mailweb.openeuler.org
Kernel

kernel@openeuler.org

  • 52 participants
  • 18277 discussions
[PATCH OLK-5.10] media: s5p-jpeg: prevent buffer overflows
by Zhang Kunbo 22 Nov '24

From: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> stable inclusion from stable-v5.10.230 commit f54e8e1e39dacccebcfb9a9a36f0552a0a97e2ef category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5KQX CVE: CVE-2024-53061 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 14a22762c3daeac59a5a534e124acbb4d7a79b3a upstream. The current logic allows word to be less than 2. If this happens, there will be buffer overflows, as reported by smatch. Add extra checks to prevent it. While here, remove an unused word = 0 assignment. Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433") Cc: stable(a)vger.kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei(a)kernel.org> Reviewed-by: Jacek Anaszewski <jacek.anaszewski(a)gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zhang Kunbo <zhangkunbo(a)huawei.com> --- drivers/media/platform/s5p-jpeg/jpeg-core.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c index d515eb08c3ee..55d0ba45a970 100644 --- a/drivers/media/platform/s5p-jpeg/jpeg-core.c +++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c @@ -775,11 +775,14 @@ static void exynos4_jpeg_parse_decode_h_tbl(struct s5p_jpeg_ctx *ctx) (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2; jpeg_buffer.curr = 0; - word = 0; - if (get_word_be(&jpeg_buffer, &word)) return; - jpeg_buffer.size = (long)word - 2; + + if (word < 2) + jpeg_buffer.size = 0; + else + jpeg_buffer.size = (long)word - 2; + jpeg_buffer.data += 2; jpeg_buffer.curr = 0; @@ -1058,6 +1061,7 @@ static int get_word_be(struct s5p_jpeg_buffer *buf, unsigned int *word) if (byte == -1) return -1; *word = (unsigned int)byte | temp; + return 0; } 
@@ -1145,7 +1149,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result, if (get_word_be(&jpeg_buffer, &word)) break; length = (long)word - 2; - if (!length) + if (length <= 0) return false; sof = jpeg_buffer.curr; /* after 0xffc0 */ sof_len = length; @@ -1176,7 +1180,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result, if (get_word_be(&jpeg_buffer, &word)) break; length = (long)word - 2; - if (!length) + if (length <= 0) return false; if (n_dqt >= S5P_JPEG_MAX_MARKER) return false; @@ -1189,7 +1193,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result, if (get_word_be(&jpeg_buffer, &word)) break; length = (long)word - 2; - if (!length) + if (length <= 0) return false; if (n_dht >= S5P_JPEG_MAX_MARKER) return false; @@ -1214,6 +1218,7 @@ static bool s5p_jpeg_parse_hdr(struct s5p_jpeg_q_data *result, if (get_word_be(&jpeg_buffer, &word)) break; length = (long)word - 2; + /* No need to check underflows as skip() does it */ skip(&jpeg_buffer, length); break; } -- 2.34.1
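Review bot: In exynos4_jpeg_parse_decode_h_tbl() a segment length below 2 is clamped to jpeg_buffer.size = 0 and parsing carries on, while the three s5p_jpeg_parse_hdr() hunks reject the same condition with "if (length <= 0) return false;". Returning early here, as the function already does when get_word_be() fails, would make the handling of a malformed length uniform instead of relying on every later read noticing the empty buffer. The comment added before skip(&jpeg_buffer, length) states that skip() checks for underflow, but skip() is not in this diff, so that should be confirmed against the OLK-5.10 tree before merging.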
[PATCH OLK-5.10] btrfs: reinitialize delayed ref list after deleting it from the list
by Zizhi Wo 22 Nov '24

From: Filipe Manana <fdmanana(a)suse.com> stable inclusion from stable-v5.10.230 commit bf0b0c6d159767c0d1c21f793950d78486690ee0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5AVH CVE: CVE-2024-50273 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- commit c9a75ec45f1111ef530ab186c2a7684d0a0c9245 upstream. At insert_delayed_ref() if we need to update the action of an existing ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's ref_add_list using list_del(), which leaves the ref's add_list member not reinitialized, as list_del() sets the next and prev members of the list to LIST_POISON1 and LIST_POISON2, respectively. If later we end up calling drop_delayed_ref() against the ref, which can happen during merging or when destroying delayed refs due to a transaction abort, we can trigger a crash since at drop_delayed_ref() we call list_empty() against the ref's add_list, which returns false since the list was not reinitialized after the list_del() and as a consequence we call list_del() again at drop_delayed_ref(). This results in an invalid list access since the next and prev members are set to poison pointers, resulting in a splat if CONFIG_LIST_HARDENED and CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences otherwise. So fix this by deleting from the list with list_del_init() instead. Fixes: 1d57ee941692 ("btrfs: improve delayed refs iterations") CC: stable(a)vger.kernel.org # 4.19+ Reviewed-by: Johannes Thumshirn <johannes.thumshirn(a)wdc.com> Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Zizhi Wo <wozizhi(a)huawei.com> --- fs/btrfs/delayed-ref.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c index 30883b9a26d8..e2309bc9e45d 100644 --- a/fs/btrfs/delayed-ref.c +++ b/fs/btrfs/delayed-ref.c @@ -620,7 +620,7 @@ static int insert_delayed_ref(struct btrfs_trans_handle *trans, &href->ref_add_list); else if (ref->action == BTRFS_DROP_DELAYED_REF) { ASSERT(!list_empty(&exist->add_list)); - list_del(&exist->add_list); + list_del_init(&exist->add_list); } else { ASSERT(0); } -- 2.46.1
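Review bot: The switch to list_del_init(&exist->add_list) in insert_delayed_ref() carries no comment, so the reason it must not be a plain list_del() is recorded only in the commit message. A one-line comment at that call saying that drop_delayed_ref() later tests list_empty() on add_list would keep a future cleanup from reverting it. The changelog should also say whether the other list_del() calls on add_list were audited, since the diff touches only this one site.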
[PATCH OLK-6.6] perf: Add PMCG platform information for HiSilicon HIP09A
by Yushan Wang 22 Nov '24

From: Qinxin Xia <xiaqinxin(a)huawei.com> driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB5WVR CVE: NA ---------------------------------------------------------------------- Bugfix or Feature: Bugfix Description: HiSilicon HIP09A platforms using the same SMMU PMCG with HIP09 and thus suffers the same erratum. List them in the PMCG platform information list without introducing a new SMMU PMCG Model. Fixes: 0785c8a6d09e ("ACPI/IORT: Add PMCG platform information for HiSilicon HIP10/11") Signed-off-by: Qinxin Xia <xiaqinxin(a)huawei.com> Signed-off-by: zhangqz <14294317+zhangqizhi3(a)user.noreply.gitee.com> --- Documentation/arm64/silicon-errata.rst | 5 +++-- drivers/acpi/arm64/iort.c | 2 ++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Documentation/arm64/silicon-errata.rst b/Documentation/arm64/silicon-errata.rst index 77ba5531e0ee..29287a91bbb7 100644 --- a/Documentation/arm64/silicon-errata.rst +++ b/Documentation/arm64/silicon-errata.rst @@ -147,8 +147,9 @@ stable kernels. +----------------+-----------------+-----------------+-----------------------------+ | Hisilicon | Hip08 SMMU PMCG | #162001800 | N/A | +----------------+-----------------+-----------------+-----------------------------+ -| Hisilicon | Hip{08,09,10,10C| #162001900 | N/A | -| | ,11} SMMU PMCG | | | +| Hisilicon | Hip{08,09,09A, | #162001900 | N/A | +| | 10,10C,11} | | | +| | SMMU PMCG | | | +----------------+-----------------+-----------------+-----------------------------+ | Hisilicon | TSV{110,200} | #1980005 | HISILICON_ERRATUM_1980005 | +----------------+-----------------+-----------------+-----------------------------+ diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c index a0786cd8ca83..a86f65e47d17 100644 --- a/drivers/acpi/arm64/iort.c +++ b/drivers/acpi/arm64/iort.c 
@@ -1481,6 +1481,8 @@ static struct acpi_platform_list pmcg_plat_info[] __initdata = { /* HiSilicon Hip09 Platform */ {"HISI ", "HIP09 ", 0, ACPI_SIG_IORT, greater_than_or_equal, "Erratum #162001900", IORT_SMMU_V3_PMCG_HISI_HIP09}, + {"HISI ", "HIP09A ", 0, ACPI_SIG_IORT, greater_than_or_equal, + "Erratum #162001900", IORT_SMMU_V3_PMCG_HISI_HIP09}, /* HiSilicon Hip10/11 Platform uses the same SMMU IP with Hip09 */ {"HISI ", "HIP10 ", 0, ACPI_SIG_IORT, greater_than_or_equal, "Erratum #162001900", IORT_SMMU_V3_PMCG_HISI_HIP09}, -- 2.33.0
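Review bot: In pmcg_plat_info[] the new "HIP09A" entry sits under the existing /* HiSilicon Hip09 Platform */ comment, which does not mention HIP09A; extend that comment (for example to "Hip09/Hip09A"), in the way the next entry's comment names Hip10/11. The subject uses a "perf:" prefix although the code change is in drivers/acpi/arm64/iort.c and the commit named in Fixes: uses "ACPI/IORT:", so the prefix should follow that one.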
[openeuler:OLK-6.6 1513/1513] drivers/crypto/montage/tsse/tsse_ipc_api.c:62:36: warning: variable 'device_handle' is uninitialized when used here
by kernel test robot 22 Nov '24

tree:   https://gitee.com/openeuler/kernel.git OLK-6.6
head:   dccd6d8473b2f20aaa76e23820a3bf4934fc8d36
commit: 914854f2adb6988ac3b6521088ec96833d6743e2 [1513/1513] driver: crypto - update support for Mont-TSSE Driver
config: x86_64-allyesconfig (https://download.01.org/0day-ci/archive/20241122/202411221252.PUnKjTWH-lkp@…)
compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241122/202411221252.PUnKjTWH-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202411221252.PUnKjTWH-lkp@intel.com/

All warnings (new ones prefixed by >>):

   In file included from drivers/crypto/montage/tsse/tsse_ipc_api.c:10:
   In file included from drivers/crypto/montage/tsse/tsse_dev.h:13:
   In file included from include/linux/pci.h:1669:
   In file included from include/linux/dmapool.h:14:
   In file included from include/linux/scatterlist.h:8:
   In file included from include/linux/mm.h:2243:
   include/linux/vmstat.h:508:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
     508 |         return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~ ^
     509 |                            item];
         |                            ~~~~
   include/linux/vmstat.h:515:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
     515 |         return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~ ^
     516 |                            NR_VM_NUMA_EVENT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~~
   include/linux/vmstat.h:522:36: warning: arithmetic between different enumeration types ('enum node_stat_item' and 'enum lru_list') [-Wenum-enum-conversion]
     522 |         return node_stat_name(NR_LRU_BASE + lru) + 3; // skip "nr_"
         |                               ~~~~~~~~~~~ ^ ~~~
   include/linux/vmstat.h:527:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
     527 |         return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~ ^
     528 |                            NR_VM_NUMA_EVENT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~~
   include/linux/vmstat.h:536:43: warning: arithmetic between different enumeration types ('enum zone_stat_item' and 'enum numa_stat_item') [-Wenum-enum-conversion]
     536 |         return vmstat_text[NR_VM_ZONE_STAT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~ ^
     537 |                            NR_VM_NUMA_EVENT_ITEMS +
         |                            ~~~~~~~~~~~~~~~~~~~~~~
>> drivers/crypto/montage/tsse/tsse_ipc_api.c:62:36: warning: variable 'device_handle' is uninitialized when used here [-Wuninitialized]
      62 |         service_instance->device_handle = device_handle;
         |                                           ^~~~~~~~~~~~~
   drivers/crypto/montage/tsse/tsse_ipc_api.c:56:19: note: initialize the variable 'device_handle' to silence this warning
      56 |         int device_handle;
         |                          ^
         |                           = 0
   6 warnings generated.

vim +/device_handle +62 drivers/crypto/montage/tsse/tsse_ipc_api.c

    41
    42  /**
    43   * tsse_im_service_handle_alloc() - Allocate IPC Message service handle for specific service.
    44   * @name: IPC Message service name
    45   * @cb: request callback for the service
    46   * @handle: function output for the service handle
    47   * Return: 0 if allocated successfully, other values for failure
    48   */
    49  int tsse_im_service_handle_alloc(
    50          const char *name,
    51          tsse_im_cb_func cb,
    52          tsse_im_service_handle *handle)
    53  {
    54          struct tsse_service_instance *service_instance;
    55          int ret;
    56          int device_handle;
    57
    58          service_instance = kzalloc(sizeof(struct tsse_service_instance), GFP_ATOMIC);
    59          if (!service_instance)
    60                  return -ENOMEM;
    61          service_instance->service_opened = 0;
  > 62          service_instance->device_handle = device_handle;
    63          service_instance->cb = cb;
    64          strscpy(service_instance->service_name, name, TSSE_IM_SERVICE_NAME_LEN);
    65
    66          ret = tsse_schedule_device_handle(service_instance);
    67          if (ret) {
    68                  kfree(service_instance);
    69                  return ret;
    70          }
    71
    72          ret = tsse_service_open(service_instance);
    73          if (ret) {
    74                  pr_err("%s(): open service: %s failed: %d\n",
    75                          __func__, service_instance->service_name, ret);
    76                  kfree(service_instance);
    77                  return ret;
    78          }
    79          *handle = service_instance;
    80          return 0;
    81  }
    82  EXPORT_SYMBOL_GPL(tsse_im_service_handle_alloc);
    83

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 1304/1304] kernel/sched/core.c:5845:2: error: implicit declaration of function 'tg_update_affinity_domains'
by kernel test robot 22 Nov '24

Hi Hui,

FYI, the error/warning still remains.

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   81e029d5dd0cae934243168eee37ef303ebcce38
commit: 713cfd2684fa5ea08b144d92b9858b932c0f1705 [1304/1304] sched: Introduce smart grid scheduling strategy for cfs
config: x86_64-randconfig-002-20241122 (https://download.01.org/0day-ci/archive/20241122/202411221242.ljLHS46N-lkp@…)
compiler: clang version 19.1.3 (https://github.com/llvm/llvm-project ab51eccf88f5321e7c60591c5546b254b6afab99)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241122/202411221242.ljLHS46N-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202411221242.ljLHS46N-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from kernel/sched/core.c:8:
   In file included from kernel/sched/sched.h:39:
   In file included from include/linux/blkdev.h:16:
   include/linux/pagemap.h:425:21: warning: cast from 'int (*)(struct file *, struct page *)' to 'filler_t *' (aka 'int (*)(void *, struct page *)') converts to incompatible function type [-Wcast-function-type-strict]
     425 |         filler_t *filler = (filler_t *)mapping->a_ops->readpage;
         |                            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   In file included from kernel/sched/core.c:8:
   kernel/sched/sched.h:1249:15: warning: cast from 'void (*)(struct rq *)' to 'void (*)(struct callback_head *)' converts to incompatible function type [-Wcast-function-type-strict]
    1249 |         head->func = (void (*)(struct callback_head *))func;
         |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   kernel/sched/core.c:1587:6: warning: no previous prototype for function 'sched_set_stop_task' [-Wmissing-prototypes]
    1587 | void sched_set_stop_task(int cpu, struct task_struct *stop)
         |      ^
   kernel/sched/core.c:1587:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
    1587 | void sched_set_stop_task(int cpu, struct task_struct *stop)
         | ^
         | static
   kernel/sched/core.c:2741:10: warning: cast from 'void (*)(struct callback_head *)' to 'void (*)(struct rq *)' converts to incompatible function type [-Wcast-function-type-strict]
    2741 |                 func = (void (*)(struct rq *))head->func;
         |                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   kernel/sched/core.c:3632:35: warning: no previous prototype for function 'schedule_user' [-Wmissing-prototypes]
    3632 | asmlinkage __visible void __sched schedule_user(void)
         |                                   ^
   kernel/sched/core.c:3632:22: note: declare 'static' if the function is not intended to be used outside of this translation unit
    3632 | asmlinkage __visible void __sched schedule_user(void)
         |                      ^
         |                      static
   kernel/sched/core.c:3771:35: warning: no previous prototype for function 'preempt_schedule_irq' [-Wmissing-prototypes]
    3771 | asmlinkage __visible void __sched preempt_schedule_irq(void)
         |                                   ^
   kernel/sched/core.c:3771:22: note: declare 'static' if the function is not intended to be used outside of this translation unit
    3771 | asmlinkage __visible void __sched preempt_schedule_irq(void)
         |                      ^
         |                      static
>> kernel/sched/core.c:5845:2: error: implicit declaration of function 'tg_update_affinity_domains' [-Werror,-Wimplicit-function-declaration]
    5845 |         tg_update_affinity_domains(cpu, 1);
         |         ^
   kernel/sched/core.c:5904:2: error: implicit declaration of function 'tg_update_affinity_domains' [-Werror,-Wimplicit-function-declaration]
    5904 |         tg_update_affinity_domains(cpu, 0);
         |         ^
   kernel/sched/core.c:5976:2: error: implicit declaration of function 'init_auto_affinity' [-Werror,-Wimplicit-function-declaration]
    5976 |         init_auto_affinity(&root_task_group);
         |         ^
   kernel/sched/core.c:5976:2: note: did you mean 'irq_set_affinity'?
   include/linux/interrupt.h:292:1: note: 'irq_set_affinity' declared here
     292 | irq_set_affinity(unsigned int irq, const struct cpumask *cpumask)
         | ^
   kernel/sched/core.c:5976:22: error: use of undeclared identifier 'root_task_group'; did you mean 'task_group'?
    5976 |         init_auto_affinity(&root_task_group);
         |                             ^~~~~~~~~~~~~~~
         |                             task_group
   kernel/sched/sched.h:1444:34: note: 'task_group' declared here
    1444 | static inline struct task_group *task_group(struct task_struct *p)
         |                                  ^
   kernel/sched/core.c:6029:32: warning: variable 'ptr' set but not used [-Wunused-but-set-variable]
    6029 |         unsigned long alloc_size = 0, ptr;
         |                                       ^
   7 warnings and 4 errors generated.

vim +/tg_update_affinity_domains +5845 kernel/sched/core.c

    5831
    5832  int sched_cpu_activate(unsigned int cpu)
    5833  {
    5834          struct rq *rq = cpu_rq(cpu);
    5835          struct rq_flags rf;
    5836
    5837  #ifdef CONFIG_SCHED_SMT
    5838          /*
    5839           * When going up, increment the number of cores with SMT present.
    5840           */
    5841          if (cpumask_weight(cpu_smt_mask(cpu)) == 2)
    5842                  static_branch_inc_cpuslocked(&sched_smt_present);
    5843  #endif
    5844          set_cpu_active(cpu, true);
  > 5845          tg_update_affinity_domains(cpu, 1);
    5846
    5847          if (sched_smp_initialized) {
    5848                  sched_domains_numa_masks_set(cpu);
    5849                  cpuset_cpu_active();
    5850          }
    5851
    5852          /*
    5853           * Put the rq online, if not already. This happens:
    5854           *
    5855           * 1) In the early boot process, because we build the real domains
    5856           *    after all CPUs have been brought up.
    5857           *
    5858           * 2) At runtime, if cpuset_cpu_active() fails to rebuild the
    5859           *    domains.
    5860           */
    5861          rq_lock_irqsave(rq, &rf);
    5862          if (rq->rd) {
    5863                  BUG_ON(!cpumask_test_cpu(cpu, rq->rd->span));
    5864                  set_rq_online(rq);
    5865          }
    5866          rq_unlock_irqrestore(rq, &rf);
    5867
    5868          update_max_interval();
    5869
    5870          return 0;
    5871  }
    5872

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-6.6] tpm: Lock TPM chip in tpm_pm_suspend() first
by Chen Zhongjin 22 Nov '24

From: Jarkko Sakkinen <jarkko(a)kernel.org> mainline inclusion from mainline-v6.12-rc1 commit 9265fed6db601ee2ec47577815387458ef4f047a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB5KRG CVE: CVE-2024-53085 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- Setting TPM_CHIP_FLAG_SUSPENDED in the end of tpm_pm_suspend() can be racy according, as this leaves window for tpm_hwrng_read() to be called while the operation is in progress. The recent bug report gives also evidence of this behaviour. Address this by locking the TPM chip before checking any chip->flags both in tpm_pm_suspend() and tpm_hwrng_read(). Move TPM_CHIP_FLAG_SUSPENDED check inside tpm_get_random() so that it will be always checked only when the lock is reserved. Cc: stable(a)vger.kernel.org # v6.4+ Fixes: 99d464506255 ("tpm: Prevent hwrng from activating during resume") Reported-by: Mike Seo <mikeseohyungjin(a)gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219383 Reviewed-by: Jerry Snitselaar <jsnitsel(a)redhat.com> Tested-by: Mike Seo <mikeseohyungjin(a)gmail.com> Signed-off-by: Jarkko Sakkinen <jarkko(a)kernel.org> Conflicts: drivers/char/tpm/tpm-interface.c [df745e25098d ("tpm: Lazily flush the auth session") is not merged] Signed-off-by: Chen Zhongjin <chenzhongjin(a)huawei.com> --- drivers/char/tpm/tpm-chip.c | 4 ---- drivers/char/tpm/tpm-interface.c | 29 +++++++++++++++++++++-------- 2 files changed, 21 insertions(+), 12 deletions(-) diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c index 42b1062e33cd5..78999f7f248cb 100644 --- a/drivers/char/tpm/tpm-chip.c +++ b/drivers/char/tpm/tpm-chip.c 
@@ -519,10 +519,6 @@ static int tpm_hwrng_read(struct hwrng *rng, void *data, size_t max, bool wait) { struct tpm_chip *chip = container_of(rng, struct tpm_chip, hwrng); - /* Give back zero bytes, as TPM chip has not yet fully resumed: */ - if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) - return 0; - return tpm_get_random(chip, data, max); } diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 66b16d26eecc7..c8ea52dfa5567 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -394,6 +394,13 @@ int tpm_pm_suspend(struct device *dev) if (!chip) return -ENODEV; + rc = tpm_try_get_ops(chip); + if (rc) { + /* Can be safely set out of locks, as no action cannot race: */ + chip->flags |= TPM_CHIP_FLAG_SUSPENDED; + goto out; + } + if (chip->flags & TPM_CHIP_FLAG_ALWAYS_POWERED) goto suspended; @@ -401,19 +408,18 @@ int tpm_pm_suspend(struct device *dev) !pm_suspend_via_firmware()) goto suspended; - rc = tpm_try_get_ops(chip); - if (!rc) { - if (chip->flags & TPM_CHIP_FLAG_TPM2) - tpm2_shutdown(chip, TPM2_SU_STATE); - else - rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); - - tpm_put_ops(chip); + if (chip->flags & TPM_CHIP_FLAG_TPM2) { + tpm2_shutdown(chip, TPM2_SU_STATE); + goto suspended; } + rc = tpm1_pm_suspend(chip, tpm_suspend_pcr); + suspended: chip->flags |= TPM_CHIP_FLAG_SUSPENDED; + tpm_put_ops(chip); +out: if (rc) dev_err(dev, "Ignoring error %d while suspending\n", rc); return 0; @@ -462,11 +468,18 @@ int tpm_get_random(struct tpm_chip *chip, u8 *out, size_t max) if (!chip) return -ENODEV; + /* Give back zero bytes, as TPM chip has not yet fully resumed: */ + if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) { + rc = 0; + goto out; + } + if (chip->flags & TPM_CHIP_FLAG_TPM2) rc = tpm2_get_random(chip, out, max); else rc = tpm1_get_random(chip, out, max); +out: tpm_put_ops(chip); return rc; } -- 2.25.1
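Review bot: The comment added on the tpm_try_get_ops() failure path in tpm_pm_suspend(), "Can be safely set out of locks, as no action cannot race", is a double negative that reads as the opposite of what is meant; it should say "no action can race". In tpm_get_random() the new TPM_CHIP_FLAG_SUSPENDED check exits through out:, which calls tpm_put_ops(chip), so it is only correct if the ops lock was taken before the "if (!chip)" test. That acquisition is outside the hunk context, and given the Conflicts: note it is worth confirming for this tree.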
[PATCH OLK-6.6 0/2] ext4: fix potential memory exposure issues during truncate in iomap
by Yongjian Sun 22 Nov '24

*** BLURB HERE ***

Yongjian Sun (2):
  ext4: do not always order data when partial zeroing out a block
  ext4: fix potential memory exposure issues during truncate in iomap mode.

 fs/ext4/inode.c | 75 ++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 59 insertions(+), 16 deletions(-)

--
2.39.2
[PATCH OLK-5.10 V1] sched/topology: Prevent race condition in sched_domain topology
by Zicheng Qu 22 Nov '24

hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB485D -------------------------------- A race condition in `build_sched_domains() -> build_sched_domain() -> sd_init()` can lead to a null pointer dereference when `tl->data` is accessed. This occurs because `build_sched_domains() -> alloc_state()` may skip memory allocation for `tl->data` based on `tl->flags` and `SDTL_SKIP`, which can be influenced by concurrent modifications through `sched_cluster_handler()`, supported by the feature named "scheduler: Add runtime knob sysctl_sched_cluster". The issue arises when `sysctl_sched_cluster()` is modified via `/proc/sys/kernel/sched_cluster`, affecting `tl->flags` through `sched_cluster_handler() -> set_sched_cluster()`. This can lead to an inconsistent state where `tl->data` is expected to be non-null in `sd_init()`, but was not allocated in `alloc_state()` before `sd_init()`. To resolve this, lock `sched_domains_mutex` before calling `set_sched_cluster()`. This ensures that changes to `tl->flags` do not interfere with the memory allocation process in `build_sched_domains()`. Fixes: 8ce3e706b314 ("scheduler: Add runtime knob sysctl_sched_cluster") Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- kernel/sched/topology.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kernel/sched/topology.c b/kernel/sched/topology.c index 4bf575e4e7fc..3a8673a1a3fc 100644 --- a/kernel/sched/topology.c +++ b/kernel/sched/topology.c @@ -1722,7 +1722,13 @@ int sched_cluster_handler(struct ctl_table *table, int write, ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); if (!ret && write) { if (oldval != sysctl_sched_cluster) { + /* + * Here may have raced with partition_sched_domains_locked, + * it needs to be protected with sched_domains_mutex. + */ + mutex_lock(&sched_domains_mutex); set_sched_cluster(); + mutex_unlock(&sched_domains_mutex); arch_rebuild_cpu_topology(); } } -- 2.34.1
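Review bot: In sched_cluster_handler() the mutex is held only around set_sched_cluster(), while proc_dointvec_minmax() and the "oldval != sysctl_sched_cluster" comparison run before it is taken, so the sysctl value itself is still written and read outside sched_domains_mutex. If the comparison is meant to be consistent with what set_sched_cluster() then applies, take the lock before the comparison. The added comment names partition_sched_domains_locked, whereas the commit message describes the race against build_sched_domains() and alloc_state(); align the two and reword "Here may have raced with" to say that set_sched_cluster() changes tl->flags, which must not change while domains are being built.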
[PATCH openEuler-22.03-LTS-SP1 V1] udf: fix uninit-value use in udf_get_fileshortad
by Zicheng Qu 22 Nov '24

From: Gianfranco Trad <gianf.trad(a)gmail.com> stable inclusion from stable-v5.15.170 commit 4fc0d8660e391dcd8dde23c44d702be1f6846c61 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2SWN CVE: CVE-2024-50143 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 264db9d666ad9a35075cc9ed9ec09d021580fbb1 ] Check for overflow when computing alen in udf_current_aext to mitigate later uninit-value use in udf_get_fileshortad KMSAN bug[1]. After applying the patch reproducer did not trigger any issue[2]. [1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df [2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000 Reported-by: syzbot+8901c4560b7ab5c2f9df(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df Tested-by: syzbot+8901c4560b7ab5c2f9df(a)syzkaller.appspotmail.com Suggested-by: Jan Kara <jack(a)suse.com> Signed-off-by: Gianfranco Trad <gianf.trad(a)gmail.com> Signed-off-by: Jan Kara <jack(a)suse.cz> Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/udf/inode.c [The stable version 5.10 is missing patch 4fc0d8660e391dcd8dde23c44d702be1f6846c61, which was pulled from 5.15. The current version of check_add_overflow() lacks the relevant commit d219d2a9a92e39aa92799efe8f2aa21259b6dd82 ("overflow: Allow mixed type arguments"). Therefore, it is necessary to cast the arguments to int.] Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- fs/udf/inode.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 3ae9955c42b0..1198d27552b5 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c 
@@ -2182,12 +2182,15 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos, alen = udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc; } else { + struct allocExtDesc *header = + (struct allocExtDesc *)epos->bh->b_data; + if (!epos->offset) epos->offset = sizeof(struct allocExtDesc); ptr = epos->bh->b_data + epos->offset; - alen = sizeof(struct allocExtDesc) + - le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)-> - lengthAllocDescs); + if (check_add_overflow((int)sizeof(struct allocExtDesc), + (int)le32_to_cpu(header->lengthAllocDescs), &alen)) + return -1; } switch (iinfo->i_alloc_type) { -- 2.34.1
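Review bot: In udf_current_aext(), casting le32_to_cpu(header->lengthAllocDescs) to int before check_add_overflow() turns any on-disk value with the top bit set into a negative number, so the addition does not overflow and alen is computed from a negative length instead of the function returning -1. Reject a lengthAllocDescs larger than INT_MAX minus sizeof(struct allocExtDesc) before the cast, or reject a negative alen after it, so that this backport refuses the same inputs a mixed-type check_add_overflow() would.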
[PATCH OLK-5.10 V1] udf: fix uninit-value use in udf_get_fileshortad
by Zicheng Qu 22 Nov '24

From: Gianfranco Trad <gianf.trad(a)gmail.com> stable inclusion from stable-v5.15.170 commit 4fc0d8660e391dcd8dde23c44d702be1f6846c61 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2SWN CVE: CVE-2024-50143 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 264db9d666ad9a35075cc9ed9ec09d021580fbb1 ] Check for overflow when computing alen in udf_current_aext to mitigate later uninit-value use in udf_get_fileshortad KMSAN bug[1]. After applying the patch reproducer did not trigger any issue[2]. [1] https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df [2] https://syzkaller.appspot.com/x/log.txt?x=10242227980000 Reported-by: syzbot+8901c4560b7ab5c2f9df(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8901c4560b7ab5c2f9df Tested-by: syzbot+8901c4560b7ab5c2f9df(a)syzkaller.appspotmail.com Suggested-by: Jan Kara <jack(a)suse.com> Signed-off-by: Gianfranco Trad <gianf.trad(a)gmail.com> Signed-off-by: Jan Kara <jack(a)suse.cz> Link: https://patch.msgid.link/20240925074613.8475-3-gianf.trad@gmail.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: fs/udf/inode.c [The stable version 5.10 is missing patch 4fc0d8660e391dcd8dde23c44d702be1f6846c61, which was pulled from 5.15. The current version of check_add_overflow() lacks the relevant commit d219d2a9a92e39aa92799efe8f2aa21259b6dd82 ("overflow: Allow mixed type arguments"). Therefore, it is necessary to cast the arguments to int.] Signed-off-by: Zicheng Qu <quzicheng(a)huawei.com> --- fs/udf/inode.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index a8105eded07e..6ff9cc8adb26 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c 
@@ -2184,12 +2184,15 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos, alen = udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc; } else { + struct allocExtDesc *header = + (struct allocExtDesc *)epos->bh->b_data; + if (!epos->offset) epos->offset = sizeof(struct allocExtDesc); ptr = epos->bh->b_data + epos->offset; - alen = sizeof(struct allocExtDesc) + - le32_to_cpu(((struct allocExtDesc *)epos->bh->b_data)-> - lengthAllocDescs); + if (check_add_overflow((int)sizeof(struct allocExtDesc), + (int)le32_to_cpu(header->lengthAllocDescs), &alen)) + return -1; } switch (iinfo->i_alloc_type) { -- 2.34.1
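Review bot: The (int) casts on both arguments of check_add_overflow() in udf_current_aext() are explained only in the Conflicts: note of the commit message. Add a one-line comment at the call saying that this tree's check_add_overflow() needs matching argument types, so the casts are not dropped in a later cleanup. Because lengthAllocDescs is read with le32_to_cpu(), that comment should also say how values that do not fit in an int are expected to be handled once cast.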