- Linux-stable-mirror - lists.linaro.org

[PATCH] crypto: padlock-sha - Disable broken driver

by Eric Biggers

This driver is known broken, as it computes the wrong SHA-1 and SHA-256 hashes. Correctness needs to be the first priority for cryptographic code. Just disable it, allowing the standard (and actually correct) SHA-1 and SHA-256 implementations to take priority. Reported-by: larryw3i <larryw3i(a)yeah.net> Closes: https://lore.kernel.org/r/3af01fec-b4d3-4d0c-9450-2b722d4bbe39@yeah.net/ Closes: https://lists.debian.org/debian-kernel/2025/09/msg00019.html Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113996 Cc: stable(a)vger.kernel.org Cc: AlanSong-oc(a)zhaoxin.com Cc: CobeChen(a)zhaoxin.com Cc: GeorgeXue(a)zhaoxin.com Cc: HansHu(a)zhaoxin.com Cc: LeoLiu-oc(a)zhaoxin.com Cc: TonyWWang-oc(a)zhaoxin.com Cc: YunShen(a)zhaoxin.com Signed-off-by: Eric Biggers <ebiggers(a)kernel.org> --- This patch is targeting crypto/master drivers/crypto/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig index a6688d54984c..16ea3e741350 100644 --- a/drivers/crypto/Kconfig +++ b/drivers/crypto/Kconfig @@ -38,11 +38,11 @@ config CRYPTO_DEV_PADLOCK_AES If unsure say M. The compiled module will be called padlock-aes. config CRYPTO_DEV_PADLOCK_SHA tristate "PadLock driver for SHA1 and SHA256 algorithms" - depends on CRYPTO_DEV_PADLOCK + depends on CRYPTO_DEV_PADLOCK && BROKEN select CRYPTO_HASH select CRYPTO_SHA1 select CRYPTO_SHA256 help Use VIA PadLock for SHA1/SHA256 algorithms. base-commit: 59b0afd01b2ce353ab422ea9c8375b03db313a21 -- 2.51.2

1 day, 3 hours

4
6
0 0

[PATCH v2] drm/xe/exec: Validate num_syncs to prevent oversized allocations

by Shuicheng Lin

The exec ioctl allows userspace to specify an arbitrary num_syncs value. Without bounds checking, a very large num_syncs can force an excessively large allocation, leading to kernel warnings from the page allocator as below. Introduce XE_EXEC_MAX_SYNCS (set to 64) and reject any request exceeding this limit. " ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124 ... Call Trace: <TASK> alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416 ___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317 __kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348 __do_kmalloc_node mm/slub.c:4364 [inline] __kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388 kmalloc_noprof include/linux/slab.h:909 [inline] kmalloc_array_noprof include/linux/slab.h:948 [inline] xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158 drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797 drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894 xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... " v2: Add "Reported-by" and Cc stable kernels. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6450 Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Reported-by: Koen Koning <koen.koning(a)intel.com> Reported-by: Peter Senna Tschudin <peter.senna(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> Cc: Matthew Brost <matthew.brost(a)intel.com> Signed-off-by: Shuicheng Lin <shuicheng.lin(a)intel.com> --- drivers/gpu/drm/xe/xe_exec.c | 5 +++++ include/uapi/drm/xe_drm.h | 1 + 2 files changed, 6 insertions(+) diff --git a/drivers/gpu/drm/xe/xe_exec.c b/drivers/gpu/drm/xe/xe_exec.c index 4d81210e41f5..01c56fd95d5b 100644 --- a/drivers/gpu/drm/xe/xe_exec.c +++ b/drivers/gpu/drm/xe/xe_exec.c @@ -162,6 +162,11 @@ int xe_exec_ioctl(struct drm_device *dev, void *data, struct drm_file *file) } if (args->num_syncs) { + if (XE_IOCTL_DBG(xe, args->num_syncs > XE_EXEC_MAX_SYNCS)) { + err = -EINVAL; + goto err_exec_queue; + } + syncs = kcalloc(args->num_syncs, sizeof(*syncs), GFP_KERNEL); if (!syncs) { err = -ENOMEM; diff --git a/include/uapi/drm/xe_drm.h b/include/uapi/drm/xe_drm.h index 47853659a705..1901ca26621a 100644 --- a/include/uapi/drm/xe_drm.h +++ b/include/uapi/drm/xe_drm.h @@ -1463,6 +1463,7 @@ struct drm_xe_exec { /** @exec_queue_id: Exec queue ID for the batch buffer */ __u32 exec_queue_id; +#define XE_EXEC_MAX_SYNCS 64 /** @num_syncs: Amount of struct drm_xe_sync in array. */ __u32 num_syncs; -- 2.49.0

1 day, 3 hours

2
1
0 0

[PATCH] arm64: dts: intel: agilex5: Add fallback compatible for XGMAC

by muhamm120

Add "snps,dwxgmac" as fallback compatible string to all three gmac nodes (gmac0, gmac1, gmac2) in Agilex5 DTSI. With the fallback present, the generic dwmac driver can properly initialize the XGMAC2 hardware, allowing ethernet to function correctly. This fixes ethernet regression test failures on Agilex3/Agilex5 SOCDK platforms. Fixes: 343ea11a2fe3 ("arm64: dts: Agilex5 Add gmac nodes to DTSI for Agilex5") Cc: stable(a)vger.kernel.org # 6.18+ Signed-off-by: Muhammad Amirul Asyraf Mohamad Jamian <muhammad.amirul. asyraf.mohamad.jamian(a)intel.com> --- arch/arm64/boot/dts/intel/socfpga_agilex5.dtsi | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/arch/arm64/boot/dts/intel/socfpga_agilex5.dtsi b/arch/arm64/boot/dts/intel/socfpga_agilex5.dtsi index a5c2025a616e..942773e96d02 100644 --- a/arch/arm64/boot/dts/intel/socfpga_agilex5.dtsi +++ b/arch/arm64/boot/dts/intel/socfpga_agilex5.dtsi @@ -544,7 +544,8 @@ qspi: spi@108d2000 { gmac0: ethernet@10810000 { compatible = "altr,socfpga-stmmac-agilex5", - "snps,dwxgmac-2.10"; + "snps,dwxgmac-2.10", + "snps,dwxgmac"; reg = <0x10810000 0x3500>; interrupts = <GIC_SPI 190 IRQ_TYPE_LEVEL_HIGH>; interrupt-names = "macirq"; @@ -656,7 +657,8 @@ queue7 { gmac1: ethernet@10820000 { compatible = "altr,socfpga-stmmac-agilex5", - "snps,dwxgmac-2.10"; + "snps,dwxgmac-2.10", + "snps,dwxgmac"; reg = <0x10820000 0x3500>; interrupts = <GIC_SPI 207 IRQ_TYPE_LEVEL_HIGH>; interrupt-names = "macirq"; @@ -768,7 +770,8 @@ queue7 { gmac2: ethernet@10830000 { compatible = "altr,socfpga-stmmac-agilex5", - "snps,dwxgmac-2.10"; + "snps,dwxgmac-2.10", + "snps,dwxgmac"; reg = <0x10830000 0x3500>; interrupts = <GIC_SPI 224 IRQ_TYPE_LEVEL_HIGH>; interrupt-names = "macirq"; -- 2.43.7

1 day, 4 hours

1
0
0 0

[PATCH net] vhost: rewind next_avail_head while discarding descriptors

by Jason Wang

When discarding descriptors with IN_ORDER, we should rewind next_avail_head otherwise it would run out of sync with last_avail_idx. This would cause driver to report "id X is not a head". Fixing this by returning the number of descriptors that is used for each buffer via vhost_get_vq_desc_n() so caller can use the value while discarding descriptors. Fixes: 67a873df0c41 ("vhost: basic in order support") Cc: stable(a)vger.kernel.org Signed-off-by: Jason Wang <jasowang(a)redhat.com> --- drivers/vhost/net.c | 53 ++++++++++++++++++++++++++----------------- drivers/vhost/vhost.c | 43 ++++++++++++++++++++++++----------- drivers/vhost/vhost.h | 9 +++++++- 3 files changed, 70 insertions(+), 35 deletions(-) diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index 35ded4330431..8f7f50acb6d6 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -592,14 +592,15 @@ static void vhost_net_busy_poll(struct vhost_net *net, static int vhost_net_tx_get_vq_desc(struct vhost_net *net, struct vhost_net_virtqueue *tnvq, unsigned int *out_num, unsigned int *in_num, - struct msghdr *msghdr, bool *busyloop_intr) + struct msghdr *msghdr, bool *busyloop_intr, + unsigned int *ndesc) { struct vhost_net_virtqueue *rnvq = &net->vqs[VHOST_NET_VQ_RX]; struct vhost_virtqueue *rvq = &rnvq->vq; struct vhost_virtqueue *tvq = &tnvq->vq; - int r = vhost_get_vq_desc(tvq, tvq->iov, ARRAY_SIZE(tvq->iov), - out_num, in_num, NULL, NULL); + int r = vhost_get_vq_desc_n(tvq, tvq->iov, ARRAY_SIZE(tvq->iov), + out_num, in_num, NULL, NULL, ndesc); if (r == tvq->num && tvq->busyloop_timeout) { /* Flush batched packets first */ @@ -610,8 +611,8 @@ static int vhost_net_tx_get_vq_desc(struct vhost_net *net, vhost_net_busy_poll(net, rvq, tvq, busyloop_intr, false); - r = vhost_get_vq_desc(tvq, tvq->iov, ARRAY_SIZE(tvq->iov), - out_num, in_num, NULL, NULL); + r = vhost_get_vq_desc_n(tvq, tvq->iov, ARRAY_SIZE(tvq->iov), + out_num, in_num, NULL, NULL, ndesc); } return r; @@ -642,12 +643,14 @@ static int get_tx_bufs(struct vhost_net *net, struct vhost_net_virtqueue *nvq, struct msghdr *msg, unsigned int *out, unsigned int *in, - size_t *len, bool *busyloop_intr) + size_t *len, bool *busyloop_intr, + unsigned int *ndesc) { struct vhost_virtqueue *vq = &nvq->vq; int ret; - ret = vhost_net_tx_get_vq_desc(net, nvq, out, in, msg, busyloop_intr); + ret = vhost_net_tx_get_vq_desc(net, nvq, out, in, msg, + busyloop_intr, ndesc); if (ret < 0 || ret == vq->num) return ret; @@ -766,6 +769,7 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock) int sent_pkts = 0; bool sock_can_batch = (sock->sk->sk_sndbuf == INT_MAX); bool in_order = vhost_has_feature(vq, VIRTIO_F_IN_ORDER); + unsigned int ndesc = 0; do { bool busyloop_intr = false; @@ -774,7 +778,7 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock) vhost_tx_batch(net, nvq, sock, &msg); head = get_tx_bufs(net, nvq, &msg, &out, &in, &len, - &busyloop_intr); + &busyloop_intr, &ndesc); /* On error, stop handling until the next kick. */ if (unlikely(head < 0)) break; @@ -806,7 +810,7 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock) goto done; } else if (unlikely(err != -ENOSPC)) { vhost_tx_batch(net, nvq, sock, &msg); - vhost_discard_vq_desc(vq, 1); + vhost_discard_vq_desc(vq, 1, ndesc); vhost_net_enable_vq(net, vq); break; } @@ -829,7 +833,7 @@ static void handle_tx_copy(struct vhost_net *net, struct socket *sock) err = sock->ops->sendmsg(sock, &msg, len); if (unlikely(err < 0)) { if (err == -EAGAIN || err == -ENOMEM || err == -ENOBUFS) { - vhost_discard_vq_desc(vq, 1); + vhost_discard_vq_desc(vq, 1, ndesc); vhost_net_enable_vq(net, vq); break; } @@ -868,6 +872,7 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock) int err; struct vhost_net_ubuf_ref *ubufs; struct ubuf_info_msgzc *ubuf; + unsigned int ndesc = 0; bool zcopy_used; int sent_pkts = 0; @@ -879,7 +884,7 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock) busyloop_intr = false; head = get_tx_bufs(net, nvq, &msg, &out, &in, &len, - &busyloop_intr); + &busyloop_intr, &ndesc); /* On error, stop handling until the next kick. */ if (unlikely(head < 0)) break; @@ -941,7 +946,7 @@ static void handle_tx_zerocopy(struct vhost_net *net, struct socket *sock) vq->heads[ubuf->desc].len = VHOST_DMA_DONE_LEN; } if (retry) { - vhost_discard_vq_desc(vq, 1); + vhost_discard_vq_desc(vq, 1, ndesc); vhost_net_enable_vq(net, vq); break; } @@ -1045,11 +1050,12 @@ static int get_rx_bufs(struct vhost_net_virtqueue *nvq, unsigned *iovcount, struct vhost_log *log, unsigned *log_num, - unsigned int quota) + unsigned int quota, + unsigned int *ndesc) { struct vhost_virtqueue *vq = &nvq->vq; bool in_order = vhost_has_feature(vq, VIRTIO_F_IN_ORDER); - unsigned int out, in; + unsigned int out, in, desc_num, n = 0; int seg = 0; int headcount = 0; unsigned d; @@ -1064,9 +1070,9 @@ static int get_rx_bufs(struct vhost_net_virtqueue *nvq, r = -ENOBUFS; goto err; } - r = vhost_get_vq_desc(vq, vq->iov + seg, - ARRAY_SIZE(vq->iov) - seg, &out, - &in, log, log_num); + r = vhost_get_vq_desc_n(vq, vq->iov + seg, + ARRAY_SIZE(vq->iov) - seg, &out, + &in, log, log_num, &desc_num); if (unlikely(r < 0)) goto err; @@ -1093,6 +1099,7 @@ static int get_rx_bufs(struct vhost_net_virtqueue *nvq, ++headcount; datalen -= len; seg += in; + n += desc_num; } *iovcount = seg; @@ -1113,9 +1120,11 @@ static int get_rx_bufs(struct vhost_net_virtqueue *nvq, nheads[0] = headcount; } + *ndesc = n; + return headcount; err: - vhost_discard_vq_desc(vq, headcount); + vhost_discard_vq_desc(vq, headcount, n); return r; } @@ -1151,6 +1160,7 @@ static void handle_rx(struct vhost_net *net) struct iov_iter fixup; __virtio16 num_buffers; int recv_pkts = 0; + unsigned int ndesc; mutex_lock_nested(&vq->mutex, VHOST_NET_VQ_RX); sock = vhost_vq_get_backend(vq); @@ -1182,7 +1192,8 @@ static void handle_rx(struct vhost_net *net) headcount = get_rx_bufs(nvq, vq->heads + count, vq->nheads + count, vhost_len, &in, vq_log, &log, - likely(mergeable) ? UIO_MAXIOV : 1); + likely(mergeable) ? UIO_MAXIOV : 1, + &ndesc); /* On error, stop handling until the next kick. */ if (unlikely(headcount < 0)) goto out; @@ -1228,7 +1239,7 @@ static void handle_rx(struct vhost_net *net) if (unlikely(err != sock_len)) { pr_debug("Discarded rx packet: " " len %d, expected %zd\n", err, sock_len); - vhost_discard_vq_desc(vq, headcount); + vhost_discard_vq_desc(vq, headcount, ndesc); continue; } /* Supply virtio_net_hdr if VHOST_NET_F_VIRTIO_NET_HDR */ @@ -1252,7 +1263,7 @@ static void handle_rx(struct vhost_net *net) copy_to_iter(&num_buffers, sizeof num_buffers, &fixup) != sizeof num_buffers) { vq_err(vq, "Failed num_buffers write"); - vhost_discard_vq_desc(vq, headcount); + vhost_discard_vq_desc(vq, headcount, ndesc); goto out; } nvq->done_idx += headcount; diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index 8570fdf2e14a..b56568807588 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -2792,18 +2792,11 @@ static int get_indirect(struct vhost_virtqueue *vq, return 0; } -/* This looks in the virtqueue and for the first available buffer, and converts - * it to an iovec for convenient access. Since descriptors consist of some - * number of output then some number of input descriptors, it's actually two - * iovecs, but we pack them into one and note how many of each there were. - * - * This function returns the descriptor number found, or vq->num (which is - * never a valid descriptor number) if none was found. A negative code is - * returned on error. */ -int vhost_get_vq_desc(struct vhost_virtqueue *vq, - struct iovec iov[], unsigned int iov_size, - unsigned int *out_num, unsigned int *in_num, - struct vhost_log *log, unsigned int *log_num) +int vhost_get_vq_desc_n(struct vhost_virtqueue *vq, + struct iovec iov[], unsigned int iov_size, + unsigned int *out_num, unsigned int *in_num, + struct vhost_log *log, unsigned int *log_num, + unsigned int *ndesc) { bool in_order = vhost_has_feature(vq, VIRTIO_F_IN_ORDER); struct vring_desc desc; @@ -2921,16 +2914,40 @@ int vhost_get_vq_desc(struct vhost_virtqueue *vq, vq->last_avail_idx++; vq->next_avail_head += c; + if (ndesc) + *ndesc = c; + /* Assume notifications from guest are disabled at this point, * if they aren't we would need to update avail_event index. */ BUG_ON(!(vq->used_flags & VRING_USED_F_NO_NOTIFY)); return head; } +EXPORT_SYMBOL_GPL(vhost_get_vq_desc_n); + +/* This looks in the virtqueue and for the first available buffer, and converts + * it to an iovec for convenient access. Since descriptors consist of some + * number of output then some number of input descriptors, it's actually two + * iovecs, but we pack them into one and note how many of each there were. + * + * This function returns the descriptor number found, or vq->num (which is + * never a valid descriptor number) if none was found. A negative code is + * returned on error. + */ +int vhost_get_vq_desc(struct vhost_virtqueue *vq, + struct iovec iov[], unsigned int iov_size, + unsigned int *out_num, unsigned int *in_num, + struct vhost_log *log, unsigned int *log_num) +{ + return vhost_get_vq_desc_n(vq, iov, iov_size, out_num, in_num, + log, log_num, NULL); +} EXPORT_SYMBOL_GPL(vhost_get_vq_desc); /* Reverse the effect of vhost_get_vq_desc. Useful for error handling. */ -void vhost_discard_vq_desc(struct vhost_virtqueue *vq, int n) +void vhost_discard_vq_desc(struct vhost_virtqueue *vq, int n, + unsigned int ndesc) { + vq->next_avail_head -= ndesc; vq->last_avail_idx -= n; } EXPORT_SYMBOL_GPL(vhost_discard_vq_desc); diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h index 621a6d9a8791..69a39540df3d 100644 --- a/drivers/vhost/vhost.h +++ b/drivers/vhost/vhost.h @@ -230,7 +230,14 @@ int vhost_get_vq_desc(struct vhost_virtqueue *, struct iovec iov[], unsigned int iov_size, unsigned int *out_num, unsigned int *in_num, struct vhost_log *log, unsigned int *log_num); -void vhost_discard_vq_desc(struct vhost_virtqueue *, int n); + +int vhost_get_vq_desc_n(struct vhost_virtqueue *vq, + struct iovec iov[], unsigned int iov_size, + unsigned int *out_num, unsigned int *in_num, + struct vhost_log *log, unsigned int *log_num, + unsigned int *ndesc); + +void vhost_discard_vq_desc(struct vhost_virtqueue *, int n, unsigned int ndesc); bool vhost_vq_work_queue(struct vhost_virtqueue *vq, struct vhost_work *work); bool vhost_vq_has_work(struct vhost_virtqueue *vq); -- 2.31.1

1 day, 4 hours

2
6
0 0

Inquiry about purchasing your products.

by PERDIS SUPER U

-- Hi, PERDIS SUPER U is a leading retail group in France with numerous outlets across the country. After reviewing your company profile and products, we’re very interested in establishing a long-term partnership. Kindly share your product catalog or website so we can review your offerings and pricing. We are ready to place orders and begin cooperation.Please note: Our payment terms are SWIFT, 14 days after delivery. Looking forward to your response. Best regards, Dominique Schelcher Director, PERDIS SUPER U RUE DE SAVOIE, 45600 SAINT-PÈRE-SUR-LOIRE VAT: FR65380071464 www.magasins-u.com

1 day, 5 hours

1
0
0 0

[PATCH 0/2] drm/xe: Fix and refactor CONFIG_DRM_XE_DEBUG_GUC

by Lucas De Marchi

There was a missing call to stack_depot_init() that is needed if CONFIG_DRM_XE_DEBUG_GUC is defined. That is fixed in the simplest possible way in the first patch. Second patch refactors it to try to isolate the ifdefs in specific functions related to CONFIG_DRM_XE_DEBUG and CONFIG_DRM_XE_DEBUG_GUC. Signed-off-by: Lucas De Marchi <lucas.demarchi(a)intel.com> --- Lucas De Marchi (2): drm/xe/guc: Fix stack_depot usage drm/xe/guc_ct: Cleanup ifdef'ry drivers/gpu/drm/xe/xe_guc_ct.c | 204 +++++++++++++++++++++-------------------- 1 file changed, 107 insertions(+), 97 deletions(-) base-commit: b603326a067916accf680fd623f4fc3c22bba487 change-id: 20251117-fix-debug-guc-3d79bbe9dead Lucas De Marchi

1 day, 5 hours

3
7
0 0

Re: RFQ

by Zarja®

1 day, 6 hours

1
0
0 0

+ unshare-fix-nsproxy-leak-on-set_cred_ucounts-error-path.patch added to mm-nonmm-unstable branch

by Andrew Morton

The patch titled Subject: unshare: fix nsproxy leak on set_cred_ucounts() error path has been added to the -mm mm-nonmm-unstable branch. Its filename is unshare-fix-nsproxy-leak-on-set_cred_ucounts-error-path.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-nonmm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: Pavel Tikhomirov <ptikhomirov(a)virtuozzo.com> Subject: unshare: fix nsproxy leak on set_cred_ucounts() error path Date: Tue, 18 Nov 2025 14:45:50 +0800 If unshare_nsproxy_namespaces() successfully creates the new_nsproxy, but then set_cred_ucounts() fails, on its error path there is no cleanup for new_nsproxy, so it is leaked. Let's fix that by freeing new_nsproxy if it's not NULL on this error path. Link: https://lkml.kernel.org/r/20251118064552.936962-1-ptikhomirov@virtuozzo.com Fixes: 905ae01c4ae2a ("Add a reference to ucounts for each cred") Signed-off-by: Pavel Tikhomirov <ptikhomirov(a)virtuozzo.com> Acked-by: Alexey Gladkov <legion(a)kernel.org> Reviewed-by: Liam R. Howlett <Liam.Howlett(a)oracle.com> Cc: Ben Segall <bsegall(a)google.com> Cc: Dietmar Eggemann <dietmar.eggemann(a)arm.com> Cc: Eric Biederman <ebiederm(a)xmission.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Juri Lelli <juri.lelli(a)redhat.com> Cc: Kees Cook <kees(a)kernel.org> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: Mel Gorman <mgorman <mgorman(a)suse.de> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Valentin Schneider <vschneid(a)redhat.com> Cc: Vincent Guittot <vincent.guittot(a)linaro.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/fork.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/kernel/fork.c~unshare-fix-nsproxy-leak-on-set_cred_ucounts-error-path +++ a/kernel/fork.c @@ -3133,8 +3133,11 @@ int ksys_unshare(unsigned long unshare_f if (new_cred) { err = set_cred_ucounts(new_cred); - if (err) + if (err) { + if (new_nsproxy) + free_nsproxy(new_nsproxy); goto bad_unshare_cleanup_cred; + } } if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) { _ Patches currently in -mm which might be from ptikhomirov(a)virtuozzo.com are unshare-fix-nsproxy-leak-on-set_cred_ucounts-error-path.patch

1 day, 8 hours

1
0
0 0

[PATCH v2 0/3] SDM630/660: Add missing MDSS reset

by Alexey Minnekhanov

Since kernel 6.17 display stack needs to reset the hardware properly to ensure that we don't run into issues with the hardware configured by the bootloader. MDSS reset is necessary to have working display when the bootloader has already initialized it for the boot splash screen. Signed-off-by: Alexey Minnekhanov <alexeymin(a)postmarketos.org> --- Changes in v2: - Added "Fixes" tag, pointing to commit which is the root cause for exposing this "bug", which is only present since 6.17 - Extended commit messages - Prepared series using correct user.email git setting - Link to v1: https://lore.kernel.org/r/20251031-sdm660-mdss-reset-v1-0-14cb4e6836f2@post… --- Alexey Minnekhanov (3): dt-bindings: clock: mmcc-sdm660: Add missing MDSS reset clk: qcom: mmcc-sdm660: Add missing MDSS reset arm64: dts: qcom: sdm630: Add missing MDSS reset arch/arm64/boot/dts/qcom/sdm630.dtsi | 1 + drivers/clk/qcom/mmcc-sdm660.c | 1 + include/dt-bindings/clock/qcom,mmcc-sdm660.h | 1 + 3 files changed, 3 insertions(+) --- base-commit: 1cc41c88ef00de0f3216c5f4b9cfab47de1c49d3 change-id: 20251031-sdm660-mdss-reset-015a46a238b5 Best regards, -- Alexey Minnekhanov <alexeymin(a)postmarketos.org>

1 day, 8 hours

5
8
0 0

[PATCH] scsi: target: reset t_task_cdb pointer in error case

by Ваторопин Андрей

From: Andrey Vatoropin <a.vatoropin(a)crpt.ru> If allocation of cmd->t_task_cdb fails, it remains NULL but is later dereferenced at the 'err' path. In case of error reset NULL t_task_cdb value to point at the default fixed-size buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9e95fb805dc0 ("scsi: target: Fix NULL pointer dereference") Cc: stable(a)vger.kernel.org Signed-off-by: Andrey Vatoropin <a.vatoropin(a)crpt.ru> --- drivers/target/target_core_transport.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c index 0a76bdfe5528..88544c911949 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c @@ -1524,6 +1524,7 @@ target_cmd_init_cdb(struct se_cmd *cmd, unsigned char *cdb, gfp_t gfp) if (scsi_command_size(cdb) > sizeof(cmd->__t_task_cdb)) { cmd->t_task_cdb = kzalloc(scsi_command_size(cdb), gfp); if (!cmd->t_task_cdb) { + cmd->t_task_cdb = &cmd->__t_task_cdb[0]; pr_err("Unable to allocate cmd->t_task_cdb" " %u > sizeof(cmd->__t_task_cdb): %lu ops\n", scsi_command_size(cdb), -- 2.43.0

1 day, 10 hours

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror