1. 03 Sep, 2024 2 commits
      binder: fix UAF caused by offsets overwrite · 4df15365
      Carlos Llamas authored
      Binder objects are processed and copied individually into the target
      buffer during transactions. Any raw data in-between these objects is
      copied as well. However, this raw data copy lacks an out-of-bounds
      check. If the raw data exceeds the data section size then the copy
      overwrites the offsets section. This eventually triggers an error that
      attempts to unwind the processed objects. However, at this point the
      offsets used to index these objects are now corrupted.
      
      Unwinding with corrupted offsets can result in decrements of arbitrary
      nodes and lead to their premature release. Other users of such nodes are
      left with a dangling pointer triggering a use-after-free. This issue is
      made evident by the following KASAN report (trimmed):
      
        ==================================================================
        BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
        Write of size 4 at addr ffff47fc91598f04 by task binder-util/743
      
        CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
        Hardware name: linux,dummy-virt (DT)
        Call trace:
         _raw_spin_lock+0xe4/0x19c
         binder_free_buf+0x128/0x434
         binder_thread_write+0x8a4/0x3260
         binder_ioctl+0x18f0/0x258c
        [...]
      
        Allocated by task 743:
         __kmalloc_cache_noprof+0x110/0x270
         binder_new_node+0x50/0x700
         binder_transaction+0x413c/0x6da8
         binder_thread_write+0x978/0x3260
         binder_ioctl+0x18f0/0x258c
        [...]
      
        Freed by task 745:
         kfree+0xbc/0x208
         binder_thread_read+0x1c5c/0x37d4
         binder_ioctl+0x16d8/0x258c
        [...]
        ==================================================================
      
      To avoid this issue, let's check that the raw data copy is within the
      boundaries of the data section.
      
      Fixes: 6d98eb95 ("binder: avoid potential data leakage when copying txn")
      Cc: Todd Kjos <tkjos@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Carlos Llamas <cmllamas@google.com>
      Link: https://lore.kernel.org/r/20240822182353.2129600-1-cmllamas@google.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
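      The copy-then-validate ordering the commit message describes, modelled as an
      added example (this is not binder's code: the buffer layout, the 8-byte
      "object", the node refcount table and the attacker input are all simplified
      assumptions constructed for the demo). Raw bytes up to the next object are
      copied before that object's offset is validated, so an object offset past
      the data section drags the raw copy over the offsets section; the error that
      follows unwinds through the now attacker-written offsets and drops a
      reference on a node the transaction never touched. The unfixed variant still
      refuses to write past the end of the whole allocation so the demo itself
      stays memory-safe; in the kernel the missing check was against the data
      section, and the offsets section living right after it is what got clobbered.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Toy model of a binder transaction buffer (added example, not the kernel's
 * struct binder_buffer).  As in binder, the offsets section sits directly
 * after the data section, so a raw copy that runs past the data section
 * lands on the offsets. */
#define DATA_SIZE 64
#define NOFFS     4
#define OBJ_SIZE  8   /* an "object" here is just an 8-byte node id */
#define NNODES    8

struct txn_buffer { uint8_t buf[DATA_SIZE + NOFFS * sizeof(uint64_t)]; };

static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* Copy a transaction into b, taking one reference per object in node_refs.
 * 'checked' enables the bound the fix adds: the raw copy up to the next
 * object must stay inside the data section.  On error, objects already
 * processed are unwound using the offsets stored in the target buffer. */
int process_txn(struct txn_buffer *b, int node_refs[NNODES],
                const uint8_t *user_data, size_t user_len,
                const uint64_t *user_offsets, size_t nobjs, int checked)
{
    size_t user_offset = 0, i;
    uint64_t node;

    if (nobjs > NOFFS)
        return -EINVAL;
    /* The offsets section is filled from the caller's array up front. */
    memcpy(b->buf + DATA_SIZE, user_offsets, nobjs * sizeof(uint64_t));

    for (i = 0; i < nobjs; i++) {
        uint64_t object_offset = user_offsets[i];
        size_t copy_size;

        if (object_offset < user_offset ||
            object_offset + OBJ_SIZE > user_len ||      /* copy_from_user would fault */
            object_offset + OBJ_SIZE > sizeof(b->buf))  /* demo-only: keep the model in bounds */
            goto err_unwind;
        copy_size = object_offset - user_offset;

        /* The fix: bound the raw copy by the data section before doing it. */
        if (checked && object_offset + OBJ_SIZE > DATA_SIZE)
            goto err_unwind;
        /* Raw bytes between the previous object and this one go in as-is. */
        memcpy(b->buf + user_offset, user_data + user_offset, copy_size);

        /* Only now is the object itself validated: too late for the copy above. */
        if (object_offset + OBJ_SIZE > DATA_SIZE)
            goto err_unwind;
        node = rd64(user_data + object_offset);
        if (node >= NNODES)
            goto err_unwind;
        node_refs[node]++;
        memcpy(b->buf + object_offset, user_data + object_offset, OBJ_SIZE);
        user_offset = object_offset + OBJ_SIZE;
    }
    return 0;

err_unwind:
    while (i-- > 0) {
        uint64_t off = rd64(b->buf + DATA_SIZE + i * sizeof(uint64_t));
        if (off + OBJ_SIZE > DATA_SIZE)   /* demo-only bound; the kernel had none here */
            continue;
        node = rd64(b->buf + off);
        if (node < NNODES)
            node_refs[node]--;            /* a corrupted off releases an arbitrary node */
    }
    return -EINVAL;
}

/* Constructed attacker input.  Object 0 legitimately references node 1.
 * Object 1 is placed past the data section, so the raw copy in between
 * spills into the offsets section and rewrites offsets[0] to 16, a spot in
 * the data section that encodes the victim node 3. */
int crafted_txn(int checked, int node_refs[NNODES])
{
    struct txn_buffer b;
    uint8_t user_data[128] = {0};
    uint64_t user_offsets[2] = { 0, 88 };

    wr64(user_data + 0, 1);    /* object 0: node 1 */
    wr64(user_data + 16, 3);   /* victim node id, never referenced by an object */
    wr64(user_data + 64, 16);  /* lands on offsets[0] after the overflow */
    memset(&b, 0, sizeof b);
    return process_txn(&b, node_refs, user_data, sizeof user_data,
                       user_offsets, 2, checked);
}

/* Run the crafted transaction against fresh counts (nodes 1 and 3 each held
 * once by another user) and return node's count afterwards. */
int refcount_after(int checked, int node)
{
    int refs[NNODES] = {0};
    refs[1] = refs[3] = 1;
    (void)crafted_txn(checked, refs);
    return refs[node];
}
```

      With the check off, refcount_after(0, 3) comes back 0 (node 3 released from
      under its other user, the UAF in the KASAN report) while node 1 keeps the
      extra reference; with the check on, the unwind reads intact offsets and both
      counts return to 1. The ordering is the lesson: a bound on a copy has to be
      enforced before the copy, not recovered from afterwards.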
      Merge tag 'iio-fixes-for-6.11a' of... · 8cbec539
      Greg Kroah-Hartman authored
      Merge tag 'iio-fixes-for-6.11a' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jic23/iio into char-misc-linus
      
      Jonathan writes:
      
      IIO: 1st set of fixes for 6.11
      
      The usual mixed bag of new issues and ancient ones.
      The fact that so many are ADI is probably due to an uptick in upstreaming
      effort from Analog + Baylibre, meaning existing code is getting more eyes
      on it. Hence it's a good sign, not a reflection of inherent high bug
      incidence!
      
      Core and helper related
      -----------------------
      
      in-kernel interfaces
      - Fix missing application of scale to the integer part of
        IIO_INT_PLUS_XXX value pairs when using the
        iio_convert_raw_to_processed*() helper.
      buffer-dmaengine
      - Make sure to release DMA channel in error path.
      
      Driver related
      --------------
      
      adi,ad-sigma-delta library
      - Check irq-flags for the correct irq if multiple are provided.
      adi,ad7124
      - Wait after reset before reading the chip ID register.
      - Compare only the relevant field when looking for an existing
        config to reuse for a new channel.
      - Fix an off by one in which channel config is being filled from
        firmware.
      adi,ad7173
      - Fix missing vendor prefix in compatible strings.
      - Fix wrong info for GPIO related bit positions for ad4114,ad4115 and ad4116.
      adi,ad7606
      - Drop incorrect check on frstdata when in serial mode, it only applies to
        parallel mode.
      adi,ad9834
      - Check userspace input for frequency parameter to avoid div by zero.
      invensense,mpu6050
      - Avoid reading interrupt status on some older chips as it seems there
        is a hardware problem that surfaces as a result of adding wake on
        motion support to the driver (which these chips don't support).
      ti,ads1119
      - Fix incorrect IRQ flag (new driver so no firmware compatibility regression
        issues with fixing this now).
      
      * tag 'iio-fixes-for-6.11a' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jic23/iio:
        iio: imu: inv_mpu6050: fix interrupt status read for old buggy chips
        iio: adc: ad7173: fix GPIO device info
        iio: adc: ad7124: fix DT configuration parsing
        iio: adc: ad_sigma_delta: fix irq_flags on irq request
        iio: adc: ads1119: Fix IRQ flags
        iio: fix scale application in iio_convert_raw_to_processed_unlocked
        iio: adc: ad7124: fix config comparison
        iio: adc: ad7124: fix chip ID mismatch
        iio: adc: ad7173: Fix incorrect compatible string
        iio: buffer-dmaengine: fix releasing dma channel on error
        iio: adc: ad7606: remove frstdata check for serial mode
        staging: iio: frequency: ad9834: Validate frequency parameter value
  2. 18 Aug, 2024 9 commits
      Linux 6.11-rc4 · 47ac09b9
      Linus Torvalds authored
      Merge tag 'driver-core-6.11-rc4' of... · ccdbf91f
      Linus Torvalds authored
      Merge tag 'driver-core-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
      
      Pull driver core fixes from Greg KH:
       "Here are two driver fixes for regressions from 6.11-rc1 due to the
        driver core change making a structure in a driver core callback const.
      
        These were missed by all testing EXCEPT for what Bart happened to be
        running, so I appreciate the fixes provided here for some
        odd/not-often-used driver subsystems that nothing else happened to
        catch.
      
        Both of these fixes have been in linux-next all week with no reported
        issues"
      
      * tag 'driver-core-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        mips: sgi-ip22: Fix the build
        ARM: riscpc: ecard: Fix the build
      Merge tag 'char-misc-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · e1bc1132
      Linus Torvalds authored
      Pull char / misc fixes from Greg KH:
       "Here are some small char/misc fixes for 6.11-rc4 to resolve reported
        problems. Included in here are:
      
         - fastrpc revert of a change that broke userspace
      
         - xillybus fixes for reported issues
      
        Half of these have been in linux-next this week with no reported
        problems, I don't know if the last bit of xillybus driver changes made
        it in, but they are 'obviously correct' so will be safe :)"
      
      * tag 'char-misc-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        char: xillybus: Check USB endpoints when probing device
        char: xillybus: Refine workqueue handling
        Revert "misc: fastrpc: Restrict untrusted app to attach to privileged PD"
        char: xillybus: Don't destroy workqueue from work item running on it
      Merge tag 'tty-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 394f33f9
      Linus Torvalds authored
      Pull tty / serial fixes from Greg KH:
       "Here are some small tty and serial driver fixes for 6.11-rc4 to
        resolve some reported problems. Included in here are:
      
         - conmakehash.c userspace build issues
      
         - fsl_lpuart driver fix
      
         - 8250_omap revert for reported regression
      
         - atmel_serial rts flag fix
      
        All of these have been in linux-next this week with no reported
        issues"
      
      * tag 'tty-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        Revert "serial: 8250_omap: Set the console genpd always on if no console suspend"
        tty: atmel_serial: use the correct RTS flag.
        tty: vt: conmakehash: remove non-portable code printing comment header
        tty: serial: fsl_lpuart: mark last busy before uart_add_one_port
      Merge tag 'usb-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 3d9061d2
      Linus Torvalds authored
      Pull USB / Thunderbolt driver fixes from Greg KH:
       "Here are some small USB and Thunderbolt driver fixes for 6.11-rc4 to
        resolve some reported issues. Included in here are:
      
         - thunderbolt driver fixes for reported problems
      
         - typec driver fixes
      
         - xhci fixes
      
         - new device id for ljca usb driver
      
        All of these have been in linux-next this week with no reported
        issues"
      
      * tag 'usb-6.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
        usb: misc: ljca: Add Lunar Lake ljca GPIO HID to ljca_gpio_hids[]
        Revert "usb: typec: tcpm: clear pd_event queue in PORT_RESET"
        usb: typec: ucsi: Fix the return value of ucsi_run_command()
        usb: xhci: fix duplicate stall handling in handle_tx_event()
        usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup()
        thunderbolt: Mark XDomain as unplugged when router is removed
        thunderbolt: Fix memory leaks in {port|retimer}_sb_regs_write()
      Merge tag 'for-6.11-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 57b14823
      Linus Torvalds authored
      Pull more btrfs fixes from David Sterba:
       "A few more fixes. We got reports that shrinker added in 6.10 still causes
        latency spikes and the fixes don't handle all corner cases. Due to
        summer holidays we're taking a shortcut to disable it for release
        builds and will fix it in the near future.
      
         - only enable extent map shrinker for DEBUG builds, temporary quick
           fix to avoid latency spikes for regular builds
      
         - update target inode's ctime on unlink, mandated by POSIX
      
         - properly take lock to read/update block group's zoned variables
      
         - add counted_by() annotations"
      
      * tag 'for-6.11-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: only enable extent map shrinker for DEBUG builds
        btrfs: zoned: properly take lock to read/update block group's zoned variables
        btrfs: tree-checker: add dev extent item checks
        btrfs: update target inode's ctime on unlink
        btrfs: send: annotate struct name_cache_entry with __counted_by()
      fuse: Initialize beyond-EOF page contents before setting uptodate · 3c0da3d1
      Jann Horn authored
      fuse_notify_store(), unlike fuse_do_readpage(), does not enable page
      zeroing (because it can be used to change partial page contents).
      
      So fuse_notify_store() must be more careful to fully initialize page
      contents (including parts of the page that are beyond end-of-file)
      before marking the page uptodate.
      
      The current code can leave beyond-EOF page contents uninitialized, which
      makes these uninitialized page contents visible to userspace via mmap().
      
      This is an information leak, but only affects systems which do not
      enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the
      corresponding kernel command line parameter).
      
      Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2574
      Cc: stable@kernel.org
      Fixes: a1d75f25 ("fuse: add store request")
      Signed-off-by: Jann Horn <jannh@google.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
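      The failure mode above, as an added example that is not fs/fuse code: a toy
      page-cache page is filled from an allocator that hands back recycled memory,
      a store notification writes a partial page and marks it uptodate, and an
      mmap() reader then sees whatever sat in the tail. The page size, the 0xA5
      "stale" pattern, the 100-byte file and the function names are all
      assumptions constructed for the demo; the init_on_alloc switch models the
      caveat in the commit message that zeroing at allocation time also hides the
      leak.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy page-cache page (added example, not the kernel's struct page). */
#define PG 4096   /* assumed page size */

struct page {
    uint8_t data[PG];
    int uptodate;
};

/* Stand-in for a page coming back from the allocator.  Without init-on-alloc
 * it still carries whatever its previous owner wrote; 0xA5 is the
 * constructed "stale secret" pattern used by this demo. */
static void page_alloc(struct page *p, int init_on_alloc)
{
    memset(p->data, init_on_alloc ? 0x00 : 0xA5, PG);
    p->uptodate = 0;
}

/* Model of a store notification landing in page p: 'num' bytes from the
 * daemon are written at offset 0 and the page is then marked uptodate.
 * zero_tail selects the fixed behaviour: clear [num, PG) first, because
 * nothing else will, and an uptodate page is mmap-visible in full. */
int notify_store(struct page *p, const uint8_t *src, size_t num, int zero_tail)
{
    if (num > PG)
        return -1;
    memcpy(p->data, src, num);
    if (zero_tail && num < PG)
        memset(p->data + num, 0, PG - num);   /* the part beyond EOF */
    p->uptodate = 1;
    return 0;
}

/* What a reader sees through mmap(): an uptodate page is handed out
 * as-is, including the part beyond EOF.  Counts non-zero bytes from 'from'. */
static size_t mmap_visible_nonzero(const struct page *p, size_t from)
{
    size_t n = 0, i;
    if (!p->uptodate)
        return 0;
    for (i = from; i < PG; i++)
        n += p->data[i] != 0;
    return n;
}

/* Store a 100-byte file into a fresh page and count the bytes past EOF that
 * an mmap() reader can observe as non-zero, i.e. leaked allocator contents. */
size_t leaked_bytes(int zero_tail, int init_on_alloc)
{
    struct page p;
    uint8_t payload[100];
    memset(payload, 'x', sizeof payload);   /* constructed file content */
    page_alloc(&p, init_on_alloc);
    notify_store(&p, payload, sizeof payload, zero_tail);
    return mmap_visible_nonzero(&p, sizeof payload);
}
```

      leaked_bytes(0, 0) returns 3996, the whole tail of the page; either the fix
      (zero_tail) or init-on-alloc brings that to 0. The general rule the commit
      applies: a page may only be marked uptodate once every byte of it has been
      written by someone who meant to, whether that is the data source or an
      explicit zero fill.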
      Merge tag 'mm-hotfixes-stable-2024-08-17-19-34' of... · c3f2d783
      Linus Torvalds authored
      Merge tag 'mm-hotfixes-stable-2024-08-17-19-34' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
      
      Pull misc fixes from Andrew Morton:
       "16 hotfixes. All except one are for MM. 10 of these are cc:stable and
        the others pertain to post-6.10 issues.
      
        As usual with these merges, singletons and doubletons all over the
        place, no identifiable-by-me theme. Please see the lovingly curated
        changelogs to get the skinny"
      
      * tag 'mm-hotfixes-stable-2024-08-17-19-34' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
        mm/migrate: fix deadlock in migrate_pages_batch() on large folios
        alloc_tag: mark pages reserved during CMA activation as not tagged
        alloc_tag: introduce clear_page_tag_ref() helper function
        crash: fix riscv64 crash memory reserve dead loop
        selftests: memfd_secret: don't build memfd_secret test on unsupported arches
        mm: fix endless reclaim on machines with unaccepted memory
        selftests/mm: compaction_test: fix off by one in check_compaction()
        mm/numa: no task_numa_fault() call if PMD is changed
        mm/numa: no task_numa_fault() call if PTE is changed
        mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0
        mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu
        mm: don't account memmap per-node
        mm: add system wide stats items category
        mm: don't account memmap on failure
        mm/hugetlb: fix hugetlb vs. core-mm PT locking
        mseal: fix is_madv_discard()
      Merge tag 'powerpc-6.11-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 810996a3
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - Fix crashes on 85xx with some configs since the recent hugepd rework.
      
       - Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL on some
         platforms.
      
       - Don't enable offline cores when changing SMT modes, to match existing
         userspace behaviour.
      
      Thanks to Christophe Leroy, Dr. David Alan Gilbert, Guenter Roeck, Nysal
      Jan K.A, Shrikanth Hegde, Thomas Gleixner, and Tyrel Datwyler.
      
      * tag 'powerpc-6.11-2' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/topology: Check if a core is online
        cpu/SMT: Enable SMT only if a core is online
        powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL
        powerpc/mm: Fix size of allocated PGDIR
        soc: fsl: qbman: remove unused struct 'cgr_comp'