Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.34 2026-05-07T04:11:32+00:00 2026-05-07T04:11:32+00:00 Tyllis Xu livelycarpet87@gmail.com 2026-03-14T16:58:05+00:00 urn:sha1:c1c2417c60dbdca5ebb00462f21ee71c2d7f7083 commit 9aad71144fa3682cca3837a06c8623016790e7ec upstream. The ibmasm_send_i2o_message() function uses get_dot_command_size() to compute the byte count for memcpy_toio(), but this value is derived from user-controlled fields in the dot_command_header (command_size: u8, data_size: u16) and is never validated against the actual allocation size. A root user can write a small buffer with inflated header fields, causing memcpy_toio() to read up to ~65 KB past the end of the allocation into adjacent kernel heap, which is then forwarded to the service processor over MMIO. Silently clamping the copy size is not sufficient: if the header fields claim a larger size than the buffer, the SP receives a dot command whose own header is inconsistent with the I2O message length, which can cause the SP to desynchronize. Reject such commands outright by returning failure. Validate command_size before calling get_mfa_inbound() to avoid leaking an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware frame from the controller's free pool, and returning without a corresponding set_mfa_inbound() call would permanently exhaust it. Additionally, clamp command_size to I2O_COMMAND_SIZE before the memcpy_toio() so the MMIO write stays within the I2O message frame, consistent with the clamping already performed by outgoing_message_size() for the header field. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Yuhao Jiang <danisjiang@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com> Link: https://patch.msgid.link/20260314165805.548293-1-LivelyCarpet87@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-07T04:11:32+00:00 Tyllis Xu livelycarpet87@gmail.com 2026-03-14T16:53:54+00:00 urn:sha1:ee5737891464030a189837467df3b81a273718ad commit 0eb09f737428e482a32a2e31e5e223f2b35a71d3 upstream. The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout(). Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor. Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Yuhao Jiang <danisjiang@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com> Link: https://patch.msgid.link/20260314165355.548119-1-LivelyCarpet87@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-05-07T04:11:32+00:00 Tyllis Xu livelycarpet87@gmail.com 2026-03-08T06:21:08+00:00 urn:sha1:22a16d3eafee92a165c756081587c95850127107 commit 4b6e6ead556734bdc14024c5f837132b1e7a4b84 upstream. ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read when the queue reader or writer index from hardware exceeds REMOTE_QUEUE_SIZE (60). A compromised service processor can trigger this by writing an out-of-range value to the reader or writer MMIO register before asserting an interrupt. Since writer is re-read from hardware on every loop iteration, it can also be set to an out-of-range value after the loop has already started. The root cause is that get_queue_reader() and get_queue_writer() return raw readl() values that are passed directly into get_queue_entry(), which computes: queue_begin + reader * sizeof(struct remote_input) with no bounds check. This unchecked MMIO address is then passed to memcpy_fromio(), reading 8 bytes from unintended device registers. For sufficiently large values the address falls outside the PCI BAR mapping entirely, triggering a machine check exception. Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of the loop body, before any call to get_queue_entry(). On an out-of-range value, reset the reader register to 0 via set_queue_reader() before breaking, so that normal queue operation can resume if the corrupted hardware state is transient. Reported-by: Yuhao Jiang <danisjiang@gmail.com> Fixes: 278d72ae8803 ("[PATCH] ibmasm driver: redesign handling of remote control events") Cc: stable@vger.kernel.org Cc: ychen@northwestern.edu Signed-off-by: Tyllis Xu <LivelyCarpet87@gmail.com> Link: https://patch.msgid.link/20260308062108.258940-1-LivelyCarpet87@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2025-10-04T23:26:32+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-10-04T23:26:32+00:00 urn:sha1:6093a688a07da07808f0122f9aa2a3eed250d853 Pull Char/Misc/IIO/Binder updates from Greg KH: "Here is the big set of char/misc/iio and other driver subsystem changes for 6.18-rc1. Loads of different stuff in here, it was a busy development cycle in lots of different subsystems, with over 27k new lines added to the tree. Included in here are: - IIO updates including new drivers, reworking of existing apis, and other goodness in the sensor subsystems - MEI driver updates and additions - NVMEM driver updates - slimbus removal for an unused driver and some other minor updates - coresight driver updates and additions - MHI driver updates - comedi driver updates and fixes - extcon driver updates - interconnect driver additions - eeprom driver updates and fixes - minor UIO driver updates - tiny W1 driver updates But the majority of new code is in the rust bindings and additions, which includes: - misc driver rust binding updates for read/write support, we can now write "normal" misc drivers in rust fully, and the sample driver shows how this can be done. - Initial framework for USB driver rust bindings, which are disabled for now in the build, due to limited support, but coming in through this tree due to dependencies on other rust binding changes that were in here. I'll be enabling these back on in the build in the usb.git tree after -rc1 is out so that developers can continue to work on these in linux-next over the next development cycle. - Android Binder driver implemented in Rust. This is the big one, and was driving a huge majority of the rust binding work over the past years. Right now there are two binder drivers in the kernel, selected only at build time as to which one to use as binder wants to be included in the system at boot time. The binder C maintainers all agreed on this, as eventually, they want the C code to be removed from the tree, but it will take a few releases to get there while both are maintained to ensure that the rust implementation is fully stable and compliant with the existing userspace apis. All of these have been in linux-next for a while" * tag 'char-misc-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (320 commits) rust: usb: keep usb::Device private for now rust: usb: don't retain device context for the interface parent USB: disable rust bindings from the build for now samples: rust: add a USB driver sample rust: usb: add basic USB abstractions coresight: Add label sysfs node support dt-bindings: arm: Add label in the coresight components coresight: tnoc: add new AMBA ID to support Trace Noc V2 coresight: Fix incorrect handling for return value of devm_kzalloc coresight: tpda: fix the logic to setup the element size coresight: trbe: Return NULL pointer for allocation failures coresight: Refactor runtime PM coresight: Make clock sequence consistent coresight: Refactor driver data allocation coresight: Consolidate clock enabling coresight: Avoid enable programming clock duplicately coresight: Appropriately disable trace bus clocks coresight: Appropriately disable programming clocks coresight: etm4x: Support atclk coresight: catu: Support atclk ... 2025-09-15T14:09:42+00:00 Mateusz Guzik mjguzik@gmail.com 2025-09-15T12:57:29+00:00 urn:sha1:f99b3917789d83ea89b24b722d784956f8289f45 generic_delete_inode() is rather misleading for what the routine is doing. inode_just_drop() should be much clearer. The new naming is inconsistent with generic_drop_inode(), so rename that one as well with inode_ as the suffix. No functional changes. Signed-off-by: Mateusz Guzik <mjguzik@gmail.com> Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org> 2025-09-06T14:00:54+00:00 Thorsten Blum thorsten.blum@linux.dev 2025-09-05T10:32:44+00:00 urn:sha1:0c82fd9609a1e4bf1db84b0fd56bc3b2773da179 Replace kzalloc() followed by copy_from_user() with memdup_user_nul() to improve and simplify remote_settings_file_write(). No functional changes intended. Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Link: https://lore.kernel.org/r/20250905103247.423840-2-thorsten.blum@linux.dev Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-10-18T11:26:16+00:00 Jeff Layton jlayton@kernel.org 2023-10-04T18:51:53+00:00 urn:sha1:4a2ef475464cd823ec8edc6b33b5c1b40f46cb1a Convert to using the new inode timestamp accessor functions. Signed-off-by: Jeff Layton <jlayton@kernel.org> Link: https://lore.kernel.org/r/20231004185347.80880-6-jlayton@kernel.org Signed-off-by: Christian Brauner <brauner@kernel.org> 2023-07-13T08:28:02+00:00 Jeff Layton jlayton@kernel.org 2023-07-05T19:00:44+00:00 urn:sha1:41441cecd10f565d18668216dc46b634bcc2cada In later patches, we're going to change how the inode's ctime field is used. Switch to using accessor functions instead of raw accesses of inode->i_ctime. Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Jan Kara <jack@suse.cz> Message-Id: <20230705190309.579783-17-jlayton@kernel.org> Signed-off-by: Christian Brauner <brauner@kernel.org> 2021-07-05T20:42:16+00:00 Linus Torvalds torvalds@linux-foundation.org 2021-07-05T20:42:16+00:00 urn:sha1:eed0218e8cae9fcd186c30e9fcf5fe46a87e056e Pull char / misc driver updates from Greg KH: "Here is the big set of char / misc and other driver subsystem updates for 5.14-rc1. Included in here are: - habanalabs driver updates - fsl-mc driver updates - comedi driver updates - fpga driver updates - extcon driver updates - interconnect driver updates - mei driver updates - nvmem driver updates - phy driver updates - pnp driver updates - soundwire driver updates - lots of other tiny driver updates for char and misc drivers This is looking more and more like the "various driver subsystems mushed together" tree... All of these have been in linux-next for a while with no reported issues" * tag 'char-misc-5.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (292 commits) mcb: Use DEFINE_RES_MEM() helper macro and fix the end address PNP: moved EXPORT_SYMBOL so that it immediately followed its function/variable bus: mhi: pci-generic: Add missing 'pci_disable_pcie_error_reporting()' calls bus: mhi: Wait for M2 state during system resume bus: mhi: core: Fix power down latency intel_th: Wait until port is in reset before programming it intel_th: msu: Make contiguous buffers uncached intel_th: Remove an unused exit point from intel_th_remove() stm class: Spelling fix nitro_enclaves: Set Bus Master for the NE PCI device misc: ibmasm: Modify matricies to matrices misc: vmw_vmci: return the correct errno code siox: Simplify error handling via dev_err_probe() fpga: machxo2-spi: Address warning about unused variable lkdtm/heap: Add init_on_alloc tests selftests/lkdtm: Enable various testable CONFIGs lkdtm: Add CONFIG hints in errors where possible lkdtm: Enable DOUBLE_FAULT on all architectures lkdtm/heap: Add vmalloc linear overflow test lkdtm/bugs: XFAIL UNALIGNED_LOAD_STORE_WRITE ... 2021-07-01T18:06:04+00:00 Andy Shevchenko andriy.shevchenko@linux.intel.com 2021-07-01T01:54:59+00:00 urn:sha1:f39650de687e35766572ac89dbcd16a5911e2f0a kernel.h is being used as a dump for all kinds of stuff for a long time. Here is the attempt to start cleaning it up by splitting out panic and oops helpers. There are several purposes of doing this: - dropping dependency in bug.h - dropping a loop by moving out panic_notifier.h - unload kernel.h from something which has its own domain At the same time convert users tree-wide to use new headers, although for the time being include new header back to kernel.h to avoid twisted indirected includes for existing users. [akpm@linux-foundation.org: thread_info.h needs limits.h] [andriy.shevchenko@linux.intel.com: ia64 fix] Link: https://lkml.kernel.org/r/20210520130557.55277-1-andriy.shevchenko@linux.intel.com Link: https://lkml.kernel.org/r/20210511074137.33666-1-andriy.shevchenko@linux.intel.com Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> Co-developed-by: Andrew Morton <akpm@linux-foundation.org> Acked-by: Mike Rapoport <rppt@linux.ibm.com> Acked-by: Corey Minyard <cminyard@mvista.com> Acked-by: Christian Brauner <christian.brauner@ubuntu.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Kees Cook <keescook@chromium.org> Acked-by: Wei Liu <wei.liu@kernel.org> Acked-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Acked-by: Sebastian Reichel <sre@kernel.org> Acked-by: Luis Chamberlain <mcgrof@kernel.org> Acked-by: Stephen Boyd <sboyd@kernel.org> Acked-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de> Acked-by: Helge Deller <deller@gmx.de> # parisc Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>