1. 12 Nov, 2020 8 commits
  2. 11 Nov, 2020 1 commit
  3. 10 Nov, 2020 12 commits
  4. 09 Nov, 2020 13 commits
  5. 08 Nov, 2020 6 commits
    • Dan Carpenter's avatar
      net/sunrpc: fix useless comparison in proc_do_xprt() · ae297504
      Dan Carpenter authored
      In the original code, the "if (*lenp < 0)" check didn't work because
      "*lenp" is unsigned.  Fortunately, the memory_read_from_buffer() call
      will never fail in this context so it doesn't affect runtime.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      ae297504
    • Linus Torvalds's avatar
      Merge tag 'driver-core-5.10-rc3' of... · 15f5d201
      Linus Torvalds authored
      Merge tag 'driver-core-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
      
      Pull driver core documentation fixes from Greg KH:
       "Some small Documentation fixes that were fallout from the larger
        documentation update we did in 5.10-rc2.
      
        Nothing major here at all, but all of these have been in linux-next
        and resolve build warnings when building the documentation files"
      
      * tag 'driver-core-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        Documentation: remove mic/index from misc-devices/index.rst
        scripts: get_api.pl: Add sub-titles to ABI output
        scripts: get_abi.pl: Don't let ABI files to create subtitles
        docs: leds: index.rst: add a missing file
        docs: ABI: sysfs-class-net: fix a typo
        docs: ABI: sysfs-driver-dma-ioatdma: what starts with /sys
      15f5d201
    • Linus Torvalds's avatar
      Merge tag 'tty-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · bbc82184
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are a small number of small tty and serial fixes for some
        reported problems for the tty core, vt code, and some serial drivers.
      
        They include fixes for:
      
         - a buggy and obsolete vt font ioctl removal
      
         - 8250_mtk serial baudrate runtime warnings
      
         - imx serial earlycon build configuration fix
      
         - txx9 serial driver error path cleanup issues
      
         - tty core fix in release_tty that can be triggered by trying to bind
           an invalid serial port name to a speakup console device
      
        Almost all of these have been in linux-next without any problems, the
        only one that hasn't, just deletes code :)"
      
      * tag 'tty-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        vt: Disable KD_FONT_OP_COPY
        tty: fix crash in release_tty if tty->port is not set
        serial: txx9: add missing platform_driver_unregister() on error in serial_txx9_init
        tty: serial: imx: enable earlycon by default if IMX_SERIAL_CONSOLE is enabled
        serial: 8250_mtk: Fix uart_get_baud_rate warning
      bbc82184
    • Linus Torvalds's avatar
      Merge tag 'usb-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · df53b815
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some small USB fixes and new device ids:
      
         - USB gadget fixes for some reported issues
      
         - Fixes for the ever-troublesome apple fastcharge driver, hopefully
           we finally have it right.
      
         - More USB core quirks for odd devices
      
         - USB serial driver fixes for some long-standing issues that were
           recently found
      
         - some new USB serial driver device ids
      
        All have been in linux-next with no reported issues"
      
      * tag 'usb-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: apple-mfi-fastcharge: fix reference leak in apple_mfi_fc_set_property
        usb: mtu3: fix panic in mtu3_gadget_stop()
        USB: serial: option: add Telit FN980 composition 0x1055
        USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231
        USB: serial: cyberjack: fix write-URB completion race
        USB: Add NO_LPM quirk for Kingston flash drive
        USB: serial: option: add Quectel EC200T module support
        usb: raw-gadget: fix memory leak in gadget_setup
        usb: dwc2: Avoid leaving the error_debugfs label unused
        usb: dwc3: ep0: Fix delay status handling
        usb: gadget: fsl: fix null pointer checking
        usb: gadget: goku_udc: fix potential crashes in probe
        usb: dwc3: pci: add support for the Intel Alder Lake-S
      df53b815
    • Eddy Wu's avatar
      fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent · b4e00444
      Eddy Wu authored
      current->group_leader->exit_signal may change during copy_process() if
      current->real_parent exits.
      
      Move the assignment inside tasklist_lock to avoid the race.
      Signed-off-by: default avatarEddy Wu <eddy_wu@trendmicro.com>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b4e00444
    • Daniel Vetter's avatar
      vt: Disable KD_FONT_OP_COPY · 3c4e0dff
      Daniel Vetter authored
      It's buggy:
      
      On Fri, Nov 06, 2020 at 10:30:08PM +0800, Minh Yuan wrote:
      > We recently discovered a slab-out-of-bounds read in fbcon in the latest
      > kernel ( v5.10-rc2 for now ).  The root cause of this vulnerability is that
      > "fbcon_do_set_font" did not handle "vc->vc_font.data" and
      > "vc->vc_font.height" correctly, and the patch
      > <https://lkml.org/lkml/2020/9/27/223> for VT_RESIZEX can't handle this
      > issue.
      >
      > Specifically, we use KD_FONT_OP_SET to set a small font.data for tty6, and
      > use  KD_FONT_OP_SET again to set a large font.height for tty1. After that,
      > we use KD_FONT_OP_COPY to assign tty6's vc_font.data to tty1's vc_font.data
      > in "fbcon_do_set_font", while tty1 retains the original larger
      > height. Obviously, this will cause an out-of-bounds read, because we can
      > access a smaller vc_font.data with a larger vc_font.height.
      
      Further there was only one user ever.
      - Android's loadfont, busybox and console-tools only ever use OP_GET
        and OP_SET
      - fbset documentation only mentions the kernel cmdline font: option,
        not anything else.
      - systemd used OP_COPY before release 232 published in Nov 2016
      
      Now unfortunately the crucial report seems to have gone down with
      gmane, and the commit message doesn't say much. But the pull request
      hints at OP_COPY being broken
      
      https://github.com/systemd/systemd/pull/3651
      
      So in other words, this never worked, and the only project which
      foolishly every tried to use it, realized that rather quickly too.
      
      Instead of trying to fix security issues here on dead code by adding
      missing checks, fix the entire thing by removing the functionality.
      
      Note that systemd code using the OP_COPY function ignored the return
      value, so it doesn't matter what we're doing here really - just in
      case a lone server somewhere happens to be extremely unlucky and
      running an affected old version of systemd. The relevant code from
      font_copy_to_all_vcs() in systemd was:
      
      	/* copy font from active VT, where the font was uploaded to */
      	cfo.op = KD_FONT_OP_COPY;
      	cfo.height = vcs.v_active-1; /* tty1 == index 0 */
      	(void) ioctl(vcfd, KDFONTOP, &cfo);
      
      Note this just disables the ioctl, garbage collecting the now unused
      callbacks is left for -next.
      
      v2: Tetsuo found the old mail, which allowed me to find it on another
      archive. Add the link too.
      Acked-by: default avatarPeilin Ye <yepeilin.cs@gmail.com>
      Reported-by: default avatarMinh Yuan <yuanmingbuaa@gmail.com>
      References: https://lists.freedesktop.org/archives/systemd-devel/2016-June/036935.html
      References: https://github.com/systemd/systemd/pull/3651
      Cc: Greg KH <greg@kroah.com>
      Cc: Peilin Ye <yepeilin.cs@gmail.com>
      Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@intel.com>
      Link: https://lore.kernel.org/r/20201108153806.3140315-1-daniel.vetter@ffwll.chSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3c4e0dff