Development tree for the kernel CSPRNG https://git.zx2c4.com/linux-rng/atom/drivers/target?h=master 2025-12-01T21:45:41Z 2025-12-01T21:45:41Z Linus Torvalds torvalds@linux-foundation.org 2025-12-01T21:45:41Z urn:sha1:1d18101a644e6ece450d5b0a93f21a71a21b6222 Pull cred guard updates from Christian Brauner: "This contains substantial credential infrastructure improvements adding guard-based credential management that simplifies code and eliminates manual reference counting in many subsystems. Features: - Kernel Credential Guards Add with_kernel_creds() and scoped_with_kernel_creds() guards that allow using the kernel credentials without allocating and copying them. This was requested by Linus after seeing repeated prepare_kernel_creds() calls that duplicate the kernel credentials only to drop them again later. The new guards completely avoid the allocation and never expose the temporary variable to hold the kernel credentials anywhere in callers. - Generic Credential Guards Add scoped_with_creds() guards for the common override_creds() and revert_creds() pattern. This builds on earlier work that made override_creds()/revert_creds() completely reference count free. - Prepare Credential Guards Add prepare credential guards for the more complex pattern of preparing a new set of credentials and overriding the current credentials with them: - prepare_creds() - modify new creds - override_creds() - revert_creds() - put_cred() Cleanups: - Make init_cred static since it should not be directly accessed - Add kernel_cred() helper to properly access the kernel credentials - Fix scoped_class() macro that was introduced two cycles ago - coredump: split out do_coredump() from vfs_coredump() for cleaner credential handling - coredump: move revert_cred() before coredump_cleanup() - coredump: mark struct mm_struct as const - coredump: pass struct linux_binfmt as const - sev-dev: use guard for path" * tag 'kernel-6.19-rc1.cred' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: (36 commits) trace: use override credential guard trace: use prepare credential guard coredump: use override credential guard coredump: use prepare credential guard coredump: split out do_coredump() from vfs_coredump() coredump: mark struct mm_struct as const coredump: pass struct linux_binfmt as const coredump: move revert_cred() before coredump_cleanup() sev-dev: use override credential guards sev-dev: use prepare credential guard sev-dev: use guard for path cred: add prepare credential guard net/dns_resolver: use credential guards in dns_query() cgroup: use credential guards in cgroup_attach_permissions() act: use credential guards in acct_write_process() smb: use credential guards in cifs_get_spnego_key() nfs: use credential guards in nfs_idmap_get_key() nfs: use credential guards in nfs_local_call_write() nfs: use credential guards in nfs_local_call_read() erofs: use credential guards ... 2025-11-08T17:30:02Z Hamza Mahfooz hamzamahfooz@linux.microsoft.com 2025-11-05T19:25:46Z urn:sha1:e6965188f84a7883e6a0d3448e86b0cf29b24dfc If the allocation of tl_hba->sh fails in tcm_loop_driver_probe() and we attempt to dereference it in tcm_loop_tpg_address_show() we will get a segfault, see below for an example. So, check tl_hba->sh before dereferencing it. Unable to allocate struct scsi_host BUG: kernel NULL pointer dereference, address: 0000000000000194 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 8356 Comm: tokio-runtime-w Not tainted 6.6.104.2-4.azl3 #1 Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/28/2024 RIP: 0010:tcm_loop_tpg_address_show+0x2e/0x50 [tcm_loop] ... Call Trace: <TASK> configfs_read_iter+0x12d/0x1d0 [configfs] vfs_read+0x1b5/0x300 ksys_read+0x6f/0xf0 ... Cc: stable@vger.kernel.org Fixes: 2628b352c3d4 ("tcm_loop: Show address of tpg in configfs") Signed-off-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com> Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com> Reviewed-by: Allen Pais <apais@linux.microsoft.com> Link: https://patch.msgid.link/1762370746-6304-1-git-send-email-hamzamahfooz@linux.microsoft.com Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2025-11-04T11:36:18Z Christian Brauner brauner@kernel.org 2025-11-02T23:12:46Z urn:sha1:0f0e7cee3496cc053c7a1a15a428b585d6b7e897 Get rid of all the boilerplate and tightly scope when the task runs with kernel creds. Link: https://patch.msgid.link/20251103-work-creds-init_cred-v1-7-cb3ec8711a6a@kernel.org Reviewed-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Christian Brauner <brauner@kernel.org> 2025-10-11T18:49:00Z Linus Torvalds torvalds@linux-foundation.org 2025-10-11T18:49:00Z urn:sha1:2a6edd867b155cb5c391a32a66ce7e5d2cdcb531 Pull SCSI fixes from James Bottomley: "Fixes only in drivers (ufs, mvsas, qla2xxx, target) that came in just before or during the merge window. The most important one is the qla2xxx which reverts a conversion to fix flexible array member warnings, that went up in this merge window but which turned out on further testing to be causing data corruption" * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: ufs: core: Include UTP error in INT_FATAL_ERRORS scsi: ufs: sysfs: Make HID attributes visible scsi: mvsas: Fix use-after-free bugs in mvs_work_queue scsi: ufs: core: Fix PM QoS mutex initialization scsi: ufs: core: Fix runtime suspend error deadlock Revert "scsi: qla2xxx: Fix memcpy() field-spanning write issue" scsi: target: target_core_configfs: Add length check to avoid buffer overflow 2025-10-04T02:17:48Z Linus Torvalds torvalds@linux-foundation.org 2025-10-04T02:17:48Z urn:sha1:674b0ddb7586a192612442c3aed9cf523faeed7a Pull SCSI updates from James Bottomley: "Usual driver updates (ufs, mpi3mr, lpfc, pm80xx, mpt3sas) plus assorted cleanups and fixes. The only core update is to sd.c and is mostly cosmetic" * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (105 commits) scsi: MAINTAINERS: Update FC element owners scsi: mpt3sas: Update driver version to 54.100.00.00 scsi: mpt3sas: Add support for 22.5 Gbps SAS link rate scsi: mpt3sas: Suppress unnecessary IOCLogInfo on CONFIG_INVALID_PAGE scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() scsi: ufs: ufs-qcom: Add support for limiting HS gear and rate scsi: ufs: pltfrm: Add DT support to limit HS gear and gear rate scsi: ufs: ufs-qcom: Remove redundant re-assignment to hs_rate scsi: ufs: dt-bindings: Document gear and rate limit properties scsi: ufs: core: Fix data race in CPU latency PM QoS request handling scsi: libfc: Fix potential buffer overflow in fc_ct_ms_fill() scsi: storvsc: Remove redundant ternary operators scsi: ufs: core: Change MCQ interrupt enable flow scsi: smartpqi: Replace kmalloc() + copy_from_user() with memdup_user() scsi: hpsa: Replace kmalloc() + copy_from_user() with memdup_user() scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() scsi: lpfc: Copyright updates for 14.4.0.11 patches scsi: lpfc: Update lpfc version to 14.4.0.11 scsi: lpfc: Convert debugfs directory counts from atomic to unsigned int scsi: lpfc: Clean up extraneous phba dentries ... 2025-09-29T11:49:12Z Wang Haoran haoranwangsec@gmail.com 2025-09-20T07:44:41Z urn:sha1:27e06650a5eafe832a90fd2604f0c5e920857fae A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes. Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error. An additional check of the return value of snprintf() can avoid this buffer overflow. Reported-by: Wang Haoran <haoranwangsec@gmail.com> Reported-by: ziiiro <yuanmingbuaa@gmail.com> Signed-off-by: Wang Haoran <haoranwangsec@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2025-09-16T01:54:09Z Alok Tiwari alok.a.tiwari@oracle.com 2025-09-10T19:07:20Z urn:sha1:f2d81dd6751ae4a28456ed5b8807f381dc0dc6ad Fix several minor issues in lio_target code and messages: - Correct typo "locatel" -> "locate" in error log. - Add missing space in pr_debug() message for better readability. - Fix comment typo: "contig_item" -> "config_item". These changes improve code clarity and log readability. Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com> Reviewed-by: Mike Christie <michael.christie@oracle.com> Message-ID: <20250910190728.3783157-1-alok.a.tiwari@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2025-09-10T02:05:36Z Qianfeng Rong rongqianfeng@vivo.com 2025-09-02T12:50:14Z urn:sha1:b0aca7ae828560b103016620be7fd4c302da4176 Change the 'ret' variable in iscsit_tmr_task_reassign() from u64 to int, as it needs to store either negative value or zero returned by iscsit_find_cmd_for_recovery(). Storing the negative error codes in unsigned type, or performing equality comparisons (e.g., ret == -2), doesn't cause an issue at runtime [1] but can be confusing. Additionally, assigning negative error codes to unsigned type may trigger a GCC warning when the -Wsign-conversion flag is enabled. No effect on runtime. Link: https://lore.kernel.org/all/x3wogjf6vgpkisdhg3abzrx7v7zktmdnfmqeih5kosszmagqfs@oh3qxrgzkikf/ #1 Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com> Reviewed-by: Mike Christie <michael.christie@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> 2025-09-09T13:31:59Z Christoph Hellwig hch@lst.de 2025-09-08T10:56:38Z urn:sha1:70a6f71b1a77decfc5b1db426ccbe914b58adb38 Just a simpler wrapper around bio_init for callers that want to initialize a bio with inline bvecs. Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: John Garry <john.g.garry@oracle.com> Reviewed-by: Yu Kuai <yukuai3@huawei.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> 2025-08-06T12:44:25Z Linus Torvalds torvalds@linux-foundation.org 2025-08-06T12:44:25Z urn:sha1:d7edcc7c9109f165efcf5d767fed21578c37c46c Pull more SCSI updates from James Bottomley: "This is mostly fixes and cleanups and code reworks that trickled in across the merge window and the weeks leading up. The only substantive update is the Mediatek ufs driver which accounts for the bulk of the additions" * tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: (37 commits) scsi: libsas: Use a bool for sas_deform_port() second argument scsi: libsas: Move declarations of internal functions to sas_internal.h scsi: libsas: Make sas_get_ata_info() static scsi: libsas: Simplify sas_ata_wait_eh() scsi: libsas: Refactor dev_is_sata() scsi: sd: Make sd shutdown issue START STOP UNIT appropriately scsi: arm64: dts: mediatek: mt8195: Add UFSHCI node scsi: dt-bindings: mediatek,ufs: add MT8195 compatible and update clock nodes scsi: dt-bindings: mediatek,ufs: Add ufs-disable-mcq flag for UFS host scsi: ufs: ufs-mediatek: Add UFS host support for MT8195 SoC scsi: ufs: ufs-pci: Remove control of UIC Completion interrupt for Intel MTL scsi: ufs: core: Do not write interrupt enable register unnecessarily scsi: ufs: core: Set and clear UIC Completion interrupt as needed scsi: ufs: core: Remove duplicated code in ufshcd_send_bsg_uic_cmd() scsi: ufs: core: Move ufshcd_enable_intr() and ufshcd_disable_intr() scsi: ufs: ufs-pci: Remove UFS PCI driver's ->late_init() call back scsi: ufs: ufs-pci: Fix default runtime and system PM levels scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers scsi: ufs: host: mediatek: Support FDE (AES) clock scaling scsi: ufs: host: mediatek: Support clock scaling with Vcore binding ...