linux-yocto/drivers
Dongli Zhang 8312a1ccff vhost-scsi: protect vq->log_used with vq->mutex
commit f591cf9fce upstream.

The vhost-scsi completion path may access vq->log_base when vq->log_used is
already set to false.

    vhost-thread                       QEMU-thread

vhost_scsi_complete_cmd_work()
-> vhost_add_used()
   -> vhost_add_used_n()
      if (unlikely(vq->log_used))
                                      QEMU disables vq->log_used
                                      via VHOST_SET_VRING_ADDR.
                                      mutex_lock(&vq->mutex);
                                      vq->log_used = false now!
                                      mutex_unlock(&vq->mutex);

                                       QEMU gfree(vq->log_base)
        log_used()
        -> log_write(vq->log_base)

Assuming the VMM is QEMU. The vq->log_base is from QEMU userspace and can be
reclaimed via gfree(). As a result, this causes invalid memory writes to
QEMU userspace.

The control queue path has the same issue.

Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Message-Id: <20250403063028.16045-2-dongli.zhang@oracle.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[ Resolved conflicts in drivers/vhost/scsi.c
  because vhost_scsi_complete_cmd_work() has been refactored. ]
Signed-off-by: Xinyu Zheng <zhengxinyu6@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-07-17 18:30:55 +02:00
accessibility
acpi Revert "ACPI: battery: negate current when discharging" 2025-07-17 18:30:50 +02:00
amba
android binder: fix UAF caused by offsets overwrite 2024-09-12 11:07:51 +02:00
ata ata: pata_cs5536: fix build on 32-bit UML 2025-07-10 15:57:46 +02:00
atm atm: idt77252: Add missing dma_map_error() 2025-07-17 18:30:54 +02:00
auxdisplay auxdisplay: charlcd: Partially revert "Move hwidth and bwidth to struct hd44780_common" 2025-06-04 14:37:57 +02:00
base x86/bugs: Add a Transient Scheduler Attacks mitigation 2025-07-10 15:57:50 +02:00
bcma
block nbd: fix uaf in nbd_genl_connect() error path 2025-07-17 18:30:52 +02:00
bluetooth Bluetooth: btrtl: Prevent potential NULL dereference 2025-05-02 07:44:09 +02:00
bus Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first" 2025-06-27 11:05:33 +01:00
cdrom
char tpm: tis: Double the timeout B to 4s 2025-06-04 14:38:08 +02:00
clk clk: ti: am43xx: Add clkctrl data for am43xx ADC1 2025-07-10 15:57:35 +02:00
clocksource clocksource: mips-gic-timer: Enable counter when CPUs start 2025-06-04 14:38:01 +02:00
comedi comedi: jr3_pci: Fix synchronous deletion of timer 2025-05-02 07:44:39 +02:00
connector
counter counter: microchip-tcb-capture: Fix undefined counter channel state on probe 2025-04-10 14:31:56 +02:00
cpufreq Revert "cpufreq: tegra186: Share policy per cluster" 2025-06-27 11:05:36 +01:00
cpuidle cpuidle: menu: Avoid discarding useful information 2025-06-04 14:38:00 +02:00
crypto crypto: marvell/cesa - Do not chain submitted requests 2025-06-27 11:05:22 +01:00
cxl
dax
dca
devfreq PM / devfreq: Synchronize devfreq_monitor_[start/stop] 2024-02-23 08:54:38 +01:00
dio
dma dmaengine: xilinx_dma: Set dma_device directions 2025-07-10 15:57:32 +02:00
dma-buf dma-buf: fix timeout handling in dma_resv_wait_timeout v2 2025-07-17 18:30:52 +02:00
edac EDAC/altera: Use correct write width with the INTTEST register 2025-06-27 11:05:25 +01:00
eisa
extcon
firewire
firmware firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES 2025-06-27 11:05:11 +01:00
fpga fpga: altera-cvp: Increase credit timeout 2025-06-04 14:37:59 +02:00
fsi
gnss treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
gpio gpio: tegra186: fix resource handling in ACPI probe path 2025-05-02 07:44:27 +02:00
gpu drm/gem: Fix race in drm_gem_handle_create_tail() 2025-07-17 18:30:49 +02:00
greybus
hid HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras 2025-07-17 18:30:54 +02:00
hsi HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition 2025-05-02 07:44:06 +02:00
hv Drivers: hv: vmbus: Add utility function for querying ring size 2025-07-10 15:57:36 +02:00
hwmon hwmon: (pmbus/max34440) Fix support for max34451 2025-07-10 15:57:32 +02:00
hwspinlock hwspinlock: Introduce hwspin_lock_bust() 2024-09-12 11:07:41 +02:00
hwtracing coresight: Only check bottom two claim bits 2025-07-10 15:57:33 +02:00
i2c i2c/designware: Fix an initialization issue 2025-07-10 15:57:49 +02:00
i3c i3c: master: svc: Fix implicit fallthrough in svc_i3c_master_ibi_work() 2025-06-04 14:38:06 +02:00
idle intel_idle: Handle older CPUs, which stop the TSC in deeper C states, correctly 2025-03-13 12:51:00 +01:00
iio iio: pressure: zpa2326: Use aligned_s64 for the timestamp 2025-07-10 15:57:33 +02:00
infiniband RDMA/mlx5: Fix vport loopback for MPV device 2025-07-17 18:30:50 +02:00
input Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID 2025-07-17 18:30:55 +02:00
interconnect
iommu iommu/amd: Ensure GA log notifier callbacks finish running before module unload 2025-06-27 11:05:32 +01:00
ipack
irqchip irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() 2025-05-09 09:39:42 +02:00
isdn
leds leds: multicolor: Fix intensity setting while SW blinking 2025-07-10 15:57:32 +02:00
macintosh macintosh/therm_windtunnel: fix module unload. 2024-08-19 05:45:06 +02:00
mailbox mailbox: Not protect module_put with spin_lock_irqsave 2025-07-10 15:57:32 +02:00
mcb mcb: fix a double free bug in chameleon_parse_gdd() 2025-05-02 07:44:31 +02:00
md raid10: cleanup memleak at raid10_make_request 2025-07-17 18:30:52 +02:00
media media: uvcvideo: Rollback non processed entities on error 2025-07-10 15:57:41 +02:00
memory
memstick memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove 2025-04-10 14:31:56 +02:00
message
mfd mfd: max14577: Fix wakeup source leaks on device unbind 2025-07-10 15:57:32 +02:00
misc VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify 2025-06-27 11:05:21 +01:00
mmc mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier 2025-07-10 15:57:47 +02:00
most
mtd mtd: spinand: fix memory leak of ECC engine conf 2025-07-10 15:57:47 +02:00
mux
net net: usb: qmi_wwan: add SIMCom 8230C composition 2025-07-17 18:30:54 +02:00
nfc
ntb ntb: reduce stack usage in idt_scan_mws 2025-05-02 07:44:36 +02:00
nubus
nvdimm libnvdimm/labels: Fix divide error in nd_label_data_init() 2025-06-04 14:37:55 +02:00
nvme nvmet-fcloop: access fcpreq only when holding reqlock 2025-06-27 11:05:20 +01:00
nvmem
of of: module: add buffer overflow check in of_modalias() 2025-05-09 09:39:41 +02:00
opp
parisc
parport parport_pc: add support for ASIX AX99100 2025-03-13 12:50:46 +01:00
pci PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time 2025-07-10 15:57:41 +02:00
pcmcia
perf perf/arm-cmn: Initialise cmn->cpu earlier 2025-06-04 14:38:08 +02:00
phy phy: core: don't require set_mode() callback for phy_get_mode() to work 2025-06-04 14:38:02 +02:00
pinctrl pinctrl: qcom: msm: mark certain pins as invalid for interrupts 2025-07-17 18:30:49 +02:00
platform platform/x86: think-lmi: Create ksets consecutively 2025-07-10 15:57:50 +02:00
pnp
power power: supply: bq27xxx: Retrieve again when busy 2025-06-27 11:05:28 +01:00
powercap powercap: call put_device() on an error path in powercap_register_control_type() 2025-04-10 14:31:50 +02:00
pps pps: Fix a use-after-free 2025-03-13 12:50:47 +01:00
ps3
ptp ptp: fix breakage after ptp_vclock_in_use() rework 2025-06-27 11:05:35 +01:00
pwm pwm: mediatek: Ensure to disable clocks in error path 2025-07-17 18:30:50 +02:00
rapidio drivers/rapidio/rio_cm.c: prevent possible heap overwrite 2025-06-27 11:05:33 +01:00
ras
regulator regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods 2025-07-10 15:57:48 +02:00
remoteproc remoteproc: core: Release rproc->clean_table after rproc_attach() fails 2025-06-27 11:05:27 +01:00
reset
rpmsg rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() 2025-06-27 11:05:15 +01:00
rtc rtc: cmos: use spin_lock_irqsave in cmos_interrupt 2025-07-10 15:57:42 +02:00
s390 s390/pkey: Prevent overflow in size calculation for memdup_user() 2025-07-10 15:57:37 +02:00
sbus
scsi scsi: ufs: core: Fix spelling of a sysfs attribute name 2025-07-10 15:57:44 +02:00
sh
siox
slimbus slimbus: messaging: Free transaction ID in delayed interrupt scenario 2025-03-13 12:51:10 +01:00
soc pmdomain: ti: Fix STANDBY handling of PER power domain 2025-06-27 11:05:30 +01:00
soundwire soundwire: slave: fix an OF node reference leak in soundwire slave device 2025-04-10 14:32:01 +02:00
spi spi: spi-fsl-dspi: Clear completion counter before initiating transfer 2025-07-10 15:57:45 +02:00
spmi
ssb
staging staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher() 2025-07-10 15:57:39 +02:00
target scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() 2025-07-10 15:57:47 +02:00
tc
tee tee: Prevent size calculation wraparound on 32-bit kernels 2025-06-27 11:05:33 +01:00
thermal thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR 2025-07-17 18:30:48 +02:00
thunderbolt thunderbolt: Do not double dequeue a configuration request 2025-06-27 11:05:09 +01:00
tty vt: add missing notification when switching back to text mode 2025-07-17 18:30:54 +02:00
uio uio_hv_generic: Align ring size to system page 2025-07-10 15:57:36 +02:00
usb usb: dwc3: Abort suspend on soft disconnect failure 2025-07-17 18:30:52 +02:00
vdpa vdpa/mlx5: Fix oversized null mkey longer than 32bit 2025-05-02 07:44:02 +02:00
vfio vfio/type1: Fix error unwind in migration dirty bitmap allocation 2025-06-27 11:05:13 +01:00
vhost vhost-scsi: protect vq->log_used with vq->mutex 2025-07-17 18:30:55 +02:00
video dummycon: Trigger redraw when switching consoles with deferred takeover 2025-07-10 15:57:37 +02:00
virt drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl 2025-03-13 12:51:11 +01:00
virtio virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN 2025-06-04 14:37:54 +02:00
visorbus
vlynq
vme
w1
watchdog watchdog: da9052_wdt: respect TWDMIN 2025-06-27 11:05:33 +01:00
xen xen: replace xen_remap() with memremap() 2025-07-17 18:30:48 +02:00
zorro
Kconfig
Makefile