* [PATCH AUTOSEL 5.10 2/8] scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown()
2022-01-03 17:29 [PATCH AUTOSEL 5.10 1/8] usb: mtu3: fix interval value for intr and isoc Sasha Levin
@ 2022-01-03 17:29 ` Sasha Levin
2022-01-03 17:29 ` [PATCH AUTOSEL 5.10 3/8] ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate Sasha Levin
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Sasha Levin @ 2022-01-03 17:29 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Lixiaokeng, Lu Tixiong, Mike Christie, Lee Duncan, Linfeilong,
Martin K . Petersen, Sasha Levin, cleech, jejb, open-iscsi,
linux-scsi
From: Lixiaokeng <lixiaokeng@huawei.com>
[ Upstream commit 1b8d0300a3e9f216ae4901bab886db7299899ec6 ]
|- iscsi_if_destroy_conn               |-dev_attr_show
 |-iscsi_conn_teardown
  |-spin_lock_bh                        |-iscsi_sw_tcp_conn_get_param
  |-kfree(conn->persistent_address)      |-iscsi_conn_get_param
  |-kfree(conn->local_ipaddr)
                                          ==>|-read persistent_address
                                          ==>|-read local_ipaddr
  |-spin_unlock_bh
When iscsi_conn_teardown() and iscsi_conn_get_param() happen in parallel, a
UAF may be triggered.
Link: https://lore.kernel.org/r/046ec8a0-ce95-d3fc-3235-666a7c65b224@huawei.com
Reported-by: Lu Tixiong <lutianxiong@huawei.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Lixiaokeng <lixiaokeng@huawei.com>
Signed-off-by: Linfeilong <linfeilong@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/libiscsi.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index 30d27b6706746..d4e66c595eb87 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -2950,6 +2950,8 @@ void iscsi_conn_teardown(struct iscsi_cls_conn *cls_conn)
{
struct iscsi_conn *conn = cls_conn->dd_data;
struct iscsi_session *session = conn->session;
+ char *tmp_persistent_address = conn->persistent_address;
+ char *tmp_local_ipaddr = conn->local_ipaddr;
del_timer_sync(&conn->transport_timer);
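Review bot: tmp_persistent_address and tmp_local_ipaddr are snapshotted in the declarations at the top of iscsi_conn_teardown(), before del_timer_sync() and before any lock in this function is taken. If any path can still replace conn->persistent_address or conn->local_ipaddr while teardown runs, the saved pointer is stale by the time it reaches kfree() and the replacement string leaks. Either take the snapshot where the old kfree() calls sat, under frwd_lock, or add a comment stating why the fields cannot change after entry.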
@@ -2971,8 +2973,6 @@ void iscsi_conn_teardown(struct iscsi_cls_conn *cls_conn)
spin_lock_bh(&session->frwd_lock);
free_pages((unsigned long) conn->data,
get_order(ISCSI_DEF_MAX_RECV_SEG_LEN));
- kfree(conn->persistent_address);
- kfree(conn->local_ipaddr);
/* regular RX path uses back_lock */
spin_lock_bh(&session->back_lock);
kfifo_in(&session->cmdpool.queue, (void*)&conn->login_task,
@@ -2984,6 +2984,8 @@ void iscsi_conn_teardown(struct iscsi_cls_conn *cls_conn)
mutex_unlock(&session->eh_mutex);
iscsi_destroy_conn(cls_conn);
+ kfree(tmp_persistent_address);
+ kfree(tmp_local_ipaddr);
}
EXPORT_SYMBOL_GPL(iscsi_conn_teardown);
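Review bot: the two kfree() calls after iscsi_destroy_conn(cls_conn) carry no comment, and their position is the whole fix. The strings may only be freed once the dev_attr_show path from the commit message can no longer reach iscsi_conn_get_param(), and the use of temporaries suggests conn (cls_conn->dd_data) is not to be dereferenced after that call. A one-line comment above the frees saying so would keep a later cleanup from moving them back under the lock or turning them into kfree(conn->persistent_address).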
--
2.34.1
* [PATCH AUTOSEL 5.10 3/8] ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate
2022-01-03 17:29 [PATCH AUTOSEL 5.10 1/8] usb: mtu3: fix interval value for intr and isoc Sasha Levin
2022-01-03 17:29 ` [PATCH AUTOSEL 5.10 2/8] scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown() Sasha Levin
@ 2022-01-03 17:29 ` Sasha Levin
2022-01-03 17:29 ` [PATCH AUTOSEL 5.10 4/8] net: udp: fix alignment problem in udp4_seq_show() Sasha Levin
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Sasha Levin @ 2022-01-03 17:29 UTC (permalink / raw)
To: linux-kernel, stable
Cc: William Zhao, David S . Miller, Sasha Levin, steffen.klassert,
yoshfuji, dsahern, kuba, netdev
From: William Zhao <wizhao@redhat.com>
[ Upstream commit c1833c3964d5bd8c163bd4e01736a38bc473cb8a ]
The "__ip6_tnl_parm" struct was left uninitialized causing an invalid
load of random data when the "__ip6_tnl_parm" struct was used elsewhere.
As an example, in the function "ip6_tnl_xmit_ctl()", it tries to access
the "collect_md" member. With "__ip6_tnl_parm" being uninitialized and
containing random data, the UBSAN detected that "collect_md" held a
non-boolean value.
The UBSAN issue is as follows:
===============================================================
UBSAN: invalid-load in net/ipv6/ip6_tunnel.c:1025:14
load of value 30 is not a valid value for type '_Bool'
CPU: 1 PID: 228 Comm: kworker/1:3 Not tainted 5.16.0-rc4+ #8
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
<TASK>
dump_stack_lvl+0x44/0x57
ubsan_epilogue+0x5/0x40
__ubsan_handle_load_invalid_value+0x66/0x70
? __cpuhp_setup_state+0x1d3/0x210
ip6_tnl_xmit_ctl.cold.52+0x2c/0x6f [ip6_tunnel]
vti6_tnl_xmit+0x79c/0x1e96 [ip6_vti]
? lock_is_held_type+0xd9/0x130
? vti6_rcv+0x100/0x100 [ip6_vti]
? lock_is_held_type+0xd9/0x130
? rcu_read_lock_bh_held+0xc0/0xc0
? lock_acquired+0x262/0xb10
dev_hard_start_xmit+0x1e6/0x820
__dev_queue_xmit+0x2079/0x3340
? mark_lock.part.52+0xf7/0x1050
? netdev_core_pick_tx+0x290/0x290
? kvm_clock_read+0x14/0x30
? kvm_sched_clock_read+0x5/0x10
? sched_clock_cpu+0x15/0x200
? find_held_lock+0x3a/0x1c0
? lock_release+0x42f/0xc90
? lock_downgrade+0x6b0/0x6b0
? mark_held_locks+0xb7/0x120
? neigh_connected_output+0x31f/0x470
? lockdep_hardirqs_on+0x79/0x100
? neigh_connected_output+0x31f/0x470
? ip6_finish_output2+0x9b0/0x1d90
? rcu_read_lock_bh_held+0x62/0xc0
? ip6_finish_output2+0x9b0/0x1d90
ip6_finish_output2+0x9b0/0x1d90
? ip6_append_data+0x330/0x330
? ip6_mtu+0x166/0x370
? __ip6_finish_output+0x1ad/0xfb0
? nf_hook_slow+0xa6/0x170
ip6_output+0x1fb/0x710
? nf_hook.constprop.32+0x317/0x430
? ip6_finish_output+0x180/0x180
? __ip6_finish_output+0xfb0/0xfb0
? lock_is_held_type+0xd9/0x130
ndisc_send_skb+0xb33/0x1590
? __sk_mem_raise_allocated+0x11cf/0x1560
? dst_output+0x4a0/0x4a0
? ndisc_send_rs+0x432/0x610
addrconf_dad_completed+0x30c/0xbb0
? addrconf_rs_timer+0x650/0x650
? addrconf_dad_work+0x73c/0x10e0
addrconf_dad_work+0x73c/0x10e0
? addrconf_dad_completed+0xbb0/0xbb0
? rcu_read_lock_sched_held+0xaf/0xe0
? rcu_read_lock_bh_held+0xc0/0xc0
process_one_work+0x97b/0x1740
? pwq_dec_nr_in_flight+0x270/0x270
worker_thread+0x87/0xbf0
? process_one_work+0x1740/0x1740
kthread+0x3ac/0x490
? set_kthread_struct+0x100/0x100
ret_from_fork+0x22/0x30
</TASK>
===============================================================
The solution is to initialize "__ip6_tnl_parm" struct to zeros in the
"vti6_siocdevprivate()" function.
Signed-off-by: William Zhao <wizhao@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_vti.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index 23aeeb46f99fc..99f2dc802e366 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -804,6 +804,8 @@ vti6_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
struct net *net = dev_net(dev);
struct vti6_net *ip6n = net_generic(net, vti6_net_id);
+ memset(&p1, 0, sizeof(p1));
+
switch (cmd) {
case SIOCGETTUNNEL:
if (dev == ip6n->fb_tnl_dev) {
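Review bot: the subject and commit message say the initialization goes into vti6_siocdevprivate(), but the hunk header shows it landing in vti6_ioctl() in this tree. Please add a backport note to the message saying the function is named differently in 5.10, so the text matches the code. The memset(&p1, 0, sizeof(p1)) sits ahead of switch (cmd), so it covers every command; an initializer at the declaration of p1 would achieve the same without a separate statement.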
--
2.34.1
* [PATCH AUTOSEL 5.10 4/8] net: udp: fix alignment problem in udp4_seq_show()
2022-01-03 17:29 [PATCH AUTOSEL 5.10 1/8] usb: mtu3: fix interval value for intr and isoc Sasha Levin
2022-01-03 17:29 ` [PATCH AUTOSEL 5.10 2/8] scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown() Sasha Levin
2022-01-03 17:29 ` [PATCH AUTOSEL 5.10 3/8] ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate Sasha Levin
@ 2022-01-03 17:29 ` Sasha Levin
2022-01-03 17:29 ` [PATCH AUTOSEL 5.10 5/8] atlantic: Fix buff_ring OOB in aq_ring_rx_clean Sasha Levin
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Sasha Levin @ 2022-01-03 17:29 UTC (permalink / raw)
To: linux-kernel, stable
Cc: yangxingwu, David S . Miller, Sasha Levin, yoshfuji, dsahern,
kuba, netdev
From: yangxingwu <xingwu.yang@gmail.com>
[ Upstream commit 6c25449e1a32c594d743df8e8258e8ef870b6a77 ]
$ cat /proc/net/udp
before:
sl local_address rem_address st tx_queue rx_queue tr tm->when
26050: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000
26320: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000
27135: 00000000:8472 00000000:0000 07 00000000:00000000 00:00000000
after:
sl local_address rem_address st tx_queue rx_queue tr tm->when
26050: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000
26320: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000
27135: 00000000:8472 00000000:0000 07 00000000:00000000 00:00000000
Signed-off-by: yangxingwu <xingwu.yang@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/udp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 86ed2afbee302..ef2068a60d4ad 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -3006,7 +3006,7 @@ int udp4_seq_show(struct seq_file *seq, void *v)
{
seq_setwidth(seq, 127);
if (v == SEQ_START_TOKEN)
- seq_puts(seq, " sl local_address rem_address st tx_queue "
+ seq_puts(seq, " sl local_address rem_address st tx_queue "
"rx_queue tr tm->when retrnsmt uid timeout "
"inode ref pointer drops");
else {
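Review bot: the message gives only before/after output and never says what was misaligned or which column moved, and the removed and added seq_puts() lines differ in whitespace alone. Please state in the message that only the header string printed for SEQ_START_TOKEN changes and the per-socket rows are untouched, since /proc/net/udp is read by scripts as well as by people. It is also worth asking whether a cosmetic header change meets the bar for a stable backport.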
--
2.34.1
* [PATCH AUTOSEL 5.10 5/8] atlantic: Fix buff_ring OOB in aq_ring_rx_clean
2022-01-03 17:29 [PATCH AUTOSEL 5.10 1/8] usb: mtu3: fix interval value for intr and isoc Sasha Levin
` (2 preceding siblings ...)
2022-01-03 17:29 ` [PATCH AUTOSEL 5.10 4/8] net: udp: fix alignment problem in udp4_seq_show() Sasha Levin
@ 2022-01-03 17:29 ` Sasha Levin
2022-01-03 17:29 ` [PATCH AUTOSEL 5.10 6/8] mISDN: change function names to avoid conflicts Sasha Levin
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Sasha Levin @ 2022-01-03 17:29 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Zekun Shen, David S . Miller, Sasha Levin, irusskikh, kuba, netdev
From: Zekun Shen <bruceshenzk@gmail.com>
[ Upstream commit 5f50153288452e10b6edd69ec9112c49442b054a ]
The function obtains the next buffer without a boundary check.
We should return with an I/O error code.
The bug is found by fuzzing and the crash report is attached.
It is an OOB bug although reported as use-after-free.
[ 4.804724] BUG: KASAN: use-after-free in aq_ring_rx_clean+0x1e88/0x2730 [atlantic]
[ 4.805661] Read of size 4 at addr ffff888034fe93a8 by task ksoftirqd/0/9
[ 4.806505]
[ 4.806703] CPU: 0 PID: 9 Comm: ksoftirqd/0 Tainted: G W 5.6.0 #34
[ 4.809030] Call Trace:
[ 4.809343] dump_stack+0x76/0xa0
[ 4.809755] print_address_description.constprop.0+0x16/0x200
[ 4.810455] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic]
[ 4.811234] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic]
[ 4.813183] __kasan_report.cold+0x37/0x7c
[ 4.813715] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic]
[ 4.814393] kasan_report+0xe/0x20
[ 4.814837] aq_ring_rx_clean+0x1e88/0x2730 [atlantic]
[ 4.815499] ? hw_atl_b0_hw_ring_rx_receive+0x9a5/0xb90 [atlantic]
[ 4.816290] aq_vec_poll+0x179/0x5d0 [atlantic]
[ 4.816870] ? _GLOBAL__sub_I_65535_1_aq_pci_func_init+0x20/0x20 [atlantic]
[ 4.817746] ? __next_timer_interrupt+0xba/0xf0
[ 4.818322] net_rx_action+0x363/0xbd0
[ 4.818803] ? call_timer_fn+0x240/0x240
[ 4.819302] ? __switch_to_asm+0x40/0x70
[ 4.819809] ? napi_busy_loop+0x520/0x520
[ 4.820324] __do_softirq+0x18c/0x634
[ 4.820797] ? takeover_tasklets+0x5f0/0x5f0
[ 4.821343] run_ksoftirqd+0x15/0x20
[ 4.821804] smpboot_thread_fn+0x2f1/0x6b0
[ 4.822331] ? smpboot_unregister_percpu_thread+0x160/0x160
[ 4.823041] ? __kthread_parkme+0x80/0x100
[ 4.823571] ? smpboot_unregister_percpu_thread+0x160/0x160
[ 4.824301] kthread+0x2b5/0x3b0
[ 4.824723] ? kthread_create_on_node+0xd0/0xd0
[ 4.825304] ret_from_fork+0x35/0x40
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
index 24122ccda614c..72f8751784c31 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
@@ -365,6 +365,10 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
if (!buff->is_eop) {
buff_ = buff;
do {
+ if (buff_->next >= self->size) {
+ err = -EIO;
+ goto err_exit;
+ }
next_ = buff_->next,
buff_ = &self->buff_ring[next_];
is_rsc_completed =
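Review bot: the new bounds check tests buff_->next, and the index is then fetched again from buff_->next on the following line (next_ = buff_->next,), so the value checked is not necessarily the value used. Read it once and validate the local copy: assign next_ = buff_->next first, then test next_ >= self->size before indexing self->buff_ring[next_].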
@@ -388,6 +392,10 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
(buff->is_lro && buff->is_cso_err)) {
buff_ = buff;
do {
+ if (buff_->next >= self->size) {
+ err = -EIO;
+ goto err_exit;
+ }
next_ = buff_->next,
buff_ = &self->buff_ring[next_];
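Review bot: this is the same four-line check as in the !buff->is_eop loop earlier in the function, duplicated verbatim, and here too the check reads buff_->next while the next line reads it a second time. A small helper that fetches the index once, validates it against self->size and returns the next buffer (or NULL) would keep the two walks from drifting apart.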
--
2.34.1
* [PATCH AUTOSEL 5.10 6/8] mISDN: change function names to avoid conflicts
2022-01-03 17:29 [PATCH AUTOSEL 5.10 1/8] usb: mtu3: fix interval value for intr and isoc Sasha Levin
` (3 preceding siblings ...)
2022-01-03 17:29 ` [PATCH AUTOSEL 5.10 5/8] atlantic: Fix buff_ring OOB in aq_ring_rx_clean Sasha Levin
@ 2022-01-03 17:29 ` Sasha Levin
2022-01-03 17:30 ` [PATCH AUTOSEL 5.10 7/8] drm/amd/display: Added power down for DCN10 Sasha Levin
2022-01-03 17:30 ` [PATCH AUTOSEL 5.10 8/8] ipv6: raw: check passed optlen before reading Sasha Levin
6 siblings, 0 replies; 8+ messages in thread
From: Sasha Levin @ 2022-01-03 17:29 UTC (permalink / raw)
To: linux-kernel, stable
Cc: wolfgang huang, k2ci, David S . Miller, Sasha Levin, isdn, netdev
From: wolfgang huang <huangjinhui@kylinos.cn>
[ Upstream commit 8b5fdfc57cc2471179d1c51081424ded833c16c8 ]
As we build for mips, we meet the following error: l1_init error with
multiple definition. Some architectures' devices are usually marked with
l1, l2, lxx as the start-up phase, so we change the mISDN function
names to align with Isdnl2_xxx.
mips-linux-gnu-ld: drivers/isdn/mISDN/layer1.o: in function `l1_init':
(.text+0x890): multiple definition of `l1_init'; \
arch/mips/kernel/bmips_5xxx_init.o:(.text+0xf0): first defined here
make[1]: *** [home/mips/kernel-build/linux/Makefile:1161: vmlinux] Error 1
Signed-off-by: wolfgang huang <huangjinhui@kylinos.cn>
Reported-by: k2ci <kernel-bot@kylinos.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/isdn/mISDN/core.c | 6 +++---
drivers/isdn/mISDN/core.h | 4 ++--
drivers/isdn/mISDN/layer1.c | 4 ++--
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/isdn/mISDN/core.c b/drivers/isdn/mISDN/core.c
index 55891e4204460..a41b4b2645941 100644
--- a/drivers/isdn/mISDN/core.c
+++ b/drivers/isdn/mISDN/core.c
@@ -381,7 +381,7 @@ mISDNInit(void)
err = mISDN_inittimer(&debug);
if (err)
goto error2;
- err = l1_init(&debug);
+ err = Isdnl1_Init(&debug);
if (err)
goto error3;
err = Isdnl2_Init(&debug);
@@ -395,7 +395,7 @@ mISDNInit(void)
error5:
Isdnl2_cleanup();
error4:
- l1_cleanup();
+ Isdnl1_cleanup();
error3:
mISDN_timer_cleanup();
error2:
@@ -408,7 +408,7 @@ static void mISDN_cleanup(void)
{
misdn_sock_cleanup();
Isdnl2_cleanup();
- l1_cleanup();
+ Isdnl1_cleanup();
mISDN_timer_cleanup();
class_unregister(&mISDN_class);
diff --git a/drivers/isdn/mISDN/core.h b/drivers/isdn/mISDN/core.h
index 23b44d3033279..42599f49c189d 100644
--- a/drivers/isdn/mISDN/core.h
+++ b/drivers/isdn/mISDN/core.h
@@ -60,8 +60,8 @@ struct Bprotocol *get_Bprotocol4id(u_int);
extern int mISDN_inittimer(u_int *);
extern void mISDN_timer_cleanup(void);
-extern int l1_init(u_int *);
-extern void l1_cleanup(void);
+extern int Isdnl1_Init(u_int *);
+extern void Isdnl1_cleanup(void);
extern int Isdnl2_Init(u_int *);
extern void Isdnl2_cleanup(void);
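Review bot: the new names copy the Isdnl2_Init()/Isdnl2_cleanup() pattern, including its mixed capitalization (Isdnl1_Init but Isdnl1_cleanup). The neighbouring declarations in this header, mISDN_inittimer() and mISDN_timer_cleanup(), use a mISDN_ prefix, which is less likely to collide with another global symbol than a short layer name. Consider that prefix for both layers in a follow-up.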
diff --git a/drivers/isdn/mISDN/layer1.c b/drivers/isdn/mISDN/layer1.c
index 98a3bc6c17009..7b31c25a550e3 100644
--- a/drivers/isdn/mISDN/layer1.c
+++ b/drivers/isdn/mISDN/layer1.c
@@ -398,7 +398,7 @@ create_l1(struct dchannel *dch, dchannel_l1callback *dcb) {
EXPORT_SYMBOL(create_l1);
int
-l1_init(u_int *deb)
+Isdnl1_Init(u_int *deb)
{
debug = deb;
l1fsm_s.state_count = L1S_STATE_COUNT;
@@ -409,7 +409,7 @@ l1_init(u_int *deb)
}
void
-l1_cleanup(void)
+Isdnl1_cleanup(void)
{
mISDN_FsmFree(&l1fsm_s);
}
--
2.34.1
* [PATCH AUTOSEL 5.10 7/8] drm/amd/display: Added power down for DCN10
2022-01-03 17:29 [PATCH AUTOSEL 5.10 1/8] usb: mtu3: fix interval value for intr and isoc Sasha Levin
` (4 preceding siblings ...)
2022-01-03 17:29 ` [PATCH AUTOSEL 5.10 6/8] mISDN: change function names to avoid conflicts Sasha Levin
@ 2022-01-03 17:30 ` Sasha Levin
2022-01-03 17:30 ` [PATCH AUTOSEL 5.10 8/8] ipv6: raw: check passed optlen before reading Sasha Levin
6 siblings, 0 replies; 8+ messages in thread
From: Sasha Levin @ 2022-01-03 17:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Lai, Derek, Daniel Wheeler, Anthony Koo, Rodrigo Siqueira,
Alex Deucher, Sasha Levin, harry.wentland, sunpeng.li,
christian.koenig, Xinhui.Pan, airlied, daniel, qingqing.zhuo,
wyatt.wood, Jun.Lei, aurabindo.pillai, paul.hsieh,
Wesley.Chalmers, victorchengchi.lu, amd-gfx, dri-devel
From: "Lai, Derek" <Derek.Lai@amd.com>
[ Upstream commit d97e631af2db84c8c9d63abf68d487d0bb559e4c ]
[Why]
The change of setting a timer callback on boot for 10 seconds is still
working, just lacked power down for DCN10.
[How]
Added power down for DCN10.
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Reviewed-by: Anthony Koo <Anthony.Koo@amd.com>
Acked-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Signed-off-by: Derek Lai <Derek.Lai@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c
index b24c8ae8b1ece..7e228c181b298 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c
@@ -77,6 +77,7 @@ static const struct hw_sequencer_funcs dcn10_funcs = {
.get_clock = dcn10_get_clock,
.get_vupdate_offset_from_vsync = dcn10_get_vupdate_offset_from_vsync,
.calc_vupdate_position = dcn10_calc_vupdate_position,
+ .power_down = dce110_power_down,
.set_backlight_level = dce110_set_backlight_level,
.set_abm_immediate_disable = dce110_set_abm_immediate_disable,
.set_pipe = dce110_set_pipe,
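Review bot: the [Why] text refers to "the change of setting a timer callback on boot for 10 seconds" without a commit id or a Fixes: tag, so from this mail it cannot be checked whether that earlier change is present in 5.10. If it is not, it is unclear what .power_down = dce110_power_down in dcn10_funcs is needed for in this tree. Please name the prerequisite commit before this is queued.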
--
2.34.1
* [PATCH AUTOSEL 5.10 8/8] ipv6: raw: check passed optlen before reading
2022-01-03 17:29 [PATCH AUTOSEL 5.10 1/8] usb: mtu3: fix interval value for intr and isoc Sasha Levin
` (5 preceding siblings ...)
2022-01-03 17:30 ` [PATCH AUTOSEL 5.10 7/8] drm/amd/display: Added power down for DCN10 Sasha Levin
@ 2022-01-03 17:30 ` Sasha Levin
6 siblings, 0 replies; 8+ messages in thread
From: Sasha Levin @ 2022-01-03 17:30 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Tamir Duberstein, Willem de Bruijn, Jakub Kicinski, Sasha Levin,
davem, yoshfuji, dsahern, netdev
From: Tamir Duberstein <tamird@gmail.com>
[ Upstream commit fb7bc9204095090731430c8921f9e629740c110a ]
Add a check that the user-provided option is at least as long as the
number of bytes we intend to read. Before this patch we would blindly
read sizeof(int) bytes even in cases where the user passed
optlen<sizeof(int), which would potentially read garbage or fault.
Discovered by new tests in https://github.com/google/gvisor/pull/6957 .
The original get_user call predates history in the git repo.
Signed-off-by: Tamir Duberstein <tamird@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20211229200947.2862255-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/raw.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 00f133a55ef7c..38349054e361e 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -1020,6 +1020,9 @@ static int do_rawv6_setsockopt(struct sock *sk, int level, int optname,
struct raw6_sock *rp = raw6_sk(sk);
int val;
+ if (optlen < sizeof(val))
+ return -EINVAL;
+
if (copy_from_sockptr(&val, optval, sizeof(val)))
return -EFAULT;
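Review bot: optlen < sizeof(val) is evaluated in size_t, and the hunk header cuts the signature off before optlen, so its type is not visible here. If optlen is unsigned this is fine; if it is a signed int, a negative length converts to a large value and passes the check. The check sits directly after the declarations, so it returns -EINVAL for every call into do_rawv6_setsockopt() with a short optlen; say so in the message if that is intended for all options.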
--
2.34.1