- Linux-stable-mirror - lists.linaro.org

[PATCH v2 6.6] ksmbd: fix use-after-free in session logoff

by Nazar Kalashnikov

From: Sean Heelan <seanheelan(a)gmail.com> commit 2fc9feff45d92a92cd5f96487655d5be23fb7e2b upstream. The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user. Signed-off-by: Sean Heelan <seanheelan(a)gmail.com> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Nazar Kalashnikov <sivartiwe(a)gmail.com> --- v2: Fix duplicate From: header Backport fix for CVE-2025-37899 fs/smb/server/smb2pdu.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 9f64808c7917..a819f198c333 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2255,10 +2255,6 @@ int smb2_session_logoff(struct ksmbd_work *work) sess->state = SMB2_SESSION_EXPIRED; up_write(&conn->session_lock); - if (sess->user) { - ksmbd_free_user(sess->user); - sess->user = NULL; - } ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_SETUP); rsp->StructureSize = cpu_to_le16(4); -- 2.43.0

2 weeks, 6 days

1
0
0 0

[PATCH v2 6.1] ksmbd: fix use-after-free in session logoff

by Nazar Kalashnikov

From: Sean Heelan <seanheelan(a)gmail.com> commit 2fc9feff45d92a92cd5f96487655d5be23fb7e2b upstream. The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user. Signed-off-by: Sean Heelan <seanheelan(a)gmail.com> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Nazar Kalashnikov <sivartiwe(a)gmail.com> --- v2: Fix duplicate From: header Backport fix for CVE-2025-37899 fs/smb/server/smb2pdu.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index d2dca5d2f17c..f72ef3fe4968 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2252,10 +2252,6 @@ int smb2_session_logoff(struct ksmbd_work *work) sess->state = SMB2_SESSION_EXPIRED; up_write(&conn->session_lock); - if (sess->user) { - ksmbd_free_user(sess->user); - sess->user = NULL; - } ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_NEGOTIATE); rsp->StructureSize = cpu_to_le16(4); -- 2.39.2

2 weeks, 6 days

1
0
0 0

Re: [PATCH 6.1] ksmbd: fix use-after-free in session logoff

by SIVARTIWE PROST

Sorry about that! I will send the revised second version shortly

2 weeks, 6 days

1
0
0 0

[PATCH] hwmon: (max6697) fix regmap leak on probe failure

by Johan Hovold

The i2c regmap allocated during probe is never freed. Switch to using the device managed allocator so that the regmap is released on probe failures (e.g. probe deferral) and on driver unbind. Fixes: 3a2a8cc3fe24 ("hwmon: (max6697) Convert to use regmap") Cc: stable(a)vger.kernel.org # 6.12 Cc: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/hwmon/max6697.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hwmon/max6697.c b/drivers/hwmon/max6697.c index 0735a1d2c20f..6926d787b5ad 100644 --- a/drivers/hwmon/max6697.c +++ b/drivers/hwmon/max6697.c @@ -548,7 +548,7 @@ static int max6697_probe(struct i2c_client *client) struct regmap *regmap; int err; - regmap = regmap_init_i2c(client, &max6697_regmap_config); + regmap = devm_regmap_init_i2c(client, &max6697_regmap_config); if (IS_ERR(regmap)) return PTR_ERR(regmap); -- 2.51.2

2 weeks, 6 days

2
1
0 0

[REGRESSION] stable-rc/linux-5.4.y: (build) GCC does not allow variable declarations in for loop initializers ...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.4.y: --- GCC does not allow variable declarations in for loop initializers before C99 [-Wgcc-compat] in mm/mempool.o (mm/mempool.c) [logspec:kbuild,kbuild.compiler.warning] --- - dashboard: https://d.kernelci.org/i/maestro:d414057925e4dea9704ce677eef188319c8610a4 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: b11ac6e8f913ac67f9424a5cdd4158b283c0e3cb Please include the KernelCI tag when submitting a fix: Reported-by: kernelci.org bot <bot(a)kernelci.org> Log excerpt: ===================================================== mm/mempool.c:69:8: warning: GCC does not allow variable declarations in for loop initializers before C99 [-Wgcc-compat] 69 | for (int i = 0; i < (1 << order); i++) { | ^ CC arch/arm/mach-imx/mach-vpr200.o mm/mempool.c:71:17: error: implicit declaration of function 'kmap_local_page' [-Werror,-Wimplicit-function-declaration] 71 | void *addr = kmap_local_page(page + i); | ^ mm/mempool.c:71:17: note: did you mean 'kmap_to_page'? ./include/linux/highmem.h:67:14: note: 'kmap_to_page' declared here 67 | struct page *kmap_to_page(void *addr); | ^ mm/mempool.c:71:10: error: incompatible integer to pointer conversion initializing 'void *' with an expression of type 'int' [-Wint-conversion] 71 | void *addr = kmap_local_page(page + i); | ^ ~~~~~~~~~~~~~~~~~~~~~~~~~ mm/mempool.c:74:4: error: implicit declaration of function 'kunmap_local' [-Werror,-Wimplicit-function-declaration] 74 | kunmap_local(addr); | ^ mm/mempool.c:103:8: warning: GCC does not allow variable declarations in for loop initializers before C99 [-Wgcc-compat] 103 | for (int i = 0; i < (1 << order); i++) { | ^ mm/mempool.c:105:17: error: implicit declaration of function 'kmap_local_page' [-Werror,-Wimplicit-function-declaration] 105 | void *addr = kmap_local_page(page + i); | ^ mm/mempool.c:105:10: error: incompatible integer to pointer conversion initializing 'void *' with an expression of type 'int' [-Wint-conversion] 105 | void *addr = kmap_local_page(page + i); | ^ ~~~~~~~~~~~~~~~~~~~~~~~~~ mm/mempool.c:108:4: error: implicit declaration of function 'kunmap_local' [-Werror,-Wimplicit-function-declaration] 108 | kunmap_local(addr); | ^ 2 warnings and 6 errors generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-21 - config: https://files.kernelci.org/kbuild-clang-21-arm-allmodconfig-69286c4df5b8743… - dashboard: https://d.kernelci.org/build/maestro:69286c4df5b8743b1f65f308 #kernelci issue maestro:d414057925e4dea9704ce677eef188319c8610a4 -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

2 weeks, 6 days

1
0
0 0

[REGRESSION] stable-rc/linux-5.10.y: (build) GCC does not allow variable declarations in for loop initializers ...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.10.y: --- GCC does not allow variable declarations in for loop initializers before C99 [-Wgcc-compat] in mm/mempool.o (mm/mempool.c) [logspec:kbuild,kbuild.compiler.warning] --- - dashboard: https://d.kernelci.org/i/maestro:edfc0791be4ae7547a2a17054e9cd0317c106f20 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 92a27d160c829ca1d8dd3be92e8e8669620d66d5 Please include the KernelCI tag when submitting a fix: Reported-by: kernelci.org bot <bot(a)kernelci.org> Log excerpt: ===================================================== mm/mempool.c:68:8: warning: GCC does not allow variable declarations in for loop initializers before C99 [-Wgcc-compat] 68 | for (int i = 0; i < (1 << order); i++) { | ^ mm/mempool.c:70:17: error: implicit declaration of function 'kmap_local_page' [-Werror,-Wimplicit-function-declaration] 70 | void *addr = kmap_local_page(page + i); | ^ mm/mempool.c:70:17: note: did you mean 'kmap_to_page'? ./include/linux/highmem.h:124:14: note: 'kmap_to_page' declared here 124 | struct page *kmap_to_page(void *addr); | ^ mm/mempool.c:70:10: error: incompatible integer to pointer conversion initializing 'void *' with an expression of type 'int' [-Wint-conversion] 70 | void *addr = kmap_local_page(page + i); | ^ ~~~~~~~~~~~~~~~~~~~~~~~~~ mm/mempool.c:73:4: error: implicit declaration of function 'kunmap_local' [-Werror,-Wimplicit-function-declaration] 73 | kunmap_local(addr); | ^ mm/mempool.c:101:8: warning: GCC does not allow variable declarations in for loop initializers before C99 [-Wgcc-compat] 101 | for (int i = 0; i < (1 << order); i++) { | ^ mm/mempool.c:103:17: error: implicit declaration of function 'kmap_local_page' [-Werror,-Wimplicit-function-declaration] 103 | void *addr = kmap_local_page(page + i); | ^ mm/mempool.c:103:10: error: incompatible integer to pointer conversion initializing 'void *' with an expression of type 'int' [-Wint-conversion] 103 | void *addr = kmap_local_page(page + i); | ^ ~~~~~~~~~~~~~~~~~~~~~~~~~ mm/mempool.c:106:4: error: implicit declaration of function 'kunmap_local' [-Werror,-Wimplicit-function-declaration] 106 | kunmap_local(addr); | ^ CC fs/notify/fanotify/fanotify.o 2 warnings and 6 errors generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-21 - config: https://files.kernelci.org/kbuild-clang-21-arm-allmodconfig-69286cb5f5b8743… - dashboard: https://d.kernelci.org/build/maestro:69286cb5f5b8743b1f65f372 ## i386_defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (i386): - compiler: clang-21 - config: https://files.kernelci.org/kbuild-clang-21-i386-allmodconfig-69286ceff5b874… - dashboard: https://d.kernelci.org/build/maestro:69286ceff5b8743b1f65f3b6 #kernelci issue maestro:edfc0791be4ae7547a2a17054e9cd0317c106f20 -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

2 weeks, 6 days

1
0
0 0

[REGRESSION] stable-rc/linux-5.15.y: (build) GCC does not allow variable declarations in for loop initializers ...

by KernelCI bot

Hello, New build issue found on stable-rc/linux-5.15.y: --- GCC does not allow variable declarations in for loop initializers before C99 [-Werror,-Wgcc-compat] in mm/mempool.o (mm/mempool.c) [logspec:kbuild,kbuild.compiler.error] --- - dashboard: https://d.kernelci.org/i/maestro:5387ce1530c340d198d1f318d34f9904675295a1 - giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git - commit HEAD: 0001989708674740432a288983eddc1fdad1073b Please include the KernelCI tag when submitting a fix: Reported-by: kernelci.org bot <bot(a)kernelci.org> Log excerpt: ===================================================== mm/mempool.c:68:8: error: GCC does not allow variable declarations in for loop initializers before C99 [-Werror,-Wgcc-compat] 68 | for (int i = 0; i < (1 << order); i++) { | ^ mm/mempool.c:101:8: error: GCC does not allow variable declarations in for loop initializers before C99 [-Werror,-Wgcc-compat] 101 | for (int i = 0; i < (1 << order); i++) { | ^ CC kernel/irq/spurious.o 2 errors generated. ===================================================== # Builds where the incident occurred: ## defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (arm): - compiler: clang-21 - config: https://files.kernelci.org/kbuild-clang-21-arm-allmodconfig-69286d2ef5b8743… - dashboard: https://d.kernelci.org/build/maestro:69286d2ef5b8743b1f65f3ee ## i386_defconfig+allmodconfig+CONFIG_FRAME_WARN=2048 on (i386): - compiler: clang-21 - config: https://files.kernelci.org/kbuild-clang-21-i386-allmodconfig-69286d6ff5b874… - dashboard: https://d.kernelci.org/build/maestro:69286d6ff5b8743b1f65f41f #kernelci issue maestro:5387ce1530c340d198d1f318d34f9904675295a1 -- This is an experimental report format. Please send feedback in! Talk to us at kernelci(a)lists.linux.dev Made with love by the KernelCI team - https://kernelci.org

2 weeks, 6 days

1
0
0 0

Optimiza tu reclutamiento con PsicoSmart

by Valeria Pérez

Mejora tus contrataciones con PsicoSmart body { margin: 0; padding: 0; font-family: Arial, Helvetica, sans-serif; font-size: 14px; color: #333; background-color: #ffffff; } table { border-spacing: 0; width: 100%; max-width: 600px; margin: auto; } td { padding: 12px 20px; } a { color: #1a73e8; text-decoration: none; } .footer { font-size: 12px; color: #888888; text-align: center; } Evalúa talento de forma objetiva y mejora tus contrataciones con PsicoSmart. Hola, , ¿Te ha pasado que un candidato luce perfecto en entrevista, pero en el trabajo no encaja como esperabas? En selección, confiar solo en la percepción puede llevar a decisiones costosas. Por eso quiero presentarte PsicoSmart, una herramienta creada para que los equipos de Recursos Humanos tomen decisiones más objetivas y acertadas. Con PsicoSmart puedes: Aplicar 31 pruebas psicométricas que evalúan liderazgo, honestidad, comunicación e inteligencia. Validar conocimientos técnicos con más de 2,500 exámenes especializados. Supervisar la identidad de quien responde mediante captura fotográfica automática durante la evaluación. Gestionar todo desde una sola plataforma, accesible desde cualquier dispositivo. Si estás buscando mejorar tus contrataciones, podría ser una muy buena opción. Si quieres conocer más puedes responder este correo o simplemente contactarme, mis datos están abajo. Saludos, -------------- Atte.: Valeria Pérez Ciudad de México: (55) 5018 0565 WhatsApp: +52 33 1607 2089 Si no deseas recibir más correos, haz clic aquí para darte de baja. Para remover su dirección de esta lista haga <a href="https://s1.arrobamail.com/unsuscribe.php?id=yiwtsrewiswqrwseup">click aquí</a>

2 weeks, 6 days

1
0
0 0

[PATCH] soc: samsung: exynos-pmu: fix device leak on regmap lookup

by Johan Hovold

Make sure to drop the reference taken when looking up the PMU device and its regmap. Note that holding a reference to a device does not prevent its regmap from going away so there is no point in keeping the reference. Fixes: 0b7c6075022c ("soc: samsung: exynos-pmu: Add regmap support for SoCs that protect PMU regs") Cc: stable(a)vger.kernel.org # 6.9 Cc: Peter Griffin <peter.griffin(a)linaro.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/soc/samsung/exynos-pmu.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/soc/samsung/exynos-pmu.c b/drivers/soc/samsung/exynos-pmu.c index 22c50ca2aa79..ba4de8194a0e 100644 --- a/drivers/soc/samsung/exynos-pmu.c +++ b/drivers/soc/samsung/exynos-pmu.c @@ -346,6 +346,8 @@ struct regmap *exynos_get_pmu_regmap_by_phandle(struct device_node *np, if (!dev) return ERR_PTR(-EPROBE_DEFER); + put_device(dev); + return syscon_node_to_regmap(pmu_np); } EXPORT_SYMBOL_GPL(exynos_get_pmu_regmap_by_phandle); -- 2.51.2

2 weeks, 6 days

2
4
0 0

[PATCH 6.1] ksmbd: fix use-after-free in session logoff

by Nazar Kalashnikov

From: Nazar Kalashnikov <sivartiwe(a)gmail.com> From: Sean Heelan <seanheelan(a)gmail.com> commit 2fc9feff45d92a92cd5f96487655d5be23fb7e2b upstream. The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user. Signed-off-by: Sean Heelan <seanheelan(a)gmail.com> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Nazar Kalashnikov <sivartiwe(a)gmail.com> --- Backport fix for CVE-2025-37899 fs/smb/server/smb2pdu.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index d2dca5d2f17c..f72ef3fe4968 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -2252,10 +2252,6 @@ int smb2_session_logoff(struct ksmbd_work *work) sess->state = SMB2_SESSION_EXPIRED; up_write(&conn->session_lock); - if (sess->user) { - ksmbd_free_user(sess->user); - sess->user = NULL; - } ksmbd_all_conn_set_status(sess_id, KSMBD_SESS_NEED_NEGOTIATE); rsp->StructureSize = cpu_to_le16(4); -- 2.39.2

2 weeks, 6 days

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror