From: Ryusuke Konishi <konishi.ryusuke(a)gmail.com>
mainline inclusion
from mainline-v6.0-rc3
commit 21a87d88c2253350e115029f14fe2a10a7e6c856
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5X1Z4
CVE: CVE-2022-3621
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
If the i_mode field in the inode of metadata files is corrupted on disk, it
can cause the initialization of the bmap structure, which should have been
called from nilfs_read_inode_common(), not to be called. This causes a
lockdep warning followed by a NULL pointer dereference at
nilfs_bmap_lookup_at_level().
This patch fixes these issues by adding a missing sanity check for the
i_mode field of the metadata file's inode.
Link: https://lkml.kernel.org/r/20221002030804.29978-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com>
Reported-by: syzbot+2b32eb36c1a825b7a74c(a)syzkaller.appspotmail.com
Reported-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp>
Tested-by: Ryusuke Konishi <konishi.ryusuke(a)gmail.com>
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
Signed-off-by: Long Li <leo.lilong(a)huawei.com>
---
fs/nilfs2/inode.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
index ca380c6d7825..bfe3c7ccdf50 100644
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -462,6 +462,8 @@ int nilfs_read_inode_common(struct inode *inode,
inode->i_atime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec);
inode->i_ctime.tv_nsec = le32_to_cpu(raw_inode->i_ctime_nsec);
inode->i_mtime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec);
+ if (nilfs_is_metadata_file_inode(inode) && !S_ISREG(inode->i_mode))
+ return -EIO; /* this inode is for metadata and corrupted */
if (inode->i_nlink == 0)
return -ESTALE; /* this inode is deleted */
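Review bot: the new `return -EIO;` is silent, yet a metadata inode whose i_mode is not a regular file can only mean on-disk corruption, and the caller sees nothing but an errno. Logging the inode number through the filesystem's error-reporting helper (nilfs_error() or similar) next to the return would make the corruption visible in the kernel log for anyone triaging a mount failure or a fuzzer report. Separately, the context line `inode->i_atime.tv_nsec = le32_to_cpu(raw_inode->i_mtime_nsec);` reads like a copy-paste slip beside the ctime and mtime lines; if it is intentional because the on-disk inode carries no atime field, a one-line comment would spare the next reader the double-take.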
--
2.31.1
This is the start of the stable review cycle for the 6.0.4 release.
There are 20 patches in this series, all of which will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 26 Oct 2022 11:29:24 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.0.4-rc1.…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.0.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 6.0.4-rc1
Thomas Zimmermann <tzimmermann(a)suse.de>
fbdev/core: Remove remove_conflicting_pci_framebuffers()
Mel Gorman <mgorman(a)techsingularity.net>
mm/huge_memory: do not clobber swp_entry_t during THP split
Rafael Mendonca <rafaelmendsr(a)gmail.com>
io-wq: Fix memory leak in worker creation
Martin Liska <mliska(a)suse.cz>
gcov: support GCC 12.1 and newer compilers
Ard Biesheuvel <ardb(a)kernel.org>
efi: ssdt: Don't free memory if ACPI table was loaded successfully
Ard Biesheuvel <ardb(a)kernel.org>
efi: efivars: Fix variable writes without query_variable_store()
Nikos Tsironis <ntsironis(a)arrikto.com>
dm clone: Fix typo in block_device format specifier
Tim Huang <tim.huang(a)amd.com>
drm/amd/pm: update SMU IP v13.0.4 driver interface version
Evan Quan <evan.quan(a)amd.com>
drm/amd/pm: fulfill SMU13.0.0 cstate control interface
Evan Quan <evan.quan(a)amd.com>
drm/amd/pm: disable cstate feature for gpu reset scenario
Tim Huang <tim.huang(a)amd.com>
drm/amd/pm: add SMU IP v13.0.4 IF version define to V7
Evan Quan <evan.quan(a)amd.com>
drm/amd/pm: fulfill SMU13.0.7 cstate control interface
Pavel Begunkov <asml.silence(a)gmail.com>
net: flag sockets supporting msghdr originated zerocopy
Roderick Colenbrander <roderick(a)gaikai.com>
HID: playstation: add initial DualSense Edge controller support
Roderick Colenbrander <roderick(a)gaikai.com>
HID: playstation: stop DualSense output work on remove.
Pavel Begunkov <asml.silence(a)gmail.com>
io_uring/net: fail zc send when unsupported by socket
Rafael J. Wysocki <rafael.j.wysocki(a)intel.com>
thermal: intel_powerclamp: Use first online CPU as control_cpu
Basavaraj Natikar <Basavaraj.Natikar(a)amd.com>
pinctrl: amd: change dev_warn to dev_dbg for additional feature support
Ville Syrjälä <ville.syrjala(a)linux.intel.com>
drm/i915/bios: Use hardcoded fp_timing size for generating LFP data pointers
Ville Syrjälä <ville.syrjala(a)linux.intel.com>
drm/i915/bios: Validate fp_timing terminator presence
-------------
Diffstat:
Makefile | 4 +-
drivers/firmware/efi/efi.c | 2 +
drivers/firmware/efi/vars.c | 10 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 ++
.../pm/swsmu/inc/pmfw_if/smu13_driver_if_v13_0_4.h | 17 +++-
drivers/gpu/drm/amd/pm/swsmu/inc/smu_v13_0.h | 2 +-
drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c | 8 ++
drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 9 ++
.../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 11 +++
.../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 12 +++
drivers/gpu/drm/i915/display/intel_bios.c | 106 ++++++++++-----------
drivers/hid/hid-ids.h | 1 +
drivers/hid/hid-playstation.c | 46 +++++++--
drivers/md/dm-clone-target.c | 2 +-
drivers/pinctrl/pinctrl-amd.c | 4 +-
drivers/thermal/intel/intel_powerclamp.c | 6 +-
drivers/video/aperture.c | 30 +++---
drivers/video/fbdev/core/fbmem.c | 48 ----------
fs/efivarfs/vars.c | 16 ----
include/linux/efi.h | 3 -
include/linux/fb.h | 2 -
include/linux/net.h | 1 +
io_uring/io-wq.c | 2 +-
io_uring/net.c | 2 +
kernel/gcov/gcc_4_7.c | 18 +++-
mm/huge_memory.c | 11 ++-
net/ipv4/tcp.c | 1 +
net/ipv4/udp.c | 1 +
28 files changed, 218 insertions(+), 165 deletions(-)
From: Hans Verkuil <hverkuil-cisco(a)xs4all.nl>
[ Upstream commit 93f65ce036863893c164ca410938e0968964b26c ]
I expect that the hardware will have limited this to 16, but just in
case it hasn't, check for this corner case.
Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
drivers/staging/media/s5p-cec/s5p_cec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/staging/media/s5p-cec/s5p_cec.c b/drivers/staging/media/s5p-cec/s5p_cec.c
index bebd44d9bd51..f6d1d98431a7 100644
--- a/drivers/staging/media/s5p-cec/s5p_cec.c
+++ b/drivers/staging/media/s5p-cec/s5p_cec.c
@@ -112,6 +112,8 @@ static irqreturn_t s5p_cec_irq_handler(int irq, void *priv)
dev_dbg(cec->dev, "Buffer overrun (worker did not process previous message)\n");
cec->rx = STATE_BUSY;
cec->msg.len = status >> 24;
+ if (cec->msg.len > CEC_MAX_MSG_SIZE)
+ cec->msg.len = CEC_MAX_MSG_SIZE;
cec->msg.rx_status = CEC_RX_STATUS_OK;
s5p_cec_get_rx_buf(cec, cec->msg.len,
cec->msg.msg);
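Review bot: clamping rather than rejecting means a frame the hardware reported as longer than CEC_MAX_MSG_SIZE still flows on with `cec->msg.rx_status = CEC_RX_STATUS_OK;`, so the CEC core receives a truncated message marked as good. If a length above the maximum can only come from a hardware or register-decoding fault, dropping the message or setting an error rx_status is safer than silently delivering the first CEC_MAX_MSG_SIZE bytes. Either way, the clamp lands before s5p_cec_get_rx_buf(), which is the part that matters for memory safety, so the bound itself is in the right place.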
--
2.35.1
From: Hans Verkuil <hverkuil-cisco(a)xs4all.nl>
[ Upstream commit 93f65ce036863893c164ca410938e0968964b26c ]
I expect that the hardware will have limited this to 16, but just in
case it hasn't, check for this corner case.
Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
drivers/media/platform/s5p-cec/s5p_cec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/media/platform/s5p-cec/s5p_cec.c b/drivers/media/platform/s5p-cec/s5p_cec.c
index 3032247c63a5..554c8f2b60b8 100644
--- a/drivers/media/platform/s5p-cec/s5p_cec.c
+++ b/drivers/media/platform/s5p-cec/s5p_cec.c
@@ -116,6 +116,8 @@ static irqreturn_t s5p_cec_irq_handler(int irq, void *priv)
dev_dbg(cec->dev, "Buffer overrun (worker did not process previous message)\n");
cec->rx = STATE_BUSY;
cec->msg.len = status >> 24;
+ if (cec->msg.len > CEC_MAX_MSG_SIZE)
+ cec->msg.len = CEC_MAX_MSG_SIZE;
cec->msg.rx_status = CEC_RX_STATUS_OK;
s5p_cec_get_rx_buf(cec, cec->msg.len,
cec->msg.msg);
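Review bot: the clamp fires without leaving any trace; a dev_warn_ratelimited() or at least a dev_dbg() alongside the existing "Buffer overrun" message in this handler would let a hardware-reported length above CEC_MAX_MSG_SIZE be noticed in the log rather than silently absorbed. The commit message also says the hardware is expected to limit the length to 16 while the code bounds it with CEC_MAX_MSG_SIZE; a short comment saying the two are expected to agree would make the intent clear to anyone checking the constant.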
--
2.35.1
From: Hans Verkuil <hverkuil-cisco(a)xs4all.nl>
[ Upstream commit 93f65ce036863893c164ca410938e0968964b26c ]
I expect that the hardware will have limited this to 16, but just in
case it hasn't, check for this corner case.
Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
drivers/media/platform/s5p-cec/s5p_cec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/media/platform/s5p-cec/s5p_cec.c b/drivers/media/platform/s5p-cec/s5p_cec.c
index 828792b854f5..0c668d4a3daa 100644
--- a/drivers/media/platform/s5p-cec/s5p_cec.c
+++ b/drivers/media/platform/s5p-cec/s5p_cec.c
@@ -115,6 +115,8 @@ static irqreturn_t s5p_cec_irq_handler(int irq, void *priv)
dev_dbg(cec->dev, "Buffer overrun (worker did not process previous message)\n");
cec->rx = STATE_BUSY;
cec->msg.len = status >> 24;
+ if (cec->msg.len > CEC_MAX_MSG_SIZE)
+ cec->msg.len = CEC_MAX_MSG_SIZE;
cec->msg.rx_status = CEC_RX_STATUS_OK;
s5p_cec_get_rx_buf(cec, cec->msg.len,
cec->msg.msg);
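Review bot: `status >> 24` comes straight from a hardware register, so the only sanitising the value gets is this upper bound; if `cec->msg.len` can legitimately be 0 here, it is worth confirming that s5p_cec_get_rx_buf() copes with a zero length, since the same untrusted field now has a known maximum but no minimum. Otherwise this is a straightforward backport of the same two lines to this tree (index 828792b854f5), and placing the check ahead of s5p_cec_get_rx_buf() is correct.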
--
2.35.1
From: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com>
[ Upstream commit 83b9296e399367862845d3b19984444fc756bd61 ]
Initialize the four color space fields on the sink and source video pads
of the resizer in the .init_cfg() operation. The resizer can't perform
any color space conversion, so set the sink and source color spaces to
the same defaults, which match the ISP source video pad default.
Signed-off-by: Laurent Pinchart <laurent.pinchart(a)ideasonboard.com>
Reviewed-by: Paul Elder <paul.elder(a)ideasonboard.com>
Reviewed-by: Dafna Hirschfeld <dafna(a)fastmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab(a)kernel.org>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
drivers/staging/media/rkisp1/rkisp1-resizer.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/staging/media/rkisp1/rkisp1-resizer.c b/drivers/staging/media/rkisp1/rkisp1-resizer.c
index 4dcc342ac2b2..76f17dd7670f 100644
--- a/drivers/staging/media/rkisp1/rkisp1-resizer.c
+++ b/drivers/staging/media/rkisp1/rkisp1-resizer.c
@@ -500,6 +500,10 @@ static int rkisp1_rsz_init_config(struct v4l2_subdev *sd,
sink_fmt->height = RKISP1_DEFAULT_HEIGHT;
sink_fmt->field = V4L2_FIELD_NONE;
sink_fmt->code = RKISP1_DEF_FMT;
+ sink_fmt->colorspace = V4L2_COLORSPACE_SRGB;
+ sink_fmt->xfer_func = V4L2_XFER_FUNC_SRGB;
+ sink_fmt->ycbcr_enc = V4L2_YCBCR_ENC_601;
+ sink_fmt->quantization = V4L2_QUANTIZATION_LIM_RANGE;
sink_crop = v4l2_subdev_get_try_crop(sd, cfg, RKISP1_RSZ_PAD_SINK);
sink_crop->width = RKISP1_DEFAULT_WIDTH;
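Review bot: the commit message says both the sink and source pads get the four color space fields, but the hunk only assigns them on sink_fmt. If the source format is initialised by copying sink_fmt further down in rkisp1_rsz_init_config() this is fine; if it is built field by field, the source pad needs the same four assignments (colorspace, xfer_func, ycbcr_enc, quantization), otherwise the two pads would report different defaults even though the resizer performs no conversion. Saying which case applies in the commit message would save reviewers a trip into the file.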
--
2.35.1
Greetings, I hope this e-mail finds you well. You have not replied to
the information I sent you earlier.
Please get back to me, it is urgent, we need to
talk
With best regards
David Tayo