* [PATCH AUTOSEL 4.19 02/11] batman-adv: Return directly after a failed batadv_dat_select_candidates() in batadv_dat_forward_data()
2024-03-29 12:35 [PATCH AUTOSEL 4.19 01/11] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Sasha Levin
@ 2024-03-29 12:35 ` Sasha Levin
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 03/11] VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() Sasha Levin
` (8 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2024-03-29 12:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Markus Elfring, Sven Eckelmann, Simon Wunderlich, Sasha Levin,
mareklindner, a, davem, edumazet, kuba, pabeni, b.a.t.m.a.n,
netdev
From: Markus Elfring <elfring@users.sourceforge.net>
[ Upstream commit ffc15626c861f811f9778914be004fcf43810a91 ]
The kfree() function was called in one case by
the batadv_dat_forward_data() function during error handling
even if the passed variable contained a null pointer.
This issue was detected by using the Coccinelle software.
* Thus return directly after a batadv_dat_select_candidates() call failed
at the beginning.
* Delete the label “out” which became unnecessary with this refactoring.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Acked-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/distributed-arp-table.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
index af380dc877e31..6930d414138e1 100644
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -648,7 +648,7 @@ static bool batadv_dat_send_data(struct batadv_priv *bat_priv,
cand = batadv_dat_select_candidates(bat_priv, ip, vid);
if (!cand)
- goto out;
+ return ret;
batadv_dbg(BATADV_DBG_DAT, bat_priv, "DHT_SEND for %pI4\n", &ip);
@@ -692,7 +692,6 @@ static bool batadv_dat_send_data(struct batadv_priv *bat_priv,
batadv_orig_node_put(cand[i].orig_node);
}
-out:
kfree(cand);
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.19 03/11] VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
2024-03-29 12:35 [PATCH AUTOSEL 4.19 01/11] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Sasha Levin
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 02/11] batman-adv: Return directly after a failed batadv_dat_select_candidates() in batadv_dat_forward_data() Sasha Levin
@ 2024-03-29 12:35 ` Sasha Levin
2024-03-29 12:35 ` Sasha Levin
` (7 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2024-03-29 12:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Harshit Mogalapalli, syzkaller, Vegard Nossum,
Gustavo A . R . Silva, Kees Cook, Dan Carpenter, Sasha Levin,
bryantan, vdasa, gregkh
From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
[ Upstream commit 19b070fefd0d024af3daa7329cbc0d00de5302ec ]
Syzkaller hit 'WARNING in dg_dispatch_as_host' bug.
memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"
at drivers/misc/vmw_vmci/vmci_datagram.c:237 (size 24)
WARNING: CPU: 0 PID: 1555 at drivers/misc/vmw_vmci/vmci_datagram.c:237
dg_dispatch_as_host+0x88e/0xa60 drivers/misc/vmw_vmci/vmci_datagram.c:237
Some code commentry, based on my understanding:
544 #define VMCI_DG_SIZE(_dg) (VMCI_DG_HEADERSIZE + (size_t)(_dg)->payload_size)
/// This is 24 + payload_size
memcpy(&dg_info->msg, dg, dg_size);
Destination = dg_info->msg ---> this is a 24 byte
structure(struct vmci_datagram)
Source = dg --> this is a 24 byte structure (struct vmci_datagram)
Size = dg_size = 24 + payload_size
{payload_size = 56-24 =32} -- Syzkaller managed to set payload_size to 32.
35 struct delayed_datagram_info {
36 struct datagram_entry *entry;
37 struct work_struct work;
38 bool in_dg_host_queue;
39 /* msg and msg_payload must be together. */
40 struct vmci_datagram msg;
41 u8 msg_payload[];
42 };
So those extra bytes of payload are copied into msg_payload[], a run time
warning is seen while fuzzing with Syzkaller.
One possible way to fix the warning is to split the memcpy() into
two parts -- one -- direct assignment of msg and second taking care of payload.
Gustavo quoted:
"Under FORTIFY_SOURCE we should not copy data across multiple members
in a structure."
Reported-by: syzkaller <syzkaller@googlegroups.com>
Suggested-by: Vegard Nossum <vegard.nossum@oracle.com>
Suggested-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/20240105164001.2129796-2-harshit.m.mogalapalli@oracle.com
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/vmw_vmci/vmci_datagram.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/vmw_vmci/vmci_datagram.c b/drivers/misc/vmw_vmci/vmci_datagram.c
index 8a4b6bbe1beed..275542e8b2ad9 100644
--- a/drivers/misc/vmw_vmci/vmci_datagram.c
+++ b/drivers/misc/vmw_vmci/vmci_datagram.c
@@ -242,7 +242,8 @@ static int dg_dispatch_as_host(u32 context_id, struct vmci_datagram *dg)
dg_info->in_dg_host_queue = true;
dg_info->entry = dst_entry;
- memcpy(&dg_info->msg, dg, dg_size);
+ dg_info->msg = *dg;
+ memcpy(&dg_info->msg_payload, dg + 1, dg->payload_size);
INIT_WORK(&dg_info->work, dg_delayed_dispatch);
schedule_work(&dg_info->work);
--
2.43.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.19 04/11] arm64: dts: rockchip: fix rk3399 hdmi ports node
2024-03-29 12:35 [PATCH AUTOSEL 4.19 01/11] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Sasha Levin
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 02/11] batman-adv: Return directly after a failed batadv_dat_select_candidates() in batadv_dat_forward_data() Sasha Levin
@ 2024-03-29 12:35 ` Sasha Levin
2024-03-29 12:35 ` Sasha Levin
` (7 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2024-03-29 12:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Johan Jonker, Heiko Stuebner, Sasha Levin, robh,
krzysztof.kozlowski+dt, conor+dt, dsimic, kmcopper, lukasz.luba,
rick.wertenbroek, chris.obbard, s.hauer, knaerzche, devicetree,
linux-arm-kernel, linux-rockchip
From: Johan Jonker <jbx6244@gmail.com>
[ Upstream commit f051b6ace7ffcc48d6d1017191f167c0a85799f6 ]
Fix rk3399 hdmi ports node so that it matches the
rockchip,dw-hdmi.yaml binding.
Signed-off-by: Johan Jonker <jbx6244@gmail.com>
Link: https://lore.kernel.org/r/a6ab6f75-3b80-40b1-bd30-3113e14becdd@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3399.dtsi | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
index 5a60faa8e9998..f19d43021a4e7 100644
--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
@@ -1683,6 +1683,7 @@ simple-audio-card,codec {
hdmi: hdmi@ff940000 {
compatible = "rockchip,rk3399-dw-hdmi";
reg = <0x0 0xff940000 0x0 0x20000>;
+ reg-io-width = <4>;
interrupts = <GIC_SPI 23 IRQ_TYPE_LEVEL_HIGH 0>;
clocks = <&cru PCLK_HDMI_CTRL>,
<&cru SCLK_HDMI_SFR>,
@@ -1691,13 +1692,16 @@ hdmi: hdmi@ff940000 {
<&cru PLL_VPLL>;
clock-names = "iahb", "isfr", "cec", "grf", "vpll";
power-domains = <&power RK3399_PD_HDCP>;
- reg-io-width = <4>;
rockchip,grf = <&grf>;
#sound-dai-cells = <0>;
status = "disabled";
ports {
- hdmi_in: port {
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+ hdmi_in: port@0 {
+ reg = <0>;
#address-cells = <1>;
#size-cells = <0>;
@@ -1710,6 +1714,10 @@ hdmi_in_vopl: endpoint@1 {
remote-endpoint = <&vopl_out_hdmi>;
};
};
+
+ hdmi_out: port@1 {
+ reg = <1>;
+ };
};
};
--
2.43.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.19 04/11] arm64: dts: rockchip: fix rk3399 hdmi ports node
@ 2024-03-29 12:35 ` Sasha Levin
0 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2024-03-29 12:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Johan Jonker, Heiko Stuebner, Sasha Levin, robh,
krzysztof.kozlowski+dt, conor+dt, dsimic, kmcopper, lukasz.luba,
rick.wertenbroek, chris.obbard, s.hauer, knaerzche, devicetree,
linux-arm-kernel, linux-rockchip
From: Johan Jonker <jbx6244@gmail.com>
[ Upstream commit f051b6ace7ffcc48d6d1017191f167c0a85799f6 ]
Fix rk3399 hdmi ports node so that it matches the
rockchip,dw-hdmi.yaml binding.
Signed-off-by: Johan Jonker <jbx6244@gmail.com>
Link: https://lore.kernel.org/r/a6ab6f75-3b80-40b1-bd30-3113e14becdd@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3399.dtsi | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
index 5a60faa8e9998..f19d43021a4e7 100644
--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
@@ -1683,6 +1683,7 @@ simple-audio-card,codec {
hdmi: hdmi@ff940000 {
compatible = "rockchip,rk3399-dw-hdmi";
reg = <0x0 0xff940000 0x0 0x20000>;
+ reg-io-width = <4>;
interrupts = <GIC_SPI 23 IRQ_TYPE_LEVEL_HIGH 0>;
clocks = <&cru PCLK_HDMI_CTRL>,
<&cru SCLK_HDMI_SFR>,
@@ -1691,13 +1692,16 @@ hdmi: hdmi@ff940000 {
<&cru PLL_VPLL>;
clock-names = "iahb", "isfr", "cec", "grf", "vpll";
power-domains = <&power RK3399_PD_HDCP>;
- reg-io-width = <4>;
rockchip,grf = <&grf>;
#sound-dai-cells = <0>;
status = "disabled";
ports {
- hdmi_in: port {
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+ hdmi_in: port@0 {
+ reg = <0>;
#address-cells = <1>;
#size-cells = <0>;
@@ -1710,6 +1714,10 @@ hdmi_in_vopl: endpoint@1 {
remote-endpoint = <&vopl_out_hdmi>;
};
};
+
+ hdmi_out: port@1 {
+ reg = <1>;
+ };
};
};
--
2.43.0
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.19 04/11] arm64: dts: rockchip: fix rk3399 hdmi ports node
@ 2024-03-29 12:35 ` Sasha Levin
0 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2024-03-29 12:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Johan Jonker, Heiko Stuebner, Sasha Levin, robh,
krzysztof.kozlowski+dt, conor+dt, dsimic, kmcopper, lukasz.luba,
rick.wertenbroek, chris.obbard, s.hauer, knaerzche, devicetree,
linux-arm-kernel, linux-rockchip
From: Johan Jonker <jbx6244@gmail.com>
[ Upstream commit f051b6ace7ffcc48d6d1017191f167c0a85799f6 ]
Fix rk3399 hdmi ports node so that it matches the
rockchip,dw-hdmi.yaml binding.
Signed-off-by: Johan Jonker <jbx6244@gmail.com>
Link: https://lore.kernel.org/r/a6ab6f75-3b80-40b1-bd30-3113e14becdd@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3399.dtsi | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3399.dtsi b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
index 5a60faa8e9998..f19d43021a4e7 100644
--- a/arch/arm64/boot/dts/rockchip/rk3399.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk3399.dtsi
@@ -1683,6 +1683,7 @@ simple-audio-card,codec {
hdmi: hdmi@ff940000 {
compatible = "rockchip,rk3399-dw-hdmi";
reg = <0x0 0xff940000 0x0 0x20000>;
+ reg-io-width = <4>;
interrupts = <GIC_SPI 23 IRQ_TYPE_LEVEL_HIGH 0>;
clocks = <&cru PCLK_HDMI_CTRL>,
<&cru SCLK_HDMI_SFR>,
@@ -1691,13 +1692,16 @@ hdmi: hdmi@ff940000 {
<&cru PLL_VPLL>;
clock-names = "iahb", "isfr", "cec", "grf", "vpll";
power-domains = <&power RK3399_PD_HDCP>;
- reg-io-width = <4>;
rockchip,grf = <&grf>;
#sound-dai-cells = <0>;
status = "disabled";
ports {
- hdmi_in: port {
+ #address-cells = <1>;
+ #size-cells = <0>;
+
+ hdmi_in: port@0 {
+ reg = <0>;
#address-cells = <1>;
#size-cells = <0>;
@@ -1710,6 +1714,10 @@ hdmi_in_vopl: endpoint@1 {
remote-endpoint = <&vopl_out_hdmi>;
};
};
+
+ hdmi_out: port@1 {
+ reg = <1>;
+ };
};
};
--
2.43.0
_______________________________________________
Linux-rockchip mailing list
Linux-rockchip@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-rockchip
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.19 05/11] tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num()
2024-03-29 12:35 [PATCH AUTOSEL 4.19 01/11] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Sasha Levin
` (2 preceding siblings ...)
2024-03-29 12:35 ` Sasha Levin
@ 2024-03-29 12:35 ` Sasha Levin
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 06/11] sparc: vdso: Disable UBSAN instrumentation Sasha Levin
` (5 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2024-03-29 12:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Samasth Norway Ananda, Rafael J . Wysocki, Sasha Levin
From: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
[ Upstream commit f85450f134f0b4ca7e042dc3dc89155656a2299d ]
In function get_pkg_num() if fopen_or_die() succeeds it returns a file
pointer to be used. But fclose() is never called before returning from
the function.
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c
index 2aba622d1c5aa..470d03e143422 100644
--- a/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c
+++ b/tools/power/x86/x86_energy_perf_policy/x86_energy_perf_policy.c
@@ -1112,6 +1112,7 @@ unsigned int get_pkg_num(int cpu)
retval = fscanf(fp, "%d\n", &pkg);
if (retval != 1)
errx(1, "%s: failed to parse", pathname);
+ fclose(fp);
return pkg;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.19 06/11] sparc: vdso: Disable UBSAN instrumentation
2024-03-29 12:35 [PATCH AUTOSEL 4.19 01/11] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Sasha Levin
` (3 preceding siblings ...)
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 05/11] tools/power x86_energy_perf_policy: Fix file leak in get_pkg_num() Sasha Levin
@ 2024-03-29 12:35 ` Sasha Levin
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 07/11] sh: Fix build with CONFIG_UBSAN=y Sasha Levin
` (4 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2024-03-29 12:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Kees Cook, Sam Ravnborg, Sasha Levin, davem, andreas, masahiroy,
rmk+kernel, deller, catalin.marinas, sparclinux
From: Kees Cook <keescook@chromium.org>
[ Upstream commit d4be85d068b4418c341f79b654399f7f0891069a ]
The UBSAN instrumentation cannot work in the vDSO since it is executing
in userspace, so disable it in the Makefile. Fixes the build failures
such as:
arch/sparc/vdso/vclock_gettime.c:217: undefined reference to `__ubsan_handle_shift_out_of_bounds'
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Link: https://lore.kernel.org/all/20240224073617.GA2959352@ravnborg.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/sparc/vdso/Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/sparc/vdso/Makefile b/arch/sparc/vdso/Makefile
index dc85570d88395..4fa1cb1a67fca 100644
--- a/arch/sparc/vdso/Makefile
+++ b/arch/sparc/vdso/Makefile
@@ -1,6 +1,7 @@
#
# Building vDSO images for sparc.
#
+UBSAN_SANITIZE := n
KBUILD_CFLAGS += $(DISABLE_LTO)
--
2.43.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.19 07/11] sh: Fix build with CONFIG_UBSAN=y
2024-03-29 12:35 [PATCH AUTOSEL 4.19 01/11] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Sasha Levin
` (4 preceding siblings ...)
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 06/11] sparc: vdso: Disable UBSAN instrumentation Sasha Levin
@ 2024-03-29 12:35 ` Sasha Levin
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 08/11] btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() Sasha Levin
` (3 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2024-03-29 12:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Kees Cook, kernel test robot, Yoshinori Sato, Rich Felker,
John Paul Adrian Glaubitz, Masahiro Yamada, Nicolas Schier,
linux-sh, Sasha Levin
From: Kees Cook <keescook@chromium.org>
[ Upstream commit e36b70fb8c707a0688960184380bc151390d671b ]
The early boot stub for sh had UBSan instrumentation present where it is
not supported. Disable it for this part of the build.
sh4-linux-ld: arch/sh/boot/compressed/misc.o: in function `zlib_inflate_table':
misc.c:(.text+0x670): undefined reference to `__ubsan_handle_shift_out_of_bounds'
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202401310416.s8HLiLnC-lkp@intel.com/
Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
Cc: Rich Felker <dalias@libc.org>
Cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Nicolas Schier <n.schier@avm.de>
Cc: <linux-sh@vger.kernel.org>
Link: https://lore.kernel.org/r/20240130232717.work.088-kees@kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/sh/boot/compressed/Makefile | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/sh/boot/compressed/Makefile b/arch/sh/boot/compressed/Makefile
index f5e1bd7797892..362f2c9f9f7fc 100644
--- a/arch/sh/boot/compressed/Makefile
+++ b/arch/sh/boot/compressed/Makefile
@@ -13,6 +13,7 @@ targets := vmlinux vmlinux.bin vmlinux.bin.gz \
OBJECTS = $(obj)/head_$(BITS).o $(obj)/misc.o $(obj)/cache.o
GCOV_PROFILE := n
+UBSAN_SANITIZE := n
#
# IMAGE_OFFSET is the load offset of the compression loader
--
2.43.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.19 08/11] btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks()
2024-03-29 12:35 [PATCH AUTOSEL 4.19 01/11] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Sasha Levin
` (5 preceding siblings ...)
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 07/11] sh: Fix build with CONFIG_UBSAN=y Sasha Levin
@ 2024-03-29 12:35 ` Sasha Levin
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 09/11] btrfs: export: handle invalid inode or root reference in btrfs_get_parent() Sasha Levin
` (2 subsequent siblings)
9 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2024-03-29 12:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: David Sterba, Josef Bacik, Anand Jain, Sasha Levin, clm, linux-btrfs
From: David Sterba <dsterba@suse.com>
[ Upstream commit 7411055db5ce64f836aaffd422396af0075fdc99 ]
The unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,
as it could be caused only by two impossible conditions:
- at first the search key is set up to look for a chunk tree item, with
offset -1, this is an inexact search and the key->offset will contain
the correct offset upon a successful search, a valid chunk tree item
cannot have an offset -1
- after first successful search, the found_key corresponds to a chunk
item, the offset is decremented by 1 before the next loop, it's
impossible to find a chunk item there due to alignment and size
constraints
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/volumes.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index ceced5e56c5a9..30b5646b2c0de 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -2948,7 +2948,17 @@ static int btrfs_relocate_sys_chunks(struct btrfs_fs_info *fs_info)
mutex_unlock(&fs_info->delete_unused_bgs_mutex);
goto error;
}
- BUG_ON(ret == 0); /* Corruption */
+ if (ret == 0) {
+ /*
+ * On the first search we would find chunk tree with
+ * offset -1, which is not possible. On subsequent
+ * loops this would find an existing item on an invalid
+ * offset (one less than the previous one, wrong
+ * alignment and size).
+ */
+ ret = -EUCLEAN;
+ goto error;
+ }
ret = btrfs_previous_item(chunk_root, path, key.objectid,
key.type);
--
2.43.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.19 09/11] btrfs: export: handle invalid inode or root reference in btrfs_get_parent()
2024-03-29 12:35 [PATCH AUTOSEL 4.19 01/11] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Sasha Levin
` (6 preceding siblings ...)
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 08/11] btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() Sasha Levin
@ 2024-03-29 12:35 ` Sasha Levin
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 10/11] btrfs: send: handle path ref underflow in header iterate_inode_ref() Sasha Levin
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 11/11] Bluetooth: btintel: Fix null ptr deref in btintel_read_version Sasha Levin
9 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2024-03-29 12:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: David Sterba, Josef Bacik, Anand Jain, Sasha Levin, clm, linux-btrfs
From: David Sterba <dsterba@suse.com>
[ Upstream commit 26b66d1d366a375745755ca7365f67110bbf6bd5 ]
The get_parent handler looks up a parent of a given dentry, this can be
either a subvolume or a directory. The search is set up with offset -1
but it's never expected to find such item, as it would break allowed
range of inode number or a root id. This means it's a corruption (ext4
also returns this error code).
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/export.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/export.c b/fs/btrfs/export.c
index ecc33e3a3c063..01e9a5afc33bf 100644
--- a/fs/btrfs/export.c
+++ b/fs/btrfs/export.c
@@ -182,8 +182,15 @@ struct dentry *btrfs_get_parent(struct dentry *child)
ret = btrfs_search_slot(NULL, root, &key, path, 0, 0);
if (ret < 0)
goto fail;
+ if (ret == 0) {
+ /*
+ * Key with offset of -1 found, there would have to exist an
+ * inode with such number or a root with such id.
+ */
+ ret = -EUCLEAN;
+ goto fail;
+ }
- BUG_ON(ret == 0); /* Key with offset of -1 found */
if (path->slots[0] == 0) {
ret = -ENOENT;
goto fail;
--
2.43.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.19 10/11] btrfs: send: handle path ref underflow in header iterate_inode_ref()
2024-03-29 12:35 [PATCH AUTOSEL 4.19 01/11] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Sasha Levin
` (7 preceding siblings ...)
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 09/11] btrfs: export: handle invalid inode or root reference in btrfs_get_parent() Sasha Levin
@ 2024-03-29 12:35 ` Sasha Levin
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 11/11] Bluetooth: btintel: Fix null ptr deref in btintel_read_version Sasha Levin
9 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2024-03-29 12:35 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: David Sterba, Sasha Levin, clm, josef, linux-btrfs
From: David Sterba <dsterba@suse.com>
[ Upstream commit 3c6ee34c6f9cd12802326da26631232a61743501 ]
Change BUG_ON to proper error handling if building the path buffer
fails. The pointers are not printed so we don't accidentally leak kernel
addresses.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/send.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 0c86409a316e8..e3b6ca9176afe 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -958,7 +958,15 @@ static int iterate_inode_ref(struct btrfs_root *root, struct btrfs_path *path,
ret = PTR_ERR(start);
goto out;
}
- BUG_ON(start < p->buf);
+ if (unlikely(start < p->buf)) {
+ btrfs_err(root->fs_info,
+ "send: path ref buffer underflow for key (%llu %u %llu)",
+ found_key->objectid,
+ found_key->type,
+ found_key->offset);
+ ret = -EINVAL;
+ goto out;
+ }
}
p->start = start;
} else {
--
2.43.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [PATCH AUTOSEL 4.19 11/11] Bluetooth: btintel: Fix null ptr deref in btintel_read_version
2024-03-29 12:35 [PATCH AUTOSEL 4.19 01/11] wifi: ath9k: fix LNA selection in ath_ant_try_scan() Sasha Levin
` (8 preceding siblings ...)
2024-03-29 12:35 ` [PATCH AUTOSEL 4.19 10/11] btrfs: send: handle path ref underflow in header iterate_inode_ref() Sasha Levin
@ 2024-03-29 12:35 ` Sasha Levin
9 siblings, 0 replies; 13+ messages in thread
From: Sasha Levin @ 2024-03-29 12:35 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Edward Adam Davis, syzbot+830d9e3fa61968246abd,
Luiz Augusto von Dentz, Sasha Levin, marcel, luiz.dentz,
linux-bluetooth
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit b79e040910101b020931ba0c9a6b77e81ab7f645 ]
If hci_cmd_sync_complete() is triggered and skb is NULL, then
hdev->req_skb is NULL, which will cause this issue.
Reported-and-tested-by: syzbot+830d9e3fa61968246abd@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btintel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index 5270d55132015..6a3c0ad9f10ce 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -355,7 +355,7 @@ int btintel_read_version(struct hci_dev *hdev, struct intel_version *ver)
struct sk_buff *skb;
skb = __hci_cmd_sync(hdev, 0xfc05, 0, NULL, HCI_CMD_TIMEOUT);
- if (IS_ERR(skb)) {
+ if (IS_ERR_OR_NULL(skb)) {
bt_dev_err(hdev, "Reading Intel version information failed (%ld)",
PTR_ERR(skb));
return PTR_ERR(skb);
--
2.43.0
^ permalink raw reply related [flat|nested] 13+ messages in thread