- 03 Apr, 2023 2 commits
-
-
Namjae Jeon authored
When smb1 mount fails, KASAN detect slab-out-of-bounds in init_smb2_rsp_hdr like the following one. For smb1 negotiate(56bytes) , init_smb2_rsp_hdr() for smb2 is called. The issue occurs while handling smb1 negotiate as smb2 server operations. Add smb server operations for smb1 (get_cmd_val, init_rsp_hdr, allocate_rsp_buf, check_user_session) to handle smb1 negotiate so that smb2 server operation does not handle it. [ 411.400423] CIFS: VFS: Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers [ 411.400452] CIFS: Attempting to mount \\192.168.45.139\homes [ 411.479312] ksmbd: init_smb2_rsp_hdr : 492 [ 411.479323] ================================================================== [ 411.479327] BUG: KASAN: slab-out-of-bounds in init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479369] Read of size 16 at addr ffff888488ed0734 by task kworker/14:1/199 [ 411.479379] CPU: 14 PID: 199 Comm: kworker/14:1 Tainted: G OE 6.1.21 #3 [ 411.479386] Hardware name: ASUSTeK COMPUTER INC. Z10PA-D8 Series/Z10PA-D8 Series, BIOS 3801 08/23/2019 [ 411.479390] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] [ 411.479425] Call Trace: [ 411.479428] <TASK> [ 411.479432] dump_stack_lvl+0x49/0x63 [ 411.479444] print_report+0x171/0x4a8 [ 411.479452] ? kasan_complete_mode_report_info+0x3c/0x200 [ 411.479463] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479497] kasan_report+0xb4/0x130 [ 411.479503] ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479537] kasan_check_range+0x149/0x1e0 [ 411.479543] memcpy+0x24/0x70 [ 411.479550] init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd] [ 411.479585] handle_ksmbd_work+0x109/0x760 [ksmbd] [ 411.479616] ? _raw_spin_unlock_irqrestore+0x50/0x50 [ 411.479624] ? smb3_encrypt_resp+0x340/0x340 [ksmbd] [ 411.479656] process_one_work+0x49c/0x790 [ 411.479667] worker_thread+0x2b1/0x6e0 [ 411.479674] ? process_one_work+0x790/0x790 [ 411.479680] kthread+0x177/0x1b0 [ 411.479686] ? kthread_complete_and_exit+0x30/0x30 [ 411.479692] ret_from_fork+0x22/0x30 [ 411.479702] </TASK> Fixes: 39b291b8 ("ksmbd: return unsupported error on smb1 mount") Cc: stable@vger.kernel.org Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
-
Namjae Jeon authored
When smb2_lock request is canceled by smb2_cancel or smb2_close(), ksmbd is missing deleting async_request_entry async_requests list. Because calling init_smb2_rsp_hdr() in smb2_lock() mark ->synchronous as true and then it will not be deleted in ksmbd_conn_try_dequeue_request(). This patch add release_async_work() to release the ones allocated for async work. Cc: stable@vger.kernel.org Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
-
- 25 Mar, 2023 3 commits
-
-
Tom Rix authored
clang with W=1 reports fs/ksmbd/unicode.c:122:19: error: unused function 'is_char_allowed' [-Werror,-Wunused-function] static inline int is_char_allowed(char *ch) ^ This function is not used so remove it. Signed-off-by: Tom Rix <trix@redhat.com> Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
-
Marios Makassikis authored
Commit 83dcedd5 ("ksmbd: fix infinite loop in ksmbd_conn_handler_loop()"), changes GFP modifiers passed to kvmalloc(). This cause xfstests generic/551 test to fail. We limit pdu length size according to connection status and maximum number of connections. In the rest, memory allocation of request is limited by credit management. so these flags are no longer needed. Fixes: 83dcedd5 ("ksmbd: fix infinite loop in ksmbd_conn_handler_loop()") Cc: stable@vger.kernel.org Signed-off-by: Marios Makassikis <mmakassikis@freebox.fr> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
-
git://git.samba.org/ksmbdLinus Torvalds authored
Pull ksmbd server fixes from Steve French: - return less confusing messages on unsupported dialects (STATUS_NOT_SUPPORTED instead of I/O error) - fix for overly frequent inactive session termination - fix refcount leak - fix bounds check problems found by static checkers - fix to advertise named stream support correctly - Fix AES256 signing bug when connected to from MacOS * tag '6.3-rc3-ksmbd-smb3-server-fixes' of git://git.samba.org/ksmbd: ksmbd: return unsupported error on smb1 mount ksmbd: return STATUS_NOT_SUPPORTED on unsupported smb2.0 dialect ksmbd: don't terminate inactive sessions after a few seconds ksmbd: fix possible refcount leak in smb2_open() ksmbd: add low bound validation to FSCTL_QUERY_ALLOCATED_RANGES ksmbd: add low bound validation to FSCTL_SET_ZERO_DATA ksmbd: set FILE_NAMED_STREAMS attribute in FS_ATTRIBUTE_INFORMATION ksmbd: fix wrong signingkey creation when encryption is AES256
-
- 24 Mar, 2023 29 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/soc/socLinus Torvalds authored
Pull ARM SoC fixes from Arnd Bergmann: "As usual, most of the bug fixes address issues in the devicetree files, and out of these, most are for the Qualcomm and NXP platforms, including: - A missing 'reserved-memory' property on LG G Watch R that is needed to prevent clashing with firmware - Annotations for cache coherency on multiple machines - Corrections for pinctrl, regulator, clock, iommu and power domain properties for i.MX and Qualcomm to correctly reflect the hardware settings - Firmware file names on multiple machines SA8540P Ride board - An incompatible change to the qcom vadc driver requires adding individual labels - Fix EQoS PHY reset GPIO by dropping the deprecated/wrong property and switch to the new bindings. - A fix for PCI bus address translation Tegra194 and Tegra234. There are also a couple of device driver fixes, addressing: - A race condition in the amdtee driver - A performance regression in the Qualcomm 'llcc' driver - An unitialized variable use NXP i.MX 'weim' driver - Error handling issues in Qualcomm 'rmtfs', and 'scm' drivers and the Arm scmi firmware driver" * tag 'arm-fixes-6.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (48 commits) arm64: dts: qcom: sc8280xp-x13s: mark bob regulator as always-on arm64: dts: qcom: sc8280xp-x13s: mark s12b regulator as always-on arm64: dts: qcom: sc8280xp-x13s: mark s10b regulator as always-on arm64: dts: qcom: sc8280xp-x13s: mark s11b regulator as always-on arm64: dts: imx93: add missing #address-cells and #size-cells to i2c nodes bus: imx-weim: fix branch condition evaluates to a garbage value arm64: dts: imx8mn: specify #sound-dai-cells for SAI nodes ARM: dts: imx6sl: tolino-shine2hd: fix usbotg1 pinctrl ARM: dts: imx6sll: e60k02: fix usbotg1 pinctrl ARM: dts: imx6sll: e70k02: fix usbotg1 pinctrl arm64: dts: imx93: Fix eqos properties arm64: dts: imx8mp: Fix LCDIF2 node clock order arm64: dts: imx8mm-nitrogen-r2: fix WM8960 clock name arm64: dts: imx8dxl-evk: Fix eqos phy reset gpio firmware: qcom: scm: fix bogus irq error at probe arm64: dts: qcom: sm8550: Mark UFS controller as cache coherent arm64: dts: qcom: sa8540p-ride: correct name of remoteproc_nsp0 firmware arm64: dts: qcom: sm8450: Mark UFS controller as cache coherent arm64: dts: qcom: sm8350: Mark UFS controller as cache coherent arm64: dts: qcom: sm8550: fix LPASS pinctrl slew base address ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supplyLinus Torvalds authored
Pull power supply fixes from Sebastian Reichel: - rk817: Fix compiler warning - cros_usbpd-charger: Fix excessive error printing - axp288_fuel_gauge: handle platform_get_irq error - bq24190 and da9150: Fix race condition in remove path * tag 'for-v6.3-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply: power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition power: supply: axp288_fuel_gauge: Added check for negative values power: supply: cros_usbpd: reclassify "default case!" as debug power: supply: rk817: Fix unsigned comparison with less than zero
-
git://anongit.freedesktop.org/drm/drmLinus Torvalds authored
Pull drm fixes from Daniel Vetter: - usual pile of fixes for amdgpu & i915 - probe error handling fixes for meson, lt8912b bridge - the host1x patch from Arnd - panel-orientation fix for Lenovo Book X90F * tag 'drm-fixes-2023-03-24' of git://anongit.freedesktop.org/drm/drm: (23 commits) gpu: host1x: fix uninitialized variable use drm/amd/display: Set dcn32 caps.seamless_odm drm/amd/display: fix wrong index used in dccg32_set_dpstreamclk drm/amdgpu/nv: Apply ASPM quirk on Intel ADL + AMD Navi drm/amd/display: remove outdated 8bpc comments drm/amdgpu/gfx: set cg flags to enter/exit safe mode drm/amdgpu: Force signal hw_fences that are embedded in non-sched jobs drm/amdgpu: add mes resume when do gfx post soft reset drm/amdgpu: skip ASIC reset for APUs when go to S4 drm/amdgpu: reposition the gpu reset checking for reuse drm/bridge: lt8912b: return EPROBE_DEFER if bridge is not found drm/meson: fix missing component unbind on bind errors drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F Revert "drm/i915/hwmon: Enable PL1 power limit" drm/i915: Update vblank timestamping stuff on seamless M/N change drm/i915: Fix format for perf_limit_reasons drm/i915/gt: perform uc late init after probe error injection drm/i915/active: Fix missing debug object activation drm/i915/guc: Fix missing ecodes drm/i915/mtl: Disable MC6 for MTL A step ...
-
Linus Torvalds authored
Merge tag 'for-6.3/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fixes from Mike Snitzer: - Fix DM thin to work as a swap device by using 'limit_swap_bios' DM target flag (initially added to allow swap to dm-crypt) to throttle the amount of outstanding swap bios. - Fix DM crypt soft lockup warnings by calling cond_resched() from the cpu intensive loop in dmcrypt_write(). - Fix DM crypt to not access an uninitialized tasklet. This fix allows for consistent handling of IO completion, by _not_ needlessly punting to a workqueue when tasklets are not needed. - Fix DM core's alloc_dev() initialization for DM stats to check for and propagate alloc_percpu() failure. * tag 'for-6.3/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm stats: check for and propagate alloc_percpu failure dm crypt: avoid accessing uninitialized tasklet dm crypt: add cond_resched() to dmcrypt_write() dm thin: fix deadlock when swapping to thin device
-
git://git.kernel.dk/linuxLinus Torvalds authored
Pull block fixes from Jens Axboe: - NVMe pull request via Christoph: - Send Identify with CNS 06h only to I/O controllers (Martin George) - Fix nvme_tcp_term_pdu to match spec (Caleb Sander) - Pass in issue_flags for uring_cmd, so the end_io handlers don't need to assume what the right context is (me) - Fix for ublk, marking it as LIVE before adding it to avoid races on the initial IO (Ming) * tag 'block-6.3-2023-03-24' of git://git.kernel.dk/linux: nvme-tcp: fix nvme_tcp_term_pdu to match spec nvme: send Identify with CNS 06h only to I/O controllers block/io_uring: pass in issue_flags for uring_cmd task_work handling block: ublk_drv: mark device as LIVE before adding disk
-
git://git.kernel.dk/linuxLinus Torvalds authored
Pull io_uring fixes from Jens Axboe: - Fix an issue with repeated -ECONNREFUSED on a socket (me) - Fix a NULL pointer deference due to a stale lookup cache for allocating direct descriptors (Savino) * tag 'io_uring-6.3-2023-03-24' of git://git.kernel.dk/linux: io_uring/rsrc: fix null-ptr-deref in io_file_bitmap_get() io_uring/net: avoid sending -ECONNABORTED on repeated connection requests
-
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pmLinus Torvalds authored
Pull thermal control fixes from Rafael Wysocki: "These address two recent regressions related to thermal control. Specifics: - Restore the thermal core behavior regarding zero-temperature trip points to avoid a driver regression (Ido Schimmel) - Fix a recent regression in the ACPI processor driver preventing it from changing the number of CPU cooling device states exposed via sysfs after the given CPU cooling device has been registered (Rafael Wysocki)" * tag 'thermal-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: thermal: core: Restore behavior regarding invalid trip points ACPI: processor: thermal: Update CPU cooling devices on cpufreq policy changes thermal: core: Introduce thermal_cooling_device_update() thermal: core: Introduce thermal_cooling_device_present() ACPI: processor: Reorder acpi_processor_driver_init()
-
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pmLinus Torvalds authored
Pull ACPI fixes from Rafael Wysocki: "These add new ACPI IRQ override and backlight detection quirks. Specifics: - Add backlight=native DMI quirk for Acer Aspire 3830TG to the ACPI backlight driver (Hans de Goede) - Add an ACPI IRQ override quirk for Medion S17413 (Aymeric Wibo)" * tag 'acpi-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: resource: Add Medion S17413 to IRQ override quirk ACPI: video: Add backlight=native DMI quirk for Acer Aspire 3830TG
-
git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slabLinus Torvalds authored
Pull slab fix from Vlastimil Babka: "A single build fix for a corner case configuration that is apparently possible to achieve on some arches, from Geert" * tag 'slab-fix-for-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab: mm/slab: Fix undefined init_cache_node_node() for NUMA and !SMP
-
git://git.kernel.org/pub/scm/linux/kernel/git/efi/efiLinus Torvalds authored
Pull EFI fixes from Ard Biesheuvel: - Set the NX compat flag for arm64 and zboot, to ensure compatibility with EFI firmware that complies with tightening requirements imposed across the ecosystem. - Improve identification of Ampere Altra systems based on SMBIOS data. - Fix some issues related to the EFI framebuffer that were introduced as a result from some refactoring related to zboot and the merge with sysfb. - Makefile tweak to avoid rebuilding vmlinuz unnecessarily. - Fix efi_random_alloc() return value on out of memory condition. * tag 'efi-fixes-for-v6.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi: efi/libstub: randomalloc: Return EFI_OUT_OF_RESOURCES on failure efi/libstub: Use relocated version of kernel's struct screen_info efi/libstub: zboot: Add compressed image to make targets efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L efi: sysfb_efi: Fix DMI quirks not working for simpledrm efi/libstub: smbios: Drop unused 'recsize' parameter arm64: efi: Use SMBIOS processor version to key off Ampere quirk efi/libstub: smbios: Use length member instead of record struct size efi: earlycon: Reprobe after parsing config tables arm64: efi: Set NX compat flag in PE/COFF header efi/libstub: arm64: Remap relocated image with strict permissions efi/libstub: zboot: Mark zboot EFI application as NX compatible
-
Arnd Bergmann authored
Merge tag 'qcom-driver-fixes-for-6.3' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into soc/fixes Qualcomm driver fixes for v6.3 Support for the secure world interrupting the SCM driver drive the wait queue mechanism was recently introduced, but most platforms doesn't have this mechanism and an error should not be printed in the log. The rmtfs_mem driver recently gained support for assigning the region to multiple VMIDs, but accidentally removed the support for running without assignment. A couple of changes are introducd to correct this. The SC8280XP LLCC slice configuration is wrong, reslting in incorrect configuration of the hardware. The table is corrected, based on the datasheet. * tag 'qcom-driver-fixes-for-6.3' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: firmware: qcom: scm: fix bogus irq error at probe soc: qcom: rmtfs: handle optional qcom,vmid correctly soc: qcom: rmtfs: fix error handling reading qcom,vmid soc: qcom: llcc: Fix slice configuration values for SC8280XP Link: https://lore.kernel.org/r/20230323142505.1086072-1-andersson@kernel.orgSigned-off-by: Arnd Bergmann <arnd@arndb.de>
-
Arnd Bergmann authored
Merge tag 'qcom-dts-fixes-for-6.3' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into soc/fixes Qualcomm ARM32 Devicetree fixes for v6.3 This introduces missing reserved-memory ranges on LG G Watch R, resolving stability issues caused by Linux reusing memory used by firmware. * tag 'qcom-dts-fixes-for-6.3' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: ARM: dts: qcom: apq8026-lg-lenok: add missing reserved memory Link: https://lore.kernel.org/r/20230323141922.1085875-1-andersson@kernel.orgSigned-off-by: Arnd Bergmann <arnd@arndb.de>
-
Arnd Bergmann authored
Merge tag 'qcom-arm64-fixes-for-6.3' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into soc/fixes Qualcomm ARM64 Devicetree fixes for v6.3 This correct SIM card selection on the two newly introduced MSM8916-based USB modems. The firmware-name for the first CDSP is corrected on the SA8540P Ride board. The PCIe controller in SC7280 is marked cache-coherent, which resolves seen data corruption issues. Labels are added to the vadc channel nodes on SC8280XP, as the Linux driver was updated to not include the unit address when generating device names and collisions thereby prevented registration of the channels. Audio clocks and routing is corrected and a few regulators are marked always-on for the Lenovo Thinkpad X13s, as their clients are not fully described at this point. SPI5 was accidentally enabled by default on SM6115, and is disabled again. CDSP on SM6375 is provided its power-domains, to appropriately vote for during power up for the DSP. The iommu mask for the PCIe controllers in SM8150 is updated, to match what the hypervisor expects. Th Venus firmware path is corrected on Xiaomi Mi Pad 5 Pro. The UFS controller is marked cache coherent on SM8350 and SM8450. The clocks for the second WSA macro on SM8450 is corrected, and given its own clocks. The bias-pull-up value for I2C pins are corrected on SM8550, to trigger the selection of the strong pull. CPU compatibles and the base address of the LPASS TLMM block are corrected. * tag 'qcom-arm64-fixes-for-6.3' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: (23 commits) arm64: dts: qcom: sc8280xp-x13s: mark bob regulator as always-on arm64: dts: qcom: sc8280xp-x13s: mark s12b regulator as always-on arm64: dts: qcom: sc8280xp-x13s: mark s10b regulator as always-on arm64: dts: qcom: sc8280xp-x13s: mark s11b regulator as always-on arm64: dts: qcom: sm8550: Mark UFS controller as cache coherent arm64: dts: qcom: sa8540p-ride: correct name of remoteproc_nsp0 firmware arm64: dts: qcom: sm8450: Mark UFS controller as cache coherent arm64: dts: qcom: sm8350: Mark UFS controller as cache coherent arm64: dts: qcom: sm8550: fix LPASS pinctrl slew base address arm64: dts: qcom: sc8280xp-x13s: fix va dmic dai links and routing arm64: dts: qcom: sc8280xp-x13s: fix dmic sample rate arm64: dts: qcom: sc8280xp: fix lpass tx macro clocks arm64: dts: qcom: sc8280xp: fix rx frame shapping info arm64: dts: qcom: sm8450: correct WSA2 assigned clocks arm64: dts: qcom: sc7280: Mark PCIe controller as cache coherent arm64: dts: qcom: msm8916-ufi: Fix sim card selection pinctrl arm64: dts: qcom: sm8250-xiaomi-elish: Correct venus firmware path arm64: dts: qcom: sm8550: Use correct CPU compatibles arm64: dts: qcom: sm8550: Add bias pull up value to tlmm i2c data clk states arm64: dts: qcom: sm6375: Add missing power-domain-named to CDSP ... Link: https://lore.kernel.org/r/20230323141642.1085684-1-andersson@kernel.orgSigned-off-by: Arnd Bergmann <arnd@arndb.de>
-
git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linuxLinus Torvalds authored
Pull RISC-V fixes from Palmer Dabbelt: - A fix to match the CSR ASID masking rules when passing ASIDs to firmware - Force GCC to use ISA 2.2, to avoid a host of compatibily issues between toolchains * tag 'riscv-for-linus-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: Handle zicsr/zifencei issues between clang and binutils riscv: mm: Fix incorrect ASID argument when flushing TLB
-
git://git.kernel.org/pub/scm/linux/kernel/git/xen/tipLinus Torvalds authored
Pull xen fixes from Juergen Gross: - fix build warning - avoid concurrent accesses to the Xen PV console ring page * tag 'for-linus-6.3-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: x86/PVH: avoid 32-bit build warning when obtaining VGA console info hvc/xen: prevent concurrent accesses to the shared ring
-
Rafael J. Wysocki authored
Merge a fix for a recent thermal-related regression in the ACPI processor driver. * thermal-acpi: ACPI: processor: thermal: Update CPU cooling devices on cpufreq policy changes thermal: core: Introduce thermal_cooling_device_update() thermal: core: Introduce thermal_cooling_device_present() ACPI: processor: Reorder acpi_processor_driver_init()
-
Rafael J. Wysocki authored
Merge an ACPI backlight quirk for Acer Aspire 3830TG (Hans de Goede). * acpi-video: ACPI: video: Add backlight=native DMI quirk for Acer Aspire 3830TG
-
Aymeric Wibo authored
Add DMI info of the Medion S17413 (board M1xA) to the IRQ override quirk table. This fixes the keyboard not working on these laptops. Link: https://bugzilla.kernel.org/show_bug.cgi?id=213031Signed-off-by: Aymeric Wibo <obiwac@gmail.com> [ rjw: Fixed up white space ] Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-
Linus Torvalds authored
Merge tag 'tag-chrome-platform-fixes-for-v6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux Pull chrome platform fix from Tzung-Bi Shih: "Fix a kernel data leak vulnerability" * tag 'tag-chrome-platform-fixes-for-v6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux: platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl
-
git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linuxLinus Torvalds authored
Pull i2c fixes from Wolfram Sang: "A set of regular driver fixes" * tag 'i2c-for-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() i2c: hisi: Only use the completion interrupt to finish the transfer i2c: hisi: Avoid redundant interrupts i2c: mxs: ensure that DMA buffers are safe for DMA i2c: imx-lpi2c: check only for enabled interrupt flags i2c: imx-lpi2c: clean rx/tx buffers upon new message
-
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netLinus Torvalds authored
Pull networking fixes from Jakub Kicinski: "Including fixes from bpf, wifi and bluetooth. Current release - regressions: - wifi: mt76: mt7915: add back 160MHz channel width support for MT7915 - libbpf: revert poisoning of strlcpy, it broke uClibc-ng Current release - new code bugs: - bpf: improve the coverage of the "allow reads from uninit stack" feature to fix verification complexity problems - eth: am65-cpts: reset PPS genf adj settings on enable Previous releases - regressions: - wifi: mac80211: serialize ieee80211_handle_wake_tx_queue() - wifi: mt76: do not run mt76_unregister_device() on unregistered hw, fix null-deref - Bluetooth: btqcomsmd: fix command timeout after setting BD address - eth: igb: revert rtnl_lock() that causes a deadlock - dsa: mscc: ocelot: fix device specific statistics Previous releases - always broken: - xsk: add missing overflow check in xdp_umem_reg() - wifi: mac80211: - fix QoS on mesh interfaces - fix mesh path discovery based on unicast packets - Bluetooth: - ISO: fix timestamped HCI ISO data packet parsing - remove "Power-on" check from Mesh feature - usbnet: more fixes to drivers trusting packet length - wifi: iwlwifi: mvm: fix mvmtxq->stopped handling - Bluetooth: btintel: iterate only bluetooth device ACPI entries - eth: iavf: fix inverted Rx hash condition leading to disabled hash - eth: igc: fix the validation logic for taprio's gate list - dsa: tag_brcm: legacy: fix daisy-chained switches Misc: - bpf: adjust insufficient default bpf_jit_limit to account for growth of BPF use over the last 5 years - xdp: bpf_xdp_metadata() use EOPNOTSUPP as unique errno indicating no driver support" * tag 'net-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (84 commits) Bluetooth: HCI: Fix global-out-of-bounds Bluetooth: mgmt: Fix MGMT add advmon with RSSI command Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work Bluetooth: L2CAP: Fix responding with wrong PDU type Bluetooth: btqcomsmd: Fix command timeout after setting BD address Bluetooth: btinel: Check ACPI handle for NULL before accessing net: mdio: thunder: Add missing fwnode_handle_put() net: dsa: mt7530: move setting ssc_delta to PHY_INTERFACE_MODE_TRGMII case net: dsa: mt7530: move lowering TRGMII driving to mt7530_setup() net: dsa: mt7530: move enabling disabling core clock to mt7530_pll_setup() net: asix: fix modprobe "sysfs: cannot create duplicate filename" gve: Cache link_speed value from device tools: ynl: Fix genlmsg header encoding formats net: enetc: fix aggregate RMON counters not showing the ranges Bluetooth: Remove "Power-on" check from Mesh feature Bluetooth: Fix race condition in hci_cmd_sync_clear Bluetooth: btintel: Iterate only bluetooth device ACPI entries Bluetooth: ISO: fix timestamped HCI ISO data packet parsing Bluetooth: btusb: Remove detection of ISO packets over bulk Bluetooth: hci_core: Detect if an ACL packet is in fact an ISO packet ...
-
git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linuxLinus Torvalds authored
Pull btrfs fixes from David Sterba: "A few more fixes, the zoned accounting fix is spread across a few patches, preparatory and the actual fixes: - zoned mode: - fix accounting of unusable zone space - fix zone activation condition for DUP profile - preparatory patches - improved error handling of missing chunks - fix compiler warning" * tag 'for-6.3-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: zoned: drop space_info->active_total_bytes btrfs: zoned: count fresh BG region as zone unusable btrfs: use temporary variable for space_info in btrfs_update_block_group btrfs: rename BTRFS_FS_NO_OVERCOMMIT to BTRFS_FS_ACTIVE_ZONE_TRACKING btrfs: zoned: fix btrfs_can_activate_zone() to support DUP profile btrfs: fix compiler warning on SPARC/PA-RISC handling fscrypt_setup_filename btrfs: handle missing chunk mapping more gracefully
-
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsiLinus Torvalds authored
Pull SCSI fixes from James Bottomley: "Four small fixes, three in drivers. The core fix adds a UFS device to an existing quirk to avoid a huge delay on boot" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate() scsi: qla2xxx: Synchronize the IOCB count to be in order scsi: qla2xxx: Perform lockless command completion in abort path scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR
-
Arnd Bergmann authored
The error handling for platform_get_irq() failing no longer works after a recent change, clang now points this out with a warning: drivers/gpu/host1x/dev.c:520:6: error: variable 'syncpt_irq' is uninitialized when used here [-Werror,-Wuninitialized] if (syncpt_irq < 0) ^~~~~~~~~~ Fix this by removing the variable and checking the correct error status. Fixes: 625d4ffb ("gpu: host1x: Rewrite syncpoint interrupt handling") Reviewed-by: Nathan Chancellor <nathan@kernel.org> Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com> Reported-by: "kernelci.org bot" <bot@kernelci.org> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Reviewed-by: Jon Hunter <jonathanh@nvidia.com> Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: https://patchwork.freedesktop.org/patch/msgid/20230127221418.2522612-1-arnd@kernel.org
-
Daniel Vetter authored
Merge tag 'amd-drm-fixes-6.3-2023-03-23' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.3-2023-03-23: amdgpu: - S4 fix - Soft reset fixes - SR-IOV fix - Remove an out of date comment in the DC code - ASPM fix - DCN 3.2 fixes Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> From: Alex Deucher <alexander.deucher@amd.com> Link: https://patchwork.freedesktop.org/patch/msgid/20230323161939.7751-1-alexander.deucher@amd.com
-
Daniel Vetter authored
Merge tag 'drm-intel-fixes-2023-03-23' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes drm/i915 fixes for v6.3-rc4: - Fix an MTL workaround - Fix fbdev obj locking before vma pin - Fix state inheritance tracking in initial commit - Fix missing GuC error capture codes - Fix missing debug object activation - Fix uc init late order relative to probe error injection - Fix perf limit reasons formatting - Fix vblank timestamp update on seamless M/N changes Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> From: Jani Nikula <jani.nikula@intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/878rfn7njw.fsf@intel.com
-
git://anongit.freedesktop.org/drm/drm-miscDaniel Vetter authored
Short summary of fixes pull: * fixes for bind and probing error handling for meson, lt8912b bridge * panel-orientation fixes for Lenovo Book X90F Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> From: Thomas Zimmermann <tzimmermann@suse.de> Link: https://patchwork.freedesktop.org/patch/msgid/20230323082401.GA8371@linux-uq9g
-
Namjae Jeon authored
ksmbd disconnect connection when mounting with vers=smb1. ksmbd should send smb1 negotiate response to client for correct unsupported error return. This patch add needed SMB1 macros and fill NegProt part of the response for smb1 negotiate response. Cc: stable@vger.kernel.org Reported-by: Steve French <stfrench@microsoft.com> Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org> Signed-off-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com>
-
Tzung-Bi Shih authored
It is possible to peep kernel page's data by providing larger `insize` in struct cros_ec_command[1] when invoking EC host commands. Fix it by using zeroed memory. [1]: https://elixir.bootlin.com/linux/v6.2/source/include/linux/platform_data/cros_ec_proto.h#L74 Fixes: eda2e30c ("mfd / platform: cros_ec: Miscellaneous character device to talk with the EC") Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org> Reviewed-by: Guenter Roeck <groeck@chromium.org> Link: https://lore.kernel.org/r/20230324010658.1082361-1-tzungbi@kernel.org
-
- 23 Mar, 2023 6 commits
-
-
https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpfJakub Kicinski authored
Daniel Borkmann says: ==================== pull-request: bpf 2023-03-23 We've added 8 non-merge commits during the last 13 day(s) which contain a total of 21 files changed, 238 insertions(+), 161 deletions(-). The main changes are: 1) Fix verification issues in some BPF programs due to their stack usage patterns, from Eduard Zingerman. 2) Fix to add missing overflow checks in xdp_umem_reg and return an error in such case, from Kal Conley. 3) Fix and undo poisoning of strlcpy in libbpf given it broke builds for libcs which provided the former like uClibc-ng, from Jesus Sanchez-Palencia. 4) Fix insufficient bpf_jit_limit default to avoid users running into hard to debug seccomp BPF errors, from Daniel Borkmann. 5) Fix driver return code when they don't support a bpf_xdp_metadata kfunc to make it unambiguous from other errors, from Jesper Dangaard Brouer. 6) Two BPF selftest fixes to address compilation errors from recent changes in kernel structures, from Alexei Starovoitov. * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: xdp: bpf_xdp_metadata use EOPNOTSUPP for no driver support bpf: Adjust insufficient default bpf_jit_limit xsk: Add missing overflow check in xdp_umem_reg selftests/bpf: Fix progs/test_deny_namespace.c issues. selftests/bpf: Fix progs/find_vma_fail1.c build error. libbpf: Revert poisoning of strlcpy selftests/bpf: Tests for uninitialized stack reads bpf: Allow reads from uninit stack ==================== Link: https://lore.kernel.org/r/20230323225221.6082-1-daniel@iogearbox.netSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetoothJakub Kicinski authored
Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - Fix MGMT add advmon with RSSI command - L2CAP: Fix responding with wrong PDU type - Fix race condition in hci_cmd_sync_clear - ISO: Fix timestamped HCI ISO data packet parsing - HCI: Fix global-out-of-bounds - hci_sync: Resume adv with no RPA when active scan * tag 'for-net-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: HCI: Fix global-out-of-bounds Bluetooth: mgmt: Fix MGMT add advmon with RSSI command Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work Bluetooth: L2CAP: Fix responding with wrong PDU type Bluetooth: btqcomsmd: Fix command timeout after setting BD address Bluetooth: btinel: Check ACPI handle for NULL before accessing Bluetooth: Remove "Power-on" check from Mesh feature Bluetooth: Fix race condition in hci_cmd_sync_clear Bluetooth: btintel: Iterate only bluetooth device ACPI entries Bluetooth: ISO: fix timestamped HCI ISO data packet parsing Bluetooth: btusb: Remove detection of ISO packets over bulk Bluetooth: hci_core: Detect if an ACL packet is in fact an ISO packet Bluetooth: hci_sync: Resume adv with no RPA when active scan ==================== Link: https://lore.kernel.org/r/20230323202335.3380841-1-luiz.dentz@gmail.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wirelessJakub Kicinski authored
Kalle Valo says: ==================== wireless fixes for v6.3 Third set of fixes for v6.3. mt76 has two kernel crash fixes and adding back 160 MHz channel support for mt7915. mac80211 has fixes for a race in transmit path and two mesh related fixes. iwlwifi also has fixes for races. * tag 'wireless-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: wifi: mac80211: fix mesh path discovery based on unicast packets wifi: mac80211: fix qos on mesh interfaces wifi: iwlwifi: mvm: protect TXQ list manipulation wifi: iwlwifi: mvm: fix mvmtxq->stopped handling wifi: mac80211: Serialize ieee80211_handle_wake_tx_queue() wifi: mwifiex: mark OF related data as maybe unused wifi: mt76: connac: do not check WED status for non-mmio devices wifi: mt76: mt7915: add back 160MHz channel width support for MT7915 wifi: mt76: do not run mt76_unregister_device() on unregistered hw ==================== Link: https://lore.kernel.org/r/20230323110332.C4FE4C433D2@smtp.kernel.orgSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2Linus Torvalds authored
Pull gfs2 fix from Andreas Gruenbacher: - Reinstate commit 970343cd ("GFS2: free disk inode which is deleted by remote node -V2") as reverting that commit could cause gfs2_put_super() to hang. * tag 'gfs2-v6.3-rc3-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2: Reinstate "GFS2: free disk inode which is deleted by remote node -V2"
-
Sungwoo Kim authored
To loop a variable-length array, hci_init_stage_sync(stage) considers that stage[i] is valid as long as stage[i-1].func is valid. Thus, the last element of stage[].func should be intentionally invalid as hci_init0[], le_init2[], and others did. However, amp_init1[] and amp_init2[] have no invalid element, letting hci_init_stage_sync() keep accessing amp_init1[] over its valid range. This patch fixes this by adding {} in the last of amp_init1[] and amp_init2[]. ================================================================== BUG: KASAN: global-out-of-bounds in hci_dev_open_sync ( /v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689) Read of size 8 at addr ffffffffaed1ab70 by task kworker/u5:0/1032 CPU: 0 PID: 1032 Comm: kworker/u5:0 Not tainted 6.2.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04 Workqueue: hci1 hci_power_on Call Trace: <TASK> dump_stack_lvl (/v6.2-bzimage/lib/dump_stack.c:107 (discriminator 1)) print_report (/v6.2-bzimage/mm/kasan/report.c:307 /v6.2-bzimage/mm/kasan/report.c:417) ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689) kasan_report (/v6.2-bzimage/mm/kasan/report.c:184 /v6.2-bzimage/mm/kasan/report.c:519) ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689) hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689) ? __pfx_hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:4635) ? mutex_lock (/v6.2-bzimage/./arch/x86/include/asm/atomic64_64.h:190 /v6.2-bzimage/./include/linux/atomic/atomic-long.h:443 /v6.2-bzimage/./include/linux/atomic/atomic-instrumented.h:1781 /v6.2-bzimage/kernel/locking/mutex.c:171 /v6.2-bzimage/kernel/locking/mutex.c:285) ? __pfx_mutex_lock (/v6.2-bzimage/kernel/locking/mutex.c:282) hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:485 /v6.2-bzimage/net/bluetooth/hci_core.c:984) ? __pfx_hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:969) ? read_word_at_a_time (/v6.2-bzimage/./include/asm-generic/rwonce.h:85) ? strscpy (/v6.2-bzimage/./arch/x86/include/asm/word-at-a-time.h:62 /v6.2-bzimage/lib/string.c:161) process_one_work (/v6.2-bzimage/kernel/workqueue.c:2294) worker_thread (/v6.2-bzimage/./include/linux/list.h:292 /v6.2-bzimage/kernel/workqueue.c:2437) ? __pfx_worker_thread (/v6.2-bzimage/kernel/workqueue.c:2379) kthread (/v6.2-bzimage/kernel/kthread.c:376) ? __pfx_kthread (/v6.2-bzimage/kernel/kthread.c:331) ret_from_fork (/v6.2-bzimage/arch/x86/entry/entry_64.S:314) </TASK> The buggy address belongs to the variable: amp_init1+0x30/0x60 The buggy address belongs to the physical page: page:000000003a157ec6 refcount:1 mapcount:0 mapping:0000000000000000 ia flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea0005054688 ffffea0005054688 000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffffaed1aa00: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00 ffffffffaed1aa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00 >ffffffffaed1ab00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 ^ ffffffffaed1ab80: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 f9 ffffffffaed1ac00: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 00 02 f9 This bug is found by FuzzBT, a modified version of Syzkaller. Other contributors for this bug are Ruoyu Wu and Peng Hui. Fixes: d0b13706 ("Bluetooth: hci_sync: Rework init stages") Signed-off-by: Sungwoo Kim <iam@sung-woo.kim> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-
Howard Chung authored
The MGMT command: MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI uses variable length argument. This causes host not able to register advmon with rssi. This patch has been locally tested by adding monitor with rssi via btmgmt on a kernel 6.1 machine. Reviewed-by: Archie Pusaka <apusaka@chromium.org> Fixes: b338d917 ("Bluetooth: Implement support for Mesh") Signed-off-by: Howard Chung <howardchung@google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-