From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Olivier Sobrie <olivier@sobrie.be>,
Basavaraj Natikar <Basavaraj.Natikar@amd.com>,
Jiri Kosina <jkosina@suse.com>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 164/214] HID: amd_sfh: free driver_data after destroying hid device
Date: Tue, 10 Sep 2024 11:33:06 +0200 [thread overview]
Message-ID: <20240910092605.393048315@linuxfoundation.org> (raw)
In-Reply-To: <20240910092558.714365667@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Olivier Sobrie <olivier@sobrie.be>
[ Upstream commit 97155021ae17b86985121b33cf8098bcde00d497 ]
HID driver callbacks aren't called anymore once hid_destroy_device() has
been called. Hence, hid driver_data should be freed only after the
hid_destroy_device() function returned as driver_data is used in several
callbacks.
I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling
KASAN to debug memory allocation, I got this output:
[ 13.050438] ==================================================================
[ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh]
[ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3
[ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479
[ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
[ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
[ 13.067860] Call Trace:
[ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8
[ 13.071486] <TASK>
[ 13.071492] dump_stack_lvl+0x5d/0x80
[ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002)
[ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.082199] print_report+0x174/0x505
[ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.093255] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.097464] kasan_report+0xc8/0x150
[ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]
[ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0
[ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]
[ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.150446] ? __devm_add_action+0x167/0x1d0
[ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.161814] platform_probe+0xa2/0x150
[ 13.165029] really_probe+0x1e3/0x8a0
[ 13.168243] __driver_probe_device+0x18c/0x370
[ 13.171500] driver_probe_device+0x4a/0x120
[ 13.175000] __driver_attach+0x190/0x4a0
[ 13.178521] ? __pfx___driver_attach+0x10/0x10
[ 13.181771] bus_for_each_dev+0x106/0x180
[ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10
[ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.194382] bus_add_driver+0x29e/0x4d0
[ 13.197328] driver_register+0x1a5/0x360
[ 13.200283] ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.203362] do_one_initcall+0xa7/0x380
[ 13.206432] ? __pfx_do_one_initcall+0x10/0x10
[ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.213211] ? kasan_unpoison+0x44/0x70
[ 13.216688] do_init_module+0x238/0x750
[ 13.219696] load_module+0x5011/0x6af0
[ 13.223096] ? kasan_save_stack+0x30/0x50
[ 13.226743] ? kasan_save_track+0x14/0x30
[ 13.230080] ? kasan_save_free_info+0x3b/0x60
[ 13.233323] ? poison_slab_object+0x109/0x180
[ 13.236778] ? __pfx_load_module+0x10/0x10
[ 13.239703] ? poison_slab_object+0x109/0x180
[ 13.243070] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.245924] ? init_module_from_file+0x13d/0x150
[ 13.248745] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.251503] ? init_module_from_file+0xdf/0x150
[ 13.254198] init_module_from_file+0xdf/0x150
[ 13.256826] ? __pfx_init_module_from_file+0x10/0x10
[ 13.259428] ? kasan_save_track+0x14/0x30
[ 13.261959] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.264471] ? kasan_save_free_info+0x3b/0x60
[ 13.267026] ? poison_slab_object+0x109/0x180
[ 13.269494] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.271949] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.274324] ? _raw_spin_lock+0x85/0xe0
[ 13.276671] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.278963] ? __rseq_handle_notify_resume+0x1a6/0xad0
[ 13.281193] idempotent_init_module+0x23b/0x650
[ 13.283420] ? __pfx_idempotent_init_module+0x10/0x10
[ 13.285619] ? __pfx___seccomp_filter+0x10/0x10
[ 13.287714] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.289828] ? __fget_light+0x57/0x420
[ 13.291870] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.293880] ? security_capable+0x74/0xb0
[ 13.295820] __x64_sys_finit_module+0xbe/0x130
[ 13.297874] do_syscall_64+0x82/0x190
[ 13.299898] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.301905] ? irqtime_account_irq+0x3d/0x1f0
[ 13.303877] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.305753] ? __irq_exit_rcu+0x4e/0x130
[ 13.307577] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.309489] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 13.311371] RIP: 0033:0x7a21f96ade9d
[ 13.313234] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 63 de 0c 00 f7 d8 64 89 01 48
[ 13.317051] RSP: 002b:00007ffeae934e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 13.319024] RAX: ffffffffffffffda RBX: 00005987276bfcf0 RCX: 00007a21f96ade9d
[ 13.321100] RDX: 0000000000000004 RSI: 00007a21f8eda376 RDI: 000000000000001c
[ 13.323314] RBP: 00007a21f8eda376 R08: 0000000000000001 R09: 00007ffeae934ec0
[ 13.325505] R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000
[ 13.327637] R13: 00005987276c1250 R14: 0000000000000000 R15: 00005987276c4530
[ 13.329737] </TASK>
[ 13.333945] Allocated by task 139:
[ 13.336111] kasan_save_stack+0x30/0x50
[ 13.336121] kasan_save_track+0x14/0x30
[ 13.336125] __kasan_kmalloc+0xaa/0xb0
[ 13.336129] amdtp_hid_probe+0xb1/0x440 [amd_sfh]
[ 13.336138] amd_sfh_hid_client_init+0xb8a/0x10f0 [amd_sfh]
[ 13.336144] sfh_init_work+0x47/0x120 [amd_sfh]
[ 13.336150] process_one_work+0x673/0xeb0
[ 13.336155] worker_thread+0x795/0x1250
[ 13.336160] kthread+0x290/0x350
[ 13.336164] ret_from_fork+0x34/0x70
[ 13.336169] ret_from_fork_asm+0x1a/0x30
[ 13.338175] Freed by task 139:
[ 13.340064] kasan_save_stack+0x30/0x50
[ 13.340072] kasan_save_track+0x14/0x30
[ 13.340076] kasan_save_free_info+0x3b/0x60
[ 13.340081] poison_slab_object+0x109/0x180
[ 13.340085] __kasan_slab_free+0x32/0x50
[ 13.340089] kfree+0xe5/0x310
[ 13.340094] amdtp_hid_remove+0xb2/0x160 [amd_sfh]
[ 13.340102] amd_sfh_hid_client_deinit+0x324/0x640 [amd_sfh]
[ 13.340107] amd_sfh_hid_client_init+0x94a/0x10f0 [amd_sfh]
[ 13.340113] sfh_init_work+0x47/0x120 [amd_sfh]
[ 13.340118] process_one_work+0x673/0xeb0
[ 13.340123] worker_thread+0x795/0x1250
[ 13.340127] kthread+0x290/0x350
[ 13.340132] ret_from_fork+0x34/0x70
[ 13.340136] ret_from_fork_asm+0x1a/0x30
[ 13.342482] The buggy address belongs to the object at ffff88813152f400
which belongs to the cache kmalloc-64 of size 64
[ 13.347357] The buggy address is located 8 bytes inside of
freed 64-byte region [ffff88813152f400, ffff88813152f440)
[ 13.347367] The buggy address belongs to the physical page:
[ 13.355409] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13152f
[ 13.355416] anon flags: 0x2ffff8000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 13.355423] page_type: 0xffffefff(slab)
[ 13.355429] raw: 02ffff8000000000 ffff8881000428c0 ffffea0004c43a00 0000000000000005
[ 13.355435] raw: 0000000000000000 0000000000200020 00000001ffffefff 0000000000000000
[ 13.355439] page dumped because: kasan: bad access detected
[ 13.357295] Memory state around the buggy address:
[ 13.357299] ffff88813152f300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.357303] ffff88813152f380: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.357306] >ffff88813152f400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 13.357309] ^
[ 13.357311] ffff88813152f480: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 13.357315] ffff88813152f500: 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc
[ 13.357318] ==================================================================
[ 13.357405] Disabling lock debugging due to kernel taint
[ 13.383534] Oops: general protection fault, probably for non-canonical address 0xe0a1bc4140000013: 0000 [#1] PREEMPT SMP KASAN NOPTI
[ 13.383544] KASAN: maybe wild-memory-access in range [0x050e020a00000098-0x050e020a0000009f]
[ 13.383551] CPU: 3 PID: 479 Comm: (udev-worker) Tainted: G B 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
[ 13.383561] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
[ 13.383565] RIP: 0010:amd_sfh_get_report+0x81/0x530 [amd_sfh]
[ 13.383580] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 78 03 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 08 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 1a 03 00 00 45 8b 74 24 10 45
[ 13.383585] RSP: 0018:ffff8881261f7388 EFLAGS: 00010212
[ 13.383592] RAX: dffffc0000000000 RBX: ffff88813152f400 RCX: 0000000000000002
[ 13.383597] RDX: 00a1c04140000013 RSI: 0000000000000008 RDI: 050e020a0000009b
[ 13.383600] RBP: ffff88814d010000 R08: 0000000000000002 R09: fffffbfff3ddb8c0
[ 13.383604] R10: ffffffff9eedc607 R11: ffff88810ce98000 R12: 050e020a0000008b
[ 13.383607] R13: ffff88814d010000 R14: dffffc0000000000 R15: 0000000000000004
[ 13.383611] FS: 00007a21f94d0880(0000) GS:ffff8887e7d80000(0000) knlGS:0000000000000000
[ 13.383615] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 13.383618] CR2: 00007e0014c438f0 CR3: 000000012614c000 CR4: 0000000000f50ef0
[ 13.383622] PKRU: 55555554
[ 13.383625] Call Trace:
[ 13.383629] <TASK>
[ 13.383632] ? __die_body.cold+0x19/0x27
[ 13.383644] ? die_addr+0x46/0x70
[ 13.383652] ? exc_general_protection+0x150/0x240
[ 13.383664] ? asm_exc_general_protection+0x26/0x30
[ 13.383674] ? amd_sfh_get_report+0x81/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.383686] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.383697] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
[ 13.383706] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383713] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]
[ 13.383727] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.383739] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383745] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
[ 13.383753] ? _raw_spin_lock_irqsave+0x96/0xf0
[ 13.383762] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 13.383768] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]
[ 13.383790] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383795] ? __devm_add_action+0x167/0x1d0
[ 13.383806] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.383818] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383826] platform_probe+0xa2/0x150
[ 13.383832] really_probe+0x1e3/0x8a0
[ 13.383838] __driver_probe_device+0x18c/0x370
[ 13.383844] driver_probe_device+0x4a/0x120
[ 13.383851] __driver_attach+0x190/0x4a0
[ 13.383857] ? __pfx___driver_attach+0x10/0x10
[ 13.383863] bus_for_each_dev+0x106/0x180
[ 13.383868] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.383874] ? __pfx_bus_for_each_dev+0x10/0x10
[ 13.383880] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383887] bus_add_driver+0x29e/0x4d0
[ 13.383895] driver_register+0x1a5/0x360
[ 13.383902] ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
[ 13.383910] do_one_initcall+0xa7/0x380
[ 13.383919] ? __pfx_do_one_initcall+0x10/0x10
[ 13.383927] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.383933] ? kasan_unpoison+0x44/0x70
[ 13.383943] do_init_module+0x238/0x750
[ 13.383955] load_module+0x5011/0x6af0
[ 13.383962] ? kasan_save_stack+0x30/0x50
[ 13.383968] ? kasan_save_track+0x14/0x30
[ 13.383973] ? kasan_save_free_info+0x3b/0x60
[ 13.383980] ? poison_slab_object+0x109/0x180
[ 13.383993] ? __pfx_load_module+0x10/0x10
[ 13.384007] ? poison_slab_object+0x109/0x180
[ 13.384012] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384018] ? init_module_from_file+0x13d/0x150
[ 13.384025] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384032] ? init_module_from_file+0xdf/0x150
[ 13.384037] init_module_from_file+0xdf/0x150
[ 13.384044] ? __pfx_init_module_from_file+0x10/0x10
[ 13.384050] ? kasan_save_track+0x14/0x30
[ 13.384055] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384060] ? kasan_save_free_info+0x3b/0x60
[ 13.384066] ? poison_slab_object+0x109/0x180
[ 13.384071] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384080] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384085] ? _raw_spin_lock+0x85/0xe0
[ 13.384091] ? __pfx__raw_spin_lock+0x10/0x10
[ 13.384096] ? __rseq_handle_notify_resume+0x1a6/0xad0
[ 13.384106] idempotent_init_module+0x23b/0x650
[ 13.384114] ? __pfx_idempotent_init_module+0x10/0x10
[ 13.384120] ? __pfx___seccomp_filter+0x10/0x10
[ 13.384129] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384135] ? __fget_light+0x57/0x420
[ 13.384142] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384147] ? security_capable+0x74/0xb0
[ 13.384157] __x64_sys_finit_module+0xbe/0x130
[ 13.384164] do_syscall_64+0x82/0x190
[ 13.384174] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384179] ? irqtime_account_irq+0x3d/0x1f0
[ 13.384188] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384193] ? __irq_exit_rcu+0x4e/0x130
[ 13.384201] ? srso_alias_return_thunk+0x5/0xfbef5
[ 13.384206] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 13.384212] RIP: 0033:0x7a21f96ade9d
[ 13.384263] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 63 de 0c 00 f7 d8 64 89 01 48
[ 13.384267] RSP: 002b:00007ffeae934e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 13.384273] RAX: ffffffffffffffda RBX: 00005987276bfcf0 RCX: 00007a21f96ade9d
[ 13.384277] RDX: 0000000000000004 RSI: 00007a21f8eda376 RDI: 000000000000001c
[ 13.384280] RBP: 00007a21f8eda376 R08: 0000000000000001 R09: 00007ffeae934ec0
[ 13.384284] R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000
[ 13.384288] R13: 00005987276c1250 R14: 0000000000000000 R15: 00005987276c4530
[ 13.384297] </TASK>
[ 13.384299] Modules linked in: soundwire_amd(+) hid_sensor_gyro_3d(+) hid_sensor_magn_3d hid_sensor_accel_3d soundwire_generic_allocation amdxcp hid_sensor_trigger drm_exec industrialio_triggered_buffer soundwire_bus gpu_sched kvm_amd kfifo_buf qmi_helpers joydev drm_buddy hid_sensor_iio_common mousedev snd_soc_core industrialio i2c_algo_bit mac80211 snd_compress drm_suballoc_helper kvm snd_hda_intel drm_ttm_helper ac97_bus snd_pcm_dmaengine snd_intel_dspcfg ttm thinkpad_acpi(+) snd_intel_sdw_acpi hid_sensor_hub snd_rpl_pci_acp6x drm_display_helper snd_hda_codec hid_multitouch libarc4 snd_acp_pci platform_profile think_lmi(+) hid_generic firmware_attributes_class wmi_bmof cec snd_acp_legacy_common sparse_keymap rapl snd_hda_core psmouse cfg80211 pcspkr snd_pci_acp6x snd_hwdep video snd_pcm snd_pci_acp5x snd_timer snd_rn_pci_acp3x ucsi_acpi snd_acp_config snd sp5100_tco rfkill snd_soc_acpi typec_ucsi thunderbolt amd_sfh k10temp mhi soundcore i2c_piix4 snd_pci_acp3x typec i2c_hid_acpi roles i2c_hid wmi acpi_tad amd_pmc
[ 13.384454] mac_hid i2c_dev crypto_user loop nfnetlink zram ip_tables x_tables dm_crypt cbc encrypted_keys trusted asn1_encoder tee dm_mod crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic gf128mul ghash_clmulni_intel serio_raw sha512_ssse3 atkbd sha256_ssse3 libps2 sha1_ssse3 vivaldi_fmap nvme aesni_intel crypto_simd nvme_core cryptd ccp xhci_pci i8042 nvme_auth xhci_pci_renesas serio vfat fat btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq
[ 13.384552] ---[ end trace 0000000000000000 ]---
KASAN reports a use-after-free of hid->driver_data in function
amd_sfh_get_report(). The backtrace indicates that the function is called
by amdtp_hid_request() which is one of the callbacks of hid device.
The current make sure that driver_data is freed only once
hid_destroy_device() returned.
Note that I observed the crash both on v6.9.9 and v6.10.0. The
code seems to be as it was from the early days of the driver.
Signed-off-by: Olivier Sobrie <olivier@sobrie.be>
Acked-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/amd-sfh-hid/amd_sfh_hid.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_hid.c b/drivers/hid/amd-sfh-hid/amd_sfh_hid.c
index 3b0615c6aecf..b47228207d98 100644
--- a/drivers/hid/amd-sfh-hid/amd_sfh_hid.c
+++ b/drivers/hid/amd-sfh-hid/amd_sfh_hid.c
@@ -164,11 +164,13 @@ int amdtp_hid_probe(u32 cur_hid_dev, struct amdtp_cl_data *cli_data)
void amdtp_hid_remove(struct amdtp_cl_data *cli_data)
{
int i;
+ struct amdtp_hid_data *hid_data;
for (i = 0; i < cli_data->num_hid_devices; ++i) {
if (cli_data->hid_sensor_hubs[i]) {
- kfree(cli_data->hid_sensor_hubs[i]->driver_data);
+ hid_data = cli_data->hid_sensor_hubs[i]->driver_data;
hid_destroy_device(cli_data->hid_sensor_hubs[i]);
+ kfree(hid_data);
cli_data->hid_sensor_hubs[i] = NULL;
}
}
--
2.43.0
next prev parent reply other threads:[~2024-09-10 10:22 UTC|newest]
Thread overview: 223+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-10 9:30 [PATCH 5.15 000/214] 5.15.167-rc1 review Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 001/214] drm: panel-orientation-quirks: Add quirk for OrangePi Neo Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 002/214] ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 003/214] ALSA: hda/conexant: Mute speakers at suspend / shutdown Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 004/214] i2c: Fix conditional for substituting empty ACPI functions Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 005/214] dma-debug: avoid deadlock between dma debug vs printk and netconsole Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 006/214] net: usb: qmi_wwan: add MeiG Smart SRM825L Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 007/214] drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 008/214] drm/amd/display: Assign linear_pitch_alignment even for VM Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 009/214] drm/amdgpu: fix overflowed array index read warning Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 010/214] drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 011/214] drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 012/214] drm/amd/pm: fix warning using uninitialized value of max_vid_step Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 013/214] drm/amd/pm: fix the Out-of-bounds read warning Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 014/214] drm/amdgpu: fix uninitialized scalar variable warning Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 015/214] drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 016/214] drm/amdgpu: avoid reading vf2pf info size from FB Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 017/214] drm/amd/display: Check gpio_id before used as array index Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 018/214] drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 019/214] drm/amd/display: Add array index check for hdcp ddc access Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 020/214] drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[] Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 021/214] drm/amd/display: Check msg_id before processing transcation Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 022/214] drm/amd/display: Fix Coverity INTEGER_OVERFLOW within dal_gpio_service_create Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 023/214] drm/amd/amdgpu: Check tbo resource pointer Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 024/214] drm/amdgpu/pm: Fix uninitialized variable warning for smu10 Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 025/214] drm/amdgpu/pm: Fix uninitialized variable agc_btc_response Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 026/214] drm/amdgpu: Fix out-of-bounds write warning Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 027/214] drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 028/214] drm/amdgpu: fix ucode out-of-bounds read warning Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 029/214] drm/amdgpu: fix mc_data " Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 030/214] drm/amdkfd: Reconcile the definition and use of oem_id in struct kfd_topology_device Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 031/214] apparmor: fix possible NULL pointer dereference Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 032/214] drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy SOCs Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 033/214] drm/amdgpu: fix the waring dereferencing hive Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 034/214] drm/amd/pm: check specific index for aldebaran Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 035/214] drm/amdgpu: the warning dereferencing obj for nbio_v7_4 Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 036/214] drm/amd/pm: check negtive return for table entries Greg Kroah-Hartman
2024-09-10 9:30 ` [PATCH 5.15 037/214] drm/amdgpu: update type of buf size to u32 for eeprom functions Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 038/214] wifi: iwlwifi: remove fw_running op Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 039/214] cpufreq: scmi: Avoid overflow of target_freq in fast switch Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 040/214] PCI: al: Check IORESOURCE_BUS existence during probe Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 041/214] hwspinlock: Introduce hwspin_lock_bust() Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 042/214] RDMA/efa: Properly handle unexpected AQ completions Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 043/214] ionic: fix potential irq name truncation Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 044/214] rcu/nocb: Remove buggy bypass lock contention mitigation Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 045/214] usbip: Dont submit special requests twice Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 046/214] usb: typec: ucsi: Fix null pointer dereference in trace Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 047/214] fsnotify: clear PARENT_WATCHED flags lazily Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 048/214] smack: tcp: ipv4, fix incorrect labeling Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 049/214] drm/meson: plane: Add error handling Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 050/214] drm/bridge: tc358767: Check if fully initialized before signalling HPD event via IRQ Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 051/214] wifi: cfg80211: make hash table duplicates more survivable Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 052/214] block: remove the blk_flush_integrity call in blk_integrity_unregister Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 053/214] drm/amd/display: Skip wbscl_set_scaler_filter if filter is null Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 054/214] media: uvcvideo: Enforce alignment of frame and interval Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 055/214] drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 056/214] virtio_net: Fix napi_skb_cache_put warning Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 057/214] rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 058/214] ext4: reject casefold inode flag without casefold feature Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 059/214] udf: Limit file size to 4TB Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 060/214] ext4: handle redirtying in ext4_bio_write_page() Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 061/214] i2c: Use IS_REACHABLE() for substituting empty ACPI functions Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 062/214] sch/netem: fix use after free in netem_dequeue Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 063/214] ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 064/214] KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 065/214] KVM: SVM: Dont advertise Bus Lock Detect to guest if SVM support is missing Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 066/214] ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 067/214] ALSA: hda/realtek: add patch for internal mic in Lenovo V145 Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 068/214] ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 069/214] ata: libata: Fix memory leak for error path in ata_host_alloc() Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 070/214] irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init() Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 071/214] rtmutex: Drop rt_mutex::wait_lock before scheduling Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 072/214] nvme-pci: Add sleep quirk for Samsung 990 Evo Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 073/214] Revert "Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE" Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 074/214] Bluetooth: MGMT: Ignore keys being loaded with invalid type Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 075/214] mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 076/214] mmc: sdhci-of-aspeed: fix module autoloading Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 077/214] mmc: cqhci: Fix checking of CQHCI_HALT state Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 078/214] fuse: update stats for pages in dropped aux writeback list Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 079/214] fuse: use unsigned type for getxattr/listxattr size truncation Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 080/214] clk: qcom: clk-alpha-pll: Fix the pll post div mask Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 081/214] clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 082/214] clk: qcom: clk-alpha-pll: Fix zonda set_rate failure when PLL is disabled Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 083/214] clk: qcom: clk-alpha-pll: Update set_rate for Zonda PLL Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 084/214] can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 085/214] tracing: Avoid possible softlockup in tracing_iter_reset() Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 086/214] ila: call nf_unregister_net_hooks() sooner Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 087/214] sched: sch_cake: fix bulk flow accounting logic for host fairness Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 088/214] nilfs2: fix missing cleanup on rollforward recovery error Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 089/214] nilfs2: fix state management in error path of log writing function Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 090/214] mptcp: pm: re-using ID of unused flushed subflows Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 091/214] mptcp: pm: only decrement add_addr_accepted for MPJ req Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 092/214] mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 093/214] mptcp: pm: fullmesh: select the right ID later Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 094/214] mptcp: constify a bunch of of helpers Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 095/214] mptcp: pm: avoid possible UaF when selecting endp Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 096/214] mptcp: avoid duplicated SUB_CLOSED events Greg Kroah-Hartman
2024-09-10 9:31 ` [PATCH 5.15 097/214] mptcp: close subflow when receiving TCP+FIN Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 098/214] mptcp: pm: ADD_ADDR 0 is not a new address Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 099/214] mptcp: pm: do not remove already closed subflows Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 100/214] mptcp: pm: skip connecting to already established sf Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 101/214] mptcp: pr_debug: add missing \n at the end Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 102/214] mptcp: pm: send ACK on an active subflow Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 103/214] ALSA: hda: Add input value sanity checks to HDMI channel map controls Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 104/214] smack: unix sockets: fix accept()ed socket label Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 105/214] irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1 Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 106/214] af_unix: Remove put_pid()/put_cred() in copy_peercred() Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 107/214] iommu: sun50i: clear bypass register Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 108/214] netfilter: nf_conncount: fix wrong variable type Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 109/214] udf: Avoid excessive partition lengths Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 110/214] media: vivid: fix wrong sizeimage value for mplane Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 111/214] leds: spi-byte: Call of_node_put() on error path Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 112/214] wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3 Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 113/214] usb: uas: set host status byte on data completion error Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 114/214] drm/amd/display: Check HDCP returned status Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 115/214] media: vivid: dont set HDMI TX controls if there are no HDMI outputs Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 116/214] PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0) Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 117/214] media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 118/214] pcmcia: Use resource_size function on resource object Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 119/214] drm/amdgpu: check for LINEAR_ALIGNED correctly in check_tiling_flags_gfx6 Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 120/214] can: bcm: Remove proc entry when dev is unregistered Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 121/214] can: m_can: Release irq on error in m_can_open Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 122/214] igb: Fix not clearing TimeSync interrupts for 82580 Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 123/214] platform/x86: dell-smbios: Fix error path in dell_smbios_init() Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 124/214] tcp_bpf: fix return value of tcp_bpf_sendmsg() Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 125/214] igc: Unlock on error in igc_io_resume() Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 126/214] ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 127/214] net: usb: dont write directly to netdev->dev_addr Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 128/214] usbnet: modern method to get random MAC Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 129/214] bareudp: Fix device stats updates Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 130/214] gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 131/214] gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 132/214] fou: Fix null-ptr-deref in GRO Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 133/214] net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 134/214] net: dsa: vsc73xx: fix possible subblocks range of CAPT block Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 135/214] ASoC: topology: Properly initialize soc_enum values Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 136/214] dm init: Handle minors larger than 255 Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 137/214] iommu/vt-d: Handle volatile descriptor status read Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 138/214] cgroup: Protect css->cgroup write under css_set_lock Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 139/214] um: line: always fill *error_out in setup_one_line() Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 140/214] devres: Initialize an uninitialized struct member Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 141/214] pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 142/214] hwmon: (adc128d818) Fix underflows seen when writing limit attributes Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 143/214] hwmon: (lm95234) " Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 144/214] hwmon: (nct6775-core) " Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 145/214] hwmon: (w83627ehf) " Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 146/214] libbpf: Add NULL checks to bpf_object__{prev_map,next_map} Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 147/214] drm/amdgpu: Set no_hw_access when VF request full GPU fails Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 148/214] ext4: fix possible tid_t sequence overflows Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 149/214] dma-mapping: benchmark: Dont starve others when doing the test Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 150/214] wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 151/214] smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu() Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 152/214] fs/ntfs3: Check more cases when directory is corrupted Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 153/214] btrfs: replace BUG_ON with ASSERT in walk_down_proc() Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 154/214] btrfs: clean up our handling of refs == 0 in snapshot delete Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 155/214] btrfs: replace BUG_ON() with error handling at update_ref_for_cow() Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 156/214] riscv: set trap vector earlier Greg Kroah-Hartman
2024-09-10 9:32 ` [PATCH 5.15 157/214] PCI: Add missing bridge lock to pci_bus_lock() Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 158/214] net: dpaa: avoid on-stack arrays of NR_CPUS elements Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 159/214] i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 160/214] kselftests: dmabuf-heaps: Ensure the driver name is null-terminated Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 161/214] btrfs: initialize location to fix -Wmaybe-uninitialized in btrfs_lookup_dentry() Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 162/214] s390/vmlinux.lds.S: Move ro_after_init section behind rodata section Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 163/214] HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup Greg Kroah-Hartman
2024-09-10 9:33 ` Greg Kroah-Hartman [this message]
2024-09-10 9:33 ` [PATCH 5.15 165/214] Input: uinput - reject requests with unreasonable number of slots Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 166/214] usbnet: ipheth: race between ipheth_close and error handling Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 167/214] Squashfs: sanity check symbolic link size Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 168/214] of/irq: Prevent device address out-of-bounds read in interrupt map walk Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 169/214] lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 170/214] MIPS: cevt-r4k: Dont call get_c0_compare_int if timer irq is installed Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 171/214] ata: pata_macio: Use WARN instead of BUG Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 172/214] NFSv4: Add missing rescheduling points in nfs_client_return_marked_delegations Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 173/214] cifs: Check the lease context if we actually got a lease Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 174/214] staging: iio: frequency: ad9834: Validate frequency parameter value Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 175/214] iio: buffer-dmaengine: fix releasing dma channel on error Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 176/214] iio: fix scale application in iio_convert_raw_to_processed_unlocked Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 177/214] iio: adc: ad7124: fix config comparison Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 178/214] iio: adc: ad7606: remove frstdata check for serial mode Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 179/214] iio: adc: ad7124: fix chip ID mismatch Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 180/214] usb: dwc3: core: update LC timer as per USB Spec V3.2 Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 181/214] binder: fix UAF caused by offsets overwrite Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 182/214] nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 183/214] uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 184/214] Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 185/214] VMCI: Fix use-after-free when removing resource in vmci_resource_remove() Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 186/214] clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 187/214] clocksource/drivers/imx-tpm: Fix next event not taking effect sometime Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 188/214] clocksource/drivers/timer-of: Remove percpu irq related code Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 189/214] uprobes: Use kzalloc to allocate xol area Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 190/214] perf/aux: Fix AUX buffer serialization Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 191/214] ksmbd: unset the binding mark of a reused connection Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 192/214] ksmbd: Unlock on in ksmbd_tcp_set_interfaces() Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 193/214] nilfs2: replace snprintf in show functions with sysfs_emit Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 194/214] nilfs2: protect references to superblock parameters exposed in sysfs Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 195/214] workqueue: wq_watchdog_touch is always called with valid CPU Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 196/214] workqueue: Improve scalability of workqueue watchdog touch Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 197/214] ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add() Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 198/214] ACPI: processor: Fix memory leaks in error paths of processor_add() Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 199/214] arm64: acpi: Move get_cpu_for_acpi_id() to a header Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 200/214] arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 201/214] nvmet-tcp: fix kernel crash if commands allocation fails Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 202/214] ASoC: sunxi: sun4i-i2s: fix LRCLK polarity in i2s mode Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 203/214] drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 204/214] drm/i915/fence: Mark debug_fence_free() " Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 205/214] gpio: rockchip: fix OF node leak in probe() Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 206/214] net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 207/214] net: change maximum number of UDP segments to 128 Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 208/214] gso: fix dodgy bit handling for GSO_UDP_L4 Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 209/214] net: drop bad gso csum_start and offset in virtio_net_hdr Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 210/214] x86/mm: Fix PTI for i386 some more Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 211/214] net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 212/214] btrfs: fix race between direct IO write and fsync when using same fd Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 213/214] memcg: protect concurrent access to mem_cgroup_idr Greg Kroah-Hartman
2024-09-10 9:33 ` [PATCH 5.15 214/214] udp: fix receiving fraglist GSO packets Greg Kroah-Hartman
2024-09-10 13:08 ` [PATCH 5.15 000/214] 5.15.167-rc1 review Jon Hunter
2024-09-11 12:56 ` Greg Kroah-Hartman
2024-09-10 16:20 ` Mark Brown
2024-09-10 18:37 ` Florian Fainelli
2024-09-10 18:43 ` Harshit Mogalapalli
2024-09-10 21:12 ` Shuah Khan
2024-09-11 12:48 ` Greg Kroah-Hartman
2024-09-11 11:14 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240910092605.393048315@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Basavaraj.Natikar@amd.com \
--cc=jkosina@suse.com \
--cc=olivier@sobrie.be \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox