summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-06-15HID: hidpp: fix potential UAF in hidpp_connect_event()Jiri Kosina
If input_register_device() fails, we call input_free_device(), but keep stale pointer to the old device in hidpp->input, which could potentially lead to UAF. Fix that by resetting it to NULL before returning from hidpp_connect_event(). Reported-by: zdi-disclosures@trendmicro.com Signed-off-by: Jiri Kosina <jkosina@suse.com>
2026-06-15fuse-uring: clear ent->fuse_req in commit_fetch error pathZhenghang Xiao
fuse_uring_commit_fetch() error path called fuse_request_end(req) without clearing ent->fuse_req when fuse_ring_ent_set_commit() fails. The still-pending fuse_uring_send_in_task() task-work later dereferences the dangling pointer through fuse_uring_prepare_send(), causing a use-after-free. End the request with fuse_uring_req_end(), which handles all conditions already. Annotation/edition by Bernd: The UAF should be fixed by other means already and actually has to be avoided that way. Just checking for ent->fuse_req == NULL in fuse_uring_send_in_task() would be prone to race conditions, because if malicious userspace would commit requests that have passed the NULL check, but are in doing args copy, it would still trigger a use-after-free. Setting ent->fuse_req = NULL in fuse_uring_commit_fetch() still makes sense, though. Reported-by: Shuvam Pandey <shuvampandey1@gmail.com> Reported-by: Berkant Koc <me@berkoc.com> Signed-off-by: Zhenghang Xiao <kipreyyy@gmail.com> Signed-off-by: Bernd Schubert <bernd@bsbernd.com> Reviewed-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15keys: keyctl_pkey: replace BUG with return -EOPNOTSUPPMohammed EL Kadiri
Replace two BUG() calls in keyctl_pkey_params_get_2() and keyctl_pkey_e_d_s() default cases with -EOPNOTSUPP, matching the error style already used in these functions. Signed-off-by: Mohammed EL Kadiri <med08elkadiri@gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15keys: request_key: replace BUG with return -EINVALMohammed EL Kadiri
Replace BUG() in construct_get_dest_keyring() default case with return -EINVAL to handle the unimplemented group keyring destination gracefully. Signed-off-by: Mohammed EL Kadiri <med08elkadiri@gmail.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Link: https://lore.kernel.org/r/20260613130408.13709-2-med08elkadiri@gmail.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15keys: Pin request_key_auth payload in instantiate pathsShaomin Chen
A: request_key() B: KEYCTL_INSTANTIATE_IOV ================ ========================= create auth key store rka in auth key wait for helper get auth key load rka from auth key copy user payload sleep on #PF helper completed detach and free rka destroy auth key wake up use rka->target_key **USE-AFTER-FREE** Give request_key_auth payloads a refcount. Take a payload reference while authkey->sem stabilizes the payload and revocation state. Hold that reference across the instantiate and reject paths. Drop the auth key owning reference from revoke and destroy. [jarkko: Replaced the first two paragraphs of text with an actual concurrency scenario.] Cc: stable@vger.kernel.org # v5.10+ Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys") Reported-by: Shaomin Chen <eeesssooo020@gmail.com> Closes: https://lore.kernel.org/r/20260519144403.436694-1-eeesssooo020@gmail.com Signed-off-by: Shaomin Chen <eeesssooo020@gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15keys: prevent slab cache merging for key_jarMohammed EL Kadiri
Add SLAB_NO_MERGE to key_jar to prevent the allocator from merging it with other similarly-sized caches. This hardens struct key isolation by ensuring dedicated slab pages. Acked-by: Vlastimil Babka (SUSE) <vbabka@kernel.org> Signed-off-by: Mohammed EL Kadiri <med08elkadiri@gmail.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Link: https://lore.kernel.org/r/20260610065052.9120-1-med08elkadiri@gmail.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15keys: Replace strcpy(derived_buf, "AUTH_KEY") with strscpy(..., HASH_SIZE)David Laight
derived_buf is guaranteed to be HASH_SIZE - and it is more than enough. The strscpy() degenerates into an memcpy() (as did the strcpy()). Do the same for the associated "ENC_KEY" copy. Removes a possibly unbounded strcpy(). Signed-off-by: David Laight <david.laight.linux@gmail.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Link: https://lore.kernel.org/r/20260606202633.5018-9-david.laight.linux@gmail.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15KEYS: Use acquire when reading state in keyring searchGui-Dong Han
The negative-key race fix added release/acquire ordering for key use. Publish payload before state; read state before payload. keyring_search_iterator() still uses READ_ONCE() before match callbacks. An asymmetric match callback calls asymmetric_key_ids(), which reads key->payload.data[asym_key_ids]. Use key_read_state() there to complete that ordering. Fixes: 363b02dab09b ("KEYS: Fix race between updating and finding a negative key") Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Link: https://lore.kernel.org/r/20260529033406.20673-1-hanguidong02@gmail.com Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15keys/trusted_keys: mark 'migratable' as __ro_after_initLen Bao
The 'migratable' variable is initialized only during the init phase in the 'init_trusted' function and never changed. So, mark it as __ro_after_init. Signed-off-by: Len Bao <len.bao@gmx.us> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Link: https://lore.kernel.org/r/20260516152249.41851-1-len.bao@gmx.us Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15keys: use kmalloc_flex in user_preparseThorsten Blum
Use kmalloc_flex() when allocating a new struct user_key_payload in user_preparse() to replace the open-coded size arithmetic and to keep the size type-safe. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Link: https://lore.kernel.org/r/20260504093058.49720-3-thorsten.blum@linux.dev Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15KEYS: trusted: Debugging as a featureJarkko Sakkinen
TPM_DEBUG, and other similar flags, are a non-standard way to specify a feature in Linux kernel. Introduce CONFIG_TRUSTED_KEYS_DEBUG for trusted keys, and use it to replace these ad-hoc feature flags. Given that trusted keys debug dumps can contain sensitive data, harden the feature as follows: 1. In the Kconfig description postulate that pr_debug() statements must be used. 2. Use pr_debug() statements in TPM 1.x driver to print the protocol dump. 3. Require trusted.debug=1 on the kernel command line (default: 0) to activate dumps at runtime, even when CONFIG_TRUSTED_KEYS_DEBUG=y. Traces, when actually needed, can be easily enabled by providing trusted.dyndbg='+p' and trusted.debug=1 in the kernel command-line. Reported-by: Nayna Jain <nayna@linux.ibm.com> Closes: https://lore.kernel.org/all/7f8b8478-5cd8-4d97-bfd0-341fd5cf10f9@linux.ibm.com/ Reviewed-by: Nayna Jain <nayna@linux.ibm.com> Tested-by: Srish Srinivasan <ssrish@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15KEYS: encrypted: Remove unnecessary selection of CRYPTO_RNGEric Biggers
encrypted-keys uses the regular Linux RNG (get_random_bytes()), not the duplicative crypto_rng one. So it does not need to select CRYPTO_RNG. Signed-off-by: Eric Biggers <ebiggers@kernel.org> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15KEYS: fix overflow in keyctl_pkey_params_get_2()Jarkko Sakkinen
The length for the internal output buffer is calculated incorrectly, which can result overflow when a too small buffer is provided. Fix the bug by allocating internal output with the size of the maximum length of the cryptographic primitive instead of caller provided size. Link: https://lore.kernel.org/keyrings/20260531024914.3712130-1-jarkko@kernel.org/ Cc: stable@vger.kernel.org # v4.20+ Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]") Reported-by: Alessandro Groppo <ale.grpp@gmail.com> Tested-by: Alessandro Groppo <ale.grpp@gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2026-06-15KVM: s390: Introducing kvm_arch_set_irq_inatomic fast injectDouglas Freimuth
s390 needs a fast path for irq injection, and along those lines we introduce kvm_arch_set_irq_inatomic. Instead of placing all interrupts on the global work queue as it does today, this patch provides a fast path for irq injection. The inatomic fast path cannot lose control since it is running with interrupts disabled. This meant making the following changes that exist on the slow path today. First, the adapter_indicators page needs to be mapped since it is accessed with interrupts disabled, so we added map/unmap functions. Second, access to shared resources between the fast and slow paths needed to be changed from mutex and semaphores to spin_lock's. Finally, the memory allocation on the slow path utilizes GFP_KERNEL_ACCOUNT but we had to implement the fast path with GFP_ATOMIC allocation. Each of these enhancements were required to prevent blocking on the fast inject path. Fencing of Fast Inject in Secure Execution environments is enabled in the patch series by not mapping adapter indicator pages. In Secure Execution environments the path of execution available before this patch is followed. Statistical counters have been added to enable analysis of irq injection on the fast path and slow path including io_390_inatomic, io_flic_inject_airq, io_set_adapter_int and io_390_inatomic_no_inject. The no inject counter captures adapter masked, coalesced and suppressed interrupts. Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com> Signed-off-by: Douglas Freimuth <freimuth@linux.ibm.com> Acked-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Message-ID: <20260604192755.203143-4-freimuth@linux.ibm.com>
2026-06-15KVM: s390: Enable adapter_indicators_set to use mapped pagesDouglas Freimuth
The s390 adapter_indicators_set function can now be optimized to use long-term mapped pages when available so that work can be processed on a fast path when interrupts are disabled. If adapter indicator pages are not mapped then local mapping is done on a slow path as it is prior to this patch. For example, Secure Execution environments will take the local mapping path as it does prior to this patch. Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com> Signed-off-by: Douglas Freimuth <freimuth@linux.ibm.com> Acked-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Message-ID: <20260604192755.203143-3-freimuth@linux.ibm.com>
2026-06-15KVM: s390: Add map/unmap ioctl and clean mappings post-guestDouglas Freimuth
s390 needs map/unmap ioctls, which map the adapter set indicator pages, so the pages can be accessed when interrupts are disabled. The mappings are cleaned up when the guest is removed. pin_user_pages_remote is used for both the ioctl as well as the pin-on-demand logic in adapter_indicators_set(). Map/Unmap ioctls are fenced in order to avoid the longterm pinning in Secure Execution environments. In Secure Execution environments the path of execution available before this patch is followed. Statistical counters to count map/unmap functions for adapter indicator pages are added. The counters can be used to analyze map/unmap functions in non-Secure Execution environments and similarly can be used to analyze Secure Execution environments where the counters will not be incremented as the adapter indicator pages are not mapped. Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com> Signed-off-by: Douglas Freimuth <freimuth@linux.ibm.com> Acked-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Signed-off-by: Claudio Imbrenda <imbrenda@linux.ibm.com> Message-ID: <20260604192755.203143-2-freimuth@linux.ibm.com>
2026-06-15fuse-uring: use named constants for io-uring iovec indicesJoanne Koong
Replace magic indices 0 and 1 for the iovec array with named constants FUSE_URING_IOV_HEADERS and FUSE_URING_IOV_PAYLOAD. This makes the usages self-documenting and prepares for buffer ring support which will also reference these iovec slots by index. Reviewed-by: Bernd Schubert <bernd@bsbernd.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Baokun Li <libaokun@linux.alibaba.com> Signed-off-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse-uring: refactor setting up copy state for payload copyingJoanne Koong
Add a new helper function setup_fuse_copy_state() to contain the logic for setting up the copy state for payload copying. Reviewed-by: Bernd Schubert <bschubert@ddn.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Baokun Li <libaokun@linux.alibaba.com> Signed-off-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse-uring: use enum types for header copyingJoanne Koong
Use enum types to identify which part of the header needs to be copied. This improves the interface and will simplify both kernel-space and user-space header addresses copying when buffer rings are added. Reviewed-by: Bernd Schubert <bschubert@ddn.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Baokun Li <libaokun@linux.alibaba.com> Signed-off-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse-uring: refactor io-uring header copying from ringJoanne Koong
Move header copying from ring logic into a new copy_header_from_ring() function. This makes the copy_from_user() logic more clear and centralizes error handling / rate-limited logging. Reviewed-by: Bernd Schubert <bschubert@ddn.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Baokun Li <libaokun@linux.alibaba.com> Signed-off-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse-uring: refactor io-uring header copying to ringJoanne Koong
Move header copying to ring logic into a new copy_header_to_ring() function. This makes the copy_to_user() logic more clear and centralizes error handling / rate-limited logging. Reviewed-by: Bernd Schubert <bschubert@ddn.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Baokun Li <libaokun@linux.alibaba.com> Signed-off-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse-uring: separate next request fetching from sending logicJoanne Koong
Simplify the logic for fetching + sending off the next request. This gets rid of fuse_uring_send_next_to_ring() which contained duplicated logic from fuse_uring_send(). This decouples request fetching from the send operation, which makes the control flow clearer and reduces unnecessary parameter passing. Reviewed-by: Bernd Schubert <bschubert@ddn.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Baokun Li <libaokun@linux.alibaba.com> Signed-off-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: invalidate readdir cache on epoch bumpJun Wu
FUSE_NOTIFY_INC_EPOCH invalidates dentries, but does not invalidate cached readdir results. A process with cwd inside a FUSE mount can therefore observe stale readdir(".") output after an epoch bump. Fix this by recording epoch in the readdir cache and checking it on reuse. Minimal reproducer: - mount a tiny FUSE fs with an empty root directory - on opendir, enable fi->cache_readdir and fi->keep_cache - chdir into the mount and call readdir(".") to populate readdir cache - make the FUSE server report one file in the root directory - send only FUSE_NOTIFY_INC_EPOCH - call readdir(".") again; before this change it stays stale, after this change it sees the new file Fixes: 2396356a945b ("fuse: add more control over cache invalidation behaviour") Signed-off-by: Jun Wu <quark@meta.com> Reviewed-by: Joanne Koong <joannelkoong@gmail.com> Reviewed-by: Luis Henriques <luis@igalia.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15virtio-fs: avoid double-free on failed queue setupYung-Tse Cheng
virtio_fs_setup_vqs() allocates fs->vqs and fs->mq_map before calling virtio_find_vqs(). If virtio_find_vqs() fails, the error path frees both pointers and returns an error to virtio_fs_probe(). virtio_fs_probe() then drops the last kobject reference, and virtio_fs_ktype_release() frees fs->vqs and fs->mq_map again. This leaves dangling pointers in struct virtio_fs and can trigger a double-free during probe failure cleanup. Set fs->vqs and fs->mq_map to NULL immediately after kfree() in the virtio_fs_setup_vqs() error path so that the later kobject release sees an uninitialized state and kfree(NULL) becomes harmless. This can be reproduced when a broken virtio-fs device advertises more request queues than the transport actually provides. In that case virtio_find_vqs() fails while setting up the extra queue, and the probe path reaches the double-free cleanup sequence. Signed-off-by: Yung-Tse Cheng <mes900903@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: invalidate page cache after DIO and async DIO writesCheng Ding
This fixe does page cache invalidation after DIO and async DIO writes for both O_DIRECT and FOPEN_DIRECT_IO cases. Commit b359af8275a9 ("fuse: Invalidate the page cache after FOPEN_DIRECT_IO write") fixed xfstests generic/209 for DIO writes in the FOPEN_DIRECT_IO path. DIO writes without FOPEN_DIRECT_IO are already handled by generic_file_direct_write(). However, async DIO writes (xfstests generic/451) remain unhandled. After this fix: - Async write with FUSE_ASYNC_DIO: invalidate in fuse_aio_invalidate_worker() - Otherwise (Sync or async write without FUSE_ASYNC_DIO): - With FOPEN_DIRECT_IO: invalidate in fuse_direct_write_iter() - Without FOPEN_DIRECT_IO: invalidate in generic_file_direct_write() Workqueue is required for async write invalidation to prevent deadlock: calling it directly in the I/O end routine (which is in fuse worker thread context) can block on a folio lock held by a buffered I/O thread waiting for the same fuse worker thread. Co-developed-by: Jingbo Xu <jefflexu@linux.alibaba.com> Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com> Signed-off-by: Cheng Ding <cding@ddn.com> Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: set ff->flock only on successZhang Tianci
If FUSE_SETLK fails (e.g., due to EWOULDBLOCK), we shall not set FUSE_RELEASE_FLOCK_UNLOCK in fuse_file_release(). Reported-by: Li Yichao <liyichao.1@bytedance.com> Signed-off-by: Zhang Tianci <zhangtianci.1997@bytedance.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: clean up interrupt readingJoanne Koong
Clean up interrupt reading logic. Remove passing the pointer to the fuse request as an arg and make the header initializations more readable. Signed-off-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: remove stray newline in fuse_dev_do_read()Joanne Koong
Remove stray newline that shouldn't be there. Signed-off-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: use READ_ONCE in fuse_chan_num_background()Li Wang
fuse_chan_num_background() is called without holding fch->bg_lock (for example from fuse_writepages() to compare against fc->congestion_threshold), while fch->num_background is updated under bg_lock in dev.c and dev_uring.c. This is the same locked-write/lockless-read pattern already used for max_background in fuse_chan_max_background(). Use READ_ONCE() on the read side so that: - The compiler does not cache or coalesce loads of a value that may change concurrently on another CPU. - Prevent KCSAN from reporting an unexpected race. Signed-off-by: Li Wang <liwang@kylinos.cn> Fixes: 670d21c6e17f ("fuse: remove reliance on bdi congestion") Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: dax: Move long delayed work on system_dfl_long_wqMarco Crivellari
Currently the code enqueue work items using {queue|mod}_delayed_work(), using system_long_wq. This workqueue should be used when long works are expected and it is a per-cpu workqueue. The function(s) end up calling __queue_delayed_work(), which set a global timer that could fire anywhere, enqueuing the work where the timer fired. Unbound works could benefit from scheduler task placement, to optimize performance and power consumption. Long work shouldn't stick to a single CPU. Recently, a new unbound workqueue specific for long running work has been added: c116737e972e ("workqueue: Add system_dfl_long_wq for long unbound works") Since the workqueue work doesn't rely on per-cpu variables, there is no obvious reason that justify the use of a per-cpu workqueue. So change system_long_wq with system_dfl_long_wq so that the work may benefit from scheduler task placement. Signed-off-by: Marco Crivellari <marco.crivellari@suse.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: add fuse_request_sent tracepointAmir Goldstein
This new tracepoint complements fuse_request_send (enqueue) and fuse_request_end (completion). It fires after the request has been successfully copied to the daemon's buffer, just before the daemon can start to process it. fuse_request_sent does not fire if the copy of the request fails. It also does not fire for NOTIFY_REPLY, which fires the _end tracepoint at the end of copy. This is needed for tools tracking the in-flight state of user initiated fuse requests. Signed-off-by: Amir Goldstein <amir73il@gmail.com> Reviewed-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: Add SPDX ID lines to some filesTim Bird
Some fuse source files are missing SPDX-License-Identifier lines. Add appropriate IDs to these files, and remove old license references from the headers. Signed-off-by: Tim Bird <tim.bird@sony.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: use QSTR() instead of QSTR_INIT() in fuse_get_dentryThorsten Blum
Drop the hard-coded length argument and use the simpler QSTR(). Inline the code and drop the local variable. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: convert page array allocation to kcalloc()William Theesfeld
fuse_get_user_pages() allocates the temporary pages[] array used by iov_iter_extract_pages() with the open-coded kzalloc(n * sizeof(*p), ...) form. max_pages is derived from the inbound iov_iter and is not bounded at compile time, so the multiplication can overflow on sufficiently large iter counts; the resulting too-small allocation would then be written past by iov_iter_extract_pages(). Switch to kcalloc(), which carries the same zero-on-allocation semantics and adds the standard size_mul overflow check. No functional change for non-overflow inputs. Signed-off-by: William Theesfeld <william@theesfeld.net> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: use current creds for backing filesGuoHan Zhao
FUSE backing files only need a stable snapshot of the current credentials for later backing-file I/O. prepare_creds() allocates a mutable copy and can fail, but this code never modifies or commits the result. Use get_current_cred() instead and store it as a const pointer. This matches the rest of the backing-file helpers and avoids an unnecessary allocation and failure path. Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Acked-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: expand MAINTAINERS with subsystem info, update mailing listMiklos Szeredi
- Bernd and Joanne are maintainers for fuse-uring - Amir is maintainer for passthrough - mailing list is now officially <fuse-devel@lists.linux.dev> - change status of fuse-core to be "Supported" Reviewed-by: Bernd Schubert <bernd@bsbernd.com> Reviewed-by: Joanne Koong <joannelkoong@gmail.com> Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: remove redundant buffer size checks for interrupt and forget requestsJoanne Koong
In fuse_dev_do_read(), there is already logic that ensures the buffer is a minimum of at least FUSE_MIN_READ_BUFFER (8k) bytes. This makes the buffer size checks for interrupt and forget requests redundant as sizeof(struct fuse_in_header) + sizeof(struct fuse_interrupt_in) and sizeof(struct fuse_in_header) + sizeof(struct fuse_forget_in) are both less than FUSE_MIN_READ_BUFFER. We can get rid of these checks. Signed-off-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: drop redundant check in fuse_sync_bucket_alloc()Li Wang
kzalloc_obj with __GFP_NOFAIL is documented to never return failure, and checking for NULL is redundant (__GFP_NOFAIL in gfp_types.h). Signed-off-by: Li Wang <liwang@kylinos.cn> Reviewed-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: reduce attributes invalidated on directory changeKonrad Sztyber
When the contents of a directory is modified, some of its attributes may also change, so they need to be invalidated. But this isn't the case for every attribute. For instance, unlinking or creating a file doesn't change the uid/gid of its parent directory. This can cause unnecessary FUSE_GETATTRs to be sent to user-space. For example, fuse_permission() checks if mode, uid, and gid are valid and will issue a FUSE_GETATTR if they're not, which results in an extra FUSE_GETATTR request for every FUSE_UNLINK when removing files in the same directory. Signed-off-by: Konrad Sztyber <ksztyber@nvidia.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: drop redundant err assignment in fuse_create_open()Li Wang
In fuse_create_open(), err is initialized to -ENOMEM immediately before the fuse_alloc_forget() NULL check. If forget allocation fails, it branches to out_err with that value. If it succeeds, it falls through without modifying err, so err is still -ENOMEM at the point where fuse_file_alloc() is called. The second err = -ENOMEM before fuse_file_alloc() therefore is redundant. Signed-off-by: Li Wang <liwang@kylinos.cn> Reviewed-by: Joanne Koong <joannelkoong@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: fuse_i.h: clean up kernel-doc commentsRandy Dunlap
Convert many comments to kernel-doc format to eliminate around 20 kernel-doc warnings like these: Warning: fs/fuse/fuse_i.h:374 This comment starts with '/**', but isn't a kernel-doc comment. Refer to Documentation/doc-guide/kernel-doc.rst * A Fuse connection. Warning: fs/fuse/fuse_i.h:817 This comment starts with '/**', but isn't a kernel-doc comment. Refer to Documentation/doc-guide/kernel-doc.rst * Get a filled in inode Warning: fs/fuse/fuse_i.h:859 This comment starts with '/**', but isn't a kernel-doc comment. Refer to Documentation/doc-guide/kernel-doc.rst * Send RELEASE or RELEASEDIR request and more like this. Also add struct member and function parameter descriptions to avoid these warnings: Warning: fs/fuse/fuse_i.h:1071 struct member 'epoch_work' not described in 'fuse_conn' Warning: fs/fuse/fuse_i.h:1071 struct member 'rcu' not described in 'fuse_conn' Warning: fs/fuse/fuse_i.h:1423 function parameter 'fc' not described in 'fuse_reverse_inval_inode' Warning: fs/fuse/fuse_i.h:1423 function parameter 'nodeid' not described in 'fuse_reverse_inval_inode' Warning: fs/fuse/fuse_i.h:1423 function parameter 'offset' not described in 'fuse_reverse_inval_inode' Warning: fs/fuse/fuse_i.h:1423 function parameter 'len' not described in 'fuse_reverse_inval_inode' Warning: fs/fuse/fuse_i.h:1436 function parameter 'fc' not described in 'fuse_reverse_inval_entry' Warning: fs/fuse/fuse_i.h:1436 function parameter 'parent_nodeid' not described in 'fuse_reverse_inval_entry' Warning: fs/fuse/fuse_i.h:1436 function parameter 'child_nodeid' not described in 'fuse_reverse_inval_entry' Warning: fs/fuse/fuse_i.h:1436 function parameter 'name' not described in 'fuse_reverse_inval_entry' Warning: fs/fuse/fuse_i.h:1436 function parameter 'flags' not described in 'fuse_reverse_inval_entry' Convert struct fuse_file, struct fuse_submount_lookup, struct fuse_inode, and struct fuse_conn to kernel-doc. Convert these to plain comments: Warning: fs/fuse/fuse_i.h:1423 expecting prototype for File(). Prototype was for fuse_reverse_inval_inode() instead Warning: fs/fuse/fuse_i.h:1436 expecting prototype for File(). Prototype was for fuse_reverse_inval_entry() instead Change some "/**" to "/*" since they are not kernel-doc comments. The changes above fix most kernel-doc warnings in this file but these warnings are not fixed and still remain: Warning: fs/fuse/fuse_i.h:1428 No description found for return value of 'fuse_fill_super_common' Warning: fs/fuse/fuse_i.h:1455 No description found for return value of 'fuse_ctl_add_conn' Binary build output is the same before and after these changes. Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: fuse_dev_i.h: clean up kernel-doc warningsRandy Dunlap
Change some "/**" to "/*" since they are not kernel-doc comments: Warning: fs/fuse/fuse_dev_i.h:25 This comment starts with '/**', but isn't a kernel-doc comment. Refer to Documentation/doc-guide/kernel-doc.rst * Request flags Warning: fs/fuse/fuse_dev_i.h:58 This comment starts with '/**', but isn't a kernel-doc comment. Refer to Documentation/doc-guide/kernel-doc.rst * A request to the client Warning: fs/fuse/fuse_dev_i.h:117 This comment starts with '/**', but isn't a kernel-doc comment. Refer to Documentation/doc-guide/kernel-doc.rst * Input queue callbacks Warning: fs/fuse/fuse_dev_i.h:289 This comment starts with '/**', but isn't a kernel-doc comment. Refer to Documentation/doc-guide/kernel-doc.rst * Fuse device instance and more like this. Convert enum fuse_req_flag to kernel-doc format. Convert struct fuse_req, struct fuse_iqueue_ops, and struct fuse_dev to kernel-doc format. These warnings remain: Warning: fs/fuse/fuse_dev_i.h:115 struct member 'ring_entry' not described in 'fuse_req' Warning: fs/fuse/fuse_dev_i.h:115 struct member 'ring_queue' not described in 'fuse_req' Binary build output is the same before and after these changes. Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse-uring: drop kernel-doc notation for a commentRandy Dunlap
Use regular C comment syntax for a non-kernel-doc comment to avoid a kernel-doc warning: Warning: fs/fuse/dev_uring_i.h:104 This comment starts with '/**', but isn't a kernel-doc comment. * Describes if uring is for communication and holds alls the data needed Binary build output is the same before and after this change. Signed-off-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: simplify fuse_dev_ioctl_clone()Miklos Szeredi
Don't need to check if the new device file is already initialized, since fuse_dev_install_with_pq() will do that anyway. Make fuse_dev_install_with_pq() return a boolean value indicating success so that fuse_dev_ioctl_clone() can return an error in case of failure. Move aborting the connection (setting fc->connected to zero) to fuse_dev_install(), because it is not needed when the clone ioctl fails. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: alloc pqueue before installing fch in fuse_devMiklos Szeredi
Prior to this patchset, fuse_dev (containing fuse_pqueue) was allocated on mount. But now fuse_dev is allocated when opening /dev/fuse, even though the queues are not needed at that time. Delay allocation of the pqueue (4k worth of list_head) just before mounting or cloning a device. Various distributions (e.g. Debian/Fedora) configure /dev/fuse as world writable, so the pqueue allocation should be deferred to a privileged operation (mount) to prevent unprivileged userspace from consuming pinned kernel memory. [Li Wang: fix kernel NULL pointer dereference in fuse_uring_add_to_pq()] [Fix race in fuse_dev_release()] Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: remove #include "fuse_i.h" from dev.c and dev_uring.cMiklos Szeredi
Move a couple of function declarations from fuse_i.h to dev.h and fuse_dev_i.h. Add fuse_conn_get_id() helper that retrieves the connection ID (s_dev) from fuse_conn. With the exception of cuse.c, virtio_fs.c and trace.c source files now either include fuse_i.h or fuse_dev_i/dev_uring_i.h but not both. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: change ring->fc to ring->chanMiklos Szeredi
Store pointer to struct fuse_chan instead of struct fuse_conn in fuse_ring. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: remove fuse_mutex protection from fuse_dev_ioctl_sync_init()Miklos Szeredi
In normal use ioctl(FUSE_DEV_IOC_SYNC_INIT) comes before the mount() or fsconfig() syscalls, they are executed strictly serially. If ioctl and mount are performed in parallel, the behavior is nondeterministic. Removing the mutex does not change this. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: set params in fuse_chan_set_initialized()Miklos Szeredi
Set minor, max_write and max_pages in the fuse_chan. These match the same fields in fuse_conn but are needed in both layers. [Dongyang Jin: Pointers should use NULL instead of explicit '0'] Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2026-06-15fuse: create notify.cMiklos Szeredi
Move FUSE_NOTIFY_* handling into a separate source file. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>