Linux-stable-mirror

linux-stable-mirror@lists.linaro.org

284 participants
124114 discussions

[PATCH AUTOSEL 6.18-5.15] smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()

by Sasha Levin

From: ZhangGuoDong <zhangguodong(a)kylinos.cn> [ Upstream commit 7c28f8eef5ac5312794d8a52918076dcd787e53b ] When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close(). Signed-off-by: ZhangGuoDong <zhangguodong(a)kylinos.cn> Signed-off-by: ChenXiaoSong <chenxiaosong(a)kylinos.cn> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: ### 3. CLASSIFICATION **Bug Type:** Resource leak - This is clearly a **bug fix**, not a feature addition - When `ksmbd_iov_pin_rsp()` fails after `ksmbd_session_rpc_open()` succeeds, the RPC session is never closed - Resources leaked include: - The `ksmbd_session_rpc` structure memory - The IPC ID allocated via `ksmbd_ipc_id_alloc()` - Entry remains in the session's `rpc_handle_list` xarray ### 4. SCOPE AND RISK ASSESSMENT **Size:** Very small - 4 lines of actual code change - Line 1: `int id;` → `int id = -1;` (initialization to enable cleanup check) - Lines 2-3: Added `if (id >= 0) ksmbd_session_rpc_close(work->sess, id);` in error path **Risk:** Very low - Only affects the error path when `ksmbd_iov_pin_rsp()` fails - Standard cleanup pattern already used elsewhere in the codebase - Cannot affect normal (successful) operation **Subsystem:** ksmbd (kernel SMB server) - Mature component, been in mainline since Linux 5.15 - Has an active maintainer (Namjae Jeon) ### 5. USER IMPACT - **Who is affected:** Users running ksmbd as their SMB server - **Trigger condition:** Any time `ksmbd_iov_pin_rsp()` fails after opening an RPC pipe - **Severity:** Medium - resource leaks accumulate over time, can lead to system degradation or resource exhaustion under sustained error conditions - **Real-world likelihood:** Moderate - `ksmbd_iov_pin_rsp()` can fail with -ENOMEM under memory pressure ### 6. STABILITY INDICATORS - **Acked-by:** Namjae Jeon (ksmbd maintainer) - **Signed-off-by:** Steve French (SMB/CIFS maintainer) - The fix follows the existing pattern in the codebase (similar cleanup is done for `name` in the same error path) ### 7. DEPENDENCY CHECK - No dependencies on other commits - Uses `ksmbd_session_rpc_close()` which exists in all kernel versions with ksmbd (5.15+) - The affected code (`create_smb2_pipe()` and `ksmbd_iov_pin_rsp()`) exists in stable trees --- ## Conclusion This commit fixes a clear resource leak in the ksmbd SMB server. When the final step of creating an SMB pipe (`ksmbd_iov_pin_rsp()`) fails, the previously opened RPC session was never cleaned up, causing memory and ID leaks. **Why it should be backported:** 1. **Fixes a real bug** - Resource leaks are a well-known category of bugs that accumulate over time 2. **Obviously correct** - Standard error path cleanup pattern, mirrors how `name` is freed in the same path 3. **Small and surgical** - Only 4 lines changed, localized to one function 4. **Low risk** - Only affects error path, cannot break normal operation 5. **Maintainer acknowledgment** - Acked by ksmbd maintainer 6. **Affects stable trees** - ksmbd has been in-kernel since 5.15, stable users can hit this bug **Concerns:** None significant. The fix is trivial and follows established patterns. **YES** fs/smb/server/smb2pdu.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 6a94cda0927d..e052dcb9a14c 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2291,7 +2291,7 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) { struct smb2_create_rsp *rsp; struct smb2_create_req *req; - int id; + int id = -1; int err; char *name; @@ -2348,6 +2348,9 @@ static noinline int create_smb2_pipe(struct ksmbd_work *work) break; } + if (id >= 0) + ksmbd_session_rpc_close(work->sess, id); + if (!IS_ERR(name)) kfree(name); -- 2.51.0

2 days, 8 hours

FAILED: patch "[PATCH] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg()" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x be729f9de6c64240645dc80a24162ac4d3fe00a8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2026010529-blade-subsoil-11e8@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From be729f9de6c64240645dc80a24162ac4d3fe00a8 Mon Sep 17 00:00:00 2001 From: Thomas Zimmermann <tzimmermann(a)suse.de> Date: Mon, 29 Sep 2025 10:23:23 +0200 Subject: [PATCH] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() Remove psb_fbdev_fb_setcolreg(), which hasn't been called in almost a decade. Gma500 commit 4d8d096e9ae8 ("gma500: introduce the framebuffer support code") added the helper psb_fbdev_fb_setcolreg() for setting the fbdev palette via fbdev's fb_setcolreg callback. Later commit 3da6c2f3b730 ("drm/gma500: use DRM_FB_HELPER_DEFAULT_OPS for fb_ops") set several default helpers for fbdev emulation, including fb_setcmap. The fbdev subsystem always prefers fb_setcmap over fb_setcolreg. [1] Hence, the gma500 code is no longer in use and gma500 has been using drm_fb_helper_setcmap() for several years without issues. Fixes: 3da6c2f3b730 ("drm/gma500: use DRM_FB_HELPER_DEFAULT_OPS for fb_ops") Cc: Patrik Jakobsson <patrik.r.jakobsson(a)gmail.com> Cc: Stefan Christ <contact(a)stefanchrist.eu> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v4.10+ Link: https://elixir.bootlin.com/linux/v6.16.9/source/drivers/video/fbdev/core/fb… # [1] Signed-off-by: Thomas Zimmermann <tzimmermann(a)suse.de> Acked-by: Patrik Jakobsson <patrik.r.jakobsson(a)gmail.com> Link: https://lore.kernel.org/r/20250929082338.18845-1-tzimmermann@suse.de diff --git a/drivers/gpu/drm/gma500/fbdev.c b/drivers/gpu/drm/gma500/fbdev.c index 32d31e5f5f1a..a6af21514cff 100644 --- a/drivers/gpu/drm/gma500/fbdev.c +++ b/drivers/gpu/drm/gma500/fbdev.c @@ -50,48 +50,6 @@ static const struct vm_operations_struct psb_fbdev_vm_ops = { * struct fb_ops */ -#define CMAP_TOHW(_val, _width) ((((_val) << (_width)) + 0x7FFF - (_val)) >> 16) - -static int psb_fbdev_fb_setcolreg(unsigned int regno, - unsigned int red, unsigned int green, - unsigned int blue, unsigned int transp, - struct fb_info *info) -{ - struct drm_fb_helper *fb_helper = info->par; - struct drm_framebuffer *fb = fb_helper->fb; - uint32_t v; - - if (!fb) - return -ENOMEM; - - if (regno > 255) - return 1; - - red = CMAP_TOHW(red, info->var.red.length); - blue = CMAP_TOHW(blue, info->var.blue.length); - green = CMAP_TOHW(green, info->var.green.length); - transp = CMAP_TOHW(transp, info->var.transp.length); - - v = (red << info->var.red.offset) | - (green << info->var.green.offset) | - (blue << info->var.blue.offset) | - (transp << info->var.transp.offset); - - if (regno < 16) { - switch (fb->format->cpp[0] * 8) { - case 16: - ((uint32_t *) info->pseudo_palette)[regno] = v; - break; - case 24: - case 32: - ((uint32_t *) info->pseudo_palette)[regno] = v; - break; - } - } - - return 0; -} - static int psb_fbdev_fb_mmap(struct fb_info *info, struct vm_area_struct *vma) { if (vma->vm_pgoff != 0) @@ -135,7 +93,6 @@ static const struct fb_ops psb_fbdev_fb_ops = { .owner = THIS_MODULE, __FB_DEFAULT_IOMEM_OPS_RDWR, DRM_FB_HELPER_DEFAULT_OPS, - .fb_setcolreg = psb_fbdev_fb_setcolreg, __FB_DEFAULT_IOMEM_OPS_DRAW, .fb_mmap = psb_fbdev_fb_mmap, .fb_destroy = psb_fbdev_fb_destroy,

2 days, 9 hours

FAILED: patch "[PATCH] drm/mediatek: Fix probe resource leaks" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x 07c7c640a8eb9e196f357d15d88a59602a947197 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2026010554-disliking-demeanor-118d@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 07c7c640a8eb9e196f357d15d88a59602a947197 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan(a)kernel.org> Date: Tue, 23 Sep 2025 17:23:36 +0200 Subject: [PATCH] drm/mediatek: Fix probe resource leaks Make sure to unmap and release the component iomap and clock on probe failure (e.g. probe deferral) and on driver unbind. Note that unlike of_iomap(), devm_of_iomap() also checks whether the region is already mapped. Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") Cc: stable(a)vger.kernel.org # 4.7 Cc: CK Hu <ck.hu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Link: https://patchwork.kernel.org/project/dri-devel/patch/20250923152340.18234-2… Signed-off-by: Chun-Kuang Hu <chunkuang.hu(a)kernel.org> diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c index ac6620e10262..0264017806ad 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c @@ -621,15 +621,20 @@ int mtk_find_possible_crtcs(struct drm_device *drm, struct device *dev) return ret; } -int mtk_ddp_comp_init(struct device_node *node, struct mtk_ddp_comp *comp, +static void mtk_ddp_comp_clk_put(void *_clk) +{ + struct clk *clk = _clk; + + clk_put(clk); +} + +int mtk_ddp_comp_init(struct device *dev, struct device_node *node, struct mtk_ddp_comp *comp, unsigned int comp_id) { struct platform_device *comp_pdev; enum mtk_ddp_comp_type type; struct mtk_ddp_comp_dev *priv; -#if IS_REACHABLE(CONFIG_MTK_CMDQ) int ret; -#endif if (comp_id >= DDP_COMPONENT_DRM_ID_MAX) return -EINVAL; @@ -670,11 +675,18 @@ int mtk_ddp_comp_init(struct device_node *node, struct mtk_ddp_comp *comp, if (!priv) return -ENOMEM; - priv->regs = of_iomap(node, 0); + priv->regs = devm_of_iomap(dev, node, 0, NULL); + if (IS_ERR(priv->regs)) + return PTR_ERR(priv->regs); + priv->clk = of_clk_get(node, 0); if (IS_ERR(priv->clk)) return PTR_ERR(priv->clk); + ret = devm_add_action_or_reset(dev, mtk_ddp_comp_clk_put, priv->clk); + if (ret) + return ret; + #if IS_REACHABLE(CONFIG_MTK_CMDQ) ret = cmdq_dev_get_client_reg(comp->dev, &priv->cmdq_reg, 0); if (ret) diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.h b/drivers/gpu/drm/mediatek/mtk_ddp_comp.h index 7289b3dcf22f..3f3d43f4330d 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.h +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.h @@ -350,7 +350,7 @@ static inline void mtk_ddp_comp_encoder_index_set(struct mtk_ddp_comp *comp) int mtk_ddp_comp_get_id(struct device_node *node, enum mtk_ddp_comp_type comp_type); int mtk_find_possible_crtcs(struct drm_device *drm, struct device *dev); -int mtk_ddp_comp_init(struct device_node *comp_node, struct mtk_ddp_comp *comp, +int mtk_ddp_comp_init(struct device *dev, struct device_node *comp_node, struct mtk_ddp_comp *comp, unsigned int comp_id); enum mtk_ddp_comp_type mtk_ddp_comp_get_type(unsigned int comp_id); void mtk_ddp_write(struct cmdq_pkt *cmdq_pkt, unsigned int value, diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c index eb5537f0ac90..384b0510272c 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c @@ -1133,7 +1133,7 @@ static int mtk_drm_probe(struct platform_device *pdev) (void *)private->mmsys_dev, sizeof(*private->mmsys_dev)); private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR].dev = &ovl_adaptor->dev; - mtk_ddp_comp_init(NULL, &private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR], + mtk_ddp_comp_init(dev, NULL, &private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR], DDP_COMPONENT_DRM_OVL_ADAPTOR); component_match_add(dev, &match, compare_dev, &ovl_adaptor->dev); } @@ -1199,7 +1199,7 @@ static int mtk_drm_probe(struct platform_device *pdev) node); } - ret = mtk_ddp_comp_init(node, &private->ddp_comp[comp_id], comp_id); + ret = mtk_ddp_comp_init(dev, node, &private->ddp_comp[comp_id], comp_id); if (ret) { of_node_put(node); goto err_node;

2 days, 9 hours

[PATCH] ext4: publish jinode after initialization

by Li Chen

ext4_inode_attach_jinode() publishes ei->jinode to concurrent users. It assigned ei->jinode before calling jbd2_journal_init_jbd_inode(). This allows another thread to observe a non-NULL jinode with i_vfs_inode still unset. The fast commit flush path can then pass this jinode to jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and may crash. Below is the crash I observe: ``` BUG: unable to handle page fault for address: 000000010beb47f4 PGD 110e51067 P4D 110e51067 PUD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014 RIP: 0010:xas_find_marked+0x3d/0x2e0 Code: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02 RSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246 RAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003 RDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10 RBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec R10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000 R13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88 FS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> filemap_get_folios_tag+0x87/0x2a0 __filemap_fdatawait_range+0x5f/0xd0 ? srso_alias_return_thunk+0x5/0xfbef5 ? __schedule+0x3e7/0x10c0 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 ? cap_safe_nice+0x37/0x70 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 filemap_fdatawait_range_keep_errors+0x12/0x40 ext4_fc_commit+0x697/0x8b0 ? ext4_file_write_iter+0x64b/0x950 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 ? vfs_write+0x356/0x480 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ext4_sync_file+0xf7/0x370 do_fsync+0x3b/0x80 ? syscall_trace_enter+0x108/0x1d0 __x64_sys_fdatasync+0x16/0x20 do_syscall_64+0x62/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ... ``` To fix this issue, initialize the jbd2_inode first and only then publish the pointer with smp_store_release(). Use smp_load_acquire() at the read sites to pair with the release and ensure the initialized fields are visible. On x86 (TSO), the crash should primarily be due to the logical early publish window (another CPU can run between the store and initialization). x86 also relies on compiler ordering; the acquire/release helpers include the necessary compiler barriers while keeping the fast-path cheap. On weakly-ordered architectures (e.g. arm64/ppc), plain "init; store ptr" is not sufficient: without release/acquire, a reader may observe the pointer while still missing prior initialization stores. The explicit pairing makes this publish/consume relationship correct under LKMM. Fixes: a361293f5fede ("jbd2: Fix oops in jbd2_journal_file_inode()") Cc: stable(a)vger.kernel.org Signed-off-by: Li Chen <me(a)linux.beauty> --- fs/ext4/ext4_jbd2.h | 18 ++++++++++++++---- fs/ext4/fast_commit.c | 9 +++++++-- fs/ext4/inode.c | 15 +++++++++++---- fs/ext4/super.c | 10 +++++++--- 4 files changed, 39 insertions(+), 13 deletions(-) diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h index 63d17c5201b5..3bc79b894130 100644 --- a/fs/ext4/ext4_jbd2.h +++ b/fs/ext4/ext4_jbd2.h @@ -336,18 +336,28 @@ static inline int ext4_journal_force_commit(journal_t *journal) static inline int ext4_jbd2_inode_add_write(handle_t *handle, struct inode *inode, loff_t start_byte, loff_t length) { - if (ext4_handle_valid(handle)) + if (ext4_handle_valid(handle)) { + struct jbd2_inode *jinode; + + /* Pairs with smp_store_release() in ext4_inode_attach_jinode(). */ + jinode = smp_load_acquire(&EXT4_I(inode)->jinode); return jbd2_journal_inode_ranged_write(handle, - EXT4_I(inode)->jinode, start_byte, length); + jinode, start_byte, length); + } return 0; } static inline int ext4_jbd2_inode_add_wait(handle_t *handle, struct inode *inode, loff_t start_byte, loff_t length) { - if (ext4_handle_valid(handle)) + if (ext4_handle_valid(handle)) { + struct jbd2_inode *jinode; + + /* Pairs with smp_store_release() in ext4_inode_attach_jinode(). */ + jinode = smp_load_acquire(&EXT4_I(inode)->jinode); return jbd2_journal_inode_ranged_wait(handle, - EXT4_I(inode)->jinode, start_byte, length); + jinode, start_byte, length); + } return 0; } diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c index a6e79b3f1b48..3f148c048a6f 100644 --- a/fs/ext4/fast_commit.c +++ b/fs/ext4/fast_commit.c @@ -1087,16 +1087,21 @@ static int ext4_fc_flush_data(journal_t *journal) struct super_block *sb = journal->j_private; struct ext4_sb_info *sbi = EXT4_SB(sb); struct ext4_inode_info *ei; + struct jbd2_inode *jinode; int ret = 0; list_for_each_entry(ei, &sbi->s_fc_q[FC_Q_MAIN], i_fc_list) { - ret = jbd2_submit_inode_data(journal, ei->jinode); + /* Pairs with smp_store_release() in ext4_inode_attach_jinode(). */ + jinode = smp_load_acquire(&ei->jinode); + ret = jbd2_submit_inode_data(journal, jinode); if (ret) return ret; } list_for_each_entry(ei, &sbi->s_fc_q[FC_Q_MAIN], i_fc_list) { - ret = jbd2_wait_inode_data(journal, ei->jinode); + /* Pairs with smp_store_release() in ext4_inode_attach_jinode(). */ + jinode = smp_load_acquire(&ei->jinode); + ret = jbd2_wait_inode_data(journal, jinode); if (ret) return ret; } diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 78ea864fa8cd..74b189c10f2b 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -126,6 +126,9 @@ void ext4_inode_csum_set(struct inode *inode, struct ext4_inode *raw, static inline int ext4_begin_ordered_truncate(struct inode *inode, loff_t new_size) { + /* Pairs with smp_store_release() in ext4_inode_attach_jinode(). */ + struct jbd2_inode *jinode = smp_load_acquire(&EXT4_I(inode)->jinode); + trace_ext4_begin_ordered_truncate(inode, new_size); /* * If jinode is zero, then we never opened the file for @@ -133,10 +136,10 @@ static inline int ext4_begin_ordered_truncate(struct inode *inode, * jbd2_journal_begin_ordered_truncate() since there's no * outstanding writes we need to flush. */ - if (!EXT4_I(inode)->jinode) + if (!jinode) return 0; return jbd2_journal_begin_ordered_truncate(EXT4_JOURNAL(inode), - EXT4_I(inode)->jinode, + jinode, new_size); } @@ -4497,8 +4500,12 @@ int ext4_inode_attach_jinode(struct inode *inode) spin_unlock(&inode->i_lock); return -ENOMEM; } - ei->jinode = jinode; - jbd2_journal_init_jbd_inode(ei->jinode, inode); + jbd2_journal_init_jbd_inode(jinode, inode); + /* + * Publish ->jinode only after it is fully initialized so that + * readers never observe a partially initialized jbd2_inode. + */ + smp_store_release(&ei->jinode, jinode); jinode = NULL; } spin_unlock(&inode->i_lock); diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 43f1ac6e8559..a3f015129c00 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -1513,16 +1513,20 @@ static void destroy_inodecache(void) void ext4_clear_inode(struct inode *inode) { + struct jbd2_inode *jinode; + ext4_fc_del(inode); invalidate_inode_buffers(inode); clear_inode(inode); ext4_discard_preallocations(inode); ext4_es_remove_extent(inode, 0, EXT_MAX_BLOCKS); dquot_drop(inode); - if (EXT4_I(inode)->jinode) { + /* Pairs with smp_store_release() in ext4_inode_attach_jinode(). */ + jinode = smp_load_acquire(&EXT4_I(inode)->jinode); + if (jinode) { jbd2_journal_release_jbd_inode(EXT4_JOURNAL(inode), - EXT4_I(inode)->jinode); - jbd2_free_inode(EXT4_I(inode)->jinode); + jinode); + jbd2_free_inode(jinode); EXT4_I(inode)->jinode = NULL; } fscrypt_put_encryption_info(inode); -- 2.52.0

2 days, 9 hours

FAILED: patch "[PATCH] drm/mediatek: Fix probe memory leak" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 5e49200593f331cd0629b5376fab9192f698e8ef # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2026010516-unfrosted-serotonin-e7b7@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 5e49200593f331cd0629b5376fab9192f698e8ef Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan(a)kernel.org> Date: Tue, 23 Sep 2025 17:23:37 +0200 Subject: [PATCH] drm/mediatek: Fix probe memory leak The Mediatek DRM driver allocates private data for components without a platform driver but as the lifetime is tied to each component device, the memory is never freed. Tie the allocation lifetime to the DRM platform device so that the memory is released on probe failure (e.g. probe deferral) and when the driver is unbound. Fixes: c0d36de868a6 ("drm/mediatek: Move clk info from struct mtk_ddp_comp to sub driver private data") Cc: stable(a)vger.kernel.org # 5.12 Cc: CK Hu <ck.hu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Link: https://patchwork.kernel.org/project/dri-devel/patch/20250923152340.18234-3… Signed-off-by: Chun-Kuang Hu <chunkuang.hu(a)kernel.org> diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c index 0264017806ad..31d67a131c50 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c @@ -671,7 +671,7 @@ int mtk_ddp_comp_init(struct device *dev, struct device_node *node, struct mtk_d type == MTK_DSI) return 0; - priv = devm_kzalloc(comp->dev, sizeof(*priv), GFP_KERNEL); + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); if (!priv) return -ENOMEM;

2 days, 12 hours

FAILED: patch "[PATCH] drm/mediatek: Fix probe memory leak" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

2 days, 12 hours

FAILED: patch "[PATCH] drm/mediatek: Fix probe memory leak" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

2 days, 12 hours

FAILED: patch "[PATCH] drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

2 days, 12 hours

FAILED: patch "[PATCH] drm/amdgpu: Forward VMID reservation errors" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

2 days, 12 hours

FAILED: patch "[PATCH] wifi: mac80211: Discard Beacon frames to non-broadcast" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 193d18f60588e95d62e0f82b6a53893e5f2f19f8 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2026010524-editor-spinner-7ecb@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 193d18f60588e95d62e0f82b6a53893e5f2f19f8 Mon Sep 17 00:00:00 2001 From: Jouni Malinen <jouni.malinen(a)oss.qualcomm.com> Date: Mon, 15 Dec 2025 17:11:34 +0200 Subject: [PATCH] wifi: mac80211: Discard Beacon frames to non-broadcast address Beacon frames are required to be sent to the broadcast address, see IEEE Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame shall be set to the broadcast address"). A unicast Beacon frame might be used as a targeted attack to get one of the associated STAs to do something (e.g., using CSA to move it to another channel). As such, it is better have strict filtering for this on the received side and discard all Beacon frames that are sent to an unexpected address. This is even more important for cases where beacon protection is used. The current implementation in mac80211 is correctly discarding unicast Beacon frames if the Protected Frame bit in the Frame Control field is set to 0. However, if that bit is set to 1, the logic used for checking for configured BIGTK(s) does not actually work. If the driver does not have logic for dropping unicast Beacon frames with Protected Frame bit 1, these frames would be accepted in mac80211 processing as valid Beacon frames even though they are not protected. This would allow beacon protection to be bypassed. While the logic for checking beacon protection could be extended to cover this corner case, a more generic check for discard all Beacon frames based on A1=unicast address covers this without needing additional changes. Address all these issues by dropping received Beacon frames if they are sent to a non-broadcast address. Cc: stable(a)vger.kernel.org Fixes: af2d14b01c32 ("mac80211: Beacon protection using the new BIGTK (STA)") Signed-off-by: Jouni Malinen <jouni.malinen(a)oss.qualcomm.com> Link: https://patch.msgid.link/20251215151134.104501-1-jouni.malinen@oss.qualcomm… Signed-off-by: Johannes Berg <johannes.berg(a)intel.com> diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 6a1899512d07..e0ccd9749853 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -3511,6 +3511,11 @@ ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx) rx->skb->len < IEEE80211_MIN_ACTION_SIZE) return RX_DROP_U_RUNT_ACTION; + /* Drop non-broadcast Beacon frames */ + if (ieee80211_is_beacon(mgmt->frame_control) && + !is_broadcast_ether_addr(mgmt->da)) + return RX_DROP; + if (rx->sdata->vif.type == NL80211_IFTYPE_AP && ieee80211_is_beacon(mgmt->frame_control) && !(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {

2 days, 12 hours

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror