November 2022 - Linux-stable-mirror

[PATCH openEuler-22.03-LTS] nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()

by Long Li

From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> mainline inclusion from mainline-v6.0-rc3 commit 21a87d88c2253350e115029f14fe2a10a7e6c856 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5X1Z4 CVE: CVE-2022-3621 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If the i_mode field in inode of metadata files is corrupted on disk, it can cause the initialization of bmap structure, which should have been called from nilfs_read_inode_common(), not to be called. This causes a lockdep warning followed by a NULL pointer dereference at nilfs_bmap_lookup_at_level(). This patch fixes these issues by adding a missing sanitiy check for the i_mode field of metadata file's inode. Link: https://lkml.kernel.org/r/20221002030804.29978-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+2b32eb36c1a825b7a74c(a)syzkaller.appspotmail.com Reported-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/nilfs2/inode.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c index ca380c6d7825..bfe3c7ccdf50 100644 --- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -462,6 +462,8 @@ int nilfs_read_inode_common(struct inode *inode, inode->i_atime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec); inode->i_ctime.tv_nsec = le32_to_cpu(raw_inode->i_ctime_nsec); inode->i_mtime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec); + if (nilfs_is_metadata_file_inode(inode) && !S_ISREG(inode->i_mode)) + return -EIO; /* this inode is for metadata and corrupted */ if (inode->i_nlink == 0) return -ESTALE; /* this inode is deleted */ -- 2.31.1

1 year, 5 months

2
2
0 0

[PATCH openEuler-22.03-LTS] nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level()

by Long Li

From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> mainline inclusion from mainline-v6.0-rc3 commit 21a87d88c2253350e115029f14fe2a10a7e6c856 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5X1Z4 CVE: CVE-2022-3621 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If the i_mode field in inode of metadata files is corrupted on disk, it can cause the initialization of bmap structure, which should have been called from nilfs_read_inode_common(), not to be called. This causes a lockdep warning followed by a NULL pointer dereference at nilfs_bmap_lookup_at_level(). This patch fixes these issues by adding a missing sanitiy check for the i_mode field of metadata file's inode. Link: https://lkml.kernel.org/r/20221002030804.29978-1-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Reported-by: syzbot+2b32eb36c1a825b7a74c(a)syzkaller.appspotmail.com Reported-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Long Li <leo.lilong(a)huawei.com> --- fs/nilfs2/inode.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c index ca380c6d7825..bfe3c7ccdf50 100644 --- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -462,6 +462,8 @@ int nilfs_read_inode_common(struct inode *inode, inode->i_atime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec); inode->i_ctime.tv_nsec = le32_to_cpu(raw_inode->i_ctime_nsec); inode->i_mtime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec); + if (nilfs_is_metadata_file_inode(inode) && !S_ISREG(inode->i_mode)) + return -EIO; /* this inode is for metadata and corrupted */ if (inode->i_nlink == 0) return -ESTALE; /* this inode is deleted */ -- 2.31.1

1 year, 5 months

1
0
0 0

[PATCH 6.0 00/20] 6.0.4-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.0.4 release. There are 20 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 26 Oct 2022 11:29:24 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.0.4-rc1.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.0.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.0.4-rc1 Thomas Zimmermann <tzimmermann(a)suse.de> fbdev/core: Remove remove_conflicting_pci_framebuffers() Mel Gorman <mgorman(a)techsingularity.net> mm/huge_memory: do not clobber swp_entry_t during THP split Rafael Mendonca <rafaelmendsr(a)gmail.com> io-wq: Fix memory leak in worker creation Martin Liska <mliska(a)suse.cz> gcov: support GCC 12.1 and newer compilers Ard Biesheuvel <ardb(a)kernel.org> efi: ssdt: Don't free memory if ACPI table was loaded successfully Ard Biesheuvel <ardb(a)kernel.org> efi: efivars: Fix variable writes without query_variable_store() Nikos Tsironis <ntsironis(a)arrikto.com> dm clone: Fix typo in block_device format specifier Tim Huang <tim.huang(a)amd.com> drm/amd/pm: update SMU IP v13.0.4 driver interface version Evan Quan <evan.quan(a)amd.com> drm/amd/pm: fulfill SMU13.0.0 cstate control interface Evan Quan <evan.quan(a)amd.com> drm/amd/pm: disable cstate feature for gpu reset scenario Tim Huang <tim.huang(a)amd.com> drm/amd/pm: add SMU IP v13.0.4 IF version define to V7 Evan Quan <evan.quan(a)amd.com> drm/amd/pm: fulfill SMU13.0.7 cstate control interface Pavel Begunkov <asml.silence(a)gmail.com> net: flag sockets supporting msghdr originated zerocopy Roderick Colenbrander <roderick(a)gaikai.com> HID: playstation: add initial DualSense Edge controller support Roderick Colenbrander <roderick(a)gaikai.com> HID: playstation: stop DualSense output work on remove. Pavel Begunkov <asml.silence(a)gmail.com> io_uring/net: fail zc send when unsupported by socket Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> thermal: intel_powerclamp: Use first online CPU as control_cpu Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> pinctrl: amd: change dev_warn to dev_dbg for additional feature support Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/bios: Use hardcoded fp_timing size for generating LFP data pointers Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/i915/bios: Validate fp_timing terminator presence ------------- Diffstat: Makefile | 4 +- drivers/firmware/efi/efi.c | 2 + drivers/firmware/efi/vars.c | 10 +- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 ++ .../pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_4.h | 17 +++- drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h | 2 +- drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 8 ++ drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 9 ++ .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 11 +++ .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 12 +++ drivers/gpu/drm/i915/display/intel_bios.c | 106 ++++++++++----------- drivers/hid/hid-ids.h | 1 + drivers/hid/hid-playstation.c | 46 +++++++-- drivers/md/dm-clone-target.c | 2 +- drivers/pinctrl/pinctrl-amd.c | 4 +- drivers/thermal/intel/intel_powerclamp.c | 6 +- drivers/video/aperture.c | 30 +++--- drivers/video/fbdev/core/fbmem.c | 48 ---------- fs/efivarfs/vars.c | 16 ---- include/linux/efi.h | 3 - include/linux/fb.h | 2 - include/linux/net.h | 1 + io_uring/io-wq.c | 2 +- io_uring/net.c | 2 + kernel/gcov/gcc_4_7.c | 18 +++- mm/huge_memory.c | 11 ++- net/ipv4/tcp.c | 1 + net/ipv4/udp.c | 1 + 28 files changed, 218 insertions(+), 165 deletions(-)

1 year, 5 months

17
41
0 0

[PATCH AUTOSEL 4.9 1/3] media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE

by Sasha Levin

From: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> [ Upstream commit 93f65ce036863893c164ca410938e0968964b26c ] I expect that the hardware will have limited this to 16, but just in case it hasn't, check for this corner case. Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/staging/media/s5p-cec/s5p_cec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/staging/media/s5p-cec/s5p_cec.c b/drivers/staging/media/s5p-cec/s5p_cec.c index bebd44d9bd51..f6d1d98431a7 100644 --- a/drivers/staging/media/s5p-cec/s5p_cec.c +++ b/drivers/staging/media/s5p-cec/s5p_cec.c @@ -112,6 +112,8 @@ static irqreturn_t s5p_cec_irq_handler(int irq, void *priv) dev_dbg(cec->dev, "Buffer overrun (worker did not process previous message)\n"); cec->rx = STATE_BUSY; cec->msg.len = status >> 24; + if (cec->msg.len > CEC_MAX_MSG_SIZE) + cec->msg.len = CEC_MAX_MSG_SIZE; cec->msg.rx_status = CEC_RX_STATUS_OK; s5p_cec_get_rx_buf(cec, cec->msg.len, cec->msg.msg); -- 2.35.1

1 year, 5 months

1
2
0 0

[PATCH AUTOSEL 4.14 1/4] media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE

by Sasha Levin

From: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> [ Upstream commit 93f65ce036863893c164ca410938e0968964b26c ] I expect that the hardware will have limited this to 16, but just in case it hasn't, check for this corner case. Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/platform/s5p-cec/s5p_cec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/platform/s5p-cec/s5p_cec.c b/drivers/media/platform/s5p-cec/s5p_cec.c index 3032247c63a5..554c8f2b60b8 100644 --- a/drivers/media/platform/s5p-cec/s5p_cec.c +++ b/drivers/media/platform/s5p-cec/s5p_cec.c @@ -116,6 +116,8 @@ static irqreturn_t s5p_cec_irq_handler(int irq, void *priv) dev_dbg(cec->dev, "Buffer overrun (worker did not process previous message)\n"); cec->rx = STATE_BUSY; cec->msg.len = status >> 24; + if (cec->msg.len > CEC_MAX_MSG_SIZE) + cec->msg.len = CEC_MAX_MSG_SIZE; cec->msg.rx_status = CEC_RX_STATUS_OK; s5p_cec_get_rx_buf(cec, cec->msg.len, cec->msg.msg); -- 2.35.1

1 year, 5 months

1
3
0 0

[PATCH AUTOSEL 4.19 1/6] media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE

by Sasha Levin

From: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> [ Upstream commit 93f65ce036863893c164ca410938e0968964b26c ] I expect that the hardware will have limited this to 16, but just in case it hasn't, check for this corner case. Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/platform/s5p-cec/s5p_cec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/platform/s5p-cec/s5p_cec.c b/drivers/media/platform/s5p-cec/s5p_cec.c index 3032247c63a5..554c8f2b60b8 100644 --- a/drivers/media/platform/s5p-cec/s5p_cec.c +++ b/drivers/media/platform/s5p-cec/s5p_cec.c @@ -116,6 +116,8 @@ static irqreturn_t s5p_cec_irq_handler(int irq, void *priv) dev_dbg(cec->dev, "Buffer overrun (worker did not process previous message)\n"); cec->rx = STATE_BUSY; cec->msg.len = status >> 24; + if (cec->msg.len > CEC_MAX_MSG_SIZE) + cec->msg.len = CEC_MAX_MSG_SIZE; cec->msg.rx_status = CEC_RX_STATUS_OK; s5p_cec_get_rx_buf(cec, cec->msg.len, cec->msg.msg); -- 2.35.1

1 year, 5 months

1
5
0 0

[PATCH AUTOSEL 5.4 1/8] media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE

by Sasha Levin

From: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> [ Upstream commit 93f65ce036863893c164ca410938e0968964b26c ] I expect that the hardware will have limited this to 16, but just in case it hasn't, check for this corner case. Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/platform/s5p-cec/s5p_cec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/platform/s5p-cec/s5p_cec.c b/drivers/media/platform/s5p-cec/s5p_cec.c index 828792b854f5..0c668d4a3daa 100644 --- a/drivers/media/platform/s5p-cec/s5p_cec.c +++ b/drivers/media/platform/s5p-cec/s5p_cec.c @@ -115,6 +115,8 @@ static irqreturn_t s5p_cec_irq_handler(int irq, void *priv) dev_dbg(cec->dev, "Buffer overrun (worker did not process previous message)\n"); cec->rx = STATE_BUSY; cec->msg.len = status >> 24; + if (cec->msg.len > CEC_MAX_MSG_SIZE) + cec->msg.len = CEC_MAX_MSG_SIZE; cec->msg.rx_status = CEC_RX_STATUS_OK; s5p_cec_get_rx_buf(cec, cec->msg.len, cec->msg.msg); -- 2.35.1

1 year, 5 months

1
7
0 0

[PATCH AUTOSEL 5.10 01/14] media: rkisp1: Initialize color space on resizer sink and source pads

by Sasha Levin

From: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> [ Upstream commit 83b9296e399367862845d3b19984444fc756bd61 ] Initialize the four color space fields on the sink and source video pads of the resizer in the .init_cfg() operation. The resizer can't perform any color space conversion, so set the sink and source color spaces to the same defaults, which match the ISP source video pad default. Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Reviewed-by: Paul Elder <paul.elder(a)ideasonboard.com> Reviewed-by: Dafna Hirschfeld <dafna(a)fastmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/staging/media/rkisp1/rkisp1-resizer.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/staging/media/rkisp1/rkisp1-resizer.c b/drivers/staging/media/rkisp1/rkisp1-resizer.c index 4dcc342ac2b2..76f17dd7670f 100644 --- a/drivers/staging/media/rkisp1/rkisp1-resizer.c +++ b/drivers/staging/media/rkisp1/rkisp1-resizer.c @@ -500,6 +500,10 @@ static int rkisp1_rsz_init_config(struct v4l2_subdev *sd, sink_fmt->height = RKISP1_DEFAULT_HEIGHT; sink_fmt->field = V4L2_FIELD_NONE; sink_fmt->code = RKISP1_DEF_FMT; + sink_fmt->colorspace = V4L2_COLORSPACE_SRGB; + sink_fmt->xfer_func = V4L2_XFER_FUNC_SRGB; + sink_fmt->ycbcr_enc = V4L2_YCBCR_ENC_601; + sink_fmt->quantization = V4L2_QUANTIZATION_LIM_RANGE; sink_crop = v4l2_subdev_get_try_crop(sd, cfg, RKISP1_RSZ_PAD_SINK); sink_crop->width = RKISP1_DEFAULT_WIDTH; -- 2.35.1

1 year, 5 months

1
13
0 0

[PATCH AUTOSEL 5.15 01/19] media: rkisp1: Don't pass the quantization to rkisp1_csm_config()

by Sasha Levin

From: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> [ Upstream commit 711d91497e203b058cf0a08c0f7d41c04efbde76 ] The rkisp1_csm_config() function takes a pointer to the rkisp1_params structure which contains the quantization value. There's no need to pass it separately to the function. Drop it from the function parameters. Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com> Reviewed-by: Dafna Hirschfeld <dafna(a)fastmail.com> Reviewed-by: Paul Elder <paul.elder(a)ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- drivers/media/platform/rockchip/rkisp1/rkisp1-params.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/drivers/media/platform/rockchip/rkisp1/rkisp1-params.c b/drivers/media/platform/rockchip/rkisp1/rkisp1-params.c index 8fa5b0abf1f9..8461e88c1288 100644 --- a/drivers/media/platform/rockchip/rkisp1/rkisp1-params.c +++ b/drivers/media/platform/rockchip/rkisp1/rkisp1-params.c @@ -751,7 +751,7 @@ static void rkisp1_ie_enable(struct rkisp1_params *params, bool en) } } -static void rkisp1_csm_config(struct rkisp1_params *params, bool full_range) +static void rkisp1_csm_config(struct rkisp1_params *params) { static const u16 full_range_coeff[] = { 0x0026, 0x004b, 0x000f, @@ -765,7 +765,7 @@ static void rkisp1_csm_config(struct rkisp1_params *params, bool full_range) }; unsigned int i; - if (full_range) { + if (params->quantization == V4L2_QUANTIZATION_FULL_RANGE) { for (i = 0; i < ARRAY_SIZE(full_range_coeff); i++) rkisp1_write(params->rkisp1, full_range_coeff[i], RKISP1_CIF_ISP_CC_COEFF_0 + i * 4); @@ -1235,11 +1235,7 @@ static void rkisp1_params_config_parameter(struct rkisp1_params *params) rkisp1_param_set_bits(params, RKISP1_CIF_ISP_HIST_PROP, rkisp1_hst_params_default_config.mode); - /* set the range */ - if (params->quantization == V4L2_QUANTIZATION_FULL_RANGE) - rkisp1_csm_config(params, true); - else - rkisp1_csm_config(params, false); + rkisp1_csm_config(params); spin_lock_irq(&params->config_lock); -- 2.35.1

1 year, 5 months

1
18
0 0

bestätigen

by david tayo

Grüße, ich hoffe, diese E-Mail erreicht Sie gut. Sie haben nicht auf die Informationen geantwortet, die ich Ihnen zuvor geschickt habe. Bitte melden Sie sich bei mir, es ist dringend, wir müssen uns unterhalten Mit besten Empfehlungen David Tayo

1 year, 5 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror November 2022