- Kernel - mailweb.openeuler.org

[PATCH openEuler-1.0-LTS] x86/boot: Ignore relocations in .notes sections in walk_relocs() too
by Xiongfeng Wang 29 Aug '24

29 Aug '24

From: Guixiong Wei <weiguixiong(a)bytedance.com> stable inclusion from stable-v4.19.319 commit 2487db16d4b9faead07b7825d33294e9e783791d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IAMXCL CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… --------------------------- [ Upstream commit 76e9762d66373354b45c33b60e9a53ef2a3c5ff2 ] Commit: aaa8736370db ("x86, relocs: Ignore relocations in .notes section") ... only started ignoring the .notes sections in print_absolute_relocs(), but the same logic should also by applied in walk_relocs() to avoid such relocations. [ mingo: Fixed various typos in the changelog, removed extra curly braces from the code. ] Fixes: aaa8736370db ("x86, relocs: Ignore relocations in .notes section") Fixes: 5ead97c84fa7 ("xen: Core Xen implementation") Fixes: da1a679cde9b ("Add /sys/kernel/notes") Signed-off-by: Guixiong Wei <weiguixiong(a)bytedance.com> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Reviewed-by: Kees Cook <keescook(a)chromium.org> Link: https://lore.kernel.org/r/20240317150547.24910-1-weiguixiong@bytedance.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> --- arch/x86/tools/relocs.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c index 3a6c8ebc8032..64c8a95cfea8 100644 --- a/arch/x86/tools/relocs.c +++ b/arch/x86/tools/relocs.c @@ -664,6 +664,15 @@ static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel, if (!(sec_applies->shdr.sh_flags & SHF_ALLOC)) { continue; } + + /* + * Do not perform relocations in .notes sections; any + * values there are meant for pre-boot consumption (e.g. + * startup_xen). + */ + if (sec_applies->shdr.sh_type == SHT_NOTE) + continue; + sh_symtab = sec_symtab->symtab; sym_strtab = sec_symtab->link->strtab; for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) { -- 2.20.1

2 1

[PATCH OLK-6.6] nvme: apple: fix device reference counting
by Liu Shixin 29 Aug '24

29 Aug '24

From: Keith Busch <kbusch(a)kernel.org> mainline inclusion from mainline-v6.11-rc1 commit b9ecbfa45516182cd062fecd286db7907ba84210 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAMMBA CVE: CVE-2024-43913 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Drivers must call nvme_uninit_ctrl after a successful nvme_init_ctrl. Split the allocation side out to make the error handling boundary easier to navigate. The apple driver had been doing this wrong, leaking the controller device memory on a tagset failure. Reviewed-by: Christoph Hellwig <hch(a)lst.de> Reviewed-by: Chaitanya Kulkarni <kch(a)nvidia.com> Signed-off-by: Keith Busch <kbusch(a)kernel.org> Conflicts: drivers/nvme/host/apple.c [ Conflicts because blk_mq_init_queue due to commit 9ac4dd8c47d5 ("block: pass a queue_limits argument to blk_mq_init_queue") ] Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> --- drivers/nvme/host/apple.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/drivers/nvme/host/apple.c b/drivers/nvme/host/apple.c index 596bb11eeba5..396eb9437659 100644 --- a/drivers/nvme/host/apple.c +++ b/drivers/nvme/host/apple.c @@ -1387,7 +1387,7 @@ static void devm_apple_nvme_mempool_destroy(void *data) mempool_destroy(data); } -static int apple_nvme_probe(struct platform_device *pdev) +static struct apple_nvme *apple_nvme_alloc(struct platform_device *pdev) { struct device *dev = &pdev->dev; struct apple_nvme *anv; @@ -1395,7 +1395,7 @@ static int apple_nvme_probe(struct platform_device *pdev) anv = devm_kzalloc(dev, sizeof(*anv), GFP_KERNEL); if (!anv) - return -ENOMEM; + return ERR_PTR(-ENOMEM); anv->dev = get_device(dev); anv->adminq.is_adminq = true; @@ -1515,10 +1515,26 @@ static int apple_nvme_probe(struct platform_device *pdev) goto put_dev; } + return anv; +put_dev: + put_device(anv->dev); + return ERR_PTR(ret); +} + +static int apple_nvme_probe(struct platform_device *pdev) +{ + struct apple_nvme *anv; + int ret; + + anv = apple_nvme_alloc(pdev); + if (IS_ERR(anv)) + return PTR_ERR(anv); + anv->ctrl.admin_q = blk_mq_init_queue(&anv->admin_tagset); if (IS_ERR(anv->ctrl.admin_q)) { ret = -ENOMEM; - goto put_dev; + anv->ctrl.admin_q = NULL; + goto out_uninit_ctrl; } nvme_reset_ctrl(&anv->ctrl); @@ -1526,8 +1542,9 @@ static int apple_nvme_probe(struct platform_device *pdev) return 0; -put_dev: - put_device(anv->dev); +out_uninit_ctrl: + nvme_uninit_ctrl(&anv->ctrl); + nvme_put_ctrl(&anv->ctrl); return ret; } -- 2.25.1

2 1

[openeuler:OLK-5.10 29859/30000] drivers/usb/dwc2/core_intr.c:404:22: error: 'struct dwc2_hsotg' has no member named 'bus_suspended'
by kernel test robot 29 Aug '24

29 Aug '24

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: 9c002e226526016292b0c1d3dbed7ebc4e3e71d6 commit: cae57e806b90cecf7f322a6a37de4fb422f1ea60 [29859/30000] usb: dwc2: gadget: LPM flow fix config: x86_64-randconfig-101-20240829 (https://download.01.org/0day-ci/archive/20240829/202408291511.CoEgpYo7-lkp@…) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240829/202408291511.CoEgpYo7-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202408291511.CoEgpYo7-lkp@intel.com/ All errors (new ones prefixed by >>): drivers/usb/dwc2/core_intr.c: In function 'dwc2_wakeup_from_lpm_l1': >> drivers/usb/dwc2/core_intr.c:404:22: error: 'struct dwc2_hsotg' has no member named 'bus_suspended' 404 | hsotg->bus_suspended = false; | ^~ vim +404 drivers/usb/dwc2/core_intr.c 340 341 /** 342 * dwc2_wakeup_from_lpm_l1 - Exit the device from LPM L1 state 343 * 344 * @hsotg: Programming view of DWC_otg controller 345 * 346 */ 347 void dwc2_wakeup_from_lpm_l1(struct dwc2_hsotg *hsotg, bool remotewakeup) 348 { 349 u32 glpmcfg; 350 u32 pcgctl; 351 u32 dctl; 352 353 if (hsotg->lx_state != DWC2_L1) { 354 dev_err(hsotg->dev, "Core isn't in DWC2_L1 state\n"); 355 return; 356 } 357 358 glpmcfg = dwc2_readl(hsotg, GLPMCFG); 359 if (dwc2_is_device_mode(hsotg)) { 360 dev_dbg(hsotg->dev, "Exit from L1 state, remotewakeup=%d\n", remotewakeup); 361 glpmcfg &= ~GLPMCFG_ENBLSLPM; 362 glpmcfg &= ~GLPMCFG_HIRD_THRES_MASK; 363 dwc2_writel(hsotg, glpmcfg, GLPMCFG); 364 365 pcgctl = dwc2_readl(hsotg, PCGCTL); 366 pcgctl &= ~PCGCTL_ENBL_SLEEP_GATING; 367 dwc2_writel(hsotg, pcgctl, PCGCTL); 368 369 glpmcfg = dwc2_readl(hsotg, GLPMCFG); 370 if (glpmcfg & GLPMCFG_ENBESL) { 371 glpmcfg |= GLPMCFG_RSTRSLPSTS; 372 dwc2_writel(hsotg, glpmcfg, GLPMCFG); 373 } 374 375 if (remotewakeup) { 376 if (dwc2_hsotg_wait_bit_set(hsotg, GLPMCFG, GLPMCFG_L1RESUMEOK, 1000)) { 377 dev_warn(hsotg->dev, "%s: timeout GLPMCFG_L1RESUMEOK\n", __func__); 378 goto fail; 379 return; 380 } 381 382 dctl = dwc2_readl(hsotg, DCTL); 383 dctl |= DCTL_RMTWKUPSIG; 384 dwc2_writel(hsotg, dctl, DCTL); 385 386 if (dwc2_hsotg_wait_bit_set(hsotg, GINTSTS, GINTSTS_WKUPINT, 1000)) { 387 dev_warn(hsotg->dev, "%s: timeout GINTSTS_WKUPINT\n", __func__); 388 goto fail; 389 return; 390 } 391 } 392 393 glpmcfg = dwc2_readl(hsotg, GLPMCFG); 394 if (glpmcfg & GLPMCFG_COREL1RES_MASK || glpmcfg & GLPMCFG_SLPSTS || 395 glpmcfg & GLPMCFG_L1RESUMEOK) { 396 goto fail; 397 return; 398 } 399 400 /* Inform gadget to exit from L1 */ 401 call_gadget(hsotg, resume); 402 /* Change to L0 state */ 403 hsotg->lx_state = DWC2_L0; > 404 hsotg->bus_suspended = false; 405 fail: dwc2_gadget_init_lpm(hsotg); 406 } else { 407 /* TODO */ 408 dev_err(hsotg->dev, "Host side LPM is not supported.\n"); 409 return; 410 } 411 } 412 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-6.6] tools/perf: fix use-after-free issue
by Li Huafei 29 Aug '24

29 Aug '24

stable inclusion from stable-v6.6.33 commit 39cfce75168c11421d70b8c0c65f6133edccb82a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6SIE CVE: CVE-2024-38581 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 948255282074d9367e01908b3f5dcf8c10fc9c3d ] Delete fence fallback timer to fix the ramdom use-after-free issue. v2: move to amdgpu_mes.c Signed-off-by: Li Huafei <lihuafei1(a)huawei.com> --- tools/perf/builtin-ftrace.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/perf/builtin-ftrace.c b/tools/perf/builtin-ftrace.c index ac2e6c75f912..b19fd7b32add 100644 --- a/tools/perf/builtin-ftrace.c +++ b/tools/perf/builtin-ftrace.c @@ -44,6 +44,8 @@ static void sig_handler(int sig __maybe_unused) done = true; } +static unsigned long long test; + /* * evlist__prepare_workload will send a SIGUSR1 if the fork fails, since * we asked by setting its exec_error to the function below, -- 2.25.1

2 1

[PATCH openEuler-22.03-LTS-SP1] net: bridge: mcast: wait for previous gc cycles when removing port
by Zhengchao Shao 29 Aug '24

29 Aug '24

From: Nikolay Aleksandrov <razor(a)blackwall.org> mainline inclusion from mainline-v6.11-rc3 commit 92c4ee25208d0f35dafc3213cdf355fbe449e078 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAMMBI CVE: CVE-2024-44934 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------------------------------- syzbot hit a use-after-free[1] which is caused because the bridge doesn't make sure that all previous garbage has been collected when removing a port. What happens is: CPU 1 CPU 2 start gc cycle remove port acquire gc lock first wait for lock call br_multicasg_gc() directly acquire lock now but free port the port can be freed while grp timers still running Make sure all previous gc cycles have finished by using flush_work before freeing the port. [1] BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699 CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1843 [inline] __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417 __run_timer_base kernel/time/timer.c:2428 [inline] __run_timer_base kernel/time/timer.c:2421 [inline] run_timer_base+0x111/0x190 kernel/time/timer.c:2437 Reported-by: syzbot+263426984509be19c9a0(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=263426984509be19c9a0 Fixes: e12cec65b554 ("net: bridge: mcast: destroy all entries via gc") Signed-off-by: Nikolay Aleksandrov <razor(a)blackwall.org> Link: https://patch.msgid.link/20240802080730.3206303-1-razor@blackwall.org Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/bridge/br_multicast.c [The conflict occurs because the commit 9632233e7de8("net: bridge: multicast: factor out port multicast context") is not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/bridge/br_multicast.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index de79fbfe1611..aa0a413b5cc0 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -1618,16 +1618,14 @@ void br_multicast_del_port(struct net_bridge_port *port) { struct net_bridge *br = port->br; struct net_bridge_port_group *pg; - HLIST_HEAD(deleted_head); struct hlist_node *n; /* Take care of the remaining groups, only perm ones should be left */ spin_lock_bh(&br->multicast_lock); hlist_for_each_entry_safe(pg, n, &port->mglist, mglist) br_multicast_find_del_pg(br, pg); - hlist_move_list(&br->mcast_gc_list, &deleted_head); spin_unlock_bh(&br->multicast_lock); - br_multicast_gc(&deleted_head); + flush_work(&br->mcast_gc_work); del_timer_sync(&port->multicast_router_timer); free_percpu(port->mcast_stats); } -- 2.34.1

2 1

[PATCH OLK-5.10] net: bridge: mcast: wait for previous gc cycles when removing port
by Zhengchao Shao 29 Aug '24

29 Aug '24

From: Nikolay Aleksandrov <razor(a)blackwall.org> mainline inclusion from mainline-v6.11-rc3 commit 92c4ee25208d0f35dafc3213cdf355fbe449e078 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAMMBI CVE: CVE-2024-44934 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… ------------------------------------------- syzbot hit a use-after-free[1] which is caused because the bridge doesn't make sure that all previous garbage has been collected when removing a port. What happens is: CPU 1 CPU 2 start gc cycle remove port acquire gc lock first wait for lock call br_multicasg_gc() directly acquire lock now but free port the port can be freed while grp timers still running Make sure all previous gc cycles have finished by using flush_work before freeing the port. [1] BUG: KASAN: slab-use-after-free in br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 Read of size 8 at addr ffff888071d6d000 by task syz.5.1232/9699 CPU: 1 PID: 9699 Comm: syz.5.1232 Not tainted 6.10.0-rc5-syzkaller-00021-g24ca36a562d6 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 br_multicast_port_group_expired+0x4c0/0x550 net/bridge/br_multicast.c:861 call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1843 [inline] __run_timers+0x74b/0xaf0 kernel/time/timer.c:2417 __run_timer_base kernel/time/timer.c:2428 [inline] __run_timer_base kernel/time/timer.c:2421 [inline] run_timer_base+0x111/0x190 kernel/time/timer.c:2437 Reported-by: syzbot+263426984509be19c9a0(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=263426984509be19c9a0 Fixes: e12cec65b554 ("net: bridge: mcast: destroy all entries via gc") Signed-off-by: Nikolay Aleksandrov <razor(a)blackwall.org> Link: https://patch.msgid.link/20240802080730.3206303-1-razor@blackwall.org Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Conflicts: net/bridge/br_multicast.c [The conflict occurs because the commit 9632233e7de8("net: bridge: multicast: factor out port multicast context") is not merged] Signed-off-by: Zhengchao Shao <shaozhengchao(a)huawei.com> --- net/bridge/br_multicast.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index f3886d5b7952..21fd5ff70dc2 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -1621,16 +1621,14 @@ void br_multicast_del_port(struct net_bridge_port *port) { struct net_bridge *br = port->br; struct net_bridge_port_group *pg; - HLIST_HEAD(deleted_head); struct hlist_node *n; /* Take care of the remaining groups, only perm ones should be left */ spin_lock_bh(&br->multicast_lock); hlist_for_each_entry_safe(pg, n, &port->mglist, mglist) br_multicast_find_del_pg(br, pg); - hlist_move_list(&br->mcast_gc_list, &deleted_head); spin_unlock_bh(&br->multicast_lock); - br_multicast_gc(&deleted_head); + flush_work(&br->mcast_gc_work); del_timer_sync(&port->multicast_router_timer); free_percpu(port->mcast_stats); } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] serial: core: check uartclk for zero to avoid divide by zero
by Yi Yang 29 Aug '24

29 Aug '24

From: George Kennedy <george.kennedy(a)oracle.com> stable inclusion from stable-v4.19.320 commit 3bbd90fca824e6fd61fb20f6dd2b0fa5f8b14bba category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAMM8U CVE: CVE-2024-43893 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 6eabce6608d6f3440f4c03aa3d3ef50a47a3d193 upstream. Calling ioctl TIOCSSERIAL with an invalid baud_base can result in uartclk being zero, which will result in a divide by zero error in uart_get_divisor(). The check for uartclk being zero in uart_set_info() needs to be done before other settings are made as subsequent calls to ioctl TIOCSSERIAL for the same port would be impacted if the uartclk check was done where uartclk gets set. Oops: divide error: 0000 PREEMPT SMP KASAN PTI RIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580) Call Trace: <TASK> serial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576 drivers/tty/serial/8250/8250_port.c:2589) serial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502 drivers/tty/serial/8250/8250_port.c:2741) serial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862) uart_change_line_settings (./include/linux/spinlock.h:376 ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222) uart_port_startup (drivers/tty/serial/serial_core.c:342) uart_startup (drivers/tty/serial/serial_core.c:368) uart_set_info (drivers/tty/serial/serial_core.c:1034) uart_set_info_user (drivers/tty/serial/serial_core.c:1059) tty_set_serial (drivers/tty/tty_io.c:2637) tty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791) __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 fs/ioctl.c:893 fs/ioctl.c:893) do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Reported-by: syzkaller <syzkaller(a)googlegroups.com> Cc: stable(a)vger.kernel.org Signed-off-by: George Kennedy <george.kennedy(a)oracle.com> Rule: add Link: https://lore.kernel.org/stable/1721148848-9784-1-git-send-email-george.kenn… Link: https://lore.kernel.org/r/1721219078-3209-1-git-send-email-george.kennedy@o… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/serial/serial_core.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index 8d8d63c3ca7d..3faf643de752 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -850,6 +850,14 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, new_flags = (__force upf_t)new_info->flags; old_custom_divisor = uport->custom_divisor; + if (!(uport->flags & UPF_FIXED_PORT)) { + unsigned int uartclk = new_info->baud_base * 16; + /* check needs to be done here before other settings made */ + if (uartclk == 0) { + retval = -EINVAL; + goto exit; + } + } if (!capable(CAP_SYS_ADMIN)) { retval = -EPERM; if (change_irq || change_port || -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] mtd: rawnand: hynix: fixed typo
by Yi Yang 29 Aug '24

29 Aug '24

From: Maxim Korotkov <korotkov.maxim.s(a)gmail.com> stable inclusion from stable-v4.19.316 commit 80850a39e2548988f4feae26f3fd66286b460278 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IANCT2 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 6819db94e1cd3ce24a432f3616cd563ed0c4eaba ] The function hynix_nand_rr_init() should probably return an error code. Judging by the usage, it seems that the return code is passed up the call stack. Right now, it always returns 0 and the function hynix_nand_cleanup() in hynix_nand_init() has never been called. Found by RASU JSC and Linux Verification Center (linuxtesting.org) Fixes: 626994e07480 ("mtd: nand: hynix: Add read-retry support for 1x nm MLC NANDs") Signed-off-by: Maxim Korotkov <korotkov.maxim.s(a)gmail.com> Signed-off-by: Miquel Raynal <miquel.raynal(a)bootlin.com> Link: https://lore.kernel.org/linux-mtd/20240313102721.1991299-1-korotkov.maxim.s… Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/mtd/nand/raw/nand_hynix.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/nand_hynix.c b/drivers/mtd/nand/raw/nand_hynix.c index 4ffbb26e76d6..6f595455a8c2 100644 --- a/drivers/mtd/nand/raw/nand_hynix.c +++ b/drivers/mtd/nand/raw/nand_hynix.c @@ -414,7 +414,7 @@ static int hynix_nand_rr_init(struct nand_chip *chip) if (ret) pr_warn("failed to initialize read-retry infrastructure"); - return 0; + return ret; } static void hynix_nand_extract_oobsize(struct nand_chip *chip, -- 2.25.1

2 1

[PATCH 0/4] perf: Support event alias in form foo-bar-baz
by Yushan Wang 29 Aug '24

29 Aug '24

From: zhangqz <14294317+zwx1160575(a)user.noreply.gitee.com> 1、Event aliasing for events whose name in the form foo-bar-baz is not supported, while foo-bar, foo_bar_baz, and other combinations are, i.e. two hyphens are not supported. 2、Add a test for aliases with hyphens in the name to ensure that the pmu-events tables are as expects. There should be no reason why these sort of aliases would be treated differently, but no harm in checking. 3、Add a test which allows us to test parsing an event alias with hyphens. Since these events typically do not exist on most host systems, add the alias to the fake pmu. Function perf_pmu__test_parse_init() has terms added to match known test aliases. John Garry (3): perf parse-events: Support event alias in form foo-bar-baz perf test: Add pmu-events test for aliases with hyphens perf test: Add parse-events test for aliases with hyphens Yushan Wang (1): perf parse-event bugfix merge .../arch/test/test_soc/cpu/uncore.json | 16 ++ tools/perf/tests/parse-events.c | 49 ++++++ tools/perf/tests/pmu-events.c | 32 ++++ tools/perf/util/parse-events.c | 159 +++++++++++++----- tools/perf/util/parse-events.h | 7 +- tools/perf/util/parse-events.l | 2 + tools/perf/util/parse-events.y | 34 +++- 7 files changed, 253 insertions(+), 46 deletions(-) -- 2.33.0

1 4

[PATCH openEuler-1.0-LTS] [Backport] media: xc2028: avoid use-after-free in load_firmware_cb()
by Wenyu Huang 29 Aug '24

29 Aug '24

From: Chi Zhiling <chizhiling(a)kylinos.cn> stable inclusion from stable-v6.6.46 commit 850304152d367f104d21c77cfbcc05806504218b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAMMTD CVE: CVE-2024-43900 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 68594cec291ff9523b9feb3f43fd853dcddd1f60 ] syzkaller reported use-after-free in load_firmware_cb() [1]. The reason is because the module allocated a struct tuner in tuner_probe(), and then the module initialization failed, the struct tuner was released. A worker which created during module initialization accesses this struct tuner later, it caused use-after-free. The process is as follows: task-6504 worker_thread tuner_probe <= alloc dvb_frontend [2] ... request_firmware_nowait <= create a worker ... tuner_remove <= free dvb_frontend ... request_firmware_work_func <= the firmware is ready load_firmware_cb <= but now the dvb_frontend has been freed To fix the issue, check the dvd_frontend in load_firmware_cb(), if it is null, report a warning and just return. [1]: ================================================================== BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0 Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504 Call trace: load_firmware_cb+0x1310/0x17a0 request_firmware_work_func+0x128/0x220 process_one_work+0x770/0x1824 worker_thread+0x488/0xea0 kthread+0x300/0x430 ret_from_fork+0x10/0x20 Allocated by task 6504: kzalloc tuner_probe+0xb0/0x1430 i2c_device_probe+0x92c/0xaf0 really_probe+0x678/0xcd0 driver_probe_device+0x280/0x370 __device_attach_driver+0x220/0x330 bus_for_each_drv+0x134/0x1c0 __device_attach+0x1f4/0x410 device_initial_probe+0x20/0x30 bus_probe_device+0x184/0x200 device_add+0x924/0x12c0 device_register+0x24/0x30 i2c_new_device+0x4e0/0xc44 v4l2_i2c_new_subdev_board+0xbc/0x290 v4l2_i2c_new_subdev+0xc8/0x104 em28xx_v4l2_init+0x1dd0/0x3770 Freed by task 6504: kfree+0x238/0x4e4 tuner_remove+0x144/0x1c0 i2c_device_remove+0xc8/0x290 __device_release_driver+0x314/0x5fc device_release_driver+0x30/0x44 bus_remove_device+0x244/0x490 device_del+0x350/0x900 device_unregister+0x28/0xd0 i2c_unregister_device+0x174/0x1d0 v4l2_device_unregister+0x224/0x380 em28xx_v4l2_init+0x1d90/0x3770 The buggy address belongs to the object at ffff8000d7ca2000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 776 bytes inside of 2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800) The buggy address belongs to the page: page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0 flags: 0x7ff800000000100(slab) raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== [2] Actually, it is allocated for struct tuner, and dvb_frontend is inside. Signed-off-by: Chi Zhiling <chizhiling(a)kylinos.cn> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wenyu Huang <huangwenyu5(a)huawei.com> --- drivers/media/tuners/tuner-xc2028.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c index aa6861dcd3fd7..eb74cb8f259a9 100644 --- a/drivers/media/tuners/tuner-xc2028.c +++ b/drivers/media/tuners/tuner-xc2028.c @@ -1362,9 +1362,16 @@ static void load_firmware_cb(const struct firmware *fw, void *context) { struct dvb_frontend *fe = context; - struct xc2028_data *priv = fe->tuner_priv; + struct xc2028_data *priv; int rc; + if (!fe) { + pr_warn("xc2028: No frontend in %s\n", __func__); + return; + } + + priv = fe->tuner_priv; + tuner_dbg("request_firmware_nowait(): %s\n", fw ? "OK" : "error"); if (!fw) { tuner_err("Could not load firmware %s.\n", priv->fname); -- 2.34.1

2 1