<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/net/9p, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-21T05:22:57+00:00</updated>
<entry>
<title>9p: Add missing read barrier in virtio zero-copy path</title>
<updated>2026-06-21T05:22:57+00:00</updated>
<author>
<name>Gui-Dong Han</name>
<email>hanguidong02@gmail.com</email>
</author>
<published>2026-05-29T07:54:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=aa88278693cbfaf7a2acf961379973fbb63b165c'/>
<id>urn:sha1:aa88278693cbfaf7a2acf961379973fbb63b165c</id>
<content type='text'>
Commit 2b6e72ed747f ("9P: Add memory barriers to protect request
fields over cb/rpc threads handoff") added a read barrier after
p9_client_rpc() waits for req-&gt;status, pairing with the write barrier in
p9_client_cb(). The virtio zero-copy wait path was missed.

Add the same read barrier after the zero-copy wait before reading the
completed request.

Fixes: 2b6e72ed747f ("9P: Add memory barriers to protect request fields over cb/rpc threads handoff")
Signed-off-by: Gui-Dong Han &lt;hanguidong02@gmail.com&gt;
Message-ID: &lt;20260529075441.233369-1-hanguidong02@gmail.com&gt;
Signed-off-by: Dominique Martinet &lt;asmadeus@codewreck.org&gt;
</content>
</entry>
<entry>
<title>net/9p: Replace strlen() strcpy() pair with strscpy()</title>
<updated>2026-06-21T05:22:57+00:00</updated>
<author>
<name>David Laight</name>
<email>david.laight.linux@gmail.com</email>
</author>
<published>2026-06-06T20:27:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=cc8b15a2c435bd1caf19741ba85286846a115764'/>
<id>urn:sha1:cc8b15a2c435bd1caf19741ba85286846a115764</id>
<content type='text'>
Use the result of strscpy() for the overflow check.

Signed-off-by: David Laight &lt;david.laight.linux@gmail.com&gt;
Message-ID: &lt;20260606202744.5113-3-david.laight.linux@gmail.com&gt;
Signed-off-by: Dominique Martinet &lt;asmadeus@codewreck.org&gt;
</content>
</entry>
<entry>
<title>net/9p: fix race condition on rdma-&gt;state in trans_rdma.c</title>
<updated>2026-06-21T05:22:57+00:00</updated>
<author>
<name>Yizhou Zhao</name>
<email>zhaoyz24@mails.tsinghua.edu.cn</email>
</author>
<published>2026-05-29T07:39:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=7d54894a1ee265a72d70f7cae1da6cc774cccc71'/>
<id>urn:sha1:7d54894a1ee265a72d70f7cae1da6cc774cccc71</id>
<content type='text'>
The rdma-&gt;state field is modified without holding req_lock in both
recv_done() and p9_cm_event_handler(), while rdma_request() accesses
the same field under the req_lock spinlock. This inconsistent locking
creates a race condition:

- recv_done() running in softirq completion context sets
  rdma-&gt;state = P9_RDMA_FLUSHING without acquiring req_lock

- p9_cm_event_handler() modifies rdma-&gt;state at multiple points
  (ADDR_RESOLVED, ROUTE_RESOLVED, ESTABLISHED, CLOSED) without
  req_lock

- rdma_request() uses spin_lock_irqsave(&amp;rdma-&gt;req_lock, flags) to
  protect the read-modify-write of rdma-&gt;state

The race can cause lost state transitions: recv_done() or the CM
event handler could set state to FLUSHING/CLOSED while rdma_request()
is concurrently checking or modifying state under the lock, leading to
the FLUSHING transition being silently overwritten by CLOSING. This
corrupts the connection state machine and can cause use-after-free on
RDMA request objects during teardown.

Fix by adding req_lock protection to all rdma-&gt;state modifications in
recv_done() and p9_cm_event_handler(), matching the pattern already
used in rdma_request(). Use spin_lock_irqsave/spin_unlock_irqrestore
in the CM event handler since it can race with recv_done() which runs
in softirq context.

Tested with a kernel module that races two threads (simulating
rdma_request and recv_done/CM handler) on rdma-&gt;state with proper
locking: 5.5M+ FLUSHING writes over 27M iterations with 0 lost
transitions.

Fixes: 473c7dd1d7b5 ("9p/rdma: remove useless check in cm_event_handler")
Reported-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Reported-by: Yuxiang Yang &lt;yangyx22@mails.tsinghua.edu.cn&gt;
Reported-by: Ao Wang &lt;wangao@seu.edu.cn&gt;
Reported-by: Xuewei Feng &lt;fengxw06@126.com&gt;
Reported-by: Qi Li &lt;qli01@tsinghua.edu.cn&gt;
Reported-by: Ke Xu &lt;xuke@tsinghua.edu.cn&gt;
Assisted-by: GLM:GLM-5.1
Signed-off-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Message-ID: &lt;20260529073933.77315-1-zhaoyz24@mails.tsinghua.edu.cn&gt;
Signed-off-by: Dominique Martinet &lt;asmadeus@codewreck.org&gt;
</content>
</entry>
<entry>
<title>9p: avoid putting oldfid in p9_client_walk() error path</title>
<updated>2026-06-21T05:22:56+00:00</updated>
<author>
<name>Yizhou Zhao</name>
<email>zhaoyz24@mails.tsinghua.edu.cn</email>
</author>
<published>2026-05-28T05:39:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=1a3860d46e3eb47dbd60339783cdad7904486b9f'/>
<id>urn:sha1:1a3860d46e3eb47dbd60339783cdad7904486b9f</id>
<content type='text'>
When p9_client_walk() is called with clone set to false, fid aliases
oldfid. If the walk subsequently fails after the request has been sent,
the error path jumps to clunk_fid, which currently calls p9_fid_put(fid)
unconditionally.

This drops a reference to oldfid even though ownership of oldfid remains
with the caller. If this is the last reference, oldfid can be clunked and
destroyed while the caller still expects it to be valid. A later use or
put of oldfid can then trigger a use-after-free or refcount underflow.

Fix this by only putting fid in the clunk_fid error path when it does not
alias oldfid, matching the existing guard in the error path below.

This can be triggered when a multi-component walk is split into multiple
p9_client_walk() calls and a later non-cloning walk fails. A reproducer
and refcount warning logs are available on request.

Fixes: b48dbb998d70 ("9p fid refcount: add p9_fid_get/put wrappers")
Cc: stable@vger.kernel.org
Reported-by: Yuxiang Yang &lt;yangyx22@mails.tsinghua.edu.cn&gt;
Reported-by: Ao Wang &lt;wangao@seu.edu.cn&gt;
Reported-by: Xuewei Feng &lt;fengxw06@126.com&gt;
Reported-by: Qi Li &lt;qli01@tsinghua.edu.cn&gt;
Reported-by: Ke Xu &lt;xuke@tsinghua.edu.cn&gt;
Assisted-by: GLM 5.1
Signed-off-by: Yizhou Zhao &lt;zhaoyz24@mails.tsinghua.edu.cn&gt;
Message-ID: &lt;20260528053918.53550-1-zhaoyz24@mails.tsinghua.edu.cn&gt;
Signed-off-by: Dominique Martinet &lt;asmadeus@codewreck.org&gt;
</content>
</entry>
<entry>
<title>net/9p: fix infinite loop in p9_client_rpc on fatal signal</title>
<updated>2026-05-29T02:16:39+00:00</updated>
<author>
<name>Vasiliy Kovalev</name>
<email>kovalev@altlinux.org</email>
</author>
<published>2026-04-15T15:52:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6b4f48728faa8bb514368f7eacda05565dea8696'/>
<id>urn:sha1:6b4f48728faa8bb514368f7eacda05565dea8696</id>
<content type='text'>
When p9_client_rpc() is called with type P9_TFLUSH and the transport
has no peer (e.g. fd transport backed by pipes with no 9p server),
a fatal signal causes an infinite loop:

  again:
	err = io_wait_event_killable(req-&gt;wq, ...)
	/* SIGKILL wakes the task, returns -ERESTARTSYS */

	if (err == -ERESTARTSYS &amp;&amp; c-&gt;status == Connected &amp;&amp;
		type == P9_TFLUSH) {
		sigpending = 1;
		clear_thread_flag(TIF_SIGPENDING);
		goto again;
	}

clear_thread_flag() clears TIF_SIGPENDING before jumping back to
io_wait_event_killable(). signal_pending_state() checks TIF_SIGPENDING,
finds it zero, and the task goes to sleep again. The task can only wake
on the next signal delivery that calls signal_wake_up() and sets
TIF_SIGPENDING again. When that happens the loop repeats, clears
TIF_SIGPENDING, and sleeps again indefinitely.

This is triggered in practice by coredump_wait(): when a thread in a
multi-threaded process causes a coredump (e.g. via SIGSYS from Syscall
User Dispatch), coredump_wait() sends SIGKILL to all other threads and
waits for them to call mm_release(). If one of those threads is blocked
in p9_client_rpc() over an fd transport with no peer, it enters the
P9_TFLUSH loop and never calls mm_release(), so coredump_wait() stalls
forever:

INFO: task syz.0.18:676 blocked for more than 143 seconds.
      Not tainted 6.12.77+ #1
task:syz.0.18 state:D stack:27600 pid:676 tgid:673 ppid:630 flags:0x00000004
Call Trace:
 &lt;TASK&gt;
 context_switch kernel/sched/core.c:5344 [inline]
 __schedule+0xcb4/0x5d50 kernel/sched/core.c:6724
 __schedule_loop kernel/sched/core.c:6801 [inline]
 schedule+0xe5/0x350 kernel/sched/core.c:6816
 schedule_timeout+0x253/0x290 kernel/time/timer.c:2593
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x409/0x600 kernel/sched/completion.c:116
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion_state+0x1d/0x40 kernel/sched/completion.c:264
 coredump_wait fs/coredump.c:448 [inline]
 do_coredump+0x854/0x4350 fs/coredump.c:629
 get_signal+0x1425/0x2730 kernel/signal.c:2903
 arch_do_signal_or_restart+0x81/0x880 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xf9/0x160 kernel/entry/common.c:218
 do_syscall_64+0x102/0x220 arch/x86/entry/common.c:84
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 &lt;/TASK&gt;

Fix: check fatal_signal_pending() before clearing TIF_SIGPENDING in the
P9_TFLUSH retry loop. At that point TIF_SIGPENDING is still set, so
fatal_signal_pending() works correctly. If a fatal signal is pending,
jump to recalc_sigpending to restore TIF_SIGPENDING and return
-ERESTARTSYS to the caller.

The same defect is present in stable kernels back to 5.4. On those
kernels the infinite loop is broken earlier by a second SIGKILL from
the parent process (e.g. kill_and_wait() retrying after a timeout),
resulting in a zombie process and a shutdown delay rather than a
permanent D-state hang, but the underlying flaw is the same.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: 91b8534fa8f5 ("9p: make rpc code common and rework flush code")
Closes: https://syzkaller.appspot.com/bug?extid=3ce7863f8fc836a427e7
Cc: stable@vger.kernel.org
Signed-off-by: Vasiliy Kovalev &lt;kovalev@altlinux.org&gt;
Message-ID: &lt;20260415155237.182891-1-kovalev@altlinux.org&gt;
Signed-off-by: Dominique Martinet &lt;asmadeus@codewreck.org&gt;
</content>
</entry>
<entry>
<title>9p: use kvzalloc for readdir buffer</title>
<updated>2026-05-19T11:58:18+00:00</updated>
<author>
<name>Pierre Barre</name>
<email>pierre@barre.sh</email>
</author>
<published>2026-05-12T13:20:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=b4d71bea144550ff4a0917f8c4b06d4063eb27a6'/>
<id>urn:sha1:b4d71bea144550ff4a0917f8c4b06d4063eb27a6</id>
<content type='text'>
The readdir buffer is sized to msize, so kzalloc() can fail under
fragmentation with a page allocation failure in v9fs_alloc_rdir_buf()
/ v9fs_dir_readdir_dotl().

The buffer is only a response sink and is never pack_sg_list()'d,
so kvzalloc() is safe for all transports, unlike the fcall buffers
fixed in e21d451a82f3 ("9p: Use kvmalloc for message buffers on
supported transports").

Signed-off-by: Pierre Barre &lt;pierre@barre.sh&gt;
Message-ID: &lt;20260512132032.369281-1-pierre@barre.sh&gt;
Signed-off-by: Dominique Martinet &lt;asmadeus@codewreck.org&gt;
</content>
</entry>
<entry>
<title>net/9p/usbg: Constify struct configfs_item_operations</title>
<updated>2026-05-19T11:55:53+00:00</updated>
<author>
<name>Christophe JAILLET</name>
<email>christophe.jaillet@wanadoo.fr</email>
</author>
<published>2026-05-16T09:08:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9061075b4f0a897e25ce46c396698dd24f92f5cb'/>
<id>urn:sha1:9061075b4f0a897e25ce46c396698dd24f92f5cb</id>
<content type='text'>
'struct configfs_item_operations' is not modified in this driver.

Constifying this structure moves some data to a read-only section, so
increases overall security, especially when the structure holds some
function pointers.

On x86_64, with allmodconfig:
Before:
======
   text	   data	    bss	    dec	    hex	filename
  25167	   9336	    256	  34759	   87c7	net/9p/trans_usbg.o

After:
=====
   text	   data	    bss	    dec	    hex	filename
  25231	   9272	    256	  34759	   87c7	net/9p/trans_usbg.o

Signed-off-by: Christophe JAILLET &lt;christophe.jaillet@wanadoo.fr&gt;
Message-ID: &lt;2478bdabd7d169a686879c049f11dc307b5debbd.1778922467.git.christophe.jaillet@wanadoo.fr&gt;
Signed-off-by: Dominique Martinet &lt;asmadeus@codewreck.org&gt;
</content>
</entry>
<entry>
<title>9p/trans_xen: replace simple_strto* with kstrtouint</title>
<updated>2026-04-16T02:57:01+00:00</updated>
<author>
<name>Yufan Chen</name>
<email>ericterminal@gmail.com</email>
</author>
<published>2026-03-24T15:30:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=8fc518e489c1386fd0cf7f4256d055960ed6a2e4'/>
<id>urn:sha1:8fc518e489c1386fd0cf7f4256d055960ed6a2e4</id>
<content type='text'>
In xen_9pfs_front_init(), parse the backend version list as comma-separated
tokens with kstrtouint(), keep strict token validation, and explicitly
require protocol version 1 to be present.

This replaces the deprecated simple_strtoul(), improves error reporting
consistency, and avoids partially parsed values in control paths.

Signed-off-by: Yufan Chen &lt;ericterminal@gmail.com&gt;
Reviewed-by: Stefano Stabellini &lt;sstabellini@kernel.org&gt;
Message-ID: &lt;20260324153023.86853-3-ericterminal@gmail.com&gt;
Signed-off-by: Dominique Martinet &lt;asmadeus@codewreck.org&gt;
</content>
</entry>
<entry>
<title>9p/trans_xen: make cleanup idempotent after dataring alloc errors</title>
<updated>2026-04-16T02:57:01+00:00</updated>
<author>
<name>Yufan Chen</name>
<email>ericterminal@gmail.com</email>
</author>
<published>2026-03-24T15:30:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=72cb9ee4f6d80962df17c9763b14e62e28fd85a2'/>
<id>urn:sha1:72cb9ee4f6d80962df17c9763b14e62e28fd85a2</id>
<content type='text'>
xen_9pfs_front_alloc_dataring() tears down resources on failure but
leaves ring fields stale. If xen_9pfs_front_init() later jumps to the
common error path, xen_9pfs_front_free() may touch the same resources
again, causing duplicate/invalid gnttab_end_foreign_access() calls and
potentially dereferencing a freed intf pointer.

Initialize dataring sentinels before allocation, gate teardown on those
sentinels, and clear ref/intf/data/irq immediately after each release.

This keeps cleanup idempotent for partially initialized rings and
prevents repeated teardown during init failure handling.

Signed-off-by: Yufan Chen &lt;ericterminal@gmail.com&gt;
Reviewed-by: Stefano Stabellini &lt;sstabellini@kernel.org&gt;
Message-ID: &lt;20260324153023.86853-2-ericterminal@gmail.com&gt;
Signed-off-by: Dominique Martinet &lt;asmadeus@codewreck.org&gt;
</content>
</entry>
<entry>
<title>Convert 'alloc_obj' family to use the new default GFP_KERNEL argument</title>
<updated>2026-02-22T01:09:51+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-02-22T00:37:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=bf4afc53b77aeaa48b5409da5c8da6bb4eff7f43'/>
<id>urn:sha1:bf4afc53b77aeaa48b5409da5c8da6bb4eff7f43</id>
<content type='text'>
This was done entirely with mindless brute force, using

    git grep -l '\&lt;k[vmz]*alloc_objs*(.*, GFP_KERNEL)' |
        xargs sed -i 's/\(alloc_objs*(.*\), GFP_KERNEL)/\1)/'

to convert the new alloc_obj() users that had a simple GFP_KERNEL
argument to just drop that argument.

Note that due to the extreme simplicity of the scripting, any slightly
more complex cases spread over multiple lines would not be triggered:
they definitely exist, but this covers the vast bulk of the cases, and
the resulting diff is also then easier to check automatically.

For the same reason the 'flex' versions will be done as a separate
conversion.

Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
</feed>
