- Linux-stable-mirror - lists.linaro.org

[PATCH v2] net: fealnx: fix possible 'card_idx' integer overflow in

by Ilya Krutskih

'card_idx' can be overflowed when fealnx_init_one() will be called more than INT_MAX times. Check before incremention is required. Fixes: 15c037d6423e ("fealnx: Move the Myson driver") Cc: stable(a)vger.kernel.org # v5.10+ Signed-off-by: Ilya Krutskih <devsec(a)tpz.ru> --- drivers/net/ethernet/fealnx.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/fealnx.c b/drivers/net/ethernet/fealnx.c index 6ac8547ef9b8..7eb6e42b4551 100644 --- a/drivers/net/ethernet/fealnx.c +++ b/drivers/net/ethernet/fealnx.c @@ -489,7 +489,10 @@ static int fealnx_init_one(struct pci_dev *pdev, int bar = 1; #endif - card_idx++; + if (card_idx == INT_MAX) + return -EINVAL; + else + card_idx++; sprintf(boardname, "fealnx%d", card_idx); option = card_idx < MAX_UNITS ? options[card_idx] : 0; -- 2.43.0

1 week, 6 days

5
5
0 0

Linux 6.18.1

by Greg Kroah-Hartman

I'm announcing the release of the 6.18.1 kernel. All users of the 6.18 kernel series must upgrade. The updated 6.18.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.18.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/renesas,rsci.yaml | 2 Documentation/process/2.Process.rst | 6 Documentation/tools/rtla/common_appendix.rst | 24 -- Documentation/tools/rtla/common_appendix.txt | 24 ++ Documentation/tools/rtla/common_hist_options.rst | 23 -- Documentation/tools/rtla/common_hist_options.txt | 23 ++ Documentation/tools/rtla/common_options.rst | 119 ------------- Documentation/tools/rtla/common_options.txt | 119 +++++++++++++ Documentation/tools/rtla/common_osnoise_description.rst | 8 Documentation/tools/rtla/common_osnoise_description.txt | 8 Documentation/tools/rtla/common_osnoise_options.rst | 39 ---- Documentation/tools/rtla/common_osnoise_options.txt | 39 ++++ Documentation/tools/rtla/common_timerlat_aa.rst | 7 Documentation/tools/rtla/common_timerlat_aa.txt | 7 Documentation/tools/rtla/common_timerlat_description.rst | 18 - Documentation/tools/rtla/common_timerlat_description.txt | 18 + Documentation/tools/rtla/common_timerlat_options.rst | 67 ------- Documentation/tools/rtla/common_timerlat_options.txt | 67 +++++++ Documentation/tools/rtla/common_top_options.rst | 3 Documentation/tools/rtla/common_top_options.txt | 3 Documentation/tools/rtla/rtla-hwnoise.rst | 8 Documentation/tools/rtla/rtla-osnoise-hist.rst | 10 - Documentation/tools/rtla/rtla-osnoise-top.rst | 10 - Documentation/tools/rtla/rtla-osnoise.rst | 4 Documentation/tools/rtla/rtla-timerlat-hist.rst | 12 - Documentation/tools/rtla/rtla-timerlat-top.rst | 12 - Documentation/tools/rtla/rtla-timerlat.rst | 4 Documentation/tools/rtla/rtla.rst | 2 Makefile | 2 arch/x86/include/asm/kvm_host.h | 9 arch/x86/kvm/svm/svm.c | 24 +- arch/x86/kvm/x86.c | 21 ++ crypto/zstd.c | 7 drivers/android/binder/node.rs | 6 drivers/comedi/comedi_fops.c | 42 +++- drivers/comedi/drivers/c6xdigio.c | 46 +++-- drivers/comedi/drivers/multiq3.c | 9 drivers/comedi/drivers/pcl818.c | 5 drivers/iio/adc/ad4080.c | 9 drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 - drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 13 - drivers/tty/serial/8250/8250_pci.c | 37 ++++ drivers/tty/serial/sh-sci.c | 12 + drivers/usb/serial/belkin_sa.c | 28 +-- drivers/usb/serial/ftdi_sio.c | 72 ++----- drivers/usb/serial/kobil_sct.c | 18 - drivers/usb/serial/option.c | 22 ++ fs/ext4/inline.c | 14 + fs/jbd2/transaction.c | 19 +- fs/smb/server/transport_ipc.c | 7 kernel/locking/spinlock_debug.c | 4 53 files changed, 650 insertions(+), 481 deletions(-) Alexander Sverdlin (1): locking/spinlock/debug: Fix data-race in do_raw_write_lock Alexey Nepomnyashih (1): ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Alice Ryhl (1): rust_binder: fix race condition on death_list Antoniu Miclaus (1): iio: adc: ad4080: fix chip identification Bagas Sanjaya (1): Documentation: process: Also mention Sasha Levin as stable tree maintainer Biju Das (2): dt-bindings: serial: rsci: Drop "uart-has-rtscts: false" serial: sh-sci: Fix deadlock during RSCI FIFO overrun error Deepanshu Kartikey (1): ext4: refresh inline data size before write operations Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FE910C04 new compositions USB: serial: option: move Telit 0x10c7 composition in the right place Giovanni Cabiddu (1): crypto: zstd - fix double-free in per-CPU stream cleanup Gopi Krishna Menon (1): Documentation/rtla: rename common_xxx.rst files to common_xxx.txt Greg Kroah-Hartman (1): Linux 6.18.1 Ian Abbott (1): comedi: c6xdigio: Fix invalid PNP driver unregistration Johan Hovold (3): USB: serial: ftdi_sio: match on interface number for jtag USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC Magne Bruno (1): serial: add support of CPCI cards Navaneeth K (3): staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing Nikita Zhandarovich (3): comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() comedi: multiq3: sanitize config options in multiq3_attach() comedi: check device's attached status in compat ioctls Omar Sandoval (1): KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced Qianchang Zhao (1): ksmbd: ipc: fix use-after-free in ipc_msg_send_request Slark Xiao (1): USB: serial: option: add Foxconn T99W760 Ye Bin (1): jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Zenm Chen (2): wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1

2 weeks

1
1
0 0

Linux 6.17.12

by Greg Kroah-Hartman

I'm announcing the release of the 6.17.12 kernel. All users of the 6.17 kernel series must upgrade. The updated 6.17.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.17.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/serial/renesas,rsci.yaml | 2 Documentation/process/2.Process.rst | 6 Makefile | 2 arch/arm64/include/asm/alternative.h | 7 arch/arm64/kernel/alternative.c | 19 +- arch/arm64/kernel/module.c | 9 - arch/loongarch/kernel/machine_kexec.c | 2 arch/x86/include/asm/kvm_host.h | 9 + arch/x86/kvm/svm/svm.c | 24 +-- arch/x86/kvm/x86.c | 21 ++ crypto/zstd.c | 7 drivers/acpi/acpi_mrrm.c | 43 ++++- drivers/bluetooth/btrtl.c | 24 +-- drivers/comedi/comedi_fops.c | 42 +++++ drivers/comedi/drivers/c6xdigio.c | 46 ++++-- drivers/comedi/drivers/multiq3.c | 9 + drivers/comedi/drivers/pcl818.c | 5 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 12 - drivers/hid/hid-apple.c | 1 drivers/hid/hid-elecom.c | 6 drivers/hid/hid-ids.h | 4 drivers/hid/hid-input.c | 5 drivers/hid/hid-lenovo.c | 17 ++ drivers/hid/hid-quirks.c | 3 drivers/iio/adc/ad4080.c | 9 - drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 drivers/nvme/host/core.c | 3 drivers/pinctrl/qcom/pinctrl-msm.c | 2 drivers/platform/x86/acer-wmi.c | 4 drivers/platform/x86/amd/pmc/pmc-quirks.c | 25 +++ drivers/platform/x86/amd/pmc/pmc.c | 3 drivers/platform/x86/amd/pmc/pmc.h | 1 drivers/platform/x86/hp/hp-wmi.c | 6 drivers/platform/x86/huawei-wmi.c | 4 drivers/platform/x86/intel/hid.c | 1 drivers/platform/x86/intel/uncore-frequency/uncore-frequency.c | 4 drivers/spi/spi-imx.c | 15 +- drivers/spi/spi-xilinx.c | 2 drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 + drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 13 + drivers/tty/serial/8250/8250_pci.c | 37 +++++ drivers/tty/serial/sh-sci.c | 12 + drivers/usb/serial/belkin_sa.c | 28 ++- drivers/usb/serial/ftdi_sio.c | 72 +++------- drivers/usb/serial/kobil_sct.c | 18 +- drivers/usb/serial/option.c | 22 ++- fs/bfs/inode.c | 19 ++ fs/ext4/inline.c | 14 + fs/jbd2/transaction.c | 19 +- fs/smb/client/fs_context.c | 2 fs/smb/server/transport_ipc.c | 7 kernel/locking/spinlock_debug.c | 4 kernel/sched/ext.c | 4 kernel/trace/ftrace.c | 40 ++++- samples/vfs/test-statx.c | 6 samples/watch_queue/watch_test.c | 6 sound/hda/codecs/realtek/alc269.c | 9 + sound/soc/sdca/sdca_functions.c | 3 sound/usb/quirks.c | 6 61 files changed, 559 insertions(+), 207 deletions(-) Adrian Barnaś (1): arm64: Reject modules with internal alternative callbacks Alexander Sverdlin (1): locking/spinlock/debug: Fix data-race in do_raw_write_lock Alexey Nepomnyashih (1): ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Alvaro Gamez Machado (1): spi: xilinx: increase number of retries before declaring stall Antheas Kapenekakis (3): platform/x86/amd/pmc: Add support for Van Gogh SoC platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally Antoniu Miclaus (1): iio: adc: ad4080: fix chip identification April Grimoire (1): HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list Armin Wolf (1): platform/x86: acer-wmi: Ignore backlight event Bagas Sanjaya (1): Documentation: process: Also mention Sasha Levin as stable tree maintainer Baojun Xu (1): ALSA: hda/tas2781: Add new quirk for HP new projects Biju Das (2): dt-bindings: serial: rsci: Drop "uart-has-rtscts: false" serial: sh-sci: Fix deadlock during RSCI FIFO overrun error Deepanshu Kartikey (1): ext4: refresh inline data size before write operations Edip Hazuri (1): platform/x86: hp-wmi: mark Victus 16-r0 and 16-s0 for victus_s fan and thermal profile support Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FE910C04 new compositions USB: serial: option: move Telit 0x10c7 composition in the right place Giovanni Cabiddu (1): crypto: zstd - fix double-free in per-CPU stream cleanup Greg Kroah-Hartman (1): Linux 6.17.12 Harish Kasiviswanathan (1): drm/amdkfd: Fix GPU mappings for APU after prefetch Huacai Chen (1): LoongArch: Mask all interrupts during kexec/kdump Ian Abbott (1): comedi: c6xdigio: Fix invalid PNP driver unregistration Ian Forbes (1): drm/vmwgfx: Use kref in vmw_bo_dirty Jia Ston (1): platform/x86: huawei-wmi: add keys for HONOR models Johan Hovold (3): USB: serial: ftdi_sio: match on interface number for jtag USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC Kaushlendra Kumar (1): ACPI: MRRM: Fix memory leaks and improve error handling Keith Busch (1): nvme: fix admin request_queue lifetime Krishna Chomal (1): platform/x86: hp-wmi: Add Omen 16-wf1xxx fan support Kuppuswamy Sathyanarayanan (1): platform/x86: intel-uncore-freq: Add additional client processors Lauri Tirkkonen (1): HID: lenovo: fixup Lenovo Yoga Slim 7x Keyboard rdesc Linus Torvalds (1): samples: work around glibc redefining some of our defines wrong Lushih Hsieh (1): ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series Magne Bruno (1): serial: add support of CPCI cards Marcos Vega (1): platform/x86: hp-wmi: Add Omen MAX 16-ah0xx fan support and thermal profile Mario Limonciello (AMD) (1): HID: hid-input: Extend Elan ignore battery quirk to USB Max Chou (1): Bluetooth: btrtl: Avoid loading the config file on security chips Naoki Ueki (1): HID: elecom: Add support for ELECOM M-XT3URBK (018F) Navaneeth K (3): staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing Nikita Zhandarovich (3): comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() comedi: multiq3: sanitize config options in multiq3_attach() comedi: check device's attached status in compat ioctls Niranjan H Y (1): ASoC: SDCA: bug fix while parsing mipi-sdca-control-cn-list Omar Sandoval (1): KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced Praveen Talari (1): pinctrl: qcom: msm: Fix deadlock in pinmux configuration Qianchang Zhao (1): ksmbd: ipc: fix use-after-free in ipc_msg_send_request Robin Gong (1): spi: imx: keep dma request disabled before dma transfer setup Slark Xiao (1): USB: serial: option: add Foxconn T99W760 Song Liu (1): ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() Srinivas Pandruvada (1): platform/x86/intel/hid: Add Nova Lake support Tetsuo Handa (1): bfs: Reconstruct file type when loading from disk Ye Bin (1): jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Yiqi Sun (1): smb: fix invalid username check in smb3_fs_context_parse_param() Zenm Chen (2): wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1 Zqiang (2): sched_ext: Fix possible deadlock in the deferred_irq_workfn() sched_ext: Use IRQ_WORK_INIT_HARD() to initialize rq->scx.kick_cpus_irq_work

2 weeks

1
1
0 0

Linux 6.12.62

by Greg Kroah-Hartman

I'm announcing the release of the 6.12.62 kernel. All users of the 6.12 kernel series must upgrade. The updated 6.12.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.12.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/process/2.Process.rst | 6 +- Makefile | 2 arch/loongarch/kernel/machine_kexec.c | 2 arch/x86/include/asm/kvm_host.h | 9 +++ arch/x86/kvm/svm/svm.c | 24 ++++---- arch/x86/kvm/x86.c | 21 +++++++ drivers/bluetooth/btrtl.c | 24 ++++---- drivers/bus/mhi/host/pci_generic.c | 52 ++++++++++++++++++ drivers/comedi/comedi_fops.c | 42 ++++++++++++-- drivers/comedi/drivers/c6xdigio.c | 46 ++++++++++++--- drivers/comedi/drivers/multiq3.c | 9 +++ drivers/comedi/drivers/pcl818.c | 5 - drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 2 drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 12 +--- drivers/hid/hid-apple.c | 1 drivers/hid/hid-elecom.c | 6 +- drivers/hid/hid-ids.h | 3 - drivers/hid/hid-input.c | 5 + drivers/hid/hid-quirks.c | 3 - drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 + drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 drivers/nvme/host/core.c | 3 - drivers/pinctrl/qcom/pinctrl-msm.c | 2 drivers/platform/x86/acer-wmi.c | 4 + drivers/platform/x86/amd/pmc/pmc-quirks.c | 25 ++++++++ drivers/platform/x86/huawei-wmi.c | 4 + drivers/spi/spi-imx.c | 15 +++-- drivers/spi/spi-xilinx.c | 2 drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 ++-- drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 13 +++- drivers/tty/serial/8250/8250_pci.c | 37 ++++++++++++ drivers/usb/serial/belkin_sa.c | 28 +++++---- drivers/usb/serial/ftdi_sio.c | 72 ++++++++----------------- drivers/usb/serial/kobil_sct.c | 18 +++--- drivers/usb/serial/option.c | 22 ++++++- fs/bfs/inode.c | 19 ++++++ fs/ext4/inline.c | 14 ++++ fs/jbd2/transaction.c | 19 ++++-- fs/smb/client/fs_context.c | 2 fs/smb/server/transport_ipc.c | 7 +- include/net/xfrm.h | 13 +--- kernel/locking/spinlock_debug.c | 4 - kernel/trace/ftrace.c | 40 ++++++++++--- net/ipv4/ipcomp.c | 2 net/ipv6/ipcomp6.c | 2 net/ipv6/xfrm6_tunnel.c | 2 net/key/af_key.c | 2 net/xfrm/xfrm_ipcomp.c | 1 net/xfrm/xfrm_state.c | 41 +++++--------- net/xfrm/xfrm_user.c | 2 samples/vfs/test-statx.c | 6 ++ samples/watch_queue/watch_test.c | 6 ++ sound/usb/quirks.c | 6 ++ 53 files changed, 520 insertions(+), 206 deletions(-) Alexander Sverdlin (1): locking/spinlock/debug: Fix data-race in do_raw_write_lock Alexey Nepomnyashih (1): ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Alvaro Gamez Machado (1): spi: xilinx: increase number of retries before declaring stall Antheas Kapenekakis (2): platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally April Grimoire (1): HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list Armin Wolf (1): platform/x86: acer-wmi: Ignore backlight event Bagas Sanjaya (1): Documentation: process: Also mention Sasha Levin as stable tree maintainer Daniele Palmas (2): bus: mhi: host: pci_generic: Add Telit FN920C04 modem support bus: mhi: host: pci_generic: Add Telit FN990B40 modem support Deepanshu Kartikey (1): ext4: refresh inline data size before write operations Fabio Porcedda (2): USB: serial: option: add Telit Cinterion FE910C04 new compositions USB: serial: option: move Telit 0x10c7 composition in the right place Greg Kroah-Hartman (1): Linux 6.12.62 Harish Kasiviswanathan (1): drm/amdkfd: Fix GPU mappings for APU after prefetch Huacai Chen (1): LoongArch: Mask all interrupts during kexec/kdump Ian Abbott (1): comedi: c6xdigio: Fix invalid PNP driver unregistration Ian Forbes (1): drm/vmwgfx: Use kref in vmw_bo_dirty Jia Ston (1): platform/x86: huawei-wmi: add keys for HONOR models Johan Hovold (3): USB: serial: ftdi_sio: match on interface number for jtag USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC Keith Busch (1): nvme: fix admin request_queue lifetime Linus Torvalds (1): samples: work around glibc redefining some of our defines wrong Lushih Hsieh (1): ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series Magne Bruno (1): serial: add support of CPCI cards Mario Limonciello (AMD) (1): HID: hid-input: Extend Elan ignore battery quirk to USB Max Chou (1): Bluetooth: btrtl: Avoid loading the config file on security chips Naoki Ueki (1): HID: elecom: Add support for ELECOM M-XT3URBK (018F) Navaneeth K (3): staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing Nikita Zhandarovich (3): comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() comedi: multiq3: sanitize config options in multiq3_attach() comedi: check device's attached status in compat ioctls Omar Sandoval (1): KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced Praveen Talari (1): pinctrl: qcom: msm: Fix deadlock in pinmux configuration Qianchang Zhao (1): ksmbd: ipc: fix use-after-free in ipc_msg_send_request Robin Gong (1): spi: imx: keep dma request disabled before dma transfer setup Sabrina Dubroca (4): xfrm: delete x->tunnel as we delete x Revert "xfrm: destroy xfrm_state synchronously on net exit path" xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added xfrm: flush all states in xfrm_state_fini Slark Xiao (1): USB: serial: option: add Foxconn T99W760 Song Liu (1): ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() Tetsuo Handa (1): bfs: Reconstruct file type when loading from disk Ye Bin (1): jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Yiqi Sun (1): smb: fix invalid username check in smb3_fs_context_parse_param() Zenm Chen (2): wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1

2 weeks

1
1
0 0

[PATCH 5.15.y] mmc: core: use sysfs_emit() instead of sprintf()

by Chen Yu

From: Sergey Shtylyov <s.shtylyov(a)omp.ru> [ Upstream commit f5d8a5fe77ce933f53eb8f2e22bb7a1a2019ea11 ] sprintf() (still used in the MMC core for the sysfs output) is vulnerable to the buffer overflow. Use the new-fangled sysfs_emit() instead. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. Signed-off-by: Sergey Shtylyov <s.shtylyov(a)omp.ru> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/717729b2-d65b-c72e-9fac-471d28d00b5a@omp.ru Signed-off-by: Ulf Hansson <ulf.hansson(a)linaro.org> Signed-off-by: Chen Yu <xnguchen(a)sina.cn> --- drivers/mmc/core/bus.c | 9 +++++---- drivers/mmc/core/bus.h | 3 ++- drivers/mmc/core/mmc.c | 16 ++++++++-------- drivers/mmc/core/sd.c | 25 ++++++++++++------------- drivers/mmc/core/sdio.c | 5 +++-- drivers/mmc/core/sdio_bus.c | 7 ++++--- 6 files changed, 34 insertions(+), 31 deletions(-) diff --git a/drivers/mmc/core/bus.c b/drivers/mmc/core/bus.c index c25c58473a91..c80d61780ea9 100644 --- a/drivers/mmc/core/bus.c +++ b/drivers/mmc/core/bus.c @@ -15,6 +15,7 @@ #include <linux/stat.h> #include <linux/of.h> #include <linux/pm_runtime.h> +#include <linux/sysfs.h> #include <linux/mmc/card.h> #include <linux/mmc/host.h> @@ -34,13 +35,13 @@ static ssize_t type_show(struct device *dev, switch (card->type) { case MMC_TYPE_MMC: - return sprintf(buf, "MMC\n"); + return sysfs_emit(buf, "MMC\n"); case MMC_TYPE_SD: - return sprintf(buf, "SD\n"); + return sysfs_emit(buf, "SD\n"); case MMC_TYPE_SDIO: - return sprintf(buf, "SDIO\n"); + return sysfs_emit(buf, "SDIO\n"); case MMC_TYPE_SD_COMBO: - return sprintf(buf, "SDcombo\n"); + return sysfs_emit(buf, "SDcombo\n"); default: return -EFAULT; } diff --git a/drivers/mmc/core/bus.h b/drivers/mmc/core/bus.h index 8105852c4b62..3996b191b68d 100644 --- a/drivers/mmc/core/bus.h +++ b/drivers/mmc/core/bus.h @@ -9,6 +9,7 @@ #define _MMC_CORE_BUS_H #include <linux/device.h> +#include <linux/sysfs.h> struct mmc_host; struct mmc_card; @@ -17,7 +18,7 @@ struct mmc_card; static ssize_t mmc_##name##_show (struct device *dev, struct device_attribute *attr, char *buf) \ { \ struct mmc_card *card = mmc_dev_to_card(dev); \ - return sprintf(buf, fmt, args); \ + return sysfs_emit(buf, fmt, args); \ } \ static DEVICE_ATTR(name, S_IRUGO, mmc_##name##_show, NULL) diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c index a56906633ddf..958bd901a136 100644 --- a/drivers/mmc/core/mmc.c +++ b/drivers/mmc/core/mmc.c @@ -12,6 +12,7 @@ #include <linux/slab.h> #include <linux/stat.h> #include <linux/pm_runtime.h> +#include <linux/sysfs.h> #include <linux/mmc/host.h> #include <linux/mmc/card.h> @@ -812,12 +813,11 @@ static ssize_t mmc_fwrev_show(struct device *dev, { struct mmc_card *card = mmc_dev_to_card(dev); - if (card->ext_csd.rev < 7) { - return sprintf(buf, "0x%x\n", card->cid.fwrev); - } else { - return sprintf(buf, "0x%*phN\n", MMC_FIRMWARE_LEN, - card->ext_csd.fwrev); - } + if (card->ext_csd.rev < 7) + return sysfs_emit(buf, "0x%x\n", card->cid.fwrev); + else + return sysfs_emit(buf, "0x%*phN\n", MMC_FIRMWARE_LEN, + card->ext_csd.fwrev); } static DEVICE_ATTR(fwrev, S_IRUGO, mmc_fwrev_show, NULL); @@ -830,10 +830,10 @@ static ssize_t mmc_dsr_show(struct device *dev, struct mmc_host *host = card->host; if (card->csd.dsr_imp && host->dsr_req) - return sprintf(buf, "0x%x\n", host->dsr); + return sysfs_emit(buf, "0x%x\n", host->dsr); else /* return default DSR value */ - return sprintf(buf, "0x%x\n", 0x404); + return sysfs_emit(buf, "0x%x\n", 0x404); } static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL); diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c index 592166e53dce..46ca73c17c4c 100644 --- a/drivers/mmc/core/sd.c +++ b/drivers/mmc/core/sd.c @@ -12,6 +12,7 @@ #include <linux/slab.h> #include <linux/stat.h> #include <linux/pm_runtime.h> +#include <linux/sysfs.h> #include <linux/mmc/host.h> #include <linux/mmc/card.h> @@ -707,18 +708,16 @@ MMC_DEV_ATTR(ocr, "0x%08x\n", card->ocr); MMC_DEV_ATTR(rca, "0x%04x\n", card->rca); -static ssize_t mmc_dsr_show(struct device *dev, - struct device_attribute *attr, - char *buf) +static ssize_t mmc_dsr_show(struct device *dev, struct device_attribute *attr, + char *buf) { - struct mmc_card *card = mmc_dev_to_card(dev); - struct mmc_host *host = card->host; - - if (card->csd.dsr_imp && host->dsr_req) - return sprintf(buf, "0x%x\n", host->dsr); - else - /* return default DSR value */ - return sprintf(buf, "0x%x\n", 0x404); + struct mmc_card *card = mmc_dev_to_card(dev); + struct mmc_host *host = card->host; + + if (card->csd.dsr_imp && host->dsr_req) + return sysfs_emit(buf, "0x%x\n", host->dsr); + /* return default DSR value */ + return sysfs_emit(buf, "0x%x\n", 0x404); } static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL); @@ -734,9 +733,9 @@ static ssize_t info##num##_show(struct device *dev, struct device_attribute *att \ if (num > card->num_info) \ return -ENODATA; \ - if (!card->info[num-1][0]) \ + if (!card->info[num - 1][0]) \ return 0; \ - return sprintf(buf, "%s\n", card->info[num-1]); \ + return sysfs_emit(buf, "%s\n", card->info[num - 1]); \ } \ static DEVICE_ATTR_RO(info##num) diff --git a/drivers/mmc/core/sdio.c b/drivers/mmc/core/sdio.c index cbc9ca0dd56e..53c8f71af966 100644 --- a/drivers/mmc/core/sdio.c +++ b/drivers/mmc/core/sdio.c @@ -7,6 +7,7 @@ #include <linux/err.h> #include <linux/pm_runtime.h> +#include <linux/sysfs.h> #include <linux/mmc/host.h> #include <linux/mmc/card.h> @@ -40,9 +41,9 @@ static ssize_t info##num##_show(struct device *dev, struct device_attribute *att \ if (num > card->num_info) \ return -ENODATA; \ - if (!card->info[num-1][0]) \ + if (!card->info[num - 1][0]) \ return 0; \ - return sprintf(buf, "%s\n", card->info[num-1]); \ + return sysfs_emit(buf, "%s\n", card->info[num - 1]); \ } \ static DEVICE_ATTR_RO(info##num) diff --git a/drivers/mmc/core/sdio_bus.c b/drivers/mmc/core/sdio_bus.c index f6cdec00e97e..f191a2a76f3b 100644 --- a/drivers/mmc/core/sdio_bus.c +++ b/drivers/mmc/core/sdio_bus.c @@ -14,6 +14,7 @@ #include <linux/pm_runtime.h> #include <linux/pm_domain.h> #include <linux/acpi.h> +#include <linux/sysfs.h> #include <linux/mmc/card.h> #include <linux/mmc/host.h> @@ -35,7 +36,7 @@ field##_show(struct device *dev, struct device_attribute *attr, char *buf) \ struct sdio_func *func; \ \ func = dev_to_sdio_func (dev); \ - return sprintf(buf, format_string, args); \ + return sysfs_emit(buf, format_string, args); \ } \ static DEVICE_ATTR_RO(field) @@ -52,9 +53,9 @@ static ssize_t info##num##_show(struct device *dev, struct device_attribute *att \ if (num > func->num_info) \ return -ENODATA; \ - if (!func->info[num-1][0]) \ + if (!func->info[num - 1][0]) \ return 0; \ - return sprintf(buf, "%s\n", func->info[num-1]); \ + return sysfs_emit(buf, "%s\n", func->info[num - 1]); \ } \ static DEVICE_ATTR_RO(info##num) -- 2.17.1

2 weeks

2
1
0 0

[PATCHSET v2 sched_ext/for-6.19-fixes] sched_ext: Fix missing post-enqueue handling in move_local_task_to_local_dsq()

by Tejun Heo

Hello, move_local_task_to_local_dsq() was missing post-enqueue handling which matters now that scx_bpf_dsq_move() can be called while the CPU is busy. v2: Updated commit messages and added Cc stable. v1: http://lkml.kernel.org/r/20251211224809.3383633-1-tj@kernel.org 0001-sched_ext-Factor-out-local_dsq_post_enq-from-dispatc.patch 0002-sched_ext-Fix-missing-post-enqueue-handling-in-move_.patch Based on sched_ext/for-6.19-fixes (9f769637a93f). diffstat: kernel/sched/ext.c | 44 +++++++++++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 15 deletions(-) -- tejun

2 weeks

2
5
0 0

Follow-Up: LDI 2025 Attendee List + 20% Discount

by Juanita Garcia

Hi, Just checking in to see if you had a moment to review my earlier message. As you have been an exhibitor at Live Design International 2025 We have the final updated attendee list of verified contacts 16,537 of people including last-minute registers and walk-ins to the show, and all are confirmed Opt-in and Verified contacts Special :20% reduction on our compliant contact data. If you’d like more details, just let me know or reply “Send me pricing.” Best regards, Juanita Garcia Sr. Marketing Manager If you prefer not to receive updates, reply “Not Interested.”

2 weeks

1
0
0 0

[PATCH v2] PCI: Fix incorrect unlocking in pci_slot_trylock()

by Jinhui Guo

Commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") delegates the bridge device's pci_dev_trylock() to pci_bus_trylock() in pci_slot_trylock(), but it forgets to remove the corresponding pci_dev_unlock() when pci_bus_trylock() fails. Before the commit, the code did: if (!pci_dev_trylock(dev)) /* <- lock bridge device */ goto unlock; if (dev->subordinate) { if (!pci_bus_trylock(dev->subordinate)) { pci_dev_unlock(dev); /* <- unlock bridge device */ goto unlock; } } After the commit the bridge-device lock is no longer taken, but the pci_dev_unlock(dev) on the failure path was left in place, leading to the bug. This yields one of two errors: 1. A warning that the lock is being unlocked when no one holds it. 2. An incorrect unlock of a lock that belongs to another thread. Fix it by removing the now-redundant pci_dev_unlock(dev) on the failure path. Fixes: a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") Cc: stable(a)vger.kernel.org Signed-off-by: Jinhui Guo <guojinhui.liam(a)bytedance.com> Acked-by: Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> --- Hi, all v1: https://lore.kernel.org/all/20251211123635.2215-1-guojinhui.liam@bytedance.… Changelog in v1 -> v2 - The v1 commit message was too brief, so I’ve sent v2 with more detail. - Remove the braces from the if (!pci_bus_trylock(dev->subordinate)) statement. Sorry for the noise. Best Regards, Jinhui drivers/pci/pci.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c index 13dbb405dc31..59319e08fca6 100644 --- a/drivers/pci/pci.c +++ b/drivers/pci/pci.c @@ -5346,10 +5346,8 @@ static int pci_slot_trylock(struct pci_slot *slot) if (!dev->slot || dev->slot != slot) continue; if (dev->subordinate) { - if (!pci_bus_trylock(dev->subordinate)) { - pci_dev_unlock(dev); + if (!pci_bus_trylock(dev->subordinate)) goto unlock; - } } else if (!pci_dev_trylock(dev)) goto unlock; } -- 2.20.1

2 weeks

2
2
0 0

[PATCH] PCI: Remove redundant pci_dev_unlock() in pci_slot_trylock()

by Jinhui Guo

Commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") delegates the bridge device's pci_dev_trylock() to pci_bus_trylock() in pci_slot_trylock(), but it leaves a redundant pci_dev_unlock() when pci_bus_trylock() fails. Remove the redundant bridge-device pci_dev_unlock() in pci_slot_trylock(), since that lock is no longer taken there. Fixes: a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") Cc: stable(a)vger.kernel.org Signed-off-by: Jinhui Guo <guojinhui.liam(a)bytedance.com> --- drivers/pci/pci.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c index 13dbb405dc31..75a98819db6f 100644 --- a/drivers/pci/pci.c +++ b/drivers/pci/pci.c @@ -5347,7 +5347,6 @@ static int pci_slot_trylock(struct pci_slot *slot) continue; if (dev->subordinate) { if (!pci_bus_trylock(dev->subordinate)) { - pci_dev_unlock(dev); goto unlock; } } else if (!pci_dev_trylock(dev)) -- 2.20.1

2 weeks

2
2
0 0

[PATCH v3] drm: Fix object leak in DRM_IOCTL_GEM_CHANGE_HANDLE

by Karol Wachowski

Add missing drm_gem_object_put() call when drm_gem_object_lookup() successfully returns an object. This fixes a GEM object reference leak that can prevent driver modules from unloading when using prime buffers. Fixes: 53096728b891 ("drm: Add DRM prime interface to reassign GEM handle") Cc: <stable(a)vger.kernel.org> # v6.18+ Signed-off-by: Karol Wachowski <karol.wachowski(a)linux.intel.com> --- Changes between v3 and v2: - correctly add CC: tag this time Changes between v1 and v2: - move setting ret value under if branch as suggested in review - add Cc: stable 6.18+ --- drivers/gpu/drm/drm_gem.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/drm_gem.c b/drivers/gpu/drm/drm_gem.c index ca1956608261..bcc08a6aebf8 100644 --- a/drivers/gpu/drm/drm_gem.c +++ b/drivers/gpu/drm/drm_gem.c @@ -1010,8 +1010,10 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data, if (!obj) return -ENOENT; - if (args->handle == args->new_handle) - return 0; + if (args->handle == args->new_handle) { + ret = 0; + goto out; + } mutex_lock(&file_priv->prime.lock); @@ -1043,6 +1045,8 @@ int drm_gem_change_handle_ioctl(struct drm_device *dev, void *data, out_unlock: mutex_unlock(&file_priv->prime.lock); +out: + drm_gem_object_put(obj); return ret; } -- 2.43.0

2 weeks

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror