mailweb.openeuler.org
Kernel

kernel@openeuler.org

  • 64 participants
  • 19413 discussions
[PATCH OLK-5.10] drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()
by Cui GaoSheng 07 Jun '24

From: Boris Brezillon <boris.brezillon(a)collabora.com> stable inclusion from stable-v6.6.28 commit 31806711e8a4b75e09b1c43652f2a6420e6e1002 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9QRMU CVE: CVE-2024-35951 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 1fc9af813b25e146d3607669247d0f970f5a87c3 upstream. Subject: drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr() If some the pages or sgt allocation failed, we shouldn't release the pages ref we got earlier, otherwise we will end up with unbalanced get/put_pages() calls. We should instead leave everything in place and let the BO release function deal with extra cleanup when the object is destroyed, or let the fault handler try again next time it's called. Fixes: 187d2929206e ("drm/panfrost: Add support for GPU heap allocations") Cc: <stable(a)vger.kernel.org> Reviewed-by: Steven Price <steven.price(a)arm.com> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno(a)collabora.com> Signed-off-by: Boris Brezillon <boris.brezillon(a)collabora.com> Co-developed-by: Dmitry Osipenko <dmitry.osipenko(a)collabora.com> Signed-off-by: Dmitry Osipenko <dmitry.osipenko(a)collabora.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240105184624.508603-18-dmit… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: drivers/gpu/drm/panfrost/panfrost_mmu.c Signed-off-by: Cui GaoSheng <cuigaosheng1(a)huawei.com> --- drivers/gpu/drm/panfrost/panfrost_mmu.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/panfrost/panfrost_mmu.c b/drivers/gpu/drm/panfrost/panfrost_mmu.c index 7ab916a6ba3f..3d822ecc3448 100644 --- a/drivers/gpu/drm/panfrost/panfrost_mmu.c +++ b/drivers/gpu/drm/panfrost/panfrost_mmu.c 
@@ -447,12 +447,19 @@ static int panfrost_mmu_map_fault_addr(struct panfrost_device *pfdev, int as, mapping_set_unevictable(mapping); for (i = page_offset; i < page_offset + NUM_FAULT_PAGES; i++) { + /* Can happen if the last fault only partially filled this + * section of the pages array before failing. In that case + * we skip already filled pages. + */ + if (pages[i]) + continue; + pages[i] = shmem_read_mapping_page(mapping, i); if (IS_ERR(pages[i])) { mutex_unlock(&bo->base.pages_lock); ret = PTR_ERR(pages[i]); pages[i] = NULL; - goto err_pages; + goto err_bo; } } @@ -462,7 +469,7 @@ static int panfrost_mmu_map_fault_addr(struct panfrost_device *pfdev, int as, ret = sg_alloc_table_from_pages(sgt, pages + page_offset, NUM_FAULT_PAGES, 0, SZ_2M, GFP_KERNEL); if (ret) - goto err_pages; + goto err_bo; ret = dma_map_sgtable(pfdev->dev, sgt, DMA_BIDIRECTIONAL, 0); if (ret) @@ -482,8 +489,6 @@ static int panfrost_mmu_map_fault_addr(struct panfrost_device *pfdev, int as, err_map: sg_free_table(sgt); -err_pages: - drm_gem_shmem_put_pages(&bo->base); err_bo: panfrost_gem_mapping_put(bomapping); return ret; -- 2.34.1
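Review bot: with err_pages: removed in the last hunk, no path in panfrost_mmu_map_fault_addr() calls drm_gem_shmem_put_pages() any more, so the pages reference is dropped only when the BO is released. A short comment at err_bo: saying the pages are intentionally left in place would keep a later cleanup from reintroducing the unbalanced put. The trailer also lists "Conflicts: drivers/gpu/drm/panfrost/panfrost_mmu.c" without saying how the conflict was resolved; one line describing the difference from the upstream commit would make the backport reviewable.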
[PATCH OLK-5.10 v2 0/2] iomap: fix sub-page not set dirty state
by Long Li 07 Jun '24

This patch fixes the sub-page not set dirty state issue.

Long Li (2):
  Revert "iomap: Don't create iomap_page objects in iomap_page_mkwrite_actor"
  iomap: Ensure sub-page dirty state is set during mmap writes

 fs/iomap/buffered-io.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--
2.31.1
[PATCH OLK-5.10] cvm: enhance security for cvm host feature
by Ju Fu 07 Jun '24

virtcca inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9TM0T -------------------------------- enhance security for cvm host feature Signed-off-by: Ju Fu <fuju1(a)huawei.com> --- arch/arm64/include/asm/kvm_emulate.h | 4 ++- arch/arm64/include/asm/kvm_tmi.h | 34 ++------------------ arch/arm64/include/asm/kvm_tmm.h | 2 +- arch/arm64/kvm/cvm.c | 48 ++++++++++++++++++++++++---- drivers/irqchip/irq-gic-v3-its.c | 2 +- 5 files changed, 49 insertions(+), 41 deletions(-) diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h index 540563623..1271df56c 100644 --- a/arch/arm64/include/asm/kvm_emulate.h +++ b/arch/arm64/include/asm/kvm_emulate.h @@ -571,7 +571,9 @@ static inline enum cvm_state kvm_cvm_state(struct kvm *kvm) { struct cvm *cvm = kvm->arch.cvm; - return cvm && READ_ONCE(cvm->state); + if (!cvm) + return 0; + return READ_ONCE(cvm->state); } #endif #endif /* __ARM64_KVM_EMULATE_H__ */ diff --git a/arch/arm64/include/asm/kvm_tmi.h b/arch/arm64/include/asm/kvm_tmi.h index 536594017..b89680f31 100644 --- a/arch/arm64/include/asm/kvm_tmi.h +++ b/arch/arm64/include/asm/kvm_tmi.h @@ -18,22 +18,6 @@ #define TMM_TTT_LEVEL_2 2 #define TMM_TTT_LEVEL_3 3 -#ifdef CONFIG_CVM_HOST_FVP_PLAT -#define CVM_MEM_BASE ULL(0x8800000000) /* choose FVP platform to run cVM */ -#define VQ_NUM 3 -#else -#define CVM_MEM_BASE ULL(0x800000000) /* choose qemu platform to run cVM */ -#define VQ_NUM 3 -#endif - -#define MEM_SEG_NUMS 2 - -/* define in QEMU hw/arm/virt.c */ -#define VIRT_PCIE_MMIO 0x10000000 /* 256MB */ -#define VIRT_PCIE_MMIO_SIZE 0x1000000 /* 16MB */ -#define VIRT_HIGH_PCIE_ECAM 0x8000000000 /* 512GB */ -#define VIRT_HIGH_PCIE_ECAM_SIZE 0x12000000 /* 288MB */ - /* TMI error codes. */ #define TMI_SUCCESS 0 #define TMI_ERROR_INPUT 1 
@@ -214,6 +198,8 @@ struct tmi_tec_run { #define TMI_NO_MEASURE_CONTENT U(0) #define TMI_MEASURE_CONTENT U(1) +#define CVM_IPA_MAX_VAL (1UL << 48) + /* * SMC_TMM_INIT_COMPLETE is the only function in the TMI that originates from * the CVM world and is handled by the SPMD. The remaining functions are @@ -264,7 +250,7 @@ struct tmi_tec_run { #define TMI_ABI_VERSION_GET_MAJOR(_version) ((_version) >> 16) #define TMI_ABI_VERSION_GET_MINOR(_version) ((_version) & 0xFFFF) -#define TMI_ABI_VERSION_MAJOR U(0x0) +#define TMI_ABI_VERSION_MAJOR U(0x1) /* KVM_CAP_ARM_TMM on VM fd */ #define KVM_CAP_ARM_TMM_CONFIG_CVM_HOST 0 @@ -330,20 +316,6 @@ struct kvm_cap_arm_tmm_populate_region_args { __u32 reserved[3]; }; -enum tmi_tmm_mem_type { - TMM_MEM_TYPE_RD, - TMM_MEM_TYPE_TEC, - TMM_MEM_TYPE_TTT, - TMM_MEM_TYPE_CVM_PA, -}; - -enum tmi_tmm_map_size { - TMM_MEM_MAP_SIZE_4K, - TMM_MEM_MAP_SIZE_2M, - TMM_MEM_MAP_SIZE_1G, - TMM_MEM_MAP_SIZE_MAX, -}; - static inline bool tmm_is_addr_ttt_level_aligned(uint64_t addr, int level) { uint64_t mask = (1 << (12 + 9 * (3 - level))) - 1; diff --git a/arch/arm64/include/asm/kvm_tmm.h b/arch/arm64/include/asm/kvm_tmm.h index 88fa0873c..8cc7a35c9 100644 --- a/arch/arm64/include/asm/kvm_tmm.h +++ b/arch/arm64/include/asm/kvm_tmm.h @@ -8,7 +8,7 @@ #include <uapi/linux/kvm.h> enum cvm_state { - CVM_STATE_NONE, + CVM_STATE_NONE = 1, CVM_STATE_NEW, CVM_STATE_ACTIVE, CVM_STATE_DYING diff --git a/arch/arm64/kvm/cvm.c b/arch/arm64/kvm/cvm.c index 70521fec8..9b4087a37 100644 --- a/arch/arm64/kvm/cvm.c +++ b/arch/arm64/kvm/cvm.c @@ -181,8 +181,9 @@ int kvm_arm_create_cvm(struct kvm *kvm) memcpy(cvm->params->rpv, &cvm->cvm_vmid, sizeof(cvm->cvm_vmid)); cvm->rd = tmi_cvm_create(__pa(cvm->params), numa_set); if (!cvm->rd) { - kvm_err("KVM creates cVM: %d\n", cvm->cvm_vmid); + kvm_err("KVM creates cVM failed: %d\n", cvm->cvm_vmid); ret = -ENOMEM; + goto out; } WRITE_ONCE(cvm->state, CVM_STATE_NEW); 
@@ -341,7 +342,7 @@ int kvm_cvm_populate_par_region(struct kvm *kvm, u64 numa_set, */ ipa = ALIGN_DOWN(ipa, map_size); - if (is_data_create_region(ipa_base, args)) { + if (is_data_create_region(ipa, args)) { pfn = gfn_to_pfn_memslot(memslot, gpa_to_gfn(ipa)); if (is_error_pfn(pfn)) { ret = -EFAULT; @@ -602,6 +603,7 @@ static int kvm_populate_ram_region(struct kvm *kvm, u64 map_size, static int kvm_populate_ipa_cvm_range(struct kvm *kvm, struct kvm_cap_arm_tmm_populate_region_args *args) { + struct cvm *cvm = (struct cvm *)kvm->arch.cvm; u64 l2_granule = cvm_granule_size(TMM_TTT_LEVEL_2); phys_addr_t ipa_base1, ipa_end2; @@ -612,7 +614,10 @@ static int kvm_populate_ipa_cvm_range(struct kvm *kvm, !IS_ALIGNED(args->populate_ipa_base2, PAGE_SIZE) || !IS_ALIGNED(args->populate_ipa_size2, PAGE_SIZE)) return -EINVAL; - if (args->populate_ipa_base2 < args->populate_ipa_base1 + args->populate_ipa_size1) + + if (args->populate_ipa_base1 < cvm->loader_start || + args->populate_ipa_base2 < args->populate_ipa_base1 + args->populate_ipa_size1 || + cvm->dtb_end < args->populate_ipa_base2 + args->populate_ipa_size2) return -EINVAL; if (args->flags & ~TMI_MEASURE_CONTENT) @@ -755,6 +760,26 @@ int kvm_init_tmm(void) return 0; } +bool is_numa_ipa_range_valid(struct kvm_numa_info *numa_info) +{ + unsigned long i; + struct kvm_numa_node *numa_node, *prev_numa_node; + + prev_numa_node = NULL; + for (i = 0; i < numa_info->numa_cnt; i++) { + numa_node = &numa_info->numa_nodes[i]; + if (numa_node->ipa_start + numa_node->ipa_size < numa_node->ipa_start) + return false; + if (prev_numa_node && + numa_node->ipa_start < prev_numa_node->ipa_start + prev_numa_node->ipa_size) + return false; + prev_numa_node = numa_node; + } + if (numa_node->ipa_start + numa_node->ipa_size > CVM_IPA_MAX_VAL) + return false; + return true; +} + int kvm_load_user_data(struct kvm *kvm, unsigned long arg) { struct kvm_user_data user_data; 
@@ -766,26 +791,34 @@ int kvm_load_user_data(struct kvm *kvm, unsigned long arg) return -EFAULT; if (copy_from_user(&user_data, argp, sizeof(user_data))) - return -EFAULT; + return -EINVAL; numa_info = &user_data.numa_info; if (numa_info->numa_cnt > MAX_NUMA_NODE) - return -EFAULT; + return -EINVAL; if (numa_info->numa_cnt > 0) { unsigned long i, total_size = 0; struct kvm_numa_node *numa_node = &numa_info->numa_nodes[0]; unsigned long ipa_end = numa_node->ipa_start + numa_node->ipa_size; + if (!is_numa_ipa_range_valid(numa_info)) + return -EINVAL; if (user_data.loader_start < numa_node->ipa_start || user_data.dtb_end > ipa_end) - return -EFAULT; + return -EINVAL; for (i = 0; i < numa_info->numa_cnt; i++) total_size += numa_info->numa_nodes[i].ipa_size; if (total_size != user_data.ram_size) - return -EFAULT; + return -EINVAL; } + if (user_data.image_end <= user_data.loader_start || + user_data.initrd_start < user_data.image_end || + cvm->dtb_end < user_data.initrd_start || + cvm->ram_size < cvm->dtb_end - user_data.loader_start) + return -EINVAL; + cvm->loader_start = user_data.loader_start; cvm->image_end = user_data.image_end; cvm->initrd_start = user_data.initrd_start; @@ -871,6 +904,7 @@ int kvm_init_cvm_vm(struct kvm *kvm) return -ENOMEM; cvm->params = params; + WRITE_ONCE(cvm->state, CVM_STATE_NONE); return 0; } diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c index 2c2f23f35..153930d01 100644 --- a/drivers/irqchip/irq-gic-v3-its.c +++ b/drivers/irqchip/irq-gic-v3-its.c @@ -2905,7 +2905,7 @@ static void its_free_tables(struct its_node *its) for (i = 0; i < GITS_BASER_NR_REGS; i++) { if (its->tables[i].base) { #ifdef CONFIG_CVM_GUEST - if (!is_cvm_world()) + if (is_cvm_world()) its_free_shared_pages(its->tables[i].base, its->tables[i].order); else -- 2.25.1.windows.1
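Review bot: in the kvm_load_user_data() hunk, the new layout check tests cvm->dtb_end and cvm->ram_size, but the copy from user_data into cvm (cvm->loader_start = user_data.loader_start; and the lines after it) only happens below the check, so those two fields hold whatever the cvm had before this call rather than the values being validated. Compare against user_data.dtb_end and user_data.ram_size instead. Separately, a failed copy_from_user() conventionally returns -EFAULT; changing that return to -EINVAL hides a bad user pointer behind an argument error.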
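Review bot: is_numa_ipa_range_valid() dereferences numa_node after the loop (numa_node->ipa_start + numa_node->ipa_size > CVM_IPA_MAX_VAL) without ever initialising it, so a call with numa_cnt == 0 reads an uninitialised pointer. The only caller shown guards with numa_cnt > 0, but the helper is not static and should not depend on that. Return early for numa_cnt == 0 or move the CVM_IPA_MAX_VAL test inside the loop, and mark the function static if it is used only in cvm.c.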
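Review bot: kvm_cvm_state() now returns a bare 0 for the no-cvm case while enum cvm_state starts at CVM_STATE_NONE = 1, so 0 is a value of the return type that has no enumerator. Give it a name, or document next to the enum that 0 means "not a cVM", so callers do not compare against a magic number. The changelog should also say that the old expression, cvm && READ_ONCE(cvm->state), collapsed every non-zero state to 1, since that is the behaviour change callers will see.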
[PATCH openEuler-1.0-LTS] watchdog: Fix possible use-after-free in wdt_startup()
by Zeng Heng 07 Jun '24

From: Zou Wei <zou_wei(a)huawei.com> mainline inclusion from mainline-v5.14-rc1 commit c08a6b31e4917034f0ed0cb457c3bb209576f542 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9ROH3 CVE: CVE-2021-47324 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot <hulkci(a)huawei.com> Signed-off-by: Zou Wei <zou_wei(a)huawei.com> Reviewed-by: Guenter Roeck <linux(a)roeck-us.net> Link: https://lore.kernel.org/r/1620716495-108352-1-git-send-email-zou_wei@huawei… Signed-off-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Wim Van Sebroeck <wim(a)linux-watchdog.org> Signed-off-by: Zeng Heng <zengheng4(a)huawei.com> --- drivers/watchdog/sbc60xxwdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/watchdog/sbc60xxwdt.c b/drivers/watchdog/sbc60xxwdt.c index 87333a41f753..1702df7f8c38 100644 --- a/drivers/watchdog/sbc60xxwdt.c +++ b/drivers/watchdog/sbc60xxwdt.c @@ -152,7 +152,7 @@ static void wdt_startup(void) static void wdt_turnoff(void) { /* Stop the timer */ - del_timer(&timer); + del_timer_sync(&timer); inb_p(wdt_stop); pr_info("Watchdog timer is now disabled...\n"); } -- 2.25.1
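Review bot: the subject names wdt_startup(), but the changed call is in wdt_turnoff(); wdt_startup appears only as the hunk-header context. A line in the backport changelog pointing at wdt_turnoff() would keep the CVE record and the code in step. Since del_timer_sync() waits for a running handler, also confirm that wdt_turnoff() is never reached from the timer callback itself or with a lock held that the callback takes.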
[PATCH openEuler-1.0-LTS] igb: Fix use-after-free error during reset
by liwei 07 Jun '24

From: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> mainline inclusion from mainline-v5.14-rc2 commit 7b292608db23ccbbfbfa50cdb155d01725d7a52e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4I4 CVE: CVE-2021-47301 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Cleans the next descriptor to watch (next_to_watch) when cleaning the TX ring. Failure to do so can cause invalid memory accesses. If igb_poll() runs while the controller is reset this can lead to the driver try to free a skb that was already freed. (The crash is harder to reproduce with the igb driver, but the same potential problem exists as the code is identical to igc) Fixes: 7cc6fd4c60f2 ("igb: Don't bother clearing Tx buffer_info in igb_clean_tx_ring") Signed-off-by: Vinicius Costa Gomes <vinicius.gomes(a)intel.com> Reported-by: Erez Geva <erez.geva.ext(a)siemens.com> Tested-by: Tony Brelinski <tonyx.brelinski(a)intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen(a)intel.com> Signed-off-by: dengquan <dengquan9(a)huawei.com> --- drivers/net/ethernet/intel/igb/igb_main.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c index 6d9b8e81b44d..e54f1c033c60 100644 --- a/drivers/net/ethernet/intel/igb/igb_main.c +++ b/drivers/net/ethernet/intel/igb/igb_main.c @@ -4684,6 +4684,8 @@ static void igb_clean_tx_ring(struct igb_ring *tx_ring) DMA_TO_DEVICE); } + tx_buffer->next_to_watch = NULL; + /* move us one more past the eop_desc for start of next pkt */ tx_buffer++; i++; -- 2.25.1
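Review bot: the added tx_buffer->next_to_watch = NULL; in igb_clean_tx_ring() carries no comment, and the Fixes: commit is titled "Don't bother clearing Tx buffer_info in igb_clean_tx_ring", so the line looks like something a later cleanup would drop again. A one-line comment saying that igb_poll() can run during reset and must not see a stale descriptor pointer would prevent that. The post is from liwei but the last Signed-off-by is dengquan; the submitter's own sign-off is missing from the chain.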
[PATCH OLK-5.10] cvm: enhance security for cvm host feature
by Ju Fu 07 Jun '24

virtcca inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9TM0T -------------------------------- enhance security for cvm host feature Signed-off-by: Ju Fu <fuju1(a)huawei.com> --- arch/arm64/include/asm/kvm_emulate.h | 4 +++- arch/arm64/include/asm/kvm_tmi.h | 32 +--------------------------- arch/arm64/include/asm/kvm_tmm.h | 2 +- arch/arm64/kvm/cvm.c | 12 ++++++++--- drivers/irqchip/irq-gic-v3-its.c | 2 +- 5 files changed, 15 insertions(+), 37 deletions(-) diff --git a/arch/arm64/include/asm/kvm_emulate.h b/arch/arm64/include/asm/kvm_emulate.h index 540563623..1271df56c 100644 --- a/arch/arm64/include/asm/kvm_emulate.h +++ b/arch/arm64/include/asm/kvm_emulate.h @@ -571,7 +571,9 @@ static inline enum cvm_state kvm_cvm_state(struct kvm *kvm) { struct cvm *cvm = kvm->arch.cvm; - return cvm && READ_ONCE(cvm->state); + if (!cvm) + return 0; + return READ_ONCE(cvm->state); } #endif #endif /* __ARM64_KVM_EMULATE_H__ */ diff --git a/arch/arm64/include/asm/kvm_tmi.h b/arch/arm64/include/asm/kvm_tmi.h index 536594017..5dcc5d83f 100644 --- a/arch/arm64/include/asm/kvm_tmi.h +++ b/arch/arm64/include/asm/kvm_tmi.h @@ -18,22 +18,6 @@ #define TMM_TTT_LEVEL_2 2 #define TMM_TTT_LEVEL_3 3 -#ifdef CONFIG_CVM_HOST_FVP_PLAT -#define CVM_MEM_BASE ULL(0x8800000000) /* choose FVP platform to run cVM */ -#define VQ_NUM 3 -#else -#define CVM_MEM_BASE ULL(0x800000000) /* choose qemu platform to run cVM */ -#define VQ_NUM 3 -#endif - -#define MEM_SEG_NUMS 2 - -/* define in QEMU hw/arm/virt.c */ -#define VIRT_PCIE_MMIO 0x10000000 /* 256MB */ -#define VIRT_PCIE_MMIO_SIZE 0x1000000 /* 16MB */ -#define VIRT_HIGH_PCIE_ECAM 0x8000000000 /* 512GB */ -#define VIRT_HIGH_PCIE_ECAM_SIZE 0x12000000 /* 288MB */ - /* TMI error codes. */ #define TMI_SUCCESS 0 #define TMI_ERROR_INPUT 1 
@@ -264,7 +248,7 @@ struct tmi_tec_run { #define TMI_ABI_VERSION_GET_MAJOR(_version) ((_version) >> 16) #define TMI_ABI_VERSION_GET_MINOR(_version) ((_version) & 0xFFFF) -#define TMI_ABI_VERSION_MAJOR U(0x0) +#define TMI_ABI_VERSION_MAJOR U(0x1) /* KVM_CAP_ARM_TMM on VM fd */ #define KVM_CAP_ARM_TMM_CONFIG_CVM_HOST 0 @@ -330,20 +314,6 @@ struct kvm_cap_arm_tmm_populate_region_args { __u32 reserved[3]; }; -enum tmi_tmm_mem_type { - TMM_MEM_TYPE_RD, - TMM_MEM_TYPE_TEC, - TMM_MEM_TYPE_TTT, - TMM_MEM_TYPE_CVM_PA, -}; - -enum tmi_tmm_map_size { - TMM_MEM_MAP_SIZE_4K, - TMM_MEM_MAP_SIZE_2M, - TMM_MEM_MAP_SIZE_1G, - TMM_MEM_MAP_SIZE_MAX, -}; - static inline bool tmm_is_addr_ttt_level_aligned(uint64_t addr, int level) { uint64_t mask = (1 << (12 + 9 * (3 - level))) - 1; diff --git a/arch/arm64/include/asm/kvm_tmm.h b/arch/arm64/include/asm/kvm_tmm.h index 88fa0873c..8cc7a35c9 100644 --- a/arch/arm64/include/asm/kvm_tmm.h +++ b/arch/arm64/include/asm/kvm_tmm.h @@ -8,7 +8,7 @@ #include <uapi/linux/kvm.h> enum cvm_state { - CVM_STATE_NONE, + CVM_STATE_NONE = 1, CVM_STATE_NEW, CVM_STATE_ACTIVE, CVM_STATE_DYING diff --git a/arch/arm64/kvm/cvm.c b/arch/arm64/kvm/cvm.c index 70521fec8..8c428597b 100644 --- a/arch/arm64/kvm/cvm.c +++ b/arch/arm64/kvm/cvm.c @@ -181,8 +181,9 @@ int kvm_arm_create_cvm(struct kvm *kvm) memcpy(cvm->params->rpv, &cvm->cvm_vmid, sizeof(cvm->cvm_vmid)); cvm->rd = tmi_cvm_create(__pa(cvm->params), numa_set); if (!cvm->rd) { - kvm_err("KVM creates cVM: %d\n", cvm->cvm_vmid); + kvm_err("KVM creates cVM failed: %d\n", cvm->cvm_vmid); ret = -ENOMEM; + goto out; } WRITE_ONCE(cvm->state, CVM_STATE_NEW); @@ -341,7 +342,7 @@ int kvm_cvm_populate_par_region(struct kvm *kvm, u64 numa_set, */ ipa = ALIGN_DOWN(ipa, map_size); - if (is_data_create_region(ipa_base, args)) { + if (is_data_create_region(ipa, args)) { pfn = gfn_to_pfn_memslot(memslot, gpa_to_gfn(ipa)); if (is_error_pfn(pfn)) { ret = -EFAULT; 
@@ -602,6 +603,7 @@ static int kvm_populate_ram_region(struct kvm *kvm, u64 map_size, static int kvm_populate_ipa_cvm_range(struct kvm *kvm, struct kvm_cap_arm_tmm_populate_region_args *args) { + struct cvm *cvm = (struct cvm *)kvm->arch.cvm; u64 l2_granule = cvm_granule_size(TMM_TTT_LEVEL_2); phys_addr_t ipa_base1, ipa_end2; @@ -612,7 +614,10 @@ static int kvm_populate_ipa_cvm_range(struct kvm *kvm, !IS_ALIGNED(args->populate_ipa_base2, PAGE_SIZE) || !IS_ALIGNED(args->populate_ipa_size2, PAGE_SIZE)) return -EINVAL; - if (args->populate_ipa_base2 < args->populate_ipa_base1 + args->populate_ipa_size1) + + if (args->populate_ipa_base1 < cvm->loader_start || + args->populate_ipa_base2 < args->populate_ipa_base1 + args->populate_ipa_size1 || + cvm->dtb_end < args->populate_ipa_base2 + args->populate_ipa_size2) return -EINVAL; if (args->flags & ~TMI_MEASURE_CONTENT) @@ -871,6 +876,7 @@ int kvm_init_cvm_vm(struct kvm *kvm) return -ENOMEM; cvm->params = params; + WRITE_ONCE(cvm->state, CVM_STATE_NONE); return 0; } diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c index 2c2f23f35..153930d01 100644 --- a/drivers/irqchip/irq-gic-v3-its.c +++ b/drivers/irqchip/irq-gic-v3-its.c @@ -2905,7 +2905,7 @@ static void its_free_tables(struct its_node *its) for (i = 0; i < GITS_BASER_NR_REGS; i++) { if (its->tables[i].base) { #ifdef CONFIG_CVM_GUEST - if (!is_cvm_world()) + if (is_cvm_world()) its_free_shared_pages(its->tables[i].base, its->tables[i].order); else -- 2.25.1.windows.1
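Review bot: in kvm_populate_ipa_cvm_range(), the new bounds test adds args->populate_ipa_base1 + args->populate_ipa_size1 and args->populate_ipa_base2 + args->populate_ipa_size2 with no wraparound check, so a large size can make the sum wrap below cvm->dtb_end and pass the test. Use check_add_overflow(), or compare size against limit - base, before the range comparison. The function also dereferences cvm (kvm->arch.cvm) without a NULL check, although kvm_cvm_state() in the same patch treats a NULL cvm as possible.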
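Review bot: the changelog says only "enhance security for cvm host feature", while the diff bumps TMI_ABI_VERSION_MAJOR from 0x0 to 0x1, renumbers enum cvm_state, removes the platform macros and two enums from kvm_tmi.h, and inverts the is_cvm_world() test in its_free_tables(). Each of these needs a line of rationale. The its_free_tables() inversion in particular reads as an independent bug fix and would be easier to review and backport as its own patch.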
[openeuler:OLK-6.6] BUILD REGRESSION 59d9c906473fa92a8dc7a1b0c8e05046883fbed4
by kernel test robot 07 Jun '24

tree/branch: https://gitee.com/openeuler/kernel.git OLK-6.6
branch HEAD: 59d9c906473fa92a8dc7a1b0c8e05046883fbed4  !8750 ubifs: Check @c->dirty_[n|p

Error/Warning ids grouped by kconfigs:

gcc_recent_errors
|-- arm64-defconfig
|   |-- arch-arm64-kernel-cpufeature.c:warning:enable_pseudo_nmi-defined-but-not-used
|   `-- arch-arm64-kvm-vgic-vgic-mmio.c:warning:variable-is_pending-set-but-not-used
`-- loongarch-allnoconfig
    `-- drivers-irqchip-irq-loongson-eiointc.c:error:NODES_PER_FLATMODE_NODE-undeclared-(first-use-in-this-function)
clang_recent_errors
`-- arm64-allmodconfig
    `-- arch-arm64-kvm-vgic-vgic-mmio.c:warning:variable-is_pending-set-but-not-used

elapsed time: 1167m

configs tested: 10
configs skipped: 104

tested configs:
arm64      allmodconfig    clang
arm64      allnoconfig     gcc
arm64      defconfig       gcc
loongarch  allmodconfig    gcc
loongarch  allnoconfig     gcc
loongarch  defconfig       gcc
x86_64     allnoconfig     clang
x86_64     allyesconfig    clang
x86_64     defconfig       gcc
x86_64     rhel-8.3-rust   clang

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
by Ziyang Xuan 07 Jun '24

From: Sungwoo Kim <iam(a)sung-woo.kim> stable inclusion from stable-v6.6.32 commit cfe560c7050bfb37b0d2491bbe7cd8b59e77fdc5 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RMPS CVE: CVE-2024-36013 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 4d7b41c0e43995b0e992b9f8903109275744b658 upstream. Extend a critical section to prevent chan from early freeing. Also make the l2cap_connect() return type void. Nothing is using the returned value but it is ugly to return a potentially freed pointer. Making it void will help with backports because earlier kernels did use the return value. Now the compile will break for kernels where this patch is not a complete fix. Call stack summary: [use] l2cap_bredr_sig_cmd l2cap_connect ┌ mutex_lock(&conn->chan_lock); │ chan = pchan->ops->new_connection(pchan); <- alloc chan │ __l2cap_chan_add(conn, chan); │ l2cap_chan_hold(chan); │ list_add(&chan->list, &conn->chan_l); ... (1) └ mutex_unlock(&conn->chan_lock); chan->conf_state ... (4) <- use after free [free] l2cap_conn_del ┌ mutex_lock(&conn->chan_lock); │ foreach chan in conn->chan_l: ... (2) │ l2cap_chan_put(chan); │ l2cap_chan_destroy │ kfree(chan) ... (3) <- chan freed └ mutex_unlock(&conn->chan_lock); ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: slab-use-after-free in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline] BUG: KASAN: slab-use-after-free in l2cap_connect+0xa67/0x11a0 net/bluetooth/l2cap_core.c:4260 Read of size 8 at addr ffff88810bf040a0 by task kworker/u3:1/311 Fixes: 73ffa904b782 ("Bluetooth: Move conf_{req,rsp} stuff to struct l2cap_chan") Signed-off-by: Sungwoo Kim <iam(a)sung-woo.kim> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> 
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Ziyang Xuan <william.xuanziyang(a)huawei.com> --- net/bluetooth/l2cap_core.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 706d2478ddb33..edf83e886b82e 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -3902,13 +3902,12 @@ static inline int l2cap_command_rej(struct l2cap_conn *conn, return 0; } -static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, - struct l2cap_cmd_hdr *cmd, - u8 *data, u8 rsp_code, u8 amp_id) +static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, + u8 *data, u8 rsp_code, u8 amp_id) { struct l2cap_conn_req *req = (struct l2cap_conn_req *) data; struct l2cap_conn_rsp rsp; - struct l2cap_chan *chan = NULL, *pchan; + struct l2cap_chan *chan = NULL, *pchan = NULL; int result, status = L2CAP_CS_NO_INFO; u16 dcid = 0, scid = __le16_to_cpu(req->scid); @@ -3921,7 +3920,7 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, &conn->hcon->dst, ACL_LINK); if (!pchan) { result = L2CAP_CR_BAD_PSM; - goto sendresp; + goto response; } mutex_lock(&conn->chan_lock); @@ -4008,17 +4007,15 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, } response: - l2cap_chan_unlock(pchan); - mutex_unlock(&conn->chan_lock); - l2cap_chan_put(pchan); - -sendresp: rsp.scid = cpu_to_le16(scid); rsp.dcid = cpu_to_le16(dcid); rsp.result = cpu_to_le16(result); rsp.status = cpu_to_le16(status); l2cap_send_cmd(conn, cmd->ident, rsp_code, sizeof(rsp), &rsp); + if (!pchan) + return; + if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) { struct l2cap_info_req info; info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK); 
@@ -4041,7 +4038,9 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn, chan->num_conf_req++; } - return chan; + l2cap_chan_unlock(pchan); + mutex_unlock(&conn->chan_lock); + l2cap_chan_put(pchan); } static int l2cap_connect_req(struct l2cap_conn *conn, -- 2.25.1
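Review bot: after the response: rework, l2cap_send_cmd() for the connect response and for the L2CAP_IT_FEAT_MASK info request runs with conn->chan_lock and the pchan lock still held, because the unlock and l2cap_chan_put(pchan) moved to the end of the function. Confirm that nothing reachable from those send paths takes either lock, and add a one-line comment at response: stating that the locks are held on purpose until the last use of chan, so the block is not moved back up later.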
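Review bot: l2cap_connect() becomes void in the first hunk, but the diff touches no caller (one file, every hunk inside l2cap_connect()), so every call site in the OLK-6.6 tree must already discard the return value. The changelog itself warns that kernels which still use the return value will stop compiling; stating in the submission that net/bluetooth builds with this applied would settle it.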
[PATCH OLK-6.6] ipv6: Fix potential uninit-value access in __ip6_make_skb()
by Zhengchao Shao 07 Jun '24

From: Shigeru Yoshida <syoshida(a)redhat.com> stable inclusion from stable-v6.6.31 commit 68c8ba16ab712eb709c6bab80ff151079d11d97a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UAZH CVE: CVE-2024-36903 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 4e13d3a9c25b7080f8a619f961e943fe08c2672c ] As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in __ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags instead of testing HDRINCL on the socket to avoid a race condition which causes uninit-value access. Fixes: ea30388baebc ("ipv6: Fix an uninit variable access bug in __ip6_make_skb()") Signed-off-by: Shigeru Yoshida <syoshida(a)redhat.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/ipv6/ip6_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 53fe1375b147..fba789cbd215 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -2003,7 +2003,7 @@ struct sk_buff *__ip6_make_skb(struct sock *sk, u8 icmp6_type; if (sk->sk_socket->type == SOCK_RAW && - !inet_test_bit(HDRINCL, sk)) + !(fl6->flowi6_flags & FLOWI_FLAG_KNOWN_NH)) icmp6_type = fl6->fl6_icmp_type; else icmp6_type = icmp6_hdr(skb)->icmp6_type; -- 2.34.1
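Review bot: the new test in __ip6_make_skb() depends on the raw-socket send path setting FLOWI_FLAG_KNOWN_NH in fl6->flowi6_flags, and this diff changes only the reader in net/ipv6/ip6_output.c. Confirm that the OLK-6.6 tree already sets the flag where hdrincl is sampled (the changelog cites commit fc1092f51567 as the IPv4 model); if it does not, the SOCK_RAW branch always takes fl6->fl6_icmp_type. A short comment on why the flow flag is tested instead of the socket bit would also help the next reader.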
[PATCH OLK-5.10] dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA
by Ze Zuo 07 Jun '24

From: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> stable inclusion from stable-v5.10.210 commit ae6769ba51417c1c86fb645812d5bff455eee802 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q99M CVE: CVE-2024-35833 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 3aa58cb51318e329d203857f7a191678e60bb714 ] This dma_alloc_coherent() is undone neither in the remove function, nor in the error handling path of fsl_qdma_probe(). Switch to the managed version to fix both issues. Fixes: b092529e0aa0 ("dmaengine: fsl-qdma: Add qDMA controller driver for Layerscape SoCs") Signed-off-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Link: https://lore.kernel.org/r/7f66aa14f59d32b13672dde28602b47deb294e1f.17046215… Signed-off-by: Vinod Koul <vkoul(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Ze Zuo <zuoze1(a)huawei.com> --- drivers/dma/fsl-qdma.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/dma/fsl-qdma.c b/drivers/dma/fsl-qdma.c index a59d0e743af2..bc0830de08b4 100644 --- a/drivers/dma/fsl-qdma.c +++ b/drivers/dma/fsl-qdma.c @@ -514,11 +514,11 @@ static struct fsl_qdma_queue queue_temp = queue_head + i + (j * queue_num); queue_temp->cq = - dma_alloc_coherent(&pdev->dev, - sizeof(struct fsl_qdma_format) * - queue_size[i], - &queue_temp->bus_addr, - GFP_KERNEL); + dmam_alloc_coherent(&pdev->dev, + sizeof(struct fsl_qdma_format) * + queue_size[i], + &queue_temp->bus_addr, + GFP_KERNEL); if (!queue_temp->cq) return NULL; queue_temp->block_base = fsl_qdma->block_base + -- 2.25.1
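Review bot: switching queue_temp->cq to dmam_alloc_coherent() is only correct if nothing frees that buffer by hand, and the diff changes the allocation alone. Check the OLK-5.10 copy of drivers/dma/fsl-qdma.c for any dma_free_coherent() on cq or bus_addr in the probe error path or the remove function, since such a call would now free memory that devres also releases.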