- Kernel - mailweb.openeuler.org

[openeuler:openEuler-1.0-LTS 15383/23901] fs/proc/etmem_scan.c:823: undefined reference to `kvm_flush_remote_tlbs'
by kernel test robot 29 Oct '24

29 Oct '24

tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 7b2baa68ab7f9f7fc4023e8121ddb050b2e45f30 commit: bad4d8833739acc8eef306e7ad5c7877f9f4f0fb [15383/23901] etmem: add etmem-scan feature config: x86_64-randconfig-072-20241029 (https://download.01.org/0day-ci/archive/20241029/202410291925.OMbLBBuG-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241029/202410291925.OMbLBBuG-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202410291925.OMbLBBuG-lkp@intel.com/ All errors (new ones prefixed by >>): ld: warning: arch/x86/lib/csum-copy_64.o: missing .note.GNU-stack section implies executable stack ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker ld: warning: arch/x86/lib/csum-copy_64.o: missing .note.GNU-stack section implies executable stack ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker ld: warning: .tmp_vmlinux1 has a LOAD segment with RWX permissions ld: fs/proc/etmem_scan.o: in function `page_scan_release': >> fs/proc/etmem_scan.c:823: undefined reference to `kvm_flush_remote_tlbs' vim +823 fs/proc/etmem_scan.c 804 805 static int page_scan_release(struct inode *inode, struct file *file) 806 { 807 struct mm_struct *mm = file->private_data; 808 struct kvm *kvm; 809 int ret = 0; 810 811 if (!mm) { 812 ret = -EBADF; 813 goto out; 814 } 815 816 kvm = mm_kvm(mm); 817 if (!kvm) { 818 ret = -EINVAL; 819 goto out; 820 } 821 #ifdef CONFIG_X86_64 822 spin_lock(&kvm->mmu_lock); > 823 kvm_flush_remote_tlbs(kvm); 824 spin_unlock(&kvm->mmu_lock); 825 #endif 826 827 out: 828 module_put(THIS_MODULE); 829 return ret; 830 } 831 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()
by Li Huafei 29 Oct '24

29 Oct '24

From: Elena Salomatkina <esalomatkina(a)ispras.ru> stable inclusion from stable-v6.6.55 commit 0168ab6fbd9e50d20b97486168b604b2ab28a2ca category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRB1 CVE: CVE-2024-50000 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit f25389e779500cf4a59ef9804534237841bce536 ] In mlx5e_tir_builder_alloc() kvzalloc() may return NULL which is dereferenced on the next line in a reference to the modify field. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: a6696735d694 ("net/mlx5e: Convert TIR to a dedicated object") Signed-off-by: Elena Salomatkina <esalomatkina(a)ispras.ru> Reviewed-by: Simon Horman <horms(a)kernel.org> Reviewed-by: Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> Reviewed-by: Tariq Toukan <tariqt(a)nvidia.com> Reviewed-by: Gal Pressman <gal(a)nvidia.com> Signed-off-by: Saeed Mahameed <saeedm(a)nvidia.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Li Huafei <lihuafei1(a)huawei.com> --- drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c index d4239e3b3c88..11f724ad90db 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c @@ -23,6 +23,9 @@ struct mlx5e_tir_builder *mlx5e_tir_builder_alloc(bool modify) struct mlx5e_tir_builder *builder; builder = kvzalloc(sizeof(*builder), GFP_KERNEL); + if (!builder) + return NULL; + builder->modify = modify; return builder; -- 2.25.1

2 1

[PATCH OLK-6.6] ocfs2: remove unreasonable unlock in ocfs2_read_blocks
by Tong Tiangen 29 Oct '24

29 Oct '24

From: Lizhi Xu <lizhi.xu(a)windriver.com> stable inclusion from stable-v6.6.55 commit 84543da867c967edffd5065fa910ebf56aaae49d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRCH CVE: CVE-2024-49965 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit c03a82b4a0c935774afa01fd6d128b444fd930a1 upstream. Patch series "Misc fixes for ocfs2_read_blocks", v5. This series contains 2 fixes for ocfs2_read_blocks(). The first patch fix the issue reported by syzbot, which detects bad unlock balance in ocfs2_read_blocks(). The second patch fixes an issue reported by Heming Zhao when reviewing above fix. This patch (of 2): There was a lock release before exiting, so remove the unreasonable unlock. Link: https://lkml.kernel.org/r/20240902023636.1843422-1-joseph.qi@linux.alibaba.… Link: https://lkml.kernel.org/r/20240902023636.1843422-2-joseph.qi@linux.alibaba.… Fixes: cf76c78595ca ("ocfs2: don't put and assigning null to bh allocated outside") Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Signed-off-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reviewed-by: Heming Zhao <heming.zhao(a)suse.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reported-by: syzbot+ab134185af9ef88dfed5(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ab134185af9ef88dfed5 Tested-by: syzbot+ab134185af9ef88dfed5(a)syzkaller.appspotmail.com Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> [4.20+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Tong Tiangen <tongtiangen(a)huawei.com> --- fs/ocfs2/buffer_head_io.c | 1 - 1 file changed, 1 deletion(-) diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c index 196638a22b48..a71b40065e8b 100644 --- a/fs/ocfs2/buffer_head_io.c +++ b/fs/ocfs2/buffer_head_io.c @@ -235,7 +235,6 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, if (bhs[i] == NULL) { bhs[i] = sb_getblk(sb, block++); if (bhs[i] == NULL) { - ocfs2_metadata_cache_io_unlock(ci); status = -ENOMEM; mlog_errno(status); /* Don't forget to put previous bh! */ -- 2.25.1

2 1

[PATCH OLK-5.10] ocfs2: remove unreasonable unlock in ocfs2_read_blocks
by Tong Tiangen 29 Oct '24

29 Oct '24

From: Lizhi Xu <lizhi.xu(a)windriver.com> stable inclusion from stable-v5.10.227 commit 3f1ca6ba5452d53c598a45d21267a2c0c221eef3 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRCH CVE: CVE-2024-49965 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit c03a82b4a0c935774afa01fd6d128b444fd930a1 upstream. Patch series "Misc fixes for ocfs2_read_blocks", v5. This series contains 2 fixes for ocfs2_read_blocks(). The first patch fix the issue reported by syzbot, which detects bad unlock balance in ocfs2_read_blocks(). The second patch fixes an issue reported by Heming Zhao when reviewing above fix. This patch (of 2): There was a lock release before exiting, so remove the unreasonable unlock. Link: https://lkml.kernel.org/r/20240902023636.1843422-1-joseph.qi@linux.alibaba.… Link: https://lkml.kernel.org/r/20240902023636.1843422-2-joseph.qi@linux.alibaba.… Fixes: cf76c78595ca ("ocfs2: don't put and assigning null to bh allocated outside") Signed-off-by: Lizhi Xu <lizhi.xu(a)windriver.com> Signed-off-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reviewed-by: Heming Zhao <heming.zhao(a)suse.com> Reviewed-by: Joseph Qi <joseph.qi(a)linux.alibaba.com> Reported-by: syzbot+ab134185af9ef88dfed5(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ab134185af9ef88dfed5 Tested-by: syzbot+ab134185af9ef88dfed5(a)syzkaller.appspotmail.com Cc: Mark Fasheh <mark(a)fasheh.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Changwei Ge <gechangwei(a)live.cn> Cc: Gang He <ghe(a)suse.com> Cc: Jun Piao <piaojun(a)huawei.com> Cc: <stable(a)vger.kernel.org> [4.20+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Tong Tiangen <tongtiangen(a)huawei.com> --- fs/ocfs2/buffer_head_io.c | 1 - 1 file changed, 1 deletion(-) diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c index f0b104e483d8..da24e8449f24 100644 --- a/fs/ocfs2/buffer_head_io.c +++ b/fs/ocfs2/buffer_head_io.c @@ -237,7 +237,6 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, if (bhs[i] == NULL) { bhs[i] = sb_getblk(sb, block++); if (bhs[i] == NULL) { - ocfs2_metadata_cache_io_unlock(ci); status = -ENOMEM; mlog_errno(status); /* Don't forget to put previous bh! */ -- 2.25.1

2 1

[openeuler:OLK-5.10 18685/30000] drivers/ub/urma/uburma/uburma_dev_ops.c:32:6: warning: no previous prototype for 'uburma_release_file'
by kernel test robot 29 Oct '24

29 Oct '24

Hi Yizhen, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 2d902497d466f0e7c448a2c6ad00878b549c2192 commit: cd637a6dded9c0dce5f8d79898bb25be2edb927a [18685/30000] ub: uburma support open/release file ops config: arm64-randconfig-003-20241029 (https://download.01.org/0day-ci/archive/20241029/202410291823.s7QZPUJc-lkp@…) compiler: aarch64-linux-gcc (GCC) 14.1.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241029/202410291823.s7QZPUJc-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202410291823.s7QZPUJc-lkp@intel.com/ All warnings (new ones prefixed by >>): >> drivers/ub/urma/uburma/uburma_dev_ops.c:32:6: warning: no previous prototype for 'uburma_release_file' [-Wmissing-prototypes] 32 | void uburma_release_file(struct kref *ref) | ^~~~~~~~~~~~~~~~~~~ >> drivers/ub/urma/uburma/uburma_dev_ops.c:49:5: warning: no previous prototype for 'uburma_open' [-Wmissing-prototypes] 49 | int uburma_open(struct inode *inode, struct file *filp) | ^~~~~~~~~~~ drivers/ub/urma/uburma/uburma_dev_ops.c: In function 'uburma_open': >> drivers/ub/urma/uburma/uburma_dev_ops.c:66:50: warning: the comparison will always evaluate as 'false' for the address of 'dev_name' will never be NULL [-Waddress] 66 | if (ubc_dev == NULL || ubc_dev->dev_name == NULL) { | ^~ In file included from drivers/ub/urma/uburma/uburma_dev_ops.c:25: include/urma/ubcore_types.h:1589:14: note: 'dev_name' declared here 1589 | char dev_name[UBCORE_MAX_DEV_NAME]; | ^~~~~~~~ drivers/ub/urma/uburma/uburma_dev_ops.c: At top level: >> drivers/ub/urma/uburma/uburma_dev_ops.c:102:5: warning: no previous prototype for 'uburma_close' [-Wmissing-prototypes] 102 | int uburma_close(struct inode *inode, struct file *filp) | ^~~~~~~~~~~~ vim +/uburma_release_file +32 drivers/ub/urma/uburma/uburma_dev_ops.c 31 > 32 void uburma_release_file(struct kref *ref) 33 { 34 struct uburma_file *file = container_of(ref, struct uburma_file, ref); 35 int srcu_idx; 36 37 srcu_idx = srcu_read_lock(&file->ubu_dev->ubc_dev_srcu); 38 srcu_dereference(file->ubu_dev->ubc_dev, &file->ubu_dev->ubc_dev_srcu); 39 40 srcu_read_unlock(&file->ubu_dev->ubc_dev_srcu, srcu_idx); 41 42 if (atomic_dec_and_test(&file->ubu_dev->refcnt)) 43 complete(&file->ubu_dev->comp); 44 45 kobject_put(&file->ubu_dev->kobj); 46 kfree(file); 47 } 48 > 49 int uburma_open(struct inode *inode, struct file *filp) 50 { 51 struct uburma_device *ubu_dev; 52 struct ubcore_device *ubc_dev; 53 struct uburma_file *file; 54 int srcu_idx; 55 int ret; 56 57 ubu_dev = container_of(inode->i_cdev, struct uburma_device, cdev); 58 if (!atomic_inc_not_zero(&ubu_dev->refcnt)) { 59 uburma_log_err("device was not ready.\n"); 60 return -ENXIO; 61 } 62 63 srcu_idx = srcu_read_lock(&ubu_dev->ubc_dev_srcu); 64 mutex_lock(&ubu_dev->lists_mutex); 65 ubc_dev = srcu_dereference(ubu_dev->ubc_dev, &ubu_dev->ubc_dev_srcu); > 66 if (ubc_dev == NULL || ubc_dev->dev_name == NULL) { 67 uburma_log_err("can not find ubcore device.\n"); 68 ret = EIO; 69 goto err; 70 } 71 72 file = kzalloc(sizeof(struct uburma_file), GFP_KERNEL); 73 if (!file) { 74 ret = -ENOMEM; 75 uburma_log_err("can not alloc memory.\n"); 76 goto err; 77 } 78 79 file->ubu_dev = ubu_dev; 80 file->ucontext = NULL; 81 kref_init(&file->ref); 82 mutex_init(&file->mutex); 83 filp->private_data = file; 84 85 list_add_tail(&file->list, &ubu_dev->uburma_file_list); 86 kobject_get(&ubu_dev->kobj); // Increase reference count for file. 87 88 mutex_unlock(&ubu_dev->lists_mutex); 89 srcu_read_unlock(&ubu_dev->ubc_dev_srcu, srcu_idx); 90 91 uburma_log_info("device: %s open succeed.\n", ubc_dev->dev_name); 92 return nonseekable_open(inode, filp); 93 94 err: 95 mutex_unlock(&ubu_dev->lists_mutex); 96 srcu_read_unlock(&ubu_dev->ubc_dev_srcu, srcu_idx); 97 if (atomic_dec_and_test(&ubu_dev->refcnt)) 98 complete(&ubu_dev->comp); 99 return ret; 100 } 101 > 102 int uburma_close(struct inode *inode, struct file *filp) -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-22.03-LTS-SP1] drm/amd/display: Fix index out of bounds in degamma hardware format translation
by Liu Chuang 29 Oct '24

29 Oct '24

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> stable inclusion from stable-v5.10.227 commit c130a3c09e3746c1a09ce26c20d21d449d039b1d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9A CVE: CVE-2024-49894 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit b7e99058eb2e86aabd7a10761e76cae33d22b49f ] Fixes index out of bounds issue in `cm_helper_translate_curve_to_degamma_hw_format` function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max Cc: Tom Chung <chiahsuan.chung(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Roman Li <roman.li(a)amd.com> Cc: Alex Hung <alex.hung(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c index bd9bc51983fe..da7aeb9c4632 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c @@ -560,6 +560,8 @@ bool cm_helper_translate_curve_to_degamma_hw_format( i += increment) { if (j == hw_points - 1) break; + if (i >= TRANSFER_FUNC_POINTS) + return false; rgb_resulted[j].red = output_tf->tf_pts.red[i]; rgb_resulted[j].green = output_tf->tf_pts.green[i]; rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; -- 2.34.1

2 1

[PATCH OLK-5.10] drm/amd/display: Fix index out of bounds in degamma hardware format translation
by Liu Chuang 29 Oct '24

29 Oct '24

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> stable inclusion from stable-v5.10.227 commit c130a3c09e3746c1a09ce26c20d21d449d039b1d category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9A CVE: CVE-2024-49894 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit b7e99058eb2e86aabd7a10761e76cae33d22b49f ] Fixes index out of bounds issue in `cm_helper_translate_curve_to_degamma_hw_format` function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max Cc: Tom Chung <chiahsuan.chung(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Roman Li <roman.li(a)amd.com> Cc: Alex Hung <alex.hung(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c index bd9bc51983fe..da7aeb9c4632 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c @@ -560,6 +560,8 @@ bool cm_helper_translate_curve_to_degamma_hw_format( i += increment) { if (j == hw_points - 1) break; + if (i >= TRANSFER_FUNC_POINTS) + return false; rgb_resulted[j].red = output_tf->tf_pts.red[i]; rgb_resulted[j].green = output_tf->tf_pts.green[i]; rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] drm/amd/display: Fix index out of bounds in degamma hardware format translation
by Liu Chuang 29 Oct '24

29 Oct '24

From: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> mainline inclusion from mainline-v6.12-rc1 commit b7e99058eb2e86aabd7a10761e76cae33d22b49f category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYR9A CVE: CVE-2024-49894 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- Fixes index out of bounds issue in `cm_helper_translate_curve_to_degamma_hw_format` function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds the function returns false to indicate an error. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max Cc: Tom Chung <chiahsuan.chung(a)amd.com> Cc: Rodrigo Siqueira <Rodrigo.Siqueira(a)amd.com> Cc: Roman Li <roman.li(a)amd.com> Cc: Alex Hung <alex.hung(a)amd.com> Cc: Aurabindo Pillai <aurabindo.pillai(a)amd.com> Cc: Harry Wentland <harry.wentland(a)amd.com> Cc: Hamza Mahfooz <hamza.mahfooz(a)amd.com> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam(a)amd.com> Reviewed-by: Tom Chung <chiahsuan.chung(a)amd.com> Signed-off-by: Alex Deucher <alexander.deucher(a)amd.com> Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com> --- drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c index 67a3ba49234e..ad4247061344 100644 --- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c +++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c @@ -482,6 +482,8 @@ bool cm_helper_translate_curve_to_degamma_hw_format( i += increment) { if (j == hw_points - 1) break; + if (i >= TRANSFER_FUNC_POINTS) + return false; rgb_resulted[j].red = output_tf->tf_pts.red[i]; rgb_resulted[j].green = output_tf->tf_pts.green[i]; rgb_resulted[j].blue = output_tf->tf_pts.blue[i]; -- 2.34.1

2 1

[PATCH OLK-5.10] selinux: fix potential counting error in avc_add_xperms_decision()
by Gu Bowen 29 Oct '24

29 Oct '24

From: Zhen Lei <thunder.leizhen(a)huawei.com> stable inclusion from stable-v5.10.225 commit bbcdda4b0d041fc1302d508321720d6d2c42d083 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB0J6P Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 379d9af3f3da2da1bbfa67baf1820c72a080d1f1 upstream. The count increases only when a node is successfully added to the linked list. Cc: stable(a)vger.kernel.org Fixes: fa1aa143ac4a ("selinux: extended permissions for ioctls") Signed-off-by: Zhen Lei <thunder.leizhen(a)huawei.com> Acked-by: Stephen Smalley <stephen.smalley.work(a)gmail.com> Signed-off-by: Paul Moore <paul(a)paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- security/selinux/avc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 884a014ce2b8..ab71d0948205 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -332,12 +332,12 @@ static int avc_add_xperms_decision(struct avc_node *node, { struct avc_xperms_decision_node *dest_xpd; - node->ae.xp_node->xp.len++; dest_xpd = avc_xperms_decision_alloc(src->used); if (!dest_xpd) return -ENOMEM; avc_copy_xperms_decision(&dest_xpd->xpd, src); list_add(&dest_xpd->xpd_list, &node->ae.xp_node->xpd_head); + node->ae.xp_node->xp.len++; return 0; } -- 2.25.1

2 1

[PATCH OLK-5.10] randomize_kstack: Improve entropy diffusion
by Gu Bowen 29 Oct '24

29 Oct '24

From: Kees Cook <keescook(a)chromium.org> stable inclusion from stable-v6.6.27 commit 300a2b9c2b28282974ee300bb5d5025cbbb1f64c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB0K55 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 9c573cd313433f6c1f7236fe64b9b743500c1628 ] The kstack_offset variable was really only ever using the low bits for kernel stack offset entropy. Add a ror32() to increase bit diffusion. Suggested-by: Arnd Bergmann <arnd(a)arndb.de> Fixes: 39218ff4c625 ("stack: Optionally randomize kernel stack offset each syscall") Link: https://lore.kernel.org/r/20240309202445.work.165-kees@kernel.org Signed-off-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Gu Bowen <gubowen5(a)huawei.com> --- include/linux/randomize_kstack.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/randomize_kstack.h b/include/linux/randomize_kstack.h index 91f1b990a3c3..2cfdc53f01f7 100644 --- a/include/linux/randomize_kstack.h +++ b/include/linux/randomize_kstack.h @@ -47,7 +47,7 @@ void *__builtin_alloca(size_t size); if (static_branch_maybe(CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT, \ &randomize_kstack_offset)) { \ u32 offset = raw_cpu_read(kstack_offset); \ - offset ^= (rand); \ + offset = ror32(offset, 5) ^ (rand); \ raw_cpu_write(kstack_offset, offset); \ } \ } while (0) -- 2.25.1

2 1