top,
+ int executable_stack)
+ {
+- unsigned long ret;
++ int ret;
+ unsigned long stack_shift;
+ struct mm_struct *mm = current->mm;
+ struct vm_area_struct *vma = bprm->vma;
+--
+2.51.0
+
diff --git a/queue-6.6/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch b/queue-6.6/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
new file mode 100644
index 0000000000..848dfdf196
--- /dev/null
+++ b/queue-6.6/hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
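Review bot: Narrowing ret from unsigned long to int is only safe if every assignment to it in setup_arg_pages() is an int-returning call; the body of the function is outside the hunk, so this backport should be checked against the tree it targets for any site that still stores an address or size in ret, which an int would truncate silently. If all assignments are error codes, a brief note in the backport description that this was verified for this tree would be useful, since the upstream change was made against a newer fs/exec.c.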
@@ -0,0 +1,94 @@
+From 26f1d58b79533996ad8284a9c06b426c6c0fb92d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 15 Aug 2025 12:49:19 -0700
+Subject: hfs: clear offset and space out of valid records in b-tree node
+
+From: Viacheslav Dubeyko
+
+[ Upstream commit 18b07c44f245beb03588b00b212b38fce9af7cc9 ]
+
+Currently, hfs_brec_remove() executes moving records
+towards the location of deleted record and it updates
+offsets of moved records. However, the hfs_brec_remove()
+logic ignores the "mess" of b-tree node's free space and
+it doesn't touch the offsets out of records number.
+Potentially, it could confuse fsck or driver logic or
+to be a reason of potential corruption cases.
+
+This patch reworks the logic of hfs_brec_remove()
+by means of clearing freed space of b-tree node
+after the records moving. And it clear the last
+offset that keeping old location of free space
+because now the offset before this one is keeping
+the actual offset to the free space after the record
+deletion.
+
+Signed-off-by: Viacheslav Dubeyko
+cc: John Paul Adrian Glaubitz
+cc: Yangtao Li
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250815194918.38165-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfs/brec.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
+index 896396554bcc1..b01db1fae147c 100644
+--- a/fs/hfs/brec.c
++++ b/fs/hfs/brec.c
+@@ -179,6 +179,7 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ struct hfs_btree *tree;
+ struct hfs_bnode *node, *parent;
+ int end_off, rec_off, data_off, size;
++ int src, dst, len;
+
+ tree = fd->tree;
+ node = fd->bnode;
+@@ -208,10 +209,14 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ }
+ hfs_bnode_write_u16(node, offsetof(struct hfs_bnode_desc, num_recs), node->num_recs);
+
+- if (rec_off == end_off)
+- goto skip;
+ size = fd->keylength + fd->entrylength;
+
++ if (rec_off == end_off) {
++ src = fd->keyoffset;
++ hfs_bnode_clear(node, src, size);
++ goto skip;
++ }
++
+ do {
+ data_off = hfs_bnode_read_u16(node, rec_off);
+ hfs_bnode_write_u16(node, rec_off + 2, data_off - size);
+@@ -219,9 +224,23 @@ int hfs_brec_remove(struct hfs_find_data *fd)
+ } while (rec_off >= end_off);
+
+ /* fill hole */
+- hfs_bnode_move(node, fd->keyoffset, fd->keyoffset + size,
+- data_off - fd->keyoffset - size);
++ dst = fd->keyoffset;
++ src = fd->keyoffset + size;
++ len = data_off - src;
++
++ hfs_bnode_move(node, dst, src, len);
++
++ src = dst + len;
++ len = data_off - src;
++
++ hfs_bnode_clear(node, src, len);
++
+ skip:
++ /*
++ * Remove the obsolete offset to free space.
++ */
++ hfs_bnode_write_u16(node, end_off, 0);
++
+ hfs_bnode_dump(node);
+ if (!fd->record)
+ hfs_brec_update_parent(fd);
+--
+2.51.0
+
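Review bot: The two-step recomputation after the move in the "fill hole" path obscures what is actually cleared: with `src = dst + len` and `len = data_off - src`, the values reduce algebraically to `src = data_off - size` and `len = size`, so the call is always clearing the last `size` bytes of the old data area. Writing it as `hfs_bnode_clear(node, data_off - size, size); /* zero the tail freed by the move */` says that directly and drops the reuse of `src`/`len` for two different meanings. Separately, nothing in the hunk checks that `data_off >= fd->keyoffset + size` before the subtraction, so a corrupted node can still hand a negative length to hfs_bnode_move() and now also to hfs_bnode_clear(); the pre-patch code had the same exposure, but the new clear widens what a bad `data_off` reaches, and a `len < 0` guard returning -EIO would close it. hfs_brec_remove() continues past the end of the hunk.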
diff --git a/queue-6.6/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch b/queue-6.6/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
new file mode 100644
index 0000000000..8fa3a84fb0
--- /dev/null
+++ b/queue-6.6/hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
@@ -0,0 +1,112 @@ +From 848851eb3e41f90a6dd3ca247c47e8d5ef5a88ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Aug 2025 16:06:38 -0700 +Subject: hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() + +From: Viacheslav Dubeyko + +[ Upstream commit 2048ec5b98dbdfe0b929d2e42dc7a54c389c53dd ] + +The syzbot reported issue in hfs_find_set_zero_bits(): + +===================================================== +BUG: KMSAN: uninit-value in hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_find_set_zero_bits+0x74d/0xb60 fs/hfs/bitmap.c:45 + hfs_vbm_search_free+0x13c/0x5b0 fs/hfs/bitmap.c:151 + hfs_extend_file+0x6a5/0x1b00 fs/hfs/extent.c:408 + hfs_get_block+0x435/0x1150 fs/hfs/extent.c:353 + __block_write_begin_int+0xa76/0x3030 fs/buffer.c:2151 + block_write_begin fs/buffer.c:2262 [inline] + cont_write_begin+0x10e1/0x1bc0 fs/buffer.c:2601 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + cont_expand_zero fs/buffer.c:2528 [inline] + cont_write_begin+0x35a/0x1bc0 fs/buffer.c:2591 + hfs_write_begin+0x85/0x130 fs/hfs/inode.c:52 + hfs_file_truncate+0x1d6/0xe60 fs/hfs/extent.c:494 + hfs_inode_setattr+0x964/0xaa0 fs/hfs/inode.c:654 + notify_change+0x1993/0x1aa0 fs/attr.c:552 + do_truncate+0x28f/0x310 fs/open.c:68 + do_ftruncate+0x698/0x730 fs/open.c:195 + do_sys_ftruncate fs/open.c:210 [inline] + __do_sys_ftruncate fs/open.c:215 [inline] + __se_sys_ftruncate fs/open.c:213 [inline] + __x64_sys_ftruncate+0x11b/0x250 fs/open.c:213 + x64_sys_call+0xfe3/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:78 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Uninit was created at: + slab_post_alloc_hook mm/slub.c:4154 [inline] + slab_alloc_node mm/slub.c:4197 [inline] + __kmalloc_cache_noprof+0x7f7/0xed0 mm/slub.c:4354 + kmalloc_noprof include/linux/slab.h:905 [inline] + hfs_mdb_get+0x1cc8/0x2a90 fs/hfs/mdb.c:175 + hfs_fill_super+0x3d0/0xb80 
fs/hfs/super.c:337 + get_tree_bdev_flags+0x6e3/0x920 fs/super.c:1681 + get_tree_bdev+0x38/0x50 fs/super.c:1704 + hfs_get_tree+0x35/0x40 fs/hfs/super.c:388 + vfs_get_tree+0xb0/0x5c0 fs/super.c:1804 + do_new_mount+0x738/0x1610 fs/namespace.c:3902 + path_mount+0x6db/0x1e90 fs/namespace.c:4226 + do_mount fs/namespace.c:4239 [inline] + __do_sys_mount fs/namespace.c:4450 [inline] + __se_sys_mount+0x6eb/0x7d0 fs/namespace.c:4427 + __x64_sys_mount+0xe4/0x150 fs/namespace.c:4427 + x64_sys_call+0xfa7/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:166 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +CPU: 1 UID: 0 PID: 12609 Comm: syz.1.2692 Not tainted 6.16.0-syzkaller #0 PREEMPT(none) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 +===================================================== + +The HFS_SB(sb)->bitmap buffer is allocated in hfs_mdb_get(): + +HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL); + +Finally, it can trigger the reported issue because kmalloc() +doesn't clear the allocated memory. If allocated memory contains +only zeros, then everything will work pretty fine. +But if the allocated memory contains the "garbage", then +it can affect the bitmap operations and it triggers +the reported issue. + +This patch simply exchanges the kmalloc() on kzalloc() +with the goal to guarantee the correctness of bitmap operations. +Because, newly created allocation bitmap should have all +available blocks free. Potentially, initialization bitmap's read +operation could not fill the whole allocated memory and +"garbage" in the not initialized memory will be the reason of +volume coruptions and file system driver bugs. 
+
+Reported-by: syzbot
+Closes: https://syzkaller.appspot.com/bug?extid=773fa9d79b29bd8b6831
+Signed-off-by: Viacheslav Dubeyko
+cc: John Paul Adrian Glaubitz
+cc: Yangtao Li
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250820230636.179085-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfs/mdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfs/mdb.c b/fs/hfs/mdb.c
+index 8082eb01127cd..bf811347bb07d 100644
+--- a/fs/hfs/mdb.c
++++ b/fs/hfs/mdb.c
+@@ -172,7 +172,7 @@ int hfs_mdb_get(struct super_block *sb)
+ pr_warn("continuing without an alternate MDB\n");
+ }
+
+- HFS_SB(sb)->bitmap = kmalloc(8192, GFP_KERNEL);
++ HFS_SB(sb)->bitmap = kzalloc(8192, GFP_KERNEL);
+ if (!HFS_SB(sb)->bitmap)
+ goto out;
+
+--
+2.51.0
+
diff --git a/queue-6.6/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch b/queue-6.6/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch
new file mode 100644
index 0000000000..9830bf9b8d
--- /dev/null
+++ b/queue-6.6/hfs-make-proper-initalization-of-struct-hfs_find_dat.patch
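Review bot: The changed line in hfs_mdb_get() still carries the bare literal `8192` for the allocation bitmap, and the switch to kzalloc() now depends on a property the code never states: that a zero byte in this buffer means "block free", so any part of the bitmap the on-disk read does not fill behaves as free rather than as garbage. A comment on the allocation, `/* Allocation bitmap is a fixed 8 KiB; zero it so any unread part reads as "free" rather than as stale heap contents. */`, would record that reasoning next to the code, and a named size constant would let the read path that fills the buffer (outside this hunk) reference the same value. The commit message itself notes that a short bitmap read would still go unreported here; if the read loop does not check its returned length, that remains an open item. hfs_mdb_get() continues outside the hunk.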
@@ -0,0 +1,76 @@
+From 9cc9d53afa975fec7cc2c8fb47ce9e02522dbc7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Aug 2025 15:52:52 -0700
+Subject: hfs: make proper initalization of struct hfs_find_data
+
+From: Viacheslav Dubeyko
+
+[ Upstream commit c62663a986acee7c4485c1fa9de5fc40194b6290 ]
+
+Potenatially, __hfs_ext_read_extent() could operate by
+not initialized values of fd->key after hfs_brec_find() call:
+
+static inline int __hfs_ext_read_extent(struct hfs_find_data *fd, struct hfs_extent *extent,
+ u32 cnid, u32 block, u8 type)
+{
+ int res;
+
+ hfs_ext_build_key(fd->search_key, cnid, block, type);
+ fd->key->ext.FNum = 0;
+ res = hfs_brec_find(fd);
+ if (res && res != -ENOENT)
+ return res;
+ if (fd->key->ext.FNum != fd->search_key->ext.FNum ||
+ fd->key->ext.FkType != fd->search_key->ext.FkType)
+ return -ENOENT;
+ if (fd->entrylength != sizeof(hfs_extent_rec))
+ return -EIO;
+ hfs_bnode_read(fd->bnode, extent, fd->entryoffset, sizeof(hfs_extent_rec));
+ return 0;
+}
+
+This patch changes kmalloc() on kzalloc() in hfs_find_init()
+and intializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case if hfs_brec_find()
+has been found nothing in the b-tree node.
+
+Signed-off-by: Viacheslav Dubeyko
+cc: John Paul Adrian Glaubitz
+cc: Yangtao Li
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225252.126427-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfs/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
+index 34e9804e0f360..e46f650b5e9c2 100644
+--- a/fs/hfs/bfind.c
++++ b/fs/hfs/bfind.c
+@@ -21,7 +21,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -115,6 +115,12 @@ int hfs_brec_find(struct hfs_find_data *fd)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength = -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
+--
+2.51.0
+
diff --git a/queue-6.6/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch b/queue-6.6/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
new file mode 100644
index 0000000000..bb4ba3c7dd
--- /dev/null
+++ b/queue-6.6/hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
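Review bot: The five `-1` resets at the top of hfs_brec_find() have no comment explaining why they exist, and a later reader will not connect them to the -ENOENT callers the commit message describes; `/* Invalidate record/offset state so a failed search never leaves stale values for callers that tolerate -ENOENT. */` above the block would carry that. The same five assignments appear again, verbatim, in the fs/hfsplus/bfind.c hunk of the hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex patch later in this commit, so the same comment applies there, and the two copies are a candidate for one small shared helper so they do not drift. The sentinel only works if those struct members are signed; I cannot see struct hfs_find_data from this hunk, so if any of `keyoffset`/`entryoffset`/`entrylength` is unsigned the reset becomes a large positive that a caller could pass to hfs_bnode_read(), which is worth confirming. hfs_brec_find() continues beyond the hunk.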
@@ -0,0 +1,217 @@ +From 564a3a37a03dc8cb1d67b33a034c843cc86f0f2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 22:17:34 +0800 +Subject: hfs: validate record offset in hfsplus_bmap_alloc + +From: Yang Chenzhi + +[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ] + +hfsplus_bmap_alloc can trigger a crash if a +record offset or length is larger than node_size + +[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183 +[ 15.265949] +[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary) +[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 15.266167] Call Trace: +[ 15.266168] +[ 15.266169] dump_stack_lvl+0x53/0x70 +[ 15.266173] print_report+0xd0/0x660 +[ 15.266181] kasan_report+0xce/0x100 +[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0 +[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0 +[ 15.266217] hfsplus_brec_insert+0x870/0xb00 +[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570 +[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910 +[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200 +[ 15.266233] hfsplus_file_extend+0x5a7/0x1000 +[ 15.266237] hfsplus_get_block+0x12b/0x8c0 +[ 15.266238] __block_write_begin_int+0x36b/0x12c0 +[ 15.266251] block_write_begin+0x77/0x110 +[ 15.266252] cont_write_begin+0x428/0x720 +[ 15.266259] hfsplus_write_begin+0x51/0x100 +[ 15.266262] cont_write_begin+0x272/0x720 +[ 15.266270] hfsplus_write_begin+0x51/0x100 +[ 15.266274] generic_perform_write+0x321/0x750 +[ 15.266285] generic_file_write_iter+0xc3/0x310 +[ 15.266289] __kernel_write_iter+0x2fd/0x800 +[ 15.266296] dump_user_range+0x2ea/0x910 +[ 15.266301] elf_core_dump+0x2a94/0x2ed0 +[ 15.266320] vfs_coredump+0x1d85/0x45e0 +[ 15.266349] get_signal+0x12e3/0x1990 +[ 15.266357] arch_do_signal_or_restart+0x89/0x580 +[ 15.266362] 
irqentry_exit_to_user_mode+0xab/0x110 +[ 15.266364] asm_exc_page_fault+0x26/0x30 +[ 15.266366] RIP: 0033:0x41bd35 +[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f +[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283 +[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000 +[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100 +[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000 +[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000 +[ 15.266376] + +When calling hfsplus_bmap_alloc to allocate a free node, this function +first retrieves the bitmap from header node and map node using node->page +together with the offset and length from hfs_brec_lenoff + +``` +len = hfs_brec_lenoff(node, 2, &off16); +off = off16; + +off += node->page_offset; +pagep = node->page + (off >> PAGE_SHIFT); +data = kmap_local_page(*pagep); +``` + +However, if the retrieved offset or length is invalid(i.e. exceeds +node_size), the code may end up accessing pages outside the allocated +range for this node. + +This patch adds proper validation of both offset and length before use, +preventing out-of-bounds page access. Move is_bnode_offset_valid and +check_and_correct_requested_length to hfsplus_fs.h, as they may be +required by other functions. 
+
+Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/
+Signed-off-by: Yang Chenzhi
+Reviewed-by: Viacheslav Dubeyko
+Signed-off-by: Viacheslav Dubeyko
+Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfsplus/bnode.c | 41 ----------------------------------------
+ fs/hfsplus/btree.c | 6 ++++++
+ fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 48 insertions(+), 41 deletions(-)
+
+diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
+index 14f4995588ff0..407d5152eb411 100644
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -18,47 +18,6 @@
+ #include "hfsplus_fs.h"
+ #include "hfsplus_raw.h"
+
+-static inline
+-bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+-{
+- bool is_valid = off < node->tree->node_size;
+-
+- if (!is_valid) {
+- pr_err("requested invalid offset: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off);
+- }
+-
+- return is_valid;
+-}
+-
+-static inline
+-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+-{
+- unsigned int node_size;
+-
+- if (!is_bnode_offset_valid(node, off))
+- return 0;
+-
+- node_size = node->tree->node_size;
+-
+- if ((off + len) > node_size) {
+- int new_len = (int)node_size - off;
+-
+- pr_err("requested length has been corrected: "
+- "NODE: id %u, type %#x, height %u, "
+- "node_size %u, offset %d, "
+- "requested_len %d, corrected_len %d\n",
+- node->this, node->type, node->height,
+- node->tree->node_size, off, len, new_len);
+-
+- return new_len;
+- }
+-
+- return len;
+-}
+
+ /* Copy a specified range of bytes from the raw data of a node */
+ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+diff --git 
a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
+index 9e1732a2b92a8..fe6a54c4083c3 100644
+--- a/fs/hfsplus/btree.c
++++ b/fs/hfsplus/btree.c
+@@ -393,6 +393,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
+ len = hfs_brec_lenoff(node, 2, &off16);
+ off = off16;
+
++ if (!is_bnode_offset_valid(node, off)) {
++ hfs_bnode_put(node);
++ return ERR_PTR(-EIO);
++ }
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ data = kmap_local_page(*pagep);
+diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
+index 1473b04fc0f31..e67b35cb5ccc7 100644
+--- a/fs/hfsplus/hfsplus_fs.h
++++ b/fs/hfsplus/hfsplus_fs.h
+@@ -574,6 +574,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree)
+ return class;
+ }
+
++static inline
++bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
++{
++ bool is_valid = off < node->tree->node_size;
++
++ if (!is_valid) {
++ pr_err("requested invalid offset: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off);
++ }
++
++ return is_valid;
++}
++
++static inline
++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
++{
++ unsigned int node_size;
++
++ if (!is_bnode_offset_valid(node, off))
++ return 0;
++
++ node_size = node->tree->node_size;
++
++ if ((off + len) > node_size) {
++ int new_len = (int)node_size - off;
++
++ pr_err("requested length has been corrected: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, "
++ "requested_len %d, corrected_len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len, new_len);
++
++ return new_len;
++ }
++
++ return len;
++}
++
+ /* compatibility */
+ #define hfsp_mt2ut(t) (struct timespec64){ .tv_sec = __hfsp_mt2ut(t) }
+ #define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec)
+--
+2.51.0
+
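Review bot: The new validation in hfs_bmap_alloc() covers only the first `hfs_brec_lenoff(node, 2, &off16)` at the top of the function; the body continues past the hunk, and if the map-node walk that follows re-reads an offset/length with hfs_brec_lenoff() for each subsequent map node (I cannot see that loop here), those values reach the same `off >> PAGE_SHIFT` page arithmetic with no check, so the same guard is needed at every lenoff read, not just the first. The corrected `len` is also used without a lower bound: check_and_correct_requested_length() can shrink it to `node_size - off`, which is 1 at minimum here since `off < node_size` was just verified, but if `len` arrives negative from a corrupted node the `(off + len) > node_size` comparison is done in unsigned arithmetic and silently "corrects" it instead of rejecting the node; a `len <= 0` check returning `ERR_PTR(-EIO)` after the correction would make the failure explicit. The relocated helpers in hfsplus_fs.h are moved verbatim, which keeps the diff reviewable.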
diff --git a/queue-6.6/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch b/queue-6.6/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
new file mode 100644
index 0000000000..51174e8385
--- /dev/null
+++ b/queue-6.6/hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
@@ -0,0 +1,214 @@ +From 3f85fb1aa37a35bd39237b46ff5706a6918b7554 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Aug 2025 15:52:32 -0700 +Subject: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() + +From: Viacheslav Dubeyko + +[ Upstream commit 4840ceadef4290c56cc422f0fc697655f3cbf070 ] + +The syzbot reported issue in __hfsplus_ext_cache_extent(): + +[ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.196959][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.199393][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.199771][ T9350] ksys_write+0x23e/0x490 +[ 70.200149][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.202054][ T9350] +[ 70.202279][ T9350] Uninit was created at: +[ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80 +[ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0 +[ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0 +[ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.205074][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.207552][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.207961][ T9350] ksys_write+0x23e/0x490 +[ 
70.208375][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.210230][ T9350] +[ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 +[ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.212115][ T9350] ===================================================== +[ 70.212734][ T9350] Disabling lock debugging due to kernel taint +[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... +[ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5 +[ 70.214679][ T9350] Tainted: [B]=BAD_PAGE +[ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 +[ 70.215999][ T9350] Call Trace: +[ 70.216309][ T9350] +[ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0 +[ 70.217025][ T9350] dump_stack+0x1e/0x30 +[ 70.217421][ T9350] panic+0x502/0xca0 +[ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 + +[ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ... + kernel +:[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +set ... +[ 70.221254][ T9350] ? __msan_warning+0x96/0x120 +[ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0 +[ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0 +[ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0 +[ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950 +[ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130 +[ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060 +[ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460 +[ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0 +[ 70.228540][ T9350] ? 
vfs_write+0xb0f/0x14e0 +[ 70.228997][ T9350] ? ksys_write+0x23e/0x490 +[ 70.229458][ T9350] ? __x64_sys_write+0x97/0xf0 +[ 70.229939][ T9350] ? x64_sys_call+0x3015/0x3cf0 +[ 70.230432][ T9350] ? do_syscall_64+0xd9/0x1d0 +[ 70.230941][ T9350] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.231926][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.232738][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.233711][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.234516][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.235398][ T9350] ? __msan_metadata_ptr_for_load_4+0x24/0x40 +[ 70.236323][ T9350] ? hfsplus_brec_find+0x218/0x9f0 +[ 70.237090][ T9350] ? __pfx_hfs_find_rec_by_key+0x10/0x10 +[ 70.237938][ T9350] ? __msan_instrument_asm_store+0xbf/0xf0 +[ 70.238827][ T9350] ? __msan_metadata_ptr_for_store_4+0x27/0x40 +[ 70.239772][ T9350] ? __hfsplus_ext_write_extent+0x536/0x620 +[ 70.240666][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.241175][ T9350] __msan_warning+0x96/0x120 +[ 70.241645][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 +[ 70.242223][ T9350] hfsplus_file_extend+0x74f/0x1cf0 +[ 70.242748][ T9350] hfsplus_get_block+0xe16/0x17b0 +[ 70.243255][ T9350] ? kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.243878][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 +[ 70.244400][ T9350] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 +[ 70.244967][ T9350] __block_write_begin_int+0x962/0x2ce0 +[ 70.245531][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.246079][ T9350] cont_write_begin+0x1000/0x1950 +[ 70.246598][ T9350] hfsplus_write_begin+0x85/0x130 +[ 70.247105][ T9350] ? __pfx_hfsplus_get_block+0x10/0x10 +[ 70.247650][ T9350] ? __pfx_hfsplus_write_begin+0x10/0x10 +[ 70.248211][ T9350] generic_perform_write+0x3e8/0x1060 +[ 70.248752][ T9350] __generic_file_write_iter+0x215/0x460 +[ 70.249314][ T9350] generic_file_write_iter+0x109/0x5e0 +[ 70.249856][ T9350] ? 
kmsan_internal_set_shadow_origin+0x77/0x110 +[ 70.250487][ T9350] vfs_write+0xb0f/0x14e0 +[ 70.250930][ T9350] ? __pfx_generic_file_write_iter+0x10/0x10 +[ 70.251530][ T9350] ksys_write+0x23e/0x490 +[ 70.251974][ T9350] __x64_sys_write+0x97/0xf0 +[ 70.252450][ T9350] x64_sys_call+0x3015/0x3cf0 +[ 70.252924][ T9350] do_syscall_64+0xd9/0x1d0 +[ 70.253384][ T9350] ? irqentry_exit+0x16/0x60 +[ 70.253844][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f +[ 70.254430][ T9350] RIP: 0033:0x7f7a92adffc9 +[ 70.254873][ T9350] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48 +[ 70.256674][ T9350] RSP: 002b:00007fff0bca3188 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +[ 70.257485][ T9350] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a92adffc9 +[ 70.258246][ T9350] RDX: 000000000208e24b RSI: 0000000020000100 RDI: 0000000000000004 +[ 70.258998][ T9350] RBP: 00007fff0bca31a0 R08: 00007fff0bca31a0 R09: 00007fff0bca31a0 +[ 70.259769][ T9350] R10: 0000000000000000 R11: 0000000000000202 R12: 000055e0d75f8250 +[ 70.260520][ T9350] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 70.261286][ T9350] +[ 70.262026][ T9350] Kernel Offset: disabled + +(gdb) l *__hfsplus_ext_cache_extent+0x7d0 +0xffffffff8318aef0 is in __hfsplus_ext_cache_extent (fs/hfsplus/extents.c:168). +163 fd->key->ext.cnid = 0; +164 res = hfs_brec_find(fd, hfs_find_rec_by_key); +165 if (res && res != -ENOENT) +166 return res; +167 if (fd->key->ext.cnid != fd->search_key->ext.cnid || +168 fd->key->ext.fork_type != fd->search_key->ext.fork_type) +169 return -ENOENT; +170 if (fd->entrylength != sizeof(hfsplus_extent_rec)) +171 return -EIO; +172 hfs_bnode_read(fd->bnode, extent, fd->entryoffset, + +The __hfsplus_ext_cache_extent() calls __hfsplus_ext_read_extent(): + +res = __hfsplus_ext_read_extent(fd, hip->cached_extents, inode->i_ino, + block, HFSPLUS_IS_RSRC(inode) ? 
+ HFSPLUS_TYPE_RSRC :
+ HFSPLUS_TYPE_DATA);
+
+And if inode->i_ino could be equal to zero or any non-available CNID,
+then hfs_brec_find() could not find the record in the tree. As a result,
+fd->key could be compared with fd->search_key. But hfsplus_find_init()
+uses kmalloc() for fd->key and fd->search_key allocation:
+
+int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+{
+
+ ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+ fd->key = ptr + tree->max_key_len + 2;
+
+}
+
+Finally, fd->key is still not initialized if hfs_brec_find()
+has found nothing.
+
+This patch changes kmalloc() on kzalloc() in hfs_find_init()
+and intializes fd->record, fd->keyoffset, fd->keylength,
+fd->entryoffset, fd->entrylength for the case if hfs_brec_find()
+has been found nothing in the b-tree node.
+
+Reported-by: syzbot
+Closes: https://syzkaller.appspot.com/bug?extid=55ad87f38795d6787521
+Signed-off-by: Viacheslav Dubeyko
+cc: John Paul Adrian Glaubitz
+cc: Yangtao Li
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250818225232.126402-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfsplus/bfind.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/bfind.c b/fs/hfsplus/bfind.c
+index 901e83d65d202..26ebac4c60424 100644
+--- a/fs/hfsplus/bfind.c
++++ b/fs/hfsplus/bfind.c
+@@ -18,7 +18,7 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+
+ fd->tree = tree;
+ fd->bnode = NULL;
+- ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
++ ptr = kzalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+ if (!ptr)
+ return -ENOMEM;
+ fd->search_key = ptr;
+@@ -158,6 +158,12 @@ int hfs_brec_find(struct hfs_find_data *fd, search_strategy_t do_key_compare)
+ __be32 data;
+ int height, res;
+
++ fd->record = -1;
++ fd->keyoffset = -1;
++ fd->keylength = -1;
++ fd->entryoffset = -1;
++ fd->entrylength 
= -1;
++
+ tree = fd->tree;
+ if (fd->bnode)
+ hfs_bnode_put(fd->bnode);
+--
+2.51.0
+
diff --git a/queue-6.6/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch b/queue-6.6/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
new file mode 100644
index 0000000000..dd269c14b0
--- /dev/null
+++ b/queue-6.6/hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
@@ -0,0 +1,198 @@
+From e0dceaeccfb2cd43f936c8bcddffc7d0f4d0848f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Aug 2025 15:51:04 -0700
+Subject: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
+
+From: Viacheslav Dubeyko
+
+[ Upstream commit 9b3d15a758910bb98ba8feb4109d99cc67450ee4 ]
+
+The syzbot reported issue in hfsplus_delete_cat():
+
+[ 70.682285][ T9333] =====================================================
+[ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.685447][ T9333] do_rmdir+0x964/0xea0
+[ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.687646][ T9333]
+[ 70.687856][ T9333] Uninit was stored to memory at:
+[ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600
+[ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70
+[ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0
+[ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30
+[ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0
+[ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0
+[ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.692773][ T9333]
+[ 70.692990][ T9333] Uninit was stored to memory at:
+[ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0
+[ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800
+[ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700
+[ 70.694911][ T9333] mount_bdev+0x37b/0x530
+[ 70.695320][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.696588][ T9333] do_new_mount+0x73e/0x1630
+[ 70.697013][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.697425][ T9333] __se_sys_mount+0x733/0x830
+[ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.699730][ T9333]
+[ 70.699946][ T9333] Uninit was created at:
+[ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60
+[ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0
+[ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0
+[ 70.701774][ T9333] allocate_slab+0x30e/0x1390
+[ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0
+[ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20
+[ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0
+[ 70.703598][ T9333] alloc_inode+0x82/0x490
+[ 70.703984][ T9333] iget_locked+0x22e/0x1320
+[ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0
+[ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0
+[ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700
+[ 70.705776][ T9333] mount_bdev+0x37b/0x530
+[ 70.706171][ T9333] hfsplus_mount+0x4d/0x60
+[ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0
+[ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0
+[ 70.707444][ T9333] do_new_mount+0x73e/0x1630
+[ 70.707865][ T9333] path_mount+0x6e3/0x1eb0
+[ 70.708270][ T9333] __se_sys_mount+0x733/0x830
+[ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150
+[ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0
+[ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.710611][ T9333]
+[ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17
+[ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.712490][ T9333] =====================================================
+[ 70.713085][ T9333] Disabling lock debugging due to kernel taint
+[ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ...
+[ 70.714159][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Tainted: G B 6.12.0-rc6-dirty #17
+[ 70.715007][ T9333] Tainted: [B]=BAD_PAGE
+[ 70.715365][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 70.716311][ T9333] Call Trace:
+[ 70.716621][ T9333]
+[ 70.716899][ T9333] dump_stack_lvl+0x1fd/0x2b0
+[ 70.717350][ T9333] dump_stack+0x1e/0x30
+[ 70.717743][ T9333] panic+0x502/0xca0
+[ 70.718116][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.718611][ T9333] kmsan_report+0x296/0x2a0
+[ 70.719038][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.719859][ T9333] ? __msan_warning+0x96/0x120
+[ 70.720345][ T9333] ? hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.720881][ T9333] ? hfsplus_delete_cat+0x105d/0x12b0
+[ 70.721412][ T9333] ? hfsplus_rmdir+0x13d/0x310
+[ 70.721880][ T9333] ? vfs_rmdir+0x5ba/0x810
+[ 70.722458][ T9333] ? do_rmdir+0x964/0xea0
+[ 70.722883][ T9333] ? __x64_sys_rmdir+0x71/0xb0
+[ 70.723397][ T9333] ? x64_sys_call+0xcd8/0x3cf0
+[ 70.723915][ T9333] ? do_syscall_64+0xd9/0x1d0
+[ 70.724454][ T9333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.725110][ T9333] ? vprintk_emit+0xd1f/0xe60
+[ 70.725616][ T9333] ? vprintk_default+0x3f/0x50
+[ 70.726175][ T9333] ? vprintk+0xce/0xd0
+[ 70.726628][ T9333] ? _printk+0x17e/0x1b0
+[ 70.727129][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.727739][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.728324][ T9333] __msan_warning+0x96/0x120
+[ 70.728854][ T9333] hfsplus_subfolders_dec+0x1d7/0x220
+[ 70.729479][ T9333] hfsplus_delete_cat+0x105d/0x12b0
+[ 70.729984][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.730646][ T9333] ? __msan_metadata_ptr_for_load_4+0x24/0x40
+[ 70.731296][ T9333] ? kmsan_get_metadata+0x13e/0x1c0
+[ 70.731863][ T9333] hfsplus_rmdir+0x13d/0x310
+[ 70.732390][ T9333] ? __pfx_hfsplus_rmdir+0x10/0x10
+[ 70.732919][ T9333] vfs_rmdir+0x5ba/0x810
+[ 70.733416][ T9333] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0
+[ 70.734044][ T9333] do_rmdir+0x964/0xea0
+[ 70.734537][ T9333] __x64_sys_rmdir+0x71/0xb0
+[ 70.735032][ T9333] x64_sys_call+0xcd8/0x3cf0
+[ 70.735579][ T9333] do_syscall_64+0xd9/0x1d0
+[ 70.736092][ T9333] ? irqentry_exit+0x16/0x60
+[ 70.736637][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 70.737269][ T9333] RIP: 0033:0x7fa9424eafc9
+[ 70.737775][ T9333] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 70.739844][ T9333] RSP: 002b:00007fff099cd8d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000054
+[ 70.740760][ T9333] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa9424eafc9
+[ 70.741642][ T9333] RDX: 006c6f72746e6f63 RSI: 000000000000000a RDI: 0000000020000100
+[ 70.742543][ T9333] RBP: 00007fff099cd8e0 R08: 00007fff099cd910 R09: 00007fff099cd910
+[ 70.743376][ T9333] R10: 0000000000000000 R11: 0000000000000202 R12: 0000565430642260
+[ 70.744247][ T9333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 70.745082][ T9333]
+
+The main reason of the issue that struct hfsplus_inode_info
+has not been properly initialized for the case of root folder.
+In the case of root folder, hfsplus_fill_super() calls
+the hfsplus_iget() that implements only partial initialization of
+struct hfsplus_inode_info and subfolders field is not
+initialized by hfsplus_iget() logic.
+
+This patch implements complete initialization of
+struct hfsplus_inode_info in the hfsplus_iget() logic with
+the goal to prevent likewise issues for the case of
+root folder.
+
+Reported-by: syzbot
+Closes: https://syzkaller.appspot.com/bug?extid=fdedff847a0e5e84c39f
+Signed-off-by: Viacheslav Dubeyko
+cc: John Paul Adrian Glaubitz
+cc: Yangtao Li
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250825225103.326401-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfsplus/super.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 1986b4f18a901..8c086f16dd589 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -67,13 +67,26 @@ struct inode *hfsplus_iget(struct super_block *sb, unsigned long ino)
+ if (!(inode->i_state & I_NEW))
+ return inode;
+
+- INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
+- spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
+- mutex_init(&HFSPLUS_I(inode)->extents_lock);
+- HFSPLUS_I(inode)->flags = 0;
++ atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->first_blocks = 0;
++ HFSPLUS_I(inode)->clump_blocks = 0;
++ HFSPLUS_I(inode)->alloc_blocks = 0;
++ HFSPLUS_I(inode)->cached_start = U32_MAX;
++ HFSPLUS_I(inode)->cached_blocks = 0;
++ memset(HFSPLUS_I(inode)->first_extents, 0, sizeof(hfsplus_extent_rec));
++ memset(HFSPLUS_I(inode)->cached_extents, 0, sizeof(hfsplus_extent_rec));
+ HFSPLUS_I(inode)->extent_state = 0;
++ mutex_init(&HFSPLUS_I(inode)->extents_lock);
+ HFSPLUS_I(inode)->rsrc_inode = NULL;
+- atomic_set(&HFSPLUS_I(inode)->opencnt, 0);
++ HFSPLUS_I(inode)->create_date = 0;
++ HFSPLUS_I(inode)->linkid = 0;
++ HFSPLUS_I(inode)->flags = 0;
++ HFSPLUS_I(inode)->fs_blocks = 0;
++ HFSPLUS_I(inode)->userflags = 0;
++ HFSPLUS_I(inode)->subfolders = 0;
++ INIT_LIST_HEAD(&HFSPLUS_I(inode)->open_dir_list);
++ spin_lock_init(&HFSPLUS_I(inode)->open_dir_lock);
++ HFSPLUS_I(inode)->phys_size = 0;
+
+ if (inode->i_ino >= HFSPLUS_FIRSTUSER_CNID ||
+ inode->i_ino == HFSPLUS_ROOT_CNID) {
+--
+2.51.0
+
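Review bot: The field-by-field initialisation added to hfsplus_iget() will silently go stale the next time a member is added to struct hfsplus_inode_info, which is exactly how the uninitialised `subfolders` read arose. The KMSAN origin trace shows the object coming straight from hfsplus_alloc_inode() via the slab allocator, so a single init helper shared by this path and the regular inode-creation path would remove the duplication; that other path is not visible here, so treat it as something to confirm. Whichever form is kept, a comment at the top of the block would record the intent: `/* The root and special inodes reach here from hfsplus_fill_super() without going through the normal create path, so every hfsplus_inode_info field must be set explicitly. */`. hfsplus_iget() continues outside the hunk.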
diff --git a/queue-6.6/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch b/queue-6.6/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
new file mode 100644
index 0000000000..4b0a811daf
--- /dev/null
+++ b/queue-6.6/hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
@@ -0,0 +1,39 @@
+From f4181d677e4f50123ff4a1ed83193eaca5d34c2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Aug 2025 10:58:59 -0600
+Subject: hfsplus: return EIO when type of hidden directory mismatch in
+ hfsplus_fill_super()
+
+From: Yangtao Li
+
+[ Upstream commit 9282bc905f0949fab8cf86c0f620ca988761254c ]
+
+If Catalog File contains corrupted record for the case of
+hidden directory's type, regard it as I/O error instead of
+Invalid argument.
+
+Signed-off-by: Yangtao Li
+Reviewed-by: Viacheslav Dubeyko
+Link: https://lore.kernel.org/r/20250805165905.3390154-1-frank.li@vivo.com
+Signed-off-by: Viacheslav Dubeyko
+Signed-off-by: Sasha Levin
+---
+ fs/hfsplus/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/super.c b/fs/hfsplus/super.c
+index 8c086f16dd589..7e889820a63d0 100644
+--- a/fs/hfsplus/super.c
++++ b/fs/hfsplus/super.c
+@@ -538,7 +538,7 @@ static int hfsplus_fill_super(struct super_block *sb, void *data, int silent)
+ if (!hfs_brec_read(&fd, &entry, sizeof(entry))) {
+ hfs_find_exit(&fd);
+ if (entry.type != cpu_to_be16(HFSPLUS_FOLDER)) {
+- err = -EINVAL;
++ err = -EIO;
+ goto out_put_root;
+ }
+ inode = hfsplus_iget(sb, be32_to_cpu(entry.folder.id));
+--
+2.51.0
+
diff --git a/queue-6.6/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch b/queue-6.6/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
new file mode 100644
index 0000000000..93029e8c5e
--- /dev/null
+++ b/queue-6.6/lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
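Review bot: The on-disk type mismatch is now reported as -EIO, but nothing is logged at that point, so a mount failing here is indistinguishable from a genuine device error. A message guarded by the `silent` parameter visible in the hunk header, e.g. `if (!silent) pr_err("hidden directory record has unexpected type\n");` placed just before `err = -EIO;`, would keep the corrupted-catalog case diagnosable without adding noise to probe mounts. hfsplus_fill_super() starts and ends outside the hunk, so whether this path already logs elsewhere cannot be confirmed from here.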
@@ -0,0 +1,47 @@
+From 0f01557fb50cb8b50f5e74837c4f377d834680d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Aug 2025 14:06:05 +0800
+Subject: lkdtm: fortify: Fix potential NULL dereference on kmalloc failure
+
+From: Junjie Cao
+
+[ Upstream commit 01c7344e21c2140e72282d9d16d79a61f840fc20 ]
+
+Add missing NULL pointer checks after kmalloc() calls in
+lkdtm_FORTIFY_STR_MEMBER() and lkdtm_FORTIFY_MEM_MEMBER() functions.
+
+Signed-off-by: Junjie Cao
+Link: https://lore.kernel.org/r/20250814060605.5264-1-junjie.cao@intel.com
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ drivers/misc/lkdtm/fortify.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/misc/lkdtm/fortify.c b/drivers/misc/lkdtm/fortify.c
+index 0159276656780..00ed2147113e6 100644
+--- a/drivers/misc/lkdtm/fortify.c
++++ b/drivers/misc/lkdtm/fortify.c
+@@ -44,6 +44,9 @@ static void lkdtm_FORTIFY_STR_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
+@@ -109,6 +112,9 @@ static void lkdtm_FORTIFY_MEM_MEMBER(void)
+ char *src;
+
+ src = kmalloc(size, GFP_KERNEL);
++ if (!src)
++ return;
++
+ strscpy(src, "over ten bytes", size);
+ size = strlen(src) + 1;
+
+--
+2.51.0
+
diff --git a/queue-6.6/m68k-bitops-fix-find_-_bit-signatures.patch b/queue-6.6/m68k-bitops-fix-find_-_bit-signatures.patch
new file mode 100644
index 0000000000..41397baac3
--- /dev/null
+++ b/queue-6.6/m68k-bitops-fix-find_-_bit-signatures.patch
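Review bot: A bare `return` on kmalloc() failure makes the test exit with no output at all, so a failed allocation cannot be told apart from a test that quietly did nothing; the identical check added in lkdtm_FORTIFY_MEM_MEMBER() has the same gap. A one-line diagnostic before each return, `pr_warn("kmalloc() failed, skipping test\n");` or whatever the file's other tests print on setup failure, would make the outcome visible in the log. Both functions continue outside the hunk, so whether `src` is released on the normal path cannot be checked from here.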
@@ -0,0 +1,90 @@
+From 2b88dcbaee68a0633a43d006b528a20c18c804e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Sep 2025 17:16:13 +0200
+Subject: m68k: bitops: Fix find_*_bit() signatures
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 6d5674090543b89aac0c177d67e5fb32ddc53804 ]
+
+The function signatures of the m68k-optimized implementations of the
+find_{first,next}_{,zero_}bit() helpers do not match the generic
+variants.
+
+Fix this by changing all non-pointer inputs and outputs to "unsigned
+long", and updating a few local variables.
+
+Reported-by: kernel test robot
+Closes: https://lore.kernel.org/oe-kbuild-all/202509092305.ncd9mzaZ-lkp@intel.com/
+Signed-off-by: Geert Uytterhoeven
+Acked-by: "Yury Norov (NVIDIA)"
+Link: https://patch.msgid.link/de6919554fbb4cd1427155c6bafbac8a9df822c8.1757517135.git.geert@linux-m68k.org
+Signed-off-by: Sasha Levin
+---
+ arch/m68k/include/asm/bitops.h | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/arch/m68k/include/asm/bitops.h b/arch/m68k/include/asm/bitops.h
+index e984af71df6be..d86aa744cb8fc 100644
+--- a/arch/m68k/include/asm/bitops.h
++++ b/arch/m68k/include/asm/bitops.h
+@@ -329,12 +329,12 @@ arch___test_and_change_bit(unsigned long nr, volatile unsigned long *addr)
+ #include
+ #else
+
+-static inline int find_first_zero_bit(const unsigned long *vaddr,
+- unsigned size)
++static inline unsigned long find_first_zero_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -355,8 +355,9 @@ static inline int find_first_zero_bit(const unsigned long *vaddr,
+ }
+ #define find_first_zero_bit find_first_zero_bit
+
+-static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_zero_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
+@@ -385,11 +386,12 @@ static inline int find_next_zero_bit(const unsigned long *vaddr, int size,
+ }
+ #define find_next_zero_bit find_next_zero_bit
+
+-static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
++static inline unsigned long find_first_bit(const unsigned long *vaddr,
++ unsigned long size)
+ {
+ const unsigned long *p = vaddr;
+- int res = 32;
+- unsigned int words;
++ unsigned long res = 32;
++ unsigned long words;
+ unsigned long num;
+
+ if (!size)
+@@ -410,8 +412,9 @@ static inline int find_first_bit(const unsigned long *vaddr, unsigned size)
+ }
+ #define find_first_bit find_first_bit
+
+-static inline int find_next_bit(const unsigned long *vaddr, int size,
+- int offset)
++static inline unsigned long find_next_bit(const unsigned long *vaddr,
++ unsigned long size,
++ unsigned long offset)
+ {
+ const unsigned long *p = vaddr + (offset >> 5);
+ int bit = offset & 31UL, res;
+--
+2.51.0
+
diff --git a/queue-6.6/nios2-ensure-that-memblock.current_limit-is-set-when.patch b/queue-6.6/nios2-ensure-that-memblock.current_limit-is-set-when.patch
new file mode 100644
index 0000000000..62b73cd751
--- /dev/null
+++ b/queue-6.6/nios2-ensure-that-memblock.current_limit-is-set-when.patch
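Review bot: find_next_zero_bit() and find_next_bit() now return `unsigned long`, yet the context line `int bit = offset & 31UL, res;` in each of them still computes the result in a signed int that is widened on return, whereas the find_first_* variants in the same change were converted to `unsigned long res`. This is harmless for any realistic bit index on a 32-bit target, but it is inconsistent within one patch; `unsigned long bit = offset & 31UL, res;` in both functions would match the generic prototypes end to end, provided the bodies (outside the hunk) contain no comparison that relies on `res` being signed. A short comment on the `#else` branch noting that these inlines must track the generic find_*_bit() prototypes would help keep the two in step.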
@@ -0,0 +1,74 @@
+From af76b9c7a3c4a648322a29592a4cb881a019bffd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Aug 2025 12:37:07 +0200
+Subject: nios2: ensure that memblock.current_limit is set when setting pfn
+ limits
+
+From: Simon Schuster
+
+[ Upstream commit a20b83cf45be2057f3d073506779e52c7fa17f94 ]
+
+On nios2, with CONFIG_FLATMEM set, the kernel relies on
+memblock_get_current_limit() to determine the limits of mem_map, in
+particular for max_low_pfn.
+Unfortunately, memblock.current_limit is only default initialized to
+MEMBLOCK_ALLOC_ANYWHERE at this point of the bootup, potentially leading
+to situations where max_low_pfn can erroneously exceed the value of
+max_pfn and, thus, the valid range of available DRAM.
+
+This can in turn cause kernel-level paging failures, e.g.:
+
+[ 76.900000] Unable to handle kernel paging request at virtual address 20303000
+[ 76.900000] ea = c0080890, ra = c000462c, cause = 14
+[ 76.900000] Kernel panic - not syncing: Oops
+[ 76.900000] ---[ end Kernel panic - not syncing: Oops ]---
+
+This patch fixes this by pre-calculating memblock.current_limit
+based on the upper limits of the available memory ranges via
+adjust_lowmem_bounds, a simplified version of the equivalent
+implementation within the arm architecture.
+
+Signed-off-by: Simon Schuster
+Signed-off-by: Andreas Oetken
+Signed-off-by: Dinh Nguyen
+Signed-off-by: Sasha Levin
+---
+ arch/nios2/kernel/setup.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/arch/nios2/kernel/setup.c b/arch/nios2/kernel/setup.c
+index 8582ed9658447..5308c76122817 100644
+--- a/arch/nios2/kernel/setup.c
++++ b/arch/nios2/kernel/setup.c
+@@ -147,6 +147,20 @@ static void __init find_limits(unsigned long *min, unsigned long *max_low,
+ *max_high = PFN_DOWN(memblock_end_of_DRAM());
+ }
+
++static void __init adjust_lowmem_bounds(void)
++{
++ phys_addr_t block_start, block_end;
++ u64 i;
++ phys_addr_t memblock_limit = 0;
++
++ for_each_mem_range(i, &block_start, &block_end) {
++ if (block_end > memblock_limit)
++ memblock_limit = block_end;
++ }
++
++ memblock_set_current_limit(memblock_limit);
++}
++
+ void __init setup_arch(char **cmdline_p)
+ {
+ console_verbose();
+@@ -160,6 +174,7 @@ void __init setup_arch(char **cmdline_p)
+ /* Keep a copy of command line */
+ *cmdline_p = boot_command_line;
+
++ adjust_lowmem_bounds();
+ find_limits(&min_low_pfn, &max_low_pfn, &max_pfn);
+ max_mapnr = max_low_pfn;
+
+--
+2.51.0
+
diff --git a/queue-6.6/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch b/queue-6.6/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch
new file mode 100644
index 0000000000..06f8cd15d4
--- /dev/null
+++ b/queue-6.6/powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch
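Review bot: The loop in adjust_lowmem_bounds() takes the highest `block_end` over all memory ranges, which appears to be the same value memblock_end_of_DRAM() returns and which the context line `*max_high = PFN_DOWN(memblock_end_of_DRAM());` in find_limits() already uses, so the helper could presumably collapse to `memblock_set_current_limit(memblock_end_of_DRAM());` unless there is a reason not to call it before find_limits(). Whichever form is kept, the new call in setup_arch() deserves a why-comment because the ordering constraint is invisible at the call site: `/* memblock.current_limit still holds MEMBLOCK_ALLOC_ANYWHERE here; bound it to the end of RAM before find_limits() derives max_low_pfn from it. */`. If no memory range is registered the limit is set to 0, which the commit message does not discuss; the arm implementation it cites is the place to check whether that case needs handling.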
@@ -0,0 +1,107 @@
+From 5eecfe4b1809895352aeb3523d0e24d7e36332a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Sep 2025 12:03:49 +0200
+Subject: powerpc/32: Remove PAGE_KERNEL_TEXT to fix startup failure
+
+From: Christophe Leroy
+
+[ Upstream commit 9316512b717f6f25c4649b3fdb0a905b6a318e9f ]
+
+PAGE_KERNEL_TEXT is an old macro that is used to tell kernel whether
+kernel text has to be mapped read-only or read-write based on build
+time options.
+
+But nowadays, with functionnalities like jump_labels, static links,
+etc ... more only less all kernels need to be read-write at some
+point, and some combinations of configs failed to work due to
+innacurate setting of PAGE_KERNEL_TEXT. On the other hand, today
+we have CONFIG_STRICT_KERNEL_RWX which implements a more controlled
+access to kernel modifications.
+
+Instead of trying to keep PAGE_KERNEL_TEXT accurate with all
+possible options that may imply kernel text modification, always
+set kernel text read-write at startup and rely on
+CONFIG_STRICT_KERNEL_RWX to provide accurate protection.
+
+Do this by passing PAGE_KERNEL_X to map_kernel_page() in
+__maping_ram_chunk() instead of passing PAGE_KERNEL_TEXT. Once
+this is done, the only remaining user of PAGE_KERNEL_TEXT is
+mmu_mark_initmem_nx() which uses it in a call to setibat().
+As setibat() ignores the RW/RO, we can seamlessly replace
+PAGE_KERNEL_TEXT by PAGE_KERNEL_X here as well and get rid of
+PAGE_KERNEL_TEXT completely.
+
+Reported-by: Erhard Furtner
+Closes: https://lore.kernel.org/all/342b4120-911c-4723-82ec-d8c9b03a8aef@mailbox.org/
+Signed-off-by: Christophe Leroy
+Tested-by: Andrew Donnellan
+Signed-off-by: Madhavan Srinivasan
+Link: https://patch.msgid.link/8e2d793abf87ae3efb8f6dce10f974ac0eda61b8.1757412205.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/include/asm/pgtable.h | 12 ------------
+ arch/powerpc/mm/book3s32/mmu.c | 4 ++--
+ arch/powerpc/mm/pgtable_32.c | 2 +-
+ 3 files changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h
+index d0ee46de248ea..74502f91ed936 100644
+--- a/arch/powerpc/include/asm/pgtable.h
++++ b/arch/powerpc/include/asm/pgtable.h
+@@ -20,18 +20,6 @@ struct mm_struct;
+ #include
+ #endif /* !CONFIG_PPC_BOOK3S */
+
+-/*
+- * Protection used for kernel text. We want the debuggers to be able to
+- * set breakpoints anywhere, so don't write protect the kernel text
+- * on platforms where such control is possible.
+- */
+-#if defined(CONFIG_KGDB) || defined(CONFIG_XMON) || defined(CONFIG_BDI_SWITCH) || \
+- defined(CONFIG_KPROBES) || defined(CONFIG_DYNAMIC_FTRACE)
+-#define PAGE_KERNEL_TEXT PAGE_KERNEL_X
+-#else
+-#define PAGE_KERNEL_TEXT PAGE_KERNEL_ROX
+-#endif
+-
+ /* Make modules code happy. We don't set RO yet */
+ #define PAGE_KERNEL_EXEC PAGE_KERNEL_X
+
+diff --git a/arch/powerpc/mm/book3s32/mmu.c b/arch/powerpc/mm/book3s32/mmu.c
+index 850783cfa9c73..1b1848761a000 100644
+--- a/arch/powerpc/mm/book3s32/mmu.c
++++ b/arch/powerpc/mm/book3s32/mmu.c
+@@ -204,7 +204,7 @@ void mmu_mark_initmem_nx(void)
+
+ for (i = 0; i < nb - 1 && base < top;) {
+ size = bat_block_size(base, top);
+- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT);
++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X);
+ base += size;
+ }
+ if (base < top) {
+@@ -215,7 +215,7 @@ void mmu_mark_initmem_nx(void)
+ pr_warn("Some RW data is getting mapped X. "
+ "Adjust CONFIG_DATA_SHIFT to avoid that.\n");
+ }
+- setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_TEXT);
++ setibat(i++, PAGE_OFFSET + base, base, size, PAGE_KERNEL_X);
+ base += size;
+ }
+ for (; i < nb; i++)
+diff --git a/arch/powerpc/mm/pgtable_32.c b/arch/powerpc/mm/pgtable_32.c
+index 5c02fd08d61ef..69fac96c2dcd1 100644
+--- a/arch/powerpc/mm/pgtable_32.c
++++ b/arch/powerpc/mm/pgtable_32.c
+@@ -109,7 +109,7 @@ static void __init __mapin_ram_chunk(unsigned long offset, unsigned long top)
+ p = memstart_addr + s;
+ for (; s < top; s += PAGE_SIZE) {
+ ktext = core_kernel_text(v);
+- map_kernel_page(v, p, ktext ? PAGE_KERNEL_TEXT : PAGE_KERNEL);
++ map_kernel_page(v, p, ktext ? PAGE_KERNEL_X : PAGE_KERNEL);
+ v += PAGE_SIZE;
+ p += PAGE_SIZE;
+ }
+--
+2.51.0
+
diff --git a/queue-6.6/series b/queue-6.6/series
new file mode 100644
index 0000000000..e8110fa27a
--- /dev/null
+++ b/queue-6.6/series
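Review bot: With PAGE_KERNEL_TEXT gone, __mapin_ram_chunk() maps kernel text writable and executable at boot for every configuration, including builds that previously got PAGE_KERNEL_ROX because none of KGDB/XMON/BDI_SWITCH/KPROBES/DYNAMIC_FTRACE was enabled; the commit message delegates the protection to CONFIG_STRICT_KERNEL_RWX, so on kernels built without that option the text presumably stays RWX for its whole lifetime. That is a deliberate trade-off, but it is no longer visible at the call site and deserves a comment above the map_kernel_page() call: `/* Text is mapped RWX here; CONFIG_STRICT_KERNEL_RWX is what later marks it read-only. */`. The two setibat() calls in mmu_mark_initmem_nx() could carry a one-line note that the RW/RO bit is ignored there, as the message states. All three functions start and end outside their hunks.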
@@ -0,0 +1,16 @@
+exec-fix-incorrect-type-for-ret.patch
+nios2-ensure-that-memblock.current_limit-is-set-when.patch
+hfs-clear-offset-and-space-out-of-valid-records-in-b.patch
+hfs-make-proper-initalization-of-struct-hfs_find_dat.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-__hfsplus_ex.patch
+hfs-validate-record-offset-in-hfsplus_bmap_alloc.patch
+hfsplus-fix-kmsan-uninit-value-issue-in-hfsplus_dele.patch
+dlm-check-for-defined-force-value-in-dlm_lockspace_r.patch
+hfs-fix-kmsan-uninit-value-issue-in-hfs_find_set_zer.patch
+hfsplus-return-eio-when-type-of-hidden-directory-mis.patch
+lkdtm-fortify-fix-potential-null-dereference-on-kmal.patch
+m68k-bitops-fix-find_-_bit-signatures.patch
+powerpc-32-remove-page_kernel_text-to-fix-startup-fa.patch
+drivers-perf-hisi-relax-the-event-id-check-in-the-fr.patch
+smb-server-let-smb_direct_flush_send_list-invalidate.patch
+unbreak-make-tools-for-user-space-targets.patch
diff --git a/queue-6.6/smb-server-let-smb_direct_flush_send_list-invalidate.patch b/queue-6.6/smb-server-let-smb_direct_flush_send_list-invalidate.patch
new file mode 100644
index 0000000000..fb5d4c7f70
--- /dev/null
+++ b/queue-6.6/smb-server-let-smb_direct_flush_send_list-invalidate.patch
@@ -0,0 +1,52 @@
+From 51e8e248c1308c1673b1465b20876de64ec1d44b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 8 Sep 2025 22:22:35 +0200
+Subject: smb: server: let smb_direct_flush_send_list() invalidate a remote key
+ first
+
+From: Stefan Metzmacher
+
+[ Upstream commit 1b53426334c3c942db47e0959a2527a4f815af50 ]
+
+If we want to invalidate a remote key we should do that as soon as
+possible, so do it in the first send work request.
+
+Acked-by: Namjae Jeon
+Cc: Steve French
+Cc: Tom Talpey
+Cc: linux-cifs@vger.kernel.org
+Cc: samba-technical@lists.samba.org
+Signed-off-by: Stefan Metzmacher
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/smb/server/transport_rdma.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/fs/smb/server/transport_rdma.c b/fs/smb/server/transport_rdma.c
+index 31c1ac256e1be..91e85a1a154fd 100644
+--- a/fs/smb/server/transport_rdma.c
++++ b/fs/smb/server/transport_rdma.c
+@@ -938,12 +938,15 @@ static int smb_direct_flush_send_list(struct smb_direct_transport *t,
+ struct smb_direct_sendmsg,
+ list);
+
++ if (send_ctx->need_invalidate_rkey) {
++ first->wr.opcode = IB_WR_SEND_WITH_INV;
++ first->wr.ex.invalidate_rkey = send_ctx->remote_key;
++ send_ctx->need_invalidate_rkey = false;
++ send_ctx->remote_key = 0;
++ }
++
+ last->wr.send_flags = IB_SEND_SIGNALED;
+ last->wr.wr_cqe = &last->cqe;
+- if (is_last && send_ctx->need_invalidate_rkey) {
+- last->wr.opcode = IB_WR_SEND_WITH_INV;
+- last->wr.ex.invalidate_rkey = send_ctx->remote_key;
+- }
+
+ ret = smb_direct_post_send(t, &first->wr);
+ if (!ret) {
+--
+2.51.0
+
diff --git a/queue-6.6/unbreak-make-tools-for-user-space-targets.patch b/queue-6.6/unbreak-make-tools-for-user-space-targets.patch
new file mode 100644
index 0000000000..5c6db4d3b1
--- /dev/null
+++ b/queue-6.6/unbreak-make-tools-for-user-space-targets.patch
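Review bot: `need_invalidate_rkey` is cleared and `remote_key` zeroed in the new block before `smb_direct_post_send()` runs a few lines below, so if that post fails and the caller retries the flush, the invalidation is silently dropped because the request has already been consumed. The error path is outside the hunk and this may be moot if a failed post tears the transport down, but it should be confirmed. A comment on the new block would record the intent that only the first work request of a context carries the invalidation: `/* Invalidate the peer's rkey on the first WR; clear the request so later flushes of this context send plain SENDs. */`. smb_direct_flush_send_list() starts and ends outside the hunk.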
@@ -0,0 +1,62 @@
+From 61b79a073d706c05876699604548efc05200180f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Sep 2025 12:24:20 -0700
+Subject: Unbreak 'make tools/*' for user-space targets
+
+From: Linus Torvalds
+
+[ Upstream commit ee916dccd4df6e2fd19c3606c4735282b72f1473 ]
+
+This pattern isn't very documented, and apparently not used much outside
+of 'make tools/help', but it has existed for over a decade (since commit
+ea01fa9f63ae: "tools: Connect to the kernel build system").
+
+However, it doesn't work very well for most cases, particularly the
+useful "tools/all" target, because it overrides the LDFLAGS value with
+an empty one.
+
+And once overridden, 'make' will then not honor the tooling makefiles
+trying to change it - which then makes any LDFLAGS use in the tooling
+directory break, typically causing odd link errors.
+
+Remove that LDFLAGS override, since it seems to be entirely historical.
+The core kernel makefiles no longer modify LDFLAGS as part of the build,
+and use kernel-specific link flags instead (eg 'KBUILD_LDFLAGS' and
+friends).
+
+This allows more of the 'make tools/*' cases to work. I say 'more',
+because some of the tooling build rules make various other assumptions
+or have other issues, so it's still a bit hit-or-miss. But those issues
+tend to show up with the 'make -C tools xyz' pattern too, so now it's no
+longer an issue of this particular 'tools/*' build rule being special.
+
+Acked-by: Nathan Chancellor
+Cc: Nicolas Schier
+Cc: Borislav Petkov
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index ad3952fb542d3..de7b2f9a50338 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1358,11 +1358,11 @@ endif
+
+ tools/: FORCE
+ $(Q)mkdir -p $(objtree)/tools
+- $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/
++ $(Q)$(MAKE) O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/
+
+ tools/%: FORCE
+ $(Q)mkdir -p $(objtree)/tools
+- $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $*
++ $(Q)$(MAKE) O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $*
+
+ # ---------------------------------------------------------------------------
+ # Kernel selftest
+--
+2.51.0
+
-- 
2.47.3
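Review bot: Nothing in the recipe now records why the tools build must receive the caller's LDFLAGS untouched, so the removed `LDFLAGS=` argument is likely to be re-added by someone tidying the invocation; a variable assigned on the `$(MAKE)` command line overrides every `LDFLAGS` assignment in the tools makefiles, which is exactly the breakage the commit message describes. A comment above the `tools/:` rule would preserve that reasoning: `# Do not pass LDFLAGS= here: a command-line assignment overrides the tools makefiles' own LDFLAGS settings.`. The two recipes remain identical apart from `$*`; that duplication predates this change and is left as is.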