From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+356aed408415a56543cd@syzkaller.appspotmail.com,
Yang Chenzhi <yang.chenzhi@vivo.com>,
Viacheslav Dubeyko <slava@dubeyko.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 176/224] hfs: validate record offset in hfsplus_bmap_alloc
Date: Mon, 27 Oct 2025 19:35:22 +0100 [thread overview]
Message-ID: <20251027183513.590712887@linuxfoundation.org> (raw)
In-Reply-To: <20251027183508.963233542@linuxfoundation.org>
5.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Chenzhi <yang.chenzhi@vivo.com>
[ Upstream commit 738d5a51864ed8d7a68600b8c0c63fe6fe5c4f20 ]
hfsplus_bmap_alloc can trigger a crash if a
record offset or length is larger than node_size
[ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0
[ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183
[ 15.265949]
[ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary)
[ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 15.266167] Call Trace:
[ 15.266168] <TASK>
[ 15.266169] dump_stack_lvl+0x53/0x70
[ 15.266173] print_report+0xd0/0x660
[ 15.266181] kasan_report+0xce/0x100
[ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0
[ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0
[ 15.266217] hfsplus_brec_insert+0x870/0xb00
[ 15.266222] __hfsplus_ext_write_extent+0x428/0x570
[ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910
[ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200
[ 15.266233] hfsplus_file_extend+0x5a7/0x1000
[ 15.266237] hfsplus_get_block+0x12b/0x8c0
[ 15.266238] __block_write_begin_int+0x36b/0x12c0
[ 15.266251] block_write_begin+0x77/0x110
[ 15.266252] cont_write_begin+0x428/0x720
[ 15.266259] hfsplus_write_begin+0x51/0x100
[ 15.266262] cont_write_begin+0x272/0x720
[ 15.266270] hfsplus_write_begin+0x51/0x100
[ 15.266274] generic_perform_write+0x321/0x750
[ 15.266285] generic_file_write_iter+0xc3/0x310
[ 15.266289] __kernel_write_iter+0x2fd/0x800
[ 15.266296] dump_user_range+0x2ea/0x910
[ 15.266301] elf_core_dump+0x2a94/0x2ed0
[ 15.266320] vfs_coredump+0x1d85/0x45e0
[ 15.266349] get_signal+0x12e3/0x1990
[ 15.266357] arch_do_signal_or_restart+0x89/0x580
[ 15.266362] irqentry_exit_to_user_mode+0xab/0x110
[ 15.266364] asm_exc_page_fault+0x26/0x30
[ 15.266366] RIP: 0033:0x41bd35
[ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f
[ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283
[ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000
[ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100
[ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000
[ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000
[ 15.266376] </TASK>
When calling hfsplus_bmap_alloc to allocate a free node, this function
first retrieves the bitmap from header node and map node using node->page
together with the offset and length from hfs_brec_lenoff
```
len = hfs_brec_lenoff(node, 2, &off16);
off = off16;
off += node->page_offset;
pagep = node->page + (off >> PAGE_SHIFT);
data = kmap_local_page(*pagep);
```
However, if the retrieved offset or length is invalid(i.e. exceeds
node_size), the code may end up accessing pages outside the allocated
range for this node.
This patch adds proper validation of both offset and length before use,
preventing out-of-bounds page access. Move is_bnode_offset_valid and
check_and_correct_requested_length to hfsplus_fs.h, as they may be
required by other functions.
Reported-by: syzbot+356aed408415a56543cd@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67bcb4a6.050a0220.bbfd1.008f.GAE@google.com/
Signed-off-by: Yang Chenzhi <yang.chenzhi@vivo.com>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20250818141734.8559-2-yang.chenzhi@vivo.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/bnode.c | 41 ----------------------------------------
fs/hfsplus/btree.c | 6 ++++++
fs/hfsplus/hfsplus_fs.h | 42 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 48 insertions(+), 41 deletions(-)
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index c9c38fddf505b..e566cea238279 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -18,47 +18,6 @@
#include "hfsplus_fs.h"
#include "hfsplus_raw.h"
-static inline
-bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
-{
- bool is_valid = off < node->tree->node_size;
-
- if (!is_valid) {
- pr_err("requested invalid offset: "
- "NODE: id %u, type %#x, height %u, "
- "node_size %u, offset %d\n",
- node->this, node->type, node->height,
- node->tree->node_size, off);
- }
-
- return is_valid;
-}
-
-static inline
-int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
-{
- unsigned int node_size;
-
- if (!is_bnode_offset_valid(node, off))
- return 0;
-
- node_size = node->tree->node_size;
-
- if ((off + len) > node_size) {
- int new_len = (int)node_size - off;
-
- pr_err("requested length has been corrected: "
- "NODE: id %u, type %#x, height %u, "
- "node_size %u, offset %d, "
- "requested_len %d, corrected_len %d\n",
- node->this, node->type, node->height,
- node->tree->node_size, off, len, new_len);
-
- return new_len;
- }
-
- return len;
-}
/* Copy a specified range of bytes from the raw data of a node */
void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c
index 66774f4cb4fd5..2211907537fec 100644
--- a/fs/hfsplus/btree.c
+++ b/fs/hfsplus/btree.c
@@ -392,6 +392,12 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree)
len = hfs_brec_lenoff(node, 2, &off16);
off = off16;
+ if (!is_bnode_offset_valid(node, off)) {
+ hfs_bnode_put(node);
+ return ERR_PTR(-EIO);
+ }
+ len = check_and_correct_requested_length(node, off, len);
+
off += node->page_offset;
pagep = node->page + (off >> PAGE_SHIFT);
data = kmap(*pagep);
diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h
index 86cfc147bf3d1..5355d1ff7a9b2 100644
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -561,6 +561,48 @@ hfsplus_btree_lock_class(struct hfs_btree *tree)
return class;
}
+static inline
+bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
+{
+ bool is_valid = off < node->tree->node_size;
+
+ if (!is_valid) {
+ pr_err("requested invalid offset: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off);
+ }
+
+ return is_valid;
+}
+
+static inline
+int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
+{
+ unsigned int node_size;
+
+ if (!is_bnode_offset_valid(node, off))
+ return 0;
+
+ node_size = node->tree->node_size;
+
+ if ((off + len) > node_size) {
+ int new_len = (int)node_size - off;
+
+ pr_err("requested length has been corrected: "
+ "NODE: id %u, type %#x, height %u, "
+ "node_size %u, offset %d, "
+ "requested_len %d, corrected_len %d\n",
+ node->this, node->type, node->height,
+ node->tree->node_size, off, len, new_len);
+
+ return new_len;
+ }
+
+ return len;
+}
+
/* compatibility */
#define hfsp_mt2ut(t) (struct timespec){ .tv_sec = __hfsp_mt2ut(t) }
#define hfsp_ut2mt(t) __hfsp_ut2mt((t).tv_sec)
--
2.51.0
next prev parent reply other threads:[~2025-10-27 18:46 UTC|newest]
Thread overview: 234+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-27 18:32 [PATCH 5.4 000/224] 5.4.301-rc1 review Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 001/224] scsi: target: target_core_configfs: Add length check to avoid buffer overflow Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 002/224] media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 003/224] udp: Fix memory accounting leak Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 004/224] media: tunner: xc5000: Refactor firmware load Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 005/224] media: tuner: xc5000: Fix use-after-free in xc5000_release Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 006/224] media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 007/224] media: rc: Add support for another iMON 0xffdc device Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 008/224] media: imon: reorganize serialization Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 009/224] media: imon: grab lock earlier in imon_ir_change_protocol() Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 010/224] media: rc: fix races with imon_disconnect() Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 011/224] USB: serial: option: add SIMCom 8230C compositions Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 012/224] wifi: rtlwifi: rtl8192cu: Dont claim USB ID 07b8:8188 Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 013/224] dm-integrity: limit MAX_TAG_SIZE to 255 Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 014/224] perf subcmd: avoid crash in exclude_cmds when excludes is empty Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 015/224] staging: axis-fifo: fix maximum TX packet length check Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 016/224] staging: axis-fifo: flush RX FIFO on read errors Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 017/224] driver core/PM: Set power.no_callbacks along with power.no_pm Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 018/224] perf: arm_spe: Prevent overflow in PERF_IDX2OFF() Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 019/224] x86/vdso: Fix output operand size of RDPID Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 020/224] regmap: Remove superfluous check for !config in __regmap_init() Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 021/224] ACPI: processor: idle: Fix memory leak when register cpuidle device failed Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 022/224] soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 023/224] pinctrl: meson-gxl: add missing i2c_d pinmux Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 024/224] blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 025/224] block: use int to store blk_stack_limits() return value Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 026/224] pwm: tiehrpwm: Fix corner case in clock divisor calculation Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 027/224] selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 028/224] bpf: Explicitly check accesses to bpf_sock_addr Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 029/224] i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 030/224] i2c: designware: Add disabling clocks when probe fails Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 031/224] drm/radeon/r600_cs: clean up of dead code in r600_cs Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 032/224] usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup Greg Kroah-Hartman
2025-10-27 18:32 ` [PATCH 5.4 033/224] serial: max310x: Add error checking in probe() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 034/224] scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 035/224] scsi: myrs: Fix dma_alloc_coherent() error check Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 036/224] media: rj54n1cb0c: Fix memleak in rj54n1_probe() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 037/224] ALSA: lx_core: use int type to store negative error codes Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 038/224] wifi: mwifiex: send world regulatory domain to driver Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 039/224] PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 040/224] tcp: fix __tcp_close() to only send RST when required Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 041/224] usb: phy: twl6030: Fix incorrect type for ret Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 042/224] usb: gadget: configfs: Correctly set use_os_string at bind Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 043/224] misc: genwqe: Fix incorrect cmd field being reported in error Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 044/224] pps: fix warning in pps_register_cdev when register device fail Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 045/224] ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 046/224] ASoC: Intel: bytcr_rt5640: " Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 047/224] ASoC: Intel: bytcr_rt5651: " Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 048/224] iio: consumers: Fix offset handling in iio_convert_raw_to_processed() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 049/224] netfilter: ipset: Remove unused htable_bits in macro ahash_region Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 050/224] watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 051/224] drivers/base/node: handle error properly in register_one_node() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 052/224] wifi: mt76: fix potential memory leak in mt76_wmac_probe() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 053/224] RDMA/core: Resolve MAC of next-hop device without ARP support Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 054/224] IB/sa: Fix sa_local_svc_timeout_ms read race Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 055/224] wifi: ath10k: avoid unnecessary wait for service ready message Greg Kroah-Hartman
2025-10-27 18:46 ` Jeff Johnson
2025-10-27 18:33 ` [PATCH 5.4 056/224] sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 057/224] sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 058/224] sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 059/224] sparc: fix accurate exception reporting in copy_to_user for Niagara 4 Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 060/224] sparc: fix accurate exception reporting in copy_{from,to}_user for M7 Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 061/224] remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 062/224] NFSv4.1: fix backchannel max_resp_sz verification check Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 063/224] ipvs: Defer ip_vs_ftp unregister during netns cleanup Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 064/224] scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 065/224] usb: vhci-hcd: Prevent suspending virtually attached devices Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 066/224] RDMA/siw: Always report immediate post SQ errors Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 067/224] net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 068/224] ocfs2: fix double free in user_cluster_connect() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 069/224] drivers/base/node: fix double free in register_one_node() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 070/224] nfp: fix RSS hash key size when RSS is not supported Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 071/224] net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 072/224] Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set" Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 073/224] Squashfs: fix uninit-value in squashfs_get_parent Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 074/224] uio_hv_generic: Let userspace take care of interrupt mask Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 075/224] mm: hugetlb: avoid soft lockup when mprotect to large memory area Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 076/224] Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 077/224] pinctrl: check the return value of pinmux_ops::get_function_name() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 078/224] clocksource/drivers/clps711x: Fix resource leaks in error paths Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 079/224] iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 080/224] perf util: Fix compression checks returning -1 as bool Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 081/224] rtc: x1205: Fix Xicor X1205 vendor prefix Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 082/224] perf session: Fix handling when buffer exceeds 2 GiB Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 083/224] clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 084/224] clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 085/224] scsi: libsas: Add sas_task_find_rq() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 086/224] scsi: mvsas: Delete mvs_tag_init() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 087/224] scsi: mvsas: Use sas_task_find_rq() for tagging Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 088/224] scsi: mvsas: Fix use-after-free bugs in mvs_work_queue Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 089/224] net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 090/224] drm/vmwgfx: Fix Use-after-free in validation Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 091/224] net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 092/224] tcp: Dont call reqsk_fastopen_remove() in tcp_conn_request() Greg Kroah-Hartman
2025-10-27 18:33 ` [PATCH 5.4 093/224] net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 094/224] tools build: Align warning options with perf Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 095/224] mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 096/224] mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 097/224] crypto: essiv - Check ssize for decryption and in-place encryption Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 098/224] tpm, tpm_tis: Claim locality before writing interrupt registers Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 099/224] tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 100/224] ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 101/224] ACPI: debug: fix signedness issues in read/write helpers Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 102/224] arm64: dts: qcom: msm8916: Add missing MDSS reset Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 103/224] xen/manage: Fix suspend error path Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 104/224] firmware: meson_sm: fix device leak at probe Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 105/224] media: i2c: mt9v111: fix incorrect type for ret Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 106/224] drm/nouveau: fix bad ret code in nouveau_bo_move_prep Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 107/224] cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 108/224] crypto: atmel - Fix dma_unmap_sg() direction Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 109/224] iio: dac: ad5360: use int type to store negative error codes Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 110/224] iio: dac: ad5421: " Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 111/224] iio: frequency: adf4350: Fix prescaler usage Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 112/224] lib/genalloc: fix device leak in of_gen_pool_get() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 113/224] parisc: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 114/224] scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 115/224] sctp: Fix MAC comparison to be constant-time Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 116/224] sparc64: fix hugetlb for sun4u Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 117/224] sparc: fix error handling in scan_one_device() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 118/224] mtd: rawnand: fsmc: Default to autodetect buswidth Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 119/224] mmc: core: SPI mode remove cmd7 Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 120/224] rtc: interface: Ensure alarm irq is enabled when UIE is enabled Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 121/224] rtc: interface: Fix long-standing race when setting alarm Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 122/224] rseq/selftests: Use weak symbol reference, not definition, to link with glibc Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 123/224] PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 124/224] PCI/AER: Fix missing uevent on recovery when a reset is requested Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 125/224] PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 126/224] x86/umip: Check that the instruction opcode is at least two bytes Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 127/224] x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases) Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 128/224] nfsd: nfserr_jukebox in nlm_fopen should lead to a retry Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 129/224] ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 130/224] ext4: correctly handle queries for metadata mappings Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 131/224] ext4: guard against EA inode refcount underflow in xattr update Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 132/224] net/9p: fix double req put in p9_fd_cancelled Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 133/224] KVM: x86: Dont (re)check L1 intercepts when completing userspace I/O Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 134/224] fs: udf: fix OOB read in lengthAllocDescs handling Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 135/224] mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 136/224] media: mc: Clear minor number before put device Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 137/224] Squashfs: add additional inode sanity checking Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 138/224] Squashfs: reject negative file sizes in squashfs_read_inode() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 139/224] mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register value Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 140/224] mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 141/224] mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 142/224] dm: fix NULL pointer dereference in __dm_suspend() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 143/224] tracing: Fix race condition in kprobe initialization causing NULL pointer dereference Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 144/224] minixfs: Verify inode mode when loading from disk Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 145/224] pid: Add a judgment for ns null in pid_nr_ns Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 146/224] fs: Add initramfs_options to set initramfs mount options Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 147/224] cramfs: Verify inode mode when loading from disk Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 148/224] xen/events: Cleanup find_virq() return codes Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 149/224] media: cx18: Add missing check after DMA map Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 150/224] pwm: berlin: Fix wrong register in suspend/resume Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 151/224] btrfs: avoid potential out-of-bounds in btrfs_encode_fh() Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 152/224] drm/exynos: exynos7_drm_decon: remove ctx->suspended Greg Kroah-Hartman
2025-10-27 18:34 ` [PATCH 5.4 153/224] media: rc: Directly use ida_free() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 154/224] media: lirc: Fix error handling in lirc_register() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 155/224] xen/events: Update virq_to_irq on migration Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 156/224] media: pci/ivtv: switch from pci_ to dma_ API Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 157/224] media: pci: ivtv: Add missing check after DMA map Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 158/224] net: dl2k: switch from pci_ to dma_ API Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 159/224] net: dlink: handle dma_map_single() failure properly Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 160/224] net/ip6_tunnel: Prevent perpetual tunnel growth Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 161/224] amd-xgbe: Avoid spurious link down messages during interface toggle Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 162/224] tcp: fix tcp_tso_should_defer() vs large RTT Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 163/224] tg3: prevent use of uninitialized remote_adv and local_adv variables Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 164/224] tls: always set record_type in tls_process_cmsg Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 165/224] tls: dont rely on tx_work during send() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 166/224] sched: Make newidle_balance() static again Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 167/224] sched/fair: Trivial correction of the newidle_balance() comment Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 168/224] sched/balancing: Rename newidle_balance() => sched_balance_newidle() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 169/224] sched/fair: Fix pelt lost idle time detection Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 170/224] ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 171/224] hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 172/224] exec: Fix incorrect type for ret Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 173/224] hfs: clear offset and space out of valid records in b-tree node Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 174/224] hfs: make proper initalization of struct hfs_find_data Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 175/224] hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() Greg Kroah-Hartman
2025-10-27 18:35 ` Greg Kroah-Hartman [this message]
2025-10-27 18:35 ` [PATCH 5.4 177/224] hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 178/224] dlm: check for defined force value in dlm_lockspace_release Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 179/224] hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 180/224] hfsplus: return EIO when type of hidden directory mismatch in hfsplus_fill_super() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 181/224] m68k: bitops: Fix find_*_bit() signatures Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 182/224] net: rtnetlink: remove redundant assignment to variable err Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 183/224] net: rtnetlink: add msg kind names Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 184/224] net: rtnetlink: add helper to extract msg types kind Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 185/224] net: rtnetlink: use BIT for flag values Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 186/224] net: netlink: add NLM_F_BULK delete request modifier Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 187/224] net: rtnetlink: add bulk delete support flag Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 188/224] net: add ndo_fdb_del_bulk Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 189/224] net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 190/224] rtnetlink: Allow deleting FDB entries in user namespace Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 191/224] net: enetc: correct the value of ENETC_RXB_TRUESIZE Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 192/224] arm64, mm: avoid always making PTE dirty in pte_mkwrite() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 193/224] sctp: avoid NULL dereference when chunk data buffer is missing Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 194/224] net: bonding: fix possible peer notify event loss or dup issue Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 195/224] Revert "cpuidle: menu: Avoid discarding useful information" Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 196/224] MIPS: Malta: Fix keyboard resource preventing i8042 driver from registering Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 197/224] ocfs2: clear extent cache after moving/defragmenting extents Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 198/224] net: usb: rtl8150: Fix frame padding Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 199/224] net: ravb: Ensure memory write completes before ringing TX doorbell Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 200/224] USB: serial: option: add UNISOC UIS7720 Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 201/224] USB: serial: option: add Quectel RG255C Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 202/224] USB: serial: option: add Telit FN920C04 ECM compositions Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 203/224] usb/core/quirks: Add Huawei ME906S to wakeup quirk Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 204/224] xhci: dbc: enable back DbC in resume if it was enabled before suspend Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 205/224] binder: remove "invalid inc weak" check Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 206/224] comedi: fix divide-by-zero in comedi_buf_munge() Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 207/224] arm64: cputype: Add Neoverse-V3AE definitions Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 208/224] arm64: errata: Apply workarounds for Neoverse-V3AE Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 209/224] memory: samsung: exynos-srom: Correct alignment Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 210/224] memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 211/224] spi: cadence-quadspi: Flush posted register writes before INDAC access Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 212/224] spi: cadence-quadspi: Flush posted register writes before DAC access Greg Kroah-Hartman
2025-10-27 18:35 ` [PATCH 5.4 213/224] ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 214/224] drm/amdgpu: use atomic functions with memory barriers for vm fault info Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 215/224] ext4: detect invalid INLINE_DATA + EXTENTS flag combination Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 216/224] jbd2: ensure that all ongoing I/O complete before freeing blocks Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 217/224] vfs: Dont leak disconnected dentries on umount Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 218/224] NFSD: Define a proc_layoutcommit for the FlexFiles layout type Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 219/224] KEYS: trusted_tpm1: Compare HMAC values in constant time Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 220/224] padata: Reset next CPU when reorder sequence wraps around Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 221/224] NFSD: Minor cleanup in layoutcommit processing Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 222/224] NFSD: Fix last write offset handling in layoutcommit Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 223/224] media: s5p-mfc: remove an unused/uninitialized variable Greg Kroah-Hartman
2025-10-27 18:36 ` [PATCH 5.4 224/224] net: rtnetlink: fix module reference count leak issue in rtnetlink_rcv_msg Greg Kroah-Hartman
2025-10-27 19:31 ` [PATCH 5.4 000/224] 5.4.301-rc1 review Florian Fainelli
2025-10-28 8:14 ` Pavel Machek
2025-10-28 11:28 ` Jon Hunter
2025-10-28 13:45 ` Naresh Kamboju
2025-10-28 13:55 ` Brett A C Sheffield
2025-10-28 14:17 ` [External] : " ALOK TIWARI
2025-10-28 19:27 ` Shuah Khan
2025-10-29 7:39 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251027183513.590712887@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=slava@dubeyko.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+356aed408415a56543cd@syzkaller.appspotmail.com \
--cc=yang.chenzhi@vivo.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).