- Linux-stable-mirror - lists.linaro.org

Inquiry from Varelt SRL Company Sales Order

by VARELT IMPORT SRL

1 month, 1 week

1
0
0 0

[PATCH 6.6.y] Revert "perf dso: Add missed dso__put to dso__load_kcore"

by jingxian.li

This reverts commit e5de9ea7796e79f3cd082624f788cc3442bff2a8. The patch introduced `map__zput(new_node->map)` in the kcore load path, causing a segmentation fault when running `perf c2c report`. The issue arises because `maps__merge_in` directly modifies and inserts the caller's `new_map`, causing it to be freed prematurely while still referenced by kmaps. Later branchs (6.12, 6.15, 6.16) are not affected because they use a different merge approach with a lazily sorted array, which avoids modifying the original `new_map`. Fixes: e5de9ea7796e ("perf dso: Add missed dso__put to dso__load_kcore") Signed-off-by: jingxian.li <jingxian.li(a)shopee.com> --- tools/perf/util/symbol.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/perf/util/symbol.c b/tools/perf/util/symbol.c index 4f0bbebcb6d6..ea24f21aafc3 100644 --- a/tools/perf/util/symbol.c +++ b/tools/perf/util/symbol.c @@ -1366,7 +1366,6 @@ static int dso__load_kcore(struct dso *dso, struct map *map, goto out_err; } } - map__zput(new_node->map); free(new_node); } -- 2.43.0

1 month, 1 week

2
1
0 0

[PATCH] EDAC/igen6: Fix error handling in igen6_edac driver

by Ma Ke

The igen6_edac driver fails to release reference for non-primary memory controllers during both error handling and normal shutdown. After device_initialize() is called in igen6_register_mci(), missing put_device() calls in error paths and igen6_unregister_mcis() cause reference count leaks, resulting in memory leaks and improper device cleanup. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 10590a9d4f23 ("EDAC/igen6: Add EDAC driver for Intel client SoCs using IBECC") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/edac/igen6_edac.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c index 2fc59f9eed69..ee2f00b204bb 100644 --- a/drivers/edac/igen6_edac.c +++ b/drivers/edac/igen6_edac.c @@ -1300,6 +1300,8 @@ static int igen6_register_mci(int mc, void __iomem *window, struct pci_dev *pdev imc->mci = mci; return 0; fail3: + if (mc != 0) + put_device(&imc->dev); mci->pvt_info = NULL; kfree(mci->ctl_name); fail2: @@ -1326,6 +1328,8 @@ static void igen6_unregister_mcis(void) kfree(mci->ctl_name); mci->pvt_info = NULL; edac_mc_free(mci); + if (imc->mc != 0) + put_device(&imc->dev); iounmap(imc->window); } } -- 2.17.1

1 month, 1 week

2
1
0 0

[PATCH] dccp: validate incoming Reset/Close/CloseReq in DCCP_REQUESTING

by Yizhou Zhao

DCCP sockets in DCCP_REQUESTING state do not check the sequence number or acknowledgment number for incoming Reset, CloseReq, and Close packets. As a result, an attacker can send a spoofed Reset packet while the client is in the requesting state. The client will accept the packet without any verification before receiving the reply from server and immediately close the connection, causing a denial of service (DoS) attack. The vulnerability makes the attacker able to drop the pending connection for a specific 5-tuple. Moreover, an off-path attacker with modestly higher outbound bandwidth can continually inject forged control packets to the victim client and prevent connection establishment to a given destination port on a server, causing a port-level DoS. This patch moves the processing of Reset, Close, and CloseReq packets into dccp_rcv_request_sent_state_process() and validates the ack number before accepting them. This patch should be applied to stable versions *only* before Linux 6.16, since DCCP implementation is removed in Linux 6.16. Affected versions include: - 3.1-3.19 - 4.0-4.20 - 5.0-5.19 - 6.0-6.15 We tested it on Ubuntu 24.04 LTS (Linux 6.8) and it worked as expected. Fixes: c0c2015056d7b ("dccp: Clean up slow-path input processing") Signed-off-by: Yizhou Zhao <zhaoyz24(a)mails.tsinghua.edu.cn> --- net/dccp/input.c | 54 ++++++++++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 22 deletions(-) diff --git a/net/dccp/input.c b/net/dccp/input.c index 2cbb757a8..0b1ffb044 100644 --- a/net/dccp/input.c +++ b/net/dccp/input.c @@ -397,21 +397,22 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk, * / * Response processing continues in Step 10; Reset * processing continues in Step 9 * / */ + struct dccp_sock *dp = dccp_sk(sk); + + if (!between48(DCCP_SKB_CB(skb)->dccpd_ack_seq, + dp->dccps_awl, dp->dccps_awh)) { + dccp_pr_debug("invalid ackno: S.AWL=%llu, " + "P.ackno=%llu, S.AWH=%llu\n", + (unsigned long long)dp->dccps_awl, + (unsigned long long)DCCP_SKB_CB(skb)->dccpd_ack_seq, + (unsigned long long)dp->dccps_awh); + goto out_invalid_packet; + } + if (dh->dccph_type == DCCP_PKT_RESPONSE) { const struct inet_connection_sock *icsk = inet_csk(sk); - struct dccp_sock *dp = dccp_sk(sk); - long tstamp = dccp_timestamp(); - - if (!between48(DCCP_SKB_CB(skb)->dccpd_ack_seq, - dp->dccps_awl, dp->dccps_awh)) { - dccp_pr_debug("invalid ackno: S.AWL=%llu, " - "P.ackno=%llu, S.AWH=%llu\n", - (unsigned long long)dp->dccps_awl, - (unsigned long long)DCCP_SKB_CB(skb)->dccpd_ack_seq, - (unsigned long long)dp->dccps_awh); - goto out_invalid_packet; - } + long tstamp = dccp_timestamp(); /* * If option processing (Step 8) failed, return 1 here so that * dccp_v4_do_rcv() sends a Reset. The Reset code depends on @@ -496,6 +497,13 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk, } dccp_send_ack(sk); return -1; + } else if (dh->dccph_type == DCCP_PKT_RESET) { + dccp_rcv_reset(sk, skb); + return 0; + } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { + return dccp_rcv_closereq(sk, skb); + } else if (dh->dccph_type == DCCP_PKT_CLOSE) { + return dccp_rcv_close(sk, skb); } out_invalid_packet: @@ -658,17 +666,19 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, * Set TIMEWAIT timer * Drop packet and return */ - if (dh->dccph_type == DCCP_PKT_RESET) { - dccp_rcv_reset(sk, skb); - return 0; - } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { /* Step 13 */ - if (dccp_rcv_closereq(sk, skb)) - return 0; - goto discard; - } else if (dh->dccph_type == DCCP_PKT_CLOSE) { /* Step 14 */ - if (dccp_rcv_close(sk, skb)) + if (sk->sk_state != DCCP_REQUESTING) { + if (dh->dccph_type == DCCP_PKT_RESET) { + dccp_rcv_reset(sk, skb); return 0; - goto discard; + } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { /* Step 13 */ + if (dccp_rcv_closereq(sk, skb)) + return 0; + goto discard; + } else if (dh->dccph_type == DCCP_PKT_CLOSE) { /* Step 14 */ + if (dccp_rcv_close(sk, skb)) + return 0; + goto discard; + } } switch (sk->sk_state) { -- 2.34.1

1 month, 1 week

2
3
0 0

[PATCH] EDAC/ie31200: Fix error handling in ie31200_register_mci

by Ma Ke

When mc > 0, ie31200_register_mci() initializes priv->dev but fails to call put_device() on it in the error path, causing a memory leak. Add proper put_device() call for priv->dev in the error handling path to balance device_initialize(). Found by code review. Cc: stable(a)vger.kernel.org Fixes: d0742284ec6d ("EDAC/ie31200: Add Intel Raptor Lake-S SoCs support") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/edac/ie31200_edac.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c index 5a080ab65476..a5a4bb24b72a 100644 --- a/drivers/edac/ie31200_edac.c +++ b/drivers/edac/ie31200_edac.c @@ -528,6 +528,8 @@ static int ie31200_register_mci(struct pci_dev *pdev, struct res_config *cfg, in fail_unmap: iounmap(window); fail_free: + if (mc > 0) + put_device(&priv->dev); edac_mc_free(mci); return ret; } -- 2.17.1

1 month, 1 week

2
2
0 0

[PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure

by Qianchang Zhao

When encrypt_resp() fails at the send path, we only set STATUS_DATA_ERROR but leave the transform buffer allocated (work->tr_buf in this tree). Repeating this path leaks kernel memory and can lead to OOM (DoS) when encryption is required. Reproduced on: Linux v6.18-rc2 (self-built test kernel) Fix by freeing the transform buffer and forcing plaintext error reply. Reported-by: Qianchang Zhao <pioooooooooip(a)gmail.com> Reported-by: Zhitong Liu <liuzhitong1993(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qianchang Zhao <pioooooooooip(a)gmail.com> --- fs/smb/server/server.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c index 40420544c..15dd13e76 100644 --- a/fs/smb/server/server.c +++ b/fs/smb/server/server.c @@ -244,8 +244,14 @@ static void __handle_ksmbd_work(struct ksmbd_work *work, if (work->sess && work->sess->enc && work->encrypted && conn->ops->encrypt_resp) { rc = conn->ops->encrypt_resp(work); - if (rc < 0) + if (rc < 0) { conn->ops->set_rsp_status(work, STATUS_DATA_ERROR); + work->encrypted = false; + if (work->tr_buf) { + kvfree(work->tr_buf); + work->tr_buf = NULL; + } + } } if (work->sess) ksmbd_user_session_put(work->sess); -- 2.34.1

1 month, 1 week

1
0
0 0

[PATCH] ksmbd: fix leak of transform buffer on encrypt_resp() failure

by Qianchang Zhao

When encrypt_resp() fails at the send path, we only set STATUS_DATA_ERROR but leave the transform buffer allocated (work->tr_buf in this tree). Repeating this path leaks kernel memory and can lead to OOM (DoS) when encryption is required. Reproduced on: Linux v6.18-rc2 (self-built test kernel) Fix by freeing the transform buffer and forcing plaintext error reply. Reported-by: Qianchang Zhao <pioooooooooip(a)gmail.com> Reported-by: Zhitong Liu <liuzhitong1993(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qianchang Zhao <pioooooooooip(a)gmail.com> --- fs/smb/server/server.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/smb/server/server.c b/fs/smb/server/server.c index 40420544c..15dd13e76 100644 --- a/fs/smb/server/server.c +++ b/fs/smb/server/server.c @@ -244,8 +244,14 @@ static void __handle_ksmbd_work(struct ksmbd_work *work, if (work->sess && work->sess->enc && work->encrypted && conn->ops->encrypt_resp) { rc = conn->ops->encrypt_resp(work); - if (rc < 0) + if (rc < 0) { conn->ops->set_rsp_status(work, STATUS_DATA_ERROR); + work->encrypted = false; + if (work->tr_buf) { + kvfree(work->tr_buf); + work->tr_buf = NULL; + } + } } if (work->sess) ksmbd_user_session_put(work->sess); -- 2.34.1

1 month, 1 week

1
0
0 0

[PATCH] btrfs: fix resource leak in do_walk_down()

by Zhen Ni

When check_next_block_uptodate() fails, do_walk_down() returns directly without cleaning up the locked extent buffer allocated earlier, causing memory and lock leaks. Fix by using the existing out_unlock cleanup path instead of direct return. Fixes: 562d425454e8 ("btrfs: factor out eb uptodate check from do_walk_down()") Cc: stable(a)vger.kernel.org Signed-off-by: Zhen Ni <zhen.ni(a)easystack.cn> --- fs/btrfs/extent-tree.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index dc4ca98c3780..742e476bf815 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -5770,7 +5770,7 @@ static noinline int do_walk_down(struct btrfs_trans_handle *trans, ret = check_next_block_uptodate(trans, root, path, wc, next); if (ret) - return ret; + goto out_unlock; level--; ASSERT(level == btrfs_header_level(next)); -- 2.20.1

1 month, 1 week

2
1
0 0

Re: Patch "rust: kunit: allow `cfg` on `test`s" has been added to the 6.17-stable tree

by Miguel Ojeda

On Tue, Nov 4, 2025 at 2:16 PM Sasha Levin <sashal(a)kernel.org> wrote: > > This is a note to let you know that I've just added the patch titled > > rust: kunit: allow `cfg` on `test`s > > to the 6.17-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > rust-kunit-allow-cfg-on-test-s.patch > and it can be found in the queue-6.17 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. It probably doesn't hurt, but if we don't have any test that needs it, then we could skip it, i.e. it is essentially a feature. Thanks! Cheers, Miguel

1 month, 1 week

1
0
0 0

[PATCH RFC 6.1/6.6 CANDIDATE] mm: introduce memalloc_flags_{save,restore}

by Long Li

From: Kent Overstreet <kent.overstreet(a)linux.dev> commit 3f6d5e6a468d02676244b868b210433831846127 upstream. Our proliferation of memalloc_*_{save,restore} APIs is getting a bit silly, this adds a generic version and converts the existing save/restore functions to wrappers. Signed-off-by: Kent Overstreet <kent.overstreet(a)linux.dev> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Darrick J. Wong <djwong(a)kernel.org> Cc: linux-mm(a)kvack.org Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- We encountered a deadlock issue in our internal version caused by PF_MEMALLOC_NOFS being unexpectedly cleared during inode inactive transaction. This issue appears to still exist in 6.1/6.6 lts version. In the mainline kernel, before commit [2] f2e812c1522d ("xfs: don't use current->journal_info") was merged, we relied on current->journal_info to check for transaction recursion. During transaction rollback/commit, only the last transaction commit would call xfs_trans_clear_context(tp) to restore the nofs flag, which worked correctly. After this patch was merged, we no longer check for transaction recursion, so each transaction rollback/commit calls xfs_trans_clear_context(tp) to restore the nofs flag. At this point, tp->t_pflags is set to 0 (except for the last one tp), and memalloc_nofs_restore(0) will not clear the PF_MEMALLOC_NOFS flag during transaction rollback, this is also correct. However, this also implies that the above patch depends on commit [1] 3f6d5e6a468d ("mm: introduce memalloc_flags_{save,restore}"), because that patch modified the semantics of the memalloc_nofs_{save,restore} interface, and only after this modification can it ensure that memalloc_nofs_restore(0) won't clear the PF_MEMALLOC_NOFS flag. In our 6.1/6.6 LTS versions, we directly backported commit [2] without backporting commit [1], which leads to confusion with the PF_MEMALLOC_NOFS flag during transaction rollback, for example as follows: xfs_inodegc_worker nofs_flag = memalloc_nofs_save(); //set PF_MEMALLOC_NOFS in current->flags xfs_inactive xfs_attr_inactive(ip) xfs_trans_alloc(mp, &M_RES(mp)->tr_attrinval, 0, 0, 0, &trans) xfs_trans_set_context(tp) //tp->t_pflags ==> 1 xfs_trans_commit(trans) __xfs_trans_commit(tp) xfs_defer_trans_roll xfs_trans_roll *tpp = xfs_trans_dup(trans) xfs_trans_switch_context(tp, ntp) new_tp->t_pflags = old_tp->t_pflags; //new_tp->t_pflags ==> 1 old_tp->t_pflags = 0; //old_tp->t_pflags ==> 0 __xfs_trans_commit(trans) //commit old_tp xfs_trans_free(tp); //free old_tp xfs_trans_clear_context(tp) memalloc_nofs_restore(0) //clear PF_MEMALLOC_NOFS in current->flags ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ < commit new_tp > xfs_trans_free(tp) //free new_tp memalloc_nofs_restore(1) //set PF_MEMALLOC_NOFS in current->flags memalloc_nofs_restore(nofs_flag); //clear PF_MEMALLOC_NOFS in current->flags So backport commit [1] 3f6d5e6a468d ("mm: introduce memalloc_flags_{save,restore}") to 6.1/6.6 lts. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… include/linux/sched/mm.h | 43 ++++++++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 17 deletions(-) diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h index 8d89c8c4fac1..10792d374785 100644 --- a/include/linux/sched/mm.h +++ b/include/linux/sched/mm.h @@ -306,6 +306,24 @@ static inline void might_alloc(gfp_t gfp_mask) might_sleep_if(gfpflags_allow_blocking(gfp_mask)); } +/** + * memalloc_flags_save - Add a PF_* flag to current->flags, save old value + * + * This allows PF_* flags to be conveniently added, irrespective of current + * value, and then the old version restored with memalloc_flags_restore(). + */ +static inline unsigned memalloc_flags_save(unsigned flags) +{ + unsigned oldflags = ~current->flags & flags; + current->flags |= flags; + return oldflags; +} + +static inline void memalloc_flags_restore(unsigned flags) +{ + current->flags &= ~flags; +} + /** * memalloc_noio_save - Marks implicit GFP_NOIO allocation scope. * @@ -319,9 +337,7 @@ static inline void might_alloc(gfp_t gfp_mask) */ static inline unsigned int memalloc_noio_save(void) { - unsigned int flags = current->flags & PF_MEMALLOC_NOIO; - current->flags |= PF_MEMALLOC_NOIO; - return flags; + return memalloc_flags_save(PF_MEMALLOC_NOIO); } /** @@ -334,7 +350,7 @@ static inline unsigned int memalloc_noio_save(void) */ static inline void memalloc_noio_restore(unsigned int flags) { - current->flags = (current->flags & ~PF_MEMALLOC_NOIO) | flags; + memalloc_flags_restore(flags); } /** @@ -350,9 +366,7 @@ static inline void memalloc_noio_restore(unsigned int flags) */ static inline unsigned int memalloc_nofs_save(void) { - unsigned int flags = current->flags & PF_MEMALLOC_NOFS; - current->flags |= PF_MEMALLOC_NOFS; - return flags; + return memalloc_flags_save(PF_MEMALLOC_NOFS); } /** @@ -365,32 +379,27 @@ static inline unsigned int memalloc_nofs_save(void) */ static inline void memalloc_nofs_restore(unsigned int flags) { - current->flags = (current->flags & ~PF_MEMALLOC_NOFS) | flags; + memalloc_flags_restore(flags); } static inline unsigned int memalloc_noreclaim_save(void) { - unsigned int flags = current->flags & PF_MEMALLOC; - current->flags |= PF_MEMALLOC; - return flags; + return memalloc_flags_save(PF_MEMALLOC); } static inline void memalloc_noreclaim_restore(unsigned int flags) { - current->flags = (current->flags & ~PF_MEMALLOC) | flags; + memalloc_flags_restore(flags); } static inline unsigned int memalloc_pin_save(void) { - unsigned int flags = current->flags & PF_MEMALLOC_PIN; - - current->flags |= PF_MEMALLOC_PIN; - return flags; + return memalloc_flags_save(PF_MEMALLOC_PIN); } static inline void memalloc_pin_restore(unsigned int flags) { - current->flags = (current->flags & ~PF_MEMALLOC_PIN) | flags; + memalloc_flags_restore(flags); } #ifdef CONFIG_MEMCG -- 2.39.2

1 month, 1 week

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror