[5.10,068/599] cifs: prevent bad output lengths in smb2_ioctl_query_info()

From: Paulo Alcantara <pc@cjr.nz>

From: Paulo Alcantara <pc@cjr.nz>

commit b92e358757b91c2827af112cae9af513f26a3f34 upstream.

When calling smb2_ioctl_query_info() with
smb_query_info::flags=PASSTHRU_FSCTL and
smb_query_info::output_buffer_length=0, the following would return
0x10

	buffer = memdup_user(arg + sizeof(struct smb_query_info),
			     qi.output_buffer_length);
	if (IS_ERR(buffer)) {
		kfree(vars);
		return PTR_ERR(buffer);
	}

rather than a valid pointer thus making IS_ERR() check fail.  This
would then cause a NULL ptr deference in @buffer when accessing it
later in smb2_ioctl_query_ioctl().  While at it, prevent having a
@buffer smaller than 8 bytes to correctly handle SMB2_SET_INFO
FileEndOfFileInformation requests when
smb_query_info::flags=PASSTHRU_SET_INFO.

Here is a small C reproducer which triggers a NULL ptr in @buffer when
passing an invalid smb_query_info::flags

	#include <stdio.h>
	#include <stdlib.h>
	#include <stdint.h>
	#include <unistd.h>
	#include <fcntl.h>
	#include <sys/ioctl.h>

	#define die(s) perror(s), exit(1)
	#define QUERY_INFO 0xc018cf07

	int main(int argc, char *argv[])
	{
		int fd;

		if (argc < 2)
			exit(1);
		fd = open(argv[1], O_RDONLY);
		if (fd == -1)
			die("open");
		if (ioctl(fd, QUERY_INFO, (uint32_t[]) { 0, 0, 0, 4, 0, 0}) == -1)
			die("ioctl");
		close(fd);
		return 0;
	}

	mount.cifs //srv/share /mnt -o ...
	gcc repro.c && ./a.out /mnt/f0

	[  114.138620] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
	[  114.139310] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
	[  114.139775] CPU: 2 PID: 995 Comm: a.out Not tainted 5.17.0-rc8 #1
	[  114.140148] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
	[  114.140818] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
	[  114.141221] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
	[  114.142348] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
	[  114.142692] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
	[  114.143119] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
	[  114.143544] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
	[  114.143983] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
	[  114.144424] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
	[  114.144852] FS:  00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
	[  114.145338] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[  114.145692] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
	[  114.146131] Call Trace:
	[  114.146291]  <TASK>
	[  114.146432]  ? smb2_query_reparse_tag+0x890/0x890 [cifs]
	[  114.146800]  ? cifs_mapchar+0x460/0x460 [cifs]
	[  114.147121]  ? rcu_read_lock_sched_held+0x3f/0x70
	[  114.147412]  ? cifs_strndup_to_utf16+0x15b/0x250 [cifs]
	[  114.147775]  ? dentry_path_raw+0xa6/0xf0
	[  114.148024]  ? cifs_convert_path_to_utf16+0x198/0x220 [cifs]
	[  114.148413]  ? smb2_check_message+0x1080/0x1080 [cifs]
	[  114.148766]  ? rcu_read_lock_sched_held+0x3f/0x70
	[  114.149065]  cifs_ioctl+0x1577/0x3320 [cifs]
	[  114.149371]  ? lock_downgrade+0x6f0/0x6f0
	[  114.149631]  ? cifs_readdir+0x2e60/0x2e60 [cifs]
	[  114.149956]  ? rcu_read_lock_sched_held+0x3f/0x70
	[  114.150250]  ? __rseq_handle_notify_resume+0x80b/0xbe0
	[  114.150562]  ? __up_read+0x192/0x710
	[  114.150791]  ? __ia32_sys_rseq+0xf0/0xf0
	[  114.151025]  ? __x64_sys_openat+0x11f/0x1d0
	[  114.151296]  __x64_sys_ioctl+0x127/0x190
	[  114.151549]  do_syscall_64+0x3b/0x90
	[  114.151768]  entry_SYSCALL_64_after_hwframe+0x44/0xae
	[  114.152079] RIP: 0033:0x7f7aead043df
	[  114.152306] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
	[  114.153431] RSP: 002b:00007ffc2e0c1f80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
	[  114.153890] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7aead043df
	[  114.154315] RDX: 00007ffc2e0c1ff0 RSI: 00000000c018cf07 RDI: 0000000000000003
	[  114.154747] RBP: 00007ffc2e0c2010 R08: 00007f7aeae03db0 R09: 00007f7aeae24c4e
	[  114.155192] R10: 00007f7aeabf7d40 R11: 0000000000000246 R12: 00007ffc2e0c2128
	[  114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000
	[  114.156071]  </TASK>
	[  114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload
	[  114.156608] ---[ end trace 0000000000000000 ]---
	[  114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
	[  114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
	[  114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
	[  114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
	[  114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
	[  114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
	[  114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
	[  114.155642] R13: 0000000000401176 R14: 0000000000403df8 R15: 00007f7aeae57000
	[  114.156071]  </TASK>
	[  114.156218] Modules linked in: cifs cifs_arc4 cifs_md4 bpf_preload
	[  114.156608] ---[ end trace 0000000000000000 ]---
	[  114.156898] RIP: 0010:smb2_ioctl_query_info+0x206/0x410 [cifs]
	[  114.157792] Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 c8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 7b 28 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 9c 01 00 00 49 8b 3f e8 58 02 fb ff 48 8b 14 24
	[  114.159293] RSP: 0018:ffffc90000b47b00 EFLAGS: 00010256
	[  114.159641] RAX: dffffc0000000000 RBX: ffff888115503200 RCX: ffffffffa020580d
	[  114.160093] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffa043a380
	[  114.160699] RBP: ffff888115503278 R08: 0000000000000001 R09: 0000000000000003
	[  114.161196] R10: fffffbfff4087470 R11: 0000000000000001 R12: ffff888115503288
	[  114.161823] R13: 00000000ffffffea R14: ffff888115503228 R15: 0000000000000000
	[  114.162274] FS:  00007f7aeabdf740(0000) GS:ffff888151600000(0000) knlGS:0000000000000000
	[  114.162853] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[  114.163218] CR2: 00007f7aeacfdf5e CR3: 000000012000e000 CR4: 0000000000350ee0
	[  114.163691] Kernel panic - not syncing: Fatal exception
	[  114.164087] Kernel Offset: disabled
	[  114.164316] ---[ end Kernel panic - not syncing: Fatal exception ]---

Cc: stable@vger.kernel.org
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/smb2ops.c |   16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

Message ID	20220405070300.849885230@linuxfoundation.org
State	Superseded
Headers	show Return-Path: <stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, "Paulo Alcantara (SUSE)" <pc@cjr.nz>, Steve French <stfrench@microsoft.com> Subject: [PATCH 5.10 068/599] cifs: prevent bad output lengths in smb2_ioctl_query_info() Date: Tue, 5 Apr 2022 09:26:02 +0200 Message-Id: <20220405070300.849885230@linuxfoundation.org> In-Reply-To: <20220405070258.802373272@linuxfoundation.org> References: <20220405070258.802373272@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [5.10,003/599] USB: serial: simple: add Nokia phone driver [5.10,006/599] HID: logitech-dj: add new lightspeed receiver id [5.10,007/599] xfrm: fix tunnel model fragmentation behavior [5.10,011/599] tools/virtio: fix virtio_test execution [5.10,014/599] spi: Fix invalid sgs value [5.10,016/599] Revert "gpio: Revert regression in sysfs-gpio (gpiolib.c)" [5.10,017/599] spi: Fix erroneous sgs value with min_t() [5.10,020/599] net: dsa: microchip: add spi_device_id tables [5.10,021/599] locking/lockdep: Avoid potential access of invalid memory in lock_class [5.10,023/599] tpm: fix reference counting for struct tpm_chip [5.10,024/599] virtio-blk: Use blk_validate_block_size() to validate block size [5.10,026/599] xhci: fix garbage USBSTS being logged in some cases [5.10,028/599] xhci: make xhci_handshake timeout for xhci_reset() adjustable [5.10,029/599] xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx() [5.10,030/599] mei: me: add Alder Lake N device id. [5.10,034/599] iio: inkern: apply consumer scale on IIO_VAL_INT cases [5.10,036/599] iio: inkern: make a best effort on offset calculation [5.10,037/599] greybus: svc: fix an error handling bug in gb_svc_hello() [5.10,038/599] clk: uniphier: Fix fixed-rate initialization [5.10,039/599] ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE [5.10,044/599] HID: intel-ish-hid: Use dma_alloc_coherent for firmware update [5.10,046/599] NFSD: prevent underflow in nfssvc_decode_writeargs() [5.10,048/599] f2fs: fix to unlock page correctly in error path of is_alive() [5.10,049/599] f2fs: quota: fix loop condition at f2fs_quota_sync() [5.10,050/599] f2fs: fix to do sanity check on .cp_pack_total_block_count [5.10,051/599] remoteproc: Fix count check in rproc_coredump_write() [5.10,054/599] mtd: rawnand: protect access to rawnand devices while in suspend [5.10,056/599] jffs2: fix use-after-free in jffs2_clear_xattr_subsystem [5.10,058/599] jffs2: fix memory leak in jffs2_scan_medium [5.10,060/599] mm: invalidate hwpoison page cache page in fault path [5.10,062/599] scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands [5.10,063/599] qed: display VF trust config [5.10,067/599] Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads" [5.10,068/599] cifs: prevent bad output lengths in smb2_ioctl_query_info() [5.10,070/599] ALSA: cs4236: fix an incorrect NULL check on list iterator [5.10,072/599] ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock [5.10,077/599] mm,hwpoison: unmap poisoned page before invalidation [5.10,080/599] drbd: fix potential silent data corruption [5.10,081/599] can: isotp: sanitize CAN ID checks in isotp_bind() [5.10,082/599] powerpc/kvm: Fix kvm_use_magic_page [5.10,086/599] arm64: dts: ti: k3-j721e: Fix gic-v3 compatible regs [5.10,087/599] arm64: dts: ti: k3-j7200: Fix gic-v3 compatible regs [5.10,088/599] ACPI: properties: Consistently return -ENOENT if there are no more references [5.10,089/599] coredump: Also dump first pages of non-executable ELF libraries [5.10,091/599] ext4: fix fs corruption when tring to remove a non-empty directory with IO error [5.10,094/599] block: limit request dispatch loop duration [5.10,097/599] video: fbdev: sm712fb: Fix crash in smtcfb_read() [5.10,099/599] ARM: dts: at91: sama5d2: Fix PMERRLOC resource size [5.10,100/599] ARM: dts: exynos: fix UART3 pins configuration in Exynos5250 [5.10,104/599] carl9170: fix missing bit-wise or operator for tx_params [5.10,106/599] thermal: int340x: Increase bitmap size [5.10,108/599] exec: Force single empty string when argv is empty [5.10,109/599] crypto: rsa-pkcs1pad - only allow with rsa [5.10,110/599] crypto: rsa-pkcs1pad - correctly get hash from source scatterlist [5.10,112/599] crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete() [5.10,114/599] DEC: Limit PMAX memory probing to R3k systems [5.10,115/599] media: gpio-ir-tx: fix transmit with long spaces on Orange Pi PC [5.10,119/599] xtensa: fix xtensa_wsr always writing 0 [5.10,121/599] brcmfmac: pcie: Release firmwares in the brcmf_pcie_setup error path [5.10,122/599] brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio [5.10,123/599] brcmfmac: pcie: Fix crashes due to early IRQs [5.10,125/599] drm/i915/gem: add missing boundary check in vm_access [5.10,127/599] PCI: xgene: Revert "PCI: xgene: Fix IB window setup" [5.10,129/599] selinux: check return value of sel_make_avc_files [5.10,130/599] hwrng: cavium - Check health status while reading random data [5.10,131/599] hwrng: cavium - HW_RANDOM_CAVIUM should depend on ARCH_THUNDER [5.10,133/599] crypto: authenc - Fix sleep in atomic context in decrypt_tail [5.10,134/599] crypto: mxs-dcp - Fix scatterlist processing [5.10,135/599] thermal: int340x: Check for NULL after calling kmemdup() [5.10,138/599] selftests/x86: Add validity check and allow field splitting [5.10,140/599] audit: log AUDIT_TIME_* records only from rules [5.10,141/599] EVM: fix the evm= __setup handler return value [5.10,142/599] crypto: ccree - dont attempt 0 len DMA mappings [5.10,144/599] hwmon: (pmbus) Add mutex to regulator ops [5.10,147/599] block: dont delete queue kobject before its children [5.10,149/599] PM: suspend: fix return value of __setup handler [5.10,151/599] hwrng: atmel - disable trng on failure path [5.10,153/599] crypto: sun8i-ce - call finalize with bh disabled [5.10,155/599] crypto: vmx - add missing dependencies [5.10,156/599] clocksource/drivers/timer-ti-dm: Fix regression from errata i940 fix [5.10,161/599] ACPI: APEI: fix return value of __setup handlers [5.10,162/599] crypto: ccp - ccp_dmaengine_unregister release dma channels [5.10,164/599] vfio: platform: simplify device removal [5.10,167/599] hwmon: (pmbus) Add Vin unit off handling [5.10,170/599] watch_queue: Fix NULL dereference in error cleanup [5.10,171/599] watch_queue: Actually free the watch [5.10,172/599] f2fs: fix to enable ATGC correctly via gc_idle sysfs interface [5.10,175/599] rseq: Optimise rseq_get_rseq_cs() and clear_rseq_cs() [5.10,176/599] rseq: Remove broken uapi field layout on 32-bit little endian [5.10,179/599] f2fs: fix missing free nid in f2fs_handle_failed_inode [5.10,181/599] f2fs: fix to avoid potential deadlock [5.10,182/599] btrfs: fix unexpected error path when reflinking an inline extent [5.10,183/599] f2fs: compress: remove unneeded read when rewrite whole cluster [5.10,186/599] kunit: make kunit_test_timeout compatible with comment [5.10,187/599] media: staging: media: zoran: fix usage of vb2_dma_contig_set_max_seg_size [5.10,188/599] media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls [5.10,191/599] ASoC: xilinx: xlnx_formatter_pcm: Handle sysclk setting [5.10,196/599] media: aspeed: Correct value for h-total-pixels [5.10,199/599] video: fbdev: controlfb: Fix COMPILE_TEST build [5.10,200/599] video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() [5.10,201/599] video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe() [5.10,204/599] ARM: dts: qcom: ipq4019: fix sleep clock [5.10,206/599] soc: qcom: ocmem: Fix missing put_device() call in of_get_ocmem [5.10,207/599] soc: qcom: aoss: remove spurious IRQF_ONESHOT flags [5.10,208/599] arm64: dts: qcom: sdm845: fix microphone bias properties and values [5.10,209/599] arm64: dts: qcom: sm8150: Correct TCS configuration for apps rsc [5.10,210/599] firmware: ti_sci: Fix compilation failure when CONFIG_TI_SCI_PROTOCOL is not defined [5.10,213/599] ARM: ftrace: ensure that ADR takes the Thumb bit into account [5.10,214/599] ARM: dts: imx: Add missing LVDS decoder on M53Menlo [5.10,215/599] media: video/hdmi: handle short reads of hdmi info frame. [5.10,217/599] media: usb: go7007: s2250-board: fix leak in probe() [5.10,219/599] media: cedrus: h264: Fix neighbour info buffer size [5.10,222/599] ASoC: rt5663: check the return value of devm_kzalloc() in rt5663_parse_dp() [5.10,224/599] ALSA: spi: Add check for clk_enable() [5.10,226/599] arm64: dts: broadcom: Fix sata nodename [5.10,227/599] printk: fix return value of printk.devkmsg __setup handler [5.10,229/599] ASoC: atmel_ssc_dai: Handle errors for clk_enable [5.10,230/599] ASoC: dwc-i2s: Handle errors for clk_enable [5.10,231/599] ASoC: soc-compress: prevent the potentially use of null pointer [5.10,233/599] memory: emif: check the pointer temp in get_device_details() [5.10,236/599] m68k: coldfire/device.c: only build for MCF_EDMA when h/w macros are defined [5.10,237/599] media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED [5.10,240/599] ASoC: wm8350: Handle error for wm8350_register_irq [5.10,241/599] ASoC: fsi: Add check for clk_enable [5.10,243/599] media: saa7134: convert list_for_each to entry variant [5.10,245/599] ivtv: fix incorrect device_caps for ivtvfb [5.10,246/599] ASoC: rockchip: i2s: Use devm_platform_get_and_ioremap_resource() [5.10,247/599] ASoC: rockchip: i2s: Fix missing clk_disable_unprepare() in rockchip_i2s_probe [5.10,248/599] ASoC: SOF: Add missing of_node_put() in imx8m_probe [5.10,249/599] ASoC: dmaengine: do not use a NULL prepare_slave_config() callback [5.10,251/599] ASoC: fsl_spdif: Disable TX clock when stop [5.10,254/599] mmc: davinci_mmc: Handle error for clk_enable [5.10,255/599] ASoC: atmel: sam9x5_wm8731: use devm_snd_soc_register_card() [5.10,256/599] ASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe [5.10,257/599] ASoC: msm8916-wcd-analog: Fix error handling in pm8916_wcd_analog_spmi_probe [5.10,265/599] ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern [5.10,266/599] drm/panfrost: Check for error num after setting mask [5.10,272/599] drm/edid: Dont clear formats if using deep color [5.10,275/599] drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_... [5.10,276/599] drm/amd/pm: return -ENOTSUPP if there is no get_dpm_ultimate_freq function [5.10,277/599] ath9k_htc: fix uninit value bugs [5.10,279/599] KVM: PPC: Fix vmx/vsx mixup in mmio emulation [5.10,281/599] i40e: respect metadata on XSK Rx to skb [5.10,282/599] power: reset: gemini-poweroff: Fix IRQ check in gemini_poweroff_probe [5.10,283/599] ray_cs: Check ioremap return value [5.10,285/599] KVM: PPC: Book3S HV: Check return value of kvmppc_radix_init [5.10,286/599] powerpc/perf: Dont use perf_hw_context for trace IMC PMU [5.10,294/599] PCI: aardvark: Fix reading PCI_EXP_RTSTA_PME bit on emulated bridge [5.10,295/599] drm/bridge: dw-hdmi: use safe format when first in bridge chain [5.10,297/599] HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports [5.10,299/599] drm/amd/pm: enable pm sysfs write for one VF mode [5.10,301/599] IB/cma: Allow XRC INI QPs to set their local ACK timeout [5.10,305/599] drm/msm/dp: populate connector of struct dp_panel [5.10,307/599] drm/msm/dpu: fix dp audio condition [5.10,309/599] scsi: pm8001: Fix command initialization in pm80XX_send_read_log() [5.10,310/599] scsi: pm8001: Fix command initialization in pm8001_chip_ssp_tm_req() [5.10,312/599] scsi: pm8001: Fix le32 values handling in pm80xx_set_sas_protocol_timer_config() [5.10,314/599] scsi: pm8001: Fix le32 values handling in pm80xx_chip_ssp_io_req() [5.10,317/599] scsi: pm8001: Fix NCQ NON DATA command completion handling [5.10,318/599] scsi: pm8001: Fix abort all task initialization [5.10,319/599] RDMA/mlx5: Fix the flow of a miss in the allocation of a cache ODP MR [5.10,323/599] drm/tegra: Fix reference leak in tegra_dsi_ganged_probe [5.10,324/599] power: supply: bq24190_charger: Fix bq24190_vbus_is_enabled() wrong false return [5.10,325/599] scsi: hisi_sas: Change permission of parameter prot_mask [5.10,326/599] drm/bridge: cdns-dsi: Make sure to to create proper aliases for dt [5.10,331/599] powerpc/mm/numa: skip NUMA_NO_NODE onlining in parse_numa_properties() [5.10,332/599] powerpc/Makefile: Dont pass -mcpu=powerpc64 when building 32-bit [5.10,333/599] KVM: x86: Fix emulation in writing cr8 [5.10,334/599] KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor() [5.10,335/599] hv_balloon: rate-limit "Unhandled message" warning [5.10,338/599] power: supply: wm8350-power: Add missing free in free_charger_irq [5.10,342/599] mips: DEC: honor CONFIG_MIPS_FP_SUPPORT=n [5.10,343/599] powerpc/sysdev: fix incorrect use to determine if list is empty [5.10,344/599] mfd: mc13xxx: Add check for mc13xxx_irq_request [5.10,347/599] platform/x86: huawei-wmi: check the return value of device_create_file() [5.10,349/599] vxcan: enable local echo for sent CAN frames [5.10,352/599] MIPS: RB532: fix return value of __setup handler [5.10,356/599] bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full [5.10,358/599] bpf, sockmap: Fix double uncharge the mem of sk_msg [5.10,361/599] can: isotp: return -EADDRNOTAVAIL when reading from unbound socket [5.10,362/599] can: isotp: support MSG_TRUNC flag when reading from socket [5.10,369/599] i2c: meson: Fix wrong speed use from probe [5.10,371/599] selftests/bpf/test_lirc_mode2.sh: Exit with proper code [5.10,373/599] net: bcmgenet: Use stronger register read/writes to assure ordering [5.10,375/599] openvswitch: always update flow key after nat [5.10,377/599] mfd: asic3: Add missing iounmap() on error asic3_mfd_probe [5.10,378/599] mxser: fix xmit_buf leak in activate when LSR == 0xff [5.10,379/599] pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add() [5.10,380/599] fsi: aspeed: convert to devm_platform_ioremap_resource [5.10,381/599] fsi: Aspeed: Fix a potential double free [5.10,384/599] soundwire: intel: fix wrong register name in intel_shim_wake [5.10,385/599] clk: qcom: ipq8074: fix PCI-E clock oops [5.10,387/599] staging:iio:adc:ad7280a: Fix handing of device address bit reversing. [5.10,390/599] clk: qcom: ipq8074: Use floor ops for SDCC1 clock [5.10,391/599] phy: dphy: Correct lpx parameter and its derivatives(ta_{get,go,sure}) [5.10,392/599] serial: 8250_mid: Balance reference count for PCI DMA device [5.10,394/599] NFS: Use of mapping_set_error() results in spurious errors [5.10,395/599] serial: 8250: Fix race condition in RTS-after-send handling [5.10,396/599] iio: adc: Add check for devm_request_threaded_irq [5.10,399/599] dma-debug: fix return value of __setup handlers [5.10,400/599] clk: imx7d: Remove audio_mclk_root_clk [5.10,404/599] dmaengine: hisi_dma: fix MSI allocate fail when reload hisi_dma [5.10,405/599] remoteproc: qcom: Fix missing of_node_put in adsp_alloc_memory_region [5.10,406/599] remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region [5.10,407/599] remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region [5.10,408/599] nvdimm/region: Fix default alignment for small regions [5.10,410/599] clk: loongson1: Terminate clk_div_table with sentinel element [5.10,411/599] clk: clps711x: Terminate clk_div_table with sentinel element [5.10,412/599] clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver [5.10,415/599] staging: mt7621-dts: fix formatting [5.10,418/599] pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init [5.10,419/599] pinctrl: mediatek: paris: Fix PIN_CONFIG_BIAS_* readback [5.10,420/599] pinctrl: mediatek: paris: Fix "argument" argument type for mtk_pinconf_get() [5.10,421/599] pinctrl: mediatek: paris: Fix pingroup pin config state readback [5.10,425/599] tty: hvc: fix return value of __setup handler [5.10,426/599] kgdboc: fix return value of __setup handler [5.10,429/599] firmware: google: Properly state IOMEM dependency [5.10,432/599] netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options [5.10,436/599] clk: Initialize orphan req_rate [5.10,439/599] net: hns3: fix bug when PF set the duplicate MAC address for VFs [5.10,442/599] qlcnic: dcb: default to returning -EOPNOTSUPP [5.10,444/599] NFSv4/pNFS: Fix another issue with a list iterator pointing to the head [5.10,445/599] net: dsa: bcm_sf2_cfp: fix an incorrect NULL check on list iterator [5.10,448/599] fs: fix fd table size alignment properly [5.10,449/599] LSM: general protection fault in legacy_parse_param [5.10,450/599] regulator: rpi-panel: Handle I2C errors/timing to the Atmel [5.10,453/599] block, bfq: dont move oom_bfqq [5.10,454/599] selinux: use correct type for context length [5.10,455/599] selinux: allow FIOCLEX and FIONCLEX with policy capability [5.10,456/599] loop: use sysfs_emit() in the sysfs xxx show() [5.10,457/599] Fix incorrect type in assignment of ipv6 port for audit [5.10,458/599] irqchip/qcom-pdc: Fix broken locking [5.10,460/599] fs/binfmt_elf: Fix AT_PHDR for unusual ELF files [5.10,464/599] Revert "Revert "block, bfq: honor already-setup queue merges"" [5.10,465/599] ACPI/APEI: Limit printable size of BERT table data [5.10,469/599] spi: tegra20: Use of_device_get_match_data() [5.10,472/599] ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit [5.10,474/599] f2fs: fix to do sanity check on curseg->alloc_type [5.10,477/599] ntfs: add sanity check on allocation size [5.10,479/599] media: staging: media: zoran: calculate the right buffer number for zoran_reap_sta... [5.10,480/599] media: staging: media: zoran: fix various V4L2 compliance errors [5.10,481/599] media: ir_toy: free before error exiting [5.10,483/599] video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow [5.10,484/599] video: fbdev: w100fb: Reset global state [5.10,488/599] ARM: dts: bcm2837: Add the missing L1/L2 cache information [5.10,489/599] ASoC: madera: Add dependencies on MFD [5.10,490/599] media: atomisp_gmin_platform: Add DMI quirk to not turn AXP ELDO2 regulator off on... [5.10,492/599] ARM: ftrace: avoid redundant loads or clobbering IP [5.10,493/599] ARM: dts: imx7: Use audio_mclk_post_div instead audio_mclk_root_clk [5.10,496/599] video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf() [5.10,497/599] video: fbdev: udlfb: replace snprintf in show functions with sysfs_emit [5.10,499/599] ASoC: soc-core: skip zero num_dai component in searching dai name [5.10,501/599] uaccess: fix type mismatch warnings from access_ok() [5.10,503/599] ARM: tegra: tamonten: Fix I2C3 pad setting [5.10,508/599] tracing: Have TRACE_DEFINE_ENUM affect trace event types as well [5.10,511/599] ALSA: hda/realtek: Add alc256-samsung-headphone fixup [5.10,512/599] KVM: x86/mmu: Check for present SPTE when clearing dirty bit in TDP MMU [5.10,513/599] powerpc/kasan: Fix early region not updated correctly [5.10,518/599] scsi: qla2xxx: Fix scheduling while atomic [5.10,519/599] scsi: qla2xxx: Fix wrong FDMI data for 64G adapter [5.10,520/599] scsi: qla2xxx: Fix warning for missing error code [5.10,523/599] scsi: qla2xxx: Check for firmware dump already collected [5.10,525/599] scsi: qla2xxx: Fix disk failure to rediscover [5.10,526/599] scsi: qla2xxx: Fix incorrect reporting of task management failure [5.10,527/599] scsi: qla2xxx: Fix hang due to session stuck [5.10,529/599] scsi: qla2xxx: Fix N2N inconsistent PLOGI [5.10,530/599] scsi: qla2xxx: Reduce false trigger to login [5.10,532/599] platform: chrome: Split trace include file [5.10,533/599] KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasnt activated [5.10,537/599] ASoC: SOF: Intel: Fix NULL ptr dereference when ENOMEM [5.10,538/599] ubifs: rename_whiteout: Fix double free for whiteout_ui->data [5.10,541/599] ubifs: setflags: Make dirtied_ino_d 8 bytes aligned [5.10,543/599] ubifs: Fix to add refcount once page is set private [5.10,549/599] can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path [5.10,550/599] can: mcba_usb: properly check endpoint type [5.10,552/599] XArray: Update the LRU list in xas_split() [5.10,554/599] gfs2: Make sure FITRIM minlen is rounded up to fs block size [5.10,556/599] rxrpc: Fix call timer start racing with call destruction [5.10,560/599] pinctrl: pinconf-generic: Print arguments for bias-pull-* [5.10,561/599] watchdog: rti-wdt: Add missing pm_runtime_disable() in probe function [5.10,562/599] pinctrl: nuvoton: npcm7xx: Rename DS() macro to DSTR() [5.10,566/599] ARM: iop32x: offset IRQ numbers by 1 [5.10,570/599] platform/chrome: cros_ec_typec: Check for EC device [5.10,573/599] staging: mt7621-dts: fix pinctrl-0 items to be size-1 items on ethernet [5.10,574/599] ASoC: soc-compress: Change the check for codec_dai [5.10,575/599] batman-adv: Check ptr for NULL before reducing its refcnt [5.10,577/599] ARM: 9187/1: JIVE: fix return value of __setup handler [5.10,579/599] mm/usercopy: return 1 from hardened_usercopy __setup() handler [5.10,580/599] bpf: Adjust BPF stack helper functions to accommodate skip > 0 [5.10,581/599] bpf: Fix comment for helper bpf_current_task_under_cgroup() [5.10,582/599] dt-bindings: mtd: nand-controller: Fix the reg property description [5.10,587/599] ARM: dts: spear1340: Update serial node properties [5.10,589/599] um: Fix uml_mconsole stop/go [5.10,590/599] docs: sysctl/kernel: add missing bit to panic_print [5.10,591/599] openvswitch: Fixed nd target mask field in the flow dump. [5.10,595/599] coredump: Snapshot the vmas in do_coredump [5.10,596/599] coredump: Remove the WARN_ON in dump_vma_snapshot [5.10,597/599] coredump/elf: Pass coredump_params into fill_note_info [5.10,599/599] arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones

[5.10,068/599] cifs: prevent bad output lengths in smb2_ioctl_query_info()

Commit Message

Patch