- Kernel - mailweb.openeuler.org

[PATCH openEuler-22.03-LTS-SP1
by Luo Gengkun 03 Jun '24

03 Jun '24

From: l00855224 <l00855224(a)notesmail.huawei.com/> mainline inclusion from mainline-v6.9 commit ee0166b637a5e376118e9659e5b4148080f1d27e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9U7YV CVE: CVE-2024-36898 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If a line is requested with debounce, and that results in debouncing in software, and the line is subsequently reconfigured to enable edge detection then the allocation of the kfifo to contain edge events is overlooked. This results in events being written to and read from an uninitialised kfifo. Read events are returned to userspace. Initialise the kfifo in the case where the software debounce is already active. Fixes: 65cff7046406 ("gpiolib: cdev: support setting debounce") Signed-off-by: Kent Gibson <warthog618(a)gmail.com> Link: https://lore.kernel.org/r/20240510065342.36191-1-warthog618@gmail.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Conflicts: drivers/gpio/gpiolib-cdev.c [fix context conflicts] Signed-off-by: Luo Gengkun <luogengkun2(a)huawei.com> --- drivers/gpio/gpiolib-cdev.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c index 381cfa26a4a1..0f98a07efcd6 100644 --- a/drivers/gpio/gpiolib-cdev.c +++ b/drivers/gpio/gpiolib-cdev.c @@ -816,6 +816,8 @@ static int edge_detector_update(struct line *line, unsigned int line_idx, u64 eflags, bool polarity_change) { + u64 errflags; + int ret; unsigned int debounce_period_us = gpio_v2_line_config_debounce_period(lc, line_idx); @@ -827,6 +829,18 @@ static int edge_detector_update(struct line *line, if (debounce_period_us && READ_ONCE(line->sw_debounced)) { line->eflags = eflags; WRITE_ONCE(line->desc->debounce_period_us, debounce_period_us); + /* + * ensure event fifo is initialised if edge detection + * is now enabled. + */ + errflags = eflags & GPIO_V2_LINE_EDGE_FLAGS; + if (errflags && !kfifo_initialized(&line->req->events)) { + ret = kfifo_alloc(&line->req->events, + line->req->event_buffer_size, + GFP_KERNEL); + if (ret) + return ret; + } return 0; } -- 2.34.1

1 0

[PATCH openEuler-1.0-LTS] smb: client: fix use-after-free bug in cifs_debug_data_proc_show()
by Wang Zhaolong 03 Jun '24

03 Jun '24

From: Paulo Alcantara <pc(a)manguebit.com> mainline inclusion from mainline-v6.7-rc1 commit d328c09ee9f15ee5a26431f5aad7c9239fa85e62 category: bugfix bugzilla: 190029 CVE: CVE-2023-52752 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- Skip SMB sessions that are being teared down (e.g. @ses->ses_status == SES_EXITING) in cifs_debug_data_proc_show() to avoid use-after-free in @ses. This fixes the following GPF when reading from /proc/fs/cifs/DebugData while mounting and umounting [ 816.251274] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6d81: 0000 [#1] PREEMPT SMP NOPTI ... [ 816.260138] Call Trace: [ 816.260329] <TASK> [ 816.260499] ? die_addr+0x36/0x90 [ 816.260762] ? exc_general_protection+0x1b3/0x410 [ 816.261126] ? asm_exc_general_protection+0x26/0x30 [ 816.261502] ? cifs_debug_tcon+0xbd/0x240 [cifs] [ 816.261878] ? cifs_debug_tcon+0xab/0x240 [cifs] [ 816.262249] cifs_debug_data_proc_show+0x516/0xdb0 [cifs] [ 816.262689] ? seq_read_iter+0x379/0x470 [ 816.262995] seq_read_iter+0x118/0x470 [ 816.263291] proc_reg_read_iter+0x53/0x90 [ 816.263596] ? srso_alias_return_thunk+0x5/0x7f [ 816.263945] vfs_read+0x201/0x350 [ 816.264211] ksys_read+0x75/0x100 [ 816.264472] do_syscall_64+0x3f/0x90 [ 816.264750] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 816.265135] RIP: 0033:0x7fd5e669d381 Cc: stable(a)vger.kernel.org Signed-off-by: Paulo Alcantara (SUSE) <pc(a)manguebit.com> Signed-off-by: Steve French <stfrench(a)microsoft.com> Conflicts: fs/smb/client/cifs_debug.c fs/cifs/cifs_debug.c [Path is changed and related functions has been refactored for a long time] Signed-off-by: Wang Zhaolong <wangzhaolong1(a)huawei.com> --- fs/cifs/cifs_debug.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c index a85aeff90df8..2595a528be97 100644 --- a/fs/cifs/cifs_debug.c +++ b/fs/cifs/cifs_debug.c @@ -287,6 +287,8 @@ static int cifs_debug_data_proc_show(struct seq_file *m, void *v) list_for_each(tmp2, &server->smb_ses_list) { ses = list_entry(tmp2, struct cifs_ses, smb_ses_list); + if (ses->status == CifsExiting) + continue; if ((ses->serverDomain == NULL) || (ses->serverOS == NULL) || (ses->serverNOS == NULL)) { -- 2.34.3

2 1

[PATCH openEuler-1.0-LTS] memory: fsl_ifc: fix leak of private memory on probe failure
by Tong Tiangen 03 Jun '24

03 Jun '24

From: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> stable inclusion from stable-v4.19.198 commit ee1aa737ba0b75ab8af3444c4ae5bdba36aed6e6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RL3N CVE: CVE-2021-47314 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 8e0d09b1232d0538066c40ed4c13086faccbdff6 ] On probe error the driver should free the memory allocated for private structure. Fix this by using resource-managed allocation. Fixes: a20cbdeffce2 ("powerpc/fsl: Add support for Integrated Flash Controller") Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)canonical.com> Link: https://lore.kernel.org/r/20210527154322.81253-2-krzysztof.kozlowski@canoni… Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Tong Tiangen <tongtiangen(a)huawei.com> --- drivers/memory/fsl_ifc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/memory/fsl_ifc.c b/drivers/memory/fsl_ifc.c index 1b182b117f9c..1272e8886a42 100644 --- a/drivers/memory/fsl_ifc.c +++ b/drivers/memory/fsl_ifc.c @@ -109,7 +109,6 @@ static int fsl_ifc_ctrl_remove(struct platform_device *dev) iounmap(ctrl->gregs); dev_set_drvdata(&dev->dev, NULL); - kfree(ctrl); return 0; } @@ -221,7 +220,8 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev) dev_info(&dev->dev, "Freescale Integrated Flash Controller\n"); - fsl_ifc_ctrl_dev = kzalloc(sizeof(*fsl_ifc_ctrl_dev), GFP_KERNEL); + fsl_ifc_ctrl_dev = devm_kzalloc(&dev->dev, sizeof(*fsl_ifc_ctrl_dev), + GFP_KERNEL); if (!fsl_ifc_ctrl_dev) return -ENOMEM; -- 2.25.1

2 1

[PATCH openEuler-1.0-LTS] tty: vcc: Add check for kstrdup() in vcc_probe()
by Yi Yang 03 Jun '24

03 Jun '24

stable inclusion from stable-v4.19.300 commit 909963e0c16778cec28efb1affc21558825f4200 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9RFK8 CVE: CVE-2023-52789 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit d81ffb87aaa75f842cd7aa57091810353755b3e6 ] Add check for the return value of kstrdup() and return the error, if it fails in order to avoid NULL pointer dereference. Signed-off-by: Yi Yang <yiyang13(a)huawei.com> Reviewed-by: Jiri Slaby <jirislaby(a)kernel.org> Link: https://lore.kernel.org/r/20230904035220.48164-1-yiyang13@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Yi Yang <yiyang13(a)huawei.com> --- drivers/tty/vcc.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/drivers/tty/vcc.c b/drivers/tty/vcc.c index 58b454c34560..73dae8902216 100644 --- a/drivers/tty/vcc.c +++ b/drivers/tty/vcc.c @@ -586,18 +586,22 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id) return -ENOMEM; name = kstrdup(dev_name(&vdev->dev), GFP_KERNEL); + if (!name) { + rv = -ENOMEM; + goto free_port; + } rv = vio_driver_init(&port->vio, vdev, VDEV_CONSOLE_CON, vcc_versions, ARRAY_SIZE(vcc_versions), NULL, name); if (rv) - goto free_port; + goto free_name; port->vio.debug = vcc_dbg_vio; vcc_ldc_cfg.debug = vcc_dbg_ldc; rv = vio_ldc_alloc(&port->vio, &vcc_ldc_cfg, port); if (rv) - goto free_port; + goto free_name; spin_lock_init(&port->lock); @@ -630,6 +634,11 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id) goto unreg_tty; } port->domain = kstrdup(domain, GFP_KERNEL); + if (!port->domain) { + rv = -ENOMEM; + goto unreg_tty; + } + mdesc_release(hp); @@ -659,8 +668,9 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id) vcc_table_remove(port->index); free_ldc: vio_ldc_free(&port->vio); -free_port: +free_name: kfree(name); +free_port: kfree(port); return rv; -- 2.25.1

2 1

[PATCH OLK-5.10] mISDN: fix possible use-after-free in HFC_cleanup()
by Xiang Yang 03 Jun '24

03 Jun '24

From: Zou Wei <zou_wei(a)huawei.com> stable inclusion from stable-v4.19.198 commit 5f2818185da0fe82a932f0856633038b66faf124 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4CC CVE: CVE-2021-47356 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 009fc857c5f6fda81f2f7dd851b2d54193a8e733 ] This module's remove path calls del_timer(). However, that function does not wait until the timer handler finishes. This means that the timer handler may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling del_timer_sync(), which makes sure the timer handler has finished, and unable to re-schedule itself. Reported-by: Hulk Robot <hulkci(a)huawei.com> Signed-off-by: Zou Wei <zou_wei(a)huawei.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Xiang Yang <xiangyang3(a)huawei.com> --- drivers/isdn/hardware/mISDN/hfcpci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c index ebb3fa2e1d00..53349850f866 100644 --- a/drivers/isdn/hardware/mISDN/hfcpci.c +++ b/drivers/isdn/hardware/mISDN/hfcpci.c @@ -2348,7 +2348,7 @@ static void __exit HFC_cleanup(void) { if (timer_pending(&hfc_tl)) - del_timer(&hfc_tl); + del_timer_sync(&hfc_tl); pci_unregister_driver(&hfc_driver); } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS 0/2] CVE-2024-36015
by Chen Ridong 03 Jun '24

03 Jun '24

*** BLURB HERE *** Christophe JAILLET (1): ppdev: Remove usage of the deprecated ida_simple_xx() API Huai-Yuan Liu (1): ppdev: Add an error check in register_device drivers/char/ppdev.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) -- 2.34.1

2 3

[PATCH openEuler-22.03-LTS-SP1 0/2] CVE: CVE-2024-36015
by Chen Ridong 03 Jun '24

03 Jun '24

*** BLURB HERE *** Christophe JAILLET (1): ppdev: Remove usage of the deprecated ida_simple_xx() API Huai-Yuan Liu (1): ppdev: Add an error check in register_device drivers/char/ppdev.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) -- 2.34.1

2 3

[PATCH OLK-5.10 0/2] CVE: CVE-2024-36015
by Chen Ridong 03 Jun '24

03 Jun '24

*** BLURB HERE *** Christophe JAILLET (1): ppdev: Remove usage of the deprecated ida_simple_xx() API Huai-Yuan Liu (1): ppdev: Add an error check in register_device drivers/char/ppdev.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) -- 2.34.1

2 3

[PATCH OLK-5.10 0/1] CVE: CVE-2024-36015
by Chen Ridong 03 Jun '24

03 Jun '24

*** BLURB HERE *** Huai-Yuan Liu (1): ppdev: Add an error check in register_device drivers/char/ppdev.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) -- 2.34.1

2 2

[PATCH openEuler-22.03-LTS-SP1 0/1] CVE: CVE-2024-36015
by Chen Ridong 03 Jun '24

03 Jun '24

*** BLURB HERE *** Huai-Yuan Liu (1): ppdev: Add an error check in register_device drivers/char/ppdev.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) -- 2.34.1

2 2