From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Lin Ma <linma@zju.edu.cn>,
Steffen Klassert <steffen.klassert@secunet.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 076/135] net: xfrm: Fix xfrm_address_filter OOB read
Date: Thu, 24 Aug 2023 16:50:19 +0200 [thread overview]
Message-ID: <20230824145030.156635671@linuxfoundation.org> (raw)
In-Reply-To: <20230824145027.008282920@linuxfoundation.org>
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit dfa73c17d55b921e1d4e154976de35317e43a93a ]
We found below OOB crash:
[ 44.211730] ==================================================================
[ 44.212045] BUG: KASAN: slab-out-of-bounds in memcmp+0x8b/0xb0
[ 44.212045] Read of size 8 at addr ffff88800870f320 by task poc.xfrm/97
[ 44.212045]
[ 44.212045] CPU: 0 PID: 97 Comm: poc.xfrm Not tainted 6.4.0-rc7-00072-gdad9774deaf1-dirty #4
[ 44.212045] Call Trace:
[ 44.212045] <TASK>
[ 44.212045] dump_stack_lvl+0x37/0x50
[ 44.212045] print_report+0xcc/0x620
[ 44.212045] ? __virt_addr_valid+0xf3/0x170
[ 44.212045] ? memcmp+0x8b/0xb0
[ 44.212045] kasan_report+0xb2/0xe0
[ 44.212045] ? memcmp+0x8b/0xb0
[ 44.212045] kasan_check_range+0x39/0x1c0
[ 44.212045] memcmp+0x8b/0xb0
[ 44.212045] xfrm_state_walk+0x21c/0x420
[ 44.212045] ? __pfx_dump_one_state+0x10/0x10
[ 44.212045] xfrm_dump_sa+0x1e2/0x290
[ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10
[ 44.212045] ? __kernel_text_address+0xd/0x40
[ 44.212045] ? kasan_unpoison+0x27/0x60
[ 44.212045] ? mutex_lock+0x60/0xe0
[ 44.212045] ? __pfx_mutex_lock+0x10/0x10
[ 44.212045] ? kasan_save_stack+0x22/0x50
[ 44.212045] netlink_dump+0x322/0x6c0
[ 44.212045] ? __pfx_netlink_dump+0x10/0x10
[ 44.212045] ? mutex_unlock+0x7f/0xd0
[ 44.212045] ? __pfx_mutex_unlock+0x10/0x10
[ 44.212045] __netlink_dump_start+0x353/0x430
[ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410
[ 44.212045] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10
[ 44.212045] ? __pfx_xfrm_dump_sa_done+0x10/0x10
[ 44.212045] ? __stack_depot_save+0x382/0x4e0
[ 44.212045] ? filter_irq_stacks+0x1c/0x70
[ 44.212045] ? kasan_save_stack+0x32/0x50
[ 44.212045] ? kasan_save_stack+0x22/0x50
[ 44.212045] ? kasan_set_track+0x25/0x30
[ 44.212045] ? __kasan_slab_alloc+0x59/0x70
[ 44.212045] ? kmem_cache_alloc_node+0xf7/0x260
[ 44.212045] ? kmalloc_reserve+0xab/0x120
[ 44.212045] ? __alloc_skb+0xcf/0x210
[ 44.212045] ? netlink_sendmsg+0x509/0x700
[ 44.212045] ? sock_sendmsg+0xde/0xe0
[ 44.212045] ? __sys_sendto+0x18d/0x230
[ 44.212045] ? __x64_sys_sendto+0x71/0x90
[ 44.212045] ? do_syscall_64+0x3f/0x90
[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045] ? netlink_sendmsg+0x509/0x700
[ 44.212045] ? sock_sendmsg+0xde/0xe0
[ 44.212045] ? __sys_sendto+0x18d/0x230
[ 44.212045] ? __x64_sys_sendto+0x71/0x90
[ 44.212045] ? do_syscall_64+0x3f/0x90
[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045] ? kasan_save_stack+0x22/0x50
[ 44.212045] ? kasan_set_track+0x25/0x30
[ 44.212045] ? kasan_save_free_info+0x2e/0x50
[ 44.212045] ? __kasan_slab_free+0x10a/0x190
[ 44.212045] ? kmem_cache_free+0x9c/0x340
[ 44.212045] ? netlink_recvmsg+0x23c/0x660
[ 44.212045] ? sock_recvmsg+0xeb/0xf0
[ 44.212045] ? __sys_recvfrom+0x13c/0x1f0
[ 44.212045] ? __x64_sys_recvfrom+0x71/0x90
[ 44.212045] ? do_syscall_64+0x3f/0x90
[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045] ? copyout+0x3e/0x50
[ 44.212045] netlink_rcv_skb+0xd6/0x210
[ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[ 44.212045] ? __pfx_netlink_rcv_skb+0x10/0x10
[ 44.212045] ? __pfx_sock_has_perm+0x10/0x10
[ 44.212045] ? mutex_lock+0x8d/0xe0
[ 44.212045] ? __pfx_mutex_lock+0x10/0x10
[ 44.212045] xfrm_netlink_rcv+0x44/0x50
[ 44.212045] netlink_unicast+0x36f/0x4c0
[ 44.212045] ? __pfx_netlink_unicast+0x10/0x10
[ 44.212045] ? netlink_recvmsg+0x500/0x660
[ 44.212045] netlink_sendmsg+0x3b7/0x700
[ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10
[ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10
[ 44.212045] sock_sendmsg+0xde/0xe0
[ 44.212045] __sys_sendto+0x18d/0x230
[ 44.212045] ? __pfx___sys_sendto+0x10/0x10
[ 44.212045] ? rcu_core+0x44a/0xe10
[ 44.212045] ? __rseq_handle_notify_resume+0x45b/0x740
[ 44.212045] ? _raw_spin_lock_irq+0x81/0xe0
[ 44.212045] ? __pfx___rseq_handle_notify_resume+0x10/0x10
[ 44.212045] ? __pfx_restore_fpregs_from_fpstate+0x10/0x10
[ 44.212045] ? __pfx_blkcg_maybe_throttle_current+0x10/0x10
[ 44.212045] ? __pfx_task_work_run+0x10/0x10
[ 44.212045] __x64_sys_sendto+0x71/0x90
[ 44.212045] do_syscall_64+0x3f/0x90
[ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045] RIP: 0033:0x44b7da
[ 44.212045] RSP: 002b:00007ffdc8838548 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 44.212045] RAX: ffffffffffffffda RBX: 00007ffdc8839978 RCX: 000000000044b7da
[ 44.212045] RDX: 0000000000000038 RSI: 00007ffdc8838770 RDI: 0000000000000003
[ 44.212045] RBP: 00007ffdc88385b0 R08: 00007ffdc883858c R09: 000000000000000c
[ 44.212045] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 44.212045] R13: 00007ffdc8839968 R14: 00000000004c37d0 R15: 0000000000000001
[ 44.212045] </TASK>
[ 44.212045]
[ 44.212045] Allocated by task 97:
[ 44.212045] kasan_save_stack+0x22/0x50
[ 44.212045] kasan_set_track+0x25/0x30
[ 44.212045] __kasan_kmalloc+0x7f/0x90
[ 44.212045] __kmalloc_node_track_caller+0x5b/0x140
[ 44.212045] kmemdup+0x21/0x50
[ 44.212045] xfrm_dump_sa+0x17d/0x290
[ 44.212045] netlink_dump+0x322/0x6c0
[ 44.212045] __netlink_dump_start+0x353/0x430
[ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410
[ 44.212045] netlink_rcv_skb+0xd6/0x210
[ 44.212045] xfrm_netlink_rcv+0x44/0x50
[ 44.212045] netlink_unicast+0x36f/0x4c0
[ 44.212045] netlink_sendmsg+0x3b7/0x700
[ 44.212045] sock_sendmsg+0xde/0xe0
[ 44.212045] __sys_sendto+0x18d/0x230
[ 44.212045] __x64_sys_sendto+0x71/0x90
[ 44.212045] do_syscall_64+0x3f/0x90
[ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045]
[ 44.212045] The buggy address belongs to the object at ffff88800870f300
[ 44.212045] which belongs to the cache kmalloc-64 of size 64
[ 44.212045] The buggy address is located 32 bytes inside of
[ 44.212045] allocated 36-byte region [ffff88800870f300, ffff88800870f324)
[ 44.212045]
[ 44.212045] The buggy address belongs to the physical page:
[ 44.212045] page:00000000e4de16ee refcount:1 mapcount:0 mapping:000000000 ...
[ 44.212045] flags: 0x100000000000200(slab|node=0|zone=1)
[ 44.212045] page_type: 0xffffffff()
[ 44.212045] raw: 0100000000000200 ffff888004c41640 dead000000000122 0000000000000000
[ 44.212045] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 44.212045] page dumped because: kasan: bad access detected
[ 44.212045]
[ 44.212045] Memory state around the buggy address:
[ 44.212045] ffff88800870f200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 44.212045] ffff88800870f280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 44.212045] >ffff88800870f300: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc
[ 44.212045] ^
[ 44.212045] ffff88800870f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.212045] ffff88800870f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.212045] ==================================================================
By investigating the code, we find the root cause of this OOB is the lack
of checks in xfrm_dump_sa(). The buggy code allows a malicious user to pass
arbitrary value of filter->splen/dplen. Hence, with crafted xfrm states,
the attacker can achieve 8 bytes heap OOB read, which causes info leak.
if (attrs[XFRMA_ADDRESS_FILTER]) {
filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]),
sizeof(*filter), GFP_KERNEL);
if (filter == NULL)
return -ENOMEM;
// NO MORE CHECKS HERE !!!
}
This patch fixes the OOB by adding necessary boundary checks, just like
the code in pfkey_dump() function.
Fixes: d3623099d350 ("ipsec: add support of limited SA dump")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_user.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c6bf3898d1bf0..025401bfa3e1e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1062,6 +1062,15 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
sizeof(*filter), GFP_KERNEL);
if (filter == NULL)
return -ENOMEM;
+
+ /* see addr_match(), (prefix length >> 5) << 2
+ * will be used to compare xfrm_address_t
+ */
+ if (filter->splen > (sizeof(xfrm_address_t) << 3) ||
+ filter->dplen > (sizeof(xfrm_address_t) << 3)) {
+ kfree(filter);
+ return -EINVAL;
+ }
}
if (attrs[XFRMA_PROTO])
--
2.40.1
next prev parent reply other threads:[~2023-08-24 15:01 UTC|newest]
Thread overview: 143+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-24 14:49 [PATCH 5.10 000/135] 5.10.191-rc1 review Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 001/135] mmc: sdhci-f-sdh30: Replace with sdhci_pltfm Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 002/135] macsec: Fix traffic counters/statistics Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 003/135] macsec: use DEV_STATS_INC() Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 004/135] net/mlx5: Refactor init clock function Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 005/135] net/mlx5: Move all internal timer metadata into a dedicated struct Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 006/135] net/mlx5: Skip clock update work when device is in error state Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 007/135] drm/radeon: Fix integer overflow in radeon_cs_parser_init Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 008/135] ALSA: emu10k1: roll up loops in DSP setup code for Audigy Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 009/135] ASoC: Intel: sof_sdw: add quirk for MTL RVP Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 010/135] ASoC: Intel: sof_sdw: add quirk for LNL RVP Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 011/135] PCI: tegra194: Fix possible array out of bounds access Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 012/135] ARM: dts: imx6dl: prtrvt, prtvt7, prti6q, prtwd2: fix USB related warnings Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 013/135] ASoC: Intel: sof_sdw: Add support for Rex soundwire Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 014/135] iopoll: Call cpu_relax() in busy loops Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 015/135] quota: Properly disable quotas when add_dquot_ref() fails Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 016/135] quota: fix warning in dqgrab() Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 017/135] dma-remap: use kvmalloc_array/kvfree for larger dma memory remap Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 018/135] drm/amdgpu: install stub fence into potential unused fence pointers Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 019/135] HID: add quirk for 03f0:464a HP Elite Presenter Mouse Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 020/135] RDMA/mlx5: Return the firmware result upon destroying QP/RQ Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 021/135] ovl: check type and offset of struct vfsmount in ovl_entry Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 022/135] udf: Fix uninitialized array access for some pathnames Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 023/135] fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 024/135] MIPS: dec: prom: Address -Warray-bounds warning Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 025/135] FS: JFS: Fix null-ptr-deref Read in txBegin Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 026/135] FS: JFS: Check for read-only mounted filesystem " Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 027/135] media: v4l2-mem2mem: add lock to protect parameter num_rdy Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 028/135] usb: gadget: u_serial: Avoid spinlock recursion in __gs_console_push Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 029/135] media: platform: mediatek: vpu: fix NULL ptr dereference Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 030/135] usb: chipidea: imx: dont request QoS for imx8ulp Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 031/135] usb: chipidea: imx: add missing USB PHY DPDM wakeup setting Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 032/135] gfs2: Fix possible data races in gfs2_show_options() Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 033/135] pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 034/135] Bluetooth: L2CAP: Fix use-after-free Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 035/135] Bluetooth: btusb: Add MT7922 bluetooth ID for the Asus Ally Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 036/135] drm/amdgpu: Fix potential fence use-after-free v2 Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 037/135] ALSA: hda/realtek: Add quirks for Unis H3C Desktop B760 & Q760 Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 038/135] ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync() Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 039/135] powerpc/kasan: Disable KCOV in KASAN code Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 040/135] ring-buffer: Do not swap cpu_buffer during resize process Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 041/135] IMA: allow/fix UML builds Greg Kroah-Hartman
2023-08-24 14:49 ` Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 042/135] iio: add addac subdirectory Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 043/135] dt-bindings: iio: add AD74413R Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 044/135] iio: adc: stx104: Utilize iomap interface Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 045/135] iio: adc: stx104: Implement and utilize register structures Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 046/135] iio: addac: stx104: Fix race condition for stx104_write_raw() Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 047/135] iio: addac: stx104: Fix race condition when converting analog-to-digital Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 048/135] bus: mhi: Add MHI PCI support for WWAN modems Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 049/135] bus: mhi: Add MMIO region length to controller structure Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 050/135] bus: mhi: Move host MHI code to "host" directory Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 051/135] bus: mhi: host: Range check CHDBOFF and ERDBOFF Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 052/135] irqchip/mips-gic: Get rid of the reliance on irq_cpu_online() Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 053/135] irqchip/mips-gic: Use raw spinlock for gic_lock Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 054/135] usb: cdnsp: Device side header file for CDNSP driver Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 055/135] usb: gadget: udc: core: Introduce check_config to verify USB configuration Greg Kroah-Hartman
2023-08-24 14:49 ` [PATCH 5.10 056/135] usb: cdns3: allocate TX FIFO size according to composite EP number Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 057/135] usb: cdns3: fix NCM gadget RX speed 20x slow than expection at iMX8QM Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 058/135] USB: dwc3: qcom: fix NULL-deref on suspend Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 059/135] mmc: bcm2835: fix deferred probing Greg Kroah-Hartman
2023-08-26 15:39 ` Sergey Shtylyov
2023-08-24 14:50 ` [PATCH 5.10 060/135] mmc: sunxi: " Greg Kroah-Hartman
2023-08-26 15:45 ` Sergey Shtylyov
2023-08-24 14:50 ` [PATCH 5.10 061/135] mmc: core: add devm_mmc_alloc_host Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 062/135] mmc: meson-gx: use devm_mmc_alloc_host Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 063/135] mmc: meson-gx: fix deferred probing Greg Kroah-Hartman
2023-08-26 15:57 ` Sergey Shtylyov
2023-08-24 14:50 ` [PATCH 5.10 064/135] tracing/probes: Have process_fetch_insn() take a void * instead of pt_regs Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 065/135] tracing/probes: Fix to update dynamic data counter if fetcharg uses it Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 066/135] net/ncsi: change from ndo_set_mac_address to dev_set_mac_address Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 067/135] virtio-mmio: Use to_virtio_mmio_device() to simply code Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 068/135] virtio-mmio: dont break lifecycle of vm_dev Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 069/135] i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 070/135] fbdev: mmp: fix value check in mmphw_probe() Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 071/135] powerpc/rtas_flash: allow user copy to flash block cache objects Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 072/135] tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 073/135] tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32 platforms Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 074/135] btrfs: fix BUG_ON condition in btrfs_cancel_balance Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 075/135] i2c: designware: Handle invalid SMBus block data response length value Greg Kroah-Hartman
2023-08-24 14:50 ` Greg Kroah-Hartman [this message]
2023-08-24 14:50 ` [PATCH 5.10 077/135] net: af_key: fix sadb_x_filter validation Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 078/135] net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 079/135] xfrm: fix slab-use-after-free in decode_session6 Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 080/135] ip6_vti: " Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 081/135] ip_vti: fix potential " Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 082/135] xfrm: add NULL check in xfrm_update_ae_params Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 083/135] xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 084/135] selftests: mirror_gre_changes: Tighten up the TTL test match Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 085/135] drm/panel: simple: Fix AUO G121EAN01 panel timings according to the docs Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 086/135] ipvs: fix racy memcpy in proc_do_sync_threshold Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 087/135] netfilter: nft_dynset: disallow object maps Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 088/135] net: phy: broadcom: stub c45 read/write for 54810 Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 089/135] team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 090/135] i40e: fix misleading debug logs Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 091/135] net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 092/135] sock: Fix misuse of sk_under_memory_pressure() Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 093/135] net: do not allow gso_size to be set to GSO_BY_FRAGS Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 094/135] bus: ti-sysc: Flush posted write on enable before reset Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 095/135] arm64: dts: rockchip: fix supplies on rk3399-rock-pi-4 Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 096/135] arm64: dts: rockchip: use USB host by default " Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 097/135] arm64: dts: rockchip: add ES8316 codec for ROCK Pi 4 Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 098/135] arm64: dts: rockchip: add SPDIF node " Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 099/135] arm64: dts: rockchip: fix regulator name on rk3399-rock-4 Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 100/135] arm64: dts: rockchip: sort nodes/properties " Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 101/135] arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4 Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 102/135] ASoC: rt5665: add missed regulator_bulk_disable Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 103/135] ASoC: meson: axg-tdm-formatter: fix channel slot allocation Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 104/135] ALSA: hda/realtek - Remodified 3k pull low procedure Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 105/135] riscv: __asm_copy_to-from_user: Optimize unaligned memory access and pipeline stall Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 106/135] riscv: lib: uaccess: fold fixups into body Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 107/135] riscv: lib: uaccess: fix CSR_STATUS SR_SUM bit Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 108/135] riscv: uaccess: Return the number of bytes effectively not copied Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 109/135] serial: 8250: Fix oops for port->pm on uart_change_pm() Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 110/135] ALSA: usb-audio: Add support for Mythware XA001AU capture and playback interfaces Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 111/135] cifs: Release folio lock on fscache read hit Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 112/135] mmc: wbsd: fix double mmc_free_host() in wbsd_init() Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 113/135] mmc: block: Fix in_flight[issue_type] value error Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 114/135] netfilter: set default timeout to 3 secs for sctp shutdown send and recv state Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 115/135] af_unix: Fix null-ptr-deref in unix_stream_sendpage() Greg Kroah-Hartman
2023-08-24 14:50 ` [PATCH 5.10 116/135] virtio-net: set queues after driver_ok Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 117/135] net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 118/135] mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 119/135] x86/cpu: Fix __x86_return_thunk symbol type Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 120/135] x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk() Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 121/135] x86/alternative: Make custom return thunk unconditional Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 122/135] objtool: Add frame-pointer-specific function ignore Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 123/135] x86/ibt: Add ANNOTATE_NOENDBR Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 124/135] x86/cpu: Clean up SRSO return thunk mess Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 125/135] x86/cpu: Rename original retbleed methods Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 126/135] x86/cpu: Rename srso_(.*)_alias to srso_alias_\1 Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 127/135] x86/cpu: Cleanup the untrain mess Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 128/135] x86/srso: Explain the untraining sequences a bit more Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 129/135] x86/static_call: Fix __static_call_fixup() Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 130/135] x86/retpoline: Dont clobber RFLAGS during srso_safe_ret() Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 131/135] x86/CPU/AMD: Fix the DIV(0) initial fix attempt Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 132/135] x86/srso: Disable the mitigation on unaffected configurations Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 133/135] x86/retpoline,kprobes: Fix position of thunk sections with CONFIG_LTO_CLANG Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 134/135] objtool/x86: Fixup frame-pointer vs rethunk Greg Kroah-Hartman
2023-08-24 14:51 ` [PATCH 5.10 135/135] x86/srso: Correct the mitigation status when SMT is disabled Greg Kroah-Hartman
2023-08-24 16:05 ` [PATCH 5.10 000/135] 5.10.191-rc1 review Alexey Khoroshilov
2023-08-24 16:38 ` Greg Kroah-Hartman
-- strict thread matches above, loose matches on Subject: below --
2023-08-24 17:07 [PATCH 5.10 000/135] 5.10.192-rc1 review Greg Kroah-Hartman
2023-08-24 17:09 ` [PATCH 5.10 076/135] net: xfrm: Fix xfrm_address_filter OOB read Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230824145030.156635671@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linma@zju.edu.cn \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.