May 2024 - Linux-stable-mirror

FAILED: patch "[PATCH] tty: n_gsm: fix possible out-of-bounds in gsm0_receive()" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 47388e807f85948eefc403a8a5fdc5b406a65d5a # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2024052537-payday-enjoyably-a5a8@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 47388e807f85948eefc403a8a5fdc5b406a65d5a Mon Sep 17 00:00:00 2001 From: Daniel Starke <daniel.starke(a)siemens.com> Date: Wed, 24 Apr 2024 07:48:41 +0200 Subject: [PATCH] tty: n_gsm: fix possible out-of-bounds in gsm0_receive() Assuming the following: - side A configures the n_gsm in basic option mode - side B sends the header of a basic option mode frame with data length 1 - side A switches to advanced option mode - side B sends 2 data bytes which exceeds gsm->len Reason: gsm->len is not used in advanced option mode. - side A switches to basic option mode - side B keeps sending until gsm0_receive() writes past gsm->buf Reason: Neither gsm->state nor gsm->len have been reset after reconfiguration. Fix this by changing gsm->count to gsm->len comparison from equal to less than. Also add upper limit checks against the constant MAX_MRU in gsm0_receive() and gsm1_receive() to harden against memory corruption of gsm->len and gsm->mru. All other checks remain as we still need to limit the data according to the user configuration and actual payload size. Reported-by: j51569436(a)gmail.com Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218708 Tested-by: j51569436(a)gmail.com Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") Cc: stable(a)vger.kernel.org Signed-off-by: Daniel Starke <daniel.starke(a)siemens.com> Link: https://lore.kernel.org/r/20240424054842.7741-1-daniel.starke@siemens.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c index 4036566febcb..72b82bf1c280 100644 --- a/drivers/tty/n_gsm.c +++ b/drivers/tty/n_gsm.c @@ -2913,7 +2913,10 @@ static void gsm0_receive(struct gsm_mux *gsm, u8 c) break; case GSM_DATA: /* Data */ gsm->buf[gsm->count++] = c; - if (gsm->count == gsm->len) { + if (gsm->count >= MAX_MRU) { + gsm->bad_size++; + gsm->state = GSM_SEARCH; + } else if (gsm->count >= gsm->len) { /* Calculate final FCS for UI frames over all data */ if ((gsm->control & ~PF) != UIH) { gsm->fcs = gsm_fcs_add_block(gsm->fcs, gsm->buf, @@ -3026,7 +3029,7 @@ static void gsm1_receive(struct gsm_mux *gsm, u8 c) gsm->state = GSM_DATA; break; case GSM_DATA: /* Data */ - if (gsm->count > gsm->mru) { /* Allow one for the FCS */ + if (gsm->count > gsm->mru || gsm->count > MAX_MRU) { /* Allow one for the FCS */ gsm->state = GSM_OVERRUN; gsm->bad_size++; } else

1 year, 6 months

1
0
0 0

Linux 6.8.11

by Greg Kroah-Hartman

I'm announcing the release of the 6.8.11 kernel. All users of the 6.8 kernel series must upgrade. The updated 6.8.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.8.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/stable/sysfs-block | 10 + Documentation/admin-guide/hw-vuln/core-scheduling.rst | 4 Documentation/admin-guide/mm/damon/usage.rst | 2 Documentation/sphinx/kernel_include.py | 1 Makefile | 2 block/genhd.c | 15 +- block/partitions/core.c | 5 drivers/android/binder.c | 2 drivers/android/binder_internal.h | 2 drivers/gpu/drm/amd/display/dc/dsc/dc_dsc.c | 7 - drivers/net/ethernet/intel/ice/ice_virtchnl.c | 22 +-- drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 3 drivers/net/ethernet/micrel/ks8851_common.c | 18 -- drivers/net/usb/ax88179_178a.c | 37 +++-- drivers/remoteproc/mtk_scp.c | 10 + drivers/tty/serial/kgdboc.c | 30 ++++ drivers/usb/dwc3/gadget.c | 4 drivers/usb/typec/tipd/core.c | 51 +++++-- drivers/usb/typec/tipd/tps6598x.h | 11 + drivers/usb/typec/ucsi/displayport.c | 4 fs/erofs/internal.h | 7 - fs/erofs/super.c | 124 +++++++----------- include/linux/blkdev.h | 13 + include/net/bluetooth/hci.h | 9 + include/net/bluetooth/hci_core.h | 1 net/bluetooth/hci_conn.c | 71 +++++++--- net/bluetooth/hci_event.c | 31 ++-- net/bluetooth/iso.c | 2 net/bluetooth/l2cap_core.c | 38 +---- net/bluetooth/sco.c | 6 security/keys/trusted-keys/trusted_tpm2.c | 25 ++- 31 files changed, 338 insertions(+), 229 deletions(-) Akira Yokosawa (1): docs: kernel_include.py: Cope with docutils 0.21 AngeloGioacchino Del Regno (1): remoteproc: mediatek: Make sure IPI buffer fits in L2TCM Baokun Li (1): erofs: get rid of erofs_fs_context Carlos Llamas (1): binder: fix max_thread type inconsistency Christian Brauner (1): erofs: reliably distinguish block based and fscache mode Christoph Hellwig (2): block: add a disk_has_partscan helper block: add a partscan sysfs attribute for disks Daniel Thompson (1): serial: kgdboc: Fix NMI-safety problems from keyboard reset code Greg Kroah-Hartman (1): Linux 6.8.11 Heikki Krogerus (1): usb: typec: ucsi: displayport: Fix potential deadlock Jacob Keller (2): ice: pass VSI pointer into ice_vc_isvalid_q_id ice: remove unnecessary duplicate checks for VF VSI ID Jarkko Sakkinen (2): KEYS: trusted: Fix memory leak in tpm2_key_encode() KEYS: trusted: Do not use WARN when encode fails Javier Carrasco (2): usb: typec: tipd: fix event checking for tps25750 usb: typec: tipd: fix event checking for tps6598x Jose Fernandez (1): drm/amd/display: Fix division by zero in setup_dsc_config Jose Ignacio Tornos Martinez (1): net: usb: ax88179_178a: fix link status when link is set to down/up Prashanth K (1): usb: dwc3: Wait unconditionally after issuing EndXfer command Ronald Wahl (1): net: ks8851: Fix another TX stall caused by wrong ISR flag handling SeongJae Park (1): Docs/admin-guide/mm/damon/usage: fix wrong example of DAMOS filter matching sysfs file Sungwoo Kim (2): Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() Thomas Weißschuh (1): admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET

1 year, 6 months

1
1
0 0

Linux 6.6.32

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.32 kernel. All users of the 6.6 kernel series must upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/ABI/stable/sysfs-block | 10 Documentation/admin-guide/hw-vuln/core-scheduling.rst | 4 Documentation/admin-guide/mm/damon/usage.rst | 2 Documentation/sphinx/kernel_include.py | 1 Makefile | 2 block/genhd.c | 15 block/partitions/core.c | 5 drivers/android/binder.c | 2 drivers/android/binder_internal.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 drivers/gpu/drm/amd/display/dc/dsc/dc_dsc.c | 7 drivers/mmc/core/mmc.c | 9 drivers/net/ethernet/intel/ice/ice_virtchnl.c | 22 drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 3 drivers/net/ethernet/micrel/ks8851_common.c | 18 drivers/net/usb/ax88179_178a.c | 37 drivers/remoteproc/mtk_scp.c | 10 drivers/tty/serial/kgdboc.c | 30 drivers/usb/dwc3/gadget.c | 4 drivers/usb/typec/tipd/core.c | 45 drivers/usb/typec/tipd/tps6598x.h | 11 drivers/usb/typec/ucsi/displayport.c | 4 fs/erofs/internal.h | 7 fs/erofs/super.c | 124 - fs/smb/client/Makefile | 2 fs/smb/client/cached_dir.c | 24 fs/smb/client/cifs_debug.c | 38 fs/smb/client/cifsfs.c | 10 fs/smb/client/cifsglob.h | 93 - fs/smb/client/cifsproto.h | 39 fs/smb/client/cifssmb.c | 18 fs/smb/client/connect.c | 57 fs/smb/client/dir.c | 14 fs/smb/client/file.c | 39 fs/smb/client/fs_context.c | 43 fs/smb/client/fs_context.h | 13 fs/smb/client/fscache.c | 7 fs/smb/client/inode.c | 235 +-- fs/smb/client/ioctl.c | 6 fs/smb/client/link.c | 41 fs/smb/client/misc.c | 47 fs/smb/client/ntlmssp.h | 4 fs/smb/client/readdir.c | 32 fs/smb/client/reparse.c | 532 ++++++ fs/smb/client/reparse.h | 113 + fs/smb/client/sess.c | 73 fs/smb/client/smb1ops.c | 80 - fs/smb/client/smb2glob.h | 27 fs/smb/client/smb2inode.c | 1396 +++++++++++------- fs/smb/client/smb2maperror.c | 2 fs/smb/client/smb2misc.c | 10 fs/smb/client/smb2ops.c | 589 ++----- fs/smb/client/smb2pdu.c | 336 +++- fs/smb/client/smb2pdu.h | 46 fs/smb/client/smb2proto.h | 37 fs/smb/client/smb2status.h | 2 fs/smb/client/smb2transport.c | 2 fs/smb/client/smbdirect.c | 4 fs/smb/client/smbencrypt.c | 7 fs/smb/client/trace.h | 137 + fs/smb/common/smb2pdu.h | 116 - fs/smb/common/smbfsctl.h | 6 fs/smb/server/auth.c | 14 fs/smb/server/ksmbd_netlink.h | 36 fs/smb/server/mgmt/user_session.c | 28 fs/smb/server/mgmt/user_session.h | 3 fs/smb/server/misc.c | 1 fs/smb/server/oplock.c | 96 + fs/smb/server/oplock.h | 7 fs/smb/server/smb2misc.c | 26 fs/smb/server/smb2ops.c | 6 fs/smb/server/smb2pdu.c | 338 +++- fs/smb/server/smb2pdu.h | 31 fs/smb/server/transport_tcp.c | 2 fs/smb/server/vfs.c | 28 fs/smb/server/vfs_cache.c | 137 + fs/smb/server/vfs_cache.h | 9 include/linux/blkdev.h | 13 include/linux/bpf_types.h | 3 include/net/bluetooth/hci.h | 9 include/net/bluetooth/hci_core.h | 1 net/bluetooth/hci_conn.c | 71 net/bluetooth/hci_event.c | 31 net/bluetooth/iso.c | 2 net/bluetooth/l2cap_core.c | 38 net/bluetooth/sco.c | 6 security/keys/trusted-keys/trusted_tpm2.c | 25 tools/testing/selftests/kselftest.h | 14 88 files changed, 3907 insertions(+), 1722 deletions(-) Akira Yokosawa (1): docs: kernel_include.py: Cope with docutils 0.21 Alexey Dobriyan (1): smb: client: delete "true", "false" defines AngeloGioacchino Del Regno (1): remoteproc: mediatek: Make sure IPI buffer fits in L2TCM Baokun Li (1): erofs: get rid of erofs_fs_context Bharath SM (2): cifs: defer close file handles having RH lease cifs: remove redundant variable assignment Carlos Llamas (1): binder: fix max_thread type inconsistency Christian Brauner (1): erofs: reliably distinguish block based and fscache mode Christoph Hellwig (2): block: add a disk_has_partscan helper block: add a partscan sysfs attribute for disks Colin Ian King (2): cifs: remove redundant variable tcon_exist ksmbd: Fix spelling mistake "connction" -> "connection" Dan Carpenter (1): smb: client: Fix a NULL vs IS_ERR() check in wsl_set_xattrs() Daniel Thompson (1): serial: kgdboc: Fix NMI-safety problems from keyboard reset code David Howells (2): cifs: Pass unbyteswapped eof value into SMB2_set_eof() cifs: Add tracing for the cifs_tcon struct refcounting Enzo Matsumiya (3): smb: client: negotiate compression algorithms smb: common: fix fields sizes in compression_pattern_payload_v1 smb: common: simplify compression headers Eric Biggers (1): smb: use crypto_shash_digest() in symlink_hash() Greg Kroah-Hartman (1): Linux 6.6.32 Gustavo A. R. Silva (1): smb: smb2pdu.h: Avoid -Wflex-array-member-not-at-end warnings Heikki Krogerus (1): usb: typec: ucsi: displayport: Fix potential deadlock Jacob Keller (2): ice: pass VSI pointer into ice_vc_isvalid_q_id ice: remove unnecessary duplicate checks for VF VSI ID Jarkko Sakkinen (2): KEYS: trusted: Fix memory leak in tpm2_key_encode() KEYS: trusted: Do not use WARN when encode fails Javier Carrasco (1): usb: typec: tipd: fix event checking for tps6598x Jiri Olsa (1): bpf: Add missing BPF_LINK_TYPE invocations Jose Fernandez (1): drm/amd/display: Fix division by zero in setup_dsc_config Jose Ignacio Tornos Martinez (1): net: usb: ax88179_178a: fix link status when link is set to down/up Marios Makassikis (1): ksmbd: fix possible null-deref in smb_lazy_parent_lease_break_close Mark Brown (1): kselftest: Add a ksft_perror() helper Markus Elfring (1): smb3: Improve exception handling in allocate_mr_list() Meetakshi Setiya (4): cifs: Add client version details to NTLM authenticate message smb: client: reuse file lease key in compound operations smb: client: retry compound request without reusing lease cifs: fixes for get_inode_info Mengqi Zhang (1): mmc: core: Add HS400 tuning in HS400es initialization Namjae Jeon (5): ksmbd: mark SMB2_SESSION_EXPIRED to session when destroying previous session ksmbd: add support for durable handles v1/v2 ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16() ksmbd: fix potencial out-of-bounds when buffer offset is invalid ksmbd: add continuous availability share parameter Paulo Alcantara (17): smb: client: allow creating symlinks via reparse points smb: client: cleanup smb2_query_reparse_point() smb: client: handle special files and symlinks in SMB3 POSIX cifs: get rid of dup length check in parse_reparse_point() smb: client: don't clobber ->i_rdev from cached reparse points smb: client: handle path separator of created SMB symlinks smb: client: get rid of smb311_posix_query_path_info() smb: client: introduce reparse mount option smb: client: move most of reparse point handling code to common file smb: client: fix potential broken compound request smb: client: reduce number of parameters in smb2_compound_op() smb: client: add support for WSL reparse points smb: client: parse uid, gid, mode and dev from WSL reparse points smb: client: set correct d_type for reparse DFS/DFSR and mount point smb: client: return reparse type in /proc/mounts smb: client: fix NULL ptr deref in cifs_mark_open_handles_for_deleted_file() smb: client: instantiate when creating SFU files Pierre Mariani (1): smb: client: Fix minor whitespace errors and warnings Prashanth K (1): usb: dwc3: Wait unconditionally after issuing EndXfer command Randy Dunlap (2): ksmbd: auth: fix most kernel-doc warnings ksmbd: vfs: fix all kernel-doc warnings Ritvik Budhiraja (1): cifs: fix use after free for iface while disabling secondary channels Ronald Wahl (1): net: ks8851: Fix another TX stall caused by wrong ISR flag handling SeongJae Park (1): Docs/admin-guide/mm/damon/usage: fix wrong example of DAMOS filter matching sysfs file Shyam Prasad N (6): cifs: print server capabilities in DebugData cifs: pick channel for tcon and tdis cifs: new nt status codes from MS-SMB2 cifs: new mount option called retrans cifs: commands that are retried should have replay flag set cifs: set replay flag for retries of write command Srinivasan Shanmugam (1): drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() Steve French (23): SMB3: clarify some of the unused CreateOption flags Add definition for new smb3.1.1 command type smb3: minor RDMA cleanup smb3: more minor cleanups for session handling routines smb3: minor cleanup of session handling code Missing field not being returned in ioctl CIFS_IOC_GET_MNT_INFO smb: client: introduce cifs_sfu_make_node() smb: client: extend smb2_compound_op() to accept more commands smb: client: allow creating special files via reparse points smb: client: optimise reparse point querying cifs: fix in logging in cifs_chan_update_iface cifs: remove unneeded return statement cifs: minor comment cleanup cifs: update the same create_guid on replay smb3: update allocation size more accurately on write completion smb: client: parse owner/group when creating reparse points smb: client: do not defer close open handles to deleted files smb: client: introduce SMB2_OP_QUERY_WSL_EA smb3: add dynamic trace point for ioctls cifs: Move some extern decls from .c files to .h smb311: correct incorrect offset field in compression header smb311: additional compression flag defined in updated protocol spec smb3: add trace event for mknod Sungwoo Kim (2): Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect() Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() Thomas Weißschuh (1): admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET Yang Li (2): smb: Fix some kernel-doc comments ksmbd: Add kernel-doc for ksmbd_extract_sharename() function

1 year, 6 months

1
1
0 0

Linux 6.1.92

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.92 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/admin-guide/hw-vuln/core-scheduling.rst | 4 Documentation/sphinx/kernel_include.py | 1 Makefile | 2 arch/arm64/Kconfig | 1 arch/arm64/include/asm/lse.h | 1 drivers/android/binder.c | 2 drivers/android/binder_internal.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 drivers/gpu/drm/amd/display/dc/dsc/dc_dsc.c | 7 drivers/mfd/stpmic1.c | 5 drivers/mmc/core/mmc.c | 9 drivers/net/ethernet/intel/ice/ice_virtchnl.c | 22 - drivers/net/ethernet/intel/ice/ice_virtchnl_fdir.c | 3 drivers/net/ethernet/micrel/ks8851_common.c | 18 - drivers/net/usb/ax88179_178a.c | 37 +- drivers/pinctrl/core.c | 14 drivers/remoteproc/mtk_scp.c | 10 drivers/tty/serial/kgdboc.c | 30 ++ drivers/usb/dwc3/gadget.c | 4 drivers/usb/typec/tipd/core.c | 45 ++- drivers/usb/typec/tipd/tps6598x.h | 11 drivers/usb/typec/ucsi/displayport.c | 4 fs/iomap/buffered-io.c | 254 +++++++++++++++++- fs/iomap/iter.c | 19 + fs/nfs/callback.c | 9 fs/nfsd/nfs4proc.c | 5 fs/nfsd/nfssvc.c | 12 fs/xfs/libxfs/xfs_bmap.c | 8 fs/xfs/libxfs/xfs_errortag.h | 12 fs/xfs/libxfs/xfs_refcount.c | 146 +++++++++- fs/xfs/libxfs/xfs_sb.c | 7 fs/xfs/xfs_aops.c | 37 +- fs/xfs/xfs_bmap_util.c | 10 fs/xfs/xfs_bmap_util.h | 2 fs/xfs/xfs_buf.c | 1 fs/xfs/xfs_buf_item.c | 2 fs/xfs/xfs_error.c | 27 + fs/xfs/xfs_file.c | 2 fs/xfs/xfs_fsops.c | 4 fs/xfs/xfs_icache.c | 6 fs/xfs/xfs_inode.c | 16 - fs/xfs/xfs_ioctl.c | 4 fs/xfs/xfs_iomap.c | 177 +++++++----- fs/xfs/xfs_iomap.h | 6 fs/xfs/xfs_log.c | 53 +-- fs/xfs/xfs_mount.c | 15 + fs/xfs/xfs_pnfs.c | 6 include/linux/iomap.h | 47 ++- net/sunrpc/svc_xprt.c | 16 - security/keys/trusted-keys/trusted_tpm2.c | 25 + 50 files changed, 865 insertions(+), 298 deletions(-) Aidan MacDonald (1): mfd: stpmic1: Fix swapped mask/unmask in irq chip Akira Yokosawa (1): docs: kernel_include.py: Cope with docutils 0.21 AngeloGioacchino Del Regno (1): remoteproc: mediatek: Make sure IPI buffer fits in L2TCM Carlos Llamas (1): binder: fix max_thread type inconsistency Daniel Thompson (1): serial: kgdboc: Fix NMI-safety problems from keyboard reset code Darrick J. Wong (8): xfs: fix incorrect error-out in xfs_remove xfs: invalidate block device page cache during unmount xfs: attach dquots to inode before reading data/cow fork mappings xfs: hoist refcount record merge predicates xfs: estimate post-merge refcounts correctly xfs: invalidate xfs_bufs when allocating cow extents xfs: allow inode inactivation during a ro mount log recovery xfs: fix log recovery when unknown rocompat bits are set Dave Chinner (10): xfs: write page faults in iomap are not buffered writes xfs: punching delalloc extents on write failure is racy xfs: use byte ranges for write cleanup ranges xfs,iomap: move delalloc punching to iomap iomap: buffered write failure should not truncate the page cache xfs: xfs_bmap_punch_delalloc_range() should take a byte range iomap: write iomap validity checks xfs: use iomap_valid method to detect stale cached iomaps xfs: drop write error injection is unfixable, remove it xfs: fix off-by-one-block in xfs_discard_folio() Eric Sandeen (1): xfs: short circuit xfs_growfs_data_private() if delta is zero Greg Kroah-Hartman (1): Linux 6.1.92 Guo Xuenan (2): xfs: wait iclog complete before tearing down AIL xfs: fix super block buf log item UAF during force shutdown Heikki Krogerus (1): usb: typec: ucsi: displayport: Fix potential deadlock Hironori Shiina (1): xfs: get root inode correctly at bulkstat Jacob Keller (2): ice: pass VSI pointer into ice_vc_isvalid_q_id ice: remove unnecessary duplicate checks for VF VSI ID Jarkko Sakkinen (2): KEYS: trusted: Fix memory leak in tpm2_key_encode() KEYS: trusted: Do not use WARN when encode fails Javier Carrasco (1): usb: typec: tipd: fix event checking for tps6598x Jose Fernandez (1): drm/amd/display: Fix division by zero in setup_dsc_config Jose Ignacio Tornos Martinez (1): net: usb: ax88179_178a: fix link status when link is set to down/up Long Li (2): xfs: fix sb write verify for lazysbcount xfs: fix incorrect i_nlink caused by inode racing Mark Rutland (1): arm64: atomics: lse: remove stale dependency on JUMP_LABEL Mengqi Zhang (1): mmc: core: Add HS400 tuning in HS400es initialization NeilBrown (1): nfsd: don't allow nfsd threads to be signalled. Prashanth K (1): usb: dwc3: Wait unconditionally after issuing EndXfer command Ronald Wahl (1): net: ks8851: Fix another TX stall caused by wrong ISR flag handling Sergey Shtylyov (1): pinctrl: core: handle radix_tree_insert() errors in pinctrl_register_one_pin() Srinivasan Shanmugam (1): drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() Thomas Weißschuh (1): admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET

1 year, 6 months

1
1
0 0

Linux 5.15.160

by Greg Kroah-Hartman

I'm announcing the release of the 5.15.160 kernel. All users of the 5.15 kernel series must upgrade. The updated 5.15.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.15.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/admin-guide/hw-vuln/core-scheduling.rst | 4 Documentation/sphinx/kernel_include.py | 1 Makefile | 2 arch/x86/kvm/x86.c | 11 drivers/android/binder.c | 2 drivers/android/binder_internal.h | 2 drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 drivers/gpu/drm/amd/display/dc/dsc/dc_dsc.c | 7 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 12 - drivers/net/ethernet/broadcom/genet/bcmgenet.h | 2 drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 6 drivers/net/ethernet/broadcom/genet/bcmmii.c | 4 drivers/pinctrl/core.c | 14 - drivers/remoteproc/mtk_scp.c | 10 drivers/tty/serial/kgdboc.c | 30 ++ drivers/usb/typec/ucsi/displayport.c | 4 fs/nfs/callback.c | 9 fs/nfsd/nfs4proc.c | 5 fs/nfsd/nfssvc.c | 12 - include/net/tls.h | 6 net/netlink/af_netlink.c | 23 +- net/sunrpc/svc_xprt.c | 16 - net/tls/tls_sw.c | 199 +++++++++--------- security/keys/trusted-keys/trusted_tpm2.c | 25 +- tools/testing/selftests/vm/map_hugetlb.c | 7 25 files changed, 242 insertions(+), 174 deletions(-) Akira Yokosawa (1): docs: kernel_include.py: Cope with docutils 0.21 AngeloGioacchino Del Regno (1): remoteproc: mediatek: Make sure IPI buffer fits in L2TCM Carlos Llamas (1): binder: fix max_thread type inconsistency Daniel Thompson (1): serial: kgdboc: Fix NMI-safety problems from keyboard reset code Doug Berger (2): net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access net: bcmgenet: synchronize UMAC_CMD access Eric Dumazet (2): netlink: annotate lockless accesses to nlk->max_recvmsg_len netlink: annotate data-races around sk->sk_err Greg Kroah-Hartman (1): Linux 5.15.160 Harshit Mogalapalli (1): Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems" Heikki Krogerus (1): usb: typec: ucsi: displayport: Fix potential deadlock Jakub Kicinski (4): tls: rx: simplify async wait net: tls: factor out tls_*crypt_async_wait() tls: fix race between async notify and socket close net: tls: handle backlogging of crypto requests Jarkko Sakkinen (2): KEYS: trusted: Fix memory leak in tpm2_key_encode() KEYS: trusted: Do not use WARN when encode fails Jose Fernandez (1): drm/amd/display: Fix division by zero in setup_dsc_config NeilBrown (1): nfsd: don't allow nfsd threads to be signalled. Sabrina Dubroca (1): tls: extract context alloc/initialization out of tls_set_sw_offload Sean Christopherson (1): KVM: x86: Clear "has_error_code", not "error_code", for RM exception injection Sergey Shtylyov (1): pinctrl: core: handle radix_tree_insert() errors in pinctrl_register_one_pin() Srinivasan Shanmugam (1): drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() Thomas Weißschuh (1): admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET

1 year, 6 months

1
1
0 0

Linux 5.10.218

by Greg Kroah-Hartman

I'm announcing the release of the 5.10.218 kernel. All users of the 5.10 kernel series must upgrade. The updated 5.10.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/sphinx/kernel_include.py | 1 Makefile | 2 - arch/x86/entry/entry_64.S | 17 +++++------ arch/x86/include/asm/irqflags.h | 7 ---- arch/x86/include/asm/paravirt.h | 5 --- arch/x86/include/asm/paravirt_types.h | 8 ----- arch/x86/kernel/asm-offsets_64.c | 2 - arch/x86/kernel/paravirt.c | 5 --- arch/x86/kernel/paravirt_patch.c | 4 -- arch/x86/kvm/x86.c | 11 ++++++- arch/x86/xen/enlighten_pv.c | 1 arch/x86/xen/xen-asm.S | 21 -------------- arch/x86/xen/xen-ops.h | 2 - drivers/firmware/arm_scmi/reset.c | 6 +++- drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 ++ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 12 +++++++- drivers/net/ethernet/broadcom/genet/bcmgenet.h | 2 + drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 6 ++++ drivers/net/ethernet/broadcom/genet/bcmmii.c | 4 ++ drivers/pinctrl/core.c | 14 +++++++-- drivers/tty/serial/kgdboc.c | 30 ++++++++++++++++++++- drivers/usb/typec/ucsi/displayport.c | 4 -- fs/btrfs/volumes.c | 1 net/mptcp/protocol.c | 2 + net/netlink/af_netlink.c | 15 ++++++---- security/integrity/ima/ima_policy.c | 29 ++++++++++++++------ tools/testing/selftests/vm/map_hugetlb.c | 7 ---- 27 files changed, 122 insertions(+), 99 deletions(-) Akira Yokosawa (1): docs: kernel_include.py: Cope with docutils 0.21 Cristian Marussi (1): firmware: arm_scmi: Harden accesses to the reset domains Daniel Thompson (1): serial: kgdboc: Fix NMI-safety problems from keyboard reset code Dominique Martinet (1): btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() Doug Berger (2): net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access net: bcmgenet: synchronize UMAC_CMD access Eric Dumazet (1): netlink: annotate lockless accesses to nlk->max_recvmsg_len Greg Kroah-Hartman (1): Linux 5.10.218 Harshit Mogalapalli (1): Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems" Heikki Krogerus (1): usb: typec: ucsi: displayport: Fix potential deadlock Juergen Gross (1): x86/xen: Drop USERGS_SYSRET64 paravirt call Paolo Abeni (1): mptcp: ensure snd_nxt is properly initialized on connect Sean Christopherson (1): KVM: x86: Clear "has_error_code", not "error_code", for RM exception injection Sergey Shtylyov (1): pinctrl: core: handle radix_tree_insert() errors in pinctrl_register_one_pin() Srinivasan Shanmugam (1): drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper() liqiong (1): ima: fix deadlock when traversing "ima_default_rules".

1 year, 6 months

1
1
0 0

Linux 5.4.277

by Greg Kroah-Hartman

I'm announcing the release of the 5.4.277 kernel. All users of the 5.4 kernel series must upgrade. The updated 5.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.4.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/sphinx/kernel_include.py | 1 Makefile | 2 arch/arm64/boot/dts/qcom/msm8998.dtsi | 8 +- drivers/firmware/arm_scmi/reset.c | 6 + drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 3 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 22 ++++- drivers/net/ethernet/broadcom/genet/bcmgenet.h | 2 drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 12 ++- drivers/net/ethernet/broadcom/genet/bcmmii.c | 43 ++--------- drivers/pinctrl/core.c | 14 ++- drivers/tty/serial/kgdboc.c | 30 +++++++ drivers/usb/typec/ucsi/displayport.c | 4 - fs/btrfs/volumes.c | 1 fs/cifs/smb2ops.c | 4 - fs/cifs/smb2pdu.c | 81 +++++++++++++-------- fs/cifs/smb2proto.h | 10 +- fs/ext4/extents.c | 10 +- tools/testing/selftests/vm/map_hugetlb.c | 7 - 18 files changed, 161 insertions(+), 99 deletions(-) Akira Yokosawa (1): docs: kernel_include.py: Cope with docutils 0.21 Baokun Li (1): ext4: fix bug_on in __es_tree_search Cristian Marussi (1): firmware: arm_scmi: Harden accesses to the reset domains Daniel Thompson (1): serial: kgdboc: Fix NMI-safety problems from keyboard reset code Dominique Martinet (1): btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() Doug Berger (5): Revert "net: bcmgenet: use RGMII loopback for MAC reset" net: bcmgenet: keep MAC in reset until PHY is up net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access net: bcmgenet: synchronize use of bcmgenet_set_rx_mode() net: bcmgenet: synchronize UMAC_CMD access Greg Kroah-Hartman (1): Linux 5.4.277 Harshit Mogalapalli (1): Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems" Heikki Krogerus (1): usb: typec: ucsi: displayport: Fix potential deadlock Paulo Alcantara (1): smb: client: fix potential OOBs in smb2_parse_contexts() Rob Herring (1): arm64: dts: qcom: Fix 'interrupt-map' parent address cells Sergey Shtylyov (1): pinctrl: core: handle radix_tree_insert() errors in pinctrl_register_one_pin() Srinivasan Shanmugam (1): drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()

1 year, 6 months

1
1
0 0

Linux 4.19.315

by Greg Kroah-Hartman

I'm announcing the release of the 4.19.315 kernel. All users of the 4.19 kernel series must upgrade. The updated 4.19.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.19.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/sphinx/kernel_include.py | 1 Makefile | 2 drivers/md/dm-core.h | 2 drivers/md/dm-ioctl.c | 3 drivers/md/dm-table.c | 9 drivers/tty/serial/kgdboc.c | 30 fs/btrfs/volumes.c | 1 include/linux/string.h | 20 include/linux/trace_events.h | 2 kernel/trace/Kconfig | 4 kernel/trace/Makefile | 1 kernel/trace/trace.c | 26 kernel/trace/trace_dynevent.c | 210 ++++++ kernel/trace/trace_dynevent.h | 119 +++ kernel/trace/trace_events.c | 32 kernel/trace/trace_events_hist.c | 1048 ++++++++++++++++++------------- kernel/trace/trace_probe.c | 2 kernel/trace/trace_stack.c | 2 tools/testing/selftests/vm/map_hugetlb.c | 7 19 files changed, 1050 insertions(+), 471 deletions(-) Akira Yokosawa (1): docs: kernel_include.py: Cope with docutils 0.21 Daniel Thompson (1): serial: kgdboc: Fix NMI-safety problems from keyboard reset code Dominique Martinet (1): btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() Greg Kroah-Hartman (1): Linux 4.19.315 Harshit Mogalapalli (1): Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems" Masami Hiramatsu (4): tracing: Simplify creation and deletion of synthetic events tracing: Add unified dynamic event framework tracing: Use dyn_event framework for synthetic events tracing: Remove unneeded synth_event_mutex Mikulas Patocka (1): dm: limit the number of targets and parameter size area Steven Rostedt (VMware) (5): tracing: Consolidate trace_add/remove_event_call back to the nolock functions string.h: Add str_has_prefix() helper function tracing: Use str_has_prefix() helper for histogram code tracing: Use str_has_prefix() instead of using fixed sizes tracing: Have the historgram use the result of str_has_prefix() for len of prefix Tom Zanussi (4): tracing: Refactor hist trigger action code tracing: Split up onmatch action data tracing: Generalize hist trigger onmax and save action tracing: Remove unnecessary var_ref destroy in track_data_destroy()

1 year, 6 months

1
1
0 0

cherry-pick request for "arm64/fpsimd: Avoid erroneous elide of user state reload"

by Florian Klink

Hey, I got encouraged to send another email here from https://github.com/tpwrules/nixos-apple-silicon/issues/200. "arm64/fpsimd: Avoid erroneous elide of user state reload" / https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… fixes a data corruption issue with dm-crypt on aarch64, reproducible on the mainline Linux kernel (not just asahi specific!). This list has been included as Cc on this commit, but it'd be very nice to make sure this already lands in 6.9.2, due to its data corruption nature. Thanks, Florian

1 year, 6 months

2
1
0 0

[tip: irq/urgent] genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after()

by tip-bot2 for dicken.ding

The following commit has been merged into the irq/urgent branch of tip: Commit-ID: b84a8aba806261d2f759ccedf4a2a6a80a5e55ba Gitweb: https://git.kernel.org/tip/b84a8aba806261d2f759ccedf4a2a6a80a5e55ba Author: dicken.ding <dicken.ding(a)mediatek.com> AuthorDate: Fri, 24 May 2024 17:17:39 +08:00 Committer: Thomas Gleixner <tglx(a)linutronix.de> CommitterDate: Fri, 24 May 2024 12:49:35 +02:00 genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after() irq_find_at_or_after() dereferences the interrupt descriptor which is returned by mt_find() while neither holding sparse_irq_lock nor RCU read lock, which means the descriptor can be freed between mt_find() and the dereference: CPU0 CPU1 desc = mt_find() delayed_free_desc(desc) irq_desc_get_irq(desc) The use-after-free is reported by KASAN: Call trace: irq_get_next_irq+0x58/0x84 show_stat+0x638/0x824 seq_read_iter+0x158/0x4ec proc_reg_read_iter+0x94/0x12c vfs_read+0x1e0/0x2c8 Freed by task 4471: slab_free_freelist_hook+0x174/0x1e0 __kmem_cache_free+0xa4/0x1dc kfree+0x64/0x128 irq_kobj_release+0x28/0x3c kobject_put+0xcc/0x1e0 delayed_free_desc+0x14/0x2c rcu_do_batch+0x214/0x720 Guard the access with a RCU read lock section. Fixes: 721255b9826b ("genirq: Use a maple tree for interrupt descriptor management") Signed-off-by: dicken.ding <dicken.ding(a)mediatek.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20240524091739.31611-1-dicken.ding@mediatek.com --- kernel/irq/irqdesc.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c index 88ac365..07e99c9 100644 --- a/kernel/irq/irqdesc.c +++ b/kernel/irq/irqdesc.c @@ -160,7 +160,10 @@ static int irq_find_free_area(unsigned int from, unsigned int cnt) static unsigned int irq_find_at_or_after(unsigned int offset) { unsigned long index = offset; - struct irq_desc *desc = mt_find(&sparse_irqs, &index, nr_irqs); + struct irq_desc *desc; + + guard(rcu)(); + desc = mt_find(&sparse_irqs, &index, nr_irqs); return desc ? irq_desc_get_irq(desc) : nr_irqs; }

1 year, 6 months

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror May 2024