- Linux-stable-mirror - lists.linaro.org

[PATCH] comedi: Fix initialization of data for instructions that write to subdevice

by Ian Abbott

Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAMPLES` (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, the first `insn->n` data elements are copied from user-space, but the remaining elements are left uninitialized. That could be a problem if the subdevice instruction handler reads the uninitialized data. Ensure that the first `MIN_SAMPLES` elements are initialized before calling these instruction handlers, filling the uncopied elements with 0. For `do_insnlist_ioctl()`, the same data buffer elements are used for handling a list of instructions, so ensure the first `MIN_SAMPLES` elements are initialized for each instruction that writes to the subdevice. Fixes: ed9eccbe8970 ("Staging: add comedi core") Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm kernels 5.4.x and 5.10.x. --- drivers/comedi/comedi_fops.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c index 3383a7ce27ff..0f8b471d5032 100644 --- a/drivers/comedi/comedi_fops.c +++ b/drivers/comedi/comedi_fops.c @@ -1556,21 +1556,27 @@ static int do_insnlist_ioctl(struct comedi_device *dev, } for (i = 0; i < n_insns; ++i) { + unsigned int n = insns[i].n; + if (insns[i].insn & INSN_MASK_WRITE) { if (copy_from_user(data, insns[i].data, - insns[i].n * sizeof(unsigned int))) { + n * sizeof(unsigned int))) { dev_dbg(dev->class_dev, "copy_from_user failed\n"); ret = -EFAULT; goto error; } + if (n < MIN_SAMPLES) { + memset(&data[n], 0, (MIN_SAMPLES - n) * + sizeof(unsigned int)); + } } ret = parse_insn(dev, insns + i, data, file); if (ret < 0) goto error; if (insns[i].insn & INSN_MASK_READ) { if (copy_to_user(insns[i].data, data, - insns[i].n * sizeof(unsigned int))) { + n * sizeof(unsigned int))) { dev_dbg(dev->class_dev, "copy_to_user failed\n"); ret = -EFAULT; @@ -1633,6 +1639,10 @@ static int do_insn_ioctl(struct comedi_device *dev, ret = -EFAULT; goto error; } + if (insn->n < MIN_SAMPLES) { + memset(&data[insn->n], 0, + (MIN_SAMPLES - insn->n) * sizeof(unsigned int)); + } } ret = parse_insn(dev, insn, data, file); if (ret < 0) -- 2.47.2

2 months, 1 week

1
0
0 0

[PATCH 5.4 000/215] 5.4.295-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.295 release. There are 215 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri, 27 Jun 2025 08:52:04 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.295-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.295-rc2 Tengda Wu <wutengda(a)huaweicloud.com> arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() Peter Zijlstra <peterz(a)infradead.org> perf: Fix sample vs do_exit() Heiko Carstens <hca(a)linux.ibm.com> s390/pci: Fix __pcilg_mio_inuser() inline assembly David Gow <davidgow(a)google.com> rtc: test: Fix invalid format specifier. Jeongjun Park <aha310510(a)gmail.com> jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Gavin Guo <gavinguo(a)igalia.com> mm/huge_memory: fix dereferencing invalid pmd migration entry Alexandre Mergnat <amergnat(a)baylibre.com> rtc: Make rtc_time64_to_tm() support dates before 1970 Cassio Neri <cassio.neri(a)gmail.com> rtc: Improve performance of rtc_time64_to_tm(). Add tests. Dan Aloni <dan.aloni(a)vastdata.com> xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create Oleg Nesterov <oleg(a)redhat.com> posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() Geert Uytterhoeven <geert+renesas(a)glider.be> ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms Colin Foster <colin.foster(a)in-advantage.com> ARM: dts: am335x-bone-common: Increase MDIO reset deassert time Shengyu Qu <wiagn233(a)outlook.com> ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board Eric Dumazet <edumazet(a)google.com> net: atm: fix /proc/net/atm/lec handling Eric Dumazet <edumazet(a)google.com> net: atm: add lec_mutex Kuniyuki Iwashima <kuniyu(a)google.com> calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). Haixia Qu <hxqu(a)hillstonenet.com> tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer Neal Cardwell <ncardwell(a)google.com> tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior Kuniyuki Iwashima <kuniyu(a)google.com> atm: atmtcp: Free invalid length skb in atmtcp_c_send(). Kuniyuki Iwashima <kuniyu(a)google.com> mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). Dmitry Antipov <dmantipov(a)yandex.ru> wifi: carl9170: do not ping device which has failed to load firmware Justin Sanders <jsanders.devel(a)gmail.com> aoe: clean device rq_list in aoedev_downdev() Arnd Bergmann <arnd(a)arndb.de> hwmon: (occ) fix unaligned accesses Jacob Keller <jacob.e.keller(a)intel.com> drm/nouveau/bl: increase buffer size to avoid truncate warning Gao Xiang <hsiangkao(a)linux.alibaba.com> erofs: remove unused trace event erofs_destroy_inode Jonathan Lane <jon(a)borg.moe> ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged Takashi Iwai <tiwai(a)suse.de> ALSA: hda/intel: Add Thinkpad E15 to PM deny list WangYuli <wangyuli(a)uniontech.com> Input: sparcspkr - avoid unannotated fall-through Terry Junge <linuxhid(a)cosmicgizmosystems.com> HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Kuniyuki Iwashima <kuniyu(a)google.com> atm: Revert atm_account_tx() if copy_from_iter_full() fails. Stephen Smalley <stephen.smalley.work(a)gmail.com> selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len Peter Oberparleiter <oberpar(a)linux.ibm.com> scsi: s390: zfcp: Ensure synchronous unit_add Dexuan Cui <decui(a)microsoft.com> scsi: storvsc: Increase the timeouts to storvsc_timeout Fedor Pchelkin <pchelkin(a)ispras.ru> jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Artem Sadovnikov <a.sadovnikov(a)ispras.ru> jffs2: check that raw node were preallocated before writing summary Andrew Morton <akpm(a)linux-foundation.org> drivers/rapidio/rio_cm.c: prevent possible heap overwrite Breno Leitao <leitao(a)debian.org> Revert "x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2" on v6.6 and older Narayana Murty N <nnmlinux(a)linux.ibm.com> powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery Stuart Hayes <stuart.w.hayes(a)gmail.com> platform/x86: dell_rbu: Stop overwriting data buffer Maximilian Luz <luzmaximilian(a)gmail.com> platform: Add Surface platform directory Alexander Sverdlin <alexander.sverdlin(a)siemens.com> Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first" Jann Horn <jannh(a)google.com> tee: Prevent size calculation wraparound on 32-bit kernels Sukrut Bellary <sbellary(a)baylibre.com> ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY Laurentiu Tudor <laurentiu.tudor(a)nxp.com> bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value Marcus Folkesson <marcus.folkesson(a)gmail.com> watchdog: da9052_wdt: respect TWDMIN Kyungwook Boo <bookyungwook(a)gmail.com> i40e: fix MMIO write access to an invalid page in i40e_clear_hw Zijun Hu <quic_zijuhu(a)quicinc.com> sock: Correct error checking condition for (assign|release)_proto_idx() Daniel Wagner <wagi(a)kernel.org> scsi: lpfc: Use memcpy() for BIOS version Ido Schimmel <idosch(a)nvidia.com> vxlan: Do not treat dst cache initialization errors as fatal Heiko Stuebner <heiko(a)sntech.de> clk: rockchip: rk3036: mark ddrphy as critical Benjamin Berg <benjamin(a)sipsolutions.net> wifi: mac80211: do not offer a mesh path if forwarding is disabled Jason Xing <kernelxing(a)tencent.com> net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT Eric Dumazet <edumazet(a)google.com> tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows Eric Dumazet <edumazet(a)google.com> tcp: always seek for minimal rtt in tcp_rcv_rtt_update() Moon Yeounsu <yyyynoom(a)gmail.com> net: dlink: add synchronization for stats update Petr Malat <oss(a)malat.biz> sctp: Do not wake readers in __sctp_write_space() Alok Tiwari <alok.a.tiwari(a)oracle.com> emulex/benet: correct command version selection in be_cmd_get_stats() Tan En De <ende.tan(a)starfivetech.com> i2c: designware: Invoke runtime suspend on quick slave re-registration Sergio Perez Gonzalez <sperezglz(a)gmail.com> net: macb: Check return value of dma_set_mask_and_coherent() Viresh Kumar <viresh.kumar(a)linaro.org> cpufreq: Force sync policy boost with global boost on sysfs update Simon Schuster <schuster.simon(a)siemens-energy.com> nios2: force update_mmu_cache on spurious tlb-permission--related pagefaults Wentao Liang <vulab(a)iscas.ac.cn> media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() Hans Verkuil <hverkuil(a)xs4all.nl> media: tc358743: ignore video while HPD is low Amber Lin <Amber.Lin(a)amd.com> drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB Dylan Wolff <wolffd(a)comp.nus.edu.sg> jfs: Fix null-ptr-deref in jfs_ioc_trim Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx9: fix CSIB handling Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx8: fix CSIB handling Aditya Dutt <duttaditya18(a)gmail.com> jfs: fix array-index-out-of-bounds read in add_missing_indices Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx7: fix CSIB handling Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx10: fix CSIB handling Akhil P Oommen <quic_akhilpo(a)quicinc.com> drm/msm/a6xx: Increase HFI response timeout Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit() Nas Chung <nas.chung(a)chipsnmedia.com> media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> drm/msm/hdmi: add runtime PM calls to DDC transfer function Damon Ding <damon.ding(a)rock-chips.com> drm/bridge: analogix_dp: Add irq flag IRQF_NO_AUTOEN instead of calling disable_irq() Long Li <leo.lilong(a)huawei.com> sunrpc: update nextcheck time when adding new cache entries Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx6: fix CSIB handling Peter Marheine <pmarheine(a)chromium.org> ACPI: battery: negate current when discharging Charan Teja Kalla <quic_charante(a)quicinc.com> PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() Jerry Lv <Jerry.Lv(a)axis.com> power: supply: bq27xxx: Retrieve again when busy Seunghun Han <kkamagui(a)gmail.com> ACPICA: fix acpi parse and parseext cache leaks Ahmed Salem <x0rw3ll(a)gmail.com> ACPICA: Avoid sequence overread in call to strncmp() Seunghun Han <kkamagui(a)gmail.com> ACPICA: fix acpi operand cache leak in dswstate.c David Lechner <dlechner(a)baylibre.com> iio: adc: ad7606_spi: fix reg write value mask Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> PCI: Fix lock symmetry in pci_slot_unlock() Huacai Chen <chenhuacai(a)loongson.cn> PCI: Add ACS quirk for Loongson PCIe Long Li <longli(a)microsoft.com> uio_hv_generic: Use correct size for interrupt and monitor pages Wentao Liang <vulab(a)iscas.ac.cn> regulator: max14577: Add error check for max14577_read_reg() Khem Raj <raj.khem(a)gmail.com> mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS Gabriel Shahrouzi <gshahrouzi(a)gmail.com> staging: iio: ad5933: Correct settling cycles encoding per datasheet Qasim Ijaz <qasdev00(a)gmail.com> net: ch9200: fix uninitialised access during mii_nway_restart Ye Bin <yebin10(a)huawei.com> ftrace: Fix UAF when lookup kallsym after ftrace disabled Mikulas Patocka <mpatocka(a)redhat.com> dm-mirror: fix a tiny race condition Wentao Liang <vulab(a)iscas.ac.cn> mtd: nand: sunxi: Add randomizer configuration before randomizer enable Wentao Liang <vulab(a)iscas.ac.cn> mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk Jinliang Zheng <alexjlzheng(a)tencent.com> mm: fix ratelimit_pages update error in dirty_ratio_handler() Jeongjun Park <aha310510(a)gmail.com> ipc: fix to protect IPCS lookups using RCU Arnd Bergmann <arnd(a)arndb.de> parisc: fix building with gcc-15 GONG Ruiqi <gongruiqi1(a)huawei.com> vgacon: Add check for vc_origin address range in vgacon_scroll() Murad Masimov <m.masimov(a)mt-integration.ru> fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var Niravkumar L Rabara <niravkumar.l.rabara(a)intel.com> EDAC/altera: Use correct write width with the INTTEST register Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> NFC: nci: uart: Set tty->disc_data only in success path Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: prevent kernel warning due to negative i_nlink from corrupted image Dan Carpenter <dan.carpenter(a)linaro.org> Input: ims-pcu - check record size in ims_pcu_flash_firmware() Jan Kara <jack(a)suse.cz> ext4: fix calculation of credits for extent tree modification Thadeu Lima de Souza Cascardo <cascardo(a)igalia.com> ext4: inline: fix len overflow in ext4_prepare_inline_data Ioana Ciornei <ioana.ciornei(a)nxp.com> bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device Tasos Sahanidis <tasos(a)tasossah.com> ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 Ross Stutterheim <ross.stutterheim(a)garmin.com> ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap() Ma Ke <make24(a)iscas.ac.cn> media: v4l2-dev: fix error handling in __video_register_device() Wentao Liang <vulab(a)iscas.ac.cn> media: gspca: Add error handling for stv06xx_read_sensor() Mingcong Bai <jeffbai(a)aosc.io> wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 NeilBrown <neil(a)brown.name> nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request Christian Lamparter <chunkeey(a)gmail.com> wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Alexander Aring <aahringo(a)redhat.com> gfs2: move msleep to sleepable context Zijun Hu <quic_zijuhu(a)quicinc.com> configfs: Do not override creating attribute file failure in populate_attrs() Oliver Neukum <oneukum(a)suse.com> net: usb: aqc111: debug info before sanitation Eric Dumazet <edumazet(a)google.com> calipso: unlock rcu before returning -EAFNOSUPPORT Stefano Stabellini <stefano.stabellini(a)amd.com> xen/arm: call uaccess_ttbr0_enable for dm_op hypercall Mathias Nyman <mathias.nyman(a)linux.intel.com> usb: Flush altsetting 0 endpoints before reinitializating them after reset. Zijun Hu <quic_zijuhu(a)quicinc.com> fs/filesystems: Fix potential unsigned integer underflow in fs_name() Jakub Raczynski <j.raczynski(a)samsung.com> net/mdiobus: Fix potential out-of-bounds read/write access Nathan Chancellor <nathan(a)kernel.org> drm/amd/display: Do not add '-mhard-float' to dcn2{1,0}_resource.o for clang Nathan Chancellor <nathan(a)kernel.org> drm/amd/display: Do not add '-mhard-float' to dml_ccflags for clang Nathan Chancellor <nathan(a)kernel.org> MIPS: Move '-Wa,-msoft-float' check from as-option to cc-option Nick Desaulniers <ndesaulniers(a)google.com> x86/boot/compressed: prefer cc-option for CFLAGS additions Andrew Lunn <andrew(a)lunn.ch> net: mdio: C22 is now optional, EOPNOTSUPP if not provided Eric Dumazet <edumazet(a)google.com> net_sched: tbf: fix a race in tbf_change() Eric Dumazet <edumazet(a)google.com> net_sched: red: fix a race in __red_change() Eric Dumazet <edumazet(a)google.com> net_sched: prio: fix a race in prio_tune() Patrisious Haddad <phaddad(a)nvidia.com> net/mlx5: Fix return value when searching for existing flow group Paul Blakey <paulb(a)mellanox.com> net/mlx5: Wait for inactive autogroups Robert Malz <robert.malz(a)canonical.com> i40e: retry VFLR handling if there is ongoing VF reset Robert Malz <robert.malz(a)canonical.com> i40e: return false from i40e_reset_vf if reset is in progress Eric Dumazet <edumazet(a)google.com> net_sched: sch_sfq: fix a potential crash on gso_skb handling Alok Tiwari <alok.a.tiwari(a)oracle.com> scsi: iscsi: Fix incorrect error path labels for flashnode operations Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes Chuck Lever <chuck.lever(a)oracle.com> NFSD: Fix ia_size underflow Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: synaptics-rmi - fix crash with unsupported versions of F34 zhang songyi <zhang.songyi(a)zte.com.cn> Input: synaptics-rmi4 - convert to use sysfs_emit() APIs Dan Carpenter <dan.carpenter(a)linaro.org> pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() Al Viro <viro(a)zeniv.linux.org.uk> do_change_type(): refuse to operate on unmounted/not ours mounts Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: sleep: Fix power.is_suspended cleanup for direct-complete devices Michal Kubiak <michal.kubiak(a)intel.com> ice: create new Tx scheduler nodes for new queues only Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION Dan Carpenter <dan.carpenter(a)linaro.org> net/mlx4_en: Prevent potential integer overflow calculating Hz Nicolas Pitre <npitre(a)baylibre.com> vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() Henry Martin <bsdhenrymartin(a)gmail.com> serial: Fix potential null-ptr-deref in mlb_usio_probe() Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> usb: renesas_usbhs: Reorder clock handling and power management in probe Alexandre Mergnat <amergnat(a)baylibre.com> rtc: Fix offset calculation for .start_secs < 0 Wolfram Sang <wsa+renesas(a)sang-engineering.com> rtc: sh: assign correct interrupts with DT Dapeng Mi <dapeng1.mi(a)linux.intel.com> perf record: Fix incorrect --user-regs comments Leo Yan <leo.yan(a)arm.com> perf tests switch-tracking: Fix timestamp comparison Alexey Gladkov <legion(a)kernel.org> mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() Dan Carpenter <dan.carpenter(a)linaro.org> rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() Adrian Hunter <adrian.hunter(a)intel.com> perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 Arnaldo Carvalho de Melo <acme(a)redhat.com> perf ui browser hists: Set actions->thread before calling do_zoom_thread() Sergey Shtylyov <s.shtylyov(a)omp.ru> fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() Henry Martin <bsdhenrymartin(a)gmail.com> soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() Su Hui <suhui(a)nfschina.com> soc: aspeed: lpc: Fix impossible judgment condition Quentin Schulz <quentin.schulz(a)cherry.de> arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device Ioana Ciornei <ioana.ciornei(a)nxp.com> bus: fsl-mc: fix double-free on mc_dev Ryusuke Konishi <konishi.ryusuke(a)gmail.com> nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() Wentao Liang <vulab(a)iscas.ac.cn> nilfs2: add pointer check for nilfs_direct_propagate() Phillip Lougher <phillip(a)squashfs.org.uk> Squashfs: check return result of sb_min_blocksize Wolfram Sang <wsa+renesas(a)sang-engineering.com> ARM: dts: at91: at91sam9263: fix NAND chip selects Wolfram Sang <wsa+renesas(a)sang-engineering.com> ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select Zhiguo Niu <zhiguo.niu(a)unisoc.com> f2fs: fix to correct check conditions in f2fs_cross_rename Zhiguo Niu <zhiguo.niu(a)unisoc.com> f2fs: use d_inode(dentry) cleanup dentry->d_inode Kuniyuki Iwashima <kuniyu(a)amazon.com> calipso: Don't call calipso functions for AF_INET sk. Thangaraj Samynathan <thangaraj.s(a)microchip.com> net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy Nikita Zhandarovich <n.zhandarovich(a)fintech.ru> net: usb: aqc111: fix error handling of usbnet read calls Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy Toke Høiland-Jørgensen <toke(a)toke.dk> wifi: ath9k_htc: Abort software beacon handling if disabled Tao Chen <chen.dylane(a)linux.dev> bpf: Fix WARN() in get_bpf_raw_tp_regs Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> pinctrl: at91: Fix possible out-of-boundary access Jiayuan Chen <jiayuan.chen(a)linux.dev> ktls, sockmap: Fix missing uncharge operation Huajian Yang <huajianyang(a)asrmicro.com> netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it Chao Yu <chao(a)kernel.org> f2fs: clean up w/ fscrypt_is_bounce_page() Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h Dmitry Antipov <dmantipov(a)yandex.ru> wifi: rtw88: do not ignore hardware read error during DPK Hari Kalavakunta <kalavakunta.hari.prasad(a)gmail.com> net: ncsi: Fix GCPS 64-bit member variables Chao Yu <chao(a)kernel.org> f2fs: fix to do sanity check on sbi->total_valid_block_count Biju Das <biju.das.jz(a)bp.renesas.com> drm/tegra: rgb: Fix the unbound reference count Kees Cook <kees(a)kernel.org> drm/vkms: Adjust vkms_state->active_planes allocation type Biju Das <biju.das.jz(a)bp.renesas.com> drm: rcar-du: Fix memory leak in rcar_du_vsps_init() Neill Kapron <nkapron(a)google.com> selftests/seccomp: fix syscall_restart test for arm compat Miaoqian Lin <linmq006(a)gmail.com> firmware: psci: Fix refcount leak in psci_dt_init Finn Thain <fthain(a)linux-m68k.org> m68k: mac: Fix macintosh_config for Mac II Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Add seqno waiter for sync_files Geert Uytterhoeven <geert+renesas(a)glider.be> spi: sh-msiof: Fix maximum DMA transfer size Armin Wolf <W_Armin(a)gmx.de> ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" Jiaqing Zhao <jiaqing.zhao(a)linux.intel.com> x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() Zijun Hu <quic_zijuhu(a)quicinc.com> PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() Qiuxu Zhuo <qiuxu.zhuo(a)intel.com> EDAC/skx_common: Fix general protection fault Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Avoid empty transfer descriptor Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Handle zero-length skcipher requests Ahmed S. Darwish <darwi(a)linutronix.de> x86/cpu: Sanitize CPUID(0x80000000) output Qing Wang <wangqing7171(a)gmail.com> perf/core: Fix broken throttling when max_samples_per_tick=1 Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: gfs2_create_inode error handling fix Florian Westphal <fw(a)strlen.de> netfilter: nft_socket: fix sk refcount leaks Sergey Senozhatsky <senozhatsky(a)chromium.org> thunderbolt: Do not double dequeue a configuration request Dave Penkler <dpenkler(a)gmail.com> usb: usbtmc: Fix timeout value in get_stb Hongyu Xie <xiehongyu1(a)kylinos.cn> usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device Jiayi Li <lijiayi(a)kylinos.cn> usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: set GPIO output value before setting direction Gabor Juhos <j4g8y7(a)gmail.com> pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 Pan Taixi <pantaixi(a)huaweicloud.com> tracing: Fix compilation warning on arm32 ------------- Diffstat: Documentation/admin-guide/kernel-parameters.txt | 2 - MAINTAINERS | 9 ++ Makefile | 4 +- arch/arm/boot/dts/am335x-bone-common.dtsi | 8 ++ arch/arm/boot/dts/at91sam9263ek.dts | 2 +- arch/arm/boot/dts/qcom-apq8064.dtsi | 13 +- arch/arm/boot/dts/tny_a9263.dts | 2 +- arch/arm/boot/dts/usb_a9263.dts | 4 +- arch/arm/mach-omap2/clockdomain.h | 1 + arch/arm/mach-omap2/clockdomains33xx_data.c | 2 +- arch/arm/mach-omap2/cm33xx.c | 14 ++- arch/arm/mm/ioremap.c | 4 +- .../arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 -- arch/arm64/kernel/ptrace.c | 2 +- arch/arm64/xen/hypercall.S | 21 +++- arch/m68k/mac/config.c | 2 +- arch/mips/Makefile | 2 +- arch/mips/vdso/Makefile | 1 + arch/nios2/include/asm/pgtable.h | 16 +++ arch/parisc/boot/compressed/Makefile | 1 + arch/powerpc/kernel/eeh.c | 2 + arch/s390/pci/pci_mmio.c | 2 +- arch/x86/boot/compressed/Makefile | 2 +- arch/x86/kernel/cpu/bugs.c | 10 +- arch/x86/kernel/cpu/common.c | 17 +-- arch/x86/kernel/cpu/mtrr/generic.c | 2 +- drivers/acpi/acpica/dsutils.c | 9 +- drivers/acpi/acpica/psobject.c | 52 +++----- drivers/acpi/battery.c | 19 ++- drivers/acpi/osi.c | 1 - drivers/ata/pata_via.c | 3 +- drivers/atm/atmtcp.c | 4 +- drivers/base/power/domain.c | 2 +- drivers/base/power/main.c | 3 +- drivers/base/power/runtime.c | 2 +- drivers/block/aoe/aoedev.c | 8 ++ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +- drivers/bus/fsl-mc/mc-io.c | 19 ++- drivers/bus/fsl-mc/mc-sys.c | 2 +- drivers/bus/ti-sysc.c | 49 -------- drivers/clk/rockchip/clk-rk3036.c | 1 + drivers/cpufreq/cpufreq.c | 6 +- drivers/crypto/marvell/cipher.c | 3 + drivers/crypto/marvell/hash.c | 2 +- drivers/edac/altera_edac.c | 6 +- drivers/edac/skx_common.c | 1 + drivers/firmware/psci/psci.c | 4 +- drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 2 - drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 - drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v9.c | 4 + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 18 ++- drivers/gpu/drm/amd/display/dc/dcn20/Makefile | 2 +- drivers/gpu/drm/amd/display/dc/dcn21/Makefile | 2 +- drivers/gpu/drm/amd/display/dc/dml/Makefile | 3 +- drivers/gpu/drm/bridge/analogix/analogix_dp_core.c | 5 +- drivers/gpu/drm/msm/adreno/a6xx_hfi.c | 2 +- drivers/gpu/drm/msm/hdmi/hdmi_i2c.c | 14 ++- drivers/gpu/drm/nouveau/nouveau_backlight.c | 2 +- drivers/gpu/drm/rcar-du/rcar_du_kms.c | 10 +- drivers/gpu/drm/tegra/rgb.c | 14 ++- drivers/gpu/drm/vkms/vkms_crtc.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 ++++ drivers/hid/hid-hyperv.c | 5 +- drivers/hid/usbhid/hid-core.c | 25 ++-- drivers/hwmon/occ/common.c | 28 ++--- drivers/i2c/busses/i2c-designware-slave.c | 2 +- drivers/iio/adc/ad7606_spi.c | 2 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 - drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 + drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 - drivers/input/misc/ims-pcu.c | 6 + drivers/input/misc/sparcspkr.c | 22 +++- drivers/input/rmi4/rmi_f34.c | 135 ++++++++++++--------- drivers/md/dm-raid1.c | 5 +- drivers/media/i2c/tc358743.c | 4 + drivers/media/platform/exynos4-is/fimc-is-regs.c | 1 + drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c | 7 +- drivers/media/v4l2-core/v4l2-dev.c | 14 +-- drivers/mfd/exynos-lpass.c | 1 - drivers/mfd/stmpe-spi.c | 2 +- drivers/mtd/nand/raw/sunxi_nand.c | 2 + drivers/net/ethernet/cadence/macb_main.c | 6 +- drivers/net/ethernet/dlink/dl2k.c | 14 ++- drivers/net/ethernet/dlink/dl2k.h | 2 + drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_common.c | 7 +- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 11 +- drivers/net/ethernet/intel/ice/ice_sched.c | 11 +- drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 13 +- drivers/net/ethernet/microchip/lan743x_main.c | 4 +- drivers/net/phy/mdio_bus.c | 16 ++- drivers/net/usb/aqc111.c | 10 +- drivers/net/usb/ch9200.c | 7 +- drivers/net/vxlan.c | 8 +- drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 + drivers/net/wireless/ath/carl9170/usb.c | 19 ++- drivers/net/wireless/intersil/p54/fwio.c | 2 + drivers/net/wireless/intersil/p54/p54.h | 1 + drivers/net/wireless/intersil/p54/txrx.c | 13 +- drivers/net/wireless/realtek/rtlwifi/pci.c | 10 ++ drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 +- drivers/pci/pci.c | 3 +- drivers/pci/quirks.c | 23 ++++ drivers/pinctrl/mvebu/pinctrl-armada-37xx.c | 35 +++--- drivers/pinctrl/pinctrl-at91.c | 6 +- drivers/platform/Kconfig | 2 + drivers/platform/Makefile | 1 + drivers/platform/surface/Kconfig | 14 +++ drivers/platform/surface/Makefile | 5 + drivers/platform/x86/dell_rbu.c | 2 +- drivers/power/supply/bq27xxx_battery.c | 2 +- drivers/power/supply/bq27xxx_battery_i2c.c | 13 +- drivers/rapidio/rio_cm.c | 3 + drivers/regulator/max14577-regulator.c | 5 +- drivers/rpmsg/qcom_smd.c | 2 +- drivers/rtc/Kconfig | 10 ++ drivers/rtc/Makefile | 1 + drivers/rtc/class.c | 2 +- drivers/rtc/lib.c | 121 +++++++++++++----- drivers/rtc/lib_test.c | 79 ++++++++++++ drivers/rtc/rtc-sh.c | 12 +- drivers/s390/scsi/zfcp_sysfs.c | 2 + drivers/scsi/lpfc/lpfc_sli.c | 4 +- drivers/scsi/scsi_transport_iscsi.c | 11 +- drivers/scsi/storvsc_drv.c | 10 +- drivers/soc/aspeed/aspeed-lpc-snoop.c | 17 ++- drivers/spi/spi-sh-msiof.c | 13 +- drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +- drivers/tee/tee_core.c | 11 +- drivers/thunderbolt/ctl.c | 5 + drivers/tty/serial/milbeaut_usio.c | 5 +- drivers/tty/vt/vt_ioctl.c | 2 - drivers/uio/uio_hv_generic.c | 4 +- drivers/usb/class/usbtmc.c | 4 +- drivers/usb/core/hub.c | 16 ++- drivers/usb/core/quirks.c | 3 + drivers/usb/gadget/function/f_hid.c | 12 +- drivers/usb/renesas_usbhs/common.c | 50 ++++++-- drivers/usb/storage/unusual_uas.h | 7 ++ drivers/video/console/vgacon.c | 2 +- drivers/video/fbdev/core/fbcvt.c | 2 +- drivers/video/fbdev/core/fbmem.c | 4 +- drivers/watchdog/da9052_wdt.c | 1 + fs/configfs/dir.c | 2 +- fs/ext4/extents.c | 11 +- fs/ext4/inline.c | 2 +- fs/f2fs/data.c | 2 +- fs/f2fs/f2fs.h | 10 +- fs/f2fs/namei.c | 19 ++- fs/f2fs/super.c | 4 +- fs/filesystems.c | 14 ++- fs/gfs2/inode.c | 3 +- fs/gfs2/lock_dlm.c | 3 +- fs/jbd2/transaction.c | 3 +- fs/jffs2/erase.c | 4 +- fs/jffs2/scan.c | 4 +- fs/jffs2/summary.c | 7 +- fs/jfs/jfs_discard.c | 3 +- fs/jfs/jfs_dtree.c | 18 ++- fs/namespace.c | 4 + fs/nfsd/nfs3xdr.c | 2 +- fs/nfsd/nfs4proc.c | 3 +- fs/nfsd/vfs.c | 4 + fs/nilfs2/btree.c | 4 +- fs/nilfs2/direct.c | 3 + fs/squashfs/super.c | 5 + include/acpi/actypes.h | 2 +- include/linux/atmdev.h | 6 + include/linux/hid.h | 3 +- include/trace/events/erofs.h | 18 --- include/uapi/linux/videodev2.h | 1 - ipc/shm.c | 5 +- kernel/events/core.c | 23 ++-- kernel/exit.c | 17 +-- kernel/power/wakelock.c | 3 + kernel/time/posix-cpu-timers.c | 9 ++ kernel/trace/bpf_trace.c | 2 +- kernel/trace/ftrace.c | 10 +- kernel/trace/trace.c | 2 +- mm/huge_memory.c | 2 +- mm/page-writeback.c | 2 +- net/atm/common.c | 1 + net/atm/lec.c | 12 +- net/atm/raw.c | 2 +- net/bluetooth/l2cap_core.c | 3 +- net/bridge/netfilter/nf_conntrack_bridge.c | 12 +- net/core/sock.c | 4 +- net/ipv4/route.c | 4 + net/ipv4/tcp_input.c | 63 +++++----- net/ipv6/calipso.c | 8 ++ net/ipv6/netfilter.c | 12 +- net/ipv6/netfilter/nft_fib_ipv6.c | 13 +- net/mac80211/mesh_hwmp.c | 6 +- net/mpls/af_mpls.c | 4 +- net/ncsi/internal.h | 21 ++-- net/ncsi/ncsi-pkt.h | 23 ++-- net/ncsi/ncsi-rsp.c | 21 ++-- net/netfilter/nft_socket.c | 3 +- net/netlabel/netlabel_kapi.c | 5 + net/nfc/nci/uart.c | 8 +- net/sched/sch_prio.c | 2 +- net/sched/sch_red.c | 2 +- net/sched/sch_sfq.c | 5 +- net/sched/sch_tbf.c | 2 +- net/sctp/socket.c | 3 +- net/sunrpc/cache.c | 2 + net/sunrpc/xprtrdma/verbs.c | 2 + net/tipc/udp_media.c | 4 +- net/tls/tls_sw.c | 7 ++ security/selinux/xfrm.c | 2 +- sound/pci/hda/hda_intel.c | 2 + sound/pci/hda/patch_realtek.c | 1 + tools/perf/builtin-record.c | 2 +- tools/perf/scripts/python/exported-sql-viewer.py | 5 +- tools/perf/tests/switch-tracking.c | 2 +- tools/perf/ui/browsers/hists.c | 2 +- tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +- 222 files changed, 1294 insertions(+), 648 deletions(-)

2 months, 1 week

5
4
0 0

[PATCH] comedi: Fix use of uninitialized data in insn_rw_emulate_bits()

by Ian Abbott

For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_read` and/or `insn_write` function handler pointers are set to point to the `insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`. For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the supplied `data[0]` value is a valid copy from user memory. It will at least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in "comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are allocated. However, if `insn->n` is 0 (which is allowable for `INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain uninitialized data, and certainly contains invalid data, possibly from a different instruction in the array of instructions handled by `do_insnlist_ioctl()`. This will result in an incorrect value being written to the digital output channel (or to the digital input/output channel if configured as an output), and may be reflected in the internal saved state of the channel. Fix it by returning 0 early if `insn->n` is 0, before reaching the code that accesses `data[0]`. Previously, the function always returned 1 on success, but it is supposed to be the number of data samples actually read or written up to `insn->n`, which is 0 in this case. Reported-by: syzbot+cb96ec476fb4914445c9(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=cb96ec476fb4914445c9 Fixes: ed9eccbe8970 ("Staging: add comedi core") Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm kernels 5.4.x and 5.10.x. --- drivers/comedi/drivers.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/comedi/drivers.c b/drivers/comedi/drivers.c index 376130bfba8a..98e565088289 100644 --- a/drivers/comedi/drivers.c +++ b/drivers/comedi/drivers.c @@ -615,6 +615,9 @@ static int insn_rw_emulate_bits(struct comedi_device *dev, unsigned int _data[2]; int ret; + if (insn->n == 0) + return 0; + memset(_data, 0, sizeof(_data)); memset(&_insn, 0, sizeof(_insn)); _insn.insn = INSN_BITS; -- 2.47.2

2 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate()" failed to apply to 6.6-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.6-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y git checkout FETCH_HEAD git cherry-pick -x fba46a5d83ca8decb338722fb4899026d8d9ead2 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025063032-shed-reseller-6709@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From fba46a5d83ca8decb338722fb4899026d8d9ead2 Mon Sep 17 00:00:00 2001 From: "Liam R. Howlett" <Liam.Howlett(a)oracle.com> Date: Mon, 16 Jun 2025 14:45:20 -0400 Subject: [PATCH] maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Temporarily clear the preallocation flag when explicitly requesting allocations. Pre-existing allocations are already counted against the request through mas_node_count_gfp(), but the allocations will not happen if the MA_STATE_PREALLOC flag is set. This flag is meant to avoid re-allocating in bulk allocation mode, and to detect issues with preallocation calculations. The MA_STATE_PREALLOC flag should also always be set on zero allocations so that detection of underflow allocations will print a WARN_ON() during consumption. User visible effect of this flaw is a WARN_ON() followed by a null pointer dereference when subsequent requests for larger number of nodes is ignored, such as the vma merge retry in mmap_region() caused by drivers altering the vma flags (which happens in v6.6, at least) Link: https://lkml.kernel.org/r/20250616184521.3382795-3-Liam.Howlett@oracle.com Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Reported-by: Zhaoyang Huang <zhaoyang.huang(a)unisoc.com> Reported-by: Hailong Liu <hailong.liu(a)oppo.com> Link: https://lore.kernel.org/all/1652f7eb-a51b-4fee-8058-c73af63bacd1@oppo.com/ Link: https://lore.kernel.org/all/20250428184058.1416274-1-Liam.Howlett@oracle.co… Link: https://lore.kernel.org/all/20250429014754.1479118-1-Liam.Howlett@oracle.co… Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Hailong Liu <hailong.liu(a)oppo.com> Cc: zhangpeng.00(a)bytedance.com <zhangpeng.00(a)bytedance.com> Cc: Steve Kang <Steve.Kang(a)unisoc.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Sidhartha Kumar <sidhartha.kumar(a)oracle.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/lib/maple_tree.c b/lib/maple_tree.c index affe979bd14d..00524e55a21e 100644 --- a/lib/maple_tree.c +++ b/lib/maple_tree.c @@ -5527,8 +5527,9 @@ int mas_preallocate(struct ma_state *mas, void *entry, gfp_t gfp) mas->store_type = mas_wr_store_type(&wr_mas); request = mas_prealloc_calc(&wr_mas, entry); if (!request) - return ret; + goto set_flag; + mas->mas_flags &= ~MA_STATE_PREALLOC; mas_node_count_gfp(mas, request, gfp); if (mas_is_err(mas)) { mas_set_alloc_req(mas, 0); @@ -5538,6 +5539,7 @@ int mas_preallocate(struct ma_state *mas, void *entry, gfp_t gfp) return ret; } +set_flag: mas->mas_flags |= MA_STATE_PREALLOC; return ret; }

2 months, 1 week

3
3
0 0

[PATCH net] net: phy: realtek: Reset after clock enable

by Sebastian Reichel

On Radxa ROCK 4D boards we are seeing some issues with PHY detection and stability (e.g. link loss, or not capable of transceiving packages) after new board revisions switched from a dedicated crystal to providing the 25 MHz PHY input clock from the SoC instead. This board is using a RTL8211F PHY, which is connected to an always-on regulator. Unfortunately the datasheet does not explicitly mention the power-up sequence regarding the clock, but it seems to assume that the clock is always-on (i.e. dedicated crystal). By doing an explicit reset after enabling the clock, the issue on the boards could no longer be observed. Cc: stable(a)vger.kernel.org Fixes: 7300c9b574cc ("net: phy: realtek: Add optional external PHY clock") Signed-off-by: Sebastian Reichel <sebastian.reichel(a)collabora.com> --- drivers/net/phy/realtek/realtek_main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/net/phy/realtek/realtek_main.c b/drivers/net/phy/realtek/realtek_main.c index c3dcb62574303374666b46a454cd4e10de455d24..3a783f0c3b4f2a4f6aa63a16ad309e3471b0932a 100644 --- a/drivers/net/phy/realtek/realtek_main.c +++ b/drivers/net/phy/realtek/realtek_main.c @@ -231,6 +231,10 @@ static int rtl821x_probe(struct phy_device *phydev) return dev_err_probe(dev, PTR_ERR(priv->clk), "failed to get phy clock\n"); + /* enabling the clock might produce glitches, so hard-reset the PHY */ + phy_device_reset(phydev, 1); + phy_device_reset(phydev, 0); + ret = phy_read_paged(phydev, RTL8211F_PHYCR_PAGE, RTL8211F_PHYCR1); if (ret < 0) return ret; --- base-commit: 4c06e63b92038fadb566b652ec3ec04e228931e8 change-id: 20250704-phy-realtek-clock-fix-6cd393e8cb2a Best regards, -- Sebastian Reichel <sre(a)kernel.org>

2 months, 1 week

4
4
0 0

[PATCH] comedi: das6402: Fix bit shift out of bounds

by Ian Abbott

When checking for a supported IRQ number, the following test is used: /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ if ((1 << it->options[1]) & 0x8cec) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. Fixes: 79e5e6addbb1 ("staging: comedi: das6402: rewrite broken driver") Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm kernels 5.4.x and 5.10.x. --- drivers/comedi/drivers/das6402.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/comedi/drivers/das6402.c b/drivers/comedi/drivers/das6402.c index 68f95330de45..7660487e563c 100644 --- a/drivers/comedi/drivers/das6402.c +++ b/drivers/comedi/drivers/das6402.c @@ -567,7 +567,8 @@ static int das6402_attach(struct comedi_device *dev, das6402_reset(dev); /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ - if ((1 << it->options[1]) & 0x8cec) { + if (it->options[1] > 0 && it->options[1] < 16 && + (1 << it->options[1]) & 0x8cec) { ret = request_irq(it->options[1], das6402_interrupt, 0, dev->board_name, dev); if (ret == 0) { -- 2.47.2

2 months, 1 week

1
0
0 0

[PATCH] comedi: aio_iiro_16: Fix bit shift out of bounds

by Ian Abbott

When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. Fixes: ad7a370c8be4 ("staging: comedi: aio_iiro_16: add command support for change of state detection") Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm kernels 5.4.x and 5.10.x. --- drivers/comedi/drivers/aio_iiro_16.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/comedi/drivers/aio_iiro_16.c b/drivers/comedi/drivers/aio_iiro_16.c index b00fab0b89d4..739cc4db52ac 100644 --- a/drivers/comedi/drivers/aio_iiro_16.c +++ b/drivers/comedi/drivers/aio_iiro_16.c @@ -177,7 +177,8 @@ static int aio_iiro_16_attach(struct comedi_device *dev, * Digital input change of state interrupts are optionally supported * using IRQ 2-7, 10-12, 14, or 15. */ - if ((1 << it->options[1]) & 0xdcfc) { + if (it->options[1] > 0 && it->options[1] < 16 && + (1 << it->options[1]) & 0xdcfc) { ret = request_irq(it->options[1], aio_iiro_16_cos, 0, dev->board_name, dev); if (ret == 0) -- 2.47.2

2 months, 1 week

1
0
0 0

[PATCH] comedi: pcl812: Fix bit shift out of bounds

by Ian Abbott

When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & board->irq_bits) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. Reported-by: syzbot+32de323b0addb9e114ff(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=32de323b0addb9e114ff Fixes: fcdb427bc7cf ("Staging: comedi: add pcl821 driver") Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm kernels 5.4.x and 5.10.x. --- drivers/comedi/drivers/pcl812.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/comedi/drivers/pcl812.c b/drivers/comedi/drivers/pcl812.c index 0df639c6a595..abca61a72cf7 100644 --- a/drivers/comedi/drivers/pcl812.c +++ b/drivers/comedi/drivers/pcl812.c @@ -1149,7 +1149,8 @@ static int pcl812_attach(struct comedi_device *dev, struct comedi_devconfig *it) if (IS_ERR(dev->pacer)) return PTR_ERR(dev->pacer); - if ((1 << it->options[1]) & board->irq_bits) { + if (it->options[1] > 0 && it->options[1] < 16 && + (1 << it->options[1]) & board->irq_bits) { ret = request_irq(it->options[1], pcl812_interrupt, 0, dev->board_name, dev); if (ret == 0) -- 2.47.2

2 months, 1 week

1
0
0 0

FAILED: patch "[PATCH] mm/hugetlb: unshare page tables during VMA split, not before" failed to apply to 6.1-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 6.1-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y git checkout FETCH_HEAD git cherry-pick -x 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0 # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025062041-uplifted-cahoots-6c42@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0 Mon Sep 17 00:00:00 2001 From: Jann Horn <jannh(a)google.com> Date: Tue, 27 May 2025 23:23:53 +0200 Subject: [PATCH] mm/hugetlb: unshare page tables during VMA split, not before Currently, __split_vma() triggers hugetlb page table unsharing through vm_ops->may_split(). This happens before the VMA lock and rmap locks are taken - which is too early, it allows racing VMA-locked page faults in our process and racing rmap walks from other processes to cause page tables to be shared again before we actually perform the split. Fix it by explicitly calling into the hugetlb unshare logic from __split_vma() in the same place where THP splitting also happens. At that point, both the VMA and the rmap(s) are write-locked. An annoying detail is that we can now call into the helper hugetlb_unshare_pmds() from two different locking contexts: 1. from hugetlb_split(), holding: - mmap lock (exclusively) - VMA lock - file rmap lock (exclusively) 2. hugetlb_unshare_all_pmds(), which I think is designed to be able to call us with only the mmap lock held (in shared mode), but currently only runs while holding mmap lock (exclusively) and VMA lock Backporting note: This commit fixes a racy protection that was introduced in commit b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that commit claimed to fix an issue introduced in 5.13, but it should actually also go all the way back. [jannh(a)google.com: v2] Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-1-1329349bad1… Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-0-1329349bad1… Link: https://lkml.kernel.org/r/20250527-hugetlb-fixes-splitrace-v1-1-f4136f5ec58… Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page") Signed-off-by: Jann Horn <jannh(a)google.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> [b30c14cd6102: hugetlb: unshare some PMDs when splitting VMAs] Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h index 0598f36931de..42f374e828a2 100644 --- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -279,6 +279,7 @@ bool is_hugetlb_entry_migration(pte_t pte); bool is_hugetlb_entry_hwpoisoned(pte_t pte); void hugetlb_unshare_all_pmds(struct vm_area_struct *vma); void fixup_hugetlb_reservations(struct vm_area_struct *vma); +void hugetlb_split(struct vm_area_struct *vma, unsigned long addr); #else /* !CONFIG_HUGETLB_PAGE */ @@ -476,6 +477,8 @@ static inline void fixup_hugetlb_reservations(struct vm_area_struct *vma) { } +static inline void hugetlb_split(struct vm_area_struct *vma, unsigned long addr) {} + #endif /* !CONFIG_HUGETLB_PAGE */ #ifndef pgd_write diff --git a/mm/hugetlb.c b/mm/hugetlb.c index f0b1d53079f9..7ba020d489d4 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -121,7 +121,7 @@ static void hugetlb_vma_lock_free(struct vm_area_struct *vma); static void hugetlb_vma_lock_alloc(struct vm_area_struct *vma); static void __hugetlb_vma_unlock_write_free(struct vm_area_struct *vma); static void hugetlb_unshare_pmds(struct vm_area_struct *vma, - unsigned long start, unsigned long end); + unsigned long start, unsigned long end, bool take_locks); static struct resv_map *vma_resv_map(struct vm_area_struct *vma); static void hugetlb_free_folio(struct folio *folio) @@ -5426,26 +5426,40 @@ static int hugetlb_vm_op_split(struct vm_area_struct *vma, unsigned long addr) { if (addr & ~(huge_page_mask(hstate_vma(vma)))) return -EINVAL; + return 0; +} +void hugetlb_split(struct vm_area_struct *vma, unsigned long addr) +{ /* * PMD sharing is only possible for PUD_SIZE-aligned address ranges * in HugeTLB VMAs. If we will lose PUD_SIZE alignment due to this * split, unshare PMDs in the PUD_SIZE interval surrounding addr now. + * This function is called in the middle of a VMA split operation, with + * MM, VMA and rmap all write-locked to prevent concurrent page table + * walks (except hardware and gup_fast()). */ + vma_assert_write_locked(vma); + i_mmap_assert_write_locked(vma->vm_file->f_mapping); + if (addr & ~PUD_MASK) { - /* - * hugetlb_vm_op_split is called right before we attempt to - * split the VMA. We will need to unshare PMDs in the old and - * new VMAs, so let's unshare before we split. - */ unsigned long floor = addr & PUD_MASK; unsigned long ceil = floor + PUD_SIZE; - if (floor >= vma->vm_start && ceil <= vma->vm_end) - hugetlb_unshare_pmds(vma, floor, ceil); + if (floor >= vma->vm_start && ceil <= vma->vm_end) { + /* + * Locking: + * Use take_locks=false here. + * The file rmap lock is already held. + * The hugetlb VMA lock can't be taken when we already + * hold the file rmap lock, and we don't need it because + * its purpose is to synchronize against concurrent page + * table walks, which are not possible thanks to the + * locks held by our caller. + */ + hugetlb_unshare_pmds(vma, floor, ceil, /* take_locks = */ false); + } } - - return 0; } static unsigned long hugetlb_vm_op_pagesize(struct vm_area_struct *vma) @@ -7885,9 +7899,16 @@ void move_hugetlb_state(struct folio *old_folio, struct folio *new_folio, int re spin_unlock_irq(&hugetlb_lock); } +/* + * If @take_locks is false, the caller must ensure that no concurrent page table + * access can happen (except for gup_fast() and hardware page walks). + * If @take_locks is true, we take the hugetlb VMA lock (to lock out things like + * concurrent page fault handling) and the file rmap lock. + */ static void hugetlb_unshare_pmds(struct vm_area_struct *vma, unsigned long start, - unsigned long end) + unsigned long end, + bool take_locks) { struct hstate *h = hstate_vma(vma); unsigned long sz = huge_page_size(h); @@ -7911,8 +7932,12 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma, mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, mm, start, end); mmu_notifier_invalidate_range_start(&range); - hugetlb_vma_lock_write(vma); - i_mmap_lock_write(vma->vm_file->f_mapping); + if (take_locks) { + hugetlb_vma_lock_write(vma); + i_mmap_lock_write(vma->vm_file->f_mapping); + } else { + i_mmap_assert_write_locked(vma->vm_file->f_mapping); + } for (address = start; address < end; address += PUD_SIZE) { ptep = hugetlb_walk(vma, address, sz); if (!ptep) @@ -7922,8 +7947,10 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma, spin_unlock(ptl); } flush_hugetlb_tlb_range(vma, start, end); - i_mmap_unlock_write(vma->vm_file->f_mapping); - hugetlb_vma_unlock_write(vma); + if (take_locks) { + i_mmap_unlock_write(vma->vm_file->f_mapping); + hugetlb_vma_unlock_write(vma); + } /* * No need to call mmu_notifier_arch_invalidate_secondary_tlbs(), see * Documentation/mm/mmu_notifier.rst. @@ -7938,7 +7965,8 @@ static void hugetlb_unshare_pmds(struct vm_area_struct *vma, void hugetlb_unshare_all_pmds(struct vm_area_struct *vma) { hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE), - ALIGN_DOWN(vma->vm_end, PUD_SIZE)); + ALIGN_DOWN(vma->vm_end, PUD_SIZE), + /* take_locks = */ true); } /* diff --git a/mm/vma.c b/mm/vma.c index 1c6595f282e5..7ebc9eb608f4 100644 --- a/mm/vma.c +++ b/mm/vma.c @@ -539,7 +539,14 @@ __split_vma(struct vma_iterator *vmi, struct vm_area_struct *vma, init_vma_prep(&vp, vma); vp.insert = new; vma_prepare(&vp); + + /* + * Get rid of huge pages and shared page tables straddling the split + * boundary. + */ vma_adjust_trans_huge(vma, vma->vm_start, addr, NULL); + if (is_vm_hugetlb_page(vma)) + hugetlb_split(vma, addr); if (new_below) { vma->vm_start = addr; diff --git a/tools/testing/vma/vma_internal.h b/tools/testing/vma/vma_internal.h index 441feb21aa5a..4505b1c31be1 100644 --- a/tools/testing/vma/vma_internal.h +++ b/tools/testing/vma/vma_internal.h @@ -932,6 +932,8 @@ static inline void vma_adjust_trans_huge(struct vm_area_struct *vma, (void)next; } +static inline void hugetlb_split(struct vm_area_struct *, unsigned long) {} + static inline void vma_iter_free(struct vma_iterator *vmi) { mas_destroy(&vmi->mas);

2 months, 1 week

4
8
0 0

[PATCH] comedi: das16m1: Fix bit shift out of bounds

by Ian Abbott

When checking for a supported IRQ number, the following test is used: /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Reported-by: syzbot+c52293513298e0fd9a94(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c52293513298e0fd9a94 Fixes: 729988507680 ("staging: comedi: das16m1: tidy up the irq support in das16m1_attach()") Tested-by: syzbot+c52293513298e0fd9a94(a)syzkaller.appspotmail.com Suggested-by: "Enju, Kohei" <enjuk(a)amazon.co.jp> Cc: <stable(a)vger.kernel.org> # 5.13+ Signed-off-by: Ian Abbott <abbotti(a)mev.co.uk> --- Patch does not apply cleanly to longterm kernels 5.4.x and 5.10.x. --- drivers/comedi/drivers/das16m1.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/comedi/drivers/das16m1.c b/drivers/comedi/drivers/das16m1.c index b8ea737ad3d1..1b638f5b5a4f 100644 --- a/drivers/comedi/drivers/das16m1.c +++ b/drivers/comedi/drivers/das16m1.c @@ -522,7 +522,8 @@ static int das16m1_attach(struct comedi_device *dev, devpriv->extra_iobase = dev->iobase + DAS16M1_8255_IOBASE; /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ - if ((1 << it->options[1]) & 0xdcfc) { + if (it->options[1] >= 2 && it->options[1] <= 15 && + (1 << it->options[1]) & 0xdcfc) { ret = request_irq(it->options[1], das16m1_interrupt, 0, dev->board_name, dev); if (ret == 0) -- 2.47.2

2 months, 1 week

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror