Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.19.11 2026-03-04T12:21:30+00:00 2026-03-04T12:21:30+00:00 Heming Zhao heming.zhao@suse.com 2025-12-10T01:57:24+00:00 urn:sha1:2f4daccd9d9b8b2952df7878df8c2e8ba6439398 [ Upstream commit 5138c936c2c82c9be8883921854bc6f7e1177d8c ] commit c06c303832ec ("ocfs2: fix xattr array entry __counted_by error") doesn't handle all cases and the cleanup job for preserved xattr entries still has bug: - the 'last' pointer should be shifted by one unit after cleanup an array entry. - current code logic doesn't cleanup the first entry when xh_count is 1. Note, commit c06c303832ec is also a bug fix for 0fe9b66c65f3. Link: https://lkml.kernel.org/r/20251210015725.8409-2-heming.zhao@suse.com Fixes: 0fe9b66c65f3 ("ocfs2: Add preserve to reflink.") Signed-off-by: Heming Zhao <heming.zhao@suse.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Joseph Qi <jiangqi903@gmail.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Jun Piao <piaojun@huawei.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2025-12-13T08:55:12+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-12-13T08:55:12+00:00 urn:sha1:9d9c1cfec01cdbf24bd9322ed555713a20422115 Pull misc updates from Andrew Morton: "There are no significant series in this small merge. Please see the individual changelogs for details" [ Editor's note: it's mainly ocfs2 and a couple of random fixes ] * tag 'mm-nonmm-stable-2025-12-11-11-47' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: mm: memfd_luo: add CONFIG_SHMEM dependency mm: shmem: avoid build warning for CONFIG_SHMEM=n ocfs2: fix memory leak in ocfs2_merge_rec_left() ocfs2: invalidate inode if i_mode is zero after block read ocfs2: avoid -Wflex-array-member-not-at-end warning ocfs2: convert remaining read-only checks to ocfs2_emergency_state ocfs2: add ocfs2_emergency_state helper and apply to setattr checkpatch: add uninitialized pointer with __free attribute check args: fix documentation to reflect the correct numbers ocfs2: fix kernel BUG in ocfs2_find_victim_chain liveupdate: luo_core: fix redundant bound check in luo_ioctl() ocfs2: validate inline xattr size and entry count in ocfs2_xattr_ibody_list fs/fat: remove unnecessary wrapper fat_max_cache() ocfs2: replace deprecated strcpy with strscpy ocfs2: check tl_used after reading it from trancate log inode liveupdate: luo_file: don't use invalid list iterator 2025-12-11T00:07:43+00:00 Dmitry Antipov dmantipov@yandex.ru 2025-12-05T06:51:59+00:00 urn:sha1:2214ec4bf89d0fd27717322d3983a2f3b469c7f3 In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after move, thus allowing 'ocfs2_free_path()' to free it before return. Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block") Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2 Reviewed-by: Heming Zhao <heming.zhao@suse.com> Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Jun Piao <piaojun@huawei.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> 2025-12-11T00:07:43+00:00 Ahmet Eray Karadag eraykrdg1@gmail.com 2025-12-02T22:45:08+00:00 urn:sha1:7efb45f9685fd9292413f15ea1212f7077c4a35f A panic occurs in ocfs2_unlink due to WARN_ON(inode->i_nlink == 0) when handling a corrupted inode with i_mode=0 and i_nlink=0 in memory. This "zombie" inode is created because ocfs2_read_locked_inode proceeds even after ocfs2_validate_inode_block successfully validates a block that structurally looks okay (passes checksum, signature etc.) but contains semantically invalid data (specifically i_mode=0). The current validation function doesn't check for i_mode being zero. This results in an in-memory inode with i_mode=0 being added to the VFS cache, which later triggers the panic during unlink. Prevent this by adding an explicit check for (i_mode == 0, i_nlink == 0, non-orphan) within ocfs2_validate_inode_block. If the check is true, return -EFSCORRUPTED to signal corruption. This causes the caller (ocfs2_read_locked_inode) to invoke make_bad_inode(), correctly preventing the zombie inode from entering the cache. Link: https://lkml.kernel.org/r/20251202224507.53452-2-eraykrdg1@gmail.com Co-developed-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com> Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com> Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com> Reported-by: syzbot+55c40ae8a0e5f3659f2b@syzkaller.appspotmail.com Fixes: https://syzkaller.appspot.com/bug?extid=55c40ae8a0e5f3659f2b Link: https://lore.kernel.org/all/20251022222752.46758-2-eraykrdg1@gmail.com/T/ Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: David Hunter <david.hunter.linux@gmail.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Jun Piao <piaojun@huawei.com> Cc: Heming Zhao <heming.zhao@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> 2025-12-11T00:07:43+00:00 Gustavo A. R. Silva gustavoars@kernel.org 2025-11-11T03:01:19+00:00 urn:sha1:76b9701a54a23fe45dc15aacace616cca9671823 -Wflex-array-member-not-at-end was introduced in GCC-14, and we are getting ready to enable it, globally. Use the new TRAILING_OVERLAP() helper to fix the following warning: fs/ocfs2/xattr.c:52:41: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] This helper creates a union between a flexible-array member (FAM) and a set of MEMBERS that would otherwise follow it. This overlays the trailing MEMBER struct ocfs2_extent_rec er; onto the FAM struct ocfs2_xattr_value_root::xr_list.l_recs[], while keeping the FAM and the start of MEMBER aligned. The static_assert() ensures this alignment remains, and it's intentionally placed inmediately after the related structure --no blank line in between. Link: https://lkml.kernel.org/r/aRKm_7aN7Smc3J5L@kspp Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Reviewed-by: Heming Zhao <heming.zhao@suse.com> Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Jun Piao <piaojun@huawei.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> 2025-12-11T00:07:43+00:00 Ahmet Eray Karadag eraykrdg1@gmail.com 2025-12-03T03:34:26+00:00 urn:sha1:7eff54dfd245fb4bf398334be663478b9ae4bb99 Now that the centralized `ocfs2_emergency_state()` helper is available, refactor remaining filesystem-wide checks for `ocfs2_is_soft_readonly` and `ocfs2_is_hard_readonly` to use this new function. To ensure strict consistency with the previous behavior and guarantee no functional changes, the call sites continue to explicitly return -EROFS when the emergency state is detected. This standardizes the check logic while preserving the existing error handling flow. Link: https://lkml.kernel.org/r/3421641b54ad6b6e4ffca052351b518eacc1bd08.1764728893.git.eraykrdg1@gmail.com Co-developed-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com> Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com> Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com> Reviewed-by: Heming Zhao <heming.zhao@suse.com> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: David Hunter <david.hunter.linux@gmail.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Jun Piao <piaojun@huawei.com> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Mark Fasheh <mark@fasheh.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> 2025-12-11T00:07:43+00:00 Ahmet Eray Karadag eraykrdg1@gmail.com 2025-12-03T03:34:25+00:00 urn:sha1:752ba0976b25d69cfac55137573298bd5dd88aa2 Patch series "ocfs2: Refactor read-only checks to use ocfs2_emergency_state", v4. Following the fix for the `make_bad_inode` validation failure (syzbot ID: b93b65ee321c97861072), this separate series introduces a new helper function, `ocfs2_emergency_state()`, to improve and centralize read-only and error state checking. This is modeled after the `ext4_emergency_state()` pattern, providing a single, unified location for checking all filesystem-level emergency conditions. This makes the code cleaner and ensures that any future checks (e.g., for fatal error states) can be added in one place. This series is structured as follows: 1. The first patch introduces the `ocfs2_emergency_state()` helper (currently checking for -EROFS) and applies it to `ocfs2_setattr` to provide a "fail-fast" mechanism, as suggested by Albin Babu Varghese. 2. The second patch completes the refactoring by converting all remaining read-only checks throughout OCFS2 to use this new helper. This patch (of 2): To centralize error checking, follow the pattern of other filesystems like ext4 (which uses `ext4_emergency_state()`), and prepare for future enhancements, this patch introduces a new helper function: `ocfs2_emergency_state()`. The purpose of this helper is to provide a single, unified location for checking all filesystem-level emergency conditions. In this initial implementation, the function only checks for the existing hard and soft read-only modes, returning -EROFS if either is set. This provides a foundation where future checks (e.g., for fatal error states returning -EIO, or shutdown states) can be easily added in one place. This patch also adds this new check to the beginning of `ocfs2_setattr()`. This ensures that operations like `ftruncate` (which triggered the original BUG) fail-fast with -EROFS when the filesystem is already in a read-only state. Link: https://lkml.kernel.org/r/cover.1764728893.git.eraykrdg1@gmail.com Link: https://lkml.kernel.org/r/e9e975bcaaff8dbc155b70fbc1b2798a2e36e96f.1764728893.git.eraykrdg1@gmail.com Co-developed-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com> Signed-off-by: Albin Babu Varghese <albinbabuvarghese20@gmail.com> Signed-off-by: Ahmet Eray Karadag <eraykrdg1@gmail.com> Suggested-by: Heming Zhao <heming.zhao@suse.com> Reviewed-by: Heming Zhao <heming.zhao@suse.com> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Jun Piao <piaojun@huawei.com> Cc: David Hunter <david.hunter.linux@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> 2025-12-11T00:07:42+00:00 Prithvi Tambewagh activprithvi@gmail.com 2025-12-01T13:07:11+00:00 urn:sha1:039bef30e320827bac8990c9f29d2a68cd8adb5f syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the `cl_next_free_rec` field of the allocation chain list (next free slot in the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec) condition in ocfs2_find_victim_chain() and panicking the kernel. To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(), just before calling ocfs2_find_victim_chain(), the code block in it being executed when either of the following conditions is true: 1. `cl_next_free_rec` is equal to 0, indicating that there are no free chains in the allocation chain list 2. `cl_next_free_rec` is greater than `cl_count` (the total number of chains in the allocation chain list) Either of them being true is indicative of the fact that there are no chains left for usage. This is addressed using ocfs2_error(), which prints the error log for debugging purposes, rather than panicking the kernel. Link: https://lkml.kernel.org/r/20251201130711.143900-1-activprithvi@gmail.com Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com> Reported-by: syzbot+96d38c6e1655c1420a72@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=96d38c6e1655c1420a72 Tested-by: syzbot+96d38c6e1655c1420a72@syzkaller.appspotmail.com Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Jun Piao <piaojun@huawei.com> Cc: Heming Zhao <heming.zhao@suse.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> 2025-12-11T00:07:42+00:00 Deepanshu Kartikey kartikey406@gmail.com 2025-11-20T04:11:45+00:00 urn:sha1:2a4f33430e96d0bebfa37b1d586098f61f030b06 Add comprehensive validation of inline xattr metadata in ocfs2_xattr_ibody_list() to prevent out-of-bounds access and use-after-free bugs when processing corrupted inline xattrs. The patch adds two critical validations: 1. Validates i_xattr_inline_size before use: - Ensures it does not exceed block size - Ensures it is at least large enough for xattr header - Prevents pointer arithmetic with corrupted size values that could point outside the inode block 2. Validates xattr entry count (xh_count): - Calculates maximum entries that can fit in the inline space - Rejects counts that exceed this limit - Prevents out-of-bounds array access in subsequent code Without these checks, a corrupted filesystem with invalid inline xattr metadata can cause the code to access memory beyond the allocated space. For example: - A corrupted i_xattr_inline_size of 0 would cause header pointer calculation to point past the end of the block - A corrupted xh_count of 22 with inline_size of 256 would cause array access 7 entries beyond the 15 that actually fit (the syzbot reproducer used xh_count of 20041), leading to use-after-free when accessing freed memory pages The validation uses the correct inline_size (from di->i_xattr_inline_size) rather than block size, ensuring accurate bounds checking for inline xattrs specifically. Link: https://lkml.kernel.org/r/20251120041145.33176-1-kartikey406@gmail.com Link: https://lore.kernel.org/all/20251111073831.2027072-1-kartikey406@gmail.com/ [v1] Link: https://lore.kernel.org/all/20251117063217.5690-1-kartikey406@gmail.com/ [v2] Link: https://lore.kernel.org/all/20251117114224.12948-1-kartikey406@gmail.com/ [v3] Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9 Tested-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Suggested-by: Heming Zhao <heming.zhao@suse.com> Reviewed-by: Heming Zhao <heming.zhao@suse.com> Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Jun Piao <piaojun@huawei.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> 2025-12-11T00:07:42+00:00 Thorsten Blum thorsten.blum@linux.dev 2025-11-26T11:44:15+00:00 urn:sha1:d86fea4294cb7878e3866eb567ee803d180a159b strcpy() has been deprecated [1] because it performs no bounds checking on the destination buffer, which can lead to buffer overflows. Replace it with the safer strscpy(). No functional changes. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strcpy [1] Link: https://lkml.kernel.org/r/20251126114419.92539-1-thorsten.blum@linux.dev Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> Cc: Mark Fasheh <mark@fasheh.com> Cc: Joel Becker <jlbec@evilplan.org> Cc: Junxiao Bi <junxiao.bi@oracle.com> Cc: Changwei Ge <gechangwei@live.cn> Cc: Jun Piao <piaojun@huawei.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>