December 2024 - Linux-stable-mirror

[PATCH][5.15.y] gfs2: Fix slab-use-after-free in gfs2_qd_dealloc

by guocai.he.cn＠windriver.com

From: Juntong Deng <juntong.deng(a)outlook.com> commit 7ad4e0a4f61c57c3ca291ee010a9d677d0199fba upstream. In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again. Reported-by: syzbot+29c47e9e51895928698c(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=29c47e9e51895928698c Signed-off-by: Juntong Deng <juntong.deng(a)outlook.com> Signed-off-by: Andreas Gruenbacher <agruenba(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Clayton Casciato <majortomtosourcecontrol(a)gmail.com> Signed-off-by: Guocai He <guocai.he.cn(a)windriver.com> --- This commit is backporting 7ad4e0a4f61c7ad4e0a4f61c57c3ca291ee010a9d677d0199fba to the branch linux-5.15.y to solve the CVE-2024-52760. Please merge this commit to linux-5.15.y. fs/gfs2/super.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c index 268651ac9fc8..98158559893f 100644 --- a/fs/gfs2/super.c +++ b/fs/gfs2/super.c @@ -590,6 +590,8 @@ static void gfs2_put_super(struct super_block *sb) if (!sb_rdonly(sb)) { gfs2_make_fs_ro(sdp); + } else { + gfs2_quota_cleanup(sdp); } WARN_ON(gfs2_withdrawing(sdp)); -- 2.34.1

6 months, 2 weeks

3
2
0 0

[PATCH 6.1.y] drm/amd/display: Don't refer to dc_sink in is_dsc_need_re_compute

by jianqi.ren.cn＠windriver.com

From: Wayne Lin <wayne.lin(a)amd.com> [ Upstream commit fcf6a49d79923a234844b8efe830a61f3f0584e4 ] [Why] When unplug one of monitors connected after mst hub, encounter null pointer dereference. It's due to dc_sink get released immediately in early_unregister() or detect_ctx(). When commit new state which directly referring to info stored in dc_sink will cause null pointer dereference. [how] Remove redundant checking condition. Relevant condition should already be covered by checking if dsc_aux is null or not. Also reset dsc_aux to NULL when the connector is disconnected. Reviewed-by: Jerry Zuo <jerry.zuo(a)amd.com> Acked-by: Zaeem Mohamed <zaeem.mohamed(a)amd.com> Signed-off-by: Wayne Lin <wayne.lin(a)amd.com> Tested-by: Daniel Wheeler <daniel.wheeler(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> --- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c index 1acef5f3838f..a1619f4569cf 100644 --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c @@ -183,6 +183,8 @@ amdgpu_dm_mst_connector_early_unregister(struct drm_connector *connector) dc_sink_release(dc_sink); aconnector->dc_sink = NULL; aconnector->edid = NULL; + aconnector->dsc_aux = NULL; + port->passthrough_aux = NULL; } aconnector->mst_status = MST_STATUS_DEFAULT; @@ -487,6 +489,8 @@ dm_dp_mst_detect(struct drm_connector *connector, dc_sink_release(aconnector->dc_sink); aconnector->dc_sink = NULL; aconnector->edid = NULL; + aconnector->dsc_aux = NULL; + port->passthrough_aux = NULL; amdgpu_dm_set_mst_status(&aconnector->mst_status, MST_REMOTE_EDID | MST_ALLOCATE_NEW_PAYLOAD | MST_CLEAR_ALLOCATED_PAYLOAD, -- 2.25.1

6 months, 2 weeks

2
1
0 0

[PATCH 6.1.y] ext4: fix access to uninitialised lock in fc replay path

by jianqi.ren.cn＠windriver.com

From: "Luis Henriques (SUSE)" <luis.henriques(a)linux.dev> [ commit 23dfdb56581ad92a9967bcd720c8c23356af74c1 upstream ] The following kernel trace can be triggered with fstest generic/629 when executed against a filesystem with fast-commit feature enabled: INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x66/0x90 register_lock_class+0x759/0x7d0 __lock_acquire+0x85/0x2630 ? __find_get_block+0xb4/0x380 lock_acquire+0xd1/0x2d0 ? __ext4_journal_get_write_access+0xd5/0x160 _raw_spin_lock+0x33/0x40 ? __ext4_journal_get_write_access+0xd5/0x160 __ext4_journal_get_write_access+0xd5/0x160 ext4_reserve_inode_write+0x61/0xb0 __ext4_mark_inode_dirty+0x79/0x270 ? ext4_ext_replay_set_iblocks+0x2f8/0x450 ext4_ext_replay_set_iblocks+0x330/0x450 ext4_fc_replay+0x14c8/0x1540 ? jread+0x88/0x2e0 ? rcu_is_watching+0x11/0x40 do_one_pass+0x447/0xd00 jbd2_journal_recover+0x139/0x1b0 jbd2_journal_load+0x96/0x390 ext4_load_and_init_journal+0x253/0xd40 ext4_fill_super+0x2cc6/0x3180 ... In the replay path there's an attempt to lock sbi->s_bdev_wb_lock in function ext4_check_bdev_write_error(). Unfortunately, at this point this spinlock has not been initialized yet. Moving it's initialization to an earlier point in __ext4_fill_super() fixes this splat. Signed-off-by: Luis Henriques (SUSE) <luis.henriques(a)linux.dev> Link: https://patch.msgid.link/20240718094356.7863-1-luis.henriques@linux.dev Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Cc: stable(a)kernel.org Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> --- fs/ext4/super.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 987d49e18dbe..65e6e532cfb9 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -5276,6 +5276,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) INIT_LIST_HEAD(&sbi->s_orphan); /* unlinked but open files */ mutex_init(&sbi->s_orphan_lock); + spin_lock_init(&sbi->s_bdev_wb_lock); + ext4_fast_commit_init(sb); sb->s_root = NULL; @@ -5526,7 +5528,6 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb) * Save the original bdev mapping's wb_err value which could be * used to detect the metadata async write error. */ - spin_lock_init(&sbi->s_bdev_wb_lock); errseq_check_and_advance(&sb->s_bdev->bd_inode->i_mapping->wb_err, &sbi->s_bdev_wb_err); sb->s_bdev->bd_super = sb; -- 2.25.1

6 months, 2 weeks

2
1
0 0

[PATCH 6.1.y] fs/ntfs3: Fixed overflow check in mi_enum_attr()

by jianqi.ren.cn＠windriver.com

From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> [ Upstream commit 652cfeb43d6b9aba5c7c4902bed7a7340df131fb ] Reported-by: Robert Morris <rtm(a)csail.mit.edu> Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> --- fs/ntfs3/record.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c index 7ab452710572..826a756669a3 100644 --- a/fs/ntfs3/record.c +++ b/fs/ntfs3/record.c @@ -273,7 +273,7 @@ struct ATTRIB *mi_enum_attr(struct mft_inode *mi, struct ATTRIB *attr) if (t16 > asize) return NULL; - if (t16 + le32_to_cpu(attr->res.data_size) > asize) + if (le32_to_cpu(attr->res.data_size) > asize - t16) return NULL; if (attr->name_len && -- 2.25.1

6 months, 2 weeks

2
1
0 0

[PATCH 0/1] Backport a fix for broken avs audio

by Amadeusz Sławiński

Patch fixing the broken audio issue for avs apparently didn't make it into v6.12 stable tree and playing audio results in NULL pointer dereference. Link: https://bugzilla.kernel.org/show_bug.cgi?id=219577 Backport a fix. Amadeusz Sławiński (1): ASoC: Intel: avs: Fix return status of avs_pcm_hw_constraints_init() sound/soc/intel/avs/pcm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 2.34.1

6 months, 2 weeks

2
2
0 0

[PATCH net] net: dsa: tag_ocelot_8021q: fix broken reception

by Robert Hodaszi

Commit dcfe7673787b4bfea2c213df443d312aa754757b ("net: dsa: tag_sja1105: absorb logic for not overwriting precise info into dsa_8021q_rcv()") added support to let the DSA switch driver set source_port and switch_id. tag_8021q's logic overrides the previously set source_port and switch_id only if they are marked as "invalid" (-1). sja1105 and vsc73xx drivers are doing that properly, but ocelot_8021q driver doesn't initialize those variables. That causes dsa_8021q_rcv() doesn't set them, and they remain unassigned. Initialize them as invalid to so dsa_8021q_rcv() can return with the proper values. Fixes: dcfe7673787b ("net: dsa: tag_sja1105: absorb logic for not overwriting precise info into dsa_8021q_rcv()") Signed-off-by: Robert Hodaszi <robert.hodaszi(a)digi.com> --- Cc: stable(a)vger.kernel.org --- net/dsa/tag_ocelot_8021q.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/dsa/tag_ocelot_8021q.c b/net/dsa/tag_ocelot_8021q.c index 8e8b1bef6af6..11ea8cfd6266 100644 --- a/net/dsa/tag_ocelot_8021q.c +++ b/net/dsa/tag_ocelot_8021q.c @@ -79,7 +79,7 @@ static struct sk_buff *ocelot_xmit(struct sk_buff *skb, static struct sk_buff *ocelot_rcv(struct sk_buff *skb, struct net_device *netdev) { - int src_port, switch_id; + int src_port = -1, switch_id = -1; dsa_8021q_rcv(skb, &src_port, &switch_id, NULL, NULL); -- 2.43.0

6 months, 2 weeks

2
2
0 0

Linux 6.6.65

by Greg Kroah-Hartman

I'm announcing the release of the 6.6.65 kernel. This release only fixes a build regression for openrisc, and a runtime regression for domU guests. If you don't have problems with them, no need to upgrade. The updated 6.6.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.6.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 +- arch/openrisc/include/asm/fixmap.h | 31 +------------------------------ arch/x86/platform/pvh/head.S | 22 +--------------------- 3 files changed, 3 insertions(+), 52 deletions(-) Dawei Li (1): openrisc: Use asm-generic's version of fix_to_virt() & virt_to_fix() Greg Kroah-Hartman (3): Revert "x86/pvh: Call C code via the kernel virtual mapping" Revert "x86/pvh: Set phys_base when calling xen_prepare_pvh()" Linux 6.6.65

6 months, 2 weeks

1
1
0 0

[PATCH] net: dsa: tag_ocelot_8021q: fix broken reception

by Robert Hodaszi

Commit dcfe7673787b4bfea2c213df443d312aa754757b ("net: dsa: tag_sja1105: absorb logic for not overwriting precise info into dsa_8021q_rcv()") added support to let the DSA switch driver set source_port and switch_id. tag_8021q's logic overrides the previously set source_port and switch_id only if they are marked as "invalid" (-1). sja1105 and vsc73xx drivers are doing that properly, but ocelot_8021q driver doesn't initialize those variables. That causes dsa_8021q_rcv() doesn't set them, and they remain unassigned. Initialize them as invalid to so dsa_8021q_rcv() can return with the proper values. Signed-off-by: Robert Hodaszi <robert.hodaszi(a)digi.com> Cc: stable(a)vger.kernel.org --- net/dsa/tag_ocelot_8021q.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/dsa/tag_ocelot_8021q.c b/net/dsa/tag_ocelot_8021q.c index 8e8b1bef6af6..11ea8cfd6266 100644 --- a/net/dsa/tag_ocelot_8021q.c +++ b/net/dsa/tag_ocelot_8021q.c @@ -79,7 +79,7 @@ static struct sk_buff *ocelot_xmit(struct sk_buff *skb, static struct sk_buff *ocelot_rcv(struct sk_buff *skb, struct net_device *netdev) { - int src_port, switch_id; + int src_port = -1, switch_id = -1; dsa_8021q_rcv(skb, &src_port, &switch_id, NULL, NULL); -- 2.43.0

6 months, 2 weeks

3
4
0 0

[PATCH net] net: dsa: tag_ocelot_8021q: fix broken reception

by Robert Hodaszi

Commit dcfe7673787b4bfea2c213df443d312aa754757b ("net: dsa: tag_sja1105: absorb logic for not overwriting precise info into dsa_8021q_rcv()") added support to let the DSA switch driver set source_port and switch_id. tag_8021q's logic overrides the previously set source_port and switch_id only if they are marked as "invalid" (-1). sja1105 and vsc73xx drivers are doing that properly, but ocelot_8021q driver doesn't initialize those variables. That causes dsa_8021q_rcv() doesn't set them, and they remain unassigned. Initialize them as invalid to so dsa_8021q_rcv() can return with the proper values. Fixes: dcfe7673787b ("net: dsa: tag_sja1105: absorb logic for not overwriting precise info into dsa_8021q_rcv()") Signed-off-by: Robert Hodaszi <robert.hodaszi(a)digi.com> --- Cc: stable(a)vger.kernel.org --- net/dsa/tag_ocelot_8021q.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/dsa/tag_ocelot_8021q.c b/net/dsa/tag_ocelot_8021q.c index 8e8b1bef6af6..11ea8cfd6266 100644 --- a/net/dsa/tag_ocelot_8021q.c +++ b/net/dsa/tag_ocelot_8021q.c @@ -79,7 +79,7 @@ static struct sk_buff *ocelot_xmit(struct sk_buff *skb, static struct sk_buff *ocelot_rcv(struct sk_buff *skb, struct net_device *netdev) { - int src_port, switch_id; + int src_port = -1, switch_id = -1; dsa_8021q_rcv(skb, &src_port, &switch_id, NULL, NULL); -- 2.43.0

6 months, 2 weeks

1
1
0 0

Access Verified List Of I/ITSEC 2024

by Jennifer Martin

Hi, As you have been an exhibitor at I/ITSEC: The Interservice/Industry Training, Simulation & Education Conference 2024. We have received an updated post attendees list of people including last-minute registers and walk-ins to the show. Show details: Date: 02 - 05 Dec 2024 Place: Orlando, USA. Updated counts: 18,278+ visitors Please let me know if you’d be interested in acquiring the visitors list so that I’ll share pricing and additional details for the same. Kind Regards, Jennifer Martin Sr. Marketing Manager If you do not wish to receive this newsletter reply “Not interested”

6 months, 2 weeks

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror December 2024