From b2135d1cb0e368dcdb8631ed2f232caefbd7711f Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 28 Nov 2025 10:17:07 +0300 Subject: [PATCH 01/16] liveupdate: luo_file: don't use invalid list iterator If we exit a list_for_each_entry() without hitting a break then the list iterator points to an offset from the list_head. It's a non-NULL but invalid pointer and dereferencing it isn't allowed. Introduce a new "found" variable to test instead. Link: https://lkml.kernel.org/r/aSlMc4SS09Re4_xn@stanley.mountain Fixes: 3ee1d673194e ("liveupdate: luo_file: implement file systems callbacks") Signed-off-by: Dan Carpenter Reported-by: kernel test robot Closes: https://lore.kernel.org/r/202511280420.y9O4fyhX-lkp@intel.com/ Reviewed-by: Mike Rapoport (Microsoft) Reviewed-by: Pasha Tatashin Cc: Pratyush Yadav Signed-off-by: Andrew Morton --- kernel/liveupdate/luo_file.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/kernel/liveupdate/luo_file.c b/kernel/liveupdate/luo_file.c index ddff87917b21..a32a777f6df8 100644 --- a/kernel/liveupdate/luo_file.c +++ b/kernel/liveupdate/luo_file.c @@ -554,17 +554,20 @@ int luo_retrieve_file(struct luo_file_set *file_set, u64 token, { struct liveupdate_file_op_args args = {0}; struct luo_file *luo_file; + bool found = false; int err; if (list_empty(&file_set->files_list)) return -ENOENT; list_for_each_entry(luo_file, &file_set->files_list, list) { - if (luo_file->token == token) + if (luo_file->token == token) { + found = true; break; + } } - if (luo_file->token != token) + if (!found) return -ENOENT; guard(mutex)(&luo_file->mutex); From 4ac577ae741e745ecfb64c5a9c7f52fc36aca022 Mon Sep 17 00:00:00 2001 From: Edward Adam Davis Date: Thu, 27 Nov 2025 11:26:40 +0800 Subject: [PATCH 02/16] ocfs2: check tl_used after reading it from trancate log inode The fuzz image has a truncate log inode whose tl_used is bigger than tl_count so it triggers the BUG in ocfs2_truncate_log_needs_flush() [1]. As what the check in ocfs2_truncate_log_needs_flush() does, just do same check into ocfs2_get_truncate_log_info() when truncate log inode is reading in so we can bail out earlier. [1] (syz.0.17,5491,0):ocfs2_truncate_log_needs_flush:5830 ERROR: bug expression: le16_to_cpu(tl->tl_used) > le16_to_cpu(tl->tl_count) kernel BUG at fs/ocfs2/alloc.c:5830! RIP: 0010:ocfs2_truncate_log_needs_flush fs/ocfs2/alloc.c:5827 [inline] Call Trace: ocfs2_commit_truncate+0xb64/0x21d0 fs/ocfs2/alloc.c:7372 ocfs2_truncate_file+0xca2/0x1420 fs/ocfs2/file.c:509 ocfs2_setattr+0x1520/0x1b40 fs/ocfs2/file.c:1212 notify_change+0xc1a/0xf40 fs/attr.c:546 do_truncate+0x1a4/0x220 fs/open.c:68 Link: https://lkml.kernel.org/r/tencent_B24B1C1BE225DCBA44BB6933AB9E1B1B0708@qq.com Reported-by: syzbot+f82afc4d4e74d0ef7a89@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f82afc4d4e74d0ef7a89 Tested-by: syzbot+f82afc4d4e74d0ef7a89@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Signed-off-by: Andrew Morton --- fs/ocfs2/alloc.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c index 162711cc5b20..ba26d21344bd 100644 --- a/fs/ocfs2/alloc.c +++ b/fs/ocfs2/alloc.c @@ -6164,7 +6164,7 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_super *osb, struct buffer_head *bh = NULL; struct ocfs2_dinode *di; struct ocfs2_truncate_log *tl; - unsigned int tl_count; + unsigned int tl_count, tl_used; inode = ocfs2_get_system_file_inode(osb, TRUNCATE_LOG_SYSTEM_INODE, @@ -6185,8 +6185,10 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_super *osb, di = (struct ocfs2_dinode *)bh->b_data; tl = &di->id2.i_dealloc; tl_count = le16_to_cpu(tl->tl_count); + tl_used = le16_to_cpu(tl->tl_used); if (unlikely(tl_count > ocfs2_truncate_recs_per_inode(osb->sb) || - tl_count == 0)) { + tl_count == 0 || + tl_used > tl_count)) { status = -EFSCORRUPTED; iput(inode); brelse(bh); From d86fea4294cb7878e3866eb567ee803d180a159b Mon Sep 17 00:00:00 2001 From: Thorsten Blum Date: Wed, 26 Nov 2025 12:44:15 +0100 Subject: [PATCH 03/16] ocfs2: replace deprecated strcpy with strscpy strcpy() has been deprecated [1] because it performs no bounds checking on the destination buffer, which can lead to buffer overflows. Replace it with the safer strscpy(). No functional changes. Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strcpy [1] Link: https://lkml.kernel.org/r/20251126114419.92539-1-thorsten.blum@linux.dev Signed-off-by: Thorsten Blum Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Signed-off-by: Andrew Morton --- fs/ocfs2/alloc.c | 5 +++-- fs/ocfs2/cluster/nodemanager.c | 3 ++- fs/ocfs2/dir.c | 10 +++++----- fs/ocfs2/namei.c | 3 ++- fs/ocfs2/stackglue.c | 3 ++- fs/ocfs2/suballoc.c | 3 ++- 6 files changed, 16 insertions(+), 11 deletions(-) diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c index ba26d21344bd..46da66a883e4 100644 --- a/fs/ocfs2/alloc.c +++ b/fs/ocfs2/alloc.c @@ -10,6 +10,7 @@ #include #include #include +#include #include #include #include @@ -1037,7 +1038,7 @@ static int ocfs2_create_new_meta_bhs(handle_t *handle, memset(bhs[i]->b_data, 0, osb->sb->s_blocksize); eb = (struct ocfs2_extent_block *) bhs[i]->b_data; /* Ok, setup the minimal stuff here. */ - strcpy(eb->h_signature, OCFS2_EXTENT_BLOCK_SIGNATURE); + strscpy(eb->h_signature, OCFS2_EXTENT_BLOCK_SIGNATURE); eb->h_blkno = cpu_to_le64(first_blkno); eb->h_fs_generation = cpu_to_le32(osb->fs_generation); eb->h_suballoc_slot = @@ -6746,7 +6747,7 @@ static int ocfs2_reuse_blk_from_dealloc(handle_t *handle, /* We can't guarantee that buffer head is still cached, so * polutlate the extent block again. */ - strcpy(eb->h_signature, OCFS2_EXTENT_BLOCK_SIGNATURE); + strscpy(eb->h_signature, OCFS2_EXTENT_BLOCK_SIGNATURE); eb->h_blkno = cpu_to_le64(bf->free_blk); eb->h_fs_generation = cpu_to_le32(osb->fs_generation); eb->h_suballoc_slot = cpu_to_le16(real_slot); diff --git a/fs/ocfs2/cluster/nodemanager.c b/fs/ocfs2/cluster/nodemanager.c index 2f61d39e4e50..6bc4e064ace4 100644 --- a/fs/ocfs2/cluster/nodemanager.c +++ b/fs/ocfs2/cluster/nodemanager.c @@ -4,6 +4,7 @@ */ #include +#include #include #include #include @@ -590,7 +591,7 @@ static struct config_item *o2nm_node_group_make_item(struct config_group *group, if (node == NULL) return ERR_PTR(-ENOMEM); - strcpy(node->nd_name, name); /* use item.ci_namebuf instead? */ + strscpy(node->nd_name, name); /* use item.ci_namebuf instead? */ config_item_init_type_name(&node->nd_item, name, &o2nm_node_type); spin_lock_init(&node->nd_lock); diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c index 2785ff245e79..782afd9fa934 100644 --- a/fs/ocfs2/dir.c +++ b/fs/ocfs2/dir.c @@ -136,7 +136,7 @@ static void ocfs2_init_dir_trailer(struct inode *inode, struct ocfs2_dir_block_trailer *trailer; trailer = ocfs2_trailer_from_bh(bh, inode->i_sb); - strcpy(trailer->db_signature, OCFS2_DIR_TRAILER_SIGNATURE); + strscpy(trailer->db_signature, OCFS2_DIR_TRAILER_SIGNATURE); trailer->db_compat_rec_len = cpu_to_le16(sizeof(struct ocfs2_dir_block_trailer)); trailer->db_parent_dinode = cpu_to_le64(OCFS2_I(inode)->ip_blkno); @@ -2213,14 +2213,14 @@ static struct ocfs2_dir_entry *ocfs2_fill_initial_dirents(struct inode *inode, de->name_len = 1; de->rec_len = cpu_to_le16(OCFS2_DIR_REC_LEN(de->name_len)); - strcpy(de->name, "."); + strscpy(de->name, "."); ocfs2_set_de_type(de, S_IFDIR); de = (struct ocfs2_dir_entry *) ((char *)de + le16_to_cpu(de->rec_len)); de->inode = cpu_to_le64(OCFS2_I(parent)->ip_blkno); de->rec_len = cpu_to_le16(size - OCFS2_DIR_REC_LEN(1)); de->name_len = 2; - strcpy(de->name, ".."); + strscpy(de->name, ".."); ocfs2_set_de_type(de, S_IFDIR); return de; @@ -2378,7 +2378,7 @@ static int ocfs2_dx_dir_attach_index(struct ocfs2_super *osb, dx_root = (struct ocfs2_dx_root_block *)dx_root_bh->b_data; memset(dx_root, 0, osb->sb->s_blocksize); - strcpy(dx_root->dr_signature, OCFS2_DX_ROOT_SIGNATURE); + strscpy(dx_root->dr_signature, OCFS2_DX_ROOT_SIGNATURE); dx_root->dr_suballoc_slot = cpu_to_le16(meta_ac->ac_alloc_slot); dx_root->dr_suballoc_loc = cpu_to_le64(suballoc_loc); dx_root->dr_suballoc_bit = cpu_to_le16(dr_suballoc_bit); @@ -2454,7 +2454,7 @@ static int ocfs2_dx_dir_format_cluster(struct ocfs2_super *osb, dx_leaf = (struct ocfs2_dx_leaf *) bh->b_data; memset(dx_leaf, 0, osb->sb->s_blocksize); - strcpy(dx_leaf->dl_signature, OCFS2_DX_LEAF_SIGNATURE); + strscpy(dx_leaf->dl_signature, OCFS2_DX_LEAF_SIGNATURE); dx_leaf->dl_fs_generation = cpu_to_le32(osb->fs_generation); dx_leaf->dl_blkno = cpu_to_le64(bh->b_blocknr); dx_leaf->dl_list.de_count = diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c index c90b254da75e..4ec6dbed65a8 100644 --- a/fs/ocfs2/namei.c +++ b/fs/ocfs2/namei.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -568,7 +569,7 @@ static int __ocfs2_mknod_locked(struct inode *dir, ocfs2_set_links_count(fe, inode->i_nlink); fe->i_last_eb_blk = 0; - strcpy(fe->i_signature, OCFS2_INODE_SIGNATURE); + strscpy(fe->i_signature, OCFS2_INODE_SIGNATURE); fe->i_flags |= cpu_to_le32(OCFS2_VALID_FL); ktime_get_coarse_real_ts64(&ts); fe->i_atime = fe->i_ctime = fe->i_mtime = diff --git a/fs/ocfs2/stackglue.c b/fs/ocfs2/stackglue.c index a28c127b9934..fca2fd07c881 100644 --- a/fs/ocfs2/stackglue.c +++ b/fs/ocfs2/stackglue.c @@ -10,6 +10,7 @@ #include #include +#include #include #include #include @@ -670,7 +671,7 @@ static int __init ocfs2_stack_glue_init(void) { int ret; - strcpy(cluster_stack_name, OCFS2_STACK_PLUGIN_O2CB); + strscpy(cluster_stack_name, OCFS2_STACK_PLUGIN_O2CB); ocfs2_table_header = register_sysctl("fs/ocfs2/nm", ocfs2_nm_table); if (!ocfs2_table_header) { diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c index 6ac4dcd54588..4b9d0ecd0981 100644 --- a/fs/ocfs2/suballoc.c +++ b/fs/ocfs2/suballoc.c @@ -11,6 +11,7 @@ #include #include #include +#include #include #include @@ -372,7 +373,7 @@ static int ocfs2_block_group_fill(handle_t *handle, } memset(bg, 0, sb->s_blocksize); - strcpy(bg->bg_signature, OCFS2_GROUP_DESC_SIGNATURE); + strscpy(bg->bg_signature, OCFS2_GROUP_DESC_SIGNATURE); bg->bg_generation = cpu_to_le32(osb->fs_generation); bg->bg_size = cpu_to_le16(ocfs2_group_bitmap_size(sb, 1, osb->s_feature_incompat)); From acce46aaf8c65612b2933e739b3a929986b5642b Mon Sep 17 00:00:00 2001 From: Lalit Shankar Chowdhury Date: Thu, 27 Nov 2025 17:54:31 +0000 Subject: [PATCH 04/16] fs/fat: remove unnecessary wrapper fat_max_cache() fat_max_cache() always returned FAT_MAX_CACHE and did not use the inode parameter. So, use the FAT_MAX_CACHE constant directly. Link: https://lkml.kernel.org/r/20251127175431.126516-1-lalitshankarch@gmail.com Signed-off-by: Lalit Shankar Chowdhury Acked-by: OGAWA Hirofumi Cc: Christian Brauner Signed-off-by: Andrew Morton --- fs/fat/cache.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/fs/fat/cache.c b/fs/fat/cache.c index 2af424e200b3..630f3056658e 100644 --- a/fs/fat/cache.c +++ b/fs/fat/cache.c @@ -29,11 +29,6 @@ struct fat_cache_id { int dcluster; }; -static inline int fat_max_cache(struct inode *inode) -{ - return FAT_MAX_CACHE; -} - static struct kmem_cache *fat_cache_cachep; static void init_once(void *foo) @@ -145,7 +140,7 @@ static void fat_cache_add(struct inode *inode, struct fat_cache_id *new) cache = fat_cache_merge(inode, new); if (cache == NULL) { - if (MSDOS_I(inode)->nr_caches < fat_max_cache(inode)) { + if (MSDOS_I(inode)->nr_caches < FAT_MAX_CACHE) { MSDOS_I(inode)->nr_caches++; spin_unlock(&MSDOS_I(inode)->cache_lru_lock); From 2a4f33430e96d0bebfa37b1d586098f61f030b06 Mon Sep 17 00:00:00 2001 From: Deepanshu Kartikey Date: Thu, 20 Nov 2025 09:41:45 +0530 Subject: [PATCH 05/16] ocfs2: validate inline xattr size and entry count in ocfs2_xattr_ibody_list Add comprehensive validation of inline xattr metadata in ocfs2_xattr_ibody_list() to prevent out-of-bounds access and use-after-free bugs when processing corrupted inline xattrs. The patch adds two critical validations: 1. Validates i_xattr_inline_size before use: - Ensures it does not exceed block size - Ensures it is at least large enough for xattr header - Prevents pointer arithmetic with corrupted size values that could point outside the inode block 2. Validates xattr entry count (xh_count): - Calculates maximum entries that can fit in the inline space - Rejects counts that exceed this limit - Prevents out-of-bounds array access in subsequent code Without these checks, a corrupted filesystem with invalid inline xattr metadata can cause the code to access memory beyond the allocated space. For example: - A corrupted i_xattr_inline_size of 0 would cause header pointer calculation to point past the end of the block - A corrupted xh_count of 22 with inline_size of 256 would cause array access 7 entries beyond the 15 that actually fit (the syzbot reproducer used xh_count of 20041), leading to use-after-free when accessing freed memory pages The validation uses the correct inline_size (from di->i_xattr_inline_size) rather than block size, ensuring accurate bounds checking for inline xattrs specifically. Link: https://lkml.kernel.org/r/20251120041145.33176-1-kartikey406@gmail.com Link: https://lore.kernel.org/all/20251111073831.2027072-1-kartikey406@gmail.com/ [v1] Link: https://lore.kernel.org/all/20251117063217.5690-1-kartikey406@gmail.com/ [v2] Link: https://lore.kernel.org/all/20251117114224.12948-1-kartikey406@gmail.com/ [v3] Signed-off-by: Deepanshu Kartikey Reported-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ab0ad25088673470d2d9 Tested-by: syzbot+ab0ad25088673470d2d9@syzkaller.appspotmail.com Suggested-by: Heming Zhao Reviewed-by: Heming Zhao Acked-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Signed-off-by: Andrew Morton --- fs/ocfs2/xattr.c | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 73c028f452ac..610f1a89d962 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -971,13 +971,39 @@ static int ocfs2_xattr_ibody_list(struct inode *inode, struct ocfs2_xattr_header *header = NULL; struct ocfs2_inode_info *oi = OCFS2_I(inode); int ret = 0; + u16 xattr_count; + size_t max_entries; + u16 inline_size; if (!(oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) return ret; + inline_size = le16_to_cpu(di->i_xattr_inline_size); + + /* Validate inline size is reasonable */ + if (inline_size > inode->i_sb->s_blocksize || + inline_size < sizeof(struct ocfs2_xattr_header)) { + ocfs2_error(inode->i_sb, + "Invalid xattr inline size %u in inode %llu\n", + inline_size, + (unsigned long long)OCFS2_I(inode)->ip_blkno); + return -EFSCORRUPTED; + } + header = (struct ocfs2_xattr_header *) - ((void *)di + inode->i_sb->s_blocksize - - le16_to_cpu(di->i_xattr_inline_size)); + ((void *)di + inode->i_sb->s_blocksize - inline_size); + + xattr_count = le16_to_cpu(header->xh_count); + max_entries = (inline_size - sizeof(struct ocfs2_xattr_header)) / + sizeof(struct ocfs2_xattr_entry); + + if (xattr_count > max_entries) { + ocfs2_error(inode->i_sb, + "xattr entry count %u exceeds maximum %zu in inode %llu\n", + xattr_count, max_entries, + (unsigned long long)OCFS2_I(inode)->ip_blkno); + return -EFSCORRUPTED; + } ret = ocfs2_xattr_list_entries(inode, header, buffer, buffer_size); From bf2c7bf5c48303b76f20537238292571e6aa29f3 Mon Sep 17 00:00:00 2001 From: Pasha Tatashin Date: Sat, 29 Nov 2025 20:09:19 -0500 Subject: [PATCH 06/16] liveupdate: luo_core: fix redundant bound check in luo_ioctl() The kernel test robot reported a Smatch warning: kernel/liveupdate/luo_core.c:402 luo_ioctl() warn: unsigned 'nr' is never less than zero. This occurs because 'nr' is unsigned and LIVEUPDATE_CMD_BASE is currently defined as 0, making the check (nr < LIVEUPDATE_CMD_BASE) always false. Remove the explicit lower bound check. The logic remains correct because 'nr' is unsigned; if nr is less than LIVEUPDATE_CMD_BASE, the expression (nr - LIVEUPDATE_CMD_BASE) will wrap around to a large positive value. This will inevitably be larger than ARRAY_SIZE(luo_ioctl_ops) and be caught by the upper bound check. Link: https://lkml.kernel.org/r/20251130010919.1488230-1-pasha.tatashin@soleen.com Signed-off-by: Pasha Tatashin Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202511280300.6pvBmXUS-lkp@intel.com/ Reviewed-by: Mike Rapoport (Microsoft) Cc: David Matlack Cc: Pratyush Yadav Signed-off-by: Andrew Morton --- kernel/liveupdate/luo_core.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/kernel/liveupdate/luo_core.c b/kernel/liveupdate/luo_core.c index f7ecaf7740d1..944663d99dd9 100644 --- a/kernel/liveupdate/luo_core.c +++ b/kernel/liveupdate/luo_core.c @@ -399,10 +399,8 @@ static long luo_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) int err; nr = _IOC_NR(cmd); - if (nr < LIVEUPDATE_CMD_BASE || - (nr - LIVEUPDATE_CMD_BASE) >= ARRAY_SIZE(luo_ioctl_ops)) { + if (nr - LIVEUPDATE_CMD_BASE >= ARRAY_SIZE(luo_ioctl_ops)) return -EINVAL; - } ucmd.ubuffer = (void __user *)arg; err = get_user(ucmd.user_size, (u32 __user *)ucmd.ubuffer); From 039bef30e320827bac8990c9f29d2a68cd8adb5f Mon Sep 17 00:00:00 2001 From: Prithvi Tambewagh Date: Mon, 1 Dec 2025 18:37:11 +0530 Subject: [PATCH 07/16] ocfs2: fix kernel BUG in ocfs2_find_victim_chain syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the `cl_next_free_rec` field of the allocation chain list (next free slot in the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec) condition in ocfs2_find_victim_chain() and panicking the kernel. To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(), just before calling ocfs2_find_victim_chain(), the code block in it being executed when either of the following conditions is true: 1. `cl_next_free_rec` is equal to 0, indicating that there are no free chains in the allocation chain list 2. `cl_next_free_rec` is greater than `cl_count` (the total number of chains in the allocation chain list) Either of them being true is indicative of the fact that there are no chains left for usage. This is addressed using ocfs2_error(), which prints the error log for debugging purposes, rather than panicking the kernel. Link: https://lkml.kernel.org/r/20251201130711.143900-1-activprithvi@gmail.com Signed-off-by: Prithvi Tambewagh Reported-by: syzbot+96d38c6e1655c1420a72@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=96d38c6e1655c1420a72 Tested-by: syzbot+96d38c6e1655c1420a72@syzkaller.appspotmail.com Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Cc: Heming Zhao Cc: Signed-off-by: Andrew Morton --- fs/ocfs2/suballoc.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c index 4b9d0ecd0981..8e6e5235b30c 100644 --- a/fs/ocfs2/suballoc.c +++ b/fs/ocfs2/suballoc.c @@ -1993,6 +1993,16 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_alloc_context *ac, } cl = (struct ocfs2_chain_list *) &fe->id2.i_chain; + if (!le16_to_cpu(cl->cl_next_free_rec) || + le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count)) { + status = ocfs2_error(ac->ac_inode->i_sb, + "Chain allocator dinode %llu has invalid next " + "free chain record %u, but only %u total\n", + (unsigned long long)le64_to_cpu(fe->i_blkno), + le16_to_cpu(cl->cl_next_free_rec), + le16_to_cpu(cl->cl_count)); + goto bail; + } victim = ocfs2_find_victim_chain(cl); ac->ac_chain = victim; From e6b4d264c8c883d8451c7b5f20cd96ddf94af3ef Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Mon, 1 Dec 2025 21:10:18 +0100 Subject: [PATCH 08/16] args: fix documentation to reflect the correct numbers The macro uses up to 15 arguments. Reflect this in the top level comment. Link: https://lkml.kernel.org/r/20251201201018.765475-1-andriy.shevchenko@linux.intel.com Fixes: d51e783c17ba ("lsm: count the LSMs enabled at compile time") Signed-off-by: Andy Shevchenko Reviewed-by: Randy Dunlap Signed-off-by: Andrew Morton --- include/linux/args.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/args.h b/include/linux/args.h index 2e8e65d975c7..0562dc51435e 100644 --- a/include/linux/args.h +++ b/include/linux/args.h @@ -6,9 +6,9 @@ /* * How do these macros work? * - * In __COUNT_ARGS() _0 to _12 are just placeholders from the start + * In __COUNT_ARGS() _0 to _15 are just placeholders from the start * in order to make sure _n is positioned over the correct number - * from 12 to 0 (depending on X, which is a variadic argument list). + * from 15 to 0 (depending on X, which is a variadic argument list). * They serve no purpose other than occupying a position. Since each * macro parameter must have a distinct identifier, those identifiers * are as good as any. From 01da5216c572f6f8fca4e272451aad6c273b0d57 Mon Sep 17 00:00:00 2001 From: Ally Heev Date: Wed, 3 Dec 2025 20:58:49 +0530 Subject: [PATCH 09/16] checkpatch: add uninitialized pointer with __free attribute check Uinitialized pointers with __free attribute can cause undefined behavior as the memory randomly assigned to the pointer is freed automatically when the pointer goes out of scope. add check in checkpatch to detect such issues. Link: https://lkml.kernel.org/r/20251203-aheev-checkpatch-uninitialized-free-v7-1-841e3b31d8f3@gmail.com Signed-off-by: Ally Heev Suggested-by: Dan Carpenter Link: https://lore.kernel.org/all/8a4c0b43-cf63-400d-b33d-d9c447b7e0b9@suswa.mountain/ Link: https://lore.kernel.org/all/58fd478f408a34b578ee8d949c5c4b4da4d4f41d.camel@HansenPartnership.com/ Acked-by: Dan Williams Reviewed-by: Krzysztof Kozlowski Acked-by: Joe Perches Cc: Andy Whitcroft Cc: David Hunter Cc: Dwaipayan Ray Cc: Geert Uytterhoeven Cc: James Bottomley Cc: Jonathan Corbet Cc: Lukas Bulwahn Cc: Menon, Nishanth Cc: Stephen Boyd Cc: Viresh Kumar Signed-off-by: Andrew Morton --- Documentation/dev-tools/checkpatch.rst | 23 +++++++++++++++++++++++ scripts/checkpatch.pl | 6 ++++++ 2 files changed, 29 insertions(+) diff --git a/Documentation/dev-tools/checkpatch.rst b/Documentation/dev-tools/checkpatch.rst index 4dccd1036870..84ccb52e120b 100644 --- a/Documentation/dev-tools/checkpatch.rst +++ b/Documentation/dev-tools/checkpatch.rst @@ -1009,6 +1009,29 @@ Functions and Variables return bar; + **UNINITIALIZED_PTR_WITH_FREE** + Pointers with __free attribute should be declared at the place of use + and initialized (see include/linux/cleanup.h). In this case + declarations at the top of the function rule can be relaxed. Not doing + so may lead to undefined behavior as the memory assigned (garbage, + in case not initialized) to the pointer is freed automatically when + the pointer goes out of scope. + + Also see: https://lore.kernel.org/lkml/58fd478f408a34b578ee8d949c5c4b4da4d4f41d.camel@HansenPartnership.com/ + + Example:: + + type var __free(free_func); + ... // var not used, but, in future someone might add a return here + var = malloc(var_size); + ... + + should be initialized as:: + + ... + type var __free(free_func) = malloc(var_size); + ... + Permissions ----------- diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl index d58ca9655ab7..c0250244cf7a 100755 --- a/scripts/checkpatch.pl +++ b/scripts/checkpatch.pl @@ -7732,6 +7732,12 @@ sub process { ERROR("MISSING_SENTINEL", "missing sentinel in ID array\n" . "$here\n$stat\n"); } } + +# check for uninitialized pointers with __free attribute + while ($line =~ /\*\s*($Ident)\s+__free\s*\(\s*$Ident\s*\)\s*[,;]/g) { + ERROR("UNINITIALIZED_PTR_WITH_FREE", + "pointer '$1' with __free attribute should be initialized\n" . $herecurr); + } } # If we have no input at all, then there is nothing to report on From 752ba0976b25d69cfac55137573298bd5dd88aa2 Mon Sep 17 00:00:00 2001 From: Ahmet Eray Karadag Date: Wed, 3 Dec 2025 06:34:25 +0300 Subject: [PATCH 10/16] ocfs2: add ocfs2_emergency_state helper and apply to setattr Patch series "ocfs2: Refactor read-only checks to use ocfs2_emergency_state", v4. Following the fix for the `make_bad_inode` validation failure (syzbot ID: b93b65ee321c97861072), this separate series introduces a new helper function, `ocfs2_emergency_state()`, to improve and centralize read-only and error state checking. This is modeled after the `ext4_emergency_state()` pattern, providing a single, unified location for checking all filesystem-level emergency conditions. This makes the code cleaner and ensures that any future checks (e.g., for fatal error states) can be added in one place. This series is structured as follows: 1. The first patch introduces the `ocfs2_emergency_state()` helper (currently checking for -EROFS) and applies it to `ocfs2_setattr` to provide a "fail-fast" mechanism, as suggested by Albin Babu Varghese. 2. The second patch completes the refactoring by converting all remaining read-only checks throughout OCFS2 to use this new helper. This patch (of 2): To centralize error checking, follow the pattern of other filesystems like ext4 (which uses `ext4_emergency_state()`), and prepare for future enhancements, this patch introduces a new helper function: `ocfs2_emergency_state()`. The purpose of this helper is to provide a single, unified location for checking all filesystem-level emergency conditions. In this initial implementation, the function only checks for the existing hard and soft read-only modes, returning -EROFS if either is set. This provides a foundation where future checks (e.g., for fatal error states returning -EIO, or shutdown states) can be easily added in one place. This patch also adds this new check to the beginning of `ocfs2_setattr()`. This ensures that operations like `ftruncate` (which triggered the original BUG) fail-fast with -EROFS when the filesystem is already in a read-only state. Link: https://lkml.kernel.org/r/cover.1764728893.git.eraykrdg1@gmail.com Link: https://lkml.kernel.org/r/e9e975bcaaff8dbc155b70fbc1b2798a2e36e96f.1764728893.git.eraykrdg1@gmail.com Co-developed-by: Albin Babu Varghese Signed-off-by: Albin Babu Varghese Signed-off-by: Ahmet Eray Karadag Suggested-by: Heming Zhao Reviewed-by: Heming Zhao Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Cc: David Hunter Signed-off-by: Andrew Morton --- fs/ocfs2/file.c | 6 ++++++ fs/ocfs2/ocfs2.h | 18 ++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c index 21d797ccccd0..ddca292944d7 100644 --- a/fs/ocfs2/file.c +++ b/fs/ocfs2/file.c @@ -1136,6 +1136,12 @@ int ocfs2_setattr(struct mnt_idmap *idmap, struct dentry *dentry, attr->ia_valid & ATTR_GID ? from_kgid(&init_user_ns, attr->ia_gid) : 0); + status = ocfs2_emergency_state(osb); + if (unlikely(status)) { + mlog_errno(status); + goto bail; + } + /* ensuring we don't even attempt to truncate a symlink */ if (S_ISLNK(inode->i_mode)) attr->ia_valid &= ~ATTR_SIZE; diff --git a/fs/ocfs2/ocfs2.h b/fs/ocfs2/ocfs2.h index 6aaa94c554c1..7b50e03dfa66 100644 --- a/fs/ocfs2/ocfs2.h +++ b/fs/ocfs2/ocfs2.h @@ -680,6 +680,24 @@ static inline int ocfs2_is_soft_readonly(struct ocfs2_super *osb) return ret; } +static inline int ocfs2_is_readonly(struct ocfs2_super *osb) +{ + int ret; + spin_lock(&osb->osb_lock); + ret = osb->osb_flags & (OCFS2_OSB_SOFT_RO | OCFS2_OSB_HARD_RO); + spin_unlock(&osb->osb_lock); + + return ret; +} + +static inline int ocfs2_emergency_state(struct ocfs2_super *osb) +{ + if (ocfs2_is_readonly(osb)) + return -EROFS; + + return 0; +} + static inline int ocfs2_clusterinfo_valid(struct ocfs2_super *osb) { return (osb->s_feature_incompat & From 7eff54dfd245fb4bf398334be663478b9ae4bb99 Mon Sep 17 00:00:00 2001 From: Ahmet Eray Karadag Date: Wed, 3 Dec 2025 06:34:26 +0300 Subject: [PATCH 11/16] ocfs2: convert remaining read-only checks to ocfs2_emergency_state Now that the centralized `ocfs2_emergency_state()` helper is available, refactor remaining filesystem-wide checks for `ocfs2_is_soft_readonly` and `ocfs2_is_hard_readonly` to use this new function. To ensure strict consistency with the previous behavior and guarantee no functional changes, the call sites continue to explicitly return -EROFS when the emergency state is detected. This standardizes the check logic while preserving the existing error handling flow. Link: https://lkml.kernel.org/r/3421641b54ad6b6e4ffca052351b518eacc1bd08.1764728893.git.eraykrdg1@gmail.com Co-developed-by: Albin Babu Varghese Signed-off-by: Albin Babu Varghese Signed-off-by: Ahmet Eray Karadag Reviewed-by: Heming Zhao Reviewed-by: Joseph Qi Cc: Changwei Ge Cc: David Hunter Cc: Joel Becker Cc: Jun Piao Cc: Junxiao Bi Cc: Mark Fasheh Signed-off-by: Andrew Morton --- fs/ocfs2/buffer_head_io.c | 2 +- fs/ocfs2/file.c | 8 ++++---- fs/ocfs2/inode.c | 3 +-- fs/ocfs2/move_extents.c | 2 +- fs/ocfs2/resize.c | 4 ++-- fs/ocfs2/super.c | 2 +- 6 files changed, 10 insertions(+), 11 deletions(-) diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c index 8f714406528d..701d27d908d4 100644 --- a/fs/ocfs2/buffer_head_io.c +++ b/fs/ocfs2/buffer_head_io.c @@ -434,7 +434,7 @@ int ocfs2_write_super_or_backup(struct ocfs2_super *osb, BUG_ON(buffer_jbd(bh)); ocfs2_check_super_or_backup(osb->sb, bh->b_blocknr); - if (ocfs2_is_hard_readonly(osb) || ocfs2_is_soft_readonly(osb)) { + if (unlikely(ocfs2_emergency_state(osb))) { ret = -EROFS; mlog_errno(ret); goto out; diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c index ddca292944d7..732c61599159 100644 --- a/fs/ocfs2/file.c +++ b/fs/ocfs2/file.c @@ -179,7 +179,7 @@ static int ocfs2_sync_file(struct file *file, loff_t start, loff_t end, file->f_path.dentry->d_name.name, (unsigned long long)datasync); - if (ocfs2_is_hard_readonly(osb) || ocfs2_is_soft_readonly(osb)) + if (unlikely(ocfs2_emergency_state(osb))) return -EROFS; err = file_write_and_wait_range(file, start, end); @@ -209,7 +209,7 @@ int ocfs2_should_update_atime(struct inode *inode, struct timespec64 now; struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); - if (ocfs2_is_hard_readonly(osb) || ocfs2_is_soft_readonly(osb)) + if (unlikely(ocfs2_emergency_state(osb))) return 0; if ((inode->i_flags & S_NOATIME) || @@ -1949,7 +1949,7 @@ static int __ocfs2_change_file_space(struct file *file, struct inode *inode, handle_t *handle; unsigned long long max_off = inode->i_sb->s_maxbytes; - if (ocfs2_is_hard_readonly(osb) || ocfs2_is_soft_readonly(osb)) + if (unlikely(ocfs2_emergency_state(osb))) return -EROFS; inode_lock(inode); @@ -2713,7 +2713,7 @@ static loff_t ocfs2_remap_file_range(struct file *file_in, loff_t pos_in, return -EINVAL; if (!ocfs2_refcount_tree(osb)) return -EOPNOTSUPP; - if (ocfs2_is_hard_readonly(osb) || ocfs2_is_soft_readonly(osb)) + if (unlikely(ocfs2_emergency_state(osb))) return -EROFS; /* Lock both files against IO */ diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c index 613636789503..5986d90b007e 100644 --- a/fs/ocfs2/inode.c +++ b/fs/ocfs2/inode.c @@ -1623,8 +1623,7 @@ static int ocfs2_filecheck_repair_inode_block(struct super_block *sb, trace_ocfs2_filecheck_repair_inode_block( (unsigned long long)bh->b_blocknr); - if (ocfs2_is_hard_readonly(OCFS2_SB(sb)) || - ocfs2_is_soft_readonly(OCFS2_SB(sb))) { + if (unlikely(ocfs2_emergency_state(OCFS2_SB(sb)))) { mlog(ML_ERROR, "Filecheck: cannot repair dinode #%llu " "on readonly filesystem\n", diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c index ce978a2497d9..99637e34d9da 100644 --- a/fs/ocfs2/move_extents.c +++ b/fs/ocfs2/move_extents.c @@ -909,7 +909,7 @@ static int ocfs2_move_extents(struct ocfs2_move_extents_context *context) struct buffer_head *di_bh = NULL; struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); - if (ocfs2_is_hard_readonly(osb) || ocfs2_is_soft_readonly(osb)) + if (unlikely(ocfs2_emergency_state(osb))) return -EROFS; inode_lock(inode); diff --git a/fs/ocfs2/resize.c b/fs/ocfs2/resize.c index b0733c08ed13..ac3ec2c21119 100644 --- a/fs/ocfs2/resize.c +++ b/fs/ocfs2/resize.c @@ -276,7 +276,7 @@ int ocfs2_group_extend(struct inode * inode, int new_clusters) u32 first_new_cluster; u64 lgd_blkno; - if (ocfs2_is_hard_readonly(osb) || ocfs2_is_soft_readonly(osb)) + if (unlikely(ocfs2_emergency_state(osb))) return -EROFS; if (new_clusters < 0) @@ -466,7 +466,7 @@ int ocfs2_group_add(struct inode *inode, struct ocfs2_new_group_input *input) u16 cl_bpc; u64 bg_ptr; - if (ocfs2_is_hard_readonly(osb) || ocfs2_is_soft_readonly(osb)) + if (unlikely(ocfs2_emergency_state(osb))) return -EROFS; main_bm_inode = ocfs2_get_system_file_inode(osb, diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c index 53daa4482406..c6019d260efc 100644 --- a/fs/ocfs2/super.c +++ b/fs/ocfs2/super.c @@ -2487,7 +2487,7 @@ static int ocfs2_handle_error(struct super_block *sb) rv = -EIO; } else { /* default option */ rv = -EROFS; - if (sb_rdonly(sb) && (ocfs2_is_soft_readonly(osb) || ocfs2_is_hard_readonly(osb))) + if (sb_rdonly(sb) && ocfs2_emergency_state(osb)) return rv; pr_crit("OCFS2: File system is now read-only.\n"); From 76b9701a54a23fe45dc15aacace616cca9671823 Mon Sep 17 00:00:00 2001 From: "Gustavo A. R. Silva" Date: Tue, 11 Nov 2025 12:01:19 +0900 Subject: [PATCH 12/16] ocfs2: avoid -Wflex-array-member-not-at-end warning -Wflex-array-member-not-at-end was introduced in GCC-14, and we are getting ready to enable it, globally. Use the new TRAILING_OVERLAP() helper to fix the following warning: fs/ocfs2/xattr.c:52:41: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] This helper creates a union between a flexible-array member (FAM) and a set of MEMBERS that would otherwise follow it. This overlays the trailing MEMBER struct ocfs2_extent_rec er; onto the FAM struct ocfs2_xattr_value_root::xr_list.l_recs[], while keeping the FAM and the start of MEMBER aligned. The static_assert() ensures this alignment remains, and it's intentionally placed inmediately after the related structure --no blank line in between. Link: https://lkml.kernel.org/r/aRKm_7aN7Smc3J5L@kspp Signed-off-by: Gustavo A. R. Silva Reviewed-by: Heming Zhao Acked-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Signed-off-by: Andrew Morton --- fs/ocfs2/xattr.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/fs/ocfs2/xattr.c b/fs/ocfs2/xattr.c index 610f1a89d962..55508389ce56 100644 --- a/fs/ocfs2/xattr.c +++ b/fs/ocfs2/xattr.c @@ -49,9 +49,13 @@ #include "ocfs2_trace.h" struct ocfs2_xattr_def_value_root { - struct ocfs2_xattr_value_root xv; - struct ocfs2_extent_rec er; + /* Must be last as it ends in a flexible-array member. */ + TRAILING_OVERLAP(struct ocfs2_xattr_value_root, xv, xr_list.l_recs, + struct ocfs2_extent_rec er; + ); }; +static_assert(offsetof(struct ocfs2_xattr_def_value_root, xv.xr_list.l_recs) == + offsetof(struct ocfs2_xattr_def_value_root, er)); struct ocfs2_xattr_bucket { /* The inode these xattrs are associated with */ From 7efb45f9685fd9292413f15ea1212f7077c4a35f Mon Sep 17 00:00:00 2001 From: Ahmet Eray Karadag Date: Wed, 3 Dec 2025 01:45:08 +0300 Subject: [PATCH 13/16] ocfs2: invalidate inode if i_mode is zero after block read A panic occurs in ocfs2_unlink due to WARN_ON(inode->i_nlink == 0) when handling a corrupted inode with i_mode=0 and i_nlink=0 in memory. This "zombie" inode is created because ocfs2_read_locked_inode proceeds even after ocfs2_validate_inode_block successfully validates a block that structurally looks okay (passes checksum, signature etc.) but contains semantically invalid data (specifically i_mode=0). The current validation function doesn't check for i_mode being zero. This results in an in-memory inode with i_mode=0 being added to the VFS cache, which later triggers the panic during unlink. Prevent this by adding an explicit check for (i_mode == 0, i_nlink == 0, non-orphan) within ocfs2_validate_inode_block. If the check is true, return -EFSCORRUPTED to signal corruption. This causes the caller (ocfs2_read_locked_inode) to invoke make_bad_inode(), correctly preventing the zombie inode from entering the cache. Link: https://lkml.kernel.org/r/20251202224507.53452-2-eraykrdg1@gmail.com Co-developed-by: Albin Babu Varghese Signed-off-by: Albin Babu Varghese Signed-off-by: Ahmet Eray Karadag Reported-by: syzbot+55c40ae8a0e5f3659f2b@syzkaller.appspotmail.com Fixes: https://syzkaller.appspot.com/bug?extid=55c40ae8a0e5f3659f2b Link: https://lore.kernel.org/all/20251022222752.46758-2-eraykrdg1@gmail.com/T/ Reviewed-by: Joseph Qi Cc: David Hunter Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Cc: Heming Zhao Signed-off-by: Andrew Morton --- fs/ocfs2/inode.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c index 5986d90b007e..ae938fb7c521 100644 --- a/fs/ocfs2/inode.c +++ b/fs/ocfs2/inode.c @@ -1461,6 +1461,14 @@ int ocfs2_validate_inode_block(struct super_block *sb, goto bail; } + if ((!di->i_links_count && !di->i_links_count_hi) || !di->i_mode) { + mlog(ML_ERROR, "Invalid dinode #%llu: " + "Corrupt state (nlink = %u or mode = %u) detected!\n", + (unsigned long long)bh->b_blocknr, + ocfs2_read_links_count(di), le16_to_cpu(di->i_mode)); + rc = -EFSCORRUPTED; + goto bail; + } /* * Errors after here are fatal. */ From 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 Mon Sep 17 00:00:00 2001 From: Dmitry Antipov Date: Fri, 5 Dec 2025 09:51:59 +0300 Subject: [PATCH 14/16] ocfs2: fix memory leak in ocfs2_merge_rec_left() In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after move, thus allowing 'ocfs2_free_path()' to free it before return. Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block") Signed-off-by: Dmitry Antipov Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2 Reviewed-by: Heming Zhao Acked-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Jun Piao Signed-off-by: Andrew Morton --- fs/ocfs2/alloc.c | 1 - 1 file changed, 1 deletion(-) diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c index 46da66a883e4..e3195b7e0cd0 100644 --- a/fs/ocfs2/alloc.c +++ b/fs/ocfs2/alloc.c @@ -3655,7 +3655,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path, * So we use the new rightmost path. */ ocfs2_mv_path(right_path, left_path); - left_path = NULL; } else ocfs2_complete_edge_insert(handle, left_path, right_path, subtree_index); From 402736a591b040360d36cfc27f6c371103177641 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Thu, 4 Dec 2025 11:28:59 +0100 Subject: [PATCH 15/16] mm: shmem: avoid build warning for CONFIG_SHMEM=n The newly added 'flags' variable is unused and causes a warning if CONFIG_SHMEM is disabled, since the shmem_acct_size() macro it is passed into does nothing: mm/shmem.c: In function '__shmem_file_setup': mm/shmem.c:5816:23: error: unused variable 'flags' [-Werror=unused-variable] 5816 | unsigned long flags = (vm_flags & VM_NORESERVE) ? SHMEM_F_NORESERVE : 0; | ^~~~~ Replace the two macros with equivalent inline functions to get the argument checking. Link: https://lkml.kernel.org/r/20251204102905.1048000-1-arnd@kernel.org Fixes: 6ff1610ced56 ("mm: shmem: use SHMEM_F_* flags instead of VM_* flags") Signed-off-by: Arnd Bergmann Acked-by: David Hildenbrand (Red Hat) Acked-by: Mike Rapoport (Microsoft) Reviewed-by: Baolin Wang Reviewed-by: Pratyush Yadav Reviewed-by: Pasha Tatashin Cc: Christian Brauner Cc: guoweikang Cc: Hugh Dickins Cc: Kairui Song Cc: Kemeng Shi Cc: Lorenzo Stoakes Signed-off-by: Andrew Morton --- mm/shmem.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/mm/shmem.c b/mm/shmem.c index 679721e48a87..3c0601d76317 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -5799,8 +5799,15 @@ EXPORT_SYMBOL_GPL(shmem_truncate_range); #define shmem_vm_ops generic_file_vm_ops #define shmem_anon_vm_ops generic_file_vm_ops #define shmem_file_operations ramfs_file_operations -#define shmem_acct_size(flags, size) 0 -#define shmem_unacct_size(flags, size) do {} while (0) + +static inline int shmem_acct_size(unsigned long flags, loff_t size) +{ + return 0; +} + +static inline void shmem_unacct_size(unsigned long flags, loff_t size) +{ +} static inline struct inode *shmem_get_inode(struct mnt_idmap *idmap, struct super_block *sb, struct inode *dir, From 601cc399a01049efa76be8f496541315dc9cf914 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Thu, 4 Dec 2025 11:01:58 +0100 Subject: [PATCH 16/16] mm: memfd_luo: add CONFIG_SHMEM dependency The new memfd code fails to link without SHMEM: aarch64-linux-ld: mm/memfd_luo.o: in function `memfd_luo_retrieve_folios': memfd_luo.c:(.text.memfd_luo_retrieve_folios+0xdc): undefined reference to `shmem_add_to_page_cache' memfd_luo.c:(.text.memfd_luo_retrieve_folios+0x11c): undefined reference to `shmem_inode_acct_blocks' memfd_luo.c:(.text.memfd_luo_retrieve_folios+0x134): undefined reference to `shmem_recalc_inode' Add a Kconfig dependency to disallow that configuration. Link: https://lkml.kernel.org/r/20251204100203.1034394-1-arnd@kernel.org Fixes: b3749f174d68 ("mm: memfd_luo: allow preserving memfd") Signed-off-by: Arnd Bergmann Reviewed-by: Pratyush Yadav Acked-by: Mike Rapoport (Microsoft) Reviewed-by: Pasha Tatashin Signed-off-by: Andrew Morton --- kernel/liveupdate/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/liveupdate/Kconfig b/kernel/liveupdate/Kconfig index 9b2515f31afb..d2aeaf13c3ac 100644 --- a/kernel/liveupdate/Kconfig +++ b/kernel/liveupdate/Kconfig @@ -54,6 +54,7 @@ config KEXEC_HANDOVER_ENABLE_DEFAULT config LIVEUPDATE bool "Live Update Orchestrator" depends on KEXEC_HANDOVER + depends on SHMEM help Enable the Live Update Orchestrator. Live Update is a mechanism, typically based on kexec, that allows the kernel to be updated