1. 30 Aug, 2024 2 commits
    • ksmbd: unset the binding mark of a reused connection · 78c5a6f1
      Namjae Jeon authored
      Steve French reported a null pointer dereference error from the sha256 lib.
      cifs.ko can send session setup requests on a reused connection.
      If a reused connection is used for a binding session, conn->binding can
      still remain true and generate_preauth_hash() will not set
      sess->Preauth_HashValue and it will be NULL.
      It is used as material to create an encryption key in
      ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue causes a null pointer
      dereference error from crypto_shash_update().
      
      BUG: kernel NULL pointer dereference, address: 0000000000000000
      #PF: supervisor read access in kernel mode
      #PF: error_code(0x0000) - not-present page
      PGD 0 P4D 0
      Oops: 0000 [#1] PREEMPT SMP PTI
      CPU: 8 PID: 429254 Comm: kworker/8:39
      Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 )
      Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
      RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
      <TASK>
      ? show_regs+0x6d/0x80
      ? __die+0x24/0x80
      ? page_fault_oops+0x99/0x1b0
      ? do_user_addr_fault+0x2ee/0x6b0
      ? exc_page_fault+0x83/0x1b0
      ? asm_exc_page_fault+0x27/0x30
      ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
      ? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3]
      ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
      ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3]
      _sha256_update+0x77/0xa0 [sha256_ssse3]
      sha256_avx2_update+0x15/0x30 [sha256_ssse3]
      crypto_shash_update+0x1e/0x40
      hmac_update+0x12/0x20
      crypto_shash_update+0x1e/0x40
      generate_key+0x234/0x380 [ksmbd]
      generate_smb3encryptionkey+0x40/0x1c0 [ksmbd]
      ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd]
      ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd]
      smb2_sess_setup+0x952/0xaa0 [ksmbd]
      __process_request+0xa3/0x1d0 [ksmbd]
      __handle_ksmbd_work+0x1c4/0x2f0 [ksmbd]
      handle_ksmbd_work+0x2d/0xa0 [ksmbd]
      process_one_work+0x16c/0x350
      worker_thread+0x306/0x440
      ? __pfx_worker_thread+0x10/0x10
      kthread+0xef/0x120
      ? __pfx_kthread+0x10/0x10
      ret_from_fork+0x44/0x70
      ? __pfx_kthread+0x10/0x10
      ret_from_fork_asm+0x1b/0x30
      </TASK>
      
      Fixes: f5a544e3 ("ksmbd: add support for SMB3 multichannel")
      Cc: stable@vger.kernel.org # v5.15+
      Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • smb: Annotate struct xattr_smb_acl with __counted_by() · 8d8d2447
      Thorsten Blum authored
      Add the __counted_by compiler attribute to the flexible array member
      entries to improve access bounds-checking via CONFIG_UBSAN_BOUNDS and
      CONFIG_FORTIFY_SOURCE.
      Signed-off-by: Thorsten Blum <thorsten.blum@toblux.com>
      Acked-by: Namjae Jeon <linkinjeon@kernel.org>
      Signed-off-by: Steve French <stfrench@microsoft.com>
  2. 25 Aug, 2024 3 commits
    • Merge tag '6.11-rc5-server-fixes' of git://git.samba.org/ksmbd · 780bdc1b
      Linus Torvalds authored
      Pull smb server fixes from Steve French:
      
       - query directory flex array fix
      
       - fix potential null ptr reference in open
      
       - fix error message in some open cases
      
       - two minor cleanups
      
      * tag '6.11-rc5-server-fixes' of git://git.samba.org/ksmbd:
        smb/server: update misguided comment of smb2_allocate_rsp_buf()
        smb/server: remove useless assignment of 'file_present' in smb2_open()
        smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open()
        smb/server: fix return value of smb2_open()
        ksmbd: the buffer of smb2 query dir response has at least 1 byte
    • Merge tag 's390-6.11-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · 48fb4b3d
      Linus Torvalds authored
      Pull s390 fixes from Vasily Gorbik:
      
       - Fix KASLR base offset to account for symbol offsets in the vmlinux
         ELF file, preventing tool breakages like the drgn debugger
      
       - Fix potential memory corruption of physmem_info during kernel
         physical address randomization
      
       - Fix potential memory corruption due to overlap between the relocated
         lowcore and identity mapping by correctly reserving lowcore memory
      
       - Fix performance regression and avoid randomizing identity mapping
         base by default
      
       - Fix unnecessary delay of AP bus binding complete uevent to prevent
         startup lag in KVM guests using AP
      
      * tag 's390-6.11-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/boot: Fix KASLR base offset off by __START_KERNEL bytes
        s390/boot: Avoid possible physmem_info segment corruption
        s390/ap: Refine AP bus bindings complete processing
        s390/mm: Pin identity mapping base to zero
        s390/mm: Prevent lowcore vs identity mapping overlap
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 891e811a
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "The important core fix is another tweak to our discard discovery
        issues. The off by 512 in logical block count seems bad, but in fact
        the inline was only ever used in debug prints, which is why no-one
        noticed"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: sd: Do not attempt to configure discard unless LBPME is set
        scsi: MAINTAINERS: Add header files to SCSI SUBSYSTEM
        scsi: ufs: qcom: Add UFSHCD_QUIRK_BROKEN_LSDBS_CAP for SM8550 SoC
        scsi: ufs: core: Add a quirk for handling broken LSDBS field in controller capabilities register
        scsi: core: Fix the return value of scsi_logical_block_count()
        scsi: MAINTAINERS: Update HiSilicon SAS controller driver maintainer
  3. 24 Aug, 2024 8 commits
    • Merge tag 'cgroup-for-6.11-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · d2bafcf2
      Linus Torvalds authored
      Pull cgroup fixes from Tejun Heo:
       "Three patches addressing cpuset corner cases"
      
      * tag 'cgroup-for-6.11-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup/cpuset: Eliminate unncessary sched domains rebuilds in hotplug
        cgroup/cpuset: Clear effective_xcpus on cpus_allowed clearing only if cpus.exclusive not set
        cgroup/cpuset: fix panic caused by partcmd_update
    • Merge tag 'wq-for-6.11-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq · cb2c84b3
      Linus Torvalds authored
      Pull workqueue fixes from Tejun Heo:
       "Nothing too interesting. One patch to remove spurious warning and
        others to address static checker warnings"
      
      * tag 'wq-for-6.11-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
        workqueue: Correct declaration of cpu_pwq in struct workqueue_struct
        workqueue: Fix spruious data race in __flush_work()
        workqueue: Remove incorrect "WARN_ON_ONCE(!list_empty(&worker->entry));" from dying worker
        workqueue: Fix UBSAN 'subtraction overflow' error in shift_and_mask()
        workqueue: doc: Fix function name, remove markers
    • Merge tag 'mips-fixes_6.11_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · 5bd6cf00
      Linus Torvalds authored
      Pull MIPS fixes from Thomas Bogendoerfer:
      
       - Set correct timer mode on Loongson64
      
       - Only request r4k clockevent interrupt on one CPU
      
      * tag 'mips-fixes_6.11_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed
        MIPS: Loongson64: Set timer mode in cpu-probe
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · a8a8dcbd
      Linus Torvalds authored
      Pull arm64 kvm fixes from Catalin Marinas:
      
       - Don't drop references on LPIs that weren't visited by the vgic-debug
         iterator
      
       - Cure lock ordering issue when unregistering vgic redistributors
      
       - Fix for misaligned stage-2 mappings when VMs are backed by hugetlb
         pages
      
       - Treat SGI registers as UNDEFINED if a VM hasn't been configured for
         GICv3
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3
        KVM: arm64: Ensure canonical IPA is hugepage-aligned when handling fault
        KVM: arm64: vgic: Don't hold config_lock while unregistering redistributors
        KVM: arm64: vgic-debug: Don't put unmarked LPIs
    • Merge tag 'nfs-for-6.11-2' of git://git.linux-nfs.org/projects/anna/linux-nfs · 60f0560f
      Linus Torvalds authored
      Pull NFS client fixes from Anna Schumaker:
      
       - Fix rpcrdma refcounting in xa_alloc
      
       - Fix rpcrdma usage of XA_FLAGS_ALLOC
      
       - Fix requesting FATTR4_WORD2_OPEN_ARGUMENTS
      
       - Fix attribute bitmap decoder to handle a 3rd word
      
       - Add reschedule points when returning delegations to avoid soft lockups
      
       - Fix clearing layout segments in layoutreturn
      
       - Avoid unnecessary rescanning of the per-server delegation list
      
      * tag 'nfs-for-6.11-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
        NFS: Avoid unnecessary rescanning of the per-server delegation list
        NFSv4: Fix clearing of layout segments in layoutreturn
        NFSv4: Add missing rescheduling points in nfs_client_return_marked_delegations
        nfs: fix bitmap decoder to handle a 3rd word
        nfs: fix the fetch of FATTR4_OPEN_ARGUMENTS
        rpcrdma: Trace connection registration and unregistration
        rpcrdma: Use XA_FLAGS_ALLOC instead of XA_FLAGS_ALLOC1
        rpcrdma: Device kref is over-incremented on error from xa_alloc
    • Merge tag 'v6.11-rc4-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 · 66ace9a8
      Linus Torvalds authored
      Pull smb client fixes from Steve French:
      
       - fix refcount leak (can cause rmmod fail)
      
       - fix byte range locking problem with cached reads
      
       - fix for mount failure if reparse point unrecognized
      
       - minor typo
      
      * tag 'v6.11-rc4-client-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        smb/client: fix typo: GlobalMid_Sem -> GlobalMid_Lock
        smb: client: ignore unhandled reparse tags
        smb3: fix problem unloading module due to leaked refcount on shutdown
        smb3: fix broken cached reads when posix locks
    • Merge tag 'input-for-v6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 7eb61cc6
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
      
       - a tweak to uinput interface to reject requests with an abnormally large
         number of slots. 100 slots/contacts should be enough for real devices
      
       - support for FocalTech FT8201 added to the edt-ft5x06 driver
      
       - tweaks to i8042 to handle more devices that have issues with its
         emulation
      
       - Synaptics touchpad switched to native SMbus/RMI mode on HP Elitebook
         840 G2
      
       - other minor fixes
      
      * tag 'input-for-v6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: himax_hx83112b - fix incorrect size when reading product ID
        Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination
        Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3
        Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table
        Input: uinput - reject requests with unreasonable number of slots
        Input: edt-ft5x06 - add support for FocalTech FT8201
        dt-bindings: input: touchscreen: edt-ft5x06: Document FT8201 support
        Input: adc-joystick - fix optional value handling
        Input: synaptics - enable SMBus for HP Elitebook 840 G2
        Input: ads7846 - ratelimit the spi_sync error message
    • Merge tag 'drm-fixes-2024-08-24' of https://gitlab.freedesktop.org/drm/kernel · 79a899e3
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Weekly fixes. xe and msm are the major groups, with
        amdgpu/i915/nouveau having smaller bits. xe has a bunch of hw
        workaround fixes that were found to be missing, so that is why there
        are a bunch of scattered fixes, and one larger one. But overall size
        doesn't look too out of the ordinary.
      
        msm:
         - virtual plane fixes:
            - drop yuv on hw where not supported
            - csc vs yuv format fix
            - rotation fix
         - fix fb cleanup on close
         - reset phy before link training
         - fix visual corruption at 4K
         - fix NULL ptr crash on hotplug
         - simplify debug macros
         - sc7180 fix
         - adreno firmware name error path fix
      
        amdgpu:
         - GFX10 firmware loading fix
         - SDMA 5.2 fix
         - Debugfs parameter validation fix
         - eGPU hotplug fix
      
        i915:
         - fix HDCP timeouts
      
        nouveau:
         - fix SG_DEBUG crash
      
        xe:
         - Fix OA format masks which were breaking build with gcc-5
         - Fix opregion leak (Lucas)
         - Fix OA sysfs entry (Ashutosh)
         - Fix VM dma-resv lock (Brost)
         - Fix tile fini sequence (Brost)
         - Prevent UAF around preempt fence (Auld)
         - Fix DGFX display suspend/resume (Maarten)
         - Many Xe/Xe2 critical workarounds (Auld, Ngai-Mint, Bommu, Tejas, Daniele)
         - Fix devm/drmm issues (Daniele)
         - Fix missing workqueue destroy in xe_gt_pagefault (Stuart)
         - Drop HW fence pointer to HW fence ctx (Brost)
         - Free job before xe_exec_queue_put (Brost)"
      
      * tag 'drm-fixes-2024-08-24' of https://gitlab.freedesktop.org/drm/kernel: (35 commits)
        drm/xe: Free job before xe_exec_queue_put
        drm/xe: Drop HW fence pointer to HW fence ctx
        drm/xe: Fix missing workqueue destroy in xe_gt_pagefault
        drm/amdgpu: fix eGPU hotplug regression
        drm/amdgpu: Validate TA binary size
        drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1
        drm/amdgpu: fixing rlc firmware loading failure issue
        drm/xe/uc: Use devm to register cleanup that includes exec_queues
        drm/xe: use devm instead of drmm for managed bo
        drm/xe/xe2hpg: Add Wa_14021821874
        drm/xe: fix WA 14018094691
        drm/xe/xe2: Add Wa_15015404425
        drm/xe/xe2: Make subsequent L2 flush sequential
        drm/xe/xe2lpg: Extend workaround 14021402888
        drm/xe/xe2lpm: Extend Wa_16021639441
        drm/xe/bmg: implement Wa_16023588340
        drm/xe/oa/uapi: Make bit masks unsigned
        drm/xe/display: Make display suspend/resume work on discrete
        drm/xe: prevent UAF around preempt fence
        drm/xe: Fix tile fini sequence
        ...
  4. 23 Aug, 2024 10 commits
  5. 22 Aug, 2024 17 commits