[openeuler:OLK-5.10 16261/30000] drivers/video/fbdev/ls2k500sfb.c:244: undefined reference to `fg_console'
by kernel test robot 24 Sep '24

24 Sep '24
tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: ec708b533135368027cf0b97c4d1abf6950e86db commit: d74f3b70d73220d919db010ec1c81aa1d89082b6 [16261/30000] fbdev: add ls2k500sfb driver for ls2k500 bmc. config: x86_64-randconfig-074-20240924 (https://download.01.org/0day-ci/archive/20240924/202409241851.FLydbyQT-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240924/202409241851.FLydbyQT-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202409241851.FLydbyQT-lkp@intel.com/ All errors (new ones prefixed by >>): ld: drivers/video/fbdev/ls2k500sfb.o: in function `ls2k500sfb_events_fn': >> drivers/video/fbdev/ls2k500sfb.c:244: undefined reference to `fg_console' >> ld: drivers/video/fbdev/ls2k500sfb.c:244: undefined reference to `fg_console' >> ld: drivers/video/fbdev/ls2k500sfb.c:244: undefined reference to `fg_console' vim +244 drivers/video/fbdev/ls2k500sfb.c 110 /* Deferred work for the ls2k500sfb driver. On the first run (priv->running clear) it only snapshots the parent port's and the device's PCI config dwords into file-static arrays; on later runs it closes the PCIe window, retrains the link (vendor 0x14 path) or waits resetbootwait seconds, restores the saved config and schedules a console redraw. */ 111 static void ls2k500sfb_events_fn(struct work_struct *work) 112 { 113 struct ls2k500sfb_struct *priv = container_of(work, struct ls2k500sfb_struct, work); 114 struct pci_dev *pdev = priv->dev; 115 struct pci_dev *ppdev = pdev->bus->self; 116 uint32_t i, d, timeout, retry = 0; 117 static const uint32_t index[] = { 118 0x10, 0x14, 0x18, 0x1c, 0x20, 0x24, 0x30, 0x3c, 0x54, 0x58, 0x78, 0x7c, 0x80, 4 119 }; 120 121 static uint32_t data[sizeof(index) / 4]; 122 static const uint32_t cindex[] = { 0x10, 0x3c, 4 }; 123 124 static uint32_t cdata[sizeof(cindex) / 4]; 125 static uint32_t d80c, d71c, ctrl; 126 static void *p; 127 128 if (!priv->running) { 129 for (i = 0; i < ARRAY_SIZE(index); i++) 130 pci_read_config_dword(ppdev, index[i], &data[i]); 131 for (i = 0; i < ARRAY_SIZE(cindex); i++) 132 pci_read_config_dword(pdev, cindex[i], &cdata[i]); 
133 if (ppdev->vendor == 0x14) { 134 pci_read_config_dword(ppdev, 0x80c, &d80c); 135 d80c = (d80c & ~(3 << 17)) | (1 << 17); 136 137 pci_read_config_dword(ppdev, 0x71c, &d71c); 138 d71c |= 1 << 26; 139 140 p = pci_iomap(ppdev, 0, 0x100); 141 } /* NOTE(review): p is static and is only assigned inside the vendor == 0x14 branch above, and the pci_iomap() return is not checked; for any other vendor (or a failed iomap) the readl below goes through NULL or a stale mapping. */ 142 ctrl = readl(p); 143 return; 144 } 145 local_bh_disable(); 146 pciebreak_smp_send_stop(100); 147 wmb(); /* flush all write before we disable pcie window */ 148 pci_write_config_dword(ppdev, 0x18, 0); 149 pci_write_config_dword(ppdev, 0x1c, 0); 150 pci_write_config_dword(ppdev, 0x20, 0); 151 atomic_set(&waiting_for_pciebreak_ipi, 0); 152 wmb(); /* flush all write after change pcie window */ 153 local_bh_enable(); 154 if (ppdev->vendor == 0x14) { 155 timeout = 10000; 156 while (timeout) { 157 pci_read_config_dword(ppdev, 0x10, &d); 158 d &= ~0xf; 159 if (!d) 160 break; 161 mdelay(1); 162 timeout--; 163 }; 164 if (!timeout) 165 pr_info("bar not clear 0\n"); 166 167 pci_read_config_dword(ppdev, 0x0, &d); 168 pr_info("pcie port deviceid=0x%x recover begin\n", d); 169 retrain: 170 while (1) { 171 pci_write_config_dword(ppdev, index[0], data[0]); 172 pci_read_config_dword(ppdev, index[0], &d); 173 d &= ~0xf; 174 if (d) 175 break; 176 mdelay(1); 177 } 178 179 while (1) { 180 for (i = 0; i < ARRAY_SIZE(index); i++) { 181 if (index[i] != 0x18 && index[i] != 0x1c && index[i] != 0x20) 182 pci_write_config_dword(ppdev, index[i], data[i]); 183 } 184 pci_write_config_dword(ppdev, 0x80c, d80c); 185 pci_write_config_dword(ppdev, 0x71c, d71c); 186 187 pci_read_config_dword(ppdev, 0x10, &d); 188 d &= ~0xf; 189 if (d) 190 break; 191 mdelay(1); 192 } 193 194 timeout = 10000; 195 196 writel(ctrl | 0x8, p); 197 while (1) { 198 d = readl(p + 0xc); 199 if ((d & 0x11) == 0x11) { 200 break; 201 } else if (!timeout) { 202 pr_info("pcie train failed status=0x%x\n", d); 203 goto out; 204 } 205 mdelay(1); 206 timeout--; 207 } 208 209 210 pr_info("pcie recovered done\n"); 211 212 if (!retry) { 213 /*wait u-boot ddr config */ 214 
set_current_state(TASK_UNINTERRUPTIBLE); 215 schedule_timeout(HZ*resetbootwait); 216 set_current_state(TASK_RUNNING); 217 pci_read_config_dword(ppdev, 0x10, &d); 218 d &= ~0xf; 219 if (!d) { 220 retry = 1; 221 goto retrain; 222 } 223 } 224 } else { 225 set_current_state(TASK_UNINTERRUPTIBLE); 226 schedule_timeout(HZ*resetbootwait); 227 set_current_state(TASK_RUNNING); 228 } 229 local_bh_disable(); 230 pciebreak_smp_send_stop(10000); 231 wmb(); /* flush all write before we update pcie window */ 232 for (i = 0; i < ARRAY_SIZE(index); i++) 233 pci_write_config_dword(ppdev, index[i], data[i]); 234 235 for (i = 0; i < ARRAY_SIZE(cindex); i++) 236 pci_write_config_dword(pdev, cindex[i], cdata[i]); 237 atomic_set(&waiting_for_pciebreak_ipi, 0); 238 wmb(); /* flush all write after we update pcie window */ 239 local_bh_enable(); 240 241 242 pr_info("redraw console\n"); 243 /* NOTE(review): fg_console and switch_console() are VT-layer symbols; a configuration without the VT console cannot resolve them, which is the link error reported above — presumably this needs a Kconfig dependency on VT or a CONFIG_VT guard around the redraw. */ > 244 saved_console = fg_console; 245 switch_console(fg_console > 0?fg_console - 1 : fg_console + 1); 246 queue_delayed_work(priv->wq, &priv->redraw_work, HZ); 247 out: 248 priv->running = 0; 249 } 250 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-22.03-LTS-SP1] ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
by Liu Mingrui 24 Sep '24

24 Sep '24
From: robelin <robelin(a)nvidia.com> stable inclusion from stable-v5.10.226 commit 8ca21e7a27c66b95a4b215edc8e45e5d66679f9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARYAA CVE: CVE-2024-46798 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b4a90b543d9f62d3ac34ec1ab97fc5334b048565 upstream. When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it. Fixes: a72706ed8208 ("ASoC: codec2codec: remove ephemeral variables") Signed-off-by: robelin <robelin(a)nvidia.com> Signed-off-by: Sameer Pujar <spujar(a)nvidia.com> Link: https://patch.msgid.link/20240823144342.4123814-2-spujar@nvidia.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com> --- sound/soc/soc-dapm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index 754c1f16ee83..acb46e1f9c0a 100644 
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -4014,6 +4014,7 @@ static int snd_soc_dai_link_event(struct snd_soc_dapm_widget *w,
 case SND_SOC_DAPM_POST_PMD:
 kfree(substream->runtime);
+ substream->runtime = NULL;
 break;
 default:
--
2.25.1
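Review bot: The hunk clears `substream->runtime` only on the `SND_SOC_DAPM_POST_PMD` path; if `snd_soc_dai_link_event` also frees `substream->runtime` on another path (an error unwind, for instance — not visible here), that site needs the same `substream->runtime = NULL;` or the dangling pointer the description talks about survives there. Since the protection rests entirely on the NULL check in `snd_pcm_sync_stop()`, the pairing is worth documenting at the kfree, `/* clear so snd_pcm_sync_stop() cannot see a freed runtime */`. The function starts and ends outside the hunk. The OLK-5.10 and OLK-6.6 copies of this patch in the next two threads carry the identical hunk and the same remark applies to them.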
[PATCH OLK-5.10] ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
by Liu Mingrui 24 Sep '24

24 Sep '24
From: robelin <robelin(a)nvidia.com> stable inclusion from stable-v5.10.226 commit 8ca21e7a27c66b95a4b215edc8e45e5d66679f9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARYAA CVE: CVE-2024-46798 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b4a90b543d9f62d3ac34ec1ab97fc5334b048565 upstream. When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it. Fixes: a72706ed8208 ("ASoC: codec2codec: remove ephemeral variables") Signed-off-by: robelin <robelin(a)nvidia.com> Signed-off-by: Sameer Pujar <spujar(a)nvidia.com> Link: https://patch.msgid.link/20240823144342.4123814-2-spujar@nvidia.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com> --- sound/soc/soc-dapm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index 754c1f16ee83..acb46e1f9c0a 100644 
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -4014,6 +4014,7 @@ static int snd_soc_dai_link_event(struct snd_soc_dapm_widget *w,
 case SND_SOC_DAPM_POST_PMD:
 kfree(substream->runtime);
+ substream->runtime = NULL;
 break;
 default:
--
2.25.1
[PATCH OLK-6.6] ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
by Liu Mingrui 24 Sep '24

24 Sep '24
From: robelin <robelin(a)nvidia.com> stable inclusion from stable-v5.10.226 commit 8ca21e7a27c66b95a4b215edc8e45e5d66679f9f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARYAA CVE: CVE-2024-46798 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit b4a90b543d9f62d3ac34ec1ab97fc5334b048565 upstream. When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it. Fixes: a72706ed8208 ("ASoC: codec2codec: remove ephemeral variables") Signed-off-by: robelin <robelin(a)nvidia.com> Signed-off-by: Sameer Pujar <spujar(a)nvidia.com> Link: https://patch.msgid.link/20240823144342.4123814-2-spujar@nvidia.com Signed-off-by: Mark Brown <broonie(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Liu Mingrui <liumingrui(a)huawei.com> --- sound/soc/soc-dapm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index 85e3bbf7e5f0..7729f8f4d5e6 100644 
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -4018,6 +4018,7 @@ static int snd_soc_dai_link_event(struct snd_soc_dapm_widget *w,
 case SND_SOC_DAPM_POST_PMD:
 kfree(substream->runtime);
+ substream->runtime = NULL;
 break;
 default:
--
2.25.1
[PATCH openEuler-1.0-LTS] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
by Bowen You 24 Sep '24

24 Sep '24
mainline inclusion from mainline-v6.11-rc1 commit 0974d03eb479384466d828d65637814bee6b26d7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWPW CVE: CVE-2024-46774 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. Signed-off-by: Nathan Lynch <nathanl(a)linux.ibm.com> Reported-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Breno Leitao <leitao(a)debian.org> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm… Conflicts: arch/powerpc/kernel/rtas.c [Some header files are not included.] Signed-off-by: Bowen You <youbowen2(a)huawei.com>
---
 arch/powerpc/kernel/rtas.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
index 7e0722b62cae..e39d25744ea2 100644
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -24,6 +24,7 @@
 #include <linux/completion.h>
 #include <linux/cpumask.h>
 #include <linux/memblock.h>
+#include <linux/nospec.h>
 #include <linux/slab.h>
 #include <linux/reboot.h>
 #include <linux/syscalls.h>
@@ -1224,6 +1225,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
 || nargs + nret > ARRAY_SIZE(args.args))
 return -EINVAL;
+ nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));
+ nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);
+
 /* Copy in args. */
 if (copy_from_user(args.args, uargs->args,
 nargs * sizeof(rtas_arg_t)) != 0)
--
2.34.1
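Review bot: The two added `array_index_nospec()` lines carry no comment saying why values the bounds check just accepted still need clamping, which is exactly what a later maintainer will want before deciding they are redundant; suggest one line above them, `/* the bounds check above does not stop speculation; clamp nargs/nret so they cannot index args.args out of range */`. The `nret` clamp uses `ARRAY_SIZE(args.args) - nargs` and is only right because `nargs` was clamped on the previous line, so the statement order matters and is worth saying in that comment. The syscall body starts and ends outside the hunk. The same hunk appears in the openEuler-22.03-LTS-SP1, OLK-6.6 and OLK-5.10 copies of this patch further down the page.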
[openeuler:OLK-5.10 29872/30000] ld.lld: error: duplicate symbol: lld_dev_hold
by kernel test robot 24 Sep '24

24 Sep '24
tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 686352476cd29ec854b93e09a49d57c25a18a32f commit: 33116132568edcf6565cfd65cfa433f440d90494 [29872/30000] drm/qxl: Add check for drm_cvt_mode config: x86_64-allyesconfig (https://download.01.org/0day-ci/archive/20240924/202409241604.35w0b2j4-lkp@…) compiler: clang version 18.1.8 (https://github.com/llvm/llvm-project 3b5b5c1ec4a3095ab096dd780e84d7ab81f3d7ff) reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240924/202409241604.35w0b2j4-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202409241604.35w0b2j4-lkp@intel.com/ Note: the openeuler/OLK-5.10 HEAD 686352476cd29ec854b93e09a49d57c25a18a32f builds fine. It only hurts bisectability. All errors (new ones prefixed by >>): >> ld.lld: error: duplicate symbol: lld_dev_hold >>> defined at hifc_lld.c >>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_hold) in archive drivers/built-in.a >>> defined at sss_adapter_mgmt.c >>> net/ethernet/3snic/sssnic/hw/sss_adapter_mgmt.o:(.text+0x20) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: lld_dev_put >>> defined at hifc_lld.c >>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_put) in archive drivers/built-in.a >>> defined at sss_adapter_mgmt.c >>> net/ethernet/3snic/sssnic/hw/sss_adapter_mgmt.o:(.text+0x80) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: g_uld_mutex >>> defined at sss_pci_global.c >>> net/ethernet/3snic/sssnic/hw/sss_pci_global.o:(g_uld_mutex) in archive drivers/built-in.a >>> defined at hinic3_lld.c >>> net/ethernet/huawei/hinic3/hw/hinic3_lld.o:(.bss+0x340) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: lld_dev_hold >>> defined at hifc_lld.c >>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_hold) in archive drivers/built-in.a >>> defined at hinic3_dev_mgmt.c 
>>> net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.o:(.text+0x120) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: lld_dev_put >>> defined at hifc_lld.c >>> scsi/huawei/hifc/hifc_lld.o:(lld_dev_put) in archive drivers/built-in.a >>> defined at hinic3_dev_mgmt.c >>> net/ethernet/huawei/hinic3/hw/hinic3_dev_mgmt.o:(.text+0x180) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: nic_ioctl >>> defined at hinic_nictool.c >>> net/ethernet/huawei/hinic/hinic_nictool.o:(nic_ioctl) in archive drivers/built-in.a >>> defined at hinic3_dbg.c >>> net/ethernet/huawei/hinic3/hinic3_dbg.o:(.text+0x0) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: set_slave_host_enable >>> defined at hinic_multi_host_mgmt.c >>> net/ethernet/huawei/hinic/hinic_multi_host_mgmt.o:(set_slave_host_enable) in archive drivers/built-in.a >>> defined at hinic3_hwdev.c >>> net/ethernet/huawei/hinic3/hw/hinic3_hwdev.o:(.text+0x0) in archive drivers/built-in.a -- >> ld.lld: error: duplicate symbol: set_func_host_mode >>> defined at hinic_multi_host_mgmt.c >>> net/ethernet/huawei/hinic/hinic_multi_host_mgmt.o:(set_func_host_mode) in archive drivers/built-in.a >>> defined at hinic3_hwdev.c >>> net/ethernet/huawei/hinic3/hw/hinic3_hwdev.o:(.text+0x2C0) in archive drivers/built-in.a -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
[PATCH openEuler-22.03-LTS-SP1] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
by Bowen You 24 Sep '24

24 Sep '24
mainline inclusion from mainline-v6.11-rc1 commit 0974d03eb479384466d828d65637814bee6b26d7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWPW CVE: CVE-2024-46774 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. Signed-off-by: Nathan Lynch <nathanl(a)linux.ibm.com> Reported-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Breno Leitao <leitao(a)debian.org> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm… Conflicts: arch/powerpc/kernel/rtas.c [Some header files are not included.] Signed-off-by: Bowen You <youbowen2(a)huawei.com>
---
 arch/powerpc/kernel/rtas.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
index bf962051af0a..2e92e87ac0e3 100644
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -21,6 +21,7 @@
 #include <linux/completion.h>
 #include <linux/cpumask.h>
 #include <linux/memblock.h>
+#include <linux/nospec.h>
 #include <linux/slab.h>
 #include <linux/reboot.h>
 #include <linux/syscalls.h>
@@ -1168,6 +1169,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
 || nargs + nret > ARRAY_SIZE(args.args))
 return -EINVAL;
+ nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));
+ nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);
+
 /* Copy in args. */
 if (copy_from_user(args.args, uargs->args,
 nargs * sizeof(rtas_arg_t)) != 0)
--
2.34.1
[PATCH OLK-6.6] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
by Bowen You 24 Sep '24

24 Sep '24
mainline inclusion from mainline-v6.11-rc1 commit 0974d03eb479384466d828d65637814bee6b26d7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWPW CVE: CVE-2024-46774 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. Signed-off-by: Nathan Lynch <nathanl(a)linux.ibm.com> Reported-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Breno Leitao <leitao(a)debian.org> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm… Conflicts: arch/powerpc/kernel/rtas.c [Some header files are not included.] Signed-off-by: Bowen You <youbowen2(a)huawei.com>
---
 arch/powerpc/kernel/rtas.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
index 46b9476d7582..dc294c95da21 100644
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -18,6 +18,7 @@
 #include <linux/kernel.h>
 #include <linux/lockdep.h>
 #include <linux/memblock.h>
+#include <linux/nospec.h>
 #include <linux/of.h>
 #include <linux/of_fdt.h>
 #include <linux/reboot.h>
@@ -1839,6 +1840,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
 || nargs + nret > ARRAY_SIZE(args.args))
 return -EINVAL;
+ nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));
+ nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);
+
 /* Copy in args. */
 if (copy_from_user(args.args, uargs->args,
 nargs * sizeof(rtas_arg_t)) != 0)
--
2.34.1
[PATCH openEuler-1.0-LTS] VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
by Zhang Kunbo 24 Sep '24

24 Sep '24
From: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com> mainline inclusion from mainline-v6.11-rc7 commit 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARY1L CVE: CVE-2024-46738 Reference: https://lore.kernel.org/lkml/20240828154338.754746-1-david.fernandez.gonzal… -------------------------------- When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove(). Fixes: bc63dedb7d46 ("VMCI: resource object implementation.") Cc: stable(a)vger.kernel.org Reported-by: George Kennedy <george.kennedy(a)oracle.com> Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez(a)oracle.com> Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com>
---
 drivers/misc/vmw_vmci/vmci_resource.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/vmw_vmci/vmci_resource.c b/drivers/misc/vmw_vmci/vmci_resource.c
index da1ee2e1ba99..2779704e128a 100644
--- a/drivers/misc/vmw_vmci/vmci_resource.c
+++ b/drivers/misc/vmw_vmci/vmci_resource.c
@@ -152,7 +152,8 @@ void vmci_resource_remove(struct vmci_resource *resource)
 spin_lock(&vmci_resource_table.lock);
 hlist_for_each_entry(r, &vmci_resource_table.entries[idx], node) {
- if (vmci_handle_is_equal(r->handle, resource->handle)) {
+ if (vmci_handle_is_equal(r->handle, resource->handle) &&
+ resource->type == r->type) {
 hlist_del_init_rcu(&r->node);
 break;
 }
--
2.34.1
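Review bot: The added `resource->type == r->type` test narrows the match but still never compares the entry with the object being removed; if the table can hold two live resources with equal handle and type (not decidable from the hunk — vmci_resource_add() is not in view), the loop can again unlink a different entry while the caller goes on to free `resource`, which is the same use-after-free shape the description reports. Comparing identity, `if (r == resource) {`, would make the removal unambiguous regardless of how handles are assigned; if equal handle+type is impossible by construction, a comment at the `if`, `/* handle+type is unique in the table, enforced by vmci_resource_add() */`, would record why the two-field match is sufficient. vmci_resource_remove continues outside the hunk.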
[PATCH OLK-5.10] powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()
by Bowen You 24 Sep '24

24 Sep '24
mainline inclusion from mainline-v6.11-rc1 commit 0974d03eb479384466d828d65637814bee6b26d7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARWPW CVE: CVE-2024-46774 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution. Signed-off-by: Nathan Lynch <nathanl(a)linux.ibm.com> Reported-by: Breno Leitao <leitao(a)debian.org> Reviewed-by: Breno Leitao <leitao(a)debian.org> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Link: https://msgid.link/20240530-sys_rtas-nargs-nret-v1-1-129acddd4d89@linux.ibm… Conflicts: arch/powerpc/kernel/rtas.c [Some header files are not included.] Signed-off-by: Bowen You <youbowen2(a)huawei.com>
---
 arch/powerpc/kernel/rtas.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
index 5976a25c6264..9d87e7dec5f1 100644
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -21,6 +21,7 @@
 #include <linux/completion.h>
 #include <linux/cpumask.h>
 #include <linux/memblock.h>
+#include <linux/nospec.h>
 #include <linux/slab.h>
 #include <linux/reboot.h>
 #include <linux/syscalls.h>
@@ -1173,6 +1174,9 @@ SYSCALL_DEFINE1(rtas, struct rtas_args __user *, uargs)
 || nargs + nret > ARRAY_SIZE(args.args))
 return -EINVAL;
+ nargs = array_index_nospec(nargs, ARRAY_SIZE(args.args));
+ nret = array_index_nospec(nret, ARRAY_SIZE(args.args) - nargs);
+
 /* Copy in args. */
 if (copy_from_user(args.args, uargs->args,
 nargs * sizeof(rtas_arg_t)) != 0)
--
2.34.1