- Linux-stable-mirror - lists.linaro.org

[PATCH AUTOSEL 5.10 1/6] atm: idt77252: Add missing `dma_map_error()`

by Sasha Levin

From: Thomas Fourier <fourier.thomas(a)gmail.com> [ Upstream commit c4890963350dcf4e9a909bae23665921fba4ad27 ] The DMA map functions can fail and should be tested for errors. Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20250624064148.12815-3-fourier.thomas@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. ## Detailed Analysis: **Nature of the fix:** The commit adds missing error checking for `dma_map_single()` calls in two locations within the idt77252 ATM driver: 1. **In `queue_skb()` function (line 853-854):** ```c IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; ``` This correctly returns -ENOMEM before reaching the errout label, avoiding any cleanup issues since the DMA mapping never succeeded. 2. **In `add_rx_skb()` function (line 1857-1860):** ```c paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; ``` This properly jumps to the new `outpoolrm` label which removes the SKB from the pool before freeing it, maintaining correct cleanup order. **Why this qualifies for stable backporting:** 1. **Fixes a real bug**: Missing DMA mapping error checks can cause system crashes or data corruption, especially on systems with IOMMU or SWIOTLB where DMA mapping failures are more likely. 2. **Simple and contained**: The fix adds only 5 lines of error checking code with no architectural changes. 3. **Similar to approved backports**: This follows the exact same pattern as Similar Commits #1 (eni driver) and #2 (aic94xx driver) which were both marked "YES" for backporting. 4. **Long-standing issue**: The driver has existed since at least 2005 (Linux 2.6.12-rc2), meaning this bug has been present for nearly 20 years. 5. **Minimal regression risk**: The changes only add error checking; they don't modify any existing logic paths. 6. **Proper error handling**: Both error paths are correctly implemented with appropriate cleanup sequences. The commit clearly meets all stable tree criteria as an important bug fix with minimal risk and should be backported to protect users from potential DMA-related crashes. drivers/atm/idt77252.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c index 25fd73fafb371..89b0ed8e51430 100644 --- a/drivers/atm/idt77252.c +++ b/drivers/atm/idt77252.c @@ -852,6 +852,8 @@ queue_skb(struct idt77252_dev *card, struct vc_map *vc, IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; error = -EINVAL; @@ -1863,6 +1865,8 @@ add_rx_skb(struct idt77252_dev *card, int queue, paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; IDT77252_PRV_PADDR(skb) = paddr; if (push_rx_skb(card, skb, queue)) { @@ -1877,6 +1881,7 @@ add_rx_skb(struct idt77252_dev *card, int queue, dma_unmap_single(&card->pcidev->dev, IDT77252_PRV_PADDR(skb), skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +outpoolrm: handle = IDT77252_PRV_POOL(skb); card->sbpool[POOL_QUEUE(handle)].skb[POOL_INDEX(handle)] = NULL; -- 2.39.5

1 week, 3 days

1
5
0 0

[PATCH AUTOSEL 5.15 1/7] atm: idt77252: Add missing `dma_map_error()`

by Sasha Levin

From: Thomas Fourier <fourier.thomas(a)gmail.com> [ Upstream commit c4890963350dcf4e9a909bae23665921fba4ad27 ] The DMA map functions can fail and should be tested for errors. Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20250624064148.12815-3-fourier.thomas@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. ## Detailed Analysis: **Nature of the fix:** The commit adds missing error checking for `dma_map_single()` calls in two locations within the idt77252 ATM driver: 1. **In `queue_skb()` function (line 853-854):** ```c IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; ``` This correctly returns -ENOMEM before reaching the errout label, avoiding any cleanup issues since the DMA mapping never succeeded. 2. **In `add_rx_skb()` function (line 1857-1860):** ```c paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; ``` This properly jumps to the new `outpoolrm` label which removes the SKB from the pool before freeing it, maintaining correct cleanup order. **Why this qualifies for stable backporting:** 1. **Fixes a real bug**: Missing DMA mapping error checks can cause system crashes or data corruption, especially on systems with IOMMU or SWIOTLB where DMA mapping failures are more likely. 2. **Simple and contained**: The fix adds only 5 lines of error checking code with no architectural changes. 3. **Similar to approved backports**: This follows the exact same pattern as Similar Commits #1 (eni driver) and #2 (aic94xx driver) which were both marked "YES" for backporting. 4. **Long-standing issue**: The driver has existed since at least 2005 (Linux 2.6.12-rc2), meaning this bug has been present for nearly 20 years. 5. **Minimal regression risk**: The changes only add error checking; they don't modify any existing logic paths. 6. **Proper error handling**: Both error paths are correctly implemented with appropriate cleanup sequences. The commit clearly meets all stable tree criteria as an important bug fix with minimal risk and should be backported to protect users from potential DMA-related crashes. drivers/atm/idt77252.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c index 7810f974b2ca9..d9ee20f0048fe 100644 --- a/drivers/atm/idt77252.c +++ b/drivers/atm/idt77252.c @@ -852,6 +852,8 @@ queue_skb(struct idt77252_dev *card, struct vc_map *vc, IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; error = -EINVAL; @@ -1857,6 +1859,8 @@ add_rx_skb(struct idt77252_dev *card, int queue, paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; IDT77252_PRV_PADDR(skb) = paddr; if (push_rx_skb(card, skb, queue)) { @@ -1871,6 +1875,7 @@ add_rx_skb(struct idt77252_dev *card, int queue, dma_unmap_single(&card->pcidev->dev, IDT77252_PRV_PADDR(skb), skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +outpoolrm: handle = IDT77252_PRV_POOL(skb); card->sbpool[POOL_QUEUE(handle)].skb[POOL_INDEX(handle)] = NULL; -- 2.39.5

1 week, 3 days

1
6
0 0

[PATCH AUTOSEL 6.1 01/10] atm: idt77252: Add missing `dma_map_error()`

by Sasha Levin

From: Thomas Fourier <fourier.thomas(a)gmail.com> [ Upstream commit c4890963350dcf4e9a909bae23665921fba4ad27 ] The DMA map functions can fail and should be tested for errors. Signed-off-by: Thomas Fourier <fourier.thomas(a)gmail.com> Reviewed-by: Simon Horman <horms(a)kernel.org> Link: https://patch.msgid.link/20250624064148.12815-3-fourier.thomas@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees. ## Detailed Analysis: **Nature of the fix:** The commit adds missing error checking for `dma_map_single()` calls in two locations within the idt77252 ATM driver: 1. **In `queue_skb()` function (line 853-854):** ```c IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; ``` This correctly returns -ENOMEM before reaching the errout label, avoiding any cleanup issues since the DMA mapping never succeeded. 2. **In `add_rx_skb()` function (line 1857-1860):** ```c paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; ``` This properly jumps to the new `outpoolrm` label which removes the SKB from the pool before freeing it, maintaining correct cleanup order. **Why this qualifies for stable backporting:** 1. **Fixes a real bug**: Missing DMA mapping error checks can cause system crashes or data corruption, especially on systems with IOMMU or SWIOTLB where DMA mapping failures are more likely. 2. **Simple and contained**: The fix adds only 5 lines of error checking code with no architectural changes. 3. **Similar to approved backports**: This follows the exact same pattern as Similar Commits #1 (eni driver) and #2 (aic94xx driver) which were both marked "YES" for backporting. 4. **Long-standing issue**: The driver has existed since at least 2005 (Linux 2.6.12-rc2), meaning this bug has been present for nearly 20 years. 5. **Minimal regression risk**: The changes only add error checking; they don't modify any existing logic paths. 6. **Proper error handling**: Both error paths are correctly implemented with appropriate cleanup sequences. The commit clearly meets all stable tree criteria as an important bug fix with minimal risk and should be backported to protect users from potential DMA-related crashes. drivers/atm/idt77252.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c index 7810f974b2ca9..d9ee20f0048fe 100644 --- a/drivers/atm/idt77252.c +++ b/drivers/atm/idt77252.c @@ -852,6 +852,8 @@ queue_skb(struct idt77252_dev *card, struct vc_map *vc, IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data, skb->len, DMA_TO_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb))) + return -ENOMEM; error = -EINVAL; @@ -1857,6 +1859,8 @@ add_rx_skb(struct idt77252_dev *card, int queue, paddr = dma_map_single(&card->pcidev->dev, skb->data, skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); + if (dma_mapping_error(&card->pcidev->dev, paddr)) + goto outpoolrm; IDT77252_PRV_PADDR(skb) = paddr; if (push_rx_skb(card, skb, queue)) { @@ -1871,6 +1875,7 @@ add_rx_skb(struct idt77252_dev *card, int queue, dma_unmap_single(&card->pcidev->dev, IDT77252_PRV_PADDR(skb), skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE); +outpoolrm: handle = IDT77252_PRV_POOL(skb); card->sbpool[POOL_QUEUE(handle)].skb[POOL_INDEX(handle)] = NULL; -- 2.39.5

1 week, 3 days

1
9
0 0

[PATCH AUTOSEL 6.6 01/14] ublk: sanity check add_dev input for underflow

by Sasha Levin

From: Ronnie Sahlberg <rsahlberg(a)whamcloud.com> [ Upstream commit 969127bf0783a4ac0c8a27e633a9e8ea1738583f ] Add additional checks that queue depth and number of queues are non-zero. Signed-off-by: Ronnie Sahlberg <rsahlberg(a)whamcloud.com> Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20250626022046.235018-1-ronniesahlberg@gmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees for the following reasons: **1. Fixes a Critical Input Validation Bug** The commit addresses a serious bug where userspace could pass zero values for `queue_depth` or `nr_hw_queues`, leading to: - Memory allocation failures (`kcalloc(0, ubq_size, GFP_KERNEL)` in `ublk_init_queues()`) - Non-functional block devices with zero queues - Potential kernel crashes or undefined behavior **2. Minimal and Contained Fix** The change is extremely minimal - just adding two checks to an existing validation: ```diff - if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES) + if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth || + info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues) ``` **3. Prevents Security/Stability Issues** Based on the kernel source analysis: - `ublk_init_queues()` uses these values directly for memory allocation - Multiple loops iterate based on `nr_hw_queues` - zero would skip all initialization - The block layer's `blk_mq_alloc_tag_set()` expects non-zero values **4. Similar to Previously Backported Commits** This is very similar to "block: ublk: extending queue_size to fix overflow" (Similar Commit #2), which was marked YES for backporting. Both fix input validation issues that could cause memory/stability problems. **5. Clear Bug Fix Following Stable Rules** - Fixes a real bug (not theoretical) - No new features or architectural changes - Minimal risk - simply rejects invalid input - Confined to the ublk subsystem - Prevents userspace from creating broken/dangerous kernel state The commit prevents userspace from triggering undefined behavior in the kernel by passing invalid parameters, which is exactly the type of bug fix that belongs in stable kernels. drivers/block/ublk_drv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index df3e5aab4b5ac..8c873a8e39cd9 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -2323,7 +2323,8 @@ static int ublk_ctrl_add_dev(struct io_uring_cmd *cmd) if (copy_from_user(&info, argp, sizeof(info))) return -EFAULT; - if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES) + if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth || + info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues) return -EINVAL; if (capable(CAP_SYS_ADMIN)) -- 2.39.5

1 week, 3 days

1
13
0 0

[PATCH AUTOSEL 6.12 01/21] ublk: sanity check add_dev input for underflow

by Sasha Levin

From: Ronnie Sahlberg <rsahlberg(a)whamcloud.com> [ Upstream commit 969127bf0783a4ac0c8a27e633a9e8ea1738583f ] Add additional checks that queue depth and number of queues are non-zero. Signed-off-by: Ronnie Sahlberg <rsahlberg(a)whamcloud.com> Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20250626022046.235018-1-ronniesahlberg@gmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees for the following reasons: **1. Fixes a Critical Input Validation Bug** The commit addresses a serious bug where userspace could pass zero values for `queue_depth` or `nr_hw_queues`, leading to: - Memory allocation failures (`kcalloc(0, ubq_size, GFP_KERNEL)` in `ublk_init_queues()`) - Non-functional block devices with zero queues - Potential kernel crashes or undefined behavior **2. Minimal and Contained Fix** The change is extremely minimal - just adding two checks to an existing validation: ```diff - if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES) + if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth || + info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues) ``` **3. Prevents Security/Stability Issues** Based on the kernel source analysis: - `ublk_init_queues()` uses these values directly for memory allocation - Multiple loops iterate based on `nr_hw_queues` - zero would skip all initialization - The block layer's `blk_mq_alloc_tag_set()` expects non-zero values **4. Similar to Previously Backported Commits** This is very similar to "block: ublk: extending queue_size to fix overflow" (Similar Commit #2), which was marked YES for backporting. Both fix input validation issues that could cause memory/stability problems. **5. Clear Bug Fix Following Stable Rules** - Fixes a real bug (not theoretical) - No new features or architectural changes - Minimal risk - simply rejects invalid input - Confined to the ublk subsystem - Prevents userspace from creating broken/dangerous kernel state The commit prevents userspace from triggering undefined behavior in the kernel by passing invalid parameters, which is exactly the type of bug fix that belongs in stable kernels. drivers/block/ublk_drv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index 746ef36e58df2..3b1a5cdd63116 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -2457,7 +2457,8 @@ static int ublk_ctrl_add_dev(struct io_uring_cmd *cmd) if (copy_from_user(&info, argp, sizeof(info))) return -EFAULT; - if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES) + if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth || + info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues) return -EINVAL; if (capable(CAP_SYS_ADMIN)) -- 2.39.5

1 week, 3 days

1
20
0 0

[PATCH AUTOSEL 6.15 01/23] ublk: sanity check add_dev input for underflow

by Sasha Levin

From: Ronnie Sahlberg <rsahlberg(a)whamcloud.com> [ Upstream commit 969127bf0783a4ac0c8a27e633a9e8ea1738583f ] Add additional checks that queue depth and number of queues are non-zero. Signed-off-by: Ronnie Sahlberg <rsahlberg(a)whamcloud.com> Reviewed-by: Ming Lei <ming.lei(a)redhat.com> Link: https://lore.kernel.org/r/20250626022046.235018-1-ronniesahlberg@gmail.com Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- **YES** This commit should be backported to stable kernel trees for the following reasons: **1. Fixes a Critical Input Validation Bug** The commit addresses a serious bug where userspace could pass zero values for `queue_depth` or `nr_hw_queues`, leading to: - Memory allocation failures (`kcalloc(0, ubq_size, GFP_KERNEL)` in `ublk_init_queues()`) - Non-functional block devices with zero queues - Potential kernel crashes or undefined behavior **2. Minimal and Contained Fix** The change is extremely minimal - just adding two checks to an existing validation: ```diff - if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES) + if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth || + info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues) ``` **3. Prevents Security/Stability Issues** Based on the kernel source analysis: - `ublk_init_queues()` uses these values directly for memory allocation - Multiple loops iterate based on `nr_hw_queues` - zero would skip all initialization - The block layer's `blk_mq_alloc_tag_set()` expects non-zero values **4. Similar to Previously Backported Commits** This is very similar to "block: ublk: extending queue_size to fix overflow" (Similar Commit #2), which was marked YES for backporting. Both fix input validation issues that could cause memory/stability problems. **5. Clear Bug Fix Following Stable Rules** - Fixes a real bug (not theoretical) - No new features or architectural changes - Minimal risk - simply rejects invalid input - Confined to the ublk subsystem - Prevents userspace from creating broken/dangerous kernel state The commit prevents userspace from triggering undefined behavior in the kernel by passing invalid parameters, which is exactly the type of bug fix that belongs in stable kernels. drivers/block/ublk_drv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c index 8a482853a75ed..0e017eae97fb1 100644 --- a/drivers/block/ublk_drv.c +++ b/drivers/block/ublk_drv.c @@ -2710,7 +2710,8 @@ static int ublk_ctrl_add_dev(const struct ublksrv_ctrl_cmd *header) if (copy_from_user(&info, argp, sizeof(info))) return -EFAULT; - if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || info.nr_hw_queues > UBLK_MAX_NR_QUEUES) + if (info.queue_depth > UBLK_MAX_QUEUE_DEPTH || !info.queue_depth || + info.nr_hw_queues > UBLK_MAX_NR_QUEUES || !info.nr_hw_queues) return -EINVAL; if (capable(CAP_SYS_ADMIN)) -- 2.39.5

1 week, 3 days

1
22
0 0

[PATCH] media: uvcvideo: fix build error in uvc_ctrl_cleanup_fh

by Desnes Nunes

This fixes the following compilation failure: "error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode" Cc: stable(a)vger.kernel.org Fixes: 221cd51efe45 ("media: uvcvideo: Remove dangling pointers") Signed-off-by: Desnes Nunes <desnesn(a)redhat.com> --- drivers/media/usb/uvc/uvc_ctrl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c index 44b6513c5264..532615d8484b 100644 --- a/drivers/media/usb/uvc/uvc_ctrl.c +++ b/drivers/media/usb/uvc/uvc_ctrl.c @@ -3260,7 +3260,7 @@ int uvc_ctrl_init_device(struct uvc_device *dev) void uvc_ctrl_cleanup_fh(struct uvc_fh *handle) { struct uvc_entity *entity; - int i; + unsigned int i; guard(mutex)(&handle->chain->ctrl_mutex); @@ -3268,7 +3268,7 @@ void uvc_ctrl_cleanup_fh(struct uvc_fh *handle) return; list_for_each_entry(entity, &handle->chain->dev->entities, list) { - for (unsigned int i = 0; i < entity->ncontrols; ++i) { + for (i = 0; i < entity->ncontrols; ++i) { if (entity->controls[i].handle != handle) continue; uvc_ctrl_set_handle(handle, &entity->controls[i], NULL); -- 2.49.0

1 week, 3 days

4
6
0 0

[PATCH] i2c/designware: Fix an initialization issue

by Michael J. Ruhl

The i2c_dw_xfer_init() function requires msgs and msg_write_idx from the dev context to be initialized. amd_i2c_dw_xfer_quirk() inits msgs and msgs_num, but not msg_write_idx. This could allow an out of bounds access (of msgs). Initialize msg_write_idx before calling i2c_dw_xfer_init(). Reviewed-by: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Fixes: 17631e8ca2d3 ("i2c: designware: Add driver support for AMD NAVI GPU") Cc: <stable(a)vger.kernel.org> Signed-off-by: Michael J. Ruhl <michael.j.ruhl(a)intel.com> --- drivers/i2c/busses/i2c-designware-master.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/i2c/busses/i2c-designware-master.c b/drivers/i2c/busses/i2c-designware-master.c index c5394229b77f..40aa5114bf8c 100644 --- a/drivers/i2c/busses/i2c-designware-master.c +++ b/drivers/i2c/busses/i2c-designware-master.c @@ -363,6 +363,7 @@ static int amd_i2c_dw_xfer_quirk(struct i2c_adapter *adap, struct i2c_msg *msgs, dev->msgs = msgs; dev->msgs_num = num_msgs; + dev->msg_write_idx = 0; i2c_dw_xfer_init(dev); /* Initiate messages read/write transaction */ -- 2.49.0

1 week, 3 days

2
1
0 0

[PATCH 5.10 1/2] string.h: add array-wrappers for (v)memdup_user()

by Fedor Pchelkin

From: Philipp Stanner <pstanner(a)redhat.com> commit 313ebe47d75558511aa1237b6e35c663b5c0ec6f upstream. Currently, user array duplications are sometimes done without an overflow check. Sometimes the checks are done manually; sometimes the array size is calculated with array_size() and sometimes by calculating n * size directly in code. Introduce wrappers for arrays for memdup_user() and vmemdup_user() to provide a standardized and safe way for duplicating user arrays. This is both for new code as well as replacing usage of (v)memdup_user() in existing code that uses, e.g., n * size to calculate array sizes. Suggested-by: David Airlie <airlied(a)redhat.com> Signed-off-by: Philipp Stanner <pstanner(a)redhat.com> Reviewed-by: Andy Shevchenko <andy.shevchenko(a)gmail.com> Reviewed-by: Kees Cook <keescook(a)chromium.org> Reviewed-by: Zack Rusin <zackr(a)vmware.com> Signed-off-by: Dave Airlie <airlied(a)redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20230920123612.16914-3-pstann… [ fp: fix small conflict in header includes; take linux/errno.h as well ] Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- s390 and x86_64 allmodconfig build passed. include/linux/string.h | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/include/linux/string.h b/include/linux/string.h index 0cef345a6e87..cd8c007ad3be 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -5,6 +5,9 @@ #include <linux/compiler.h> /* for inline */ #include <linux/types.h> /* for size_t */ #include <linux/stddef.h> /* for NULL */ +#include <linux/err.h> /* for ERR_PTR() */ +#include <linux/errno.h> /* for E2BIG */ +#include <linux/overflow.h> /* for check_mul_overflow() */ #include <stdarg.h> #include <uapi/linux/string.h> @@ -13,6 +16,44 @@ extern void *memdup_user(const void __user *, size_t); extern void *vmemdup_user(const void __user *, size_t); extern void *memdup_user_nul(const void __user *, size_t); +/** + * memdup_array_user - duplicate array from user space + * @src: source address in user space + * @n: number of array members to copy + * @size: size of one array member + * + * Return: an ERR_PTR() on failure. Result is physically + * contiguous, to be freed by kfree(). + */ +static inline void *memdup_array_user(const void __user *src, size_t n, size_t size) +{ + size_t nbytes; + + if (check_mul_overflow(n, size, &nbytes)) + return ERR_PTR(-EOVERFLOW); + + return memdup_user(src, nbytes); +} + +/** + * vmemdup_array_user - duplicate array from user space + * @src: source address in user space + * @n: number of array members to copy + * @size: size of one array member + * + * Return: an ERR_PTR() on failure. Result may be not + * physically contiguous. Use kvfree() to free. + */ +static inline void *vmemdup_array_user(const void __user *src, size_t n, size_t size) +{ + size_t nbytes; + + if (check_mul_overflow(n, size, &nbytes)) + return ERR_PTR(-EOVERFLOW); + + return vmemdup_user(src, nbytes); +} + /* * Include machine specific inline routines */ -- 2.50.0

1 week, 3 days

1
1
0 0

[PATCH net v3 1/2] virtio-net: xsk: rx: fix the frame's length check

by Bui Quang Minh

When calling buf_to_xdp, the len argument is the frame data's length without virtio header's length (vi->hdr_len). We check that len with xsk_pool_get_rx_frame_size() + vi->hdr_len to ensure the provided len does not larger than the allocated chunk size. The additional vi->hdr_len is because in virtnet_add_recvbuf_xsk, we use part of XDP_PACKET_HEADROOM for virtio header and ask the vhost to start placing data from hard_start + XDP_PACKET_HEADROOM - vi->hdr_len not hard_start + XDP_PACKET_HEADROOM But the first buffer has virtio_header, so the maximum frame's length in the first buffer can only be xsk_pool_get_rx_frame_size() not xsk_pool_get_rx_frame_size() + vi->hdr_len like in the current check. This commit adds an additional argument to buf_to_xdp differentiate between the first buffer and other ones to correctly calculate the maximum frame's length. Cc: stable(a)vger.kernel.org Reviewed-by: Xuan Zhuo <xuanzhuo(a)linux.alibaba.com> Fixes: a4e7ba702701 ("virtio_net: xsk: rx: support recv small mode") Signed-off-by: Bui Quang Minh <minhquangbui99(a)gmail.com> --- drivers/net/virtio_net.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index e53ba600605a..1eb237cd5d0b 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -1127,15 +1127,29 @@ static void check_sq_full_and_disable(struct virtnet_info *vi, } } +/* Note that @len is the length of received data without virtio header */ static struct xdp_buff *buf_to_xdp(struct virtnet_info *vi, - struct receive_queue *rq, void *buf, u32 len) + struct receive_queue *rq, void *buf, + u32 len, bool first_buf) { struct xdp_buff *xdp; u32 bufsize; xdp = (struct xdp_buff *)buf; - bufsize = xsk_pool_get_rx_frame_size(rq->xsk_pool) + vi->hdr_len; + /* In virtnet_add_recvbuf_xsk, we use part of XDP_PACKET_HEADROOM for + * virtio header and ask the vhost to fill data from + * hard_start + XDP_PACKET_HEADROOM - vi->hdr_len + * The first buffer has virtio header so the remaining region for frame + * data is + * xsk_pool_get_rx_frame_size() + * While other buffers than the first one do not have virtio header, so + * the maximum frame data's length can be + * xsk_pool_get_rx_frame_size() + vi->hdr_len + */ + bufsize = xsk_pool_get_rx_frame_size(rq->xsk_pool); + if (!first_buf) + bufsize += vi->hdr_len; if (unlikely(len > bufsize)) { pr_debug("%s: rx error: len %u exceeds truesize %u\n", @@ -1260,7 +1274,7 @@ static int xsk_append_merge_buffer(struct virtnet_info *vi, u64_stats_add(&stats->bytes, len); - xdp = buf_to_xdp(vi, rq, buf, len); + xdp = buf_to_xdp(vi, rq, buf, len, false); if (!xdp) goto err; @@ -1358,7 +1372,7 @@ static void virtnet_receive_xsk_buf(struct virtnet_info *vi, struct receive_queu u64_stats_add(&stats->bytes, len); - xdp = buf_to_xdp(vi, rq, buf, len); + xdp = buf_to_xdp(vi, rq, buf, len, true); if (!xdp) return; -- 2.43.0

1 week, 3 days

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror