1. 23 Jun, 2024 3 commits
  2. 16 Jun, 2024 1 commit
    • KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() · a986fa57
      Michael Ellerman authored
      Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().
      
      It looks up `stt` from tablefd, but then continues to use it after doing
      fdput() on the returned fd. After the fdput() the tablefd is free to be
      closed by another thread. The close calls kvm_spapr_tce_release() and
      then release_spapr_tce_table() (via call_rcu()) which frees `stt`.
      
      Although there are calls to rcu_read_lock() in
      kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent
      the UAF, because `stt` is used outside the locked regions.
      
      With an artificial delay after the fdput() and a userspace program which
      triggers the race, KASAN detects the UAF:
      
        BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
        Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505
        CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1
        Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV
        Call Trace:
          dump_stack_lvl+0xb4/0x108 (unreliable)
          print_report+0x2b4/0x6ec
          kasan_report+0x118/0x2b0
          __asan_load4+0xb8/0xd0
          kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
          kvm_vfio_set_attr+0x524/0xac0 [kvm]
          kvm_device_ioctl+0x144/0x240 [kvm]
          sys_ioctl+0x62c/0x1810
          system_call_exception+0x190/0x440
          system_call_vectored_common+0x15c/0x2ec
        ...
        Freed by task 0:
         ...
         kfree+0xec/0x3e0
         release_spapr_tce_table+0xd4/0x11c [kvm]
         rcu_core+0x568/0x16a0
         handle_softirqs+0x23c/0x920
         do_softirq_own_stack+0x6c/0x90
         do_softirq_own_stack+0x58/0x90
         __irq_exit_rcu+0x218/0x2d0
         irq_exit+0x30/0x80
         arch_local_irq_restore+0x128/0x230
         arch_local_irq_enable+0x1c/0x30
         cpuidle_enter_state+0x134/0x5cc
         cpuidle_enter+0x6c/0xb0
         call_cpuidle+0x7c/0x100
         do_idle+0x394/0x410
         cpu_startup_entry+0x60/0x70
         start_secondary+0x3fc/0x410
         start_secondary_prolog+0x10/0x14
      
      Fix it by delaying the fdput() until `stt` is no longer in use, which
      is effectively the entire function. To keep the patch minimal add a call
      to fdput() at each of the existing return paths. Future work can convert
      the function to goto or __cleanup style cleanup.
      
      With the fix in place the test case no longer triggers the UAF.
      Reported-by: Al Viro <viro@zeniv.linux.org.uk>
      Closes: https://lore.kernel.org/all/20240610024437.GA1464458@ZenIV/
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Link: https://msgid.link/20240614122910.3499489-1-mpe@ellerman.id.au
  3. 04 Jun, 2024 1 commit
  4. 02 Jun, 2024 8 commits
  5. 01 Jun, 2024 6 commits
  6. 31 May, 2024 21 commits
    • Merge tag 'drm-fixes-2024-06-01' of https://gitlab.freedesktop.org/drm/kernel · cc8ed4d0
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "This is the weekly fixes. Lots of small fixes across the board, one
        BUG_ON fix in shmem seems most important, otherwise amdgpu, i915, xe
        mostly with small fixes to all the other drivers.
      
        shmem:
         - fix BUG_ON in COW handling
         - warn when trying to pin imported objects
      
        buddy:
         - fix page size handling
      
        dma-buf:
         - sw-sync: Don't interfere with IRQ handling
         - fix kthreads-handling error path
      
        i915:
         - fix a race in audio component by registering it later
         - make DPT object unshrinkable to avoid shrinking when framebuffer
           has not shrunk
         - fix CCS id calculation to fix a perf regression
         - fix selftest caching mode
         - fix FIELD_PREP compiler warnings
         - fix indefinite wait for GT wakeref release
         - revert overeager multi-gt pm reference removal
      
        xe:
         - pcode polling timeout change
         - fix for deadlocks for faulting VMs
         - error-path lock imbalance fix
      
        amdgpu:
         - RAS fix
         - fix colorspace property for MST connectors
         - fix for PCIe DPM
         - silence UBSAN warning
         - GPUVM robustness fix
         - partition fix
         - drop deprecated I2C_CLASS_SPD
      
        amdkfd:
         - revert unused changes for certain 11.0.3 devices
         - simplify APU VRAM handling
      
        lima:
         - fix dma_resv-related deadlock in object pin
      
        msm:
         - remove build-time dependency on Python 3.9
      
        nouveau:
         - nvif: Fix possible integer overflow
      
        panel:
         - lg-sw43408: Select DP helpers; Declare backlight ops as static
         - sitronix-st7789v: Various fixes for jt240mhqs_hwt_ek_e3 panel
      
        panfrost:
         - fix dma_resv-related deadlock in object pin"
      
      * tag 'drm-fixes-2024-06-01' of https://gitlab.freedesktop.org/drm/kernel: (35 commits)
        drm/msm: remove python 3.9 dependency for compiling msm
        drm/panel: sitronix-st7789v: fix display size for jt240mhqs_hwt_ek_e3 panel
        drm/panel: sitronix-st7789v: tweak timing for jt240mhqs_hwt_ek_e3 panel
        drm/panel: sitronix-st7789v: fix timing for jt240mhqs_hwt_ek_e3 panel
        drm/amd/pm: remove deprecated I2C_CLASS_SPD support from newly added SMU_14_0_2
        drm/amdgpu: Make CPX mode auto default in NPS4
        drm/amdkfd: simplify APU VRAM handling
        Revert "drm/amdkfd: fix gfx_target_version for certain 11.0.3 devices"
        drm/amdgpu: fix dereference null return value for the function amdgpu_vm_pt_parent
        drm/amdgpu: silence UBSAN warning
        drm/amdgpu: Adjust logic in amdgpu_device_partner_bandwidth()
        drm/i915: Fix audio component initialization
        drm/i915/dpt: Make DPT object unshrinkable
        drm/i915/gt: Fix CCS id's calculation for CCS mode setting
        drm/panel/lg-sw43408: mark sw43408_backlight_ops as static
        drm/i915/selftests: Set always_coherent to false when reading from CPU
        drm/panel/lg-sw43408: select CONFIG_DRM_DISPLAY_DP_HELPER
        drm/i915/guc: avoid FIELD_PREP warning
        drm/i915/gt: Disarm breadcrumbs if engines are already idle
        Revert "drm/i915: Remove extra multi-gt pm-references"
        ...
    • Merge tag 'hwmon-for-v6.10-rc2' of... · 1b907b83
      Linus Torvalds authored
      Merge tag 'hwmon-for-v6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon fixes from Guenter Roeck:
      
       - sttcs: Fix property spelling
      
       - intel-m10-bmc-hwmon: Fix multiplier for N6000 board power sensor
      
       - ltc2992: Fix memory leak
      
       - dell-smm: Add Dell G15 5511 to fan control whitelist
      
      * tag 'hwmon-for-v6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
        hwmon: (shtc1) Fix property misspelling
        hwmon: (intel-m10-bmc-hwmon) Fix multiplier for N6000 board power sensor
        hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt()
        hwmon: (dell-smm) Add Dell G15 5511 to fan control whitelist
    • Merge tag 'mailbox-fixes-v6.10-rc1' of... · b7087cb3
      Linus Torvalds authored
      Merge tag 'mailbox-fixes-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jassibrar/mailbox
      
      Pull mailbox fix from Jassi Brar:
      
       - zynqmp-ipi: fix linker error on some configurations
      
      * tag 'mailbox-fixes-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jassibrar/mailbox:
        mailbox: zynqmp-ipi: drop irq_to_desc() call
    • Merge tag 'spi-fix-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · d5931dd0
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A series of fixes that came in since the merge window, the main thing
        being the fixes Andy did for DMA sync where we were calling into the
        DMA API in surprising ways and causing issues as a result, the main
        thing being confusing the IOMMU code.
      
        We've also got some fairly important fixes for the stm32 driver, it
        supports a wide range of hardware and some optimisations that were
        done recently have broken on some systems, and a fix to prevent
        glitched signals on the bus in the cadence driver"
      
      * tag 'spi-fix-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: stm32: Don't warn about spurious interrupts
        spi: Assign dummy scatterlist to unidirectional transfers
        spi: cadence: Ensure data lines set to low during dummy-cycle period
        spi: stm32: Revert change that enabled controller before asserting CS
        spi: Check if transfer is mapped before calling DMA sync APIs
        spi: Don't mark message DMA mapped when no transfer in it is
    • Merge tag 'regulator-fix-v6.10-rc1' of... · 28add42d
      Linus Torvalds authored
      Merge tag 'regulator-fix-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
      
      Pull regulator fix from Mark Brown:
       "One fix that came in since -rc1, fixing misuse of a local variable in
        the DT parsing code in the RTQ2208 driver"
      
      * tag 'regulator-fix-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: rtq2208: Fix invalid memory access when devm_of_regulator_put_matches is called
    • Merge tag 'regmap-fix-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap · b7c05622
      Linus Torvalds authored
      Pull regmap fix from Mark Brown:
       "The I2C bus was not taking account of the register and any padding
        bytes when handling maximum write sizes supported by an I2C adaptor,
        this patch from Jim Wylder fixes that"
      
      * tag 'regmap-fix-v6.10-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap:
        regmap-i2c: Subtract reg size from max_write
    • Merge tag 'block-6.10-20240530' of git://git.kernel.dk/linux · 0f9a7517
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe fixes via Keith:
            - Removing unused fields (Kanchan)
            - Large folio offsets support (Kundan)
            - Multipath NUMA node initialization fix (Nilay)
            - Multipath IO stats accounting fixes (Keith)
            - Circular lockdep fix (Keith)
            - Target race condition fix (Sagi)
            - Target memory leak fix (Sagi)
      
       - bcache fixes
      
       - null_blk fixes (Damien)
      
       - Fix regression in io.max due to throttle low removal (Waiman)
      
       - DM limit table fixes (Christoph)
      
       - SCSI and block limit fixes (Christoph)
      
       - zone fixes (Damien)
      
       - Misc fixes (Christoph, Hannes, hexue)
      
      * tag 'block-6.10-20240530' of git://git.kernel.dk/linux: (25 commits)
        blk-throttle: Fix incorrect display of io.max
        block: Fix zone write plugging handling of devices with a runt zone
        block: Fix validation of zoned device with a runt zone
        null_blk: Do not allow runt zone with zone capacity smaller then zone size
        nvmet: fix a possible leak when destroy a ctrl during qp establishment
        nvme: use srcu for iterating namespace list
        bcache: code cleanup in __bch_bucket_alloc_set()
        bcache: call force_wake_up_gc() if necessary in check_should_bypass()
        bcache: allow allocator to invalidate bucket in gc
        block: check for max_hw_sectors underflow
        block: stack max_user_sectors
        sd: also set max_user_sectors when setting max_sectors
        null_blk: Print correct max open zones limit in null_init_zoned_dev()
        block: delete redundant function declaration
        null_blk: Fix return value of nullb_device_power_store()
        dm: make dm_set_zones_restrictions work on the queue limits
        dm: remove dm_check_zoned
        dm: move setting zoned_enabled to dm_table_set_restrictions
        block: remove blk_queue_max_integrity_segments
        nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset
        ...
    • Merge tag 'io_uring-6.10-20240530' of git://git.kernel.dk/linux · 6d541d66
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "A couple of minor fixes for issues introduced in the 6.10 merge window:
      
         - Ensure that all read/write ops have an appropriate cleanup handler
           set (Breno)
      
         - Regression for applications still doing multiple mmaps even if
           FEAT_SINGLE_MMAP is set (me)
      
         - Move kmsg inquiry setting above any potential failure point,
           avoiding a spurious NONEMPTY flag setting on early error (me)"
      
      * tag 'io_uring-6.10-20240530' of git://git.kernel.dk/linux:
        io_uring/net: assign kmsg inq/flags before buffer selection
        io_uring/rw: Free iovec before cleaning async data
        io_uring: don't attempt to mmap larger than what the user asks for
    • kunit/fortify: Remove __kmalloc_node() test · 99a6087d
      Kees Cook authored
      __kmalloc_node() is considered an "internal" function to the Slab, so
      drop it from explicit testing.
      
      Link: https://lore.kernel.org/r/20240531185703.work.588-kees@kernel.org
      Signed-off-by: Kees Cook <kees@kernel.org>
    • Merge tag 'dma-mapping-6.10-2024-05-31' of git://git.infradead.org/users/hch/dma-mapping · b0504965
      Linus Torvalds authored
      Pull dma-mapping fixes from Christoph Hellwig:
      
       - dma-mapping benchmark error handling fixes (Fedor Pchelkin)
      
       - correct a config symbol reference in the DMA API documentation (Lukas
         Bulwahn)
      
      * tag 'dma-mapping-6.10-2024-05-31' of git://git.infradead.org/users/hch/dma-mapping:
        Documentation/core-api: correct reference to SWIOTLB_DYNAMIC
        dma-mapping: benchmark: handle NUMA_NO_NODE correctly
        dma-mapping: benchmark: fix node id validation
        dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails
        dma-mapping: benchmark: fix up kthread-related error handling
    • Merge tag 'sound-6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 7d88cc8e
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Lots of small fixes:
      
         - A race fix for debugfs handling in ALSA core
      
         - A series of corrections for MIDI2 core format conversions
      
         - ASoC Intel fixes for 16 bit DMIC config
      
         - Updates for missing module parameters in ASoC code
      
         - HD-audio quirk, Cirrus codec fix, etc minor fixes"
      
      * tag 'sound-6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (26 commits)
        ALSA: seq: ump: Fix swapped song position pointer data
        ASoC: SOF: ipc4-topology: Adjust the params based on DAI formats
        ASoC: SOF: ipc4-topology: Improve readability of sof_ipc4_prepare_dai_copier()
        ASoC: SOF: ipc4-topology/pcm: Rename sof_ipc4_copier_is_single_format()
        ASoC: SOF: ipc4-topology: Print out the channel count in sof_ipc4_dbg_audio_format
        ASoC: SOF: ipc4-topology: Add support for NHLT with 16-bit only DMIC blob
        ALSA: seq: Fix yet another spot for system message conversion
        ALSA: ump: Set default protocol when not given explicitly
        ALSA: ump: Don't accept an invalid UMP protocol number
        ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension
        ASoC: Intel: sof-sdw: fix missing SPI_MASTER dependency
        ALSA: pcm: fix typo in comment
        ALSA: ump: Don't clear bank selection after sending a program change
        ALSA: seq: Fix incorrect UMP type for system messages
        ALSA/hda: intel-dsp-config: reduce log verbosity
        ALSA: seq: Don't clear bank selection at event -> UMP MIDI2 conversion
        ALSA: seq: Fix missing bank setup between MIDI1/MIDI2 UMP conversion
        ASoC: SOF: add missing MODULE_DESCRIPTION()
        ASoC: SOF: reorder MODULE_ definitions
        ASoC: SOF: AMD: group all module related information
        ...
    • Merge tag 'platform-drivers-x86-v6.10-2' of... · 87895a64
      Linus Torvalds authored
      Merge tag 'platform-drivers-x86-v6.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86
      
      Pull x86 platform driver fixes from Hans de Goede:
      
       - a use-after-free bugfix
      
       - Kconfig fixes for randconfig builds
      
       - allow setting touchscreen_dmi quirks from the cmdline for debugging
      
       - touchscreen_dmi quirks for two new laptop/tablet models
      
      * tag 'platform-drivers-x86-v6.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86:
        platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro
        platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6" tablet
        platform/x86: touchscreen_dmi: Add support for setting touchscreen properties from cmdline
        platform/x86: thinkpad_acpi: Select INPUT_SPARSEKMAP in Kconfig
        platform/x86: x86-android-tablets: Add "select LEDS_CLASS"
        platform/x86: ISST: fix use-after-free in tpmi_sst_dev_remove()
    • Merge tag 'riscv-for-linus-6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · c6cc9799
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
      
       - A fix to avoid pt_regs aliasing with idle thread stacks on secondary
         harts.
      
       - HAVE_ARCH_HUGE_VMAP is enabled on XIP kernels, which fixes boot
         issues on XIP systems with huge pages.
      
       - An update to the uABI documentation clarifying that only scalar
         misaligned accesses were grandfathered in as supported, as the vector
         extension did not exist at the time the uABI was frozen.
      
       - A fix for the recently-added byte/half atomics to avoid losing the
         fully ordered decorations.
      
      * tag 'riscv-for-linus-6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: Fix fully ordered LR/SC xchg[8|16]() implementations
        Documentation: RISC-V: uabi: Only scalar misaligned loads are supported
        riscv: enable HAVE_ARCH_HUGE_VMAP for XIP kernel
        riscv: prevent pt_regs corruption for secondary idle threads
    • Merge tag 'bcachefs-2024-05-30' of https://evilpiepirate.org/git/bcachefs · ff9bce3d
      Linus Torvalds authored
      Pull bcachefs fixes from Kent Overstreet:
       "Assorted odds and ends...
      
         - two downgrade fixes
      
         - a couple snapshot deletion and repair fixes, thanks to noradtux for
           finding these and providing the image to debug them
      
         - a couple assert fixes
      
         - convert to folio helper, from Matthew
      
         - some improved error messages
      
         - bit of code reorganization (just moving things around); doing this
           while things are quiet so I'm not rebasing fixes past reorgs
      
         - don't return -EROFS on inconsistency error in recovery, this
           confuses util-linux and has it retry the mount
      
         - fix failure to return error on misaligned dio write; reported as an
           issue with coreutils shred"
      
      * tag 'bcachefs-2024-05-30' of https://evilpiepirate.org/git/bcachefs: (21 commits)
        bcachefs: Fix failure to return error on misaligned dio write
        bcachefs: Don't return -EROFS from mount on inconsistency error
        bcachefs: Fix uninitialized var warning
        bcachefs: Split out sb-errors_format.h
        bcachefs: Split out journal_seq_blacklist_format.h
        bcachefs: Split out replicas_format.h
        bcachefs: Split out disk_groups_format.h
        bcachefs: split out sb-downgrade_format.h
        bcachefs: split out sb-members_format.h
        bcachefs: Better fsck error message for key version
        bcachefs: btree_gc can now handle unknown btrees
        bcachefs: add missing MODULE_DESCRIPTION()
        bcachefs: Fix setting of downgrade recovery passes/errors
        bcachefs: Run check_key_has_snapshot in snapshot_delete_keys()
        bcachefs: Refactor delete_dead_snapshots()
        bcachefs: Fix locking assert
        bcachefs: Fix lookup_first_inode() when inode_generations are present
        bcachefs: Plumb bkey into __btree_err()
        bcachefs: Use copy_folio_from_iter_atomic()
        bcachefs: Fix sb-downgrade validation
        ...
    • x86/topology/intel: Unlock CPUID before evaluating anything · 0c2f6d04
      Thomas Gleixner authored
      Intel CPUs have a MSR bit to limit CPUID enumeration to leaf two. If
      this bit is set by the BIOS then CPUID evaluation including topology
      enumeration does not work correctly as the evaluation code does not try
      to analyze any leaf greater than two.
      
      This went unnoticed before because the original topology code just
      repeated evaluation several times and managed to overwrite the initial
      limited information with the correct one later. The new evaluation code
      does it once and therefore ends up with the limited and wrong
      information.
      
      Cure this by unlocking CPUID right before evaluating anything which
      depends on the maximum CPUID leaf being greater than two instead of
      rereading stuff after unlock.
      
      Fixes: 22d63660 ("x86/cpu: Use common topology code for Intel")
      Reported-by: Peter Schneider <pschneider1968@googlemail.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
      Tested-by: Peter Schneider <pschneider1968@googlemail.com>
      Cc: <stable@kernel.org>
      Link: https://lore.kernel.org/r/fd3f73dc-a86f-4bcf-9c60-43556a21eb42@googlemail.com
    • mailbox: zynqmp-ipi: drop irq_to_desc() call · d551ce15
      Arnd Bergmann authored
      irq_to_desc() is not exported to loadable modules, so this driver now
      fails to link in some configurations:
      
      ERROR: modpost: "irq_to_desc" [drivers/mailbox/zynqmp-ipi-mailbox.ko] undefined!
      
      I can't see a purpose for this call, since the return value is unused
      and probably left over from some code refactoring.
      
      Address the link failure by just removing the line.
      
      Fixes: 6ffb1635 ("mailbox: zynqmp: handle SGI for shared IPI")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Tested-by: Tanmay Shah <tanmay.shah@amd.com>
      Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
    • mailmap: update entry for Kees Cook · 4e173c82
      Kees Cook authored
      I'm tired of gmail breaking DKIM. Switch everything over to my
      @kernel.org alias instead.
      Signed-off-by: Kees Cook <kees@kernel.org>
    • scsi: mpt3sas: Avoid possible run-time warning with long manufacturer strings · adb77bba
      Kees Cook authored
      The prior strscpy() replacement of strncpy() here expected the
      manufacture_reply strings to be NUL-terminated, but it is possible
      they are not, as the code pattern here shows, e.g., edev->vendor_id
      being exactly 1 character larger than manufacture_reply->vendor_id,
      and the replaced strncpy() was copying only up to the size of the
      source character array. Replace this with memtostr(), which is the
      unambiguous way to convert a maybe not-NUL-terminated character array
      into a NUL-terminated string.
      
      Fixes: b7e9712a ("scsi: mpt3sas: Replace deprecated strncpy() with strscpy()")
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Tested-by: Marco Patalano <mpatalan@redhat.com>
      Reviewed-by: Ewan D. Milne <emilne@redhat.com>
      Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
      Link: https://lore.kernel.org/r/20240410023155.2100422-3-keescook@chromium.org
      Signed-off-by: Kees Cook <kees@kernel.org>
    • cifs: fix creating sockets when using sfu mount options · 518549c1
      Steve French authored
      When running fstest generic/423 with sfu mount option, it
      was being skipped due to inability to create sockets:
      
        generic/423  [not run] cifs does not support mknod/mkfifo
      
      which can also be easily reproduced with their af_unix tool:
      
        ./src/af_unix /mnt1/socket-two bind: Operation not permitted
      
      Fix sfu mount option to allow creating and reporting sockets.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • selftests/landlock: Add layout1.refer_mount_root · 0055f53a
      Mickaël Salaün authored
      Add tests to check error codes when linking or renaming a mount root
      directory.  This previously triggered a kernel warning, but it is fixed
      with the previous commit.
      
      Cc: Günther Noack <gnoack@google.com>
      Cc: Paul Moore <paul@paul-moore.com>
      Link: https://lore.kernel.org/r/20240516181935.1645983-3-mic@digikod.net
      Signed-off-by: Mickaël Salaün <mic@digikod.net>
    • landlock: Fix d_parent walk · 88da52cc
      Mickaël Salaün authored
      The WARN_ON_ONCE() in collect_domain_accesses() can be triggered when
      trying to link a root mount point.  This cannot work in practice because
      this directory is mounted, but the VFS check is done after the call to
      security_path_link().
      
      Do not use source directory's d_parent when the source directory is the
      mount point.
      
      Cc: Günther Noack <gnoack@google.com>
      Cc: Paul Moore <paul@paul-moore.com>
      Cc: stable@vger.kernel.org
      Reported-by: syzbot+bf4903dc7e12b18ebc87@syzkaller.appspotmail.com
      Fixes: b91c3e4e ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER")
      Closes: https://lore.kernel.org/r/000000000000553d3f0618198200@google.com
      Link: https://lore.kernel.org/r/20240516181935.1645983-2-mic@digikod.net
      [mic: Fix commit message]
      Signed-off-by: Mickaël Salaün <mic@digikod.net>