1. 04 May, 2023 3 commits
    • mailbox: rockchip: drop of_match_ptr for ID table · 7490b8fb
      Krzysztof Kozlowski authored
      The driver can match only via the DT table so the table should be always
      used and the of_match_ptr does not have any sense (this also allows ACPI
      matching via PRP0001, even though it might not be relevant here).
      
        drivers/mailbox/rockchip-mailbox.c:158:34: error: ‘rockchip_mbox_of_match’ defined but not used [-Werror=unused-const-variable=]
      Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
      Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
      7490b8fb
    • mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write() · 2d1e952a
      Lee Jones authored
      If a user can make copy_from_user() fail, there is a potential for
      UAF/DF due to a lack of locking around the allocation, use and freeing
      of the data buffers.
      
      This issue is not theoretical.  I managed to author a POC for it:
      
          BUG: KASAN: double-free in kfree+0x5c/0xac
          Free of addr ffff29280be5de00 by task poc/356
          CPU: 1 PID: 356 Comm: poc Not tainted 6.1.0-00001-g961aa6552c04-dirty #20
          Hardware name: linux,dummy-virt (DT)
          Call trace:
           dump_backtrace.part.0+0xe0/0xf0
           show_stack+0x18/0x40
           dump_stack_lvl+0x64/0x80
           print_report+0x188/0x48c
           kasan_report_invalid_free+0xa0/0xc0
           ____kasan_slab_free+0x174/0x1b0
           __kasan_slab_free+0x18/0x24
           __kmem_cache_free+0x130/0x2e0
           kfree+0x5c/0xac
           mbox_test_message_write+0x208/0x29c
           full_proxy_write+0x90/0xf0
           vfs_write+0x154/0x440
           ksys_write+0xcc/0x180
           __arm64_sys_write+0x44/0x60
           invoke_syscall+0x60/0x190
           el0_svc_common.constprop.0+0x7c/0x160
           do_el0_svc+0x40/0xf0
           el0_svc+0x2c/0x6c
           el0t_64_sync_handler+0xf4/0x120
           el0t_64_sync+0x18c/0x190
      
          Allocated by task 356:
           kasan_save_stack+0x3c/0x70
           kasan_set_track+0x2c/0x40
           kasan_save_alloc_info+0x24/0x34
           __kasan_kmalloc+0xb8/0xc0
           kmalloc_trace+0x58/0x70
           mbox_test_message_write+0x6c/0x29c
           full_proxy_write+0x90/0xf0
           vfs_write+0x154/0x440
           ksys_write+0xcc/0x180
           __arm64_sys_write+0x44/0x60
           invoke_syscall+0x60/0x190
           el0_svc_common.constprop.0+0x7c/0x160
           do_el0_svc+0x40/0xf0
           el0_svc+0x2c/0x6c
           el0t_64_sync_handler+0xf4/0x120
           el0t_64_sync+0x18c/0x190
      
          Freed by task 357:
           kasan_save_stack+0x3c/0x70
           kasan_set_track+0x2c/0x40
           kasan_save_free_info+0x38/0x5c
           ____kasan_slab_free+0x13c/0x1b0
           __kasan_slab_free+0x18/0x24
           __kmem_cache_free+0x130/0x2e0
           kfree+0x5c/0xac
           mbox_test_message_write+0x208/0x29c
           full_proxy_write+0x90/0xf0
           vfs_write+0x154/0x440
           ksys_write+0xcc/0x180
           __arm64_sys_write+0x44/0x60
           invoke_syscall+0x60/0x190
           el0_svc_common.constprop.0+0x7c/0x160
           do_el0_svc+0x40/0xf0
           el0_svc+0x2c/0x6c
           el0t_64_sync_handler+0xf4/0x120
           el0t_64_sync+0x18c/0x190
      Signed-off-by: Lee Jones <lee@kernel.org>
      Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
      2d1e952a
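
A triage sketch for the KASAN report in the commit above, added here as an example (not code from the commit or the kernel tree): it finds the first non-allocator frame in each stack and checks whether different tasks reached the same buffer through the same function. The sample report is the page's trace with each stack shortened, and the noise-frame prefix list is an assumption of this example.

```python
import re

# Constructed sample: the report from the commit message, stacks shortened.
REPORT = """\
BUG: KASAN: double-free in kfree+0x5c/0xac
Free of addr ffff29280be5de00 by task poc/356
Call trace:
 kasan_report_invalid_free+0xa0/0xc0
 kfree+0x5c/0xac
 mbox_test_message_write+0x208/0x29c
 vfs_write+0x154/0x440

Allocated by task 356:
 kasan_save_stack+0x3c/0x70
 kmalloc_trace+0x58/0x70
 mbox_test_message_write+0x6c/0x29c

Freed by task 357:
 kasan_save_stack+0x3c/0x70
 kfree+0x5c/0xac
 mbox_test_message_write+0x208/0x29c
"""

# KASAN, slab and stack-dump frames; the first frame that is none of these is
# the caller that owns the object. Assumption: heuristic list for this example.
NOISE = re.compile(r"_*kasan_|_*kmem_cache_|kmalloc|kzalloc|kfree|dump_|show_stack|print_report")
FRAME = re.compile(r"([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

def triage(report):
    out, section = {"stacks": {}}, None
    for line in map(str.strip, report.splitlines()):
        if m := re.match(r"BUG: KASAN: (\S+) in ", line):
            out["kind"] = m.group(1)
        elif m := re.match(r"\w+ of addr (\w+) by task \S+/(\d+)", line):
            out["addr"], section = m.group(1), ("report", int(m.group(2)))
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = (m.group(1).lower(), int(m.group(2)))
        elif (m := FRAME.match(line)) and section and section[0] not in out["stacks"]:
            if not NOISE.match(m.group(1)):
                out["stacks"][section[0]] = {"pid": section[1], "owner": m.group(1)}
    pids = {s["pid"] for s in out["stacks"].values()}
    owners = {s["owner"] for s in out["stacks"].values()}
    # One entry point in every stack but more than one task: concurrent
    # callers handled the same buffer without serialization.
    out["unserialized_shared_state"] = len(pids) > 1 and len(owners) == 1
    return out
```

A true result points toward missing locking around a shared buffer rather than proving it, since a sequential hand-off between tasks produces the same shape.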
    • mailbox: mailbox-test: Explicitly include header for spinlock support · be884585
      Lee Jones authored
      Presently the support appears to be implied.
      Signed-off-by: Lee Jones <lee@kernel.org>
      Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
      be884585
  2. 18 Apr, 2023 4 commits
  3. 16 Apr, 2023 12 commits
  4. 15 Apr, 2023 6 commits
  5. 14 Apr, 2023 14 commits
  6. 13 Apr, 2023 1 commit
    • Merge tag 'cgroup-for-6.3-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · 44149752
      Linus Torvalds authored
      Pull cgroup fixes from Tejun Heo:
       "This is a relatively big pull request this late in the cycle but the
        major contributor is the cpuset bug which is rather significant:
      
         - Fix several cpuset bugs including one where it wasn't applying the
           target cgroup when tasks are created with CLONE_INTO_CGROUP
      
        With a few smaller fixes:
      
         - Fix inversed locking order in cgroup1 freezer implementation
      
         - Fix garbage cpu.stat::core_sched.forceidle_usec reporting in the
           root cgroup"
      
      * tag 'cgroup-for-6.3-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup/cpuset: Make cpuset_attach_task() skip subpartitions CPUs for top_cpuset
        cgroup/cpuset: Add cpuset_can_fork() and cpuset_cancel_fork() methods
        cgroup/cpuset: Make cpuset_fork() handle CLONE_INTO_CGROUP properly
        cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach()
        cgroup,freezer: hold cpu_hotplug_lock before freezer_mutex
        cgroup/cpuset: Fix partition root's cpuset.cpus update bug
        cgroup: fix display of forceidle time at root
      44149752