summaryrefslogtreecommitdiff
path: root/fs
AgeCommit message (Collapse)Author
2026-04-02for_each_alias(): helper macro for iterating through dentries of given inodeAl Viro
Most of the places using d_alias are loops iterating through all aliases for given inode; introduce a helper macro (for_each_alias(dentry, inode)) and convert open-coded instances of such loop to it. They are easier to read that way and it reduces the noise on the next steps. You _must_ hold inode->i_lock over that thing. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2026-04-02fs/resctrl: Add "*" shorthand to set io_alloc CBM for all domainsAaron Tomlin
Configuring the io_alloc_cbm interface requires an explicit domain ID for each cache domain. On systems with high core counts and numerous cache clusters, this requirement becomes cumbersome for automation and management tasks that aim to apply a uniform policy. Introduce a wildcard domain ID selector "*" for the io_alloc_cbm interface. This enables users to set the same Capacity Bitmask (CBM) across all cache domains in a single operation. Signed-off-by: Aaron Tomlin <atomlin@atomlin.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Reviewed-by: Reinette Chatre <reinette.chatre@intel.com> Reviewed-by: Babu Moger <babu.moger@amd.com> Tested-by: Babu Moger <babu.moger@amd.com> Link: https://patch.msgid.link/20260325001159.447075-3-atomlin@atomlin.com
2026-04-02fs/resctrl: Report invalid domain ID when parsing io_alloc_cbmAaron Tomlin
The last_cmd_status file is intended to report details about the most recent resctrl filesystem operation, specifically to aid in diagnosing failures. However, when parsing io_alloc_cbm, if a user provides a domain ID that does not exist in the resource, the operation fails with -EINVAL without updating last_cmd_status. This results in inconsistent behaviour where the system call returns an error, but last_cmd_status misleadingly reports "ok", leaving the user unaware that the failure was caused by an invalid domain ID. Write an error message to last_cmd_status when the target domain ID cannot be found. Fixes: 28fa2cce7a83 ("fs/resctrl: Introduce interface to modify io_alloc capacity bitmasks") Suggested-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: Aaron Tomlin <atomlin@atomlin.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Reviewed-by: Reinette Chatre <reinette.chatre@intel.com> Reviewed-by: Babu Moger <babu.moger@amd.com> Tested-by: Babu Moger <babu.moger@amd.com> Link: https://patch.msgid.link/20260325001159.447075-2-atomlin@atomlin.com
2026-04-01exec: use strnlen() in __set_task_commThorsten Blum
Use strnlen() to limit source string scanning to 'TASK_COMM_LEN - 1' bytes. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://patch.msgid.link/20260401152039.724811-3-thorsten.blum@linux.dev Signed-off-by: Kees Cook <kees@kernel.org>
2026-04-01fuse: fix inode initialization raceHorst Birthelmer
Fix a race between fuse_iget() and fuse_reverse_inval_inode() where invalidation can arrive while an inode is being initialized, causing the invalidation to be lost. By keeping the inode state I_NEW as long as the attributes are not valid the invalidation can wait until the inode is fully initialized. Suggested-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Horst Birthelmer <hbirthelmer@ddn.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-03-31fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepathFredric Cover
When cifs_sanitize_prepath is called with an empty string or a string containing only delimiters (e.g., "/"), the current logic attempts to check *(cursor2 - 1) before cursor2 has advanced. This results in an out-of-bounds read. This patch adds an early exit check after stripping prepended delimiters. If no path content remains, the function returns NULL. The bug was identified via manual audit and verified using a standalone test case compiled with AddressSanitizer, which triggered a SEGV on affected inputs. Signed-off-by: Fredric Cover <FredTheDude@proton.me> Reviewed-by: Henrique Carvalho <[2]henrique.carvalho@suse.com> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-03-31pstore/ftrace: Keep ftrace module parameter and debugfs switch in syncGuilherme G. Piccoli
Commit a5d05b07961a ("pstore/ftrace: Allow immediate recording") introduced a kernel parameter to enable early-boot collection for ftrace frontend. But then, if we enable the debugfs later, the parameter remains set as N. This is not a biggie, things work fine; but at the same time, why not have both in sync if possible, right? Cc: Uwe Kleine-König <u.kleine-koenig@baylibre.com> Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com> Link: https://patch.msgid.link/20260301192704.1263589-1-gpiccoli@igalia.com Signed-off-by: Kees Cook <kees@kernel.org>
2026-03-31pstore/ram: fix resource leak when ioremap() failsCole Leavitt
In persistent_ram_iomap(), ioremap() or ioremap_wc() may return NULL on failure. Currently, if this happens, the function returns NULL without releasing the memory region acquired by request_mem_region(). This leads to a resource leak where the memory region remains reserved but unusable. Additionally, the caller persistent_ram_buffer_map() handles NULL correctly by returning -ENOMEM, but without this check, a NULL return combined with request_mem_region() succeeding leaves resources in an inconsistent state. This is the ioremap() counterpart to commit 05363abc7625 ("pstore: ram_core: fix incorrect success return when vmap() fails") which fixed a similar issue in the vmap() path. Fixes: 404a6043385d ("staging: android: persistent_ram: handle reserving and mapping memory") Signed-off-by: Cole Leavitt <cole@unwrap.rs> Link: https://patch.msgid.link/20260225235406.11790-1-cole@unwrap.rs Signed-off-by: Kees Cook <kees@kernel.org>
2026-03-31pstore/ramoops: Fix ECC parameter help textGuilherme G. Piccoli
In order to set ECC on ramoops, the parameter "ecc" should be used. The variable that carries this information is "ramoops_ecc". Due to some confusion in the parameter setting functions, modinfo ends-up showing both "ecc" and "ramoops_ecc" as valid parameters, but only "ecc" is the valid one, hence this fix to the parameter help text. Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com> Link: https://patch.msgid.link/20260218193940.912143-3-gpiccoli@igalia.com Signed-off-by: Kees Cook <kees@kernel.org>
2026-03-31pstore/ramoops: Remove useless memblock headerGuilherme G. Piccoli
Seems the linux/memblock.h inclusion was added early on due to usage of some memblock allocation routine. But that was removed, header was forgotten, hence let's remove that. Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com> Link: https://patch.msgid.link/20260218193940.912143-2-gpiccoli@igalia.com Signed-off-by: Kees Cook <kees@kernel.org>
2026-03-31pstore: fix ftrace dump, when ECC is enabledAndrey Skvortsov
total_size is sum of record->size and record->ecc_notice_size (ECC: No errors detected). When ECC is not used, then there is no problem. When ECC is enabled, then ftrace dump is decoded incorrectly after restart. First this affects starting offset calculation, that breaks reading of all ftrace records. CPU:66 ts:51646260179894273 3818ffff80008002 fe00ffff800080f0 0x3818ffff80008002 <- 0xfe00ffff800080f0 CPU:66 ts:56589664458375169 3818ffff80008002 ff02ffff800080f0 0x3818ffff80008002 <- 0xff02ffff800080f0 CPU:67 ts:13194139533313 afe4ffff80008002 1ffff800080f0 0xafe4ffff80008002 <- 0x1ffff800080f0 CPU:67 ts:13194139533313 b7d0ffff80008001 100ffff80008002 0xb7d0ffff80008001 <- 0x100ffff80008002 CPU:67 ts:51646260179894273 8de0ffff80008001 202ffff80008002 0x8de0ffff80008001 <- 0x202ffff80008002 Second ECC notice message is printed like ftrace record and as a result couple of last records are completely wrong. For example, when the starting offset is fixed: CPU:0 ts:113 ffffffc00879bd04 ffffffc0080dc08c cpuidle_enter <- do_idle+0x20c/0x290 CPU:0 ts:114 ffffffc00879bd04 ffffffc0080dc08c cpuidle_enter <- do_idle+0x20c/0x290 CPU:100 ts:28259048229270629 6f4e203a4343450a 2073726f72726520 0x6f4e203a4343450a <- 0x2073726f72726520 Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com> Tested-by: Guilherme G. Piccoli <gpiccoli@igalia.com> Link: https://patch.msgid.link/20260215185156.317394-1-andrej.skvortzov@gmail.com Signed-off-by: Kees Cook <kees@kernel.org>
2026-03-31nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()Deepanshu Kartikey
nilfs_ioctl_mark_blocks_dirty() uses bd_oblocknr to detect dead blocks by comparing it with the current block number bd_blocknr. If they differ, the block is considered dead and skipped. However, bd_oblocknr should never be 0 since block 0 typically stores the primary superblock and is never a valid GC target block. A corrupted ioctl request with bd_oblocknr set to 0 causes the comparison to incorrectly match when the lookup returns -ENOENT and sets bd_blocknr to 0, bypassing the dead block check and calling nilfs_bmap_mark() on a non-existent block. This causes nilfs_btree_do_lookup() to return -ENOENT, triggering the WARN_ON(ret == -ENOENT). Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the beginning of each iteration. [ryusuke: slightly modified the commit message and comments for accuracy] Fixes: 7942b919f732 ("nilfs2: ioctl operations") Reported-by: syzbot+98a040252119df0506f8@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=98a040252119df0506f8 Suggested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com> Reported-by: syzbot+466a45fcfb0562f5b9a0@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=466a45fcfb0562f5b9a0 Cc: Junjie Cao <junjie.cao@linux.dev> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
2026-03-31Merge tag 'fs_for_v7.0-rc7' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs Pull udf fix from Jan Kara: "Fix for a race in UDF that can lead to memory corruption" * tag 'fs_for_v7.0-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs: udf: Fix race between file type conversion and writeback mpage: Provide variant of mpage_writepages() with own optional folio handler
2026-03-31exfat: fix s_maxbytesDavid Timber
With fallocate support, xfstest unit generic/213 fails with QA output created by 213 We should get: fallocate: No space left on device Strangely, xfs_io sometimes says "Success" when something went wrong -fallocate: No space left on device +fallocate: File too large because sb->s_maxbytes is set to the volume size. To be in line with other non-extent-based filesystems, set to max volume size possible with the cluster size of the volume. Signed-off-by: David Timber <dxdt@dev.snart.me> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
2026-03-31xfs: return default quota limits for IDs without a dquotRavi Singh
When an ID has no dquot on disk, Q_XGETQUOTA returns -ENOENT even though default quota limits are configured and enforced against that ID. This means unprivileged users who have never used any resources cannot see the limits that apply to them. When xfs_qm_dqget() returns -ENOENT for a non-zero ID, return a zero-usage response with the default limits filled in from m_quotainfo rather than propagating the error. This is consistent with the enforcement behavior in xfs_qm_adjust_dqlimits(), which pushes the same default limits into a dquot when it is first allocated. Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Ravi Singh <ravising@redhat.com> Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Darrick J. Wong <djwong@kernel.org> Signed-off-by: Carlos Maiolino <cem@kernel.org>
2026-03-31cachefiles: fix incorrect dentry refcount in cachefiles_cull()NeilBrown
The patch mentioned below changed cachefiles_bury_object() to expect 2 references to the 'rep' dentry. Three of the callers were changed to use start_removing_dentry() which takes an extra reference so in those cases the call gets the expected references. However there is another call to cachefiles_bury_object() in cachefiles_cull() which did not need to be changed to use start_removing_dentry() and so was not properly considered. It still passed the dentry with just one reference so the net result is that a reference is lost. To meet the expectations of cachefiles_bury_object(), cachefiles_cull() must take an extra reference before the call. It will be dropped by cachefiles_bury_object(). Reported-by: Marc Dionne <marc.dionne@auristor.com> Fixes: 7bb1eb45e43c ("VFS: introduce start_removing_dentry()") Signed-off-by: NeilBrown <neil@brown.name> Link: https://patch.msgid.link/177456350181.1851489.16359967086642190170@noble.neil.brown.name Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org> Signed-off-by: Christian Brauner <brauner@kernel.org>
2026-03-31fs: hide file and bfile caches behind runtime const machineryMateusz Guzik
s/cachep/cache/ for consistency with namei and dentry caches. Signed-off-by: Mateusz Guzik <mjguzik@gmail.com> Link: https://patch.msgid.link/20260328173728.3388070-1-mjguzik@gmail.com Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org>
2026-03-31fs: write a better comment in step_into() concerning .mnt assignmentMateusz Guzik
Signed-off-by: Mateusz Guzik <mjguzik@gmail.com> Link: https://patch.msgid.link/20260328175841.3390950-1-mjguzik@gmail.com Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org>
2026-03-31btrfs: fix incorrect return value after changing leaf in ↵robbieko
lookup_extent_data_ref() After commit 1618aa3c2e01 ("btrfs: simplify return variables in lookup_extent_data_ref()"), the err and ret variables were merged into a single ret variable. However, when btrfs_next_leaf() returns 0 (success), ret is overwritten from -ENOENT to 0. If the first key in the next leaf does not match (different objectid or type), the function returns 0 instead of -ENOENT, making the caller believe the lookup succeeded when it did not. This can lead to operations on the wrong extent tree item, potentially causing extent tree corruption. Fix this by returning -ENOENT directly when the key does not match, instead of relying on the ret variable. Fixes: 1618aa3c2e01 ("btrfs: simplify return variables in lookup_extent_data_ref()") CC: stable@vger.kernel.org # 6.12+ Reviewed-by: Filipe Manana <fdmanana@suse.com> Signed-off-by: robbieko <robbieko@synology.com> Signed-off-by: Filipe Manana <fdmanana@suse.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com>
2026-03-30nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_mapDeepanshu Kartikey
The DAT inode's btree node cache (i_assoc_inode) is initialized lazily during btree operations. However, nilfs_mdt_save_to_shadow_map() assumes i_assoc_inode is already initialized when copying dirty pages to the shadow map during GC. If NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before any btree operation has occurred on the DAT inode, i_assoc_inode is NULL leading to a general protection fault. Fix this by calling nilfs_attach_btree_node_cache() on the DAT inode in nilfs_dat_read() at mount time, ensuring i_assoc_inode is always initialized before any GC operation can use it. Reported-by: syzbot+4b4093b1f24ad789bf37@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=4b4093b1f24ad789bf37 Tested-by: syzbot+4b4093b1f24ad789bf37@syzkaller.appspotmail.com Fixes: e897be17a441 ("nilfs2: fix lockdep warnings in page operations for btree nodes") Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
2026-03-30xfs: start gc on zonegc_low_space attribute updatesHans Holmberg
Start gc if the agressiveness of zone garbage collection is changed by the user (if the file system is not read only). Without this change, the new setting will not be taken into account until the gc thread is woken up by e.g. a write. Cc: stable@vger.kernel.org # v6.15 Fixes: 845abeb1f06a8a ("xfs: add tunable threshold parameter for triggering zone GC") Signed-off-by: Hans Holmberg <hans.holmberg@wdc.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Damien Le Moal <dlemoal@kernel.org> Signed-off-by: Carlos Maiolino <cem@kernel.org>
2026-03-30xfs: don't decrement the buffer LRU count for in-use buffersChristoph Hellwig
XFS buffers are added to the LRU when they are unused, but are only removed from the LRU lazily when the LRU list scan finds a used buffer. So far this only happen when the LRU counter hits 0, which is suboptimal as buffers that were added to the LRU, but are in use again still consume LRU scanning resources and are aged while actually in use. Fix this by checking for in-use buffers and removing the from the LRU before decrementing the LRU counter. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Darrick J. Wong <djwong@kernel.org> Signed-off-by: Carlos Maiolino <cem@kernel.org>
2026-03-30xfs: switch (back) to a per-buftarg buffer hashChristoph Hellwig
The per-AG buffer hashes were added when all buffer lookups took a per-hash look. Since then we've made lookups entirely lockless and removed the need for a hash-wide lock for inserts and removals as well. With this there is no need to sharding the hash, so reduce the used resources by using a per-buftarg hash for all buftargs. Long after writing this initially, syzbot found a problem in the buffer cache teardown order, which this happens to fix as well by doing the entire buffer cache teardown in one places instead of splitting it between destroying the buftarg and the perag structures. Link: https://lore.kernel.org/linux-xfs/aLeUdemAZ5wmtZel@dread.disaster.area/ Reported-by: syzbot+0391d34e801643e2809b@syzkaller.appspotmail.com Reviewed-by: Darrick J. Wong <djwong@kernel.org> Tested-by: syzbot+0391d34e801643e2809b@syzkaller.appspotmail.com Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Carlos Maiolino <cem@kernel.org>
2026-03-30xfs: use a lockref for the buffer reference countChristoph Hellwig
The lockref structure allows incrementing/decrementing counters like an atomic_t for the fast path, while still allowing complex slow path operations as if the counter was protected by a lock. The only slow path operations that actually need to take the lock are the final put, LRU evictions and marking a buffer stale. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Brian Foster <bfoster@redhat.com> Reviewed-by: Darrick J. Wong <djwong@kernel.org> Signed-off-by: Carlos Maiolino <cem@kernel.org>
2026-03-30xfs: don't keep a reference for buffers on the LRUChristoph Hellwig
Currently the buffer cache adds a reference to b_hold for buffers that are on the LRU. This seems to go all the way back and allows releasing buffers from the LRU using xfs_buf_rele. But it makes xfs_buf_rele really complicated in differs from how other LRUs are implemented in Linux. Switch to not having a reference for buffers in the LRU, and use a separate negative hold value to mark buffers as dead. This simplifies xfs_buf_rele, which now just deal with the last "real" reference, and prepares for using the lockref primitive. This also removes the b_lock protection for removing buffers from the buffer hash. This is the desired outcome because the rhashtable is fully internally synchronized, and previously the lock was mostly held out of ordering constrains in xfs_buf_rele_cached. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Brian Foster <bfoster@redhat.com> Reviewed-by: Darrick J. Wong <djwong@kernel.org> Signed-off-by: Carlos Maiolino <cem@kernel.org>
2026-03-30dax: add fsdev.c driver for fs-dax on character daxJohn Groves
The new fsdev driver provides pages/folios initialized compatibly with fsdax - normal rather than devdax-style refcounting, and starting out with order-0 folios. When fsdev binds to a daxdev, it is usually (always?) switching from the devdax mode (device.c), which pre-initializes compound folios according to its alignment. Fsdev uses fsdev_clear_folio_state() to switch the folios into a fsdax-compatible state. A side effect of this is that raw mmap doesn't (can't?) work on an fsdev dax instance. Accordingly, The fsdev driver does not provide raw mmap - devices must be put in 'devdax' mode (drivers/dax/device.c) to get raw mmap capability. In this commit is just the framework, which remaps pages/folios compatibly with fsdax. Enabling dax changes: - bus.h: add DAXDRV_FSDEV_TYPE driver type - bus.c: allow DAXDRV_FSDEV_TYPE drivers to bind to daxdevs - dax.h: prototype inode_dax(), which fsdev needs Suggested-by: Dan Williams <dan.j.williams@intel.com> Suggested-by: Gregory Price <gourry@gourry.net> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Signed-off-by: John Groves <john@groves.net> Link: https://patch.msgid.link/0100019d311cf904-419e9526-bdaf-4daa-97f1-5060b31a5c9f-000000@email.amazonses.com Signed-off-by: Ira Weiny <ira.weiny@intel.com>
2026-03-30dax: Factor out dax_folio_reset_order() helperJohn Groves
Both fs/dax.c:dax_folio_put() and drivers/dax/fsdev.c: fsdev_clear_folio_state() (the latter coming in the next commit after this one) contain nearly identical code to reset a compound DAX folio back to order-0 pages. Factor this out into a shared helper function. The new dax_folio_reset_order() function: - Clears the folio's mapping and share count - Resets compound folio state via folio_reset_order() - Clears PageHead and compound_head for each sub-page - Restores the pgmap pointer for each resulting order-0 folio - Returns the original folio order (for callers that need to advance by that many pages) Two intentional differences from the original dax_folio_put() logic: 1. folio->share is cleared unconditionally. This is correct because the DAX subsystem maintains the invariant that share != 0 only when mapping == NULL (enforced by dax_folio_make_shared()). dax_folio_put() ensures share has reached zero before calling this helper, so the unconditional clear is safe. 2. folio->pgmap is now explicitly restored for order-0 folios. For the dax_folio_put() caller this is a no-op (reads and writes back the same field). It is intentional for the upcoming fsdev_clear_folio_state() caller, which converts previously-compound folios and needs pgmap re-established for all pages regardless of order. This simplifies fsdev_clear_folio_state() from ~50 lines to ~15 lines. Suggested-by: Jonathan Cameron <jonathan.cameron@huawei.com> Reviewed-by: Ira Weiny <ira.weiny@intel.com> Reviewed-by: Dave Jiang <dave.jiang@intel.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Signed-off-by: John Groves <john@groves.net> Link: https://patch.msgid.link/0100019d311cc6b9-5be7428a-7f16-4774-8f90-a44b88ac5660-000000@email.amazonses.com Signed-off-by: Ira Weiny <ira.weiny@intel.com>
2026-03-30gfs2: bufdata allocation raceAndreas Gruenbacher
The locking in gfs2_trans_add_data() and gfs2_trans_add_meta() doesn't follow the usual coding pattern of checking bh->b_private under lock, allocating a new bufdata object with the locks dropped, and re-checking once the lock has been reacquired. Both functions set bh->b_private without holding the buffer lock. Fix that. Also, in gfs2_trans_add_meta(), taking the folio lock during the allocation doesn't actually do anything useful. Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2026-03-29ksmbd: fix OOB write in QUERY_INFO for compound requestsAsim Viladi Oglu Manizada
When a compound request such as READ + QUERY_INFO(Security) is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated buffer while building a security descriptor. The root cause was that smb2_get_info_sec() checked buffer space using ppntsd_size from xattr, while build_sec_desc() often synthesized a significantly larger descriptor from POSIX ACLs. This patch introduces smb_acl_sec_desc_scratch_len() to accurately compute the final descriptor size beforehand, performs proper buffer checking with smb2_calc_max_out_buf_len(), and uses exact-sized allocation + iov pinning. Cc: stable@vger.kernel.org Fixes: e2b76ab8b5c9 ("ksmbd: add support for read compound") Signed-off-by: Asim Viladi Oglu Manizada <manizada@pm.me> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-03-30erofs: harden h_shared_count in erofs_init_inode_xattrs()Utkal Singh
`u8 h_shared_count` indicates the shared xattr count of an inode. It is read from the on-disk xattr ibody header, which should be corrupted if the size of the shared xattr array exceeds the space available in `xattr_isize`. It does not cause harmful consequence (e.g. crashes), since the image is already considered corrupted, it indeed results in the silent processing of garbage metadata. Let's harden it to report -EFSCORRUPTED earlier. Signed-off-by: Utkal Singh <singhutkal015@gmail.com> Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com> Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
2026-03-29NFSD: Sign filehandlesBenjamin Coddington
NFS clients may bypass restrictive directory permissions by using open_by_handle() (or other available OS system call) to guess the filehandles for files below that directory. In order to harden knfsd servers against this attack, create a method to sign and verify filehandles using SipHash-2-4 as a MAC (Message Authentication Code). According to https://cr.yp.to/siphash/siphash-20120918.pdf, SipHash can be used as a MAC, and our use of SipHash-2-4 provides a low 1 in 2^64 chance of forgery. Filehandles that have been signed cannot be tampered with, nor can clients reasonably guess correct filehandles and hashes that may exist in parts of the filesystem they cannot access due to directory permissions. Append the 8 byte SipHash to encoded filehandles for exports that have set the "sign_fh" export option. Filehandles received from clients are verified by comparing the appended hash to the expected hash. If the MAC does not match the server responds with NFS error _STALE. If unsigned filehandles are received for an export with "sign_fh" they are rejected with NFS error _STALE. Signed-off-by: Benjamin Coddington <bcodding@hammerspace.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29NFSD/export: Add sign_fh export optionBenjamin Coddington
In order to signal that filehandles on this export should be signed, add a "sign_fh" export option. Filehandle signing can help the server defend against certain filehandle guessing attacks. Setting the "sign_fh" export option sets NFSEXP_SIGN_FH. In a future patch NFSD uses this signal to append a MAC onto filehandles for that export. While we're in here, tidy a few stray expflags to more closely align to the export flag order. Link: https://lore.kernel.org/linux-nfs/cover.1772022373.git.bcodding@hammerspace.com Signed-off-by: Benjamin Coddington <bcodding@hammerspace.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29NFSD: Add a key for signing filehandlesBenjamin Coddington
A future patch will enable NFSD to sign filehandles by appending a Message Authentication Code(MAC). To do this, NFSD requires a secret 128-bit key that can persist across reboots. A persisted key allows the server to accept filehandles after a restart. Enable NFSD to be configured with this key via the netlink interface. Link: https://lore.kernel.org/linux-nfs/cover.1772022373.git.bcodding@hammerspace.com Signed-off-by: Benjamin Coddington <bcodding@hammerspace.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29nfsd: use dynamic allocation for oversized NFSv4.0 replay cacheChuck Lever
Commit 1e8e9913672a ("nfsd: fix heap overflow in NFSv4.0 LOCK replay cache") capped the replay cache copy at NFSD4_REPLAY_ISIZE to prevent a heap overflow, but set rp_buflen to zero when the encoded response exceeded the inline buffer. A retransmitted LOCK reaching the replay path then produced only a status code with no operation body, resulting in a malformed XDR response. When the encoded response exceeds the 112-byte inline rp_ibuf, a buffer is kmalloc'd to hold it. If the allocation fails, rp_buflen remains zero, preserving the behavior from the capped-copy fix. The buffer is freed when the stateowner is released or when a subsequent operation's response fits in the inline buffer. Fixes: 1e8e9913672a ("nfsd: fix heap overflow in NFSv4.0 LOCK replay cache") Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29nfsd: convert global state_lock to per-net deleg_lockJeff Layton
Replace the global state_lock spinlock with a per-nfsd_net deleg_lock. The state_lock was only used to protect delegation lifecycle operations (the del_recall_lru list and delegation hash/unhash), all of which are scoped to a single network namespace. Making the lock per-net removes a source of unnecessary contention between containers. Signed-off-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Remove dead code from fs/lockd/xdr4.cChuck Lever
Now that all NLMv4 server-side procedures use XDR encoder and decoder functions generated by xdrgen, the hand-written code in fs/lockd/xdr4.c is no longer needed. This file contained the original XDR processing logic that has been systematically replaced throughout this series. Remove the file and its Makefile reference to eliminate the dead code. The helper function nlm4svc_set_file_lock_range() is still needed by the generated code, so move it to xdr4.h as an inline function where it remains accessible. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Remove C macros that are no longer usedChuck Lever
The conversion of all NLMv4 procedures to xdrgen-generated XDR functions is complete. The hand-rolled XDR size calculation macros (Ck, No, St, Rg) and the nlm_void structure definition served only the older implementations and are now unused. Also removes NLMDBG_FACILITY, which was set to the client debug flag in server-side code but never referenced, and corrects a comment to specify "NLMv4 Server procedures". Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Add LOCKD_SHARE_SVID constant for DOS sharing modeChuck Lever
Replace the magic value ~(u32)0 with a named constant. This value is used as a synthetic svid when looking up lockowners for DOS share operations, which have no real process ID associated with them. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Use xdrgen XDR functions for the NLMv4 FREE_ALL procedureChuck Lever
With all other NLMv4 procedures now converted to xdrgen-generated XDR functions, the FREE_ALL procedure can be converted as well. This conversion allows the removal of nlm4svc_retrieve_args(), a 79-line helper function that was used only by FREE_ALL to retrieve client information from lockd's internal data structures. Replace the NLMPROC4_FREE_ALL entry in the nlm_procedures4 array with an entry that uses xdrgen-built XDR decoders and encoders. The procedure handler is updated to use the new wrapper structure (nlm4_notify_wrapper) and call nlm4svc_lookup_host() directly, eliminating the need for the now-removed helper function. The .pc_argzero field is set to zero because xdrgen decoders fully initialize all fields in argp->xdrgen, making the early defensive memset unnecessary. The remaining argp fields that fall outside the xdrgen structures are cleared explicitly as needed. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Use xdrgen XDR functions for the NLMv4 NM_LOCK procedureChuck Lever
Now that nlm4svc_do_lock() has been introduced to handle both monitored and non-monitored lock requests, the NLMv4 NM_LOCK procedure can be converted to use xdrgen-generated XDR functions. This conversion allows the removal of __nlm4svc_proc_lock(), a helper function that was previously shared between the LOCK and NM_LOCK procedures. Replace the NLMPROC4_NM_LOCK entry in the nlm_procedures4 array with an entry that uses xdrgen-built XDR decoders and encoders. The procedure handler is updated to call nlm4svc_do_lock() directly and access arguments through the argp->xdrgen hierarchy. The .pc_argzero field is set to zero because xdrgen decoders fully initialize all fields in argp->xdrgen, making the early defensive memset unnecessary. The remaining argp fields that fall outside the xdrgen structures are cleared explicitly as needed. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Use xdrgen XDR functions for the NLMv4 UNSHARE procedureChuck Lever
Now that the share helpers have been decoupled from the NLMv3-specific struct nlm_args and file_lock initialization has been hoisted into the procedure handler, the NLMv4 UNSHARE procedure can be converted to use xdrgen-generated XDR functions. Replace the NLMPROC4_UNSHARE entry in the nlm_procedures4 array with an entry that uses xdrgen-built XDR decoders and encoders. The procedure handler is updated to use the new wrapper structures (nlm4_shareargs_wrapper and nlm4_shareres_wrapper) and access arguments through the argp->xdrgen hierarchy. The .pc_argzero field is set to zero because xdrgen decoders fully initialize all fields in argp->xdrgen, making the early defensive memset unnecessary. The remaining argp fields that fall outside the xdrgen structures are cleared explicitly as needed. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Use xdrgen XDR functions for the NLMv4 SHARE procedureChuck Lever
Now that the share helpers have been decoupled from the NLMv3-specific struct nlm_args and file_lock initialization has been hoisted into the procedure handler, the NLMv4 SHARE procedure can be converted to use xdrgen-generated XDR functions. Replace the NLMPROC4_SHARE entry in the nlm_procedures4 array with an entry that uses xdrgen-built XDR decoders and encoders. The procedure handler is updated to use the new wrapper structures (nlm4_shareargs_wrapper and nlm4_shareres_wrapper) and access arguments through the argp->xdrgen hierarchy. The .pc_argzero field is set to zero because xdrgen decoders fully initialize all fields in argp->xdrgen, making the early defensive memset unnecessary. The remaining argp fields that fall outside the xdrgen structures are cleared explicitly as needed. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Prepare share helpers for xdrgen conversionChuck Lever
In order to convert the NLMv4 server-side XDR functions to use xdrgen, the internal share helpers need to be decoupled from the NLMv3-specific struct nlm_args. NLMv4 procedures will use different argument structures once they are converted. Refactor nlmsvc_share_file() and nlmsvc_unshare_file() to accept individual arguments (oh, access, mode) instead of the common struct nlm_args. This allows both protocol versions to call these helpers without forcing a common argument structure. While here, add kdoc comments to both functions and fix a comment typo in the unshare path. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Hoist file_lock init out of nlm4svc_decode_shareargs()Chuck Lever
The xdrgen-generated XDR decoders cannot initialize the file_lock structure because it is an internal kernel type, not part of the wire protocol. To prepare for converting SHARE and UNSHARE procedures to use xdrgen, the file_lock initialization must be moved from nlm4svc_decode_shareargs() into the procedure handlers themselves. This change removes one more dependency on the "struct nlm_lock::fl" field in fs/lockd/xdr4.c, allowing the XDR decoder to focus solely on unmarshalling wire data. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Convert server-side undefined procedures to xdrgenChuck Lever
The NLMv4 protocol defines several procedure slots that are not implemented. These undefined procedures need proper handling to return rpc_proc_unavail to clients that mistakenly invoke them. This patch converts the three undefined procedure entries (slots 17, 18, and 19) to use xdrgen functions nlm4_svc_decode_void and nlm4_svc_encode_void. The nlm4svc_proc_unused function is also moved earlier in the file to follow the convention of placing procedure implementations before the procedure table. The pc_argsize, pc_ressize, and pc_argzero fields are now correctly set to zero since no arguments or results are processed. The pc_xdrressize field is updated to XDR_void to accurately reflect the response size. This conversion completes the migration of all NLMv4 server-side procedures to use xdrgen-generated XDR functions, improving type safety and eliminating hand-written XDR code. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Use xdrgen XDR functions for the NLMv4 SM_NOTIFY procedureChuck Lever
Convert the SM_NOTIFY procedure to use xdrgen functions nlm4_svc_decode_nlm4_notifyargs and nlm4_svc_encode_void. SM_NOTIFY is a private callback from statd to notify lockd when a remote host has rebooted. This patch introduces struct nlm4_notifyargs_wrapper to bridge between the xdrgen-generated nlm4_notifyargs and the nlm_reboot structure expected by nlm_host_rebooted(). The wrapper contains both the xdrgen-decoded arguments and a reboot field for the existing API. The pc_argzero field is set to zero because xdrgen decoders reliably initialize all arguments, making the early defensive memset unnecessary. This change also corrects the pc_xdrressize field, which previously contained a placeholder value. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Use xdrgen XDR functions for the NLMv4 GRANTED_RES procedureChuck Lever
Convert the GRANTED_RES procedure to use xdrgen functions nlm4_svc_decode_nlm4_res and nlm4_svc_encode_void. GRANTED_RES is a callback procedure where the client sends granted lock results back to the server after an async GRANTED request. The pc_argzero field is set to zero because xdrgen decoders reliably initialize all arguments, making the early defensive memset unnecessary. This change also corrects the pc_xdrressize field, which previously contained a placeholder value. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Use xdrgen XDR functions for the NLMv4 UNLOCK_RES procedureChuck Lever
Update the NLMPROC4_UNLOCK_RES entry in nlm_procedures4 to invoke xdrgen-generated XDR functions. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Use xdrgen XDR functions for the NLMv4 CANCEL_RES procedureChuck Lever
Convert the CANCEL_RES procedure to use xdrgen functions nlm4_svc_decode_nlm4_res and nlm4_svc_encode_void. CANCEL_RES is a callback procedure where the client sends cancel results back to the server after an async CANCEL request. The pc_argzero field is set to zero because xdrgen decoders reliably initialize all arguments, making the early defensive memset unnecessary. This change also corrects the pc_xdrressize field, which previously contained a placeholder value. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
2026-03-29lockd: Use xdrgen XDR functions for the NLMv4 LOCK_RES procedureChuck Lever
Convert the LOCK_RES procedure to use xdrgen functions nlm4_svc_decode_nlm4_res and nlm4_svc_encode_void. LOCK_RES is a callback procedure where the client sends lock results back to the server after an async LOCK request. The pc_argzero field is set to zero because xdrgen decoders reliably initialize all arguments, making the early defensive memset unnecessary. This change also corrects the pc_xdrressize field, which previously contained a placeholder value. Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>