February 2023 - Linux-stable-mirror

[PATCH 6.1 0/5] Backport v6.2 SGID fixes to LTS 6.1

by Amir Goldstein

Greg, Following are backports of Christian's SGID fixes that were merged to v6.2-rc1. Note that Christain's PR [1] contains also two ovl patches (from me). Those two are independent fixes that have already been AUTOSELected to 6.1.y. Christain's fixes also contain a user observable change of behavior to fix inconsistencies of behavior between chmod/chown and write. This change is best described in Christain's commit to fix the expected behavior in xfstests [2]. It is hoped that no applications rely on this minor behavioral difference, and if we are wrong, we may need to party revert the change, but in any case, we prefer the behavior of LTS kernels to be consitent with that of upstream. I ran the relevant fstests test groups on xfs and on overlayfs over xfs. I also have backports that I prepared for 5.15 and 5.10, but those backports include also xfs SGID fixes, so those need to go through the xfs stable review process. Thanks, Amir. [1] https://lore.kernel.org/linux-fsdevel/20221212112053.99208-1-brauner@kernel… [2] https://lore.kernel.org/linux-fsdevel/20230103-fstests-setgid-v6-2-v3-1-595… Christian Brauner (5): attr: add in_group_or_capable() fs: move should_remove_suid() attr: add setattr_should_drop_sgid() attr: use consistent sgid stripping checks fs: use consistent setgid checks in is_sxid() Documentation/trace/ftrace.rst | 2 +- fs/attr.c | 74 +++++++++++++++++++++++++++++++--- fs/fuse/file.c | 2 +- fs/inode.c | 64 +++++++++++++---------------- fs/internal.h | 10 ++++- fs/ocfs2/file.c | 4 +- fs/open.c | 8 ++-- include/linux/fs.h | 4 +- 8 files changed, 115 insertions(+), 53 deletions(-) -- 2.34.1

1 year, 1 month

2
6
0 0

S2idle fix for DCN314

by Limonciello, Mario

[Public] Hi, Newer GPU microcode binaries for products with DCN 314 cause the display to fail to resume from s2idle. The following fix went into 6.3 that makes it work with both newer and older GPU microcode binaries. Please take this to 6.1.y. e383b12709e32 ("drm/amd/display: Move DCN314 DOMAIN power control to DMCUB") Thanks,

1 year, 1 month

2
2
0 0

USB4 DPIA fixups for 6.1.y/6.2

by Limonciello, Mario

Hi, The following two commits help with initialization of DPIA which is used for DP tunneling over USB4 within amdgpu. Needed for both 6.1.y and 6.2.y: ead08b95fa50 ("drm/amd/display: Fix race condition in DPIA AUX transfer") 0cf8307adbc6 ("drm/amd/display: Properly reuse completion structure") Needed just for 6.2: 0cf8307adbc6 ("drm/amd/display: Properly reuse completion structure") 0cf8307adbc6 was actually already tagged to go stable but it doesn’t apply cleanly to 6.1.y because of the above mentioned dependency so it didn’t come back. Can you please bring them back as requested above? Thanks,

1 year, 1 month

2
1
0 0

[PATCH 5.10] md: Flush workqueue md_rdev_misc_wq in md_alloc()

by Hou Tao

From: David Sloan <david.sloan(a)eideticom.com> commit 5e8daf906f890560df430d30617c692a794acb73 upstream. A race condition still exists when removing and re-creating md devices in test cases. However, it is only seen on some setups. The race condition was tracked down to a reference still being held to the kobject by the rdev in the md_rdev_misc_wq which will be released in rdev_delayed_delete(). md_alloc() waits for previous deletions by waiting on the md_misc_wq, but the md_rdev_misc_wq may still be holding a reference to a recently removed device. To fix this, also flush the md_rdev_misc_wq in md_alloc(). Signed-off-by: David Sloan <david.sloan(a)eideticom.com> [logang(a)deltatee.com: rewrote commit message] Signed-off-by: Logan Gunthorpe <logang(a)deltatee.com> Signed-off-by: Song Liu <song(a)kernel.org> Signed-off-by: Hou Tao <houtao1(a)huawei.com> --- Hi Greg, We found the problem also exists on v5.10, so could you please pick it up for v5.10 ? Thanks. drivers/md/md.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/md/md.c b/drivers/md/md.c index 3038e7ecb7e1..c0b34637bd66 100644 --- a/drivers/md/md.c +++ b/drivers/md/md.c @@ -5683,6 +5683,7 @@ static int md_alloc(dev_t dev, char *name) * completely removed (mddev_delayed_delete). */ flush_workqueue(md_misc_wq); + flush_workqueue(md_rdev_misc_wq); mutex_lock(&disks_mutex); error = -EEXIST; -- 2.29.2

1 year, 1 month

3
3
0 0

Please backport commit ae3419fbac84 ("vc_screen: don't clobber return value in vcs_read")

by Thomas Weißschuh

Hi, please backport the following commit[0] to all stable releases that contain the commit 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF") Commit 46d733d0efc7 ("vc_screen: modify vcs_size() handling in vcs_read()") [1] also tries to fix this commit but should not actually be necessary for a proper fix. It may make sense to also backport for consistency. commit ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e Author: Thomas Weißschuh <linux(a)weissschuh.net> Date: Mon Feb 20 06:46:12 2023 +0000 vc_screen: don't clobber return value in vcs_read Commit 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF") moved the call to vcs_vc() into the loop. While doing this it also moved the unconditional assignment of ret = -ENXIO; This unconditional assignment was valid outside the loop but within it it clobbers the actual value of ret. To avoid this only assign "ret = -ENXIO" when actually needed. [ Also, the 'goto unlock_out" needs to be just a "break", so that it does the right thing when it exits on later iterations when partial success has happened - Linus ] Reported-by: Storm Dragon <stormdragon2976(a)gmail.com> Link: https://lore.kernel.org/lkml/Y%2FKS6vdql2pIsCiI@hotmail.com/ Fixes: 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF") Signed-off-by: Thomas Weißschuh <linux(a)weissschuh.net> Link: https://lore.kernel.org/lkml/64981d94-d00c-4b31-9063-43ad0a384bde@t-8ch.de/ Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Thanks, Thomas [0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…

1 year, 1 month

2
1
0 0

Please apply 4e4a08868f15897ca236528771c3733fded42c62 to linux-6.2.y

by Nathan Chancellor

Hi Greg and Sasha, Please apply commit 4e4a08868f15 ("crypto: arm64/sm4-gcm - Fix possible crash in GCM cryption") to 6.2, as it fixes a crash that I see when booting Arch Linux ARM's aarch64 configuration [1] in QEMU: [ 1.512110] Unable to handle kernel paging request at virtual address fffffe000024d588 [ 1.512357] Mem abort info: [ 1.512542] ESR = 0x0000000097c38004 [ 1.512695] EC = 0x25: DABT (current EL), IL = 32 bits [ 1.512863] SET = 0, FnV = 0 [ 1.512967] EA = 0, S1PTW = 0 [ 1.513075] FSC = 0x04: level 0 translation fault [ 1.513236] Data abort info: [ 1.513343] Access size = 8 byte(s) [ 1.513618] SSE = 0, SRT = 3 [ 1.513721] SF = 1, AR = 0 [ 1.513824] CM = 0, WnR = 0 [ 1.513964] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041ef8000 [ 1.514162] [fffffe000024d588] pgd=0000000000000000, p4d=0000000000000000 [ 1.514932] Internal error: Oops: 0000000097c38004 [#1] PREEMPT SMP [ 1.515206] Modules linked in: [ 1.515477] CPU: 0 PID: 113 Comm: cryptomgr_test Not tainted 6.2.1-ARCH #1 [ 1.515755] Hardware name: linux,dummy-virt (DT) [ 1.516029] pstate: a1400009 (NzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1.516277] pc : kfree+0x30/0xb0 [ 1.516766] lr : skcipher_walk_done+0x198/0x2b0 [ 1.516934] sp : ffff80000ace3820 [ 1.517042] x29: ffff80000ace3820 x28: 0000000000000000 x27: 0000000000000400 [ 1.517316] x26: ffff80000937d880 x25: ffff0000034d0400 x24: ffff0000036efe00 [ 1.517557] x23: ffff800008088730 x22: ffff0000036efd00 x21: ffff80000ace3998 [ 1.517791] x20: 0000000000000000 x19: ffff80000ace3900 x18: ffffffffffffffff [ 1.518022] x17: 0000000000000000 x16: 0000000000000000 x15: ffffffffffffffff [ 1.518263] x14: ffff80008ace3ce7 x13: 0000000000000000 x12: 0000000000000000 [ 1.518510] x11: ffff80000ace38c8 x10: ffff80000ace38d0 x9 : 0000000000000001 [ 1.518757] x8 : 0000000000000000 x7 : ffff80000ace38a8 x6 : 0000000000000001 [ 1.518993] x5 : ffff80000ace3998 x4 : fffffc0000000000 x3 : ffff80000ace3b00 [ 1.519242] x2 : 000002000024d580 x1 : ffff800009356218 x0 : fffffe000024d580 [ 1.519549] Call trace: [ 1.519654] kfree+0x30/0xb0 [ 1.519785] skcipher_walk_done+0x198/0x2b0 [ 1.519931] gcm_crypt+0xd8/0x170 [ 1.520047] gcm_encrypt+0x90/0xbc [ 1.520153] crypto_aead_encrypt+0x24/0x40 [ 1.520285] test_aead_vec_cfg+0x21c/0x770 [ 1.520422] test_aead+0xb4/0x140 [ 1.520538] alg_test_aead+0x94/0x190 [ 1.520662] alg_test+0x34c/0x520 [ 1.520770] cryptomgr_test+0x24/0x44 [ 1.520889] kthread+0xe4/0xf0 [ 1.520993] ret_from_fork+0x10/0x20 [ 1.521300] Code: b25657e4 d34cfc42 d37ae442 8b040040 (f9400403) [ 1.521691] ---[ end trace 0000000000000000 ]--- [1]: https://github.com/archlinuxarm/PKGBUILDs/raw/master/core/linux-aarch64/con… Cheers, Nathan

1 year, 1 month

2
1
0 0

Please apply efbc7bd90f60 to 5.15

by Arınç ÜNAL

commit efbc7bd90f60c71b8e786ee767952bc22fc3666d upstream. Please apply ("staging: mt7621-dts: change palmbus address to lower case") to 5.15. It solves the duplicate label error caused by the node name being uppercase on gbpc1.dts, but lowercase on mt7621.dtsi. drivers/staging/mt7621-dts/gbpc1.dts:22.28-26.4: ERROR (duplicate_label): /palmbus@1E000000: Duplicate label 'palmbus' on /palmbus@1E000000 and /palmbus@1e000000 ERROR: Input tree has errors, aborting (use -f to force output) Arınç

1 year, 1 month

3
3
0 0

[PATCH] ceph: do not print the whole xattr value if it's too long

by xiubli＠redhat.com

From: Xiubo Li <xiubli(a)redhat.com> If the xattr's value size is long enough the kernel will warn and then will fail the xfstests test case. Just print part of the value string if it's too long. Cc: stable(a)vger.kernel.org URL: https://tracker.ceph.com/issues/58404 Signed-off-by: Xiubo Li <xiubli(a)redhat.com> --- fs/ceph/xattr.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c index b10d459c2326..6638bb0ec10f 100644 --- a/fs/ceph/xattr.c +++ b/fs/ceph/xattr.c @@ -561,6 +561,7 @@ static struct ceph_vxattr *ceph_match_vxattr(struct inode *inode, return NULL; } +#define XATTR_MAX_VAL 256 static int __set_xattr(struct ceph_inode_info *ci, const char *name, int name_len, const char *val, int val_len, @@ -654,8 +655,10 @@ static int __set_xattr(struct ceph_inode_info *ci, dout("__set_xattr_val p=%p\n", p); } - dout("__set_xattr_val added %llx.%llx xattr %p %.*s=%.*s\n", - ceph_vinop(&ci->netfs.inode), xattr, name_len, name, val_len, val); + dout("__set_xattr_val added %llx.%llx xattr %p %.*s=%.*s%s\n", + ceph_vinop(&ci->netfs.inode), xattr, name_len, name, + val_len > XATTR_MAX_VAL ? XATTR_MAX_VAL : val_len, val, + val_len > XATTR_MAX_VAL ? "..." : ""); return 0; } @@ -681,8 +684,10 @@ static struct ceph_inode_xattr *__get_xattr(struct ceph_inode_info *ci, else if (c > 0) p = &(*p)->rb_right; else { - dout("__get_xattr %s: found %.*s\n", name, - xattr->val_len, xattr->val); + int len = xattr->val_len; + dout("__get_xattr %s: found %.*s%s\n", name, + len > XATTR_MAX_VAL ? XATTR_MAX_VAL : len, + xattr->val, len > XATTR_MAX_VAL ? "..." : ""); return xattr; } } -- 2.31.1

1 year, 1 month

3
2
0 0

stable/6.2: backport commit 943f4e64ee17 ("ALSA: hda: cs35l41: Correct error condition handling")

by Richard Fitzgerald

commit 943f4e64ee177cf44d7f2c235281fcda7c32bb28 upstream Please backport to 6.2. This fixes an API break between the cs_dsp driver and the cs35l41 HDA driver that broke the cs35l41 driver. The original chain of patches that made the cs_dsp change missed out the corresponding change to the HDA code. These changes went into the first 6.2 release. Reported-by: Martin Wolf <info(a)martinwolf.pub>

1 year, 1 month

2
1
0 0

Ahoj

by silverl ynrojas

drahý příteli Jak se dneska máš? Myslím, že už je to dlouho, co jsme spolu mluvili naposledy. V každém případě Vás budu znovu kontaktovat ohledně naší předchozí transakce, která u Vás nebyla úspěšná. Vaše spolupráce se mnou bohužel nemůže dokončit převod finančních prostředků. Nevím, možná proto, že se musím smířit se svým zájmem o případ. V každém případě jsem rád, že mohu oznámit úspěch při přijímání finančních prostředků převedených novým partnerem z Venezuely. Momentálně jsem ve Venezuele kvůli investici. Nezapomněl jsem však na své předchozí snažení a snažil jsem se mi s převodem fondu pomoci, i když jsme nemohli dojít ke konkrétnímu závěru. Díky mé snaze pomoci mně jsme se s mým novým partnerem rozhodli vrátit vám 850 000 $, abyste si s námi mohli užívat radosti a štěstí. Nechal jsem vaše kompenzační vízum pro svou sekretářku, aby mi pomohla podat žádost. Nyní kontaktujte mou sekretářku v Togu, jmenuje se paní Silverly Rojas a její e-mailová adresa je (silverlynrojas94(a)gmail.com). Řekněte jí, aby vám poslala kartu Visa v hodnotě 850 000 USD. V současné době jsem velmi zaneprázdněn ve Venezuele kvůli investičním projektům, které mám se svým novým partnerem. Rychle kontaktujte paní Silverly Rojasovou a dejte jí vědět, kam má poslat čekající vízum. Karta vám bude obratem zaslána. Přeji vám vše nejlepší ve všech vašich snahách. S pozdravem Robert G Mohammed

1 year, 1 month

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror February 2023