<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/fs/fuse, branch master</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=master</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-04-24T00:08:04+00:00</updated>
<entry>
<title>Merge tag 'vfs-7.1-rc1.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs</title>
<updated>2026-04-24T00:08:04+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-04-24T00:08:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=dd6c438c3e64a5ff0b5d7e78f7f9be547803ef1b'/>
<id>urn:sha1:dd6c438c3e64a5ff0b5d7e78f7f9be547803ef1b</id>
<content type='text'>
Pull vfs fixes from Christian Brauner:

 - eventpoll: fix ep_remove() UAF and follow-up cleanup

 - fs: aio: set VMA_DONTCOPY_BIT in mmap to fix NULL-pointer-dereference
   error

 - writeback: Fix use after free in inode_switch_wbs_work_fn()

 - fuse: reject oversized dirents in page cache

 - fs: aio: reject partial mremap to avoid Null-pointer-dereference
   error

 - nstree: fix func. parameter kernel-doc warnings

 - fs: Handle multiply claimed blocks more gracefully with mmb

* tag 'vfs-7.1-rc1.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
  eventpoll: drop vestigial epi-&gt;dying flag
  eventpoll: drop dead bool return from ep_remove_epi()
  eventpoll: refresh eventpoll_release() fast-path comment
  eventpoll: move f_lock acquisition into ep_remove_file()
  eventpoll: fix ep_remove struct eventpoll / struct file UAF
  eventpoll: move epi_fget() up
  eventpoll: rename ep_remove_safe() back to ep_remove()
  eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()
  eventpoll: kill __ep_remove()
  eventpoll: split __ep_remove()
  eventpoll: use hlist_is_singular_node() in __ep_remove()
  fs: Handle multiply claimed blocks more gracefully with mmb
  nstree: fix func. parameter kernel-doc warnings
  fs: aio: reject partial mremap to avoid Null-pointer-dereference error
  fuse: reject oversized dirents in page cache
  writeback: Fix use after free in inode_switch_wbs_work_fn()
  fs: aio: set VMA_DONTCOPY_BIT in mmap to fix NULL-pointer-dereference error
</content>
</entry>
<entry>
<title>fuse: reject oversized dirents in page cache</title>
<updated>2026-04-23T22:34:58+00:00</updated>
<author>
<name>Samuel Page</name>
<email>sam@bynar.io</email>
</author>
<published>2026-04-20T09:01:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=51a8de6c50bf947c8f534cd73da4c8f0a13e7bed'/>
<id>urn:sha1:51a8de6c50bf947c8f534cd73da4c8f0a13e7bed</id>
<content type='text'>
fuse_add_dirent_to_cache() computes a serialized dirent size from the
server-controlled namelen field and copies the dirent into a single
page-cache page. The existing logic only checks whether the dirent fits
in the remaining space of the current page and advances to a fresh page
if not. It never checks whether the dirent itself exceeds PAGE_SIZE.

As a result, a malicious FUSE server can return a dirent with
namelen=4095, producing a serialized record size of 4120 bytes. On 4 KiB
page systems this causes memcpy() to overflow the cache page by 24 bytes
into the following kernel page.

Reject dirents that cannot fit in a single page before copying them into
the readdir cache.

Fixes: 69e34551152a ("fuse: allow caching readdir")
Cc: stable@vger.kernel.org # v6.16+
Assisted-by: Bynario AI
Signed-off-by: Samuel Page &lt;sam@bynar.io&gt;
Reported-by: Qi Tang &lt;tpluszz77@gmail.com&gt;
Reported-by: Zijun Hu &lt;nightu@northwestern.edu&gt;
Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Link: https://patch.msgid.link/20260420090139.662772-1-mszeredi@redhat.com
Signed-off-by: Christian Brauner &lt;brauner@kernel.org&gt;
</content>
</entry>
<entry>
<title>Merge tag 'fuse-update-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse</title>
<updated>2026-04-16T02:04:21+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-04-16T02:04:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=acf6c670e476304c89b5e9320ca8f9d20c9e0aa8'/>
<id>urn:sha1:acf6c670e476304c89b5e9320ca8f9d20c9e0aa8</id>
<content type='text'>
Pull fuse update from Miklos Szeredi:

 - Fix possible hang in virtiofs when cleaning up a DAX inode (Sergio
   Lopez)

 - Fix a warning when using large folio as the source of SPLICE_F_MOVE
   on the fuse device (Bernd)

 - Fix uninitialized value found by KMSAN (Luis Henriques)

 - Fix synchronous INIT hang (Miklos)

 - Fix race between inode initialization and FUSE_NOTIFY_INVAL_INODE
   (Horst)

 - Allow fd to be closed after passing fuse device fd to
   fsconfig(..., "fd", ...) (Miklos)

 - Support FSCONFIG_SET_FD for "fd" option (Miklos)

 - Misc fixes and cleanups

* tag 'fuse-update-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse: (21 commits)
  fuse: support FSCONFIG_SET_FD for "fd" option
  fuse: clean up device cloning
  fuse: don't require /dev/fuse fd to be kept open during mount
  fuse: add refcount to fuse_dev
  fuse: create fuse_dev on /dev/fuse open instead of mount
  fuse: check connection state on notification
  fuse: fuse_dev_ioctl_clone() should wait for device file to be initialized
  fuse: fix inode initialization race
  fuse: abort on fatal signal during sync init
  fuse: fix uninit-value in fuse_dentry_revalidate()
  fuse: use offset_in_page() for page offset calculations
  fuse: use DIV_ROUND_UP() for page count calculations
  fuse: simplify logic in fuse_notify_store() and fuse_retrieve()
  fuse: validate outarg offset and size in notify store/retrieve
  fuse: Check for large folio with SPLICE_F_MOVE
  fuse: quiet down complaints in fuse_conn_limit_write
  fuse: drop unnecessary argument from fuse_lookup_init()
  fuse: fix premature writethrough request for large folio
  fuse: refactor duplicate queue teardown operation
  virtiofs: add FUSE protocol validation
  ...
</content>
</entry>
<entry>
<title>Merge tag 'lsm-pr-20260410' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm</title>
<updated>2026-04-13T22:17:28+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-04-13T22:17:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=3ba310f2a3ca70f0497aab5c2e8aa85a12e19406'/>
<id>urn:sha1:3ba310f2a3ca70f0497aab5c2e8aa85a12e19406</id>
<content type='text'>
Pull LSM updates from Paul Moore:
 "We only have five patches in the LSM tree, but three of the five are
  for an important bugfix relating to overlayfs and the mmap() and
  mprotect() access controls for LSMs. Highlights below:

   - Fix problems with the mmap() and mprotect() LSM hooks on overlayfs

     As we are dealing with problems both in mmap() and mprotect() there
     are essentially two components to this fix, spread across three
     patches with all marked for stable.

     The simplest portion of the fix is the creation of a new LSM hook,
     security_mmap_backing_file(), that is used to enforce LSM mmap()
     access controls on backing files in the stacked/overlayfs case. The
     existing security_mmap_file() does not have visibility past the
     user file. You can see from the associated SELinux hook callback
     the code is fairly straightforward.

     The mprotect() fix is a bit more complicated as there is no way in
     the mprotect() code path to inspect both the user and backing
     files, and bolting on a second file reference to vm_area_struct
     wasn't really an option.

     The solution taken here adds a LSM security blob and associated
     hooks to the backing_file struct that LSMs can use to capture and
     store relevant information from the user file. While the necessary
     SELinux information is relatively small, a single u32, I expect
     other LSMs to require more than that, and a dedicated backing_file
     LSM blob provides a storage mechanism without negatively impacting
     other filesystems.

     I want to note that other LSMs beyond SELinux have been involved in
     the discussion of the fixes presented here and they are working on
     their own related changes using these new hooks, but due to other
     issues those patches will be coming at a later date.

   - Use kstrdup_const()/kfree_const() for securityfs symlink targets

   - Resolve a handful of kernel-doc warnings in cred.h"

* tag 'lsm-pr-20260410' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/lsm:
  selinux: fix overlayfs mmap() and mprotect() access checks
  lsm: add backing_file LSM hooks
  fs: prepare for adding LSM blob to backing_file
  securityfs: use kstrdup_const() to manage symlink targets
  cred: fix kernel-doc warnings in cred.h
</content>
</entry>
<entry>
<title>Merge tag 'vfs-7.1-rc1.integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs</title>
<updated>2026-04-13T17:40:26+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-04-13T17:40:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0f00132132937ca01a99feaf8985109a9087c9ff'/>
<id>urn:sha1:0f00132132937ca01a99feaf8985109a9087c9ff</id>
<content type='text'>
Pull vfs integrity updates from Christian Brauner:
 "This adds support to generate and verify integrity information (aka
  T10 PI) in the file system, instead of the automatic below the covers
  support that is currently used.

  The implementation is based on refactoring the existing block layer PI
  code to be reusable for this use case, and then adding relatively
  small wrappers for the file system use case. These are then used in
  iomap to implement the semantics, and wired up in XFS with a small
  amount of glue code.

  Compared to the baseline this does not change performance for writes,
  but increases read performance up to 15% for 4k I/O, with the benefit
  decreasing with larger I/O sizes as even the baseline maxes out the
  device quickly on my older enterprise SSD"

* tag 'vfs-7.1-rc1.integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
  xfs: support T10 protection information
  iomap: support T10 protection information
  iomap: support ioends for buffered reads
  iomap: add a bioset pointer to iomap_read_folio_ops
  ntfs3: remove copy and pasted iomap code
  iomap: allow file systems to hook into buffered read bio submission
  iomap: only call into -&gt;submit_read when there is a read_ctx
  iomap: pass the iomap_iter to -&gt;submit_read
  iomap: refactor iomap_bio_read_folio_range
  block: pass a maxlen argument to bio_iov_iter_bounce
  block: add fs_bio_integrity helpers
  block: make max_integrity_io_size public
  block: prepare generation / verification helpers for fs usage
  block: add a bdev_has_integrity_csum helper
  block: factor out a bio_integrity_setup_default helper
  block: factor out a bio_integrity_action helper
</content>
</entry>
<entry>
<title>lsm: add backing_file LSM hooks</title>
<updated>2026-04-03T20:53:50+00:00</updated>
<author>
<name>Paul Moore</name>
<email>paul@paul-moore.com</email>
</author>
<published>2025-12-19T18:18:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6af36aeb147a06dea47c49859cd6ca5659aeb987'/>
<id>urn:sha1:6af36aeb147a06dea47c49859cd6ca5659aeb987</id>
<content type='text'>
Stacked filesystems such as overlayfs do not currently provide the
necessary mechanisms for LSMs to properly enforce access controls on the
mmap() and mprotect() operations.  In order to resolve this gap, a LSM
security blob is being added to the backing_file struct and the following
new LSM hooks are being created:

 security_backing_file_alloc()
 security_backing_file_free()
 security_mmap_backing_file()

The first two hooks are to manage the lifecycle of the LSM security blob
in the backing_file struct, while the third provides a new mmap() access
control point for the underlying backing file.  It is also expected that
LSMs will likely want to update their security_file_mprotect() callback
to address issues with their mprotect() controls, but that does not
require a change to the security_file_mprotect() LSM hook.

There are three other small changes to support these new LSM hooks:
* Pass the user file associated with a backing file down to
alloc_empty_backing_file() so it can be included in the
security_backing_file_alloc() hook.
* Add getter and setter functions for the backing_file struct LSM blob
as the backing_file struct remains private to fs/file_table.c.
* Constify the file struct field in the LSM common_audit_data struct to
better support LSMs that need to pass a const file struct pointer into
the common LSM audit code.

Thanks to Arnd Bergmann for identifying the missing EXPORT_SYMBOL_GPL()
and supplying a fixup.

Cc: stable@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-unionfs@vger.kernel.org
Cc: linux-erofs@lists.ozlabs.org
Reviewed-by: Amir Goldstein &lt;amir73il@gmail.com&gt;
Reviewed-by: Serge Hallyn &lt;serge@hallyn.com&gt;
Reviewed-by: Christian Brauner &lt;brauner@kernel.org&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
</content>
</entry>
<entry>
<title>fuse: support FSCONFIG_SET_FD for "fd" option</title>
<updated>2026-04-02T18:53:00+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2026-03-12T19:30:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2339f9cc9f080eff40432c0343d358ead39a4988'/>
<id>urn:sha1:2339f9cc9f080eff40432c0343d358ead39a4988</id>
<content type='text'>
This is not only cleaner to use in userspace (no need to sprintf the fd to
a string) but also allows userspace to detect that the devfd can be closed
after the fsconfig call.

Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
Reviewed-by: "Darrick J. Wong" &lt;djwong@kernel.org&gt;
</content>
</entry>
<entry>
<title>fuse: clean up device cloning</title>
<updated>2026-04-02T18:52:59+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2026-03-12T11:19:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=4ae404afd92e36be378eb120a2dc13031cdac7a6'/>
<id>urn:sha1:4ae404afd92e36be378eb120a2dc13031cdac7a6</id>
<content type='text'>
 - fuse_mutex is not needed for device cloning, because fuse_dev_install()
   uses cmpxchg() to set fud-&gt;fc, which prevents races between clone/mount
   or clone/clone.  This makes the logic simpler.

 - Drop fc-&gt;dev_count.  This is only used to check in release if the device
   is the last clone, but checking list_empty(&amp;fc-&gt;devices) is equivalent
   after removing the released device from the list.  Removing the fuse_dev
   before calling fuse_abort_conn() is okay, since the processing and io
   lists are now empty for this device.

Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
</content>
</entry>
<entry>
<title>fuse: don't require /dev/fuse fd to be kept open during mount</title>
<updated>2026-04-02T18:43:25+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2026-03-11T21:27:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d42eb23b2ef9fbe66ea7fd4b3153c3244818d47c'/>
<id>urn:sha1:d42eb23b2ef9fbe66ea7fd4b3153c3244818d47c</id>
<content type='text'>
With the new mount API the sequence of syscalls would be:

	fs_fd = fsopen("fuse", 0);
	snprintf(opt, sizeof(opt), "%i", devfd);
	fsconfig(fs_fd, FSCONFIG_SET_STRING, "fd", opt, 0);
	/* ... */
	fsconfig(fs_fd, FSCONFIG_CMD_CREATE, 0, 0, 0);

Current mount code just stores the value of devfd in the fs_context and
uses it during FSCONFIG_CMD_CREATE, which is inelegant.

Instead grab a reference to the underlying fuse_dev, and use that during
the filesystem creation.

Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
</content>
</entry>
<entry>
<title>fuse: add refcount to fuse_dev</title>
<updated>2026-04-02T18:43:24+00:00</updated>
<author>
<name>Miklos Szeredi</name>
<email>mszeredi@redhat.com</email>
</author>
<published>2026-03-11T21:05:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e9bf38500ed9aec7cfdf9219c75d353645b41168'/>
<id>urn:sha1:e9bf38500ed9aec7cfdf9219c75d353645b41168</id>
<content type='text'>
This will make it possible to grab the fuse_dev and subsequently release
the file that it came from.

In the above case, fud-&gt;fc will be set to FUSE_DEV_FC_DISCONNECTED to
indicate that this is no longer a functional device.

When trying to assign an fc to such a disconnected fuse_dev, the fc is set
to the disconnected state.

Use atomic operations xchg() and cmpxchg() to prevent races.

Signed-off-by: Miklos Szeredi &lt;mszeredi@redhat.com&gt;
</content>
</entry>
</feed>
