kernel@openeuler.org

  • 52 participants
  • 18283 discussions
[PATCH OLK-6.6] bpf: fix OOB devmap writes when deleting elements
by Tengda Wu 31 Dec '24

From: Maciej Fijalkowski <maciej.fijalkowski(a)intel.com>

stable inclusion
from stable-v6.6.66
commit 8e858930695d3ebec423e85384c95427258c294f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEAPP
CVE: CVE-2024-56615

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…

--------------------------------

commit ab244dd7cf4c291f82faacdc50b45cc0f55b674d upstream.

Jordy reported issue against XSKMAP which also applies to DEVMAP - the
index used for accessing map entry, due to being a signed integer,
causes the OOB writes. Fix is simple as changing the type from int to
u32, however, when compared to XSKMAP case, one more thing needs to be
addressed.

When map is released from system via dev_map_free(), we iterate through
all of the entries and an iterator variable is also an int, which
implies OOB accesses. Again, change it to be u32.

Example splat below:

[ 160.724676] BUG: unable to handle page fault for address: ffffc8fc2c001000
[ 160.731662] #PF: supervisor read access in kernel mode
[ 160.736876] #PF: error_code(0x0000) - not-present page
[ 160.742095] PGD 0 P4D 0
[ 160.744678] Oops: Oops: 0000 [#1] PREEMPT SMP
[ 160.749106] CPU: 1 UID: 0 PID: 520 Comm: kworker/u145:12 Not tainted 6.12.0-rc1+ #487
[ 160.757050] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[ 160.767642] Workqueue: events_unbound bpf_map_free_deferred
[ 160.773308] RIP: 0010:dev_map_free+0x77/0x170
[ 160.777735] Code: 00 e8 fd 91 ed ff e8 b8 73 ed ff 41 83 7d 18 19 74 6e 41 8b 45 24 49 8b bd f8 00 00 00 31 db 85 c0 74 48 48 63 c3 48 8d 04 c7 <48> 8b 28 48 85 ed 74 30 48 8b 7d 18 48 85 ff 74 05 e8 b3 52 fa ff
[ 160.796777] RSP: 0018:ffffc9000ee1fe38 EFLAGS: 00010202
[ 160.802086] RAX: ffffc8fc2c001000 RBX: 0000000080000000 RCX: 0000000000000024
[ 160.809331] RDX: 0000000000000000 RSI: 0000000000000024 RDI: ffffc9002c001000
[ 160.816576] RBP: 0000000000000000 R08: 0000000000000023 R09: 0000000000000001
[ 160.823823] R10: 0000000000000001 R11: 00000000000ee6b2 R12: dead000000000122
[ 160.831066] R13: ffff88810c928e00 R14: ffff8881002df405 R15: 0000000000000000
[ 160.838310] FS: 0000000000000000(0000) GS:ffff8897e0c40000(0000) knlGS:0000000000000000
[ 160.846528] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 160.852357] CR2: ffffc8fc2c001000 CR3: 0000000005c32006 CR4: 00000000007726f0
[ 160.859604] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 160.866847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 160.874092] PKRU: 55555554
[ 160.876847] Call Trace:
[ 160.879338] <TASK>
[ 160.881477] ? __die+0x20/0x60
[ 160.884586] ? page_fault_oops+0x15a/0x450
[ 160.888746] ? search_extable+0x22/0x30
[ 160.892647] ? search_bpf_extables+0x5f/0x80
[ 160.896988] ? exc_page_fault+0xa9/0x140
[ 160.900973] ? asm_exc_page_fault+0x22/0x30
[ 160.905232] ? dev_map_free+0x77/0x170
[ 160.909043] ? dev_map_free+0x58/0x170
[ 160.912857] bpf_map_free_deferred+0x51/0x90
[ 160.917196] process_one_work+0x142/0x370
[ 160.921272] worker_thread+0x29e/0x3b0
[ 160.925082] ? rescuer_thread+0x4b0/0x4b0
[ 160.929157] kthread+0xd4/0x110
[ 160.932355] ? kthread_park+0x80/0x80
[ 160.936079] ret_from_fork+0x2d/0x50
[ 160.943396] ? kthread_park+0x80/0x80
[ 160.950803] ret_from_fork_asm+0x11/0x20
[ 160.958482] </TASK>

Fixes: 546ac1ffb70d ("bpf: add devmap, a map for storing net device references")
CC: stable(a)vger.kernel.org
Reported-by: Jordy Zomer <jordyzomer(a)google.com>
Suggested-by: Jordy Zomer <jordyzomer(a)google.com>
Reviewed-by: Toke Høiland-Jørgensen <toke(a)redhat.com>
Acked-by: John Fastabend <john.fastabend(a)gmail.com>
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski(a)intel.com>
Link: https://lore.kernel.org/r/20241122121030.716788-3-maciej.fijalkowski@intel.…
Signed-off-by: Alexei Starovoitov <ast(a)kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Signed-off-by: Tengda Wu <wutengda2(a)huawei.com> --- kernel/bpf/devmap.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c index 96b0345f76c2..5f2356b47b2d 100644 --- a/kernel/bpf/devmap.c +++ b/kernel/bpf/devmap.c @@ -180,7 +180,7 @@ static struct bpf_map *dev_map_alloc(union bpf_attr *attr) static void dev_map_free(struct bpf_map *map) { struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map); - int i; + u32 i; /* At this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0, * so the programs (can be more than one that used this map) were @@ -813,7 +813,7 @@ static long dev_map_delete_elem(struct bpf_map *map, void *key) { struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map); struct bpf_dtab_netdev *old_dev; - int k = *(u32 *)key; + u32 k = *(u32 *)key; if (k >= map->max_entries) return -EINVAL; @@ -830,7 +830,7 @@ static long dev_map_hash_delete_elem(struct bpf_map *map, void *key) { struct bpf_dtab *dtab = container_of(map, struct bpf_dtab, map); struct bpf_dtab_netdev *old_dev; - int k = *(u32 *)key; + u32 k = *(u32 *)key; unsigned long flags; int ret = -ENOENT; -- 2.34.1
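Review bot: In the dev_map_free() hunk the loop that uses i is not in the visible context, so the hunk alone does not show that both the loop comparison and the array index are unsigned after the change. Please confirm in the OLK-6.6 tree that the loop bound is the u32 max_entries field and that i is not handed to anything taking an int. The splat in the changelog is consistent with the signed case: RBX is 0000000080000000 and the faulting RAX (ffffc8fc2c001000) lies 0x400000000 below RDI (ffffc9002c001000), which is that value sign-extended and scaled by 8.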
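Review bot: In the dev_map_hash_delete_elem() hunk the visible context has no check of k against map->max_entries, unlike dev_map_delete_elem() in the hunk before it, and the changelog only explains the array-index case. A sentence saying whether the hash variant is changed for consistency or because k reaches an index computation there would make the backport easier to audit.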
[openeuler:OLK-5.10 2612/2612] fs/fscache/main.c:52:21: warning: 'fscache_min_op_max_active' defined but not used
by kernel test robot 31 Dec '24

tree:   https://gitee.com/openeuler/kernel.git OLK-5.10
head:   908c8608d2c0fcf6f49b1f48f074515c42474946
commit: c55fa11d134b40dbe1a4a5512a7fe43497cb6d5e [2612/2612] fscache: limit fscache_object_max_active to avoid blocking
config: x86_64-buildonly-randconfig-002-20241231 (https://download.01.org/0day-ci/archive/20241231/202412311354.iggKIx0H-lkp@…)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241231/202412311354.iggKIx0H-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202412311354.iggKIx0H-lkp@intel.com/

All warnings (new ones prefixed by >>):

>> fs/fscache/main.c:52:21: warning: 'fscache_min_op_max_active' defined but not used [-Wunused-variable]
      52 | static unsigned int fscache_min_op_max_active = FSCACHE_MIN_OBJECT_MAX_ACTIVE / 2;
         |                     ^~~~~~~~~~~~~~~~~~~~~~~~~
>> fs/fscache/main.c:51:21: warning: 'fscache_min_object_max_active' defined but not used [-Wunused-variable]
      51 | static unsigned int fscache_min_object_max_active = FSCACHE_MIN_OBJECT_MAX_ACTIVE;
         |                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

vim +/fscache_min_op_max_active +52 fs/fscache/main.c

    46
    47  /* these values serve as lower bounds, will be adjusted in fscache_init() */
    48  #define FSCACHE_MIN_OBJECT_MAX_ACTIVE 4
    49  static unsigned int fscache_object_max_active = FSCACHE_MIN_OBJECT_MAX_ACTIVE;
    50  static unsigned int fscache_op_max_active = FSCACHE_MIN_OBJECT_MAX_ACTIVE / 2;
  > 51  static unsigned int fscache_min_object_max_active = FSCACHE_MIN_OBJECT_MAX_ACTIVE;
  > 52  static unsigned int fscache_min_op_max_active = FSCACHE_MIN_OBJECT_MAX_ACTIVE / 2;
    53

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[openeuler:openEuler-1.0-LTS 1359/1359] drivers/scsi/sssraid/sssraid_os.c:1704:9: error: implicit declaration of function 'for_each_pci_msi_entry'; did you mean 'for_each_msi_entry'?
by kernel test robot 31 Dec '24

tree:   https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS
head:   4dc4cec05b40921a3db85d24f97f1142272e4abf
commit: 2e2a4edd9d4a725c5474dc278b090913d9b5bfd5 [1359/1359] SCSI: SSSRAID: Support 3SNIC 3S5XX serial RAID/HBA controllers
config: x86_64-buildonly-randconfig-004-20241231 (https://download.01.org/0day-ci/archive/20241231/202412311259.7ewDSIIe-lkp@…)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241231/202412311259.7ewDSIIe-lkp@…)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp(a)intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202412311259.7ewDSIIe-lkp@intel.com/

All error/warnings (new ones prefixed by >>):

   drivers/scsi/sssraid/sssraid_os.c: In function 'sssraid_map_queues':
>> drivers/scsi/sssraid/sssraid_os.c:1704:9: error: implicit declaration of function 'for_each_pci_msi_entry'; did you mean 'for_each_msi_entry'? [-Werror=implicit-function-declaration]
    1704 |         for_each_pci_msi_entry(entry, pdev) {
         |         ^~~~~~~~~~~~~~~~~~~~~~
         |         for_each_msi_entry
>> drivers/scsi/sssraid/sssraid_os.c:1704:44: error: expected ';' before '{' token
    1704 |         for_each_pci_msi_entry(entry, pdev) {
         |                                            ^~
         |                                            ;
   drivers/scsi/sssraid/sssraid_os.c:1702:22: warning: unused variable 'node_id_array' [-Wunused-variable]
    1702 |         unsigned int node_id_array[100];
         |                      ^~~~~~~~~~~~~
>> drivers/scsi/sssraid/sssraid_os.c:1701:28: warning: unused variable 'i' [-Wunused-variable]
    1701 |         u8 node_count = 0, i;
         |                            ^
   drivers/scsi/sssraid/sssraid_os.c:1701:12: warning: unused variable 'node_count' [-Wunused-variable]
    1701 |         u8 node_count = 0, i;
         |            ^~~~~~~~~~
   drivers/scsi/sssraid/sssraid_os.c:1700:18: warning: unused variable 'queue' [-Wunused-variable]
    1700 |         int cpu, queue = 0;
         |                  ^~~~~
>> drivers/scsi/sssraid/sssraid_os.c:1700:13: warning: unused variable 'cpu' [-Wunused-variable]
    1700 |         int cpu, queue = 0;
         |             ^~~
>> drivers/scsi/sssraid/sssraid_os.c:1699:31: warning: unused variable 'node_id_last' [-Wunused-variable]
    1699 |         unsigned int node_id, node_id_last = 0xFFFFFFFF;
         |                               ^~~~~~~~~~~~
>> drivers/scsi/sssraid/sssraid_os.c:1699:22: warning: unused variable 'node_id' [-Wunused-variable]
    1699 |         unsigned int node_id, node_id_last = 0xFFFFFFFF;
         |                      ^~~~~~~
>> drivers/scsi/sssraid/sssraid_os.c:1698:22: warning: unused variable 'nr_queues' [-Wunused-variable]
    1698 |         unsigned int nr_queues = tag_set->nr_hw_queues;
         |                      ^~~~~~~~~
   drivers/scsi/sssraid/sssraid_os.c:1697:31: warning: unused variable 'node_mask' [-Wunused-variable]
    1697 |         const struct cpumask *node_mask = NULL;
         |                               ^~~~~~~~~
>> drivers/scsi/sssraid/sssraid_os.c:1696:23: warning: unused variable 'map' [-Wunused-variable]
    1696 |         unsigned int *map = tag_set->mq_map;
         |                       ^~~
   drivers/scsi/sssraid/sssraid_os.c:1739:1: warning: no return statement in function returning non-void [-Wreturn-type]
    1739 | }
         | ^
   cc1: some warnings being treated as errors

vim +1704 drivers/scsi/sssraid/sssraid_os.c

  1689
  1690  static int sssraid_map_queues(struct Scsi_Host *shost)
  1691  {
  1692          struct sssraid_ioc *sdioc = shost_priv(shost);
  1693          struct pci_dev *pdev = sdioc->pdev;
  1694          struct msi_desc *entry = NULL;
  1695          struct blk_mq_tag_set *tag_set = &shost->tag_set;
> 1696          unsigned int *map = tag_set->mq_map;
  1697          const struct cpumask *node_mask = NULL;
> 1698          unsigned int nr_queues = tag_set->nr_hw_queues;
> 1699          unsigned int node_id, node_id_last = 0xFFFFFFFF;
> 1700          int cpu, queue = 0;
> 1701          u8 node_count = 0, i;
  1702          unsigned int node_id_array[100];
  1703
> 1704          for_each_pci_msi_entry(entry, pdev) {
  1705                  struct list_head *msi_list = &pdev->dev.msi_list;
  1706
  1707                  if (list_is_last(msi_list, &entry->list))
  1708                          goto get_next_numa_node;
  1709
  1710                  if (entry->irq) {
  1711                          node_mask = entry->affinity;
  1712
  1713                          cpu = cpumask_first(node_mask);
  1714                          node_id = cpu_to_node(cpu);
  1715                          if (node_id_last == node_id)
  1716                                  continue;
  1717
  1718                          for (i = 0; i < node_count; i++) {
  1719                                  if (node_id == node_id_array[i])
  1720                                          goto get_next_numa_node;
  1721                          }
  1722                          node_id_array[node_count++] = node_id;
  1723                          node_id_last = node_id;
  1724                  }
  1725  get_next_numa_node:
  1726                  continue;
  1727          }
  1728
  1729          for (i = 0; i < node_count; i++) {
  1730                  node_mask = cpumask_of_node(node_id_array[i]);
  1731                  dbgprint(sdioc, "NUMA_node = %d\n", node_id_array[i]);
  1732                  for_each_cpu(cpu, node_mask) {
  1733                          map[cpu] = (queue < nr_queues) ? queue++ : 0;
  1734                          dbgprint(sdioc, "map[%d] = %d\n", cpu, map[cpu]);
  1735                  }
  1736          }
  1737
  1738          return 0;
  1739  }
  1740

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
[PATCH OLK-5.10] NFSD: Prevent a potential integer overflow
by Li Lingfeng 31 Dec '24

From: Chuck Lever <chuck.lever(a)oracle.com> stable inclusion from stable-v5.10.231 commit 3c5f545c9a1f8a1869246f6f3ae8c17289d6a841 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHG9 CVE: CVE-2024-53146 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream. If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value. Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfsd/nfs4callback.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index bd79fc4934f0..9b692bcacd4b 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -286,17 +286,17 @@ static int decode_cb_compound4res(struct xdr_stream *xdr, u32 length; __be32 *p; - p = xdr_inline_decode(xdr, 4 + 4); + p = xdr_inline_decode(xdr, XDR_UNIT); if (unlikely(p == NULL)) goto out_overflow; - hdr->status = be32_to_cpup(p++); + hdr->status = be32_to_cpup(p); /* Ignore the tag */ - length = be32_to_cpup(p++); - p = xdr_inline_decode(xdr, length + 4); - if (unlikely(p == NULL)) + if (xdr_stream_decode_u32(xdr, &length) < 0) + goto out_overflow; + if (xdr_inline_decode(xdr, length) == NULL) + goto out_overflow; + if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0) goto out_overflow; - p += XDR_QUADLEN(length); - hdr->nops = be32_to_cpup(p); return 0; out_overflow: return -EIO; -- 2.31.1
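Review bot: In decode_cb_compound4res() the explicit skip "p += XDR_QUADLEN(length)" is removed and the tag is now consumed by "xdr_inline_decode(xdr, length)", so the padding of the tag to a 4-byte boundary is left to xdr_inline_decode() to account for. A short addition to the "/* Ignore the tag */" comment saying that the call rounds the length up to whole XDR units would keep a later reader from assuming hdr->nops is now read from an unaligned offset.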
[PATCH openEuler-22.03-LTS-SP1] EDAC/bluefield: Fix potential integer overflow
by liukai 31 Dec '24

From: David Thompson <davthompson(a)nvidia.com> stable inclusion from stable-v5.10.231 commit e0269ea7a628fdeddd65b92fe29c09655dbb80b9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHGU CVE: CVE-2024-53161 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- [ Upstream commit 1fe774a93b46bb029b8f6fa9d1f25affa53f06c6 ] The 64-bit argument for the "get DIMM info" SMC call consists of mem_ctrl_idx left-shifted 16 bits and OR-ed with DIMM index. With mem_ctrl_idx defined as 32-bits wide the left-shift operation truncates the upper 16 bits of information during the calculation of the SMC argument. The mem_ctrl_idx stack variable must be defined as 64-bits wide to prevent any potential integer overflow, i.e. loss of data from upper 16 bits. Fixes: 82413e562ea6 ("EDAC, mellanox: Add ECC support for BlueField DDR4") Signed-off-by: David Thompson <davthompson(a)nvidia.com> Signed-off-by: Borislav Petkov (AMD) <bp(a)alien8.de> Reviewed-by: Shravan Kumar Ramani <shravankr(a)nvidia.com> Link: https://lore.kernel.org/r/20240930151056.10158-1-davthompson@nvidia.com Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Liu Kai <liukai284(a)huawei.com> --- drivers/edac/bluefield_edac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/edac/bluefield_edac.c b/drivers/edac/bluefield_edac.c index e4736eb37bfb..0ef048982768 100644 --- a/drivers/edac/bluefield_edac.c +++ b/drivers/edac/bluefield_edac.c @@ -180,7 +180,7 @@ static void bluefield_edac_check(struct mem_ctl_info *mci) static void bluefield_edac_init_dimms(struct mem_ctl_info *mci) { struct bluefield_edac_priv *priv = mci->pvt_info; - int mem_ctrl_idx = mci->mc_idx; + u64 mem_ctrl_idx = mci->mc_idx; struct dimm_info *dimm; u64 smc_info, smc_arg; int is_empty = 1, i; -- 2.34.1
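Review bot: In bluefield_edac_init_dimms() the fix rests entirely on the declaration "u64 mem_ctrl_idx = mci->mc_idx;", while the left shift by 16 that the changelog describes is outside the visible context. A comment at the declaration stating that the value is shifted into the 64-bit smc_arg would stop the type from being narrowed back to int in a later cleanup; an explicit u64 cast at the shift itself would make the widening local to the expression that needs it.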
[PATCH OLK-6.6] NFSD: Prevent a potential integer overflow
by Li Lingfeng 31 Dec '24

From: Chuck Lever <chuck.lever(a)oracle.com> stable inclusion from stable-v6.6.64 commit dde654cad08fdaac370febb161ec41eb58e9d2a2 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHG9 CVE: CVE-2024-53146 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream. If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value. Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfsd/nfs4callback.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index 49a88dde9631..a8671c7c3e22 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -297,17 +297,17 @@ static int decode_cb_compound4res(struct xdr_stream *xdr, u32 length; __be32 *p; - p = xdr_inline_decode(xdr, 4 + 4); + p = xdr_inline_decode(xdr, XDR_UNIT); if (unlikely(p == NULL)) goto out_overflow; - hdr->status = be32_to_cpup(p++); + hdr->status = be32_to_cpup(p); /* Ignore the tag */ - length = be32_to_cpup(p++); - p = xdr_inline_decode(xdr, length + 4); - if (unlikely(p == NULL)) + if (xdr_stream_decode_u32(xdr, &length) < 0) + goto out_overflow; + if (xdr_inline_decode(xdr, length) == NULL) + goto out_overflow; + if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0) goto out_overflow; - p += XDR_QUADLEN(length); - hdr->nops = be32_to_cpup(p); return 0; out_overflow: return -EIO; -- 2.31.1
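Review bot: In this hunk hdr->status is still read with "xdr_inline_decode(xdr, XDR_UNIT)" followed by be32_to_cpup(p), while length and hdr->nops go through xdr_stream_decode_u32(), so p now exists for that one field only. Not a blocker for a stable backport, but a brief comment on why status is decoded differently (for instance the type of hdr->status) would explain the mixed style.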
[PATCH openEuler-1.0-LTS] NFSD: Prevent a potential integer overflow
by Li Lingfeng 31 Dec '24

From: Chuck Lever <chuck.lever(a)oracle.com> stable inclusion from stable-v4.19.325 commit 745f7ce5a95e783ba62fe774325829466aec2aa8 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBDHG9 CVE: CVE-2024-53146 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 7f33b92e5b18e904a481e6e208486da43e4dc841 upstream. If the tag length is >= U32_MAX - 3 then the "length + 4" addition can result in an integer overflow. Address this by splitting the decoding into several steps so that decode_cb_compound4res() does not have to perform arithmetic on the unsafe length value. Reported-by: Dan Carpenter <dan.carpenter(a)linaro.org> Cc: stable(a)vger.kernel.org Reviewed-by: Jeff Layton <jlayton(a)kernel.org> Signed-off-by: Chuck Lever <chuck.lever(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: fs/nfsd/nfs4callback.c [Commit eb72f484a5eb ("NFS: Remove print_overflow_msg()") remove print_overflow_msg.] Signed-off-by: Li Lingfeng <lilingfeng3(a)huawei.com> --- fs/nfsd/nfs4callback.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index b601e5915e6f..282bb8163cd1 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c 
@@ -294,17 +294,17 @@ static int decode_cb_compound4res(struct xdr_stream *xdr, u32 length; __be32 *p; - p = xdr_inline_decode(xdr, 4 + 4); + p = xdr_inline_decode(xdr, XDR_UNIT); if (unlikely(p == NULL)) goto out_overflow; - hdr->status = be32_to_cpup(p++); + hdr->status = be32_to_cpup(p); /* Ignore the tag */ - length = be32_to_cpup(p++); - p = xdr_inline_decode(xdr, length + 4); - if (unlikely(p == NULL)) + if (xdr_stream_decode_u32(xdr, &length) < 0) + goto out_overflow; + if (xdr_inline_decode(xdr, length) == NULL) + goto out_overflow; + if (xdr_stream_decode_u32(xdr, &hdr->nops) < 0) goto out_overflow; - p += XDR_QUADLEN(length); - hdr->nops = be32_to_cpup(p); return 0; out_overflow: print_overflow_msg(__func__, xdr); -- 2.31.1
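Review bot: The added lines in decode_cb_compound4res() use XDR_UNIT and xdr_stream_decode_u32(), and the patch touches only fs/nfsd/nfs4callback.c, so both must already be defined in the openEuler-1.0-LTS tree for this to build. Please confirm with a build of fs/nfsd on this branch; the Conflicts note explains the retained print_overflow_msg() call under out_overflow but says nothing about these two dependencies.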
[PATCH openEuler-22.03-LTS-SP1] gpio: grgpio: Add NULL check in grgpio_probe
by Pu Lehui 31 Dec '24

From: Charles Han <hanchunchao(a)inspur.com> stable inclusion from stable-v5.10.231 commit 4733f68e59bb7b9e3d395699abb18366954b9ba7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANT CVE: CVE-2024-56634 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 050b23d081da0f29474de043e9538c1f7a351b3b ] devm_kasprintf() can return a NULL pointer on failure,but this returned value in grgpio_probe is not checked. Add NULL check in grgpio_probe, to handle kernel NULL pointer dereference error. Cc: stable(a)vger.kernel.org Fixes: 7eb6ce2f2723 ("gpio: Convert to using %pOF instead of full_name") Signed-off-by: Charles Han <hanchunchao(a)inspur.com> Link: https://lore.kernel.org/r/20241114091822.78199-1-hanchunchao@inspur.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpio/gpio-grgpio.c [The conflicts were due to some minor issues.] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/gpio/gpio-grgpio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c index f954359c9544..e8e059ae5476 100644 --- a/drivers/gpio/gpio-grgpio.c +++ b/drivers/gpio/gpio-grgpio.c @@ -362,6 +362,9 @@ static int grgpio_probe(struct platform_device *ofdev) gc->owner = THIS_MODULE; gc->to_irq = grgpio_to_irq; gc->label = devm_kasprintf(&ofdev->dev, GFP_KERNEL, "%pOF", np); + if (!gc->label) + return -ENOMEM; + gc->base = -1; err = of_property_read_u32(np, "nbits", &prop); -- 2.34.1
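Review bot: The new "return -ENOMEM;" after the devm_kasprintf() call in grgpio_probe() leaves the function directly, with no unwind label. The visible context shows only field assignments on gc before it and the allocation itself is device-managed, so this looks safe, but please confirm that nothing acquired earlier in the probe on this branch needs an explicit release on this path.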
[PATCH OLK-5.10] gpio: grgpio: Add NULL check in grgpio_probe
by Pu Lehui 31 Dec '24

From: Charles Han <hanchunchao(a)inspur.com> stable inclusion from stable-v5.10.231 commit 4733f68e59bb7b9e3d395699abb18366954b9ba7 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANT CVE: CVE-2024-56634 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 050b23d081da0f29474de043e9538c1f7a351b3b ] devm_kasprintf() can return a NULL pointer on failure,but this returned value in grgpio_probe is not checked. Add NULL check in grgpio_probe, to handle kernel NULL pointer dereference error. Cc: stable(a)vger.kernel.org Fixes: 7eb6ce2f2723 ("gpio: Convert to using %pOF instead of full_name") Signed-off-by: Charles Han <hanchunchao(a)inspur.com> Link: https://lore.kernel.org/r/20241114091822.78199-1-hanchunchao@inspur.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpio/gpio-grgpio.c [The conflicts were due to some minor issues.] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/gpio/gpio-grgpio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c index f954359c9544..e8e059ae5476 100644 --- a/drivers/gpio/gpio-grgpio.c +++ b/drivers/gpio/gpio-grgpio.c @@ -362,6 +362,9 @@ static int grgpio_probe(struct platform_device *ofdev) gc->owner = THIS_MODULE; gc->to_irq = grgpio_to_irq; gc->label = devm_kasprintf(&ofdev->dev, GFP_KERNEL, "%pOF", np); + if (!gc->label) + return -ENOMEM; + gc->base = -1; err = of_property_read_u32(np, "nbits", &prop); -- 2.34.1
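Review bot: The check on gc->label sits right after the devm_kasprintf() call, but neither the hunk nor the changelog says where a NULL label would later be dereferenced. Naming that consumer in the commit message would make the impact of CVE-2024-56634 on this branch easier to assess.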
[PATCH OLK-6.6] gpio: grgpio: Add NULL check in grgpio_probe
by Pu Lehui 31 Dec '24

From: Charles Han <hanchunchao(a)inspur.com> stable inclusion from stable-v6.6.66 commit 8d2ca6ac3711a4f4015d26b7cc84f325ac608edb category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBEANT CVE: CVE-2024-56634 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 050b23d081da0f29474de043e9538c1f7a351b3b ] devm_kasprintf() can return a NULL pointer on failure,but this returned value in grgpio_probe is not checked. Add NULL check in grgpio_probe, to handle kernel NULL pointer dereference error. Cc: stable(a)vger.kernel.org Fixes: 7eb6ce2f2723 ("gpio: Convert to using %pOF instead of full_name") Signed-off-by: Charles Han <hanchunchao(a)inspur.com> Link: https://lore.kernel.org/r/20241114091822.78199-1-hanchunchao@inspur.com Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Conflicts: drivers/gpio/gpio-grgpio.c [The conflicts were due to some minor issues.] Signed-off-by: Pu Lehui <pulehui(a)huawei.com> --- drivers/gpio/gpio-grgpio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpio/gpio-grgpio.c b/drivers/gpio/gpio-grgpio.c index 0163c95f6dd7..b8b9f55e1bc0 100644 --- a/drivers/gpio/gpio-grgpio.c +++ b/drivers/gpio/gpio-grgpio.c @@ -361,6 +361,9 @@ static int grgpio_probe(struct platform_device *ofdev) gc->owner = THIS_MODULE; gc->to_irq = grgpio_to_irq; gc->label = devm_kasprintf(&ofdev->dev, GFP_KERNEL, "%pOF", np); + if (!gc->label) + return -ENOMEM; + gc->base = -1; err = of_property_read_u32(np, "nbits", &prop); -- 2.34.1
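Review bot: The changelog lists a Conflicts entry for drivers/gpio/gpio-grgpio.c described only as "some minor issues", while the hunk at grgpio_probe() adds just the three lines after the devm_kasprintf() call. Please state what was adapted (context offsets only, or something in the added lines) so the backport can be compared against stable commit 8d2ca6ac3711a4f4015d26b7cc84f325ac608edb.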