- Linux-stable-mirror - lists.linaro.org

Re: Patch "media: ov02c10: Fix default vertical flip" has been added to the 6.18-stable tree

by Hans de Goede

Hi Sasha, On 13-Dec-25 10:35, Sasha Levin wrote: > This is a note to let you know that I've just added the patch titled > > media: ov02c10: Fix default vertical flip This fix is incomplete, leading to wrong colors and it causes the image to be upside down on some Dell XPS models where it currently is the right way up. There is a series of fixes which applies on top of this to fix both issues: https://lore.kernel.org/linux-media/20251210112436.167212-1-johannes.goede@… For now (without the fixes on top) we are better of not adding this patch to the stable series. Can you drop this patch please? Same for 6.17 and other stable series. Regards, Hans > > to the 6.18-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > media-ov02c10-fix-default-vertical-flip.patch > and it can be found in the queue-6.18 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. > > > > commit 14cc4474799a595caeccdb8fdf2ca4b867cef972 > Author: Sebastian Reichel <sre(a)kernel.org> > Date: Wed Aug 20 02:13:19 2025 +0200 > > media: ov02c10: Fix default vertical flip > > [ Upstream commit d5ebe3f7d13d4cee3ff7e718de23564915aaf163 ] > > The driver right now defaults to setting the vertical flip bit. This > conflicts with proper handling of the rotation property defined in > ACPI or device tree, so drop the VFLIP bit. It should be handled via > V4L2_CID_VFLIP instead. > > Reported-by: Frederic Stuyk <fstuyk(a)runbox.com> > Closes: https://lore.kernel.org/all/b6df9ae7-ea9f-4e5a-8065-5b130f534f37@runbox.com/ > Fixes: 44f89010dae0 ("media: i2c: Add Omnivision OV02C10 sensor driver") > Signed-off-by: Sebastian Reichel <sre(a)kernel.org> > Reviewed-by: Bryan O'Donoghue <bod(a)kernel.org> > Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> > Signed-off-by: Hans Verkuil <hverkuil+cisco(a)kernel.org> > Signed-off-by: Sasha Levin <sashal(a)kernel.org> > > diff --git a/drivers/media/i2c/ov02c10.c b/drivers/media/i2c/ov02c10.c > index 8c4d85dc7922e..8e22ff446b0c4 100644 > --- a/drivers/media/i2c/ov02c10.c > +++ b/drivers/media/i2c/ov02c10.c > @@ -174,7 +174,7 @@ static const struct reg_sequence sensor_1928x1092_30fps_setting[] = { > {0x3816, 0x01}, > {0x3817, 0x01}, > > - {0x3820, 0xb0}, > + {0x3820, 0xa0}, > {0x3821, 0x00}, > {0x3822, 0x80}, > {0x3823, 0x08},

3 hours, 31 minutes

1
0
0 0

Re: Patch "RAS: Report all ARM processor CPER information to userspace" has been added to the 6.18-stable tree

by Mauro Carvalho Chehab

Hi Sacha, Em Sat, 13 Dec 2025 04:49:42 -0500 Sasha Levin <sashal(a)kernel.org> escreveu: > This is a note to let you know that I've just added the patch titled > > RAS: Report all ARM processor CPER information to userspace > > to the 6.18-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… > > The filename of the patch is: > ras-report-all-arm-processor-cper-information-to-use.patch > and it can be found in the queue-6.18 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <stable(a)vger.kernel.org> know about it. You should also backport this patch(*): 96b010536ee0 efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs It fixes a bug at the UEFI parser for the ARM Processor Error record: basically, the specs were not clear about how the error type should be reported. The Kernel implementation were assuming that this was an enum, but UEFI errata 2.9A make it clear that the value is a bitmap. So, basically, all kernels up to 6.18 are not parsing the field the expected way: only "Cache error" was properly reported. The other 3 types were wrong. (*) You could need to backport those patches as well: a976d790f494 efi/cper: Add a new helper function to print bitmasks 8ad2c72e21ef efi/cper: Adjust infopfx size to accept an extra space Regards, Mauro Thanks, Mauro

5 hours, 9 minutes

1
0
0 0

[PATCH net v2] erspan: Initialize options_len before referencing options.

by Frode Nordahl

The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute. The compiler will use this information to enforce runtime bounds checking deployed by FORTIFY_SOURCE string helpers. As laid out in the GCC documentation, the counter must be initialized before the first reference to the flexible array member. After scanning through the files that use struct ip_tunnel_info and also refer to options or options_len, it appears the normal case is to use the ip_tunnel_info_opts_set() helper. Said helper would initialize options_len properly before copying data into options, however in the GRE ERSPAN code a partial update is done, preventing the use of the helper function. Before this change the handling of ERSPAN traffic in GRE tunnels would cause a kernel panic when the kernel is compiled with GCC 15+ and having FORTIFY_SOURCE configured: memcpy: detected buffer overflow: 4 byte write of buffer size 0 Call Trace: <IRQ> __fortify_panic+0xd/0xf erspan_rcv.cold+0x68/0x83 ? ip_route_input_slow+0x816/0x9d0 gre_rcv+0x1b2/0x1c0 gre_rcv+0x8e/0x100 ? raw_v4_input+0x2a0/0x2b0 ip_protocol_deliver_rcu+0x1ea/0x210 ip_local_deliver_finish+0x86/0x110 ip_local_deliver+0x65/0x110 ? ip_rcv_finish_core+0xd6/0x360 ip_rcv+0x186/0x1a0 Cc: stable(a)vger.kernel.org Link: https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-co… Reported-at: https://launchpad.net/bugs/2129580 Fixes: bb5e62f2d547 ("net: Add options as a flexible array to struct ip_tunnel_info") Signed-off-by: Frode Nordahl <fnordahl(a)ubuntu.com> --- v2: - target correct netdev tree and properly cc stable in commit message. - replace repeated long in-line comments and link with a single line. - document search for any similar offenses in the code base in commit message. v1: https://lore.kernel.org/all/20251212073202.13153-1-fnordahl@ubuntu.com/ net/ipv4/ip_gre.c | 6 ++++-- net/ipv6/ip6_gre.c | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index 761a53c6a89a..8178c44a3cdd 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -330,6 +330,10 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, if (!tun_dst) return PACKET_REJECT; + /* MUST set options_len before referencing options */ + info = &tun_dst->u.tun_info; + info->options_len = sizeof(*md); + /* skb can be uncloned in __iptunnel_pull_header, so * old pkt_md is no longer valid and we need to reset * it @@ -344,10 +348,8 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi, memcpy(md2, pkt_md, ver == 1 ? ERSPAN_V1_MDSIZE : ERSPAN_V2_MDSIZE); - info = &tun_dst->u.tun_info; __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, info->key.tun_flags); - info->options_len = sizeof(*md); } skb_reset_mac_header(skb); diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index c82a75510c0e..4603554d4c7f 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -535,6 +535,10 @@ static int ip6erspan_rcv(struct sk_buff *skb, if (!tun_dst) return PACKET_REJECT; + /* MUST set options_len before referencing options */ + info = &tun_dst->u.tun_info; + info->options_len = sizeof(*md); + /* skb can be uncloned in __iptunnel_pull_header, so * old pkt_md is no longer valid and we need to reset * it @@ -543,7 +547,6 @@ static int ip6erspan_rcv(struct sk_buff *skb, skb_network_header_len(skb); pkt_md = (struct erspan_metadata *)(gh + gre_hdr_len + sizeof(*ershdr)); - info = &tun_dst->u.tun_info; md = ip_tunnel_info_opts(info); md->version = ver; md2 = &md->u.md2; @@ -551,7 +554,6 @@ static int ip6erspan_rcv(struct sk_buff *skb, ERSPAN_V2_MDSIZE); __set_bit(IP_TUNNEL_ERSPAN_OPT_BIT, info->key.tun_flags); - info->options_len = sizeof(*md); ip6_tnl_rcv(tunnel, skb, tpi, tun_dst, log_ecn_error); -- 2.51.0

5 hours, 9 minutes

1
0
0 0

[PATCH 6.12] LoongArch: Add machine_kexec_mask_interrupts() implementation

by Huacai Chen

Commit 863a320dc6fd7c855f47da4b ("LoongArch: Mask all interrupts during kexec/kdump") is backported to LTS branches, but they lack a generic machine_kexec_mask_interrupts() implementation, so add an arch-specific one. Signed-off-by: Tianyang Zhang <zhangtianyang(a)loongson.cn> Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- 6.6LTS also need it if commit 863a320dc6fd7c855f47da4b is backported. arch/loongarch/kernel/machine_kexec.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/arch/loongarch/kernel/machine_kexec.c b/arch/loongarch/kernel/machine_kexec.c index 8ef4e4595d61..19bd763263d3 100644 --- a/arch/loongarch/kernel/machine_kexec.c +++ b/arch/loongarch/kernel/machine_kexec.c @@ -136,6 +136,28 @@ void kexec_reboot(void) BUG(); } +static void machine_kexec_mask_interrupts(void) +{ + unsigned int i; + struct irq_desc *desc; + + for_each_irq_desc(i, desc) { + struct irq_chip *chip; + + chip = irq_desc_get_chip(desc); + if (!chip) + continue; + + if (chip->irq_eoi && irqd_irq_inprogress(&desc->irq_data)) + chip->irq_eoi(&desc->irq_data); + + if (chip->irq_mask) + chip->irq_mask(&desc->irq_data); + + if (chip->irq_disable && !irqd_irq_disabled(&desc->irq_data)) + chip->irq_disable(&desc->irq_data); + } +} #ifdef CONFIG_SMP static void kexec_shutdown_secondary(void *regs) -- 2.47.3

5 hours, 31 minutes

2
1
0 0

[PATCH v2] ocfs2: fix kernel BUG in ocfs2_write_block

by Prithvi Tambewagh

When the filesystem is being mounted, the kernel panics while the data regarding slot map allocation to the local node, is being written to the disk. This occurs because the value of slot map buffer head block number, which should have been greater than or equal to `OCFS2_SUPER_BLOCK_BLKNO` (evaluating to 2) is less than it, indicative of disk metadata corruption. This triggers BUG_ON(bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) in ocfs2_write_block(), causing the kernel to panic. This is fixed by introducing an if condition block in ocfs2_update_disk_slot(), right before calling ocfs2_write_block(), which checks if `bh->b_blocknr` is lesser than `OCFS2_SUPER_BLOCK_BLKNO`; if yes, then ocfs2_error is called, which prints the error log, for debugging purposes, and the return value of ocfs2_error() is returned back to caller of ocfs2_update_disk_slot() i.e. ocfs2_find_slot(). If the return value is zero. then error code EIO is returned. Reported-by: syzbot+c818e5c4559444f88aa0(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c818e5c4559444f88aa0 Tested-by: syzbot+c818e5c4559444f88aa0(a)syzkaller.appspotmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Prithvi Tambewagh <activprithvi(a)gmail.com> --- v1->v2: - Remove usage of le16_to_cpu() from ocfs2_error() - Cast bh->b_blocknr to unsigned long long - Remove type casting for OCFS2_SUPER_BLOCK_BLKNO - Fix Sparse warnings reported in v1 by kernel test robot - Update title from 'ocfs2: Fix kernel BUG in ocfs2_write_block' to 'ocfs2: fix kernel BUG in ocfs2_write_block' v1 link: https://lore.kernel.org/all/20251206154819.175479-1-activprithvi@gmail.com/… fs/ocfs2/slot_map.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/ocfs2/slot_map.c b/fs/ocfs2/slot_map.c index e544c704b583..e916a2e8f92d 100644 --- a/fs/ocfs2/slot_map.c +++ b/fs/ocfs2/slot_map.c @@ -193,6 +193,16 @@ static int ocfs2_update_disk_slot(struct ocfs2_super *osb, else ocfs2_update_disk_slot_old(si, slot_num, &bh); spin_unlock(&osb->osb_lock); + if (bh->b_blocknr < OCFS2_SUPER_BLOCK_BLKNO) { + status = ocfs2_error(osb->sb, + "Invalid Slot Map Buffer Head " + "Block Number : %llu, Should be >= %d", + (unsigned long long)bh->b_blocknr, + OCFS2_SUPER_BLOCK_BLKNO); + if (!status) + return -EIO; + return status; + } status = ocfs2_write_block(osb, bh, INODE_CACHE(si->si_inode)); if (status < 0) base-commit: 24172e0d79900908cf5ebf366600616d29c9b417 -- 2.43.0

6 hours, 27 minutes

3
2
0 0

[PATCH] scsi: be2iscsi: fix a memory leak in beiscsi_boot_get_sinfo()

by Haoxiang Li

If nonemb_cmd->va fails to be allocated, call free_mcc_wrb() to restore the impact caused by alloc_mcc_wrb(). Fixes: 50a4b824be9e ("scsi: be2iscsi: Fix to make boot discovery non-blocking") Cc: stable(a)vger.kernel.org Signed-off-by: Haoxiang Li <lihaoxiang(a)isrc.iscas.ac.cn> --- drivers/scsi/be2iscsi/be_mgmt.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/scsi/be2iscsi/be_mgmt.c b/drivers/scsi/be2iscsi/be_mgmt.c index 4e899ec1477d..b1cba986f0fb 100644 --- a/drivers/scsi/be2iscsi/be_mgmt.c +++ b/drivers/scsi/be2iscsi/be_mgmt.c @@ -1025,6 +1025,7 @@ unsigned int beiscsi_boot_get_sinfo(struct beiscsi_hba *phba) &nonemb_cmd->dma, GFP_KERNEL); if (!nonemb_cmd->va) { + free_mcc_wrb(ctrl, tag); mutex_unlock(&ctrl->mbox_lock); return 0; } -- 2.25.1

6 hours, 46 minutes

1
0
0 0

[PATCH] drm/amd/display: Apply e4479aecf658 to dml

by Nathan Chancellor

After an innocuous optimization change in clang-22, allmodconfig (which enables CONFIG_KASAN and CONFIG_WERROR) breaks with: drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (3144) exceeds limit (3072) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than] 1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib) | ^ With clang-21, this function was already pretty close to the existing limit of 3072 bytes. drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (2904) exceeds limit (2048) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than] 1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib) | ^ A similar situation occurred in dml2, which was resolved by commit e4479aecf658 ("drm/amd/display: Increase sanitizer frame larger than limit when compile testing with clang") by increasing the limit for clang when compile testing with certain sanitizer enabled, so that allmodconfig (an easy testing target) continues to work. Apply that same change to the dml folder to clear up the warning for allmodconfig, unbreaking the build. Cc: stable(a)vger.kernel.org Closes: https://github.com/ClangBuiltLinux/linux/issues/2135 Signed-off-by: Nathan Chancellor <nathan(a)kernel.org> --- drivers/gpu/drm/amd/display/dc/dml/Makefile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/display/dc/dml/Makefile b/drivers/gpu/drm/amd/display/dc/dml/Makefile index b357683b4255..268b5fbdb48b 100644 --- a/drivers/gpu/drm/amd/display/dc/dml/Makefile +++ b/drivers/gpu/drm/amd/display/dc/dml/Makefile @@ -30,7 +30,11 @@ dml_rcflags := $(CC_FLAGS_NO_FPU) ifneq ($(CONFIG_FRAME_WARN),0) ifeq ($(filter y,$(CONFIG_KASAN)$(CONFIG_KCSAN)),y) - frame_warn_limit := 3072 + ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_COMPILE_TEST),yy) + frame_warn_limit := 4096 + else + frame_warn_limit := 3072 + endif else frame_warn_limit := 2048 endif --- base-commit: f24e96d69f5b9eb0f3b9c49e53c385c50729edfd change-id: 20251213-dml-bump-frame-warn-clang-sanitizers-0a34fc916aec Best regards, -- Nathan Chancellor <nathan(a)kernel.org>

9 hours, 6 minutes

1
0
0 0

[PATCH] input: synaptics_i2c - cancel delayed work before freeing device

by Minseong Kim

synaptics_i2c_irq() schedules touch->dwork via mod_delayed_work(). The delayed work performs I2C transactions and may still be running (or get queued) when the device is removed. synaptics_i2c_remove() currently frees 'touch' without canceling touch->dwork. If removal happens while the work is pending/running, the work handler may dereference freed memory, leading to a potential use-after-free. Cancel the delayed work synchronously before unregistering/freeing the device. Fixes: eef3e4cab72e Input: add driver for Synaptics I2C touchpad Reported-by: Minseong Kim <ii4gsp(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Minseong Kim <ii4gsp(a)gmail.com> --- drivers/input/mouse/synaptics_i2c.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/input/mouse/synaptics_i2c.c b/drivers/input/mouse/synaptics_i2c.c index a0d707e47d93..fe30bf9aea3a 100644 --- a/drivers/input/mouse/synaptics_i2c.c +++ b/drivers/input/mouse/synaptics_i2c.c @@ -593,6 +593,8 @@ static void synaptics_i2c_remove(struct i2c_client *client) if (!polling_req) free_irq(client->irq, touch); + cancel_delayed_work_sync(&touch->dwork); + input_unregister_device(touch->input); kfree(touch); } -- 2.39.5

10 hours, 44 minutes

3
4
0 0

[PATCH 1/2] scsi: sd: fix write_same(16/10) to enable sector size > PAGE_SIZE

by sw.prabhu6＠gmail.com

From: Swarna Prabhu <sw.prabhu6(a)gmail.com> The WRITE SAME(16) and WRITE SAME(10) scsi commands uses a page from a dedicated mempool('sd_page_pool') for its payload. This pool was initialized to allocate single pages, which was sufficient as long as the device sector size did not exceed the PAGE_SIZE. Given that block layer now supports block size upto 64K ie beyond PAGE_SIZE, adapt sd_set_special_bvec() to accommodate that. With the above fix, enable sector sizes > PAGE_SIZE in scsi sd driver. Cc: stable(a)vger.kernel.org Signed-off-by: Swarna Prabhu <s.prabhu(a)samsung.com> Co-developed-by: Pankaj Raghav <p.raghav(a)samsung.com> Signed-off-by: Pankaj Raghav <p.raghav(a)samsung.com> --- Note: We are allocating pages of order aligned to BLK_MAX_BLOCK_SIZE for the mempool page allocator 'sd_page_pool' all the time. This is because we only know that a bigger sector size device is attached at sd_probe and it might be too late to reallocate mempool with order >0. drivers/scsi/sd.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index 0252d3f6bed1..17b5c1589eb2 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -892,14 +892,24 @@ static void sd_config_discard(struct scsi_disk *sdkp, struct queue_limits *lim, (logical_block_size >> SECTOR_SHIFT); } -static void *sd_set_special_bvec(struct request *rq, unsigned int data_len) +static void *sd_set_special_bvec(struct scsi_cmnd *cmd, unsigned int data_len) { struct page *page; + struct request *rq = scsi_cmd_to_rq(cmd); + struct scsi_device *sdp = cmd->device; + unsigned sector_size = sdp->sector_size; + unsigned int nr_pages = DIV_ROUND_UP(sector_size, PAGE_SIZE); + int n = 0; page = mempool_alloc(sd_page_pool, GFP_ATOMIC); if (!page) return NULL; - clear_highpage(page); + + do { + clear_highpage(page + n); + n++; + } while (n < nr_pages); + bvec_set_page(&rq->special_vec, page, data_len, 0); rq->rq_flags |= RQF_SPECIAL_PAYLOAD; return bvec_virt(&rq->special_vec); @@ -915,7 +925,7 @@ static blk_status_t sd_setup_unmap_cmnd(struct scsi_cmnd *cmd) unsigned int data_len = 24; char *buf; - buf = sd_set_special_bvec(rq, data_len); + buf = sd_set_special_bvec(cmd, data_len); if (!buf) return BLK_STS_RESOURCE; @@ -1004,7 +1014,7 @@ static blk_status_t sd_setup_write_same16_cmnd(struct scsi_cmnd *cmd, u32 nr_blocks = sectors_to_logical(sdp, blk_rq_sectors(rq)); u32 data_len = sdp->sector_size; - if (!sd_set_special_bvec(rq, data_len)) + if (!sd_set_special_bvec(cmd, data_len)) return BLK_STS_RESOURCE; cmd->cmd_len = 16; @@ -1031,7 +1041,7 @@ static blk_status_t sd_setup_write_same10_cmnd(struct scsi_cmnd *cmd, u32 nr_blocks = sectors_to_logical(sdp, blk_rq_sectors(rq)); u32 data_len = sdp->sector_size; - if (!sd_set_special_bvec(rq, data_len)) + if (!sd_set_special_bvec(cmd, data_len)) return BLK_STS_RESOURCE; cmd->cmd_len = 10; @@ -2880,10 +2890,7 @@ sd_read_capacity(struct scsi_disk *sdkp, struct queue_limits *lim, "assuming 512.\n"); } - if (sector_size != 512 && - sector_size != 1024 && - sector_size != 2048 && - sector_size != 4096) { + if (blk_validate_block_size(sector_size)) { sd_printk(KERN_NOTICE, sdkp, "Unsupported sector size %d.\n", sector_size); /* @@ -4368,7 +4375,7 @@ static int __init init_sd(void) if (err) goto err_out; - sd_page_pool = mempool_create_page_pool(SD_MEMPOOL_SIZE, 0); + sd_page_pool = mempool_create_page_pool(SD_MEMPOOL_SIZE, get_order(BLK_MAX_BLOCK_SIZE)); if (!sd_page_pool) { printk(KERN_ERR "sd: can't init discard page pool\n"); err = -ENOMEM; -- 2.51.0

11 hours, 58 minutes

3
3
0 0

[PATCH] virtiofs: fix NULL dereference in virtio_fs_add_queues_sysfs()

by Qianchang Zhao

virtio_fs_add_queues_sysfs() creates per-queue sysfs kobjects via kobject_create_and_add(). The current code checks the wrong variable after the allocation: - kobject_create_and_add() may return NULL on failure. - The code incorrectly checks fs->mqs_kobj (the parent kobject), which is expected to be non-NULL at this point. - If kobject_create_and_add() fails, fsvq->kobj is NULL but the code can still call sysfs_create_group(fsvq->kobj, ...), leading to a NULL pointer dereference and kernel panic (DoS). Fix by validating fsvq->kobj immediately after kobject_create_and_add() and aborting on failure, so sysfs_create_group() is never called with a NULL kobject. Reported-by: Qianchang Zhao <pioooooooooip(a)gmail.com> Reported-by: Zhitong Liu <liuzhitong1993(a)gmail.com> Cc: stable(a)vger.kernel.org Signed-off-by: Qianchang Zhao <pioooooooooip(a)gmail.com> --- fs/fuse/virtio_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c index 6bc7c97b0..b2f6486fe 100644 --- a/fs/fuse/virtio_fs.c +++ b/fs/fuse/virtio_fs.c @@ -373,7 +373,7 @@ static int virtio_fs_add_queues_sysfs(struct virtio_fs *fs) sprintf(buff, "%d", i); fsvq->kobj = kobject_create_and_add(buff, fs->mqs_kobj); - if (!fs->mqs_kobj) { + if (!fsvq->kobj) { ret = -ENOMEM; goto out_del; } -- 2.34.1

13 hours, 54 minutes

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror