April 2024 - Linux-stable-mirror

[PATCH v2] fbdev: fix incorrect address computation in deferred IO

by Nam Cao

With deferred IO enabled, a page fault happens when data is written to the framebuffer device. Then driver determines which page is being updated by calculating the offset of the written virtual address within the virtual memory area, and uses this offset to get the updated page within the internal buffer. This page is later copied to hardware (thus the name "deferred IO"). This offset calculation is only correct if the virtual memory area is mapped to the beginning of the internal buffer. Otherwise this is wrong. For example, if users do: mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000); Then the virtual memory area will mapped at offset 0xff000 within the internal buffer. This offset 0xff000 is not accounted for, and wrong page is updated. Correct the calculation by using vmf->pgoff instead. With this change, the variable "offset" will no longer hold the exact offset value, but it is rounded down to multiples of PAGE_SIZE. But this is still correct, because this variable is only used to calculate the page offset. Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@or… Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct") Cc: <stable(a)vger.kernel.org> Signed-off-by: Nam Cao <namcao(a)linutronix.de> --- v2: - simplify the patch by using vfg->pgoff - remove tested-by tag, as the patch is now different drivers/video/fbdev/core/fb_defio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c index 1ae1d35a5942..b9607d5a370d 100644 --- a/drivers/video/fbdev/core/fb_defio.c +++ b/drivers/video/fbdev/core/fb_defio.c @@ -196,7 +196,7 @@ static vm_fault_t fb_deferred_io_track_page(struct fb_info *info, unsigned long */ static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, struct vm_fault *vmf) { - unsigned long offset = vmf->address - vmf->vma->vm_start; + unsigned long offset = vmf->pgoff << PAGE_SHIFT; struct page *page = vmf->page; file_update_time(vmf->vma->vm_file); -- 2.39.2

8 months, 2 weeks

3
4
0 0

[PATCH 5/6] arm64: dts: qcom: sc8280xp-x13s: fix touchscreen power on

by Johan Hovold

The Elan eKTH5015M touch controller on the X13s requires a 300 ms delay before sending commands after having deasserted reset during power on. Switch to the Elan specific binding so that the OS can determine the required power-on sequence and make sure that the controller is always detected during boot. Note that the always-on 1.8 V supply (s10b) is not used by the controller directly and should not be described. Fixes: 32c231385ed4 ("arm64: dts: qcom: sc8280xp: add Lenovo Thinkpad X13s devicetree") Cc: stable(a)vger.kernel.org # 6.0 Signed-off-by: Johan Hovold <johan+linaro(a)kernel.org> --- .../dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts index b220ba4fba23..e27c8a21125c 100644 --- a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts +++ b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts @@ -674,15 +674,16 @@ &i2c4 { status = "okay"; - /* FIXME: verify */ touchscreen@10 { - compatible = "hid-over-i2c"; + compatible = "elan,ekth5015m", "elan,ekth6915"; reg = <0x10>; - hid-descr-addr = <0x1>; interrupts-extended = <&tlmm 175 IRQ_TYPE_LEVEL_LOW>; - vdd-supply = <&vreg_misc_3p3>; - vddl-supply = <&vreg_s10b>; + reset-gpios = <&tlmm 99 (GPIO_ACTIVE_LOW | GPIO_OPEN_DRAIN)>; + no-reset-on-power-off; + + vcc33-supply = <&vreg_misc_3p3>; + vccio-supply = <&vreg_misc_3p3>; pinctrl-names = "default"; pinctrl-0 = <&ts0_default>; @@ -1637,8 +1638,8 @@ int-n-pins { reset-n-pins { pins = "gpio99"; function = "gpio"; - output-high; - drive-strength = <16>; + drive-strength = <2>; + bias-disable; }; }; -- 2.43.2

8 months, 2 weeks

1
0
0 0

[PATCH] efi: libstub: only free priv.runtime_map when allocated

by Hagar Hemdan

priv.runtime_map is only allocated when efi_novamap is not set. Otherwise, it is an uninitialized value. In the error path, it is freed unconditionally. Avoid passing an uninitialized value to free_pool. Free priv.runtime_map only when it was allocated. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Fixes: f80d26043af9 ("efi: libstub: avoid efi_get_memory_map() for allocating the virt map") Signed-off-by: Hagar Hemdan <hagarhem(a)amazon.com> --- drivers/firmware/efi/libstub/fdt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/efi/libstub/fdt.c b/drivers/firmware/efi/libstub/fdt.c index 70e9789ff9de..6a337f1f8787 100644 --- a/drivers/firmware/efi/libstub/fdt.c +++ b/drivers/firmware/efi/libstub/fdt.c @@ -335,8 +335,8 @@ efi_status_t allocate_new_fdt_and_exit_boot(void *handle, fail: efi_free(fdt_size, fdt_addr); - - efi_bs_call(free_pool, priv.runtime_map); + if (!efi_novamap) + efi_bs_call(free_pool, priv.runtime_map); return EFI_LOAD_ERROR; } -- 2.40.1

8 months, 2 weeks

2
1
0 0

FAILED: patch "[PATCH] drm/vmwgfx: Fix crtc's atomic check conditional" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x a60ccade88f926e871a57176e86a34bbf0db0098 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024042326-stubbed-gauze-ca0a@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: a60ccade88f9 ("drm/vmwgfx: Fix crtc's atomic check conditional") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From a60ccade88f926e871a57176e86a34bbf0db0098 Mon Sep 17 00:00:00 2001 From: Zack Rusin <zack.rusin(a)broadcom.com> Date: Thu, 11 Apr 2024 22:55:10 -0400 Subject: [PATCH] drm/vmwgfx: Fix crtc's atomic check conditional The conditional was supposed to prevent enabling of a crtc state without a set primary plane. Accidently it also prevented disabling crtc state with a set primary plane. Neither is correct. Fix the conditional and just driver-warn when a crtc state has been enabled without a primary plane which will help debug broken userspace. Fixes IGT's kms_atomic_interruptible and kms_atomic_transition tests. Signed-off-by: Zack Rusin <zack.rusin(a)broadcom.com> Fixes: 06ec41909e31 ("drm/vmwgfx: Add and connect CRTC helper functions") Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list(a)broadcom.com> Cc: dri-devel(a)lists.freedesktop.org Cc: <stable(a)vger.kernel.org> # v4.12+ Reviewed-by: Ian Forbes <ian.forbes(a)broadcom.com> Reviewed-by: Martin Krastev <martin.krastev(a)broadcom.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240412025511.78553-5-zack.r… diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index cd4925346ed4..84ae4e10a2eb 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -933,6 +933,7 @@ int vmw_du_cursor_plane_atomic_check(struct drm_plane *plane, int vmw_du_crtc_atomic_check(struct drm_crtc *crtc, struct drm_atomic_state *state) { + struct vmw_private *vmw = vmw_priv(crtc->dev); struct drm_crtc_state *new_state = drm_atomic_get_new_crtc_state(state, crtc); struct vmw_display_unit *du = vmw_crtc_to_du(new_state->crtc); @@ -940,9 +941,13 @@ int vmw_du_crtc_atomic_check(struct drm_crtc *crtc, bool has_primary = new_state->plane_mask & drm_plane_mask(crtc->primary); - /* We always want to have an active plane with an active CRTC */ - if (has_primary != new_state->enable) - return -EINVAL; + /* + * This is fine in general, but broken userspace might expect + * some actual rendering so give a clue as why it's blank. + */ + if (new_state->enable && !has_primary) + drm_dbg_driver(&vmw->drm, + "CRTC without a primary plane will be blank.\n"); if (new_state->connector_mask != connector_mask &&

8 months, 2 weeks

1
0
0 0

[PATCH 5.4 000/215] 5.4.274-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.274 release. There are 215 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 13 Apr 2024 09:53:55 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.274-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.274-rc1 Zhang Shurong <zhang_shurong(a)foxmail.com> firmware: meson_sm: fix to avoid potential NULL pointer dereference Hangbin Liu <liuhangbin(a)gmail.com> ip_gre: do not report erspan version on GRE interface William Tu <u9012063(a)gmail.com> erspan: Check IFLA_GRE_ERSPAN_VER is set. Vasiliy Kovalev <kovalev(a)altlinux.org> VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler() Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: btintel: Fixe build regression Juergen Gross <jgross(a)suse.com> x86/alternative: Don't call text_poke() in lazy TLB mode Chris Wilson <chris(a)chris-wilson.co.uk> drm/i915/gt: Reset queue_priority_hint on parking David Hildenbrand <david(a)redhat.com> x86/mm/pat: fix VM_PAT handling in COW mappings David Hildenbrand <david(a)redhat.com> virtio: reenable config if freezing device failed Guo Mengqi <guomengqi3(a)huawei.com> drm/vkms: call drm_atomic_helper_shutdown before drm_dev_put() Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: discard table flag update with pending basechain deletion Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: release batch on table validation from abort path Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject new basechain after table flag update Roman Smirnov <r.smirnov(a)omp.ru> fbmon: prevent division by zero in fb_videomode_from_videomode() Aleksandr Burakov <a.burakov(a)rosalinux.ru> fbdev: viafb: fix typo in hw_bitblt_1 and hw_bitblt_2 Colin Ian King <colin.i.king(a)gmail.com> usb: sl811-hcd: only defined function checkdone if QUIRK2 is defined Marco Felsch <m.felsch(a)pengutronix.de> usb: typec: tcpci: add generic tcpci fallback compatible Petre Rodan <petre.rodan(a)subdimension.ro> tools: iio: replace seekdir() in iio_generic_buffer Ricardo B. Marliere <ricardo(a)marliere.net> ktest: force $buildonly = 1 for 'make_warnings_file' test type Gergo Koteles <soyer(a)irl.hu> Input: allocate keycode for Display refresh rate toggle Roman Smirnov <r.smirnov(a)omp.ru> block: prevent division by zero in blk_rq_stat_sum() Daniel Drake <drake(a)endlessos.org> Revert "ACPI: PM: Block ASUS B1400CEAE from suspend to idle by default" Dai Ngo <dai.ngo(a)oracle.com> SUNRPC: increase size of rpc_wait_queue.qlen from unsigned short to unsigned int Aric Cyr <aric.cyr(a)amd.com> drm/amd/display: Fix nanosec stat overflow Arnd Bergmann <arnd(a)arndb.de> media: sta2x11: fix irq handler cast Alex Henrie <alexhenrie24(a)gmail.com> isofs: handle CDs with bad root inode but good Joliet root directory Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc() Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> sysv: don't call sb_bread() with pointers_lock held Kunwu Chan <chentao(a)kylinos.cn> Input: synaptics-rmi4 - fail probing if memory allocation for "phys" fails Edward Adam Davis <eadavis(a)qq.com> Bluetooth: btintel: Fix null ptr deref in btintel_read_version David Sterba <dsterba(a)suse.com> btrfs: send: handle path ref underflow in header iterate_inode_ref() David Sterba <dsterba(a)suse.com> btrfs: export: handle invalid inode or root reference in btrfs_get_parent() David Sterba <dsterba(a)suse.com> btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num() Shannon Nelson <shannon.nelson(a)amd.com> ionic: set adminq irq affinity Johan Jonker <jbx6244(a)gmail.com> arm64: dts: rockchip: fix rk3399 hdmi ports node Johan Jonker <jbx6244(a)gmail.com> arm64: dts: rockchip: fix rk3328 hdmi ports node John Ogness <john.ogness(a)linutronix.de> panic: Flush kernel log buffer at the end Harshit Mogalapalli <harshit.m.mogalapalli(a)oracle.com> VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() Markus Elfring <elfring(a)users.sourceforge.net> batman-adv: Improve exception handling in batadv_throw_uevent() Markus Elfring <elfring(a)users.sourceforge.net> batman-adv: Return directly after a failed batadv_dat_select_candidates() in batadv_dat_forward_data() Dmitry Antipov <dmantipov(a)yandex.ru> wifi: ath9k: fix LNA selection in ath_ant_try_scan() Sumanth Korikkar <sumanthk(a)linux.ibm.com> s390/entry: align system call table on 8 bytes Borislav Petkov (AMD) <bp(a)alien8.de> x86/mce: Make sure to grab mce_sysfs_mutex in set_bank() I Gede Agastya Darma Laksana <gedeagas22(a)gmail.com> ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone Arnd Bergmann <arnd(a)arndb.de> ata: sata_mv: Fix PCI device ID table declaration compilation warning Arnd Bergmann <arnd(a)arndb.de> scsi: mylex: Fix sysfs buffer lengths Arnd Bergmann <arnd(a)arndb.de> ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit Stephen Lee <slee08177(a)gmail.com> ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw Paul Barker <paul.barker.ct(a)bp.renesas.com> net: ravb: Always process TX descriptor ring Eric Dumazet <edumazet(a)google.com> erspan: make sure erspan_base_hdr is present in skb->head William Tu <u9012063(a)gmail.com> erspan: Add type I version 0 support. John Sperbeck <jsperbeck(a)google.com> init: open /initrd.image with O_LARGEFILE Christoph Hellwig <hch(a)lst.de> initramfs: switch initramfs unpacking to struct file based APIs Christoph Hellwig <hch(a)lst.de> fs: add a vfs_fchmod helper Christoph Hellwig <hch(a)lst.de> fs: add a vfs_fchown helper Dan Carpenter <dan.carpenter(a)linaro.org> staging: vc04_services: fix information leak in create_component() Arnd Bergmann <arnd(a)arndb.de> staging: vc04_services: changen strncpy() to strscpy_pad() Dave Stevenson <dave.stevenson(a)raspberrypi.org> staging: mmal-vchiq: Fix client_component for 64 bit kernel Dave Stevenson <dave.stevenson(a)raspberrypi.org> staging: mmal-vchiq: Allocate and free components as required Aleksandr Loktionov <aleksandr.loktionov(a)intel.com> i40e: fix vf may be used uninitialized in this function warning Kuniyuki Iwashima <kuniyu(a)amazon.com> ipv6: Fix infinite recursion in fib6_dump_done(). Jakub Kicinski <kuba(a)kernel.org> selftests: reuseaddr_conflict: add missing new line at the end of the output Piotr Wejman <piotrwejman90(a)gmail.com> net: stmmac: fix rx queue priority assignment Eric Dumazet <edumazet(a)google.com> net/sched: act_skbmod: prevent kernel-infoleak Jakub Sitnicki <jakub(a)cloudflare.com> bpf, sockmap: Prevent lock inversion deadlock in map delete elem Ziyang Xuan <william.xuanziyang(a)huawei.com> netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: flush pending destroy work before exit_net release Vlastimil Babka <vbabka(a)suse.cz> mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL allocations Ingo Molnar <mingo(a)kernel.org> Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped." Alex Williamson <alex.williamson(a)redhat.com> vfio/platform: Create persistent IRQ handlers Alex Williamson <alex.williamson(a)redhat.com> vfio/pci: Create persistent INTx handler Alex Williamson <alex.williamson(a)redhat.com> vfio: Introduce interface to flush virqfd inject workqueue Alex Williamson <alex.williamson(a)redhat.com> vfio/pci: Lock external INTx masking ops Alex Williamson <alex.williamson(a)redhat.com> vfio/pci: Disable auto-enable of exclusive INTx IRQ Mahmoud Adam <mngyadam(a)amazon.com> net/rds: fix possible cp null dereference Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: disallow timeout for anonymous sets Bastien Nocera <hadess(a)hadess.net> Bluetooth: Fix TOCTOU in HCI debugfs implementation Hui Wang <hui.wang(a)canonical.com> Bluetooth: hci_event: set the conn encrypted before conn establishes Sandipan Das <sandipan.das(a)amd.com> x86/cpufeatures: Add new word for scattered features Heiner Kallweit <hkallweit1(a)gmail.com> r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d Arnd Bergmann <arnd(a)arndb.de> dm integrity: fix out-of-range warning Eric Dumazet <edumazet(a)google.com> tcp: properly terminate timers for kernel sockets Przemek Kitszel <przemyslaw.kitszel(a)intel.com> ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa() Ryosuke Yasuoka <ryasuoka(a)redhat.com> nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet Alan Stern <stern(a)rowland.harvard.edu> USB: core: Fix deadlock in usb_deauthorize_interface() Muhammad Usama Anjum <usama.anjum(a)collabora.com> scsi: lpfc: Correct size for wqe for memset() Kim Phillips <kim.phillips(a)amd.com> x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled Quinn Tran <qutran(a)marvell.com> scsi: qla2xxx: Fix command flush on cable pull yuan linyu <yuanlinyu(a)hihonor.com> usb: udc: remove warning when queue disabled ep Minas Harutyunyan <Minas.Harutyunyan(a)synopsys.com> usb: dwc2: gadget: LPM flow fix Minas Harutyunyan <Minas.Harutyunyan(a)synopsys.com> usb: dwc2: host: Fix ISOC flow in DDMA mode Minas Harutyunyan <Minas.Harutyunyan(a)synopsys.com> usb: dwc2: host: Fix hibernation flow Minas Harutyunyan <Minas.Harutyunyan(a)synopsys.com> usb: dwc2: host: Fix remote wakeup from hibernation Guilherme G. Piccoli <gpiccoli(a)igalia.com> scsi: core: Fix unremoved procfs host directory regression Duoming Zhou <duoming(a)zju.edu.cn> ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs Oliver Neukum <oneukum(a)suse.com> usb: cdc-wdm: close race between read and workqueue Mikko Rapeli <mikko.rapeli(a)linaro.org> mmc: core: Avoid negative index with array access Mikko Rapeli <mikko.rapeli(a)linaro.org> mmc: core: Initialize mmc_blk_ioc_data Max Filippov <jcmvbkbc(a)gmail.com> exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack() Felix Fietkau <nbd(a)nbd.name> wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes Zi Yan <ziy(a)nvidia.com> mm/migrate: set swap entry values of THP tail pages properly. Liu Shixin <liushixin2(a)huawei.com> mm/memory-failure: fix an incorrect use of tail pages Yangxi Xiang <xyangxi5(a)gmail.com> vt: fix memory overlapping when deleting chars in the buffer Matthew Wilcox (Oracle) <willy(a)infradead.org> bounds: support non-power-of-two CONFIG_NR_CPUS Nathan Chancellor <nathan(a)kernel.org> powerpc: xor_vmx: Add '-mhard-float' to CFLAGS Tim Schumacher <timschumi(a)gmx.de> efivarfs: Request at most 512 bytes for variable names Yang Jihong <yangjihong1(a)huawei.com> perf/core: Fix reentry problem in perf_output_read_group() Zhong Jinghua <zhongjinghua(a)huawei.com> loop: loop_set_status_from_info() check before assignment Siddh Raman Pant <code(a)siddh.me> loop: Check for overflow while configuring loop Martijn Coenen <maco(a)android.com> loop: Factor out configuring loop from status Martijn Coenen <maco(a)android.com> loop: Refactor loop_set_status() size calculation Martijn Coenen <maco(a)android.com> loop: Factor out setting loop device size Martijn Coenen <maco(a)android.com> loop: Remove sector_t truncation checks Martijn Coenen <maco(a)android.com> loop: Call loop_config_discard() only after new config is applied Genjian Zhang <zhanggenjian(a)kylinos.cn> Revert "loop: Check for overflow while configuring loop" Goldwyn Rodrigues <rgoldwyn(a)suse.com> btrfs: allocate btrfs_ioctl_defrag_range_args on stack John Ogness <john.ogness(a)linutronix.de> printk: Update @console_may_schedule in console_trylock_spinning() Maximilian Heyne <mheyne(a)amazon.de> xen/events: close evtchn after mapping cleanup Rui Qi <qirui.001(a)bytedance.com> x86/speculation: Support intra-function call validation Alexandre Chartre <alexandre.chartre(a)oracle.com> objtool: Add support for intra-function calls Alexandre Chartre <alexandre.chartre(a)oracle.com> objtool: is_fentry_call() crashes if call has no destination Bart Van Assche <bvanassche(a)acm.org> fs/aio: Check IOCB_AIO_RW before the struct aio_kiocb conversion Nicolas Pitre <nico(a)fluxnic.net> vt: fix unicode buffer corruption when deleting characters Sherry Sun <sherry.sun(a)nxp.com> tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: port: Don't try to peer unused USB ports based on location Krishna Kurapati <quic_kriskura(a)quicinc.com> usb: gadget: ncm: Fix handling of zero block length packets Alan Stern <stern(a)rowland.harvard.edu> USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform Nathan Chancellor <nathan(a)kernel.org> xfrm: Avoid clang fortify warning in copy_to_user_tmpl() Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: reject constant set with timeout Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: disallow anonymous set with timeout flag Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout Ian Abbott <abbotti(a)mev.co.uk> comedi: comedi_test: Prevent timers rescheduling during deletion Mikulas Patocka <mpatocka(a)redhat.com> dm snapshot: fix lockup in dm_exception_table_exit Conrad Kostecki <conikost(a)gentoo.org> ahci: asm1064: asm1166: don't limit reported ports Andrey Jr. Melnikov <temnota.am(a)gmail.com> ahci: asm1064: correct count of reported ports Borislav Petkov (AMD) <bp(a)alien8.de> x86/CPU/AMD: Update the Zenbleed microcode revisions Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: prevent kernel bug at submit_bh_wbc() Joe Perches <joe(a)perches.com> nilfs2: use a more common logging style Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: fix failure to detect DAT corruption in btree and direct mappings Qiang Zhang <qiang4.zhang(a)intel.com> memtest: use {READ,WRITE}_ONCE in memory scanning Jani Nikula <jani.nikula(a)intel.com> drm/vc4: hdmi: do not return negative values from .get_modes() Jani Nikula <jani.nikula(a)intel.com> drm/imx/ipuv3: do not return negative values from .get_modes() Jani Nikula <jani.nikula(a)intel.com> drm/exynos: do not return negative values from .get_modes() Harald Freudenberger <freude(a)linux.ibm.com> s390/zcrypt: fix reference counting on zcrypt card objects Sean Anderson <sean.anderson(a)linux.dev> soc: fsl: qbman: Use raw spinlock for cgr_lock Sean Anderson <sean.anderson(a)seco.com> soc: fsl: qbman: Add CGR update function Sean Anderson <sean.anderson(a)seco.com> soc: fsl: qbman: Add helper for sanity checking cgr ops Sean Anderson <sean.anderson(a)linux.dev> soc: fsl: qbman: Always disable interrupts when taking cgr_lock Steven Rostedt (Google) <rostedt(a)goodmis.org> ring-buffer: Fix full_waiters_pending in poll Steven Rostedt (Google) <rostedt(a)goodmis.org> ring-buffer: Fix resetting of shortest_full Alex Williamson <alex.williamson(a)redhat.com> vfio/platform: Disable virqfds on cleanup Nathan Chancellor <nathan(a)kernel.org> kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1 Samuel Thibault <samuel.thibault(a)ens-lyon.org> speakup: Fix 8bit characters from direct synth Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> slimbus: core: Remove usage of the deprecated ida_simple_xx() API Jerome Brunet <jbrunet(a)baylibre.com> nvmem: meson-efuse: fix function pointer type mismatch Carlo Caione <ccaione(a)baylibre.com> firmware: meson_sm: Rework driver as a proper platform driver Maximilian Heyne <mheyne(a)amazon.de> ext4: fix corruption during on-line resize Josua Mayer <josua(a)solid-run.com> hwmon: (amc6821) add of_match table Dominique Martinet <dominique.martinet(a)atmark-techno.com> mmc: core: Fix switch on gp3 partition Yu Kuai <yukuai3(a)huawei.com> dm-raid: fix lockdep waring in "pers->hot_add_disk" Song Liu <song(a)kernel.org> Revert "Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"" Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PCI/PM: Drain runtime-idle callbacks before driver removal Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> PCI: Drop pci_device_remove() test of pci_dev->driver Filipe Manana <fdmanana(a)suse.com> btrfs: fix off-by-one chunk length calculation at contains_pending_extent() Miklos Szeredi <mszeredi(a)redhat.com> fuse: don't unhash root Max Reitz <mreitz(a)redhat.com> fuse: drop fuse_conn parameter where possible Max Reitz <mreitz(a)redhat.com> fuse: store fuse_conn in fuse_req Wolfram Sang <wsa+renesas(a)sang-engineering.com> mmc: tmio: avoid concurrent runs of mmc_request_done() Qingliang Li <qingliang.li(a)mediatek.com> PM: sleep: wakeirq: fix wake irq warning in system suspend Toru Katagiri <Toru.Katagiri(a)tdk.com> USB: serial: cp210x: add pid/vid for TDK NC0110013M and MM0110113M Aurélien Jacobs <aurel(a)gnuage.org> USB: serial: option: add MeiG Smart SLM320 product Christian Häggström <christian.haggstrom(a)orexplore.com> USB: serial: cp210x: add ID for MGP Instruments PDS100 Cameron Williams <cang1(a)live.co.uk> USB: serial: add device ID for VeriFone adapter Daniel Vogelbacher <daniel(a)chaospixel.com> USB: serial: ftdi_sio: add support for GMC Z216C Adapter IR-USB Michael Ellerman <mpe(a)ellerman.id.au> powerpc/fsl: Fix mfpmr build errors with newer binutils Gabor Juhos <j4g8y7(a)gmail.com> clk: qcom: mmcc-msm8974: fix terminating of frequency table arrays Gabor Juhos <j4g8y7(a)gmail.com> clk: qcom: mmcc-apq8084: fix terminating of frequency table arrays Gabor Juhos <j4g8y7(a)gmail.com> clk: qcom: gcc-ipq8074: fix terminating of frequency table arrays Maulik Shah <quic_mkshah(a)quicinc.com> PM: suspend: Set mem_sleep_current during kernel command line setup Guenter Roeck <linux(a)roeck-us.net> parisc: Strip upper 32 bit of sum in csum_ipv6_magic for 64-bit builds Guenter Roeck <linux(a)roeck-us.net> parisc: Fix csum_ipv6_magic on 64-bit systems Guenter Roeck <linux(a)roeck-us.net> parisc: Fix csum_ipv6_magic on 32-bit systems Guenter Roeck <linux(a)roeck-us.net> parisc: Fix ip_fast_csum Helge Deller <deller(a)gmx.de> parisc: Do not hardcode registers in checksum functions Arseniy Krasnov <avkrasnov(a)salutedevices.com> mtd: rawnand: meson: fix scrambling mode value in command macro Zhang Yi <yi.zhang(a)huawei.com> ubi: correct the calculation of fastmap size Richard Weinberger <richard(a)nod.at> ubi: Check for too small LEB size in VTBL code Matthew Wilcox (Oracle) <willy(a)infradead.org> ubifs: Set page uptodate in the correct place Jan Kara <jack(a)suse.cz> fat: fix uninitialized field in nostale filehandles Baokun Li <libaokun1(a)huawei.com> ext4: correct best extent lstart adjustment logic SeongJae Park <sj(a)kernel.org> selftests/mqueue: Set timeout to 180 seconds Damian Muszynski <damian.muszynski(a)intel.com> crypto: qat - resolve race condition during AER recovery Svyatoslav Pankratov <svyatoslav.pankratov(a)intel.com> crypto: qat - fix double free during reset Randy Dunlap <rdunlap(a)infradead.org> sparc: vDSO: fix return value of __setup handler Randy Dunlap <rdunlap(a)infradead.org> sparc64: NMI watchdog: fix return value of __setup handler Sean Christopherson <seanjc(a)google.com> KVM: Always flush async #PF workqueue when vCPU is being destroyed Gui-Dong Han <2045gemini(a)gmail.com> media: xc4000: Fix atomicity violation in xc4000_get_frequency Hugo Villeneuve <hvilleneuve(a)dimonoff.com> serial: max310x: fix NULL pointer dereference in I2C instantiation Duje Mihanović <duje.mihanovic(a)skole.hr> arm: dts: marvell: Fix maxium->maxim typo in brownstone dts Lubomir Rintel <lkundrak(a)v3.sk> ARM: dts: mmp2-brownstone: Don't redeclare phandle references Roberto Sassu <roberto.sassu(a)huawei.com> smack: Handle SMACK64TRANSMUTE in smack_inode_setsecurity() Roberto Sassu <roberto.sassu(a)huawei.com> smack: Set SMACK64TRANSMUTE only for dirs in smack_inode_setxattr() Amit Pundir <amit.pundir(a)linaro.org> clk: qcom: gcc-sdm845: Add soft dependency on rpmhpd Hidenori Kobayashi <hidenorik(a)chromium.org> media: staging: ipu3-imgu: Set fields before media_entity_pads_init() Zheng Wang <zyytlz.wz(a)163.com> wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach Thomas Gleixner <tglx(a)linutronix.de> timers: Rename del_timer_sync() to timer_delete_sync() Thomas Gleixner <tglx(a)linutronix.de> timers: Use del_timer_sync() even on UP Thomas Gleixner <tglx(a)linutronix.de> timers: Update kernel-doc for various functions Borislav Petkov <bp(a)suse.de> x86/bugs: Use sysfs_emit() Kim Phillips <kim.phillips(a)amd.com> x86/cpu: Support AMD Automatic IBRS Lin Yujun <linyujun809(a)huawei.com> Documentation/hw-vuln: Update spectre doc ------------- Diffstat: Documentation/admin-guide/hw-vuln/spectre.rst | 18 +- Documentation/admin-guide/kernel-parameters.txt | 6 +- Makefile | 4 +- arch/arm/boot/dts/mmp2-brownstone.dts | 330 ++++++++++----------- arch/arm64/boot/dts/rockchip/rk3328.dtsi | 11 +- arch/arm64/boot/dts/rockchip/rk3399.dtsi | 12 +- arch/parisc/include/asm/checksum.h | 107 +++---- arch/powerpc/include/asm/reg_fsl_emb.h | 11 +- arch/powerpc/lib/Makefile | 2 +- arch/s390/kernel/entry.S | 1 + arch/sparc/kernel/nmi.c | 2 +- arch/sparc/vdso/vma.c | 7 +- arch/x86/include/asm/cpufeature.h | 6 +- arch/x86/include/asm/cpufeatures.h | 4 +- arch/x86/include/asm/disabled-features.h | 3 +- arch/x86/include/asm/mmu_context.h | 9 + arch/x86/include/asm/msr-index.h | 2 + arch/x86/include/asm/nospec-branch.h | 7 + arch/x86/include/asm/required-features.h | 3 +- arch/x86/include/asm/unwind_hints.h | 2 +- arch/x86/kernel/cpu/amd.c | 10 +- arch/x86/kernel/cpu/bugs.c | 117 ++++---- arch/x86/kernel/cpu/common.c | 19 +- arch/x86/kernel/cpu/mce/core.c | 4 +- arch/x86/mm/ident_map.c | 23 +- arch/x86/mm/pat.c | 50 +++- block/blk-stat.c | 2 +- drivers/acpi/sleep.c | 12 - drivers/ata/ahci.c | 5 - drivers/ata/sata_mv.c | 63 ++-- drivers/ata/sata_sx4.c | 6 +- drivers/base/power/wakeirq.c | 4 +- drivers/block/loop.c | 187 +++++++----- drivers/bluetooth/btintel.c | 2 +- drivers/clk/qcom/gcc-ipq8074.c | 2 + drivers/clk/qcom/gcc-sdm845.c | 1 + drivers/clk/qcom/mmcc-apq8084.c | 2 + drivers/clk/qcom/mmcc-msm8974.c | 2 + drivers/crypto/qat/qat_common/adf_aer.c | 23 +- drivers/firmware/efi/vars.c | 17 +- drivers/firmware/meson/meson_sm.c | 96 ++++-- .../gpu/drm/amd/display/modules/inc/mod_stats.h | 4 +- drivers/gpu/drm/exynos/exynos_drm_vidi.c | 4 +- drivers/gpu/drm/exynos/exynos_hdmi.c | 4 +- drivers/gpu/drm/i915/gt/intel_engine_pm.c | 3 - drivers/gpu/drm/i915/gt/intel_lrc.c | 3 + drivers/gpu/drm/imx/parallel-display.c | 4 +- drivers/gpu/drm/vc4/vc4_hdmi.c | 2 +- drivers/gpu/drm/vkms/vkms_drv.c | 2 +- drivers/hwmon/amc6821.c | 11 + drivers/input/rmi4/rmi_driver.c | 6 +- drivers/md/dm-integrity.c | 2 +- drivers/md/dm-raid.c | 2 + drivers/md/dm-snap.c | 4 +- drivers/md/raid5.c | 12 + drivers/media/pci/sta2x11/sta2x11_vip.c | 9 +- drivers/media/tuners/xc4000.c | 4 +- drivers/misc/vmw_vmci/vmci_datagram.c | 6 +- drivers/mmc/core/block.c | 14 +- drivers/mmc/host/tmio_mmc_core.c | 2 + drivers/mtd/nand/raw/meson_nand.c | 2 +- drivers/mtd/ubi/fastmap.c | 7 +- drivers/mtd/ubi/vtbl.c | 6 + drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 34 +-- drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 16 +- drivers/net/ethernet/pensando/ionic/ionic_lif.c | 5 +- drivers/net/ethernet/realtek/r8169_main.c | 9 + drivers/net/ethernet/renesas/ravb_main.c | 7 +- drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 40 ++- .../net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 38 ++- drivers/net/wireless/ath/ath9k/antenna.c | 2 +- .../broadcom/brcm80211/brcmfmac/cfg80211.c | 4 +- drivers/nvmem/meson-efuse.c | 43 ++- drivers/pci/pci-driver.c | 23 +- drivers/s390/crypto/zcrypt_api.c | 2 + drivers/scsi/hosts.c | 7 +- drivers/scsi/lpfc/lpfc_nportdisc.c | 6 +- drivers/scsi/lpfc/lpfc_nvmet.c | 2 +- drivers/scsi/myrb.c | 20 +- drivers/scsi/myrs.c | 24 +- drivers/scsi/qla2xxx/qla_target.c | 10 + drivers/slimbus/core.c | 4 +- drivers/soc/fsl/qbman/qman.c | 98 ++++-- drivers/staging/comedi/drivers/comedi_test.c | 30 +- drivers/staging/media/ipu3/ipu3-v4l2.c | 16 +- drivers/staging/speakup/synth.c | 4 +- .../vc04_services/bcm2835-camera/mmal-vchiq.c | 40 ++- .../vc04_services/bcm2835-camera/mmal-vchiq.h | 2 + drivers/tty/n_gsm.c | 3 + drivers/tty/serial/fsl_lpuart.c | 7 +- drivers/tty/serial/max310x.c | 7 +- drivers/tty/vt/vt.c | 4 +- drivers/usb/class/cdc-wdm.c | 6 +- drivers/usb/core/port.c | 5 +- drivers/usb/core/sysfs.c | 16 +- drivers/usb/dwc2/core.h | 14 + drivers/usb/dwc2/core_intr.c | 63 ++-- drivers/usb/dwc2/gadget.c | 4 + drivers/usb/dwc2/hcd.c | 47 ++- drivers/usb/dwc2/hcd_ddma.c | 17 +- drivers/usb/dwc2/hw.h | 2 +- drivers/usb/gadget/function/f_ncm.c | 2 +- drivers/usb/gadget/udc/core.c | 4 +- drivers/usb/host/sl811-hcd.c | 2 + drivers/usb/serial/cp210x.c | 4 + drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 6 + drivers/usb/serial/option.c | 6 + drivers/usb/storage/isd200.c | 23 +- drivers/usb/typec/tcpm/tcpci.c | 1 + drivers/vfio/pci/vfio_pci_intrs.c | 188 +++++++----- drivers/vfio/platform/vfio_platform_irq.c | 106 ++++--- drivers/vfio/virqfd.c | 21 ++ drivers/video/fbdev/core/fbmon.c | 7 +- drivers/video/fbdev/via/accel.c | 4 +- drivers/virtio/virtio.c | 10 +- drivers/xen/events/events_base.c | 5 +- fs/aio.c | 8 +- fs/btrfs/export.c | 9 +- fs/btrfs/ioctl.c | 25 +- fs/btrfs/send.c | 10 +- fs/btrfs/volumes.c | 14 +- fs/exec.c | 1 + fs/ext4/mballoc.c | 17 +- fs/ext4/resize.c | 3 +- fs/fat/nfs.c | 6 + fs/fuse/dev.c | 83 +++--- fs/fuse/fuse_i.h | 6 +- fs/fuse/inode.c | 7 +- fs/fuse/virtio_fs.c | 8 +- fs/isofs/inode.c | 18 +- fs/nilfs2/alloc.c | 38 +-- fs/nilfs2/btree.c | 51 ++-- fs/nilfs2/cpfile.c | 10 +- fs/nilfs2/dat.c | 14 +- fs/nilfs2/direct.c | 23 +- fs/nilfs2/gcinode.c | 2 +- fs/nilfs2/ifile.c | 4 +- fs/nilfs2/inode.c | 31 +- fs/nilfs2/ioctl.c | 37 ++- fs/nilfs2/mdt.c | 2 +- fs/nilfs2/namei.c | 6 +- fs/nilfs2/nilfs.h | 9 + fs/nilfs2/page.c | 11 +- fs/nilfs2/recovery.c | 32 +- fs/nilfs2/segbuf.c | 2 +- fs/nilfs2/segment.c | 38 +-- fs/nilfs2/sufile.c | 29 +- fs/nilfs2/super.c | 57 ++-- fs/nilfs2/sysfs.c | 29 +- fs/nilfs2/the_nilfs.c | 85 +++--- fs/open.c | 38 ++- fs/sysv/itree.c | 10 +- fs/ubifs/file.c | 13 +- include/linux/firmware/meson/meson_sm.h | 15 +- include/linux/frame.h | 11 + include/linux/fs.h | 3 + include/linux/gfp.h | 9 + include/linux/sunrpc/sched.h | 2 +- include/linux/timer.h | 18 +- include/linux/vfio.h | 2 + include/net/erspan.h | 19 +- include/net/inet_connection_sock.h | 1 + include/net/sock.h | 7 + include/soc/fsl/qman.h | 9 + include/uapi/linux/input-event-codes.h | 1 + init/initramfs.c | 45 +-- kernel/bounds.c | 2 +- kernel/events/core.c | 9 + kernel/panic.c | 8 + kernel/power/suspend.c | 1 + kernel/printk/printk.c | 6 + kernel/time/timer.c | 160 ++++++---- kernel/trace/ring_buffer.c | 51 +++- mm/compaction.c | 7 +- mm/memory-failure.c | 2 +- mm/memory.c | 4 + mm/memtest.c | 4 +- mm/migrate.c | 6 +- mm/page_alloc.c | 10 +- mm/vmscan.c | 5 +- net/batman-adv/distributed-arp-table.c | 3 +- net/batman-adv/main.c | 14 +- net/bluetooth/hci_debugfs.c | 64 ++-- net/bluetooth/hci_event.c | 25 ++ net/core/sock_map.c | 6 + net/ipv4/inet_connection_sock.c | 14 + net/ipv4/ip_gre.c | 104 +++++-- net/ipv4/tcp.c | 2 + net/ipv6/ip6_fib.c | 14 +- net/ipv6/ip6_gre.c | 3 + net/mac80211/cfg.c | 5 +- net/netfilter/nf_tables_api.c | 74 ++++- net/nfc/nci/core.c | 5 + net/rds/rdma.c | 2 +- net/sched/act_skbmod.c | 10 +- net/xfrm/xfrm_user.c | 3 + scripts/Makefile.extrawarn | 2 + security/smack/smack_lsm.c | 12 +- sound/pci/hda/patch_realtek.c | 9 +- sound/sh/aica.c | 17 +- sound/soc/soc-ops.c | 2 +- tools/iio/iio_utils.c | 2 +- tools/objtool/Documentation/stack-validation.txt | 8 + tools/objtool/arch/x86/decode.c | 6 + tools/objtool/check.c | 64 +++- .../x86_energy_perf_policy.c | 1 + tools/testing/ktest/ktest.pl | 1 + tools/testing/selftests/mqueue/setting | 1 + tools/testing/selftests/net/reuseaddr_conflict.c | 2 +- virt/kvm/async_pf.c | 31 +- 211 files changed, 2599 insertions(+), 1489 deletions(-)

8 months, 2 weeks

9
228
0 0

FAILED: patch "[PATCH] Squashfs: check the inode number is not the invalid value of" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x 9253c54e01b6505d348afbc02abaa4d9f8a01395 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024042310-nylon-condense-e215@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: 9253c54e01b6 ("Squashfs: check the inode number is not the invalid value of zero") a1f13ed8c748 ("squashfs: convert to new timestamp accessors") 280345d0d03b ("squashfs: convert to ctime accessor functions") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9253c54e01b6505d348afbc02abaa4d9f8a01395 Mon Sep 17 00:00:00 2001 From: Phillip Lougher <phillip(a)squashfs.org.uk> Date: Mon, 8 Apr 2024 23:02:06 +0100 Subject: [PATCH] Squashfs: check the inode number is not the invalid value of zero Syskiller has produced an out of bounds access in fill_meta_index(). That out of bounds access is ultimately caused because the inode has an inode number with the invalid value of zero, which was not checked. The reason this causes the out of bounds access is due to following sequence of events: 1. Fill_meta_index() is called to allocate (via empty_meta_index()) and fill a metadata index. It however suffers a data read error and aborts, invalidating the newly returned empty metadata index. It does this by setting the inode number of the index to zero, which means unused (zero is not a valid inode number). 2. When fill_meta_index() is subsequently called again on another read operation, locate_meta_index() returns the previous index because it matches the inode number of 0. Because this index has been returned it is expected to have been filled, and because it hasn't been, an out of bounds access is performed. This patch adds a sanity check which checks that the inode number is not zero when the inode is created and returns -EINVAL if it is. [phillip(a)squashfs.org.uk: whitespace fix] Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk Link: https://lkml.kernel.org/r/20240408220206.435788-1-phillip@squashfs.org.uk Signed-off-by: Phillip Lougher <phillip(a)squashfs.org.uk> Reported-by: "Ubisectech Sirius" <bugreport(a)ubisectech.com> Closes: https://lore.kernel.org/lkml/87f5c007-b8a5-41ae-8b57-431e924c5915.bugreport… Cc: Christian Brauner <brauner(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c index aa3411354e66..16bd693d0b3a 100644 --- a/fs/squashfs/inode.c +++ b/fs/squashfs/inode.c @@ -48,6 +48,10 @@ static int squashfs_new_inode(struct super_block *sb, struct inode *inode, gid_t i_gid; int err; + inode->i_ino = le32_to_cpu(sqsh_ino->inode_number); + if (inode->i_ino == 0) + return -EINVAL; + err = squashfs_get_id(sb, le16_to_cpu(sqsh_ino->uid), &i_uid); if (err) return err; @@ -58,7 +62,6 @@ static int squashfs_new_inode(struct super_block *sb, struct inode *inode, i_uid_write(inode, i_uid); i_gid_write(inode, i_gid); - inode->i_ino = le32_to_cpu(sqsh_ino->inode_number); inode_set_mtime(inode, le32_to_cpu(sqsh_ino->mtime), 0); inode_set_atime(inode, inode_get_mtime_sec(inode), 0); inode_set_ctime(inode, inode_get_mtime_sec(inode), 0);

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] Squashfs: check the inode number is not the invalid value of" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x 9253c54e01b6505d348afbc02abaa4d9f8a01395 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024042308-reassign-skylight-6cfd@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: 9253c54e01b6 ("Squashfs: check the inode number is not the invalid value of zero") a1f13ed8c748 ("squashfs: convert to new timestamp accessors") 280345d0d03b ("squashfs: convert to ctime accessor functions") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9253c54e01b6505d348afbc02abaa4d9f8a01395 Mon Sep 17 00:00:00 2001 From: Phillip Lougher <phillip(a)squashfs.org.uk> Date: Mon, 8 Apr 2024 23:02:06 +0100 Subject: [PATCH] Squashfs: check the inode number is not the invalid value of zero Syskiller has produced an out of bounds access in fill_meta_index(). That out of bounds access is ultimately caused because the inode has an inode number with the invalid value of zero, which was not checked. The reason this causes the out of bounds access is due to following sequence of events: 1. Fill_meta_index() is called to allocate (via empty_meta_index()) and fill a metadata index. It however suffers a data read error and aborts, invalidating the newly returned empty metadata index. It does this by setting the inode number of the index to zero, which means unused (zero is not a valid inode number). 2. When fill_meta_index() is subsequently called again on another read operation, locate_meta_index() returns the previous index because it matches the inode number of 0. Because this index has been returned it is expected to have been filled, and because it hasn't been, an out of bounds access is performed. This patch adds a sanity check which checks that the inode number is not zero when the inode is created and returns -EINVAL if it is. [phillip(a)squashfs.org.uk: whitespace fix] Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk Link: https://lkml.kernel.org/r/20240408220206.435788-1-phillip@squashfs.org.uk Signed-off-by: Phillip Lougher <phillip(a)squashfs.org.uk> Reported-by: "Ubisectech Sirius" <bugreport(a)ubisectech.com> Closes: https://lore.kernel.org/lkml/87f5c007-b8a5-41ae-8b57-431e924c5915.bugreport… Cc: Christian Brauner <brauner(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c index aa3411354e66..16bd693d0b3a 100644 --- a/fs/squashfs/inode.c +++ b/fs/squashfs/inode.c @@ -48,6 +48,10 @@ static int squashfs_new_inode(struct super_block *sb, struct inode *inode, gid_t i_gid; int err; + inode->i_ino = le32_to_cpu(sqsh_ino->inode_number); + if (inode->i_ino == 0) + return -EINVAL; + err = squashfs_get_id(sb, le16_to_cpu(sqsh_ino->uid), &i_uid); if (err) return err; @@ -58,7 +62,6 @@ static int squashfs_new_inode(struct super_block *sb, struct inode *inode, i_uid_write(inode, i_uid); i_gid_write(inode, i_gid); - inode->i_ino = le32_to_cpu(sqsh_ino->inode_number); inode_set_mtime(inode, le32_to_cpu(sqsh_ino->mtime), 0); inode_set_atime(inode, inode_get_mtime_sec(inode), 0); inode_set_ctime(inode, inode_get_mtime_sec(inode), 0);

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] Squashfs: check the inode number is not the invalid value of" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 9253c54e01b6505d348afbc02abaa4d9f8a01395 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024042302-prepaid-rural-046c@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: 9253c54e01b6 ("Squashfs: check the inode number is not the invalid value of zero") a1f13ed8c748 ("squashfs: convert to new timestamp accessors") 280345d0d03b ("squashfs: convert to ctime accessor functions") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9253c54e01b6505d348afbc02abaa4d9f8a01395 Mon Sep 17 00:00:00 2001 From: Phillip Lougher <phillip(a)squashfs.org.uk> Date: Mon, 8 Apr 2024 23:02:06 +0100 Subject: [PATCH] Squashfs: check the inode number is not the invalid value of zero Syskiller has produced an out of bounds access in fill_meta_index(). That out of bounds access is ultimately caused because the inode has an inode number with the invalid value of zero, which was not checked. The reason this causes the out of bounds access is due to following sequence of events: 1. Fill_meta_index() is called to allocate (via empty_meta_index()) and fill a metadata index. It however suffers a data read error and aborts, invalidating the newly returned empty metadata index. It does this by setting the inode number of the index to zero, which means unused (zero is not a valid inode number). 2. When fill_meta_index() is subsequently called again on another read operation, locate_meta_index() returns the previous index because it matches the inode number of 0. Because this index has been returned it is expected to have been filled, and because it hasn't been, an out of bounds access is performed. This patch adds a sanity check which checks that the inode number is not zero when the inode is created and returns -EINVAL if it is. [phillip(a)squashfs.org.uk: whitespace fix] Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk Link: https://lkml.kernel.org/r/20240408220206.435788-1-phillip@squashfs.org.uk Signed-off-by: Phillip Lougher <phillip(a)squashfs.org.uk> Reported-by: "Ubisectech Sirius" <bugreport(a)ubisectech.com> Closes: https://lore.kernel.org/lkml/87f5c007-b8a5-41ae-8b57-431e924c5915.bugreport… Cc: Christian Brauner <brauner(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c index aa3411354e66..16bd693d0b3a 100644 --- a/fs/squashfs/inode.c +++ b/fs/squashfs/inode.c @@ -48,6 +48,10 @@ static int squashfs_new_inode(struct super_block *sb, struct inode *inode, gid_t i_gid; int err; + inode->i_ino = le32_to_cpu(sqsh_ino->inode_number); + if (inode->i_ino == 0) + return -EINVAL; + err = squashfs_get_id(sb, le16_to_cpu(sqsh_ino->uid), &i_uid); if (err) return err; @@ -58,7 +62,6 @@ static int squashfs_new_inode(struct super_block *sb, struct inode *inode, i_uid_write(inode, i_uid); i_gid_write(inode, i_gid); - inode->i_ino = le32_to_cpu(sqsh_ino->inode_number); inode_set_mtime(inode, le32_to_cpu(sqsh_ino->mtime), 0); inode_set_atime(inode, inode_get_mtime_sec(inode), 0); inode_set_ctime(inode, inode_get_mtime_sec(inode), 0);

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] Squashfs: check the inode number is not the invalid value of" failed to apply to 5.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y git checkout FETCH_HEAD git cherry-pick -x 9253c54e01b6505d348afbc02abaa4d9f8a01395 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024042357-second-squishier-5617@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^.. Possible dependencies: 9253c54e01b6 ("Squashfs: check the inode number is not the invalid value of zero") a1f13ed8c748 ("squashfs: convert to new timestamp accessors") 280345d0d03b ("squashfs: convert to ctime accessor functions") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9253c54e01b6505d348afbc02abaa4d9f8a01395 Mon Sep 17 00:00:00 2001 From: Phillip Lougher <phillip(a)squashfs.org.uk> Date: Mon, 8 Apr 2024 23:02:06 +0100 Subject: [PATCH] Squashfs: check the inode number is not the invalid value of zero Syskiller has produced an out of bounds access in fill_meta_index(). That out of bounds access is ultimately caused because the inode has an inode number with the invalid value of zero, which was not checked. The reason this causes the out of bounds access is due to following sequence of events: 1. Fill_meta_index() is called to allocate (via empty_meta_index()) and fill a metadata index. It however suffers a data read error and aborts, invalidating the newly returned empty metadata index. It does this by setting the inode number of the index to zero, which means unused (zero is not a valid inode number). 2. When fill_meta_index() is subsequently called again on another read operation, locate_meta_index() returns the previous index because it matches the inode number of 0. Because this index has been returned it is expected to have been filled, and because it hasn't been, an out of bounds access is performed. This patch adds a sanity check which checks that the inode number is not zero when the inode is created and returns -EINVAL if it is. [phillip(a)squashfs.org.uk: whitespace fix] Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk Link: https://lkml.kernel.org/r/20240408220206.435788-1-phillip@squashfs.org.uk Signed-off-by: Phillip Lougher <phillip(a)squashfs.org.uk> Reported-by: "Ubisectech Sirius" <bugreport(a)ubisectech.com> Closes: https://lore.kernel.org/lkml/87f5c007-b8a5-41ae-8b57-431e924c5915.bugreport… Cc: Christian Brauner <brauner(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c index aa3411354e66..16bd693d0b3a 100644 --- a/fs/squashfs/inode.c +++ b/fs/squashfs/inode.c @@ -48,6 +48,10 @@ static int squashfs_new_inode(struct super_block *sb, struct inode *inode, gid_t i_gid; int err; + inode->i_ino = le32_to_cpu(sqsh_ino->inode_number); + if (inode->i_ino == 0) + return -EINVAL; + err = squashfs_get_id(sb, le16_to_cpu(sqsh_ino->uid), &i_uid); if (err) return err; @@ -58,7 +62,6 @@ static int squashfs_new_inode(struct super_block *sb, struct inode *inode, i_uid_write(inode, i_uid); i_gid_write(inode, i_gid); - inode->i_ino = le32_to_cpu(sqsh_ino->inode_number); inode_set_mtime(inode, le32_to_cpu(sqsh_ino->mtime), 0); inode_set_atime(inode, inode_get_mtime_sec(inode), 0); inode_set_ctime(inode, inode_get_mtime_sec(inode), 0);

8 months, 2 weeks

1
0
0 0

FAILED: patch "[PATCH] Squashfs: check the inode number is not the invalid value of" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 9253c54e01b6505d348afbc02abaa4d9f8a01395 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024042355-elk-rumor-538b@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: 9253c54e01b6 ("Squashfs: check the inode number is not the invalid value of zero") a1f13ed8c748 ("squashfs: convert to new timestamp accessors") 280345d0d03b ("squashfs: convert to ctime accessor functions") thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 9253c54e01b6505d348afbc02abaa4d9f8a01395 Mon Sep 17 00:00:00 2001 From: Phillip Lougher <phillip(a)squashfs.org.uk> Date: Mon, 8 Apr 2024 23:02:06 +0100 Subject: [PATCH] Squashfs: check the inode number is not the invalid value of zero Syskiller has produced an out of bounds access in fill_meta_index(). That out of bounds access is ultimately caused because the inode has an inode number with the invalid value of zero, which was not checked. The reason this causes the out of bounds access is due to following sequence of events: 1. Fill_meta_index() is called to allocate (via empty_meta_index()) and fill a metadata index. It however suffers a data read error and aborts, invalidating the newly returned empty metadata index. It does this by setting the inode number of the index to zero, which means unused (zero is not a valid inode number). 2. When fill_meta_index() is subsequently called again on another read operation, locate_meta_index() returns the previous index because it matches the inode number of 0. Because this index has been returned it is expected to have been filled, and because it hasn't been, an out of bounds access is performed. This patch adds a sanity check which checks that the inode number is not zero when the inode is created and returns -EINVAL if it is. [phillip(a)squashfs.org.uk: whitespace fix] Link: https://lkml.kernel.org/r/20240409204723.446925-1-phillip@squashfs.org.uk Link: https://lkml.kernel.org/r/20240408220206.435788-1-phillip@squashfs.org.uk Signed-off-by: Phillip Lougher <phillip(a)squashfs.org.uk> Reported-by: "Ubisectech Sirius" <bugreport(a)ubisectech.com> Closes: https://lore.kernel.org/lkml/87f5c007-b8a5-41ae-8b57-431e924c5915.bugreport… Cc: Christian Brauner <brauner(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c index aa3411354e66..16bd693d0b3a 100644 --- a/fs/squashfs/inode.c +++ b/fs/squashfs/inode.c @@ -48,6 +48,10 @@ static int squashfs_new_inode(struct super_block *sb, struct inode *inode, gid_t i_gid; int err; + inode->i_ino = le32_to_cpu(sqsh_ino->inode_number); + if (inode->i_ino == 0) + return -EINVAL; + err = squashfs_get_id(sb, le16_to_cpu(sqsh_ino->uid), &i_uid); if (err) return err; @@ -58,7 +62,6 @@ static int squashfs_new_inode(struct super_block *sb, struct inode *inode, i_uid_write(inode, i_uid); i_gid_write(inode, i_gid); - inode->i_ino = le32_to_cpu(sqsh_ino->inode_number); inode_set_mtime(inode, le32_to_cpu(sqsh_ino->mtime), 0); inode_set_atime(inode, inode_get_mtime_sec(inode), 0); inode_set_ctime(inode, inode_get_mtime_sec(inode), 0);

8 months, 2 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2024