November 2024 - Linux-stable-mirror

[PATCH 6.1] ipvs: properly dereference pe in ip_vs_add_service

by Bin Lan

From: Chen Hanxiao <chenhx.fnst(a)fujitsu.com> [ Upstream commit cbd070a4ae62f119058973f6d2c984e325bce6e7 ] Use pe directly to resolve sparse warning: net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression Fixes: 39b972231536 ("ipvs: handle connections started by real-servers") Signed-off-by: Chen Hanxiao <chenhx.fnst(a)fujitsu.com> Acked-by: Julian Anastasov <ja(a)ssi.bg> Acked-by: Simon Horman <horms(a)kernel.org> Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org> [ Resolve minor conflicts to fix CVE-2024-42322 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- net/netfilter/ipvs/ip_vs_ctl.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index 17a1b731a76b..18e37b32a5d6 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -1382,18 +1382,18 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, sched = NULL; } - /* Bind the ct retriever */ - RCU_INIT_POINTER(svc->pe, pe); - pe = NULL; - /* Update the virtual service counters */ if (svc->port == FTPPORT) atomic_inc(&ipvs->ftpsvc_counter); else if (svc->port == 0) atomic_inc(&ipvs->nullsvc_counter); - if (svc->pe && svc->pe->conn_out) + if (pe && pe->conn_out) atomic_inc(&ipvs->conn_out_counter); + /* Bind the ct retriever */ + RCU_INIT_POINTER(svc->pe, pe); + pe = NULL; + ip_vs_start_estimator(ipvs, &svc->stats); /* Count only IPv4 services for old get/setsockopt interface */ -- 2.43.0

5 months, 1 week

1
0
0 0

[PATCH v4 1/3] drm: adv7511: Fix use-after-free in adv7533_attach_dsi()

by Biju Das

The host_node pointer was assigned and freed in adv7533_parse_dt(), and later, adv7533_attach_dsi() used the same. Fix this use-after-free issue with the below changes: 1. Drop host_node from struct adv7511 and instead use a local pointer in adv7511_probe(). 2. Update adv7533_parse_dt() to return the host_node. 3. Pass the host_node as a parameter to adv7533_attach_dsi(). 4. Call of_node_put() after use. Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- Changes in v4: - Updated commit description. - Dropped host_node from struct adv7511 and instead used a local pointer in probe(). Also freeing of host_node pointer after use is done in probe(). Changes in v3: - Replace __free construct with readable of_node_put(). Changes in v2: - Added the tag "Cc: stable(a)vger.kernel.org" in the sign-off area. - Dropped Archit Taneja invalid Mail address --- drivers/gpu/drm/bridge/adv7511/adv7511.h | 6 +++--- drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 22 ++++++++++++++------ drivers/gpu/drm/bridge/adv7511/adv7533.c | 20 +++++++++--------- 3 files changed, 29 insertions(+), 19 deletions(-) diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511.h b/drivers/gpu/drm/bridge/adv7511/adv7511.h index ec0b7f3d889c..9f3fae7cc597 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7511.h +++ b/drivers/gpu/drm/bridge/adv7511/adv7511.h @@ -383,7 +383,6 @@ struct adv7511 { struct regulator_bulk_data *supplies; /* ADV7533 DSI RX related params */ - struct device_node *host_node; struct mipi_dsi_device *dsi; u8 num_dsi_lanes; bool use_timing_gen; @@ -417,8 +416,9 @@ enum drm_mode_status adv7533_mode_valid(struct adv7511 *adv, const struct drm_display_mode *mode); int adv7533_patch_registers(struct adv7511 *adv); int adv7533_patch_cec_registers(struct adv7511 *adv); -int adv7533_attach_dsi(struct adv7511 *adv); -int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv); +int adv7533_attach_dsi(struct adv7511 *adv, struct device_node *host_node); +struct device_node *adv7533_parse_dt(struct device_node *np, + struct adv7511 *adv); #ifdef CONFIG_DRM_I2C_ADV7511_AUDIO int adv7511_audio_init(struct device *dev, struct adv7511 *adv7511); diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c index eb5919b38263..3f1f309791a5 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c @@ -1209,6 +1209,7 @@ static int adv7511_parse_dt(struct device_node *np, static int adv7511_probe(struct i2c_client *i2c) { struct adv7511_link_config link_config; + struct device_node *host_node = NULL; struct adv7511 *adv7511; struct device *dev = &i2c->dev; unsigned int val; @@ -1233,12 +1234,17 @@ static int adv7511_probe(struct i2c_client *i2c) if (ret && ret != -ENODEV) return ret; - if (adv7511->info->link_config) + if (adv7511->info->link_config) { ret = adv7511_parse_dt(dev->of_node, &link_config); - else - ret = adv7533_parse_dt(dev->of_node, adv7511); - if (ret) - return ret; + if (ret) + return ret; + } + + if (adv7511->info->has_dsi) { + host_node = adv7533_parse_dt(dev->of_node, adv7511); + if (IS_ERR(host_node)) + return PTR_ERR(host_node); + } ret = adv7511_init_regulators(adv7511); if (ret) @@ -1343,9 +1349,11 @@ static int adv7511_probe(struct i2c_client *i2c) } if (adv7511->info->has_dsi) { - ret = adv7533_attach_dsi(adv7511); + ret = adv7533_attach_dsi(adv7511, host_node); if (ret) goto err_unregister_audio; + + of_node_put(host_node); } return 0; @@ -1362,6 +1370,8 @@ static int adv7511_probe(struct i2c_client *i2c) err_i2c_unregister_edid: i2c_unregister_device(adv7511->i2c_edid); uninit_regulators: + if (host_node) + of_node_put(host_node); adv7511_uninit_regulators(adv7511); return ret; diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 4481489aaf5e..5d0e55ef4028 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -131,7 +131,7 @@ int adv7533_patch_cec_registers(struct adv7511 *adv) ARRAY_SIZE(adv7533_cec_fixed_registers)); } -int adv7533_attach_dsi(struct adv7511 *adv) +int adv7533_attach_dsi(struct adv7511 *adv, struct device_node *host_node) { struct device *dev = &adv->i2c_main->dev; struct mipi_dsi_host *host; @@ -142,7 +142,7 @@ int adv7533_attach_dsi(struct adv7511 *adv) .node = NULL, }; - host = of_find_mipi_dsi_host_by_node(adv->host_node); + host = of_find_mipi_dsi_host_by_node(host_node); if (!host) return dev_err_probe(dev, -EPROBE_DEFER, "failed to find dsi host\n"); @@ -166,22 +166,22 @@ int adv7533_attach_dsi(struct adv7511 *adv) return 0; } -int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) +struct device_node *adv7533_parse_dt(struct device_node *np, + struct adv7511 *adv) { + struct device_node *host_node; u32 num_lanes; of_property_read_u32(np, "adi,dsi-lanes", &num_lanes); if (num_lanes < 1 || num_lanes > 4) - return -EINVAL; + return ERR_PTR(-EINVAL); adv->num_dsi_lanes = num_lanes; - adv->host_node = of_graph_get_remote_node(np, 0, 0); - if (!adv->host_node) - return -ENODEV; - - of_node_put(adv->host_node); + host_node = of_graph_get_remote_node(np, 0, 0); + if (!host_node) + return ERR_PTR(-ENODEV); adv->use_timing_gen = !of_property_read_bool(np, "adi,disable-timing-generator"); @@ -190,5 +190,5 @@ int adv7533_parse_dt(struct device_node *np, struct adv7511 *adv) adv->rgb = true; adv->embedded_sync = false; - return 0; + return host_node; } -- 2.43.0

5 months, 1 week

2
2
0 0

[Patch v] drivers/card_reader/rtsx_usb: Restore interrupt based detection

by Sean Rhodes

This commit reintroduces interrupt-based card detection previously used in the rts5139 driver. This functionality was removed in commit 00d8521dcd23 ("staging: remove rts5139 driver code"). Reintroducing this mechanism fixes presence detection for certain card readers, which with the current driver, will taken approximately 20 seconds to enter S3 as `mmc_rescan` has to be frozen. Fixes: 00d8521dcd23 ("staging: remove rts5139 driver code") Cc: stable(a)vger.kernel.org Cc: Arnd Bergmann <arnd(a)arndb.de> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sean Rhodes <sean(a)starlabs.systems> --- drivers/misc/cardreader/rtsx_usb.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/misc/cardreader/rtsx_usb.c b/drivers/misc/cardreader/rtsx_usb.c index f150d8769f19..285a748748d7 100644 --- a/drivers/misc/cardreader/rtsx_usb.c +++ b/drivers/misc/cardreader/rtsx_usb.c @@ -286,6 +286,7 @@ static int rtsx_usb_get_status_with_bulk(struct rtsx_ucr *ucr, u16 *status) int rtsx_usb_get_card_status(struct rtsx_ucr *ucr, u16 *status) { int ret; + u8 interrupt_val = 0; u16 *buf; if (!status) @@ -308,6 +309,20 @@ int rtsx_usb_get_card_status(struct rtsx_ucr *ucr, u16 *status) ret = rtsx_usb_get_status_with_bulk(ucr, status); } + rtsx_usb_read_register(ucr, CARD_INT_PEND, &interrupt_val); + /* Cross check presence with interrupts */ + if (*status & XD_CD) + if (!(interrupt_val & XD_INT)) + *status &= ~XD_CD; + + if (*status & SD_CD) + if (!(interrupt_val & SD_INT)) + *status &= ~SD_CD; + + if (*status & MS_CD) + if (!(interrupt_val & MS_INT)) + *status &= ~MS_CD; + /* usb_control_msg may return positive when success */ if (ret < 0) return ret; -- 2.45.2

5 months, 1 week

1
0
0 0

[PATCH 6.1.y 0/2] Backport to fix CVE-2024-36478

by Xiangyu Chen

From: Xiangyu Chen <xiangyu.chen(a)windriver.com> Backport to fix CVE-2024-36478 https://lore.kernel.org/linux-cve-announce/2024062136-CVE-2024-36478-d249@g… The CVE fix is "null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'" This required 1 extra commit to make sure the picks are clean: null_blk: Remove usage of the deprecated ida_simple_xx() API Christophe JAILLET (1): null_blk: Remove usage of the deprecated ida_simple_xx() API Yu Kuai (1): null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues' drivers/block/null_blk/main.c | 44 ++++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 16 deletions(-) -- 2.43.0

5 months, 1 week

2
4
0 0

[PATCH 6.6] leds: mlxreg: Use devm_mutex_init() for mutex initialization

by Bin Lan

From: George Stark <gnstark(a)salutedevices.com> [ Upstream commit efc347b9efee1c2b081f5281d33be4559fa50a16 ] In this driver LEDs are registered using devm_led_classdev_register() so they are automatically unregistered after module's remove() is done. led_classdev_unregister() calls module's led_set_brightness() to turn off the LEDs and that callback uses mutex which was destroyed already in module's remove() so use devm API instead. Signed-off-by: George Stark <gnstark(a)salutedevices.com> Reviewed-by: Andy Shevchenko <andy.shevchenko(a)gmail.com> Link: https://lore.kernel.org/r/20240411161032.609544-8-gnstark@salutedevices.com Signed-off-by: Lee Jones <lee(a)kernel.org> [ Resolve minor conflicts to fix CVE-2024-42129 ] Signed-off-by: Bin Lan <bin.lan.cn(a)windriver.com> --- drivers/leds/leds-mlxreg.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/drivers/leds/leds-mlxreg.c b/drivers/leds/leds-mlxreg.c index 39210653acf7..b1510cd32e47 100644 --- a/drivers/leds/leds-mlxreg.c +++ b/drivers/leds/leds-mlxreg.c @@ -257,6 +257,7 @@ static int mlxreg_led_probe(struct platform_device *pdev) { struct mlxreg_core_platform_data *led_pdata; struct mlxreg_led_priv_data *priv; + int err; led_pdata = dev_get_platdata(&pdev->dev); if (!led_pdata) { @@ -268,28 +269,21 @@ static int mlxreg_led_probe(struct platform_device *pdev) if (!priv) return -ENOMEM; - mutex_init(&priv->access_lock); + err = devm_mutex_init(&pdev->dev, &priv->access_lock); + if (err) + return err; + priv->pdev = pdev; priv->pdata = led_pdata; return mlxreg_led_config(priv); } -static int mlxreg_led_remove(struct platform_device *pdev) -{ - struct mlxreg_led_priv_data *priv = dev_get_drvdata(&pdev->dev); - - mutex_destroy(&priv->access_lock); - - return 0; -} - static struct platform_driver mlxreg_led_driver = { .driver = { .name = "leds-mlxreg", }, .probe = mlxreg_led_probe, - .remove = mlxreg_led_remove, }; module_platform_driver(mlxreg_led_driver); -- 2.43.0

5 months, 1 week

1
0
0 0

[PATCH 6.1.y] net/sched: taprio: extend minimum interval restriction to entire cycle too

by Xiangyu Chen

From: Vladimir Oltean <vladimir.oltean(a)nxp.com> [ Upstream commit fb66df20a7201e60f2b13d7f95d031b31a8831d3 ] It is possible for syzbot to side-step the restriction imposed by the blamed commit in the Fixes: tag, because the taprio UAPI permits a cycle-time different from (and potentially shorter than) the sum of entry intervals. We need one more restriction, which is that the cycle time itself must be larger than N * ETH_ZLEN bit times, where N is the number of schedule entries. This restriction needs to apply regardless of whether the cycle time came from the user or was the implicit, auto-calculated value, so we move the existing "cycle == 0" check outside the "if "(!new->cycle_time)" branch. This way covers both conditions and scenarios. Add a selftest which illustrates the issue triggered by syzbot. Fixes: b5b73b26b3ca ("taprio: Fix allowing too small intervals") Reported-by: syzbot+a7d2b1d5d1af83035567(a)syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/0000000000007d66bc06196e7c66@google.com/ Signed-off-by: Vladimir Oltean <vladimir.oltean(a)nxp.com> Link: https://lore.kernel.org/r/20240527153955.553333-2-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- net/sched/sch_taprio.c | 10 ++++----- .../tc-testing/tc-tests/qdiscs/taprio.json | 22 +++++++++++++++++++ 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c index 1d5cdc987abd..62219f23f76a 100644 --- a/net/sched/sch_taprio.c +++ b/net/sched/sch_taprio.c @@ -915,11 +915,6 @@ static int parse_taprio_schedule(struct taprio_sched *q, struct nlattr **tb, list_for_each_entry(entry, &new->entries, list) cycle = ktime_add_ns(cycle, entry->interval); - if (!cycle) { - NL_SET_ERR_MSG(extack, "'cycle_time' can never be 0"); - return -EINVAL; - } - if (cycle < 0 || cycle > INT_MAX) { NL_SET_ERR_MSG(extack, "'cycle_time' is too big"); return -EINVAL; @@ -928,6 +923,11 @@ static int parse_taprio_schedule(struct taprio_sched *q, struct nlattr **tb, new->cycle_time = cycle; } + if (new->cycle_time < new->num_entries * length_to_duration(q, ETH_ZLEN)) { + NL_SET_ERR_MSG(extack, "'cycle_time' is too small"); + return -EINVAL; + } + return 0; } diff --git a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json index 08d4861c2e78..d04fed83332c 100644 --- a/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json +++ b/tools/testing/selftests/tc-testing/tc-tests/qdiscs/taprio.json @@ -132,6 +132,28 @@ "echo \"1\" > /sys/bus/netdevsim/del_device" ] }, + { + "id": "831f", + "name": "Add taprio Qdisc with too short cycle-time", + "category": [ + "qdisc", + "taprio" + ], + "plugins": { + "requires": "nsPlugin" + }, + "setup": [ + "echo \"1 1 8\" > /sys/bus/netdevsim/new_device" + ], + "cmdUnderTest": "$TC qdisc add dev $ETH root handle 1: taprio num_tc 2 queues 1@0 1@1 sched-entry S 01 200000 sched-entry S 02 200000 cycle-time 100 clockid CLOCK_TAI", + "expExitCode": "2", + "verifyCmd": "$TC qdisc show dev $ETH", + "matchPattern": "qdisc taprio 1: root refcnt", + "matchCount": "0", + "teardown": [ + "echo \"1\" > /sys/bus/netdevsim/del_device" + ] + }, { "id": "3e1e", "name": "Add taprio Qdisc with an invalid cycle-time", -- 2.43.0

5 months, 1 week

1
0
0 0

[PATCH 6.1.y] net: fec: remove .ndo_poll_controller to avoid deadlocks

by Xiangyu Chen

From: Wei Fang <wei.fang(a)nxp.com> [ Upstream commit c2e0c58b25a0a0c37ec643255558c5af4450c9f5 ] There is a deadlock issue found in sungem driver, please refer to the commit ac0a230f719b ("eth: sungem: remove .ndo_poll_controller to avoid deadlocks"). The root cause of the issue is that netpoll is in atomic context and disable_irq() is called by .ndo_poll_controller interface of sungem driver, however, disable_irq() might sleep. After analyzing the implementation of fec_poll_controller(), the fec driver should have the same issue. Due to the fec driver uses NAPI for TX completions, the .ndo_poll_controller is unnecessary to be implemented in the fec driver, so fec_poll_controller() can be safely removed. Fixes: 7f5c6addcdc0 ("net/fec: add poll controller function for fec nic") Signed-off-by: Wei Fang <wei.fang(a)nxp.com> Link: https://lore.kernel.org/r/20240511062009.652918-1-wei.fang@nxp.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiangyu Chen <xiangyu.chen(a)windriver.com> --- drivers/net/ethernet/freescale/fec_main.c | 26 ----------------------- 1 file changed, 26 deletions(-) diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c index 0a5c3d27ed3b..aeab6c28892f 100644 --- a/drivers/net/ethernet/freescale/fec_main.c +++ b/drivers/net/ethernet/freescale/fec_main.c @@ -3508,29 +3508,6 @@ fec_set_mac_address(struct net_device *ndev, void *p) return 0; } -#ifdef CONFIG_NET_POLL_CONTROLLER -/** - * fec_poll_controller - FEC Poll controller function - * @dev: The FEC network adapter - * - * Polled functionality used by netconsole and others in non interrupt mode - * - */ -static void fec_poll_controller(struct net_device *dev) -{ - int i; - struct fec_enet_private *fep = netdev_priv(dev); - - for (i = 0; i < FEC_IRQ_NUM; i++) { - if (fep->irq[i] > 0) { - disable_irq(fep->irq[i]); - fec_enet_interrupt(fep->irq[i], dev); - enable_irq(fep->irq[i]); - } - } -} -#endif - static inline void fec_enet_set_netdev_features(struct net_device *netdev, netdev_features_t features) { @@ -3604,9 +3581,6 @@ static const struct net_device_ops fec_netdev_ops = { .ndo_tx_timeout = fec_timeout, .ndo_set_mac_address = fec_set_mac_address, .ndo_eth_ioctl = fec_enet_ioctl, -#ifdef CONFIG_NET_POLL_CONTROLLER - .ndo_poll_controller = fec_poll_controller, -#endif .ndo_set_features = fec_set_features, }; -- 2.43.0

5 months, 1 week

1
0
0 0

[PATCHSET] xfs: bug fixes for 6.13

by Darrick J. Wong

Hi all, Bug fixes for 6.13. If you're going to start using this code, I strongly recommend pulling from my git trees, which are linked below. With a bit of luck, this should all go splendidly. Comments and questions are, as always, welcome. --D kernel git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=xf… --- Commits in this patchset: * xfs: fix off-by-one error in fsmap's end_daddr usage * xfs: metapath scrubber should use the already loaded inodes * xfs: keep quota directory inode loaded * xfs: return a 64-bit block count from xfs_btree_count_blocks * xfs: don't drop errno values when we fail to ficlone the entire range * xfs: separate healthy clearing mask during repair * xfs: set XFS_SICK_INO_SYMLINK_ZAPPED explicitly when zapping a symlink * xfs: mark metadir repair tempfiles with IRECOVERY * xfs: fix null bno_hint handling in xfs_rtallocate_rtg * xfs: fix error bailout in xfs_rtginode_create --- fs/xfs/libxfs/xfs_btree.c | 4 +- fs/xfs/libxfs/xfs_btree.h | 2 + fs/xfs/libxfs/xfs_ialloc_btree.c | 4 ++ fs/xfs/libxfs/xfs_rtgroup.c | 2 + fs/xfs/scrub/agheader.c | 6 ++- fs/xfs/scrub/agheader_repair.c | 6 ++- fs/xfs/scrub/fscounters.c | 2 + fs/xfs/scrub/health.c | 57 ++++++++++++++++++-------------- fs/xfs/scrub/ialloc.c | 4 +- fs/xfs/scrub/metapath.c | 68 +++++++++++++++----------------------- fs/xfs/scrub/refcount.c | 2 + fs/xfs/scrub/scrub.h | 6 +++ fs/xfs/scrub/symlink_repair.c | 3 +- fs/xfs/scrub/tempfile.c | 10 ++++-- fs/xfs/xfs_bmap_util.c | 2 + fs/xfs/xfs_file.c | 8 ++++ fs/xfs/xfs_fsmap.c | 38 ++++++++++++--------- fs/xfs/xfs_inode.h | 2 + fs/xfs/xfs_qm.c | 47 ++++++++++++++------------ fs/xfs/xfs_qm.h | 1 + fs/xfs/xfs_rtalloc.c | 2 + 21 files changed, 151 insertions(+), 125 deletions(-)

5 months, 1 week

2
11
0 0

[PATCH 0/2] Backport fix of CVE-2024-36923 to 6.1 and 6.6

by Xiangyu Chen

From: Xiangyu Chen <xiangyu.chen(a)windriver.com> Following series is a backport of CVE-2024-36923 One for kernel 6.1 with [PATCH 6.1.y] header One for kernel 6.6 with [PATCH 6.6.y] header Eric Van Hensbergen (1): fs/9p: fix uninitialized values during inode evict fs/9p/vfs_inode.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) -- 2.43.0

5 months, 1 week

1
2
0 0

[PATCH 5.10 0/5] Address CVE-2024-49974

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> Backport the set of upstream patches that cap the number of concurrent background NFSv4.2 COPY operations. Chuck Lever (4): NFSD: Async COPY result needs to return a write verifier NFSD: Limit the number of concurrent async COPY operations NFSD: Initialize struct nfsd4_copy earlier NFSD: Never decrement pending_async_copies on error Dai Ngo (1): NFSD: initialize copy->cp_clp early in nfsd4_copy for use by trace point fs/nfsd/netns.h | 1 + fs/nfsd/nfs4proc.c | 36 +++++++++++++++++------------------- fs/nfsd/nfs4state.c | 1 + fs/nfsd/xdr4.h | 1 + 4 files changed, 20 insertions(+), 19 deletions(-) -- 2.47.0

5 months, 1 week

1
5
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror November 2024