Skip to content

Merge pull request #1 from torvalds/master #114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

Merge pull request #1 from torvalds/master #114

wants to merge 3 commits into from

Conversation

@e-mailky
Copy link

@e-mailky e-mailky commented Aug 18, 2014 

Merge pull request #1 from torvalds/master

@frankcash
Copy link

frankcash commented Aug 18, 2014

Linus doesn't accept pull requests on GitHub.

@Patrick-Edouard
Copy link

Patrick-Edouard commented Aug 18, 2014

You should take a look at https://www.kernel.org/doc/Documentation/SubmittingPatches

@e-mailky e-mailky closed this Aug 20, 2014
koenkooi pushed a commit to koenkooi/linux that referenced this pull request Aug 27, 2014
@ozbenh
powerpc/hugetlb: Replace __get_cpu_var with get_cpu_var
94b09d7 
Replace __get_cpu_var safely with get_cpu_var to avoid
the following call trace:

[ 7253.637591] BUG: using smp_processor_id() in preemptible [00000000 00000000]
code: hugemmap01/9048
[ 7253.637601] caller is free_hugepd_range.constprop.25+0x88/0x1a8
[ 7253.637605] CPU: 1 PID: 9048 Comm: hugemmap01 Not tainted 3.10.20-rt14+ torvalds#114
[ 7253.637606] Call Trace:
[ 7253.637617] [cb049d80] [c0007ea4] show_stack+0x4c/0x168 (unreliable)
[ 7253.637624] [cb049dc0] [c031c674] debug_smp_processor_id+0x114/0x134
[ 7253.637628] [cb049de0] [c0016d28] free_hugepd_range.constprop.25+0x88/0x1a8
[ 7253.637632] [cb049e0] [c001711c] hugetlb_free_pgd_range+0x6c/0x168
[ 7253.637639] [cb049e40] [c0117408] free_pgtables+0x12c/0x150
[ 7253.637646] [cb049e70] [c011ce38] unmap_region+0xa0/0x11c
[ 7253.637671] [cb049ef0] [c011f03c] do_munmap+0x224/0x3bc
[ 7253.637676] [cb049f2] [c011f2e0] vm_munmap+0x38/0x5c
[ 7253.637682] [cb049f40] [c000ef88] ret_from_syscall+0x0/0x3c
[ 7253.637686] --- Exception: c01 at 0xff16004

Signed-off-by: Tiejun Chen<[email protected]>
Signed-off-by: Benjamin Herrenschmidt <[email protected]>
mikey pushed a commit to mikey/linux that referenced this pull request Sep 18, 2014
@bp3tk0v
x86/boot: Further compress CPUs bootup message
a17bce4 
Turn it into (for example):

[    0.073380] x86: Booting SMP configuration:
[    0.074005] .... node   #0, CPUs:          #1   #2   #3   #4   #5   torvalds#6   torvalds#7
[    0.603005] .... node   #1, CPUs:     torvalds#8   torvalds#9  torvalds#10  torvalds#11  torvalds#12  torvalds#13  torvalds#14  torvalds#15
[    1.200005] .... node   #2, CPUs:    torvalds#16  torvalds#17  torvalds#18  torvalds#19  torvalds#20  torvalds#21  torvalds#22  torvalds#23
[    1.796005] .... node   #3, CPUs:    torvalds#24  torvalds#25  torvalds#26  torvalds#27  torvalds#28  torvalds#29  torvalds#30  torvalds#31
[    2.393005] .... node   #4, CPUs:    torvalds#32  torvalds#33  torvalds#34  torvalds#35  torvalds#36  torvalds#37  torvalds#38  torvalds#39
[    2.996005] .... node   #5, CPUs:    torvalds#40  torvalds#41  torvalds#42  torvalds#43  torvalds#44  torvalds#45  torvalds#46  torvalds#47
[    3.600005] .... node   torvalds#6, CPUs:    torvalds#48  torvalds#49  torvalds#50  torvalds#51  #52  #53  torvalds#54  torvalds#55
[    4.202005] .... node   torvalds#7, CPUs:    torvalds#56  torvalds#57  #58  torvalds#59  torvalds#60  torvalds#61  torvalds#62  torvalds#63
[    4.811005] .... node   torvalds#8, CPUs:    torvalds#64  torvalds#65  torvalds#66  torvalds#67  torvalds#68  torvalds#69  #70  torvalds#71
[    5.421006] .... node   torvalds#9, CPUs:    torvalds#72  torvalds#73  torvalds#74  torvalds#75  torvalds#76  torvalds#77  torvalds#78  torvalds#79
[    6.032005] .... node  torvalds#10, CPUs:    torvalds#80  torvalds#81  torvalds#82  torvalds#83  torvalds#84  torvalds#85  torvalds#86  torvalds#87
[    6.648006] .... node  torvalds#11, CPUs:    torvalds#88  torvalds#89  torvalds#90  torvalds#91  torvalds#92  torvalds#93  torvalds#94  torvalds#95
[    7.262005] .... node  torvalds#12, CPUs:    torvalds#96  torvalds#97  torvalds#98  torvalds#99 torvalds#100 torvalds#101 torvalds#102 torvalds#103
[    7.865005] .... node  torvalds#13, CPUs:   torvalds#104 torvalds#105 torvalds#106 torvalds#107 torvalds#108 torvalds#109 torvalds#110 torvalds#111
[    8.466005] .... node  torvalds#14, CPUs:   torvalds#112 torvalds#113 torvalds#114 torvalds#115 torvalds#116 torvalds#117 torvalds#118 torvalds#119
[    9.073006] .... node  torvalds#15, CPUs:   torvalds#120 torvalds#121 torvalds#122 torvalds#123 torvalds#124 torvalds#125 torvalds#126 torvalds#127
[    9.679901] x86: Booted up 16 nodes, 128 CPUs

and drop useless elements.

Change num_digits() to hpa's division-avoiding, cell-phone-typed
version which he went at great lengths and pains to submit on a
Saturday evening.

Signed-off-by: Borislav Petkov <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: Linus Torvalds <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
torvalds pushed a commit that referenced this pull request Apr 26, 2015
@Andre-ARM
KVM: arm/arm64: check IRQ number on userland injection
fd1d0dd 
When userland injects a SPI via the KVM_IRQ_LINE ioctl we currently
only check it against a fixed limit, which historically is set
to 127. With the new dynamic IRQ allocation the effective limit may
actually be smaller (64).
So when now a malicious or buggy userland injects a SPI in that
range, we spill over on our VGIC bitmaps and bytemaps memory.
I could trigger a host kernel NULL pointer dereference with current
mainline by injecting some bogus IRQ number from a hacked kvmtool:
-----------------
....
DEBUG: kvm_vgic_inject_irq(kvm, cpu=0, irq=114, level=1)
DEBUG: vgic_update_irq_pending(kvm, cpu=0, irq=114, level=1)
DEBUG: IRQ #114 still in the game, writing to bytemap now...
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = ffffffc07652e000
[00000000] *pgd=00000000f658b003, *pud=00000000f658b003, *pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 1053 Comm: lkvm-msi-irqinj Not tainted 4.0.0-rc7+ #3027
Hardware name: FVP Base (DT)
task: ffffffc0774e9680 ti: ffffffc0765a8000 task.ti: ffffffc0765a8000
PC is at kvm_vgic_inject_irq+0x234/0x310
LR is at kvm_vgic_inject_irq+0x30c/0x310
pc : [<ffffffc0000ae0a8>] lr : [<ffffffc0000ae180>] pstate: 8000014
.....

So this patch fixes this by checking the SPI number against the
actual limit. Also we remove the former legacy hard limit of
127 in the ioctl code.

Signed-off-by: Andre Przywara <[email protected]>
Reviewed-by: Christoffer Dall <[email protected]>
CC: <[email protected]> # 4.0, 3.19, 3.18
[maz: wrap KVM_ARM_IRQ_GIC_MAX with #ifndef __KERNEL__,
as suggested by Christopher Covington]
Signed-off-by: Marc Zyngier <[email protected]>
damentz referenced this pull request in zen-kernel/zen-kernel May 7, 2015
@Andre-ARM @gregkh
KVM: arm/arm64: check IRQ number on userland injection
fb124f8 
commit fd1d0dd upstream.

When userland injects a SPI via the KVM_IRQ_LINE ioctl we currently
only check it against a fixed limit, which historically is set
to 127. With the new dynamic IRQ allocation the effective limit may
actually be smaller (64).
So when now a malicious or buggy userland injects a SPI in that
range, we spill over on our VGIC bitmaps and bytemaps memory.
I could trigger a host kernel NULL pointer dereference with current
mainline by injecting some bogus IRQ number from a hacked kvmtool:
-----------------
....
DEBUG: kvm_vgic_inject_irq(kvm, cpu=0, irq=114, level=1)
DEBUG: vgic_update_irq_pending(kvm, cpu=0, irq=114, level=1)
DEBUG: IRQ #114 still in the game, writing to bytemap now...
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = ffffffc07652e000
[00000000] *pgd=00000000f658b003, *pud=00000000f658b003, *pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 1053 Comm: lkvm-msi-irqinj Not tainted 4.0.0-rc7+ #3027
Hardware name: FVP Base (DT)
task: ffffffc0774e9680 ti: ffffffc0765a8000 task.ti: ffffffc0765a8000
PC is at kvm_vgic_inject_irq+0x234/0x310
LR is at kvm_vgic_inject_irq+0x30c/0x310
pc : [<ffffffc0000ae0a8>] lr : [<ffffffc0000ae180>] pstate: 8000014
.....

So this patch fixes this by checking the SPI number against the
actual limit. Also we remove the former legacy hard limit of
127 in the ioctl code.

Signed-off-by: Andre Przywara <[email protected]>
Reviewed-by: Christoffer Dall <[email protected]>
[maz: wrap KVM_ARM_IRQ_GIC_MAX with #ifndef __KERNEL__,
as suggested by Christopher Covington]
Signed-off-by: Marc Zyngier <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
abusse pushed a commit to abusse/linux that referenced this pull request May 29, 2015
@Andre-ARM @sashalevin
KVM: arm/arm64: check IRQ number on userland injection
e580744 
[ Upstream commit fd1d0dd ]

When userland injects a SPI via the KVM_IRQ_LINE ioctl we currently
only check it against a fixed limit, which historically is set
to 127. With the new dynamic IRQ allocation the effective limit may
actually be smaller (64).
So when now a malicious or buggy userland injects a SPI in that
range, we spill over on our VGIC bitmaps and bytemaps memory.
I could trigger a host kernel NULL pointer dereference with current
mainline by injecting some bogus IRQ number from a hacked kvmtool:
-----------------
....
DEBUG: kvm_vgic_inject_irq(kvm, cpu=0, irq=114, level=1)
DEBUG: vgic_update_irq_pending(kvm, cpu=0, irq=114, level=1)
DEBUG: IRQ torvalds#114 still in the game, writing to bytemap now...
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = ffffffc07652e000
[00000000] *pgd=00000000f658b003, *pud=00000000f658b003, *pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 1053 Comm: lkvm-msi-irqinj Not tainted 4.0.0-rc7+ #3027
Hardware name: FVP Base (DT)
task: ffffffc0774e9680 ti: ffffffc0765a8000 task.ti: ffffffc0765a8000
PC is at kvm_vgic_inject_irq+0x234/0x310
LR is at kvm_vgic_inject_irq+0x30c/0x310
pc : [<ffffffc0000ae0a8>] lr : [<ffffffc0000ae180>] pstate: 8000014
.....

So this patch fixes this by checking the SPI number against the
actual limit. Also we remove the former legacy hard limit of
127 in the ioctl code.

Signed-off-by: Andre Przywara <[email protected]>
Reviewed-by: Christoffer Dall <[email protected]>
CC: <[email protected]> # 4.0, 3.19, 3.18
[maz: wrap KVM_ARM_IRQ_GIC_MAX with #ifndef __KERNEL__,
as suggested by Christopher Covington]
Signed-off-by: Marc Zyngier <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
xin3liang pushed a commit to xin3liang/linux that referenced this pull request Oct 16, 2015
@ldts
Merge pull request torvalds#114 from Leo-Yan/enable_suspend_0820
5f7b98b 
arm64: add system suspend support
@causten causten mentioned this pull request Dec 3, 2015
Closed
0day-ci pushed a commit to 0day-ci/linux that referenced this pull request May 6, 2016
net: arc/emac: Move arc_emac_tx_clean() into arc_emac_tx() and disabl…
03a7c8b 
…e tx interrut

Doing tx_clean() inside poll() may scramble the tx ring buffer if
tx() is running. This will cause tx to stop working, which can be
reproduced by simultaneously downloading two large files at high speed.

Moving tx_clean() into tx() will prevent this. And tx interrupt is no
longer needed now.

Picked the Shuyu's patch up, the patch is sent on
https://patchwork.kernel.org/patch/8356821/, since that make sense for
rockchip platform.
Note: Many people feedback the cransh problems with rk3036/rk3188 emac when
download the heavy loading and this patch is indeed can fix the crash.

The crash log as the followings:
...
[ 2191.996127 ] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.0-rc6 torvalds#114
[ 2192.002475 ] Hardware name: Rockchip (Device Tree)
[ 2192.007174 ] Backtrace:
[ 2192.009658 ] [<c00134d4>] (dump_backtrace) from [<c0013680>]
    (show_stack+0x18/0x1c)
[ 2192.017220 ]  r7:c051c4f8 r6:ef463180 r5:c05b7000 r4:00000000
[ 2192.022948 ] [<c0013668>] (show_stack) from [<c0219d90>]
    (dump_stack+0x90/0xa0)
[ 2192.030176 ] [<c0219d00>] (dump_stack) from [<c00b2cd4>]
    (bad_page+0xdc/0x12c)
[ 2192.037302 ]  r5:c059a100 r4:c05f430c
[ 2192.040913 ] [<c00b2bf8>] (bad_page) from [<c00b606c>]
    (get_page_from_freelist+0x388/0x95c)
[ 2192.049166 ]  r9:00000008 r8:ef463180 r7:c051c4d0 r6:00000000
    r5:00000000 r4:c051c4e4
[ 2192.056982 ] [<c00b5ce4>] (get_page_from_freelist) from
[<c00b6880>] (__alloc_pages_nodemask+0xd8/0x8e8)
[ 2192.066362 ]  r10:c001b068 r9:00000000 r8:ee0b02b0 r7:60000113
    r6:00000003 r5:02095220
[ 2192.074254 ]  r4:c05ca1c0
[ 2192.076809 ] [<c00b67a8>] (__alloc_pages_nodemask) from
[<c00b7140>] (__alloc_page_frag+0xb0/0x160)
[ 2192.085757 ]  r10:c001b068 r9:00000000 r8:ee0b02b0 r7:60000113
    r6:02080020 r5:00000740
[ 2192.093650 ]  r4:eedbc884
[ 2192.096207 ] [<c00b7090>] (__alloc_page_frag) from [<c03273b4>]
    (__netdev_alloc_skb+0xa0/0x104)
[ 2192.104806 ]  r7:60000113 r6:eedbc884 r5:ee0b0000 r4:00000740
[ 2192.110525 ] [<c0327314>] (__netdev_alloc_skb) from [<c02aac00>]
    (arc_emac_poll+0x318/0x57c)
[ 2192.118865 ]  r9:00000000 r8:ee0b02b0 r7:0000019c r6:ee163780
    r5:00000670 r4:ee0b0000
[ 2192.126683 ] [<c02aa8e8>] (arc_emac_poll) from [<c0339ed8>]
    (net_rx_action+0x1f0/0x2ec)
[ 2192.134590 ]  r10:c0599df8 r9:c059a100 r8:00073760 r7:0000012c
    r6:00000028 r5:c02aa8e8
[ 2192.142483 ]  r4:ee0b04e0
[ 2192.145040 ] [<c0339ce8>] (net_rx_action) from [<c0026f5c>]
    (__do_softirq+0x134/0x258)
[ 2192.152860 ]  r10:c059a080 r9:40000003 r8:00000003 r7:00000100
    r6:c0598000 r5:c059a08c
[ 2192.160751 ]  r4:00000000
...

Signed-off-by: Shuyu Wei <[email protected]>
Tested-by: Michael Niewoehner <[email protected]>
Tested-by: Xing Zheng <[email protected]>
Cc: "David S. Miller" <[email protected]>
Cc: Alexander Kochetkov <[email protected]>
Cc: [email protected]
Signed-off-by: Caesar Wang <[email protected]>
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Dec 2, 2016
@akpm00 @hnaz
vfs-make-may_umount_tree-mount-propogation-aware-checkpatch-fixes
5ebc2ba 
WARNING: 'minumum' may be misspelled - perhaps 'minimum'?
torvalds#114: FILE: fs/namespace.c:1367:
+	 * to the tree at mnt is one greater than the minumum

WARNING: function definition argument 'struct mount *' should also have an identifier name
torvalds#168: FILE: fs/pnode.h:41:
+struct mount *propagation_next(struct mount *, struct mount *);

WARNING: function definition argument 'struct mount *' should also have an identifier name
torvalds#168: FILE: fs/pnode.h:41:
+struct mount *propagation_next(struct mount *, struct mount *);

total: 0 errors, 3 warnings, 125 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/vfs-make-may_umount_tree-mount-propogation-aware.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Ian Kent <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Dec 8, 2016
@akpm00 @hnaz
vfs-make-may_umount_tree-mount-propogation-aware-checkpatch-fixes
76f28dc 
WARNING: 'minumum' may be misspelled - perhaps 'minimum'?
torvalds#114: FILE: fs/namespace.c:1367:
+	 * to the tree at mnt is one greater than the minumum

WARNING: function definition argument 'struct mount *' should also have an identifier name
torvalds#168: FILE: fs/pnode.h:41:
+struct mount *propagation_next(struct mount *, struct mount *);

WARNING: function definition argument 'struct mount *' should also have an identifier name
torvalds#168: FILE: fs/pnode.h:41:
+struct mount *propagation_next(struct mount *, struct mount *);

total: 0 errors, 3 warnings, 125 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/vfs-make-may_umount_tree-mount-propogation-aware.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Ian Kent <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Dec 8, 2016
@akpm00 @sfrothwell
vfs-make-may_umount_tree-mount-propogation-aware-checkpatch-fixes
97d6a93 
WARNING: 'minumum' may be misspelled - perhaps 'minimum'?
torvalds#114: FILE: fs/namespace.c:1367:
+	 * to the tree at mnt is one greater than the minumum

WARNING: function definition argument 'struct mount *' should also have an identifier name
torvalds#168: FILE: fs/pnode.h:41:
+struct mount *propagation_next(struct mount *, struct mount *);

WARNING: function definition argument 'struct mount *' should also have an identifier name
torvalds#168: FILE: fs/pnode.h:41:
+struct mount *propagation_next(struct mount *, struct mount *);

total: 0 errors, 3 warnings, 125 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/vfs-make-may_umount_tree-mount-propogation-aware.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Ian Kent <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Dec 10, 2016
@akpm00 @sfrothwell
vfs-make-may_umount_tree-mount-propogation-aware-checkpatch-fixes
9052ff5 
WARNING: 'minumum' may be misspelled - perhaps 'minimum'?
torvalds#114: FILE: fs/namespace.c:1367:
+	 * to the tree at mnt is one greater than the minumum

WARNING: function definition argument 'struct mount *' should also have an identifier name
torvalds#168: FILE: fs/pnode.h:41:
+struct mount *propagation_next(struct mount *, struct mount *);

WARNING: function definition argument 'struct mount *' should also have an identifier name
torvalds#168: FILE: fs/pnode.h:41:
+struct mount *propagation_next(struct mount *, struct mount *);

total: 0 errors, 3 warnings, 125 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

./patches/vfs-make-may_umount_tree-mount-propogation-aware.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Ian Kent <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
laijs pushed a commit to laijs/linux that referenced this pull request Feb 13, 2017
Merge pull request torvalds#114 from pscollins/atomic-thread-counter
b43930b 
lkl: Replace threads_counter_lock with atomic ops
vthanki pushed a commit to raumfeld/linux that referenced this pull request Jul 6, 2017
@Andre-ARM
KVM: arm/arm64: check IRQ number on userland injection
7a1c4b3 
commit fd1d0dd upstream.

When userland injects a SPI via the KVM_IRQ_LINE ioctl we currently
only check it against a fixed limit, which historically is set
to 127. With the new dynamic IRQ allocation the effective limit may
actually be smaller (64).
So when now a malicious or buggy userland injects a SPI in that
range, we spill over on our VGIC bitmaps and bytemaps memory.
I could trigger a host kernel NULL pointer dereference with current
mainline by injecting some bogus IRQ number from a hacked kvmtool:
-----------------
....
DEBUG: kvm_vgic_inject_irq(kvm, cpu=0, irq=114, level=1)
DEBUG: vgic_update_irq_pending(kvm, cpu=0, irq=114, level=1)
DEBUG: IRQ torvalds#114 still in the game, writing to bytemap now...
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = ffffffc07652e000
[00000000] *pgd=00000000f658b003, *pud=00000000f658b003, *pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 1053 Comm: lkvm-msi-irqinj Not tainted 4.0.0-rc7+ #3027
Hardware name: FVP Base (DT)
task: ffffffc0774e9680 ti: ffffffc0765a8000 task.ti: ffffffc0765a8000
PC is at kvm_vgic_inject_irq+0x234/0x310
LR is at kvm_vgic_inject_irq+0x30c/0x310
pc : [<ffffffc0000ae0a8>] lr : [<ffffffc0000ae180>] pstate: 8000014
.....

So this patch fixes this by checking the SPI number against the
actual limit. Also we remove the former legacy hard limit of
127 in the ioctl code.

Signed-off-by: Andre Przywara <[email protected]>
Reviewed-by: Christoffer Dall <[email protected]>
[maz: wrap KVM_ARM_IRQ_GIC_MAX with #ifndef __KERNEL__,
as suggested by Christopher Covington]
Signed-off-by: Marc Zyngier <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
craigdickman pushed a commit to WEMS/linux that referenced this pull request Jan 11, 2018
@gthouret
Change i.MX21 host driver default USB Interrupt Transfer polling inte…
2461c38 
…rval to 1ms

Prevent the host from being set to poll every frame as this causes excessive polling resulting in excessive EMC emissions
Fixes torvalds#114
cminyard pushed a commit to cminyard/linux-ipmi that referenced this pull request Jan 17, 2018
@cminyard
ipmi: use dynamic memory for DMI driver override
f0caa1e 
Currently a crash can be seen if we reach the "err"
label in dmi_add_platform_ipmi(), calling
platform_device_put(), like here:
[    7.270584]  (null): ipmi:dmi: Unable to add resources: -16
[    7.330229] ------------[ cut here ]------------
[    7.334889] kernel BUG at mm/slub.c:3894!
[    7.338936] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[    7.344475] Modules linked in:
[    7.347556] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00004-gbe9cb7b-dirty torvalds#114
[    7.355907] Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT17 Nemo 2.0 RC0 11/29/2017
[    7.365137] task: 00000000c211f6d3 task.stack: 00000000f276e9af
[    7.371116] pstate: 60000005 (nZCv daif -PAN -UAO)
[    7.375957] pc : kfree+0x194/0x1b4
[    7.379389] lr : platform_device_release+0xcc/0xd8
[    7.384225] sp : ffff0000092dba90
[    7.387567] x29: ffff0000092dba90 x28: ffff000008a83000
[    7.392933] x27: ffff0000092dbc10 x26: 00000000000000e6
[    7.398297] x25: 0000000000000003 x24: ffff0000085b51e8
[    7.403662] x23: 0000000000000100 x22: ffff7e0000234cc0
[    7.409027] x21: ffff000008af3660 x20: ffff8017d21acc10
[    7.414392] x19: ffff8017d21acc00 x18: 0000000000000002
[    7.419757] x17: 0000000000000001 x16: 0000000000000008
[    7.425121] x15: 0000000000000001 x14: 6666666678303d65
[    7.430486] x13: 6469727265766f5f x12: 7265766972642e76
[    7.435850] x11: 6564703e2d617020 x10: 6530326435373638
[    7.441215] x9 : 3030303030303030 x8 : 3d76656420657361
[    7.446580] x7 : ffff000008f59df8 x6 : ffff8017fbe0ea50
[    7.451945] x5 : 0000000000000000 x4 : 0000000000000000
[    7.457309] x3 : ffffffffffffffff x2 : 0000000000000000
[    7.462674] x1 : 0fffc00000000800 x0 : ffff7e0000234ce0
[    7.468039] Process swapper/0 (pid: 1, stack limit = 0x00000000f276e9af)
[    7.474809] Call trace:
[    7.477272]  kfree+0x194/0x1b4
[    7.480351]  platform_device_release+0xcc/0xd8
[    7.484837]  device_release+0x34/0x90
[    7.488531]  kobject_put+0x70/0xcc
[    7.491961]  put_device+0x14/0x1c
[    7.495304]  platform_device_put+0x14/0x1c
[    7.499439]  dmi_add_platform_ipmi+0x348/0x3ac
[    7.503923]  scan_for_dmi_ipmi+0xfc/0x10c
[    7.507970]  do_one_initcall+0x38/0x124
[    7.511840]  kernel_init_freeable+0x188/0x228
[    7.516238]  kernel_init+0x10/0x100
[    7.519756]  ret_from_fork+0x10/0x18
[    7.523362] Code: f94002c0 37780080 f94012c0 37000040 (d4210000)
[    7.529552] ---[ end trace 11750e4787deef9e ]---
[    7.534228] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[    7.534228]

This is because when the device is released in
platform_device_release(), we try to free
pdev.driver_override. This is a const string, hence
the crash.
Fix by using dynamic memory for pdev->driver_override.

Signed-off-by: John Garry <[email protected]>
Signed-off-by: Corey Minyard <[email protected]>
Cc: <[email protected]> # 4.14.x
cminyard pushed a commit to cminyard/linux-ipmi that referenced this pull request Jan 22, 2018
@cminyard
ipmi: use dynamic memory for DMI driver override
5516e21 
Currently a crash can be seen if we reach the "err"
label in dmi_add_platform_ipmi(), calling
platform_device_put(), like here:
[    7.270584]  (null): ipmi:dmi: Unable to add resources: -16
[    7.330229] ------------[ cut here ]------------
[    7.334889] kernel BUG at mm/slub.c:3894!
[    7.338936] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[    7.344475] Modules linked in:
[    7.347556] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00004-gbe9cb7b-dirty torvalds#114
[    7.355907] Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT17 Nemo 2.0 RC0 11/29/2017
[    7.365137] task: 00000000c211f6d3 task.stack: 00000000f276e9af
[    7.371116] pstate: 60000005 (nZCv daif -PAN -UAO)
[    7.375957] pc : kfree+0x194/0x1b4
[    7.379389] lr : platform_device_release+0xcc/0xd8
[    7.384225] sp : ffff0000092dba90
[    7.387567] x29: ffff0000092dba90 x28: ffff000008a83000
[    7.392933] x27: ffff0000092dbc10 x26: 00000000000000e6
[    7.398297] x25: 0000000000000003 x24: ffff0000085b51e8
[    7.403662] x23: 0000000000000100 x22: ffff7e0000234cc0
[    7.409027] x21: ffff000008af3660 x20: ffff8017d21acc10
[    7.414392] x19: ffff8017d21acc00 x18: 0000000000000002
[    7.419757] x17: 0000000000000001 x16: 0000000000000008
[    7.425121] x15: 0000000000000001 x14: 6666666678303d65
[    7.430486] x13: 6469727265766f5f x12: 7265766972642e76
[    7.435850] x11: 6564703e2d617020 x10: 6530326435373638
[    7.441215] x9 : 3030303030303030 x8 : 3d76656420657361
[    7.446580] x7 : ffff000008f59df8 x6 : ffff8017fbe0ea50
[    7.451945] x5 : 0000000000000000 x4 : 0000000000000000
[    7.457309] x3 : ffffffffffffffff x2 : 0000000000000000
[    7.462674] x1 : 0fffc00000000800 x0 : ffff7e0000234ce0
[    7.468039] Process swapper/0 (pid: 1, stack limit = 0x00000000f276e9af)
[    7.474809] Call trace:
[    7.477272]  kfree+0x194/0x1b4
[    7.480351]  platform_device_release+0xcc/0xd8
[    7.484837]  device_release+0x34/0x90
[    7.488531]  kobject_put+0x70/0xcc
[    7.491961]  put_device+0x14/0x1c
[    7.495304]  platform_device_put+0x14/0x1c
[    7.499439]  dmi_add_platform_ipmi+0x348/0x3ac
[    7.503923]  scan_for_dmi_ipmi+0xfc/0x10c
[    7.507970]  do_one_initcall+0x38/0x124
[    7.511840]  kernel_init_freeable+0x188/0x228
[    7.516238]  kernel_init+0x10/0x100
[    7.519756]  ret_from_fork+0x10/0x18
[    7.523362] Code: f94002c0 37780080 f94012c0 37000040 (d4210000)
[    7.529552] ---[ end trace 11750e4787deef9e ]---
[    7.534228] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[    7.534228]

This is because when the device is released in
platform_device_release(), we try to free
pdev.driver_override. This is a const string, hence
the crash.
Fix by using dynamic memory for pdev->driver_override.

Signed-off-by: John Garry <[email protected]>
[Removed the free of driver_override from ipmi_si_remove_by_dev().  The
 free is done in platform_device_release(), and would result in a double
 free, and ipmi_si_remove_by_dev() is called by non-platform devices.]
Signed-off-by: Corey Minyard <[email protected]>
Cc: <[email protected]> # 4.14+
iaguis pushed a commit to kinvolk/linux that referenced this pull request Feb 6, 2018
@bgilbert
Merge pull request torvalds#114 from bgilbert/v4.13.16-coreos
1327d7d 
Fix CVE-2017-1000405 and mptsas hotplug in 4.13
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Jul 4, 2018
@akpm00 @sfrothwell
ocfs2-return-erofs-when-filesystem-becomes-read-only-checkpatch-fixes
de205cc 
WARNING: line over 80 characters
torvalds#34: FILE: fs/ocfs2/alloc.c:1484:
+			status = ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#35: FILE: fs/ocfs2/alloc.c:1485:
+^I^I^I^I             "Owner %llu has empty extent list (next_free_rec == 0)\n",$

WARNING: line over 80 characters
torvalds#36: FILE: fs/ocfs2/alloc.c:1486:
+				             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci));

ERROR: code indent should use tabs where possible
torvalds#36: FILE: fs/ocfs2/alloc.c:1486:
+^I^I^I^I             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci));$

WARNING: line over 80 characters
torvalds#46: FILE: fs/ocfs2/alloc.c:1492:
+			status = ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#47: FILE: fs/ocfs2/alloc.c:1493:
+^I^I^I^I             "Owner %llu has extent list where extent # %d has no physical block start\n",$

WARNING: line over 80 characters
torvalds#48: FILE: fs/ocfs2/alloc.c:1494:
+				             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci), i);

ERROR: code indent should use tabs where possible
torvalds#48: FILE: fs/ocfs2/alloc.c:1494:
+^I^I^I^I             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci), i);$

WARNING: line over 80 characters
torvalds#61: FILE: fs/ocfs2/alloc.c:3215:
+			ret = ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#62: FILE: fs/ocfs2/alloc.c:3216:
+^I^I^I^I          "Owner %llu has empty extent block at %llu\n",$

WARNING: line over 80 characters
torvalds#63: FILE: fs/ocfs2/alloc.c:3217:
+				          (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#63: FILE: fs/ocfs2/alloc.c:3217:
+^I^I^I^I          (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),$

WARNING: line over 80 characters
torvalds#64: FILE: fs/ocfs2/alloc.c:3218:
+				          (unsigned long long)le64_to_cpu(eb->h_blkno));

ERROR: code indent should use tabs where possible
torvalds#64: FILE: fs/ocfs2/alloc.c:3218:
+^I^I^I^I          (unsigned long long)le64_to_cpu(eb->h_blkno));$

ERROR: code indent should use tabs where possible
torvalds#79: FILE: fs/ocfs2/alloc.c:4412:
+^I^I^I^I^I             "Extent block #%llu has an invalid l_next_free_rec of %d.  It should have matched the l_count of %d\n",$

WARNING: line over 80 characters
torvalds#80: FILE: fs/ocfs2/alloc.c:4413:
+					             (unsigned long long)le64_to_cpu(eb->h_blkno),

ERROR: code indent should use tabs where possible
torvalds#80: FILE: fs/ocfs2/alloc.c:4413:
+^I^I^I^I^I             (unsigned long long)le64_to_cpu(eb->h_blkno),$

WARNING: line over 80 characters
torvalds#81: FILE: fs/ocfs2/alloc.c:4414:
+					             le16_to_cpu(new_el->l_next_free_rec),

ERROR: code indent should use tabs where possible
torvalds#81: FILE: fs/ocfs2/alloc.c:4414:
+^I^I^I^I^I             le16_to_cpu(new_el->l_next_free_rec),$

WARNING: line over 80 characters
torvalds#82: FILE: fs/ocfs2/alloc.c:4415:
+					             le16_to_cpu(new_el->l_count));

ERROR: code indent should use tabs where possible
torvalds#82: FILE: fs/ocfs2/alloc.c:4415:
+^I^I^I^I^I             le16_to_cpu(new_el->l_count));$

ERROR: code indent should use tabs where possible
torvalds#96: FILE: fs/ocfs2/alloc.c:4466:
+^I^I^I^I^I             "Extent block #%llu has an invalid l_next_free_rec of %d\n",$

WARNING: line over 80 characters
torvalds#97: FILE: fs/ocfs2/alloc.c:4467:
+					             (unsigned long long)le64_to_cpu(eb->h_blkno),

ERROR: code indent should use tabs where possible
torvalds#97: FILE: fs/ocfs2/alloc.c:4467:
+^I^I^I^I^I             (unsigned long long)le64_to_cpu(eb->h_blkno),$

WARNING: line over 80 characters
torvalds#98: FILE: fs/ocfs2/alloc.c:4468:
+					             le16_to_cpu(new_el->l_next_free_rec));

ERROR: code indent should use tabs where possible
torvalds#98: FILE: fs/ocfs2/alloc.c:4468:
+^I^I^I^I^I             le16_to_cpu(new_el->l_next_free_rec));$

WARNING: line over 80 characters
torvalds#114: FILE: fs/ocfs2/localalloc.c:666:
+		status = ocfs2_error(osb->sb, "local alloc inode %llu says it has %u used bits, but a count shows %u\n",

WARNING: line over 80 characters
torvalds#115: FILE: fs/ocfs2/localalloc.c:667:
+			             (unsigned long long)le64_to_cpu(alloc->i_blkno),

ERROR: code indent should use tabs where possible
torvalds#115: FILE: fs/ocfs2/localalloc.c:667:
+^I^I^I             (unsigned long long)le64_to_cpu(alloc->i_blkno),$

ERROR: code indent should use tabs where possible
torvalds#116: FILE: fs/ocfs2/localalloc.c:668:
+^I^I^I             le32_to_cpu(alloc->id1.bitmap1.i_used),$

ERROR: code indent should use tabs where possible
torvalds#117: FILE: fs/ocfs2/localalloc.c:669:
+^I^I^I             ocfs2_local_alloc_count_bits(alloc));$

ERROR: code indent should use tabs where possible
torvalds#138: FILE: fs/ocfs2/quota_local.c:142:
+^I^I^I           "Quota file %llu is probably corrupted! Requested to read block %Lu but file has size only %Lu\n",$

WARNING: %Lu is non-standard C, use %llu
torvalds#138: FILE: fs/ocfs2/quota_local.c:142:
+			           "Quota file %llu is probably corrupted! Requested to read block %Lu but file has size only %Lu\n",

ERROR: code indent should use tabs where possible
torvalds#139: FILE: fs/ocfs2/quota_local.c:143:
+^I^I^I           (unsigned long long)OCFS2_I(inode)->ip_blkno,$

ERROR: code indent should use tabs where possible
torvalds#140: FILE: fs/ocfs2/quota_local.c:144:
+^I^I^I           (unsigned long long)v_block,$

ERROR: code indent should use tabs where possible
torvalds#141: FILE: fs/ocfs2/quota_local.c:145:
+^I^I^I           (unsigned long long)i_size_read(inode));$

total: 21 errors, 15 warnings, 108 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

NOTE: Whitespace errors detected.
      You may wish to use scripts/cleanpatch or scripts/cleanfile

./patches/ocfs2-return-erofs-when-filesystem-becomes-read-only.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jun Piao <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Stephen Rothwell <[email protected]>
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Jul 11, 2018
@akpm00 @sfrothwell
ocfs2-return-erofs-when-filesystem-becomes-read-only-checkpatch-fixes
9cad80e 
WARNING: line over 80 characters
torvalds#34: FILE: fs/ocfs2/alloc.c:1484:
+			status = ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#35: FILE: fs/ocfs2/alloc.c:1485:
+^I^I^I^I             "Owner %llu has empty extent list (next_free_rec == 0)\n",$

WARNING: line over 80 characters
torvalds#36: FILE: fs/ocfs2/alloc.c:1486:
+				             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci));

ERROR: code indent should use tabs where possible
torvalds#36: FILE: fs/ocfs2/alloc.c:1486:
+^I^I^I^I             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci));$

WARNING: line over 80 characters
torvalds#46: FILE: fs/ocfs2/alloc.c:1492:
+			status = ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#47: FILE: fs/ocfs2/alloc.c:1493:
+^I^I^I^I             "Owner %llu has extent list where extent # %d has no physical block start\n",$

WARNING: line over 80 characters
torvalds#48: FILE: fs/ocfs2/alloc.c:1494:
+				             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci), i);

ERROR: code indent should use tabs where possible
torvalds#48: FILE: fs/ocfs2/alloc.c:1494:
+^I^I^I^I             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci), i);$

WARNING: line over 80 characters
torvalds#61: FILE: fs/ocfs2/alloc.c:3215:
+			ret = ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#62: FILE: fs/ocfs2/alloc.c:3216:
+^I^I^I^I          "Owner %llu has empty extent block at %llu\n",$

WARNING: line over 80 characters
torvalds#63: FILE: fs/ocfs2/alloc.c:3217:
+				          (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#63: FILE: fs/ocfs2/alloc.c:3217:
+^I^I^I^I          (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),$

WARNING: line over 80 characters
torvalds#64: FILE: fs/ocfs2/alloc.c:3218:
+				          (unsigned long long)le64_to_cpu(eb->h_blkno));

ERROR: code indent should use tabs where possible
torvalds#64: FILE: fs/ocfs2/alloc.c:3218:
+^I^I^I^I          (unsigned long long)le64_to_cpu(eb->h_blkno));$

ERROR: code indent should use tabs where possible
torvalds#79: FILE: fs/ocfs2/alloc.c:4412:
+^I^I^I^I^I             "Extent block #%llu has an invalid l_next_free_rec of %d.  It should have matched the l_count of %d\n",$

WARNING: line over 80 characters
torvalds#80: FILE: fs/ocfs2/alloc.c:4413:
+					             (unsigned long long)le64_to_cpu(eb->h_blkno),

ERROR: code indent should use tabs where possible
torvalds#80: FILE: fs/ocfs2/alloc.c:4413:
+^I^I^I^I^I             (unsigned long long)le64_to_cpu(eb->h_blkno),$

WARNING: line over 80 characters
torvalds#81: FILE: fs/ocfs2/alloc.c:4414:
+					             le16_to_cpu(new_el->l_next_free_rec),

ERROR: code indent should use tabs where possible
torvalds#81: FILE: fs/ocfs2/alloc.c:4414:
+^I^I^I^I^I             le16_to_cpu(new_el->l_next_free_rec),$

WARNING: line over 80 characters
torvalds#82: FILE: fs/ocfs2/alloc.c:4415:
+					             le16_to_cpu(new_el->l_count));

ERROR: code indent should use tabs where possible
torvalds#82: FILE: fs/ocfs2/alloc.c:4415:
+^I^I^I^I^I             le16_to_cpu(new_el->l_count));$

ERROR: code indent should use tabs where possible
torvalds#96: FILE: fs/ocfs2/alloc.c:4466:
+^I^I^I^I^I             "Extent block #%llu has an invalid l_next_free_rec of %d\n",$

WARNING: line over 80 characters
torvalds#97: FILE: fs/ocfs2/alloc.c:4467:
+					             (unsigned long long)le64_to_cpu(eb->h_blkno),

ERROR: code indent should use tabs where possible
torvalds#97: FILE: fs/ocfs2/alloc.c:4467:
+^I^I^I^I^I             (unsigned long long)le64_to_cpu(eb->h_blkno),$

WARNING: line over 80 characters
torvalds#98: FILE: fs/ocfs2/alloc.c:4468:
+					             le16_to_cpu(new_el->l_next_free_rec));

ERROR: code indent should use tabs where possible
torvalds#98: FILE: fs/ocfs2/alloc.c:4468:
+^I^I^I^I^I             le16_to_cpu(new_el->l_next_free_rec));$

WARNING: line over 80 characters
torvalds#114: FILE: fs/ocfs2/localalloc.c:666:
+		status = ocfs2_error(osb->sb, "local alloc inode %llu says it has %u used bits, but a count shows %u\n",

WARNING: line over 80 characters
torvalds#115: FILE: fs/ocfs2/localalloc.c:667:
+			             (unsigned long long)le64_to_cpu(alloc->i_blkno),

ERROR: code indent should use tabs where possible
torvalds#115: FILE: fs/ocfs2/localalloc.c:667:
+^I^I^I             (unsigned long long)le64_to_cpu(alloc->i_blkno),$

ERROR: code indent should use tabs where possible
torvalds#116: FILE: fs/ocfs2/localalloc.c:668:
+^I^I^I             le32_to_cpu(alloc->id1.bitmap1.i_used),$

ERROR: code indent should use tabs where possible
torvalds#117: FILE: fs/ocfs2/localalloc.c:669:
+^I^I^I             ocfs2_local_alloc_count_bits(alloc));$

ERROR: code indent should use tabs where possible
torvalds#138: FILE: fs/ocfs2/quota_local.c:142:
+^I^I^I           "Quota file %llu is probably corrupted! Requested to read block %Lu but file has size only %Lu\n",$

WARNING: %Lu is non-standard C, use %llu
torvalds#138: FILE: fs/ocfs2/quota_local.c:142:
+			           "Quota file %llu is probably corrupted! Requested to read block %Lu but file has size only %Lu\n",

ERROR: code indent should use tabs where possible
torvalds#139: FILE: fs/ocfs2/quota_local.c:143:
+^I^I^I           (unsigned long long)OCFS2_I(inode)->ip_blkno,$

ERROR: code indent should use tabs where possible
torvalds#140: FILE: fs/ocfs2/quota_local.c:144:
+^I^I^I           (unsigned long long)v_block,$

ERROR: code indent should use tabs where possible
torvalds#141: FILE: fs/ocfs2/quota_local.c:145:
+^I^I^I           (unsigned long long)i_size_read(inode));$

total: 21 errors, 15 warnings, 108 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

NOTE: Whitespace errors detected.
      You may wish to use scripts/cleanpatch or scripts/cleanfile

./patches/ocfs2-return-erofs-when-filesystem-becomes-read-only.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jun Piao <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Stephen Rothwell <[email protected]>
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Jul 16, 2018
@akpm00 @sfrothwell
ocfs2-return-erofs-when-filesystem-becomes-read-only-checkpatch-fixes
cd77dc1 
WARNING: line over 80 characters
torvalds#34: FILE: fs/ocfs2/alloc.c:1484:
+			status = ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#35: FILE: fs/ocfs2/alloc.c:1485:
+^I^I^I^I             "Owner %llu has empty extent list (next_free_rec == 0)\n",$

WARNING: line over 80 characters
torvalds#36: FILE: fs/ocfs2/alloc.c:1486:
+				             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci));

ERROR: code indent should use tabs where possible
torvalds#36: FILE: fs/ocfs2/alloc.c:1486:
+^I^I^I^I             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci));$

WARNING: line over 80 characters
torvalds#46: FILE: fs/ocfs2/alloc.c:1492:
+			status = ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#47: FILE: fs/ocfs2/alloc.c:1493:
+^I^I^I^I             "Owner %llu has extent list where extent # %d has no physical block start\n",$

WARNING: line over 80 characters
torvalds#48: FILE: fs/ocfs2/alloc.c:1494:
+				             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci), i);

ERROR: code indent should use tabs where possible
torvalds#48: FILE: fs/ocfs2/alloc.c:1494:
+^I^I^I^I             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci), i);$

WARNING: line over 80 characters
torvalds#61: FILE: fs/ocfs2/alloc.c:3215:
+			ret = ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#62: FILE: fs/ocfs2/alloc.c:3216:
+^I^I^I^I          "Owner %llu has empty extent block at %llu\n",$

WARNING: line over 80 characters
torvalds#63: FILE: fs/ocfs2/alloc.c:3217:
+				          (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#63: FILE: fs/ocfs2/alloc.c:3217:
+^I^I^I^I          (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),$

WARNING: line over 80 characters
torvalds#64: FILE: fs/ocfs2/alloc.c:3218:
+				          (unsigned long long)le64_to_cpu(eb->h_blkno));

ERROR: code indent should use tabs where possible
torvalds#64: FILE: fs/ocfs2/alloc.c:3218:
+^I^I^I^I          (unsigned long long)le64_to_cpu(eb->h_blkno));$

ERROR: code indent should use tabs where possible
torvalds#79: FILE: fs/ocfs2/alloc.c:4412:
+^I^I^I^I^I             "Extent block #%llu has an invalid l_next_free_rec of %d.  It should have matched the l_count of %d\n",$

WARNING: line over 80 characters
torvalds#80: FILE: fs/ocfs2/alloc.c:4413:
+					             (unsigned long long)le64_to_cpu(eb->h_blkno),

ERROR: code indent should use tabs where possible
torvalds#80: FILE: fs/ocfs2/alloc.c:4413:
+^I^I^I^I^I             (unsigned long long)le64_to_cpu(eb->h_blkno),$

WARNING: line over 80 characters
torvalds#81: FILE: fs/ocfs2/alloc.c:4414:
+					             le16_to_cpu(new_el->l_next_free_rec),

ERROR: code indent should use tabs where possible
torvalds#81: FILE: fs/ocfs2/alloc.c:4414:
+^I^I^I^I^I             le16_to_cpu(new_el->l_next_free_rec),$

WARNING: line over 80 characters
torvalds#82: FILE: fs/ocfs2/alloc.c:4415:
+					             le16_to_cpu(new_el->l_count));

ERROR: code indent should use tabs where possible
torvalds#82: FILE: fs/ocfs2/alloc.c:4415:
+^I^I^I^I^I             le16_to_cpu(new_el->l_count));$

ERROR: code indent should use tabs where possible
torvalds#96: FILE: fs/ocfs2/alloc.c:4466:
+^I^I^I^I^I             "Extent block #%llu has an invalid l_next_free_rec of %d\n",$

WARNING: line over 80 characters
torvalds#97: FILE: fs/ocfs2/alloc.c:4467:
+					             (unsigned long long)le64_to_cpu(eb->h_blkno),

ERROR: code indent should use tabs where possible
torvalds#97: FILE: fs/ocfs2/alloc.c:4467:
+^I^I^I^I^I             (unsigned long long)le64_to_cpu(eb->h_blkno),$

WARNING: line over 80 characters
torvalds#98: FILE: fs/ocfs2/alloc.c:4468:
+					             le16_to_cpu(new_el->l_next_free_rec));

ERROR: code indent should use tabs where possible
torvalds#98: FILE: fs/ocfs2/alloc.c:4468:
+^I^I^I^I^I             le16_to_cpu(new_el->l_next_free_rec));$

WARNING: line over 80 characters
torvalds#114: FILE: fs/ocfs2/localalloc.c:666:
+		status = ocfs2_error(osb->sb, "local alloc inode %llu says it has %u used bits, but a count shows %u\n",

WARNING: line over 80 characters
torvalds#115: FILE: fs/ocfs2/localalloc.c:667:
+			             (unsigned long long)le64_to_cpu(alloc->i_blkno),

ERROR: code indent should use tabs where possible
torvalds#115: FILE: fs/ocfs2/localalloc.c:667:
+^I^I^I             (unsigned long long)le64_to_cpu(alloc->i_blkno),$

ERROR: code indent should use tabs where possible
torvalds#116: FILE: fs/ocfs2/localalloc.c:668:
+^I^I^I             le32_to_cpu(alloc->id1.bitmap1.i_used),$

ERROR: code indent should use tabs where possible
torvalds#117: FILE: fs/ocfs2/localalloc.c:669:
+^I^I^I             ocfs2_local_alloc_count_bits(alloc));$

ERROR: code indent should use tabs where possible
torvalds#138: FILE: fs/ocfs2/quota_local.c:142:
+^I^I^I           "Quota file %llu is probably corrupted! Requested to read block %Lu but file has size only %Lu\n",$

WARNING: %Lu is non-standard C, use %llu
torvalds#138: FILE: fs/ocfs2/quota_local.c:142:
+			           "Quota file %llu is probably corrupted! Requested to read block %Lu but file has size only %Lu\n",

ERROR: code indent should use tabs where possible
torvalds#139: FILE: fs/ocfs2/quota_local.c:143:
+^I^I^I           (unsigned long long)OCFS2_I(inode)->ip_blkno,$

ERROR: code indent should use tabs where possible
torvalds#140: FILE: fs/ocfs2/quota_local.c:144:
+^I^I^I           (unsigned long long)v_block,$

ERROR: code indent should use tabs where possible
torvalds#141: FILE: fs/ocfs2/quota_local.c:145:
+^I^I^I           (unsigned long long)i_size_read(inode));$

total: 21 errors, 15 warnings, 108 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

NOTE: Whitespace errors detected.
      You may wish to use scripts/cleanpatch or scripts/cleanfile

./patches/ocfs2-return-erofs-when-filesystem-becomes-read-only.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jun Piao <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Stephen Rothwell <[email protected]>
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Jul 24, 2018
@akpm00 @sfrothwell
ocfs2-return-erofs-when-filesystem-becomes-read-only-checkpatch-fixes
4a9e5c9 
WARNING: line over 80 characters
torvalds#34: FILE: fs/ocfs2/alloc.c:1484:
+			status = ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#35: FILE: fs/ocfs2/alloc.c:1485:
+^I^I^I^I             "Owner %llu has empty extent list (next_free_rec == 0)\n",$

WARNING: line over 80 characters
torvalds#36: FILE: fs/ocfs2/alloc.c:1486:
+				             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci));

ERROR: code indent should use tabs where possible
torvalds#36: FILE: fs/ocfs2/alloc.c:1486:
+^I^I^I^I             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci));$

WARNING: line over 80 characters
torvalds#46: FILE: fs/ocfs2/alloc.c:1492:
+			status = ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#47: FILE: fs/ocfs2/alloc.c:1493:
+^I^I^I^I             "Owner %llu has extent list where extent # %d has no physical block start\n",$

WARNING: line over 80 characters
torvalds#48: FILE: fs/ocfs2/alloc.c:1494:
+				             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci), i);

ERROR: code indent should use tabs where possible
torvalds#48: FILE: fs/ocfs2/alloc.c:1494:
+^I^I^I^I             (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci), i);$

WARNING: line over 80 characters
torvalds#61: FILE: fs/ocfs2/alloc.c:3215:
+			ret = ocfs2_error(ocfs2_metadata_cache_get_super(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#62: FILE: fs/ocfs2/alloc.c:3216:
+^I^I^I^I          "Owner %llu has empty extent block at %llu\n",$

WARNING: line over 80 characters
torvalds#63: FILE: fs/ocfs2/alloc.c:3217:
+				          (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),

ERROR: code indent should use tabs where possible
torvalds#63: FILE: fs/ocfs2/alloc.c:3217:
+^I^I^I^I          (unsigned long long)ocfs2_metadata_cache_owner(et->et_ci),$

WARNING: line over 80 characters
torvalds#64: FILE: fs/ocfs2/alloc.c:3218:
+				          (unsigned long long)le64_to_cpu(eb->h_blkno));

ERROR: code indent should use tabs where possible
torvalds#64: FILE: fs/ocfs2/alloc.c:3218:
+^I^I^I^I          (unsigned long long)le64_to_cpu(eb->h_blkno));$

ERROR: code indent should use tabs where possible
torvalds#79: FILE: fs/ocfs2/alloc.c:4412:
+^I^I^I^I^I             "Extent block #%llu has an invalid l_next_free_rec of %d.  It should have matched the l_count of %d\n",$

WARNING: line over 80 characters
torvalds#80: FILE: fs/ocfs2/alloc.c:4413:
+					             (unsigned long long)le64_to_cpu(eb->h_blkno),

ERROR: code indent should use tabs where possible
torvalds#80: FILE: fs/ocfs2/alloc.c:4413:
+^I^I^I^I^I             (unsigned long long)le64_to_cpu(eb->h_blkno),$

WARNING: line over 80 characters
torvalds#81: FILE: fs/ocfs2/alloc.c:4414:
+					             le16_to_cpu(new_el->l_next_free_rec),

ERROR: code indent should use tabs where possible
torvalds#81: FILE: fs/ocfs2/alloc.c:4414:
+^I^I^I^I^I             le16_to_cpu(new_el->l_next_free_rec),$

WARNING: line over 80 characters
torvalds#82: FILE: fs/ocfs2/alloc.c:4415:
+					             le16_to_cpu(new_el->l_count));

ERROR: code indent should use tabs where possible
torvalds#82: FILE: fs/ocfs2/alloc.c:4415:
+^I^I^I^I^I             le16_to_cpu(new_el->l_count));$

ERROR: code indent should use tabs where possible
torvalds#96: FILE: fs/ocfs2/alloc.c:4466:
+^I^I^I^I^I             "Extent block #%llu has an invalid l_next_free_rec of %d\n",$

WARNING: line over 80 characters
torvalds#97: FILE: fs/ocfs2/alloc.c:4467:
+					             (unsigned long long)le64_to_cpu(eb->h_blkno),

ERROR: code indent should use tabs where possible
torvalds#97: FILE: fs/ocfs2/alloc.c:4467:
+^I^I^I^I^I             (unsigned long long)le64_to_cpu(eb->h_blkno),$

WARNING: line over 80 characters
torvalds#98: FILE: fs/ocfs2/alloc.c:4468:
+					             le16_to_cpu(new_el->l_next_free_rec));

ERROR: code indent should use tabs where possible
torvalds#98: FILE: fs/ocfs2/alloc.c:4468:
+^I^I^I^I^I             le16_to_cpu(new_el->l_next_free_rec));$

WARNING: line over 80 characters
torvalds#114: FILE: fs/ocfs2/localalloc.c:666:
+		status = ocfs2_error(osb->sb, "local alloc inode %llu says it has %u used bits, but a count shows %u\n",

WARNING: line over 80 characters
torvalds#115: FILE: fs/ocfs2/localalloc.c:667:
+			             (unsigned long long)le64_to_cpu(alloc->i_blkno),

ERROR: code indent should use tabs where possible
torvalds#115: FILE: fs/ocfs2/localalloc.c:667:
+^I^I^I             (unsigned long long)le64_to_cpu(alloc->i_blkno),$

ERROR: code indent should use tabs where possible
torvalds#116: FILE: fs/ocfs2/localalloc.c:668:
+^I^I^I             le32_to_cpu(alloc->id1.bitmap1.i_used),$

ERROR: code indent should use tabs where possible
torvalds#117: FILE: fs/ocfs2/localalloc.c:669:
+^I^I^I             ocfs2_local_alloc_count_bits(alloc));$

ERROR: code indent should use tabs where possible
torvalds#138: FILE: fs/ocfs2/quota_local.c:142:
+^I^I^I           "Quota file %llu is probably corrupted! Requested to read block %Lu but file has size only %Lu\n",$

WARNING: %Lu is non-standard C, use %llu
torvalds#138: FILE: fs/ocfs2/quota_local.c:142:
+			           "Quota file %llu is probably corrupted! Requested to read block %Lu but file has size only %Lu\n",

ERROR: code indent should use tabs where possible
torvalds#139: FILE: fs/ocfs2/quota_local.c:143:
+^I^I^I           (unsigned long long)OCFS2_I(inode)->ip_blkno,$

ERROR: code indent should use tabs where possible
torvalds#140: FILE: fs/ocfs2/quota_local.c:144:
+^I^I^I           (unsigned long long)v_block,$

ERROR: code indent should use tabs where possible
torvalds#141: FILE: fs/ocfs2/quota_local.c:145:
+^I^I^I           (unsigned long long)i_size_read(inode));$

total: 21 errors, 15 warnings, 108 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

NOTE: Whitespace errors detected.
      You may wish to use scripts/cleanpatch or scripts/cleanfile

./patches/ocfs2-return-erofs-when-filesystem-becomes-read-only.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Jun Piao <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Stephen Rothwell <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Sep 21, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
1202db5 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Sep 23, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
3ac09d4 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Sep 23, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
9f9c45c 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Sep 23, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
6711849 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Sep 23, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
d5ab409 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Sep 24, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
38c83a0 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Sep 24, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
2386b1a 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Sep 25, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
ac3f908 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Sep 27, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
ea5ace0 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Sep 27, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
1300696 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 1, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
3cc527b 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 10, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
6e25847 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 11, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
8cf91fd 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 15, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
2237590 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 20, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
789a418 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 21, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
436c0e8 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 21, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
f3c26f6 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 21, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
70e2b38 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
aotot pushed a commit to jove-decompiler/linux that referenced this pull request Oct 26, 2025
@tdz
drm/ast: Move modesetting code to CRTC's atomic_flush()
29e0bb5 
When enabling the CRTC after waking up from a power-saving mode, the
primary plane's framebuffer might be NULL, which leads to a stack trace
as shown below.

  [  632.624608] BUG: kernel NULL pointer dereference, address: 0000000000000048
  [  632.624631] #PF: supervisor read access in kernel mode
  [  632.624639] #PF: error_code(0x0000) - not-present page
  [  632.624647] PGD 0 P4D 0
  [  632.624654] Oops: 0000 [#1] SMP PTI
  [  632.624662] CPU: 0 PID: 2082 Comm: gnome-shell Tainted: G            E     5.4.0-rc7-1-default+ torvalds#114
  [  632.624673] Hardware name: Sun Microsystems SUN FIRE X2270 M2/SUN FIRE X2270 M2, BIOS 2.05    07/01/2010
  [  632.624689] RIP: 0010:ast_crtc_helper_atomic_enable+0x7d/0x680 [ast]
  [  632.624698] Code: 48 8b 80 e0 02 00 00 4c 8b 60 10 31 c0 f3 48 ab 48 8b 83 78 04 00 00 4c 89 ef 48 8d 70 18 e8 9a e9 55 ce 48 8b 83 78 04 00 00 <49> 8b 7c 24 48 4c 89 ea 4c 8d 44 24 28 48 8d 4c 24 20 48 8d 70 18
  [  632.624718] RSP: 0018:ffffbe9ec123fa40 EFLAGS: 00010246
  [  632.624726] RAX: ffff95a13cfd3400 RBX: ffff95a13cf32000 RCX: 0000000000000000
  [  632.624735] RDX: 0000000000000000 RSI: ffff95a13cfd34e8 RDI: ffffbe9ec123fb40
  [  632.624744] RBP: ffffbe9ec123fb80 R08: 0000000000000000 R09: 0000000000000003
  [  632.624753] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
  [  632.624762] R13: ffffbe9ec123fa70 R14: ffff95a13beb7000 R15: ffff95a13cf32800
  [  632.624772] FS:  00007f6d2763e140(0000) GS:ffff95a134000000(0000) knlGS:0000000000000000
  [  632.624782] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [  632.624790] CR2: 0000000000000048 CR3: 00000001192f8004 CR4: 00000000000206f0
  [  632.624800] Call Trace:
  [  632.624811]  ? __lock_acquire+0x409/0x7c0
  [  632.624830]  drm_atomic_helper_commit_modeset_enables+0x1af/0x200
  [  632.624840]  drm_atomic_helper_commit_tail+0x32/0x70
  [  632.624849]  commit_tail+0xc7/0x110
  [  632.624857]  drm_atomic_helper_commit+0x121/0x130
  [  632.624867]  drm_atomic_connector_commit_dpms+0xd7/0x100
  [  632.624878]  set_property_atomic+0xaf/0x110
  [  632.624890]  drm_mode_obj_set_property_ioctl+0xbb/0x190
  [  632.624899]  ? drm_mode_obj_find_prop_id+0x40/0x40
  [  632.624909]  drm_ioctl_kernel+0x86/0xd0
  [  632.624918]  drm_ioctl+0x1e4/0x36b
  [  632.624925]  ? drm_mode_obj_find_prop_id+0x40/0x40
  [  632.624939]  do_vfs_ioctl+0x4bd/0x6e0
  [  632.624949]  ksys_ioctl+0x5e/0x90
  [  632.624957]  __x64_sys_ioctl+0x16/0x20
  [  632.624966]  do_syscall_64+0x5a/0x220
  [  632.624976]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
  [  632.624984] RIP: 0033:0x7f6d2b0de387
  [  632.624991] Code: 00 00 90 48 8b 05 f9 9a 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c9 9a 0c 00 f7 d8 64 89 01 48
  [  632.625011] RSP: 002b:00007fffb49def38 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
  [  632.625021] RAX: ffffffffffffffda RBX: 00007fffb49def70 RCX: 00007f6d2b0de387
  [  632.625030] RDX: 00007fffb49def70 RSI: 00000000c01864ba RDI: 0000000000000009
  [  632.625040] RBP: 00000000c01864ba R08: 0000000000000000 R09: 00000000c0c0c0c0
  [  632.625049] R10: 0000000000000030 R11: 0000000000000246 R12: 000055bc367eb920
  [  632.625058] R13: 0000000000000009 R14: 0000000000000002 R15: 0000000000000000
  [  632.625071] Modules linked in: ebtable_filter(E) ebtables(E) ip6table_filter(E) ip6_tables(E) iptable_filter(E) ip_tables(E) x_tables(E) af_packet(E) scsi_transport_iscsi(E) dmi_sysfs(E) msr(E) xfs(E) intel_powerclamp(E) coretemp(E) k)
  [  632.625185] CR2: 0000000000000048

The STR is

	* start gdm and wait for it to switch off the display
	* wake up the display by pressing a key

CRTC modesetting depends on the new state of the CRTC and the primary
plane's framebuffer. The bugfix moves the modesetting code into the
CRTC's atomic_flush() function, where it is protected from the plane's
framebuffer being NULL.

The CRTC's atomic-enable function, which is the modesetting's original
location, still contains DPMS state handling. It's exactly the inverse
of the atomic-disable function.

v3:
	* protect modesetting from from fb == NULL
v2:
	* do an atomic check for plane
	* reject invisible primary planes

Signed-off-by: Thomas Zimmermann <[email protected]>
Acked-by: Gerd Hoffmann <[email protected]>
Fixes: 43040f1 ("drm/ast: Add CRTC helpers for atomic modesetting")
Cc: Gerd Hoffmann <[email protected]>
Cc: Dave Airlie <[email protected]>
Cc: Daniel Vetter <[email protected]>
Cc: "Y.C. Chen" <[email protected]>
Cc: Sam Ravnborg <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 27, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
bedaa7e 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 27, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
25c554f 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 27, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
ee61b75 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 27, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
73f57d5 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 27, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
aa28cb3 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 28, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
b466afc 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Oct 30, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
2e686b1 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Nov 3, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
1dc7b71 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Nov 5, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
c6e6d9c 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Nov 5, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
adc895b 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
guidosarducci added a commit to guidosarducci/linux that referenced this pull request Nov 7, 2025
@guidosarducci
net, bpf: Fix sk_user_data pointer corruption on 32-bit
0d23966 
The Fixes: commit made use of the lower 3 bits of (void *)sk->sk_user_data
for flags, and refactored to simplify adding even more.

This change immediately broke 32-bit usage: in BPF's reuseport_array for
example, 'struct reuseport_array' has an array 'struct sock __rcu *ptrs[]'
whose members must be cleared on socket close via now-broken references
from sk->sk_user_data. This leads to subtle memory corruption and lock
issues that result in kernel hangs and panics while running BPF selftests:

root@qemu-armhf:/usr/libexec/kselftests-bpf# test_progs -a select_reuseport
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_config:PASS:netns_new 0 nsec
torvalds#356/1   select_reuseport/reuseport_sockarray IPv4/TCP LOOPBACK test_err_inner_map:OK
[...]
------------[ cut here ]------------
WARNING: CPU: 0 PID: 87 at kernel/locking/lockdep.c:238 __lock_acquire+0xac0/0xd1c
DEBUG_LOCKS_WARN_ON(1)
Modules linked in: bpf_testmod(OE) bpf_preload
CPU: 0 UID: 0 PID: 87 Comm: test_progs Tainted: G           OE       6.17.0-rc1-00233-ge37b36224f81-dirty torvalds#114 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
Hardware name: Generic DT based system
Call trace:
 dump_backtrace from show_stack+0x20/0x24
 r7:c01e2ebc r6:00000080 r5:60010093 r4:c14d3d80
 show_stack from dump_stack_lvl+0x90/0xc0
 dump_stack_lvl from dump_stack+0x18/0x1c
 r7:c01e2ebc r6:00000009 r5:000000ee r4:c14c5bc4
 dump_stack from __warn+0x8c/0x1b4
 __warn from warn_slowpath_fmt+0x130/0x1a4
 r8:c01e2ebc r7:c14bd144 r6:c14c5bc4 r5:c3cad400 r4:c1cf8a04
 warn_slowpath_fmt from __lock_acquire+0xac0/0xd1c
 r8:c2896b50 r7:00000000 r6:c58863b8 r5:c3cad400 r4:c3cadcc0
 __lock_acquire from lock_acquire.part.0+0xbc/0x240
 r10:00000000 r9:1c0ed000 r8:00000000 r7:60010013 r6:c1b902f0 r5:c1b902f0
 r4:df865cd0
 lock_acquire.part.0 from lock_acquire+0x90/0x168
 r10:c5886100 r9:c46a6c04 r8:00000000 r7:00000000 r6:00000000 r5:00000000
 r4:c58863b8
 lock_acquire from _raw_write_lock_bh+0x54/0x90
 r9:c46a6c04 r8:00000000 r7:00000055 r6:c58863b8 r5:c58863a8 r4:c0394774
 _raw_write_lock_bh from bpf_fd_reuseport_array_update_elem+0x16c/0x26c
 r6:c59a4000 r5:c5191400 r4:c58863a8
 bpf_fd_reuseport_array_update_elem from bpf_map_update_value+0x454/0x5dc
 r10:c329a901 r9:c329a900 r8:c1cf72f0 r7:c3cad400 r6:c595dc00 r5:00000000
 r4:00000000
 bpf_map_update_value from map_update_elem+0x210/0x430
 r10:c329a901 r9:00000004 r8:c595df40 r7:df865ec0 r6:c329a900 r5:c46a6c00
 r4:c46a6cf8
 map_update_elem from __sys_bpf+0x594/0xc94
 r10:00000000 r9:befb18b0 r8:00000051 r7:00000000 r6:00000002 r5:df865eb0
 r4:00000020
 __sys_bpf from sys_bpf+0x34/0x3c
 r10:00000182 r9:c3cad400 r8:c0100234 r7:00000182 r6:00000002 r5:befb18b0
 r4:00000020
 sys_bpf from ret_fast_syscall+0x0/0x1c
Exception stack(0xdf865fa8 to 0xdf865ff0)
5fa0:                   00000020 befb18b0 00000002 befb18b0 00000020 00000000
5fc0: 00000020 befb18b0 00000002 00000182 00839395 b6fa3ce0 00000000 012ac774
5fe0: befb1880 befb1870 00863133 b6ec3312
irq event stamp: 260676
hardirqs last  enabled at (260676): [<c0149fac>] __local_bh_enable_ip+0xc4/0x1b0
hardirqs last disabled at (260675): [<c014a024>] __local_bh_enable_ip+0x13c/0x1b0
softirqs last  enabled at (260668): [<c0a1c31c>] release_sock+0x94/0x98
softirqs last disabled at (260674): [<c03946f4>] bpf_fd_reuseport_array_update_elem+0xec/0x26c
---[ end trace 0000000000000000 ]---

Reviewing kernel usage of sk->sk_user_data and the current flag bits:

    #define SK_USER_DATA_NOCOPY    1UL
    #define SK_USER_DATA_BPF       2UL
    #define SK_USER_DATA_PSOCK     4UL

reveals that SK_USER_DATA_PSOCK and SK_USER_DATA_BPF both imply
SK_USER_DATA_NOCOPY, and suggests we can instead use an equivalent
2-bit enum like:

    enum sk_user_data {
        SK_USER_DATA_NONE       = 0,
        SK_USER_DATA_NOCOPY     = 1,
        SK_USER_DATA_BPF        = 2,
        SK_USER_DATA_PSOCK      = 3,
    };

Implement this to fix the pointer corruption, and update related call
signatures and comments to clarify the change from multiple flag bits to
an enum value, with a note highlighting the 2-bit limitation.

Fixes: 2a01337 ("net: fix refcount bug in sk_psock_get (2)")
Signed-off-by: Tony Ambardar <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@e-mailky @frankcash @Patrick-Edouard