November 2024 - Linux-stable-mirror

by Hemdan, Hagar Gamal Halim

Hi, Please backport commit: 0faf84caee63 ("cpufreq: Replace deprecated strncpy() with strscpy()") to stable trees 5.10.y, 5.15.y, 6.1.y and 6.6.y. This commit fixes possible Buffer not null terminated of "policy->last_governor" and "default_governor" in __cpufreq_offline() and cpufreq_core_init(). This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Amazon Web Services Development Center Germany GmbH Krausenstr. 38 10117 Berlin Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

5 months, 1 week

2
1
0 0

[PATCH v4 3/3] drm: adv7511: Drop dsi single lane support

by Biju Das

As per [1] and [2], ADV7535/7533 supports only 2-, 3-, or 4-lane. Drop unsupported 1-lane. [1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535… [2] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7533… Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Reported-by: Hien Huynh <hien.huynh.px(a)renesas.com> Cc: stable(a)vger.kernel.org Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- Changes in v4: - Added link to ADV7533 data sheet. - Collected tags Changes in v3: - Updated commit header and description - Updated fixes tag - Dropped single lane support Changes in v2: - Added the tag "Cc: stable(a)vger.kernel.org" in the sign-off area. - Dropped Archit Taneja invalid Mail address --- drivers/gpu/drm/bridge/adv7511/adv7533.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c index 5d0e55ef4028..51ddd935b568 100644 --- a/drivers/gpu/drm/bridge/adv7511/adv7533.c +++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c @@ -174,7 +174,7 @@ struct device_node *adv7533_parse_dt(struct device_node *np, of_property_read_u32(np, "adi,dsi-lanes", &num_lanes); - if (num_lanes < 1 || num_lanes > 4) + if (num_lanes < 2 || num_lanes > 4) return ERR_PTR(-EINVAL); adv->num_dsi_lanes = num_lanes; -- 2.43.0

5 months, 1 week

1
0
0 0

[PATCH v4 2/3] dt-bindings: display: adi,adv7533: Drop single lane support

by Biju Das

As per [1] and [2], ADV7535/7533 supports only 2-, 3-, or 4-lane. Drop unsupported 1-lane from bindings. [1] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7535… [2] https://www.analog.com/media/en/technical-documentation/data-sheets/ADV7533… Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") Cc: stable(a)vger.kernel.org Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> Reviewed-by: Geert Uytterhoeven <geert+renesas(a)glider.be> Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> Signed-off-by: Biju Das <biju.das.jz(a)bp.renesas.com> --- v3->v4: * Added link to ADV7533 data sheet. * Collected tags. v3: * New patch. --- .../devicetree/bindings/display/bridge/adi,adv7533.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml b/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml index df20a3c9c744..ec89115c74e4 100644 --- a/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml +++ b/Documentation/devicetree/bindings/display/bridge/adi,adv7533.yaml @@ -90,7 +90,7 @@ properties: adi,dsi-lanes: description: Number of DSI data lanes connected to the DSI host. $ref: /schemas/types.yaml#/definitions/uint32 - enum: [ 1, 2, 3, 4 ] + enum: [ 2, 3, 4 ] "#sound-dai-cells": const: 0 -- 2.43.0

5 months, 1 week

1
0
0 0

[RFC PATCH 0/6 6.6] Address rename/readdir bugs in fs/libfs.c

by cel＠kernel.org

From: Chuck Lever <chuck.lever(a)oracle.com> Address several bugs in v6.6's libfs/shmemfs, including CVE-2024-46701. Link: https://lore.kernel.org/stable/976C0DD5-4337-4C7D-92C6-A38C2EC335A4@oracle.… I'm still running the usual set of regression tests, but so far this set looks stable. I'm interested in hearing review comments and test results. Branch for testing: https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git/log/?h=nfsd-6… Chuck Lever (5): libfs: Define a minimum directory offset libfs: Add simple_offset_empty() libfs: Fix simple_offset_rename_exchange() libfs: Add simple_offset_rename() API shmem: Fix shmem_rename2() yangerkun (1): libfs: fix infinite directory reads for offset dir fs/libfs.c | 135 +++++++++++++++++++++++++++++++++++++-------- include/linux/fs.h | 3 + mm/shmem.c | 7 +-- 3 files changed, 119 insertions(+), 26 deletions(-) -- 2.47.0

5 months, 1 week

5
14
0 0

[PATCHv2 5.15] udf: Allocate name buffer in directory iterator on heap

by Sergey Senozhatsky

From: Jan Kara <jack(a)suse.cz> [ Upstream commit 0aba4860b0d0216a1a300484ff536171894d49d8 ] Currently we allocate name buffer in directory iterators (struct udf_fileident_iter) on stack. These structures are relatively large (some 360 bytes on 64-bit architectures). For udf_rename() which needs to keep three of these structures in parallel the stack usage becomes rather heavy - 1536 bytes in total. Allocate the name buffer in the iterator from heap to avoid excessive stack usage. Link: https://lore.kernel.org/all/202212200558.lK9x1KW0-lkp@intel.com Reported-by: kernel test robot <lkp(a)intel.com> Signed-off-by: Jan Kara <jack(a)suse.cz> [ senozhatsky: explicitly include slab.h to address build failure reported by sashal@ ] Signed-off-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> --- fs/udf/directory.c | 24 ++++++++++++++++-------- fs/udf/udfdecl.h | 2 +- 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/fs/udf/directory.c b/fs/udf/directory.c index e97ffae07833..a30898debdd1 100644 --- a/fs/udf/directory.c +++ b/fs/udf/directory.c @@ -19,6 +19,7 @@ #include <linux/bio.h> #include <linux/crc-itu-t.h> #include <linux/iversion.h> +#include <linux/slab.h> static int udf_verify_fi(struct udf_fileident_iter *iter) { @@ -248,9 +249,14 @@ int udf_fiiter_init(struct udf_fileident_iter *iter, struct inode *dir, iter->elen = 0; iter->epos.bh = NULL; iter->name = NULL; + iter->namebuf = kmalloc(UDF_NAME_LEN_CS0, GFP_KERNEL); + if (!iter->namebuf) + return -ENOMEM; - if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) - return udf_copy_fi(iter); + if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { + err = udf_copy_fi(iter); + goto out; + } if (inode_bmap(dir, iter->pos >> dir->i_blkbits, &iter->epos, &iter->eloc, &iter->elen, &iter->loffset) != @@ -260,17 +266,17 @@ int udf_fiiter_init(struct udf_fileident_iter *iter, struct inode *dir, udf_err(dir->i_sb, "position %llu not allocated in directory (ino %lu)\n", (unsigned long long)pos, dir->i_ino); - return -EFSCORRUPTED; + err = -EFSCORRUPTED; + goto out; } err = udf_fiiter_load_bhs(iter); if (err < 0) - return err; + goto out; err = udf_copy_fi(iter); - if (err < 0) { +out: + if (err < 0) udf_fiiter_release(iter); - return err; - } - return 0; + return err; } int udf_fiiter_advance(struct udf_fileident_iter *iter) @@ -307,6 +313,8 @@ void udf_fiiter_release(struct udf_fileident_iter *iter) brelse(iter->bh[0]); brelse(iter->bh[1]); iter->bh[0] = iter->bh[1] = NULL; + kfree(iter->namebuf); + iter->namebuf = NULL; } static void udf_copy_to_bufs(void *buf1, int len1, void *buf2, int len2, diff --git a/fs/udf/udfdecl.h b/fs/udf/udfdecl.h index f764b4d15094..d35aa42bb577 100644 --- a/fs/udf/udfdecl.h +++ b/fs/udf/udfdecl.h @@ -99,7 +99,7 @@ struct udf_fileident_iter { struct extent_position epos; /* Position after the above extent */ struct fileIdentDesc fi; /* Copied directory entry */ uint8_t *name; /* Pointer to entry name */ - uint8_t namebuf[UDF_NAME_LEN_CS0]; /* Storage for entry name in case + uint8_t *namebuf; /* Storage for entry name in case * the name is split between two blocks */ }; -- 2.47.0.338.g60cca15819-goog

5 months, 1 week

2
2
0 0

[PATCH] ALSA: usb-audio: Fix control names for Plantronics/Poly Headsets

by Wade Wang

Add a control name fixer for all headsets with VID 0x047F. Signed-off-by: Terry Junge <linuxhid(a)cosmicgizmosystems.com> Signed-off-by: Wade Wang <wade.wang(a)hp.com> --- sound/usb/mixer.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index bd67027c7677..110d43ace4d8 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1664,6 +1664,33 @@ static void check_no_speaker_on_headset(struct snd_kcontrol *kctl, snd_ctl_rename(card, kctl, "Headphone"); } +static void fix_plt_control_name(struct snd_kcontrol *kctl) +{ + static const char * const names_to_remove[] = { + "Earphone", + "Microphone", + "Receive", + "Transmit", + NULL + }; + const char * const *n2r; + char *dst, *src; + size_t len; + + for (n2r = names_to_remove; *n2r; ++n2r) { + dst = strstr(kctl->id.name, *n2r); + if (dst != NULL) { + src = dst + strlen(*n2r); + len = strlen(src) + 1; + if ((char *)kctl->id.name != dst && *(dst - 1) == ' ') + --dst; + memmove(dst, src, len); + } + } + if (kctl->id.name[0] == '\0') + strscpy(kctl->id.name, "Headset", SNDRV_CTL_ELEM_ID_NAME_MAXLEN); +} + static const struct usb_feature_control_info *get_feature_control_info(int control) { int i; @@ -1780,6 +1807,9 @@ static void __build_feature_ctl(struct usb_mixer_interface *mixer, if (!mapped_name) check_no_speaker_on_headset(kctl, mixer->chip->card); + if (USB_ID_VENDOR(mixer->chip->usb_id) == 0x047f) + fix_plt_control_name(kctl); + /* * determine the stream direction: * if the connected output is USB stream, then it's likely a -- 2.43.0

5 months, 1 week

5
5
0 0

+ mm-revert-mm-shmem-fix-data-race-in-shmem_getattr.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: mm: revert "mm: shmem: fix data-race in shmem_getattr()" has been added to the -mm mm-hotfixes-unstable branch. Its filename is mm-revert-mm-shmem-fix-data-race-in-shmem_getattr.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Andrew Morton <akpm(a)linux-foundation.org> Subject: mm: revert "mm: shmem: fix data-race in shmem_getattr()" Date: Fri Nov 15 04:57:24 PM PST 2024 Revert d949d1d14fa2 ("mm: shmem: fix data-race in shmem_getattr()") as suggested by Chuck [1]. It is causing deadlocks when accessing tmpfs over NFS. Link: https://lkml.kernel.org/r/ZzdxKF39VEmXSSyN@tissot.1015granger.net [1] Fixes: https://lkml.kernel.org/r/ZzdxKF39VEmXSSyN@tissot.1015granger.net Cc: Chuck Lever <chuck.lever(a)oracle.com> Cc: Hugh Dickins <hughd(a)google.com> Cc: Jeongjun Park <aha310510(a)gmail.com> Cc: Yu Zhao <yuzhao(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/shmem.c | 2 -- 1 file changed, 2 deletions(-) --- a/mm/shmem.c~mm-revert-mm-shmem-fix-data-race-in-shmem_getattr +++ a/mm/shmem.c @@ -1166,9 +1166,7 @@ static int shmem_getattr(struct mnt_idma stat->attributes_mask |= (STATX_ATTR_APPEND | STATX_ATTR_IMMUTABLE | STATX_ATTR_NODUMP); - inode_lock_shared(inode); generic_fillattr(idmap, request_mask, inode, stat); - inode_unlock_shared(inode); if (shmem_huge_global_enabled(inode, 0, 0, false, NULL, 0)) stat->blksize = HPAGE_PMD_SIZE; _ Patches currently in -mm which might be from akpm(a)linux-foundation.org are fs-proc-vmcorec-fix-warning-when-config_mmu=n.patch mm-revert-mm-shmem-fix-data-race-in-shmem_getattr.patch

5 months, 1 week

2
1
0 0

[PATCH net V2] gve: Flow steering trigger reset only for timeout error

by Jeroen de Borst

From: Ziwei Xiao <ziweixiao(a)google.com> When configuring flow steering rules, the driver is currently going through a reset for all errors from the device. Instead, the driver should only reset when there's a timeout error from the device. Fixes: 57718b60df9b ("gve: Add flow steering adminq commands") Cc: stable(a)vger.kernel.org Signed-off-by: Ziwei Xiao <ziweixiao(a)google.com> Signed-off-by: Jeroen de Borst <jeroendb(a)google.com> Reviewed-by: Harshitha Ramamurthy <hramamurthy(a)google.com> --- v2: Added missing Signed-off-by drivers/net/ethernet/google/gve/gve_adminq.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/google/gve/gve_adminq.c b/drivers/net/ethernet/google/gve/gve_adminq.c index e44e8b139633..060e0e674938 100644 --- a/drivers/net/ethernet/google/gve/gve_adminq.c +++ b/drivers/net/ethernet/google/gve/gve_adminq.c @@ -1248,10 +1248,10 @@ gve_adminq_configure_flow_rule(struct gve_priv *priv, sizeof(struct gve_adminq_configure_flow_rule), flow_rule_cmd); - if (err) { + if (err == -ETIME) { dev_err(&priv->pdev->dev, "Timeout to configure the flow rule, trigger reset"); gve_reset(priv, true); - } else { + } else if (!err) { priv->flow_rules_cache.rules_cache_synced = false; } -- 2.47.0.277.g8800431eea-goog

5 months, 1 week

3
2
0 0

[PATCH net v3] netdev-genl: Hold rcu_read_lock in napi_get

by Joe Damato

Hold rcu_read_lock in netdev_nl_napi_get_doit, which calls napi_by_id and is required to be called under rcu_read_lock. Cc: stable(a)vger.kernel.org Fixes: 27f91aaf49b3 ("netdev-genl: Add netlink framework functions for napi") Signed-off-by: Joe Damato <jdamato(a)fastly.com> --- v3: - Separate the patches that were a series in v2 (and earlier) as they target different trees. v2: - Simplified by removing the helper and calling rcu_read_lock / unlock directly instead. net/core/netdev-genl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/core/netdev-genl.c b/net/core/netdev-genl.c index 1cb954f2d39e..d2baa1af9df0 100644 --- a/net/core/netdev-genl.c +++ b/net/core/netdev-genl.c @@ -215,6 +215,7 @@ int netdev_nl_napi_get_doit(struct sk_buff *skb, struct genl_info *info) return -ENOMEM; rtnl_lock(); + rcu_read_lock(); napi = napi_by_id(napi_id); if (napi) { @@ -224,6 +225,7 @@ int netdev_nl_napi_get_doit(struct sk_buff *skb, struct genl_info *info) err = -ENOENT; } + rcu_read_unlock(); rtnl_unlock(); if (err) base-commit: 5b366eae71937ae7412365340b431064625f9617 -- 2.25.1

5 months, 1 week

2
1
0 0

[PATCH v2] kunit: Fix potential null dereference in kunit_device_driver_test()

by Gax-c

From: Zichen Xie <zichenxie0106(a)gmail.com> kunit_kzalloc() may return a NULL pointer, dereferencing it without NULL check may lead to NULL dereference. Add a NULL check for test_state. Fixes: d03c720e03bd ("kunit: Add APIs for managing devices") Signed-off-by: Zichen Xie <zichenxie0106(a)gmail.com> Cc: stable(a)vger.kernel.org --- v2: Add Cc tag. --- lib/kunit/kunit-test.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/kunit/kunit-test.c b/lib/kunit/kunit-test.c index 37e02be1e710..d9c781c859fd 100644 --- a/lib/kunit/kunit-test.c +++ b/lib/kunit/kunit-test.c @@ -805,6 +805,8 @@ static void kunit_device_driver_test(struct kunit *test) struct device *test_device; struct driver_test_state *test_state = kunit_kzalloc(test, sizeof(*test_state), GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, test_state); + test->priv = test_state; test_driver = kunit_driver_create(test, "my_driver"); -- 2.34.1

5 months, 1 week

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror November 2024