summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-16smb: add common SMB2 compression transform helpersNamjae Jeon
Implement common validation, compression and decompression for SMB2 compression transforms. Support unchained LZ77 and chained NONE, LZ77 and Pattern_V1 payloads. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16smb: move LZ77 compression into common codeNamjae Jeon
Move the LZ77 codec in cifs.ko to smb/common/ so both the SMB client and ksmbd can use it. Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16ksmbd: add per-handle permission check to FILE_LINK_INFORMATIONGil Portnoy
The FILE_LINK_INFORMATION arm of smb2_set_info_file() calls smb2_create_link() with no per-handle fp->daccess check. On the ReplaceIfExists path smb2_create_link() unlinks an existing file at the target name (ksmbd_vfs_remove_file) and creates a hardlink (ksmbd_vfs_link); neither helper checks daccess. A handle opened with FILE_READ_DATA only (no FILE_DELETE, no FILE_WRITE_DATA) can therefore delete an arbitrary file in the share and plant a hardlink over its name. The sibling delete/move arms in the same switch already gate: FILE_RENAME_INFORMATION and FILE_DISPOSITION_INFORMATION both require FILE_DELETE_LE; FILE_FULL_EA_INFORMATION requires FILE_WRITE_EA_LE. Gate the link arm the same way as its closest analogue (rename), since it mutates the namespace and, on replace, deletes an existing entry. This is a sibling of commit cc57232cae23 ("ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE"). Cc: stable@vger.kernel.org Signed-off-by: Gil Portnoy <dddhkts1@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16ksmbd: add a permission check for FSCTL_SET_ZERO_DATAGil Portnoy
FSCTL_SET_ZERO_DATA in smb2_ioctl() destroys file data via ksmbd_vfs_zero_data() -> vfs_fallocate(PUNCH_HOLE/ZERO_RANGE) after checking only the share-level KSMBD_TREE_CONN_FLAG_WRITABLE, with no per-handle access check. A handle opened with only FILE_WRITE_ATTRIBUTES still yields an FMODE_WRITE filp (FILE_WRITE_ATTRIBUTES is part of FILE_WRITE_DESIRE_ACCESS_LE, so smb2_create_open_flags() opens it O_WRONLY), so the vfs_fallocate FMODE_WRITE check does not stop it; only the missing fp->daccess gate would. Reproduced on mainline 7.1-rc7 with KASAN by an authenticated SMB client: a FILE_WRITE_ATTRIBUTES-only handle zeroed 4096 bytes of file data it had no FILE_WRITE_DATA right to (6/6; a FILE_READ_DATA-only handle was correctly denied). This is the unfixed sibling of commit cc57232cae23 ("ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE"). Because SET_ZERO_DATA writes data (not an attribute), require FILE_WRITE_DATA. Cc: stable@vger.kernel.org Signed-off-by: Gil Portnoy <dddhkts1@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16ksmbd: add a WRITE_DAC/WRITE_OWNER check to SMB2 SET_INFO SECURITYGil Portnoy
commit cc57232cae23 ("ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE") added a fp->daccess gate to fsctl_set_sparse and noted that "similar handle-level checks exist in other functions but are missing here." The SMB2 SET_INFO SECURITY arm is one of the missing ones, and the most security-relevant: smb2_set_info_sec() calls set_info_sec() with no per-handle access check. set_info_sec() (fs/smb/server/smbacl.c) re-permissions the file: it rewrites owner/group/mode via notify_change(), rewrites the POSIX ACL via set_posix_acl(), and on KSMBD_SHARE_FLAG_ACL_XATTR shares removes and rewrites the Windows security descriptor via ksmbd_vfs_set_sd_xattr(). Every other persistent-mutation arm of the sibling handler smb2_set_info_file() checks fp->daccess first (FILE_WRITE_DATA / FILE_DELETE / FILE_WRITE_EA / FILE_WRITE_ATTRIBUTES); the SECURITY arm — which mutates the access control itself — is the only one with no gate. A client can therefore open a handle with FILE_WRITE_ATTRIBUTES only (no FILE_WRITE_DAC / FILE_WRITE_OWNER) and use SMB2_SET_INFO with InfoType SMB2_O_INFO_SECURITY to rewrite the file's DACL and owner, granting itself access the handle's daccess never carried. Unlike the FSCTL data arms this is a metadata/xattr operation, so there is no FMODE_WRITE VFS backstop — the missing fp->daccess check is the entire gate. Setting a security descriptor is the WRITE_DAC / WRITE_OWNER operation, so require at least one of those on the handle before re-permissioning the file. -EACCES is mapped to STATUS_ACCESS_DENIED by smb2_set_info(). Cc: stable@vger.kernel.org Signed-off-by: Gil Portnoy <dddhkts1@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16ksmbd: fix use-after-free of a deferred file_lock on SMB2_CLOSE then SMB2_CANCELGil Portnoy
Commit f580d27e8928 ("ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL") made smb2_cancel() skip a work whose state is KSMBD_WORK_CANCELLED, so its cancel_fn cannot be fired a second time. But KSMBD_WORK has three states (ACTIVE, CANCELLED, CLOSED), and the same freeing producer path is reached for CLOSED too: SMB2_CLOSE on the locking handle -> set_close_state_blocked_works() sets the deferred work's state to KSMBD_WORK_CLOSED and wakes the smb2_lock() worker. The worker takes the non-ACTIVE early-exit, locks_free_lock()s the file_lock and, because the state is not KSMBD_WORK_CANCELLED, takes the STATUS_RANGE_NOT_LOCKED branch with "goto out2" -- which, like the cancelled branch, skips release_async_work(). The work stays on conn->async_requests with a live cancel_fn = smb2_remove_blocked_lock pointing at the freed file_lock. A subsequent SMB2_CANCEL for the same AsyncId then passes the KSMBD_WORK_CANCELLED-only guard (its state is KSMBD_WORK_CLOSED), so smb2_cancel() fires cancel_fn again over the freed file_lock -- the same use-after-free fixed, via SMB2_CLOSE instead of a first SMB2_CANCEL: BUG: KASAN: slab-use-after-free in __locks_delete_block __locks_delete_block locks_delete_block ksmbd_vfs_posix_lock_unblock smb2_remove_blocked_lock smb2_cancel <- 2nd SMB2_CANCEL fires cancel_fn handle_ksmbd_work Allocated by ...: locks_alloc_lock <- smb2_lock Freed by ...: locks_free_lock <- smb2_lock (non-ACTIVE early-exit) ... cache file_lock_cache of size 192 Reproduced on mainline 7.1-rc7 (which already contains f580d27e8928) with KASAN by an authenticated SMB client; the double-SMB2_CANCEL control is silent on that kernel, so the splat is attributable to the CLOSE trigger. Only an ACTIVE deferred work may have its cancel_fn fired: both terminal states (CANCELLED and CLOSED) reach the smb2_lock() early-exit that frees the file_lock and skips release_async_work(). Guard on KSMBD_WORK_ACTIVE so any non-active work is skipped. Fixes: f580d27e8928 ("ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL") Cc: stable@vger.kernel.org Signed-off-by: Gil Portnoy <dddhkts1@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16smb: server: remove code guarded by nonexistent config optionEthan Nelson-Moore
A small piece of code in fs/smb/server/smb_common.c depends on CONFIG_SMB_INSECURE_SERVER, which has never been defined in the mainline kernel, but was present in old out-of-tree versions of ksmbd. Remove this dead code. Discovered while searching for CONFIG_* symbols referenced in code but not defined in any Kconfig file. Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16smb/server: fix incorrect file size in get_file_compression_info()ChenXiaoSong
Before this patch, we got the wrong file size: - client: touch /mnt/file - client: smbinfo setcompression default /mnt/file - client: dd if=/dev/zero of=/mnt/file bs=1 count=1000 - client: smbinfo filecompressioninfo /mnt/file Compressed File Size: 4096 Compression Format: 2 (LZNT1) After this patch, we get the correct file size: - client: smbinfo filecompressioninfo /mnt/file Compressed File Size: 1000 Compression Format: 2 (LZNT1) Note that the actual compressed file size must be got by other methods. For Btrfs, use the following command to get actual compressed file size: - server: compsize /export/file Processed 1 file, 0 regular extents (0 refs), 1 inline. Type Perc Disk Usage Uncompressed Referenced TOTAL 4% 47B 1000B 1000B zlib 4% 47B 1000B 1000B Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16smb/server: get compression format in get_file_compression_info()ChenXiaoSong
I have added `filecompressioninfo` subcommand to `smbinfo` in cifs-utils.git. Example: 1. client: smbinfo setcompression lznt1 /mnt/file 2. client: smbinfo filecompressioninfo /mnt/file Compressed File Size: 104857600 Compression Format: 2 (LZNT1) Compression Unit Shift: 0 Chunk Shift: 0 Cluster Shift: 0 Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16smb/server: implement FSCTL_SET_COMPRESSION ioctl handlerChenXiaoSong
Example: 1. client: smbinfo setcompression no /mnt/file 2. client: smbinfo getcompression /mnt/file Compression: 0 (NONE) 3. client: smbinfo setcompression lznt1 /mnt/file 4. client: smbinfo getcompression /mnt/file Compression: 2 (LZNT1) 5. client: smbinfo setcompression default /mnt/file 6. client: smbinfo getcompression /mnt/file Compression: 2 (LZNT1) Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16smb/server: implement FSCTL_GET_COMPRESSION ioctl handlerChenXiaoSong
Example: 1. server: chattr +c /export/file 2. client: smbinfo getcompression /mnt/file Compression: 2 (LZNT1) Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16smb/server: get compression file attribute on openChenXiaoSong
Example: 1. server: chattr +c /export/file 2. client: lsattr /mnt/file --------c------------- /mnt/file Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16smb: move compression definitions into common/fscc.hChenXiaoSong
These definitions will also be used by ksmbd, move them into common header file. Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16smb: remove duplicate server/smbfsctl.hChenXiaoSong
Rename the following places: - FSCTL_COPYCHUNK -> FSCTL_SRV_COPYCHUNK - FSCTL_COPYCHUNK_WRITE -> FSCTL_SRV_COPYCHUNK_WRITE - FSCTL_REQUEST_RESUME_KEY -> FSCTL_SRV_REQUEST_RESUME_KEY server/smbfsctl.h contains the following additional definitions compared to common/smbfsctl.h: - IO_REPARSE_TAG_LX_SYMLINK_LE - IO_REPARSE_TAG_AF_UNIX_LE - IO_REPARSE_TAG_LX_FIFO_LE - IO_REPARSE_TAG_LX_CHR_LE - IO_REPARSE_TAG_LX_BLK_LE Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16ksmbd: prevent path traversal bypass by restricting caseless retryNamjae Jeon
ksmbd_vfs_path_lookup() enforces LOOKUP_BENEATH to restrict path resolution within the share root. When a crafted path attempts to escape the share boundary using parent-directory components ('..'), vfs_path_parent_lookup() detects this and immediately fails, returning -EXDEV. However, a bug exists in __ksmbd_vfs_kern_path() under caseless mode. The function fails to intercept the -EXDEV error and erroneously falls through to the caseless retry logic, which is intended only for genuinely missing files. During this retry process, the path is reconstructed, leading to an unintended LOOKUP_BENEATH bypass that allows write-capable users to create zero-length files or directories outside the exported share. Fix this by ensuring that the execution only proceeds to the caseless lookup retry when the error is specifically -ENOENT. Any other errors, such as -EXDEV from a path traversal attempt, must be returned immediately. Cc: stable@vger.kernel.org Reported-by: Y s65 <yu4ys@outlook.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16ksmbd: fix UAF of struct file_lock in SMB2_LOCK deferred-lock cancellationDavide Ornaghi
When a blocking byte-range lock request is deferred in the FILE_LOCK_DEFERRED path, ksmbd registers the asynchronous work into the connection's async_requests list via setup_async_work(). The cancel callback smb2_remove_blocked_lock() holds a reference to the flock. If the lock waiter is subsequently woken up but the work state is no longer KSMBD_WORK_ACTIVE (e.g., due to a concurrent cancellation), the cleanup path calls locks_free_lock(flock) without dequeuing the work from the async_requests list. Concurrently, smb2_cancel() walks the list under conn->request_lock and invokes the cancel callback, which then dereferences the already freed 'flock'. This leads to a slab-use-after-free inside __wake_up_common. Fix this by restructuring the cleanup logic after the worker returns from ksmbd_vfs_posix_lock_wait(). Move list_del(&smb_lock->llist) and release_async_work(work) to the top of the cleanup block. This guarantees that the async work is completely dequeued and serialized under conn->request_lock before locks_free_lock(flock) is called, rendering the flock unreachable for any concurrent smb2_cancel(). Cc: stable@vger.kernel.org Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16ksmbd: fix use-after-free in same_client_has_lease()Guangshuo Li
same_client_has_lease() returns an opinfo pointer from ci->m_op_list after dropping ci->m_lock without taking a reference. smb_grant_oplock() then dereferences that pointer in copy_lease() and when checking breaking_cnt. A concurrent close can remove the old lease from ci->m_op_list and drop the last reference before the caller uses the returned pointer, leading to a use-after-free. Take a reference when same_client_has_lease() selects an existing lease, drop any previous match while scanning, and release the returned reference in smb_grant_oplock() after copying the lease state. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-16ksmbd: fix out-of-bounds read in smb_check_perm_dacl()Hem Parekh
The permission-check ACE walk in smb_check_perm_dacl() validates the ACE header size and caps sid.num_subauth at SID_MAX_SUB_AUTHORITIES, but it never checks that ace->size is actually large enough to contain num_subauth sub-authorities before compare_sids() dereferences them. CIFS_SID_BASE_SIZE covers the SID header up to but excluding the sub_auth[] array, and offsetof(struct smb_ace, sid) is the ACE header, so the existing guards only guarantee the 8-byte SID base, i.e. zero sub-authorities. compare_sids() then reads ace->sid.sub_auth[i] for i < min(local_sid->num_subauth, ace->sid.num_subauth). The local comparison SIDs (sid_everyone, sid_unix_NFS_mode, and the id_to_sid() result) always have at least one sub-authority, and an attacker controls the ACE revision and authority bytes (which lie within the in-bounds SID base), so they can match one of those SIDs and force the sub_auth read. A crafted ACE with size == 16 and num_subauth >= 1 placed at the tail of the security descriptor therefore causes a heap out-of-bounds read of up to SID_MAX_SUB_AUTHORITIES * sizeof(__le32) bytes past the pntsd allocation. The security descriptor is loaded by ksmbd_vfs_get_sd_xattr() into a buffer sized exactly to the on-disk data (kzalloc(sd_size) in ndr_decode_v4_ntacl()), so the read lands past the allocation. The malformed descriptor can be stored verbatim via SMB2_SET_INFO (the DACL is not normalised before being written to the security.NTACL xattr) and the read fires on a subsequent SMB2_CREATE access check, making this reachable by an authenticated client on a share that uses ACL xattrs. Add the missing num_subauth-versus-ace_size check, mirroring the identical guards already present in the sibling parsers parse_dacl() and smb_inherit_dacl(). Fixes: d07b26f39246 ("ksmbd: require minimum ACE size in smb_check_perm_dacl()") Cc: stable@vger.kernel.org Signed-off-by: Hem Parekh <hemparekh1596@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
2026-06-17dt-bindings: i2c: microchip,corei2c: permit resetsConor Dooley
Both CoreI2C and the hardened versions of it on mpfs and pic64gx have a reset pin. For the former, usually this is wired to a common fabric reset not managed by software and for the latter two the platform firmware takes them out of reset on first-party boards (or those using modified versions of the vendor firmware), but not all boards may take this approach. Permit providing a reset in devicetree for Linux, or other devicetree-consuming software, to use. Signed-off-by: Conor Dooley <conor.dooley@microchip.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Signed-off-by: Andi Shyti <andi.shyti@kernel.org> Link: https://lore.kernel.org/r/20260506-bronchial-kitten-e3697fb66ba7@spud
2026-06-17rust: bitfield: mark `Debug` impl as `#[inline]`Gary Guo
A `Debug` impl is for debugging and is normally not used, and therefore should ideally not be code-generated unless used. However, Rust has no way of knowing if a dependent crate is going to use the trait impl or not, so unless it is marked as `#[inline]`, it will be code-generated in the defining crate (as it is not generic). Mark the impl generated by bitfield macro `#[inline]`, so they do not stay in the binary unless used. This reduces nova-core.o .text by 17% (from 151922 bytes to 125676 bytes). Signed-off-by: Gary Guo <gary@garyguo.net> Fixes: b7b8b4ccdad4 ("rust: extract `bitfield!` macro from `register!`") Acked-by: Alexandre Courbot <acourbot@nvidia.com> Reviewed-by: Alice Ryhl <aliceryhl@google.com> Link: https://patch.msgid.link/20260611190555.2298991-1-gary@kernel.org Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
2026-06-17i2c: qcom: Unify user-visible "Qualcomm" nameKrzysztof Kozlowski
Various names for Qualcomm as a company are used in user-visible config options: QCOM, Qualcomm and Qualcomm Technologies. Switch to unified "Qualcomm" so it will be easier for users to identify the options when for example running menuconfig. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260423173550.92317-2-krzysztof.kozlowski@oss.qualcomm.com Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
2026-06-17i2c: ls2x-v2: return IRQ_HANDLED after servicing an errorDavid Carlier
The event ISR reads SR1 and, when an error flag (ARLO/AF/BERR) is set, calls loongson2_i2c_isr_error() which clears the offending flag, issues STOP for the AF case, records msg->result, masks every CR2 interrupt enable and completes the waiter. The handler then returns IRQ_NONE, declaring to the IRQ core that the device did not interrupt. That report is wrong. The device did interrupt and the handler fully serviced it. Because the IRQ is requested with IRQF_SHARED, the genirq spurious-IRQ tracker counts each error as unhandled. A bus that emits sporadic NACKs, arbitration losses or bus errors will therefore march toward the spurious-IRQ threshold and the line can end up disabled, wedging the controller. Return IRQ_HANDLED on this path. The other IRQ_NONE site, taken when neither an event nor an error bit is set, remains correct. Fixes: 6d1b0785f6d5 ("i2c: ls2x-v2: Add driver for Loongson-2K0300 I2C controller") Signed-off-by: David Carlier <devnexen@gmail.com> Assisted-by: Codex:GPT-5.5 Reviewed-by: Binbin Zhou <zhoubinbin@loongson.cn> Tested-by: Binbin Zhou <zhoubinbin@loongson.cn> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: Andi Shyti <andi.shyti@kernel.org> Link: https://lore.kernel.org/r/20260506154015.94815-1-devnexen@gmail.com
2026-06-16ipv4: fib_rule: Move fib4_rules_exit() to ->exit().Kuniyuki Iwashima
syzbot reported use-after-free of net->ipv4.rules_ops. [0] It can be reproduced with these commands: while true; do ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/24 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 address add 198.51.100.1/24 dev dummy1 ip -n ns1 rule add ipproto tcp sport 12345 table 12345 ip -n ns1 fou add port 5555 ipproto 47 local 192.0.2.1 peer 198.51.100.2 peer_port 54321 ip netns del ns1 done The cited commit moved fib4_rules_exit() earlier to ->exit_rtnl(), but the kernel socket destroyed in ->exit() could eventually reach __fib_lookup(). I left fib4_rules_exit() in ->exit_rtnl() because fib4_rule_delete() calls fib_unmerge(), which requires RTNL. However, when ->delete() is called, ->configure() has already been called, thus fib_unmerge() in ->delete() has no effect. Let's remove fib_unmerge() in fib4_rule_delete() and move fib4_rules_exit() to ->exit(). Many thanks to Ido Schimmel for providing the nice repro very quickly. Note that we can make fib_rules_ops.delete() return void once net-next opens. [0]: BUG: KASAN: slab-use-after-free in fib_rules_lookup+0x15e/0xeb0 net/core/fib_rules.c:321 Read of size 8 at addr ffff88804ec4c680 by task kworker/u8:21/12641 CPU: 0 UID: 0 PID: 12641 Comm: kworker/u8:21 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Workqueue: netns cleanup_net Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description+0x55/0x1e0 mm/kasan/report.c:378 print_report+0x58/0x70 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 fib_rules_lookup+0x15e/0xeb0 net/core/fib_rules.c:321 __fib_lookup+0x106/0x210 net/ipv4/fib_rules.c:96 ip_route_output_key_hash_rcu+0x294/0x2720 net/ipv4/route.c:2811 ip_route_output_key_hash+0x18d/0x2a0 net/ipv4/route.c:2702 __ip_route_output_key include/net/route.h:169 [inline] ip_route_output_flow+0x2a/0x150 net/ipv4/route.c:2929 ip4_datagram_release_cb+0x89d/0xbe0 net/ipv4/datagram.c:118 release_sock+0x206/0x260 net/core/sock.c:3861 inet_shutdown+0x2b1/0x390 net/ipv4/af_inet.c:950 udp_tunnel_sock_release+0x6d/0x80 net/ipv4/udp_tunnel_core.c:197 fou_release net/ipv4/fou_core.c:562 [inline] fou_exit_net+0x17d/0x1f0 net/ipv4/fou_core.c:1230 ops_exit_list net/core/net_namespace.c:199 [inline] ops_undo_list+0x43d/0x8d0 net/core/net_namespace.c:252 cleanup_net+0x572/0x810 net/core/net_namespace.c:702 process_one_work kernel/workqueue.c:3314 [inline] process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3397 worker_thread+0xa47/0xfb0 kernel/workqueue.c:3478 kthread+0x389/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Fixes: 759923cf03b0 ("ipv4: fib: Convert fib_net_exit_batch() to ->exit_rtnl().") Reported-by: syzbot+965506b59a2de0b6905c@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/6a315824.b0403584.28d0ff.0000.GAE@google.com/ Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260616191359.4142661-1-kuniyu@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-16net: serialize netif_running() check in enqueue_to_backlog()Eric Dumazet
Syzbot reported a KASAN slab-use-after-free in fib_rules_lookup(). The root cause is a race condition where packets can escape the backlog flushing during device unregistration (e.g., during netns exit). Commit e9e4dd3267d0 ("net: do not process device backlog during unregistration") introduced a lockless netif_running() check in enqueue_to_backlog() to prevent queuing packets to an unregistering device. However, this creates a TOCTOU race window. A lockless transmitter (like veth_xmit) can pass the check before dev_close() clears IFF_UP. If the transmitter is then delayed, flush_all_backlogs() can run and finish before the transmitter grabs the backlog lock and queues the packet. The packet then escapes the flush and triggers UAF later when processed. Fix this by moving the netif_running() check inside the backlog lock. This serializes the check with the flush work (which also grabs the lock). We then either queue the packet before the flush runs (so it gets flushed), or check netif_running() after the flush/close completes (so it gets dropped). Fixes: e9e4dd3267d0 ("net: do not process device backlog during unregistration") Reported-by: syzbot+965506b59a2de0b6905c@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/6a315824.b0403584.28d0ff.0000.GAE@google.com/T/#u Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Julian Anastasov <ja@ssi.bg> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20260616141317.407791-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-17rust: prelude: add `zerocopy{,_derive}::IntoBytes`Gary Guo
In order to easily use `IntoBytes`, add it to the prelude. This adds both the trait (`zerocopy::IntoBytes`) as well as the derive macro (`zerocopy_derive::IntoBytes`). [ This patch will simplify using the feature in several trees next cycle. Gary writes: This is wanted because I want to convert the upcoming I/O projection series to use `zerocopy` traits rather than keep using transmute module. It is most helpful for derives in doc tests; I do not want to explicitly use `#[derive(zerocopy_derive::IntoBytes)]` in the doc tests. For reference, the upcoming I/O projection series is at: https://lore.kernel.org/rust-for-linux/20260611-io_projection-v4-0-1f7224b02dcb@garyguo.net/ - Miguel ] Signed-off-by: Gary Guo <gary@garyguo.net> Link: https://patch.msgid.link/20260611134802.2052296-1-gary@kernel.org Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
2026-06-17i2c: atr: annotate i2c_atr_adap_desc->aliases with __counted_by_ptrThorsten Blum
Add the __counted_by_ptr() compiler attribute to ->aliases to improve bounds checking via CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Andi Shyti <andi.shyti@kernel.org> Link: https://lore.kernel.org/r/20260611215501.464405-3-thorsten.blum@linux.dev
2026-06-16Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netJakub Kicinski
Merge in late fixes in preparation for the net-next PR. Conflicts: net/tls/tls_sw.c 406e8a651a7b ("net: skmsg: preserve sg.copy across SG transforms") 79511603a65b ("tls: remove dead sockmap (psock) handling from the SW path") drivers/net/ethernet/microsoft/mana/mana_en.c f8fd56977eeea ("net: mana: guard TX wq object destroy with INVALID_MANA_HANDLE check") d07efe5a6e641 ("net: mana: Use per-queue allocation for tx_qp to reduce allocation size") https://lore.kernel.org/ajAPXu-C_PuTgV-a@sirena.org.uk No adjacent changes. Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-16io_uring: Use system_dfl_wq instead of system_unbound_wqNathan Chancellor
Commit de7341ffe49e ("io_uring: switch normal task_work to a mpscq") added a use of system_unbound_wq, which is deprecated in favor of system_dfl_wq added by commit 128ea9f6ccfb ("workqueue: Add system_percpu_wq and system_dfl_wq"). An upcoming warning in the workqueue tree flags this with: workqueue: work func io_tctx_fallback_work enqueued on deprecated workqueue. Use system_{percpu|dfl}_wq instead. Switch to system_dfl_wq to clear up the warning. Fixes: de7341ffe49e ("io_uring: switch normal task_work to a mpscq") Signed-off-by: Nathan Chancellor <nathan@kernel.org> Link: https://patch.msgid.link/20260616-io_uring-fix-wq-warning-v1-1-cfc9d934eedb@kernel.org Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-06-16i2c: algo: bit: use str_plural helper in bit_xferThorsten Blum
Replace the manual ternary "s" pluralizations with str_plural() to simplify the code. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Andi Shyti <andi.shyti@kernel.org> Link: https://lore.kernel.org/r/20260511104911.183606-3-thorsten.blum@linux.dev
2026-06-16net: skmsg: preserve sg.copy across SG transformsYiming Qian
The sk_msg sg.copy bitmap is part of the scatterlist entry ownership state. A set bit tells sk_msg_compute_data_pointers() not to expose the entry through writable BPF ctx->data. This protects entries backed by pages that are not private to the sk_msg, such as splice-backed file page-cache pages. Several sk_msg transform paths move, copy, split, or compact msg->sg.data[] entries without moving the matching sg.copy bit. This can make an externally backed entry arrive at a new slot with a clear copy bit. A later SK_MSG verdict can then expose sg_virt(sge) as writable ctx->data and BPF stores can modify the original page cache. Keep sg.copy synchronized with sg.data[] whenever entries are transferred, shifted, split, or copied into a new sk_msg. Clear the bit when an entry is replaced by a newly allocated private page or freed. This covers the BPF pull/push/pop helpers, sk_msg_shift_left/right(), sk_msg_xfer(), and tls_split_open_record(), including the partial tail entry created during TLS open-record splitting. Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling") Cc: stable@vger.kernel.org Reported-by: Yiming Qian <yimingqian591@gmail.com> Reported-by: Keenan Dong <keenanat2000@gmail.com> Signed-off-by: Yiming Qian <yimingqian591@gmail.com> Link: https://patch.msgid.link/20260610062137.49075-1-yimingqian591@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-16Merge branch 'appletalk-move-the-protocol-out-of-tree'Jakub Kicinski
Jakub Kicinski says: ==================== appletalk: move the protocol out of tree This tiny series moves appletalk out of tree, to: https://github.com/linux-netdev/mod-orphan Core maintainainers are unable to keep up with the rate of security bug reports and fixes. Nobody seems to care about appletalk enough to review the patches. As Eric pointed out Mac OS dropped AppleTalk over a decade ago. ==================== Link: https://patch.msgid.link/20260615222935.947233-1-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-16appletalk: move the protocol out of treeJakub Kicinski
AppleTalk has been removed in MacOS X 10.6 (Snow Leopard), in 2009, according to Wikipedia. We recently got a burst of AI generated fixes to this protocol which nobody is reviewing. Let AppleTalk follow AX.25 and hamradio out of the Linux tree. We we will maintain the code at: github.com/linux-netdev/mod-orphan for anyone interested in playing with it. Retain the uAPI for now. No strong reason, simply because I suspect keeping it will be less controversial. Acked-by: Stephen Hemminger <stephen@networkplumber.org> Link: https://patch.msgid.link/20260615222935.947233-3-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-16appletalk: stop storing per-interface state in struct net_deviceJakub Kicinski
AppleTalk keeps its per-interface control block (struct atalk_iface) directly in struct netdevice (dev->atalk_ptr). This is the only thing tying the protocol into the core net_device layout and is the sole blocker to moving AppleTalk out of tree. Replace dev->atalk_ptr with a small ifindex-keyed hashtable internal to ddp.c. The existing atalk_interfaces list stays the owner of the iface objects; the hashtable is purely a fast dev->iface index and reuses the same atalk_interfaces_lock. AFAICT this patch does not make this code any more racy than it already is, I'm sure Sashiko will point out some basically existing bugs. AFAICT atalk_interfaces_lock is the innermost lock already. Acked-by: Stephen Hemminger <stephen@networkplumber.org> Link: https://patch.msgid.link/20260615222935.947233-2-kuba@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-06-16i3c: mipi-i3c-hci: Use named initializers for platform_device_id's .driver_dataUwe Kleine-König (The Capable Hub)
The assignment in this driver uses a mixed way to initialize the platform_device_id array. .name is assigned by name and .driver_data by position. Unify that to use named assignment for both struct members. This is needed for a planned change to struct platform_device_id replacing .driver_data by an anonymous union. Signed-off-by: Uwe Kleine-König (The Capable Hub) <u.kleine-koenig@baylibre.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Reviewed-by: Adrian Hunter <adrian.hunter@intel.com> Link: https://patch.msgid.link/7c006616f72748fb4deccd197ca2b6427c006f79.1781620397.git.ukleinek@kernel.org Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-16i3c: master: Use unsigned int for dev_nack_retry_count consistentlyAdrian Hunter
Use unsigned int for dev_nack_retry_count across the core and controller drivers to match the type of master->dev_nack_retry_count. Update the sysfs store path to use kstrtouint() and adjust the ->set_dev_nack_retry() callback prototype and callers accordingly. Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260616113752.196140-4-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-16i3c: master: Add missing runtime PM get in dev_nack_retry_count_store()Adrian Hunter
Ensure the device is runtime resumed while updating the retry configuration to avoid accessing the controller while suspended. Call i3c_master_rpm_get() before accessing the controller in dev_nack_retry_count_store() and release it with i3c_master_rpm_put() afterwards. Fixes: 990c149c61ee4 ("i3c: master: Introduce optional Runtime PM support") Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260616113752.196140-3-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-16i3c: master: Update dev_nack_retry_count under maintenance lockAdrian Hunter
Protect master->dev_nack_retry_count against concurrent sysfs updates by updating it while holding the bus maintenance lock. Consequently, combine adjacent return statements into one. For consistency, read dev_nack_retry_count while holding the bus normaluse lock. Fixes: b58f47eb39268 ("i3c: add sysfs entry and attribute for Device NACK Retry count") Signed-off-by: Adrian Hunter <adrian.hunter@intel.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260616113752.196140-2-adrian.hunter@intel.com Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
2026-06-16block: respect iov_iter::nofault flag in bio_iov_iter_bounce_write()Qu Wenruo
For the incoming usage of IOMAP_DIO_BOUNCE in btrfs, btrfs has set iov_iter::nofault to prevent deadlock when a page fault is needed to read out the buffer. However bio_iov_iter_bounce_write() doesn't respect iov_iter::nofault flag, and just call a plain copy_from_iter() so it can still trigger page fault and cause deadlock in btrfs. Fix it by utilizing copy_folio_from_iter_atomic() if nofault flag is set, otherwise use copy_folio_from_iter(). Signed-off-by: Qu Wenruo <wqu@suse.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Link: https://patch.msgid.link/9c165a314022b61566eb247852eb773ca6c70889.1781597506.git.wqu@suse.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-06-16block: revert the iov_iter after a short copy in bio_iov_iter_bounce_write()Qu Wenruo
For the incoming IOMAP_DIO_BOUNCE flag usage inside btrfs, it's pretty easy to hit short copy inside bio_iov_iter_bounce_write(). This is because btrfs has disabled page fault to avoid certain deadlock during direct writes, and instead btrfs manually fault in the pages then retry. And inside bio_iov_iter_bounce_write(), if we hit a short write, we didn't revert the iov_iter, which can cause problems like unexpected garbage for the next retry. Revert the iov_iter after a short copy. One thing to note is that, the folio is allocated then immediately queued into the bio, so the proper revert size should be (bi_size - this_len + copied). Fixes: 8dd5e7c75d7b ("block: add helpers to bounce buffer an iov_iter into bios") Signed-off-by: Qu Wenruo <wqu@suse.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Link: https://patch.msgid.link/c400989f227343b134110773d5acaaacf7024574.1781597506.git.wqu@suse.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
2026-06-16spi: dw: fix wrong BAUDR setting after resumeJisheng Zhang
After resuming from suspend to ram, spi transfer stops working. Further debugging shows that the BAUDR register isn't correctly set, this is due to dws->current_freq doesn't match the HW BAUDR setting, specifically, the dws->current_freq equals to speed_hz, but BAUDR is 0. so the dw_spi_set_clk() in below code won't be called: if (dws->current_freq != speed_hz) { dw_spi_set_clk(dws, clk_div); dws->current_freq = speed_hz; } The mismatch comes from dw_spi_shutdown_chip() when suspending. Fix this mismatch by setting dws->current_freq to 0 as well when clearing BAUDR reg in dw_spi_shutdown_chip(). Fixes: e24c74527207 ("spi: controller driver for Designware SPI core") Signed-off-by: Jisheng Zhang <jszhang@kernel.org> Link: https://patch.msgid.link/20260612002835.5240-1-jszhang@kernel.org Signed-off-by: Mark Brown <broonie@kernel.org>
2026-06-16spi: uniphier: Fix completion initialization order before devm_request_irq()Kunihiko Hayashi
The driver calls devm_request_irq() before initializing the completion used by the interrupt handler. Because the interrupt may occur immediately after devm_request_irq(), the handler may execute before init_completion(). This may result in calling complete() on an uninitialized completion, causing undefined behavior. This has been observed with KASAN. Fix this by initializing the completion before registering the IRQ. Reported-by: Sangyun Kim <sangyun.kim@snu.ac.kr> Reported-by: Kyungwook Boo <bookyungwook@gmail.com> Fixes: 5ba155a4d4cc ("spi: add SPI controller driver for UniPhier SoC") Cc: stable@vger.kernel.org Cc: Masami Hiramatsu <mhiramat@kernel.org> Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com> Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Link: https://patch.msgid.link/20260616011223.201357-1-hayashi.kunihiko@socionext.com Signed-off-by: Mark Brown <broonie@kernel.org>
2026-06-16spi: Add NULL check for spi_get_device_id() in spi_get_device_match_data()guoqi0226
Prevent NULL pointer dereference when spi_get_device_id() returns NULL, which can happen when using driver_override without matching SPI ID entry. Signed-off-by: guoqi0226 <guoqi0226@163.com> Link: https://patch.msgid.link/20260616103018.105612-3-guoqi0226@163.com Signed-off-by: Mark Brown <broonie@kernel.org>
2026-06-16accel/amdxdna: Use caller client for debug BO syncShuvam Pandey
amdxdna_drm_sync_bo_ioctl() looks up args->handle in the ioctl caller's drm_file. For SYNC_DIRECT_FROM_DEVICE, it then calls amdxdna_hwctx_sync_debug_bo(), but passes abo->client. amdxdna_hwctx_sync_debug_bo() uses the passed client both as the handle namespace for debug_bo_hdl and as the owner of the hardware context xarray. Those must match the file that supplied args->handle. The BO's stored client pointer is object state, not the ioctl context. Pass filp->driver_priv instead, matching the original handle lookup. Fixes: 7ea046838021 ("accel/amdxdna: Support firmware debug buffer") Cc: stable@vger.kernel.org # v6.19+ Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com> Reviewed-by: Lizhi Hou <lizhi.hou@amd.com> Signed-off-by: Lizhi Hou <lizhi.hou@amd.com> Link: https://patch.msgid.link/178155468039.81818.12173237984867749651@gmail.com
2026-06-16Merge branch 'for-7.2/bpf' into for-linusJiri Kosina
2026-06-16Merge branch 'for-7.2/cleanup_driver_data' into for-linusJiri Kosina
- semantic cleanup fixes for 'hid_device_id::driver_data' (Pawel Zalewski)
2026-06-16Merge branch 'for-7.2/core' into for-linusJiri Kosina
2026-06-16Merge branch 'for-7.2/cp2112' into for-linusJiri Kosina
- fwnode support for cp2112 (Danny Kaehn) - fix for cp2112 firmware-based speed configuration, if available (Danny Kaehn)
2026-06-16Merge branch 'for-7.2/i2c-hid' into for-linusJiri Kosina
2026-06-16Merge branch 'for-7.2/logitech' into for-linusJiri Kosina
- fix for high resolution scrolling for Logitech HID++ 2.0 devices (Lauri Saurus)
2026-06-16Merge branch 'for-7.2/multitouch' into for-linusJiri Kosina
- UX improvement fixes for Yoga Book 9 (Dave Carey)