May 2022 - Linux-stable-mirror

[PATCH 5.4] floppy: use a statically allocated error counter

by Denis Efremov

From: Willy Tarreau <w(a)1wt.eu> commit f71f01394f742fc4558b3f9f4c7ef4c4cf3b07c8 upstream. Interrupt handler bad_flp_intr() may cause a UAF on the recently freed request just to increment the error count. There's no point keeping that one in the request anyway, and since the interrupt handler uses a static pointer to the error which cannot be kept in sync with the pending request, better make it use a static error counter that's reset for each new request. This reset now happens when entering redo_fd_request() for a new request via set_next_request(). One initial concern about a single error counter was that errors on one floppy drive could be reported on another one, but this problem is not real given that the driver uses a single drive at a time, as that PC-compatible controllers also have this limitation by using shared signals. As such the error count is always for the "current" drive. Reported-by: Minh Yuan <yuanmingbuaa(a)gmail.com> Suggested-by: Linus Torvalds <torvalds(a)linuxfoundation.org> Tested-by: Denis Efremov <efremov(a)linux.com> Signed-off-by: Willy Tarreau <w(a)1wt.eu> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Denis Efremov <efremov(a)linux.com> --- drivers/block/floppy.c | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index f24e3791e840..e133ff5fa596 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -521,8 +521,8 @@ static unsigned long fdc_busy; static DECLARE_WAIT_QUEUE_HEAD(fdc_wait); static DECLARE_WAIT_QUEUE_HEAD(command_done); -/* Errors during formatting are counted here. */ -static int format_errors; +/* errors encountered on the current (or last) request */ +static int floppy_errors; /* Format request descriptor. */ static struct format_descr format_req; @@ -542,7 +542,6 @@ static struct format_descr format_req; static char *floppy_track_buffer; static int max_buffer_sectors; -static int *errors; typedef void (*done_f)(int); static const struct cont_t { void (*interrupt)(void); @@ -1435,7 +1434,7 @@ static int interpret_errors(void) if (DP->flags & FTD_MSG) DPRINT("Over/Underrun - retrying\n"); bad = 0; - } else if (*errors >= DP->max_errors.reporting) { + } else if (floppy_errors >= DP->max_errors.reporting) { print_errors(); } if (ST2 & ST2_WC || ST2 & ST2_BC) @@ -2055,7 +2054,7 @@ static void bad_flp_intr(void) if (!next_valid_format()) return; } - err_count = ++(*errors); + err_count = ++floppy_errors; INFBOUND(DRWE->badness, err_count); if (err_count > DP->max_errors.abort) cont->done(0); @@ -2200,9 +2199,8 @@ static int do_format(int drive, struct format_descr *tmp_format_req) return -EINVAL; } format_req = *tmp_format_req; - format_errors = 0; cont = &format_cont; - errors = &format_errors; + floppy_errors = 0; ret = wait_til_done(redo_format, true); if (ret == -EINTR) return -EINTR; @@ -2677,7 +2675,7 @@ static int make_raw_rw_request(void) */ if (!direct || (indirect * 2 > direct * 3 && - *errors < DP->max_errors.read_track && + floppy_errors < DP->max_errors.read_track && ((!probing || (DP->read_track & (1 << DRS->probed_format)))))) { max_size = blk_rq_sectors(current_req); @@ -2801,10 +2799,11 @@ static int set_next_request(void) current_req = list_first_entry_or_null(&floppy_reqs, struct request, queuelist); if (current_req) { - current_req->error_count = 0; + floppy_errors = 0; list_del_init(&current_req->queuelist); + return 1; } - return current_req != NULL; + return 0; } static void redo_fd_request(void) @@ -2860,7 +2859,6 @@ static void redo_fd_request(void) _floppy = floppy_type + DP->autodetect[DRS->probed_format]; } else probing = 0; - errors = &(current_req->error_count); tmp = make_raw_rw_request(); if (tmp < 2) { request_done(tmp); -- 2.35.3

3 years, 1 month

1
0
0 0

[PATCH 5.10] floppy: use a statically allocated error counter

by Denis Efremov

From: Willy Tarreau <w(a)1wt.eu> commit f71f01394f742fc4558b3f9f4c7ef4c4cf3b07c8 upstream. Interrupt handler bad_flp_intr() may cause a UAF on the recently freed request just to increment the error count. There's no point keeping that one in the request anyway, and since the interrupt handler uses a static pointer to the error which cannot be kept in sync with the pending request, better make it use a static error counter that's reset for each new request. This reset now happens when entering redo_fd_request() for a new request via set_next_request(). One initial concern about a single error counter was that errors on one floppy drive could be reported on another one, but this problem is not real given that the driver uses a single drive at a time, as that PC-compatible controllers also have this limitation by using shared signals. As such the error count is always for the "current" drive. Reported-by: Minh Yuan <yuanmingbuaa(a)gmail.com> Suggested-by: Linus Torvalds <torvalds(a)linuxfoundation.org> Tested-by: Denis Efremov <efremov(a)linux.com> Signed-off-by: Willy Tarreau <w(a)1wt.eu> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Denis Efremov <efremov(a)linux.com> --- Handled *errors in make_raw_rw_request(). drivers/block/floppy.c | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c index c9411fe2f0af..4ef407a33996 100644 --- a/drivers/block/floppy.c +++ b/drivers/block/floppy.c @@ -509,8 +509,8 @@ static unsigned long fdc_busy; static DECLARE_WAIT_QUEUE_HEAD(fdc_wait); static DECLARE_WAIT_QUEUE_HEAD(command_done); -/* Errors during formatting are counted here. */ -static int format_errors; +/* errors encountered on the current (or last) request */ +static int floppy_errors; /* Format request descriptor. */ static struct format_descr format_req; @@ -530,7 +530,6 @@ static struct format_descr format_req; static char *floppy_track_buffer; static int max_buffer_sectors; -static int *errors; typedef void (*done_f)(int); static const struct cont_t { void (*interrupt)(void); @@ -1455,7 +1454,7 @@ static int interpret_errors(void) if (drive_params[current_drive].flags & FTD_MSG) DPRINT("Over/Underrun - retrying\n"); bad = 0; - } else if (*errors >= drive_params[current_drive].max_errors.reporting) { + } else if (floppy_errors >= drive_params[current_drive].max_errors.reporting) { print_errors(); } if (reply_buffer[ST2] & ST2_WC || reply_buffer[ST2] & ST2_BC) @@ -2095,7 +2094,7 @@ static void bad_flp_intr(void) if (!next_valid_format(current_drive)) return; } - err_count = ++(*errors); + err_count = ++floppy_errors; INFBOUND(write_errors[current_drive].badness, err_count); if (err_count > drive_params[current_drive].max_errors.abort) cont->done(0); @@ -2240,9 +2239,8 @@ static int do_format(int drive, struct format_descr *tmp_format_req) return -EINVAL; } format_req = *tmp_format_req; - format_errors = 0; cont = &format_cont; - errors = &format_errors; + floppy_errors = 0; ret = wait_til_done(redo_format, true); if (ret == -EINTR) return -EINTR; @@ -2721,7 +2719,7 @@ static int make_raw_rw_request(void) */ if (!direct || (indirect * 2 > direct * 3 && - *errors < drive_params[current_drive].max_errors.read_track && + floppy_errors < drive_params[current_drive].max_errors.read_track && ((!probing || (drive_params[current_drive].read_track & (1 << drive_state[current_drive].probed_format)))))) { max_size = blk_rq_sectors(current_req); @@ -2846,10 +2844,11 @@ static int set_next_request(void) current_req = list_first_entry_or_null(&floppy_reqs, struct request, queuelist); if (current_req) { - current_req->error_count = 0; + floppy_errors = 0; list_del_init(&current_req->queuelist); + return 1; } - return current_req != NULL; + return 0; } /* Starts or continues processing request. Will automatically unlock the @@ -2908,7 +2907,6 @@ static void redo_fd_request(void) _floppy = floppy_type + drive_params[current_drive].autodetect[drive_state[current_drive].probed_format]; } else probing = 0; - errors = &(current_req->error_count); tmp = make_raw_rw_request(); if (tmp < 2) { request_done(tmp); -- 2.35.3

3 years, 1 month

1
0
0 0

[PATCH 5.15 000/102] 5.15.41-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.15.41 release. There are 102 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 18 May 2022 19:36:02 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.41-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.15.41-rc1 Dan Vacura <w36195(a)motorola.com> usb: gadget: uvc: allow for application to cleanly shutdown Michael Tretter <m.tretter(a)pengutronix.de> usb: gadget: uvc: rename function to be more consistent Nicolas Dichtel <nicolas.dichtel(a)6wind.com> ping: fix address binding wrt vrf Trond Myklebust <trond.myklebust(a)hammerspace.com> SUNRPC: Ensure we flush any closed sockets before xs_xprt_free() Naoya Horiguchi <naoya.horiguchi(a)nec.com> mm/hwpoison: use pr_err() instead of dump_page() in get_any_page() Charan Teja Reddy <quic_charante(a)quicinc.com> dma-buf: call dma_buf_stats_setup after dmabuf is in valid list Alex Deucher <alexander.deucher(a)amd.com> Revert "drm/amd/pm: keep the BACO feature enabled for suspend" Zack Rusin <zackr(a)vmware.com> drm/vmwgfx: Initialize drm_mode_fb_cmd2 Trond Myklebust <trond.myklebust(a)hammerspace.com> SUNRPC: Ensure that the gssproxy client can start in a connected state Fabio Estevam <festevam(a)denx.de> net: phy: micrel: Pass .probe for KS8737 Fabio Estevam <festevam(a)denx.de> net: phy: micrel: Do not use kszphy_suspend/resume for KSZ8061 Mike Rapoport <rppt(a)kernel.org> arm[64]/memremap: don't abuse pfn_valid() to ensure presence of linear map Waiman Long <longman(a)redhat.com> cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp() Jing Xia <jing.xia(a)unisoc.com> writeback: Avoid skipping inode writeback Francesco Dolcini <francesco.dolcini(a)toradex.com> net: phy: Fix race condition on link status change Manuel Ullmann <labre(a)posteo.de> net: atlantic: always deep reset on pm op, fixing up my null deref regression Xiaomeng Tong <xiam0nd.tong(a)gmail.com> i40e: i40e_main: fix a missing check on list iterator Robin Murphy <robin.murphy(a)arm.com> drm/nouveau/tegra: Stop using iommu_present() Zack Rusin <zackr(a)vmware.com> drm/vmwgfx: Disable command buffers on svga3 without gbobjects Xu Yu <xuyu(a)linux.alibaba.com> mm/huge_memory: do not overkill when splitting huge_zero_page Xu Yu <xuyu(a)linux.alibaba.com> Revert "mm/memory-failure.c: skip huge_zero_page in memory_failure()" Jeff Layton <jlayton(a)kernel.org> ceph: fix setting of xattrs on async created inodes AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> serial: 8250_mtk: Fix register address for XON/XOFF character AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> serial: 8250_mtk: Fix UART_EFR register address Indan Zupancic <Indan.Zupancic(a)mep-info.com> fsl_lpuart: Don't enable interrupts too early Miaoqian Lin <linmq006(a)gmail.com> slimbus: qcom: Fix IRQ check in qcom_slim_probe Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> USB: serial: option: add Fibocom MA510 modem Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> USB: serial: option: add Fibocom L610 modem Ethan Yang <etyang(a)sierrawireless.com> USB: serial: qcserial: add support for Sierra Wireless EM7590 Scott Chen <scott(a)labau.com.tw> USB: serial: pl2303: add device id for HP LM930 Display ChiYuan Huang <cy_huang(a)richtek.com> usb: typec: tcpci_mt6360: Update for BMC PHY setting Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> usb: typec: tcpci: Don't skip cleanup in .remove() on error Sergey Ryazanov <ryazanov.s.a(a)gmail.com> usb: cdc-wdm: fix reading stuck on device close Daniel Starke <daniel.starke(a)siemens.com> tty: n_gsm: fix mux activation issues in gsm_config() Daniel Starke <daniel.starke(a)siemens.com> tty: n_gsm: fix buffer over-read in gsm_dlci_data() Yang Yingliang <yangyingliang(a)huawei.com> tty/serial: digicolor: fix possible null-ptr-deref in digicolor_uart_probe() Adrian-Ken Rueegsegger <ken(a)codelabs.ch> x86/mm: Fix marking of unused sub-pmd ranges Chunfeng Yun <chunfeng.yun(a)mediatek.com> usb: xhci-mtk: fix fs isoc's transfer error Alexander Graf <graf(a)amazon.com> KVM: PPC: Book3S PR: Enable MSR_DR for switch_mmu_context() Thiébaud Weksteen <tweek(a)google.com> firmware_loader: use kernel credentials when reading firmware Stephen Boyd <swboyd(a)chromium.org> interconnect: Restore sync state by ignoring ipa-virt in provider count Willy Tarreau <w(a)1wt.eu> tcp: drop the hash_32() part from the index calculation Willy Tarreau <w(a)1wt.eu> tcp: increase source port perturb table to 2^16 Willy Tarreau <w(a)1wt.eu> tcp: dynamically allocate the perturb table used by source ports Willy Tarreau <w(a)1wt.eu> tcp: add small random increments to the source port Eric Dumazet <edumazet(a)google.com> tcp: resalt the secret every 10 seconds Willy Tarreau <w(a)1wt.eu> tcp: use different parts of the port_offset for index and offset Willy Tarreau <w(a)1wt.eu> secure_seq: use the 64 bits of the siphash for port offset calculation Matthew Hagan <mnhagan88(a)gmail.com> net: sfp: Add tx-fault workaround for Huawei MA5671A SFP ONT Shravya Kumbham <shravya.kumbham(a)xilinx.com> net: emaclite: Don't advertise 1000BASE-T and do auto negotiation Ajit Kumar Pandey <AjitKumar.Pandey(a)amd.com> ASoC: SOF: Fix NULL pointer exception in sof_pci_probe callback Sven Schnelle <svens(a)linux.ibm.com> s390: disable -Warray-bounds Mark Brown <broonie(a)kernel.org> ASoC: ops: Validate input values in snd_soc_put_volsw_range() Mark Brown <broonie(a)kernel.org> ASoC: max98090: Generate notifications on changes for custom control Mark Brown <broonie(a)kernel.org> ASoC: max98090: Reject invalid values in custom control put() Ashish Mhetre <amhetre(a)nvidia.com> iommu: arm-smmu: disable large page mappings for Nvidia arm-smmu Duoming Zhou <duoming(a)zju.edu.cn> RDMA/irdma: Fix deadlock in irdma_cleanup_cm_core() Ji-Ze Hong (Peter Hong) <hpeter(a)gmail.com> hwmon: (f71882fg) Fix negative temperature Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Fix filesystem block deallocation for short writes Zack Rusin <zackr(a)vmware.com> drm/vmwgfx: Fix fencing on SVGAv3 Maxim Mikityanskiy <maximmi(a)nvidia.com> tls: Fix context leak on tls_device_down Taehee Yoo <ap420073(a)gmail.com> net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe() Guangguan Wang <guangguan.wang(a)linux.alibaba.com> net/smc: non blocking recvmsg() return -EAGAIN when no data and signal_pending Florian Fainelli <f.fainelli(a)gmail.com> net: dsa: bcm_sf2: Fix Wake-on-LAN with mac_link_down() Hui Tang <tanghui20(a)huawei.com> drm/vc4: hdmi: Fix build error for implicit function declaration Florian Fainelli <f.fainelli(a)gmail.com> net: bcmgenet: Check for Wake-on-LAN interrupt probe deferral Yang Yingliang <yangyingliang(a)huawei.com> net: ethernet: mediatek: ppe: fix wrong size passed to memset() Paolo Abeni <pabeni(a)redhat.com> net/sched: act_pedit: really ensure the skb is writable Alexandra Winter <wintera(a)linux.ibm.com> s390/lcs: fix variable dereferenced before check Alexandra Winter <wintera(a)linux.ibm.com> s390/ctcm: fix potential memory leak Alexandra Winter <wintera(a)linux.ibm.com> s390/ctcm: fix variable dereferenced before check Shunsuke Mie <mie(a)igel.co.jp> virtio: fix virtio transitional ids Joey Gouly <joey.gouly(a)arm.com> arm64: vdso: fix makefile dependency on vdso.so Joel Savitz <jsavitz(a)redhat.com> selftests: vm: Makefile: rename TARGETS to VMTARGETS Kalesh Singh <kaleshsingh(a)google.com> procfs: prevent unprivileged processes accessing fdinfo dir Randy Dunlap <rdunlap(a)infradead.org> hwmon: (ltq-cputemp) restrict it to SOC_XWAY Jesse Brandeburg <jesse.brandeburg(a)intel.com> dim: initialize all struct fields Yang Yingliang <yangyingliang(a)huawei.com> ionic: fix missing pci_release_regions() on error in ionic_probe() Dan Aloni <dan.aloni(a)vastdata.com> nfs: fix broken handling of the softreval mount option Johannes Berg <johannes.berg(a)intel.com> mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection Taehee Yoo <ap420073(a)gmail.com> net: sfc: fix memory leak due to ptp channel Jiapeng Chong <jiapeng.chong(a)linux.alibaba.com> sfc: Use swap() instead of open coding it Javier Martinez Canillas <javierm(a)redhat.com> fbdev: efifb: Fix a use-after-free due early fb_info cleanup Kees Cook <keescook(a)chromium.org> net: chelsio: cxgb4: Avoid potential negative array offset Eric Dumazet <edumazet(a)google.com> netlink: do not reset transport header in netlink_recvmsg() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> drm/nouveau: Fix a potential theorical leak in nouveau_get_backlight_name() Lokesh Dhoundiyal <lokesh.dhoundiyal(a)alliedtelesis.co.nz> ipv4: drop dst in multicast routing path Michal Michalik <michal.michalik(a)intel.com> ice: fix PTP stale Tx timestamps cleanup Ivan Vecera <ivecera(a)redhat.com> ice: Fix race during aux device (un)plugging Maximilian Luz <luzmaximilian(a)gmail.com> platform/surface: aggregator: Fix initialization order when compiling as builtin module Javier Martinez Canillas <javierm(a)redhat.com> fbdev: vesafb: Cleanup fb_info in .fb_destroy rather than .remove Javier Martinez Canillas <javierm(a)redhat.com> fbdev: efifb: Cleanup fb_info in .fb_destroy rather than .remove Javier Martinez Canillas <javierm(a)redhat.com> fbdev: simplefb: Cleanup fb_info in .fb_destroy rather than .remove Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: avoid corrupting hardware counters when moving VCAP filters Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: restrict tc-trap actions to VCAP IS2 lookup 0 Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: fix VCAP IS2 filters matching on both lookups Vladimir Oltean <vladimir.oltean(a)nxp.com> net: mscc: ocelot: fix last VCAP IS1/IS2 filter persisting in hardware when deleted Tariq Toukan <tariqt(a)nvidia.com> net: Fix features skip in for_each_netdev_feature() Manikanta Pubbisetty <quic_mpubbise(a)quicinc.com> mac80211: Reset MBSSID parameters upon connection Camel Guo <camel.guo(a)axis.com> hwmon: (tmp401) Add OF device ID table Guenter Roeck <linux(a)roeck-us.net> iwlwifi: iwl-dbg: Use del_timer_sync() before freeing Sven Eckelmann <sven(a)narfation.org> batman-adv: Don't skb_split skbuffs with frag_list ------------- Diffstat: Makefile | 4 +- arch/arm/include/asm/io.h | 3 ++ arch/arm/mm/ioremap.c | 8 ++++ arch/arm64/include/asm/io.h | 4 ++ arch/arm64/kernel/Makefile | 4 ++ arch/arm64/kernel/vdso/Makefile | 3 -- arch/arm64/kernel/vdso32/Makefile | 3 -- arch/arm64/mm/ioremap.c | 8 ++++ arch/powerpc/kvm/book3s_32_sr.S | 26 ++++++++++--- arch/s390/Makefile | 10 +++++ arch/x86/mm/init_64.c | 5 ++- drivers/base/firmware_loader/main.c | 17 +++++++++ drivers/dma-buf/dma-buf.c | 8 ++-- drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 8 +--- drivers/gpu/drm/nouveau/nouveau_backlight.c | 9 +++-- drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c | 2 +- drivers/gpu/drm/vc4/vc4_hdmi.c | 1 + drivers/gpu/drm/vmwgfx/vmwgfx_cmd.c | 13 ++++--- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 8 ++++ drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 28 ++++++++++---- drivers/gpu/drm/vmwgfx/vmwgfx_irq.c | 26 +++++++++---- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 8 ++-- drivers/hwmon/Kconfig | 2 +- drivers/hwmon/f71882fg.c | 5 ++- drivers/hwmon/tmp401.c | 11 ++++++ drivers/infiniband/hw/irdma/cm.c | 7 +--- drivers/interconnect/core.c | 8 +++- drivers/iommu/arm/arm-smmu/arm-smmu-nvidia.c | 30 +++++++++++++++ drivers/net/dsa/bcm_sf2.c | 3 ++ .../net/ethernet/aquantia/atlantic/aq_pci_func.c | 4 +- drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 ++ drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 10 ++--- drivers/net/ethernet/intel/i40e/i40e_main.c | 27 ++++++------- drivers/net/ethernet/intel/ice/ice.h | 1 + drivers/net/ethernet/intel/ice/ice_idc.c | 25 ++++++++---- drivers/net/ethernet/intel/ice/ice_main.c | 2 + drivers/net/ethernet/intel/ice/ice_ptp.c | 10 ++++- drivers/net/ethernet/mediatek/mtk_ppe.c | 2 +- drivers/net/ethernet/mscc/ocelot_flower.c | 5 ++- drivers/net/ethernet/mscc/ocelot_vcap.c | 9 ++++- .../net/ethernet/pensando/ionic/ionic_bus_pci.c | 3 +- drivers/net/ethernet/sfc/ef10.c | 5 +++ drivers/net/ethernet/sfc/efx_channels.c | 21 +++++------ drivers/net/ethernet/sfc/ptp.c | 14 ++++++- drivers/net/ethernet/sfc/ptp.h | 1 + drivers/net/ethernet/xilinx/xilinx_emaclite.c | 15 -------- drivers/net/phy/micrel.c | 5 ++- drivers/net/phy/phy.c | 7 +++- drivers/net/phy/sfp.c | 12 +++++- drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c | 2 +- drivers/net/wireless/mac80211_hwsim.c | 3 ++ drivers/platform/surface/aggregator/core.c | 2 +- drivers/s390/net/ctcm_mpc.c | 6 +-- drivers/s390/net/ctcm_sysfs.c | 5 ++- drivers/s390/net/lcs.c | 7 ++-- drivers/slimbus/qcom-ctrl.c | 4 +- drivers/tty/n_gsm.c | 13 +++++-- drivers/tty/serial/8250/8250_mtk.c | 22 ++++++----- drivers/tty/serial/digicolor-usart.c | 5 +-- drivers/tty/serial/fsl_lpuart.c | 18 ++++----- drivers/usb/class/cdc-wdm.c | 1 + drivers/usb/gadget/function/f_uvc.c | 32 ++++++++++++++-- drivers/usb/gadget/function/uvc.h | 2 + drivers/usb/gadget/function/uvc_v4l2.c | 3 +- drivers/usb/host/xhci-mtk-sch.c | 16 ++++---- drivers/usb/serial/option.c | 4 ++ drivers/usb/serial/pl2303.c | 1 + drivers/usb/serial/pl2303.h | 1 + drivers/usb/serial/qcserial.c | 2 + drivers/usb/typec/tcpm/tcpci.c | 2 +- drivers/usb/typec/tcpm/tcpci_mt6360.c | 26 +++++++++++++ drivers/video/fbdev/efifb.c | 9 ++++- drivers/video/fbdev/simplefb.c | 8 +++- drivers/video/fbdev/vesafb.c | 8 +++- fs/ceph/file.c | 16 ++++++-- fs/file_table.c | 1 + fs/fs-writeback.c | 4 ++ fs/gfs2/bmap.c | 11 +++--- fs/nfs/fs_context.c | 2 +- fs/proc/fd.c | 23 ++++++++++- include/linux/netdev_features.h | 4 +- include/linux/sunrpc/clnt.h | 1 + include/net/inet_hashtables.h | 2 +- include/net/secure_seq.h | 4 +- include/net/tc_act/tc_pedit.h | 1 + include/trace/events/sunrpc.h | 1 - include/uapi/linux/virtio_ids.h | 14 +++---- kernel/cgroup/cpuset.c | 7 +++- lib/dim/net_dim.c | 44 +++++++++++----------- mm/huge_memory.c | 7 +++- mm/memory-failure.c | 15 +------- net/batman-adv/fragmentation.c | 11 ++++++ net/core/secure_seq.c | 16 +++++--- net/ipv4/inet_hashtables.c | 42 +++++++++++++-------- net/ipv4/ping.c | 15 +++++++- net/ipv4/route.c | 1 + net/ipv6/inet6_hashtables.c | 4 +- net/mac80211/mlme.c | 6 +++ net/netlink/af_netlink.c | 1 - net/sched/act_pedit.c | 26 +++++++++++-- net/smc/smc_rx.c | 4 +- net/sunrpc/auth_gss/gss_rpc_upcall.c | 1 + net/sunrpc/clnt.c | 33 ++++++++++++++++ net/sunrpc/xprt.c | 7 +--- net/sunrpc/xprtsock.c | 16 ++++++-- net/tls/tls_device.c | 3 ++ sound/soc/codecs/max98090.c | 5 ++- sound/soc/soc-ops.c | 18 ++++++++- sound/soc/sof/sof-pci-dev.c | 5 +++ tools/testing/selftests/vm/Makefile | 10 ++--- 111 files changed, 742 insertions(+), 297 deletions(-)

3 years, 1 month

9
110
0 0

[PATCH 5.4 00/43] 5.4.195-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.195 release. There are 43 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 18 May 2022 19:36:02 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.195-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.195-rc1 Yang Yingliang <yangyingliang(a)huawei.com> tty/serial: digicolor: fix possible null-ptr-deref in digicolor_uart_probe() Nicolas Dichtel <nicolas.dichtel(a)6wind.com> ping: fix address binding wrt vrf Mike Rapoport <rppt(a)linux.ibm.com> arm[64]/memremap: don't abuse pfn_valid() to ensure presence of linear map Francesco Dolcini <francesco.dolcini(a)toradex.com> net: phy: Fix race condition on link status change Sudip Mukherjee <sudipm.mukherjee(a)gmail.com> MIPS: fix build with gcc-12 Zack Rusin <zackr(a)vmware.com> drm/vmwgfx: Initialize drm_mode_fb_cmd2 Waiman Long <longman(a)redhat.com> cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp() Xiaomeng Tong <xiam0nd.tong(a)gmail.com> i40e: i40e_main: fix a missing check on list iterator Robin Murphy <robin.murphy(a)arm.com> drm/nouveau/tegra: Stop using iommu_present() AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> serial: 8250_mtk: Fix register address for XON/XOFF character AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> serial: 8250_mtk: Fix UART_EFR register address Miaoqian Lin <linmq006(a)gmail.com> slimbus: qcom: Fix IRQ check in qcom_slim_probe Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> USB: serial: option: add Fibocom MA510 modem Sven Schwermer <sven.schwermer(a)disruptive-technologies.com> USB: serial: option: add Fibocom L610 modem Ethan Yang <etyang(a)sierrawireless.com> USB: serial: qcserial: add support for Sierra Wireless EM7590 Scott Chen <scott(a)labau.com.tw> USB: serial: pl2303: add device id for HP LM930 Display Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> usb: typec: tcpci: Don't skip cleanup in .remove() on error Sergey Ryazanov <ryazanov.s.a(a)gmail.com> usb: cdc-wdm: fix reading stuck on device close Daniel Starke <daniel.starke(a)siemens.com> tty: n_gsm: fix mux activation issues in gsm_config() Eric Dumazet <edumazet(a)google.com> tcp: resalt the secret every 10 seconds Shravya Kumbham <shravya.kumbham(a)xilinx.com> net: emaclite: Don't advertise 1000BASE-T and do auto negotiation Sven Schnelle <svens(a)linux.ibm.com> s390: disable -Warray-bounds Mark Brown <broonie(a)kernel.org> ASoC: ops: Validate input values in snd_soc_put_volsw_range() Mark Brown <broonie(a)kernel.org> ASoC: max98090: Generate notifications on changes for custom control Mark Brown <broonie(a)kernel.org> ASoC: max98090: Reject invalid values in custom control put() Ji-Ze Hong (Peter Hong) <hpeter(a)gmail.com> hwmon: (f71882fg) Fix negative temperature Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: Fix filesystem block deallocation for short writes Taehee Yoo <ap420073(a)gmail.com> net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe() Guangguan Wang <guangguan.wang(a)linux.alibaba.com> net/smc: non blocking recvmsg() return -EAGAIN when no data and signal_pending Paolo Abeni <pabeni(a)redhat.com> net/sched: act_pedit: really ensure the skb is writable Alexandra Winter <wintera(a)linux.ibm.com> s390/lcs: fix variable dereferenced before check Alexandra Winter <wintera(a)linux.ibm.com> s390/ctcm: fix potential memory leak Alexandra Winter <wintera(a)linux.ibm.com> s390/ctcm: fix variable dereferenced before check Randy Dunlap <rdunlap(a)infradead.org> hwmon: (ltq-cputemp) restrict it to SOC_XWAY Jesse Brandeburg <jesse.brandeburg(a)intel.com> dim: initialize all struct fields Johannes Berg <johannes.berg(a)intel.com> mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection Eric Dumazet <edumazet(a)google.com> netlink: do not reset transport header in netlink_recvmsg() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> drm/nouveau: Fix a potential theorical leak in nouveau_get_backlight_name() Lokesh Dhoundiyal <lokesh.dhoundiyal(a)alliedtelesis.co.nz> ipv4: drop dst in multicast routing path Tariq Toukan <tariqt(a)nvidia.com> net: Fix features skip in for_each_netdev_feature() Manikanta Pubbisetty <quic_mpubbise(a)quicinc.com> mac80211: Reset MBSSID parameters upon connection Camel Guo <camel.guo(a)axis.com> hwmon: (tmp401) Add OF device ID table Sven Eckelmann <sven(a)narfation.org> batman-adv: Don't skb_split skbuffs with frag_list ------------- Diffstat: Makefile | 4 +- arch/arm/include/asm/io.h | 3 ++ arch/arm/mm/ioremap.c | 8 ++++ arch/arm64/include/asm/io.h | 4 ++ arch/arm64/mm/ioremap.c | 9 +++++ arch/mips/jz4740/setup.c | 2 +- arch/s390/Makefile | 10 +++++ drivers/gpu/drm/nouveau/nouveau_backlight.c | 9 +++-- drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 2 +- drivers/hwmon/Kconfig | 2 +- drivers/hwmon/f71882fg.c | 5 ++- drivers/hwmon/tmp401.c | 11 ++++++ drivers/net/ethernet/intel/i40e/i40e_main.c | 27 ++++++------- drivers/net/ethernet/sfc/ef10.c | 5 +++ drivers/net/ethernet/xilinx/xilinx_emaclite.c | 15 -------- drivers/net/phy/phy.c | 45 +++++++++++++++++++--- drivers/net/wireless/mac80211_hwsim.c | 3 ++ drivers/s390/net/ctcm_mpc.c | 6 +-- drivers/s390/net/ctcm_sysfs.c | 5 ++- drivers/s390/net/lcs.c | 7 ++-- drivers/slimbus/qcom-ctrl.c | 4 +- drivers/tty/n_gsm.c | 12 ++++-- drivers/tty/serial/8250/8250_mtk.c | 22 ++++++----- drivers/tty/serial/digicolor-usart.c | 2 +- drivers/usb/class/cdc-wdm.c | 1 + drivers/usb/serial/option.c | 4 ++ drivers/usb/serial/pl2303.c | 1 + drivers/usb/serial/pl2303.h | 1 + drivers/usb/serial/qcserial.c | 2 + drivers/usb/typec/tcpm/tcpci.c | 2 +- fs/gfs2/bmap.c | 11 +++--- include/linux/netdev_features.h | 4 +- include/net/tc_act/tc_pedit.h | 1 + kernel/cgroup/cpuset.c | 7 +++- lib/dim/net_dim.c | 44 ++++++++++----------- net/batman-adv/fragmentation.c | 11 ++++++ net/core/secure_seq.c | 12 ++++-- net/ipv4/ping.c | 12 +++++- net/ipv4/route.c | 1 + net/mac80211/mlme.c | 6 +++ net/netlink/af_netlink.c | 1 - net/sched/act_pedit.c | 26 +++++++++++-- net/smc/smc_rx.c | 4 +- sound/soc/codecs/max98090.c | 5 ++- sound/soc/soc-ops.c | 18 ++++++++- 46 files changed, 281 insertions(+), 117 deletions(-)

3 years, 1 month

8
50
0 0

[PATCH stable 4.9 0/3] MMC timeout back ports

by Florian Fainelli

These 3 commits from upstream allow us to have more fine grained control over the MMC command timeouts and this solves the following timeouts that we have seen on our systems across suspend/resume cycles: [ 14.907496] usb usb2: root hub lost power or was reset [ 15.216232] usb 1-1: reset high-speed USB device number 2 using xhci-hcd [ 15.485812] bcmgenet 8f00000.ethernet eth0: Link is Down [ 15.525328] mmc1: error -110 doing runtime resume [ 15.531864] OOM killer enabled. Thanks! Ulf Hansson (3): mmc: core: Specify timeouts for BKOPS and CACHE_FLUSH for eMMC mmc: block: Use generic_cmd6_time when modifying INAND_CMD38_ARG_EXT_CSD mmc: core: Default to generic_cmd6_time as timeout in __mmc_switch() drivers/mmc/card/block.c | 6 +++--- drivers/mmc/core/core.c | 5 ++++- drivers/mmc/core/mmc_ops.c | 9 +++++---- 3 files changed, 12 insertions(+), 8 deletions(-) -- 2.25.1

3 years, 1 month

1
3
0 0

[PATCH stable 4.14 0/3] MMC timeout back ports

by Florian Fainelli

These 3 commits from upstream allow us to have more fine grained control over the MMC command timeouts and this solves the following timeouts that we have seen on our systems across suspend/resume cycles: [ 14.907496] usb usb2: root hub lost power or was reset [ 15.216232] usb 1-1: reset high-speed USB device number 2 using xhci-hcd [ 15.485812] bcmgenet 8f00000.ethernet eth0: Link is Down [ 15.525328] mmc1: error -110 doing runtime resume [ 15.531864] OOM killer enabled. Thanks! Ulf Hansson (3): mmc: core: Specify timeouts for BKOPS and CACHE_FLUSH for eMMC mmc: block: Use generic_cmd6_time when modifying INAND_CMD38_ARG_EXT_CSD mmc: core: Default to generic_cmd6_time as timeout in __mmc_switch() drivers/mmc/core/block.c | 6 +++--- drivers/mmc/core/mmc_ops.c | 27 ++++++++++++++------------- 2 files changed, 17 insertions(+), 16 deletions(-) -- 2.25.1

3 years, 1 month

1
3
0 0

[PATCH V3 0/5] SGX shmem backing store issue

by Reinette Chatre

V2: https://lore.kernel.org/linux-sgx/cover.1652131695.git.reinette.chatre@inte… Changes since V2: - Expand audience of series to include stable team, x86 maintainers, and lkml. - Mark pages as dirty after receiving important data, not before. (Dave) - Improve changelogs. - Add Haitao and Jarkko's tags. - Fix incorrect exit if address does not have enclave page associated. (Dave) - See individual patches for detailed changes. First version of series was submitted with incomplete fixes as RFC V1: https://lore.kernel.org/linux-sgx/cover.1651171455.git.reinette.chatre@inte… Changes since RFC V1: - Remaining issue was root-caused with debugging help from Dave. Patch 4/5 is new and eliminates all occurences of the ENCLS[ELDU] related WARN. - Drop "x86/sgx: Do not free backing memory on ENCLS[ELDU] failure" from series. ENCLS[ELDU] failure is not recoverable so it serves no purpose to keep the backing memory that could not be restored to the enclave. - Patch 1/5 is new and refactors sgx_encl_put_backing() to only put references to pages and not also mark the pages as dirty. (Dave) - Mark PCMD page dirty before (not after) writing data to it. (Dave) - Patch 5/5 is new and adds debug code to WARN if PCMD page is ever found to contain data after it is truncated. (Dave) == Cover Letter == Hi Everybody, Haitao reported encountering the following WARN while stress testing SGX with the SGX2 series [1] applied: ELDU returned 1073741837 (0x4000000d) WARNING: CPU: 72 PID: 24407 at arch/x86/kernel/cpu/sgx/encl.c:81 sgx_encl_eldu+0x3cf/0x400 ... Call Trace: <TASK> ? xa_load+0x6e/0xa0 __sgx_encl_load_page+0x3d/0x80 sgx_encl_load_page_in_vma+0x4a/0x60 sgx_vma_fault+0x7f/0x3b0 ? sysvec_call_function_single+0x66/0xd0 ? asm_sysvec_call_function_single+0x12/0x20 __do_fault+0x39/0x110 __handle_mm_fault+0x1222/0x15a0 handle_mm_fault+0xdb/0x2c0 do_user_addr_fault+0x1d1/0x650 ? exit_to_user_mode_prepare+0x45/0x170 exc_page_fault+0x76/0x170 ? asm_exc_page_fault+0x8/0x30 asm_exc_page_fault+0x1e/0x30 ... </TASK> ENCLS[ELDU] is returning a #GP when attempting to load an enclave page from the backing store into the enclave. Haitao's stress testing involves running two concurrent loops of the SGX2 selftests on a system with 4GB EPC memory. One of the tests is modified to reduce the oversubscription heap size: diff --git a/tools/testing/selftests/sgx/main.c b/tools/testing/selftests/sgx/main.c index d480c2dd2858..12008789325b 100644 --- a/tools/testing/selftests/sgx/main.c +++ b/tools/testing/selftests/sgx/main.c @@ -398,7 +398,7 @@ TEST_F_TIMEOUT(enclave, unclobbered_vdso_oversubscribed_remove, 900) * Create enclave with additional heap that is as big as all * available physical SGX memory. */ - total_mem = get_total_epc_mem(); + total_mem = get_total_epc_mem()/16; ASSERT_NE(total_mem, 0); TH_LOG("Creating an enclave with %lu bytes heap may take a while ...", total_mem); If the the test compiled with above snippet is renamed as "test_sgx_small" and the original renamed as "test_sgx_large" the two concurrent loops are run as follows: (for i in $(seq 1 999); do echo "Iteration $i"; sudo ./test_sgx_large; done ) > log.large 2>&1 (for i in $(seq 1 9999); do echo "Iteration $i"; sudo ./test_sgx_small; done ) > log.small 2>&1 If the SGX driver is modified to always WARN when ENCLS[ELDU] encounters a #GP (see below) then the WARN appears after a few iterations of "test_sgx_large" and shows up throughout the testing. diff --git a/arch/x86/kernel/cpu/sgx/encls.h b/arch/x86/kernel/cpu/sgx/encls.h index 99004b02e2ed..68c1dbc84ed3 100644 --- a/arch/x86/kernel/cpu/sgx/encls.h +++ b/arch/x86/kernel/cpu/sgx/encls.h @@ -18,7 +18,7 @@ #define ENCLS_WARN(r, name) { \ do { \ int _r = (r); \ - WARN_ONCE(_r, "%s returned %d (0x%x)\n", (name), _r, _r); \ + WARN(_r, "%s returned %d (0x%x)\n", (name), _r, _r); \ } while (0); \ } I learned the following during investigation of the issue: * Reverting commit 08999b2489b4 ("x86/sgx: Free backing memory after faulting the enclave page") resolves the issue. With that commit reverted the concurrent selftest loops can run to completion without encountering any WARNs. * The issue is also resolved if only the calls (introduced by commit 08999b2489b4 ("x86/sgx: Free backing memory after faulting the enclave page") ) to sgx_encl_truncate_backing_page() within __sgx_encl_eldu() are disabled. * ENCLS[ELDU] faults with #GP when the provided PCMD data is all zeroes. It does so because of a check that is not documented in the SDM. In this check a page type of zero indicates an SECS page is being loaded into the enclave, but since the SECS data is not empty the instruction faults with #GP. The fixes in this series address scenarios where the PCMD data in the backing store may not be correct. While the SGX2 tests uncovered these issues, the fixes are not related to SGX2 and apply on top of v5.18-rc6. There are no occurences of the WARN when the stress testing is performed with this series applied. Thank you very much Reinette [1] https://lore.kernel.org/lkml/cover.1649878359.git.reinette.chatre@intel.com/ Reinette Chatre (5): x86/sgx: Disconnect backing page references from dirty status x86/sgx: Mark PCMD page as dirty when modifying contents x86/sgx: Obtain backing storage page with enclave mutex held x86/sgx: Fix race between reclaimer and page fault handler x86/sgx: Ensure no data in PCMD page after truncate arch/x86/kernel/cpu/sgx/encl.c | 113 ++++++++++++++++++++++++++++++--- arch/x86/kernel/cpu/sgx/encl.h | 2 +- arch/x86/kernel/cpu/sgx/main.c | 13 ++-- 3 files changed, 114 insertions(+), 14 deletions(-) base-commit: c5eb0a61238dd6faf37f58c9ce61c9980aaffd7a -- 2.25.1

3 years, 1 month

3
13
0 0

[PATCH] USB: serial: pl2303: fix type detection for odd device

by Johan Hovold

At least one pl2303 device has a bcdUSB of 1.0.1 which most likely was was intended as 1.1. Allow bcdDevice 1.0.1 but interpret it as 1.1. Fixes: 1e9faef4d26d ("USB: serial: pl2303: fix HX type detection") Cc: stable(a)vger.kernel.org # 5.13 Signed-off-by: Johan Hovold <johan(a)kernel.org> --- Bus 001 Device 004: ID 067b:2303 Prolific Technology, Inc. PL2303 Serial Port Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.01 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x067b Prolific Technology, Inc. idProduct 0x2303 PL2303 Serial Port bcdDevice 3.00 iManufacturer 1 Prolific Technology Inc. iProduct 2 USB-Serial Controller iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0027 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 0 bmAttributes 0xa0 (Bus Powered) Remote Wakeup MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 3 bInterfaceClass 255 Vendor Specific Class bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 1 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0020 1x 32 bytes bInterval 0 Device Status: 0x0000 (Bus Powered) drivers/usb/serial/pl2303.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c index 1d878d05a658..3506c47e1eef 100644 --- a/drivers/usb/serial/pl2303.c +++ b/drivers/usb/serial/pl2303.c @@ -421,6 +421,9 @@ static int pl2303_detect_type(struct usb_serial *serial) bcdUSB = le16_to_cpu(desc->bcdUSB); switch (bcdUSB) { + case 0x101: + /* USB 1.0.1? Let's assume they meant 1.1... */ + fallthrough; case 0x110: switch (bcdDevice) { case 0x300: -- 2.35.1

3 years, 1 month

1
0
0 0

[PATCH v3] crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak

by John Allen

For some sev ioctl interfaces, input may be passed that is less than or equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data that PSP firmware returns. In this case, kmalloc will allocate memory that is the size of the input rather than the size of the data. Since PSP firmware doesn't fully overwrite the buffer, the sev ioctl interfaces with the issue may return uninitialized slab memory. Currently, all of the ioctl interfaces in the ccp driver are safe, but to prevent future problems, change all ioctl interfaces that allocate memory with kmalloc to use kzalloc and memset the data buffer to zero in sev_ioctl_do_platform_status. Fixes: e799035609e15 ("crypto: ccp: Implement SEV_PEK_CSR ioctl command") Fixes: 76a2b524a4b1d ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command") Fixes: d6112ea0cb344 ("crypto: ccp - introduce SEV_GET_ID2 command") Cc: stable(a)vger.kernel.org Reported-by: Andy Nguyen <theflow(a)google.com> Suggested-by: David Rientjes <rientjes(a)google.com> Suggested-by: Peter Gonda <pgonda(a)google.com> Signed-off-by: John Allen <john.allen(a)amd.com> --- v2: - Add fixes tags and CC stable(a)vger.kernel.org v3: - memset data buffer to zero in sev_ioctl_do_platform_status --- drivers/crypto/ccp/sev-dev.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c index 6ab93dfd478a..da143cc3a8f5 100644 --- a/drivers/crypto/ccp/sev-dev.c +++ b/drivers/crypto/ccp/sev-dev.c @@ -551,6 +551,8 @@ static int sev_ioctl_do_platform_status(struct sev_issue_cmd *argp) struct sev_user_data_status data; int ret; + memset(&data, 0, sizeof(data)); + ret = __sev_do_cmd_locked(SEV_CMD_PLATFORM_STATUS, &data, &argp->error); if (ret) return ret; @@ -604,7 +606,7 @@ static int sev_ioctl_do_pek_csr(struct sev_issue_cmd *argp, bool writable) if (input.length > SEV_FW_BLOB_MAX_SIZE) return -EFAULT; - blob = kmalloc(input.length, GFP_KERNEL); + blob = kzalloc(input.length, GFP_KERNEL); if (!blob) return -ENOMEM; @@ -828,7 +830,7 @@ static int sev_ioctl_do_get_id2(struct sev_issue_cmd *argp) input_address = (void __user *)input.address; if (input.address && input.length) { - id_blob = kmalloc(input.length, GFP_KERNEL); + id_blob = kzalloc(input.length, GFP_KERNEL); if (!id_blob) return -ENOMEM; @@ -947,14 +949,14 @@ static int sev_ioctl_do_pdh_export(struct sev_issue_cmd *argp, bool writable) if (input.cert_chain_len > SEV_FW_BLOB_MAX_SIZE) return -EFAULT; - pdh_blob = kmalloc(input.pdh_cert_len, GFP_KERNEL); + pdh_blob = kzalloc(input.pdh_cert_len, GFP_KERNEL); if (!pdh_blob) return -ENOMEM; data.pdh_cert_address = __psp_pa(pdh_blob); data.pdh_cert_len = input.pdh_cert_len; - cert_blob = kmalloc(input.cert_chain_len, GFP_KERNEL); + cert_blob = kzalloc(input.cert_chain_len, GFP_KERNEL); if (!cert_blob) { ret = -ENOMEM; goto e_free_pdh; -- 2.34.1

3 years, 1 month

2
2
0 0

[PATCH 1/1] staging: fix a potential infinite loop

by Yuanjun Gong

From: Gong Yuanjun <ruc_gongyuanjun(a)163.com> In the for-loop in _rtl92e_update_rxcounts(), i is a u8 counter while priv->rtllib->LinkDetectInfo.SlotNum is a u16 num, there is a potential infinite loop if SlotNum is larger than u8_max. Change the u8 loop counter i into u16. Signed-off-by: Gong Yuanjun <ruc_gongyuanjun(a)163.com> --- drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c index b9ce71848023..3c5082abc583 100644 --- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c +++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c @@ -1342,7 +1342,7 @@ static void _rtl92e_update_rxcounts(struct r8192_priv *priv, u32 *TotalRxBcnNum, u32 *TotalRxDataNum) { u16 SlotIndex; - u8 i; + u16 i; *TotalRxBcnNum = 0; *TotalRxDataNum = 0; -- 2.17.1

3 years, 1 month

2
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2022