1. 22 Feb, 2023 5 commits
  2. 16 Feb, 2023 1 commit
  3. 15 Feb, 2023 5 commits
  4. 09 Feb, 2023 2 commits
  5. 07 Feb, 2023 3 commits
    • Linus Torvalds's avatar
      Merge tag 'devicetree-fixes-for-6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · 0983f6bf
      Linus Torvalds authored
      Pull devicetree fixes from Rob Herring:
      
       - Fix handling of multiple OF framebuffer devices
      
       - Fix booting on Socionext Synquacer with bad 'dma-ranges' entries
      
       - Add DT binding .yamllint to .gitignore
      
      * tag 'devicetree-fixes-for-6.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        dt-bindings: interrupt-controller: arm,gic-v3: Fix typo in description of msi-controller property
        dt-bindings: Fix .gitignore
        of/address: Return an error when no valid dma-ranges are found
        of: Make OF framebuffer device names unique
      0983f6bf
    • Linus Torvalds's avatar
      Merge tag 'trace-v6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · 513c1a3d
      Linus Torvalds authored
      Pull tracing fix from Steven Rostedt:
       "Fix regression in poll() and select()
      
        With the fix that made poll() and select() block if read would block
        caused a slight regression in rasdaemon, as it needed that kind of
        behavior. Add a way to make that behavior come back by writing zero
        into the 'buffer_percentage', which means to never block on read"
      
      * tag 'trace-v6.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing: Fix poll() and select() do not work on per_cpu trace_pipe and trace_pipe_raw
      513c1a3d
    • ZhaoLong Wang's avatar
      cifs: Fix use-after-free in rdata->read_into_pages() · aa5465ae
      ZhaoLong Wang authored
      When the network status is unstable, use-after-free may occur when
      read data from the server.
      
        BUG: KASAN: use-after-free in readpages_fill_pages+0x14c/0x7e0
      
        Call Trace:
         <TASK>
         dump_stack_lvl+0x38/0x4c
         print_report+0x16f/0x4a6
         kasan_report+0xb7/0x130
         readpages_fill_pages+0x14c/0x7e0
         cifs_readv_receive+0x46d/0xa40
         cifs_demultiplex_thread+0x121c/0x1490
         kthread+0x16b/0x1a0
         ret_from_fork+0x2c/0x50
         </TASK>
      
        Allocated by task 2535:
         kasan_save_stack+0x22/0x50
         kasan_set_track+0x25/0x30
         __kasan_kmalloc+0x82/0x90
         cifs_readdata_direct_alloc+0x2c/0x110
         cifs_readdata_alloc+0x2d/0x60
         cifs_readahead+0x393/0xfe0
         read_pages+0x12f/0x470
         page_cache_ra_unbounded+0x1b1/0x240
         filemap_get_pages+0x1c8/0x9a0
         filemap_read+0x1c0/0x540
         cifs_strict_readv+0x21b/0x240
         vfs_read+0x395/0x4b0
         ksys_read+0xb8/0x150
         do_syscall_64+0x3f/0x90
         entry_SYSCALL_64_after_hwframe+0x72/0xdc
      
        Freed by task 79:
         kasan_save_stack+0x22/0x50
         kasan_set_track+0x25/0x30
         kasan_save_free_info+0x2e/0x50
         __kasan_slab_free+0x10e/0x1a0
         __kmem_cache_free+0x7a/0x1a0
         cifs_readdata_release+0x49/0x60
         process_one_work+0x46c/0x760
         worker_thread+0x2a4/0x6f0
         kthread+0x16b/0x1a0
         ret_from_fork+0x2c/0x50
      
        Last potentially related work creation:
         kasan_save_stack+0x22/0x50
         __kasan_record_aux_stack+0x95/0xb0
         insert_work+0x2b/0x130
         __queue_work+0x1fe/0x660
         queue_work_on+0x4b/0x60
         smb2_readv_callback+0x396/0x800
         cifs_abort_connection+0x474/0x6a0
         cifs_reconnect+0x5cb/0xa50
         cifs_readv_from_socket.cold+0x22/0x6c
         cifs_read_page_from_socket+0xc1/0x100
         readpages_fill_pages.cold+0x2f/0x46
         cifs_readv_receive+0x46d/0xa40
         cifs_demultiplex_thread+0x121c/0x1490
         kthread+0x16b/0x1a0
         ret_from_fork+0x2c/0x50
      
      The following function calls will cause UAF of the rdata pointer.
      
      readpages_fill_pages
       cifs_read_page_from_socket
        cifs_readv_from_socket
         cifs_reconnect
          __cifs_reconnect
           cifs_abort_connection
            mid->callback() --> smb2_readv_callback
             queue_work(&rdata->work)  # if the worker completes first,
                                       # the rdata is freed
                cifs_readv_complete
                  kref_put
                    cifs_readdata_release
                      kfree(rdata)
       return rdata->...               # UAF in readpages_fill_pages()
      
      Similarly, this problem also occurs in the uncache_fill_pages().
      
      Fix this by adjusts the order of condition judgment in the return
      statement.
      Signed-off-by: default avatarZhaoLong Wang <wangzhaolong1@huawei.com>
      Cc: stable@vger.kernel.org
      Acked-by: default avatarPaulo Alcantara (SUSE) <pc@cjr.nz>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      aa5465ae
  6. 06 Feb, 2023 20 commits
  7. 05 Feb, 2023 4 commits
    • Linus Torvalds's avatar
      Linux 6.2-rc7 · 4ec5183e
      Linus Torvalds authored
      4ec5183e
    • Linus Torvalds's avatar
      Merge tag 'usb-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · c608f6b5
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some small USB fixes that resolve some reported problems.
        These include:
      
         - gadget driver fixes
      
         - dwc3 driver fix
      
         - typec driver fix
      
         - MAINTAINERS file update.
      
        All of these have been in linux-next with no reported problems"
      
      * tag 'usb-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: typec: ucsi: Don't attempt to resume the ports before they exist
        usb: gadget: udc: do not clear gadget driver.bus
        usb: gadget: f_uac2: Fix incorrect increment of bNumEndpoints
        usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait
        usb: dwc3: qcom: enable vbus override when in OTG dr-mode
        MAINTAINERS: Add myself as UVC Gadget Maintainer
      c608f6b5
    • Linus Torvalds's avatar
      Merge tag 'tty-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · dc0ce181
      Linus Torvalds authored
      Pull tty/serial driver fixes from Greg KH:
       "Here are some small serial and vt fixes. These include:
      
         - 8250 driver fixes relating to dma issues
      
         - stm32 serial driver fix for threaded irqs
      
         - vc_screen bugfix for reported problems.
      
        All have been in linux-next for a while with no reported problems"
      
      * tag 'tty-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF
        serial: 8250_dma: Fix DMA Rx rearm race
        serial: 8250_dma: Fix DMA Rx completion race
        serial: stm32: Merge hard IRQ and threaded IRQ handling into single IRQ handler
      dc0ce181
    • Linus Torvalds's avatar
      Merge tag 'char-misc-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · d3feaff4
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are a number of small char/misc/whatever driver fixes. They
        include:
      
         - IIO driver fixes for some reported problems
      
         - nvmem driver fixes
      
         - fpga driver fixes
      
         - debugfs memory leak fix in the hv_balloon and irqdomain code
           (irqdomain change was acked by the maintainer)
      
        All have been in linux-next with no reported problems"
      
      * tag 'char-misc-6.2-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (33 commits)
        kernel/irq/irqdomain.c: fix memory leak with using debugfs_lookup()
        HV: hv_balloon: fix memory leak with using debugfs_lookup()
        nvmem: qcom-spmi-sdam: fix module autoloading
        nvmem: core: fix return value
        nvmem: core: fix cell removal on error
        nvmem: core: fix device node refcounting
        nvmem: core: fix registration vs use race
        nvmem: core: fix cleanup after dev_set_name()
        nvmem: core: remove nvmem_config wp_gpio
        nvmem: core: initialise nvmem->id early
        nvmem: sunxi_sid: Always use 32-bit MMIO reads
        nvmem: brcm_nvram: Add check for kzalloc
        iio: imu: fxos8700: fix MAGN sensor scale and unit
        iio: imu: fxos8700: remove definition FXOS8700_CTRL_ODR_MIN
        iio: imu: fxos8700: fix failed initialization ODR mode assignment
        iio: imu: fxos8700: fix incorrect ODR mode readback
        iio: light: cm32181: Fix PM support on system with 2 I2C resources
        iio: hid: fix the retval in gyro_3d_capture_sample
        iio: hid: fix the retval in accel_3d_capture_sample
        iio: imu: st_lsm6dsx: fix build when CONFIG_IIO_TRIGGERED_BUFFER=m
        ...
      d3feaff4