[PATCH openEuler-1.0-LTS v2 0/4] CVE-2024-26771
 
            This patchset fixes CVE-2024-26771. Conflicts of patch 2 and 3 is cause by commit 31f4b28f6c41 ("dmaengine: ti: edma: Add support for handling reserved channels") not being merged, which has been adapted. Conflicts of patch 4 is a context conflict which does not effect the effectiveness of this patch. v2: Removed CVE dedication for the first 3 patches. Chuhong Yuan (2): dmaengine: ti: edma: fix missed failure handling dmaengine: ti: edma: add missed operations Kunwu Chan (1): dmaengine: ti: edma: Add some null pointer checks to the edma_probe Wei Yongjun (1): dmaengine: ti: edma: Fix error return code in edma_probe() drivers/dma/ti/edma.c | 53 +++++++++++++++++++++++++++++-------------- 1 file changed, 36 insertions(+), 17 deletions(-) -- 2.34.1
 
            From: Chuhong Yuan <hslester96@gmail.com> mainline inclusion from mainline-v5.6-rc1 commit 340049d453682a9fe8d91fe794dd091730f4bb25 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2MP CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- When devm_kcalloc fails, it forgets to call edma_free_slot. Replace direct return with failure handler to fix it. Fixes: 1be5336bc7ba ("dmaengine: edma: New device tree binding") Signed-off-by: Chuhong Yuan <hslester96@gmail.com> Link: https://lore.kernel.org/r/20191118073802.28424-1-hslester96@gmail.com Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: GUO Zihua <guozihua@huawei.com> --- drivers/dma/ti/edma.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c index 982631d4e1f8..44158fa85973 100644 --- a/drivers/dma/ti/edma.c +++ b/drivers/dma/ti/edma.c @@ -2345,8 +2345,10 @@ static int edma_probe(struct platform_device *pdev) ecc->tc_list = devm_kcalloc(dev, ecc->num_tc, sizeof(*ecc->tc_list), GFP_KERNEL); - if (!ecc->tc_list) - return -ENOMEM; + if (!ecc->tc_list) { + ret = -ENOMEM; + goto err_reg1; + } for (i = 0;; i++) { ret = of_parse_phandle_with_fixed_args(node, "ti,tptcs", -- 2.34.1
 
            From: Chuhong Yuan <hslester96@gmail.com> mainline inclusion from mainline-v5.6-rc1 commit 2a03c1314506557277829562dd2ec5c11a6ea914 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2MP CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- The driver forgets to call pm_runtime_disable and pm_runtime_put_sync in probe failure and remove. Add the calls and modify probe failure handling to fix it. To simplify the fix, the patch adjusts the calling order and merges checks for devm_kcalloc. Fixes: 2b6b3b742019 ("ARM/dmaengine: edma: Merge the two drivers under drivers/dma/") Signed-off-by: Chuhong Yuan <hslester96@gmail.com> Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com> Link: https://lore.kernel.org/r/20191124052855.6472-1-hslester96@gmail.com Signed-off-by: Vinod Koul <vkoul@kernel.org> Conflicts: drivers/dma/ti/edma.c Signed-off-by: GUO Zihua <guozihua@huawei.com> --- drivers/dma/ti/edma.c | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c index 44158fa85973..800271647574 100644 --- a/drivers/dma/ti/edma.c +++ b/drivers/dma/ti/edma.c @@ -2218,13 +2218,6 @@ static int edma_probe(struct platform_device *pdev) if (!info) return -ENODEV; - pm_runtime_enable(dev); - ret = pm_runtime_get_sync(dev); - if (ret < 0) { - dev_err(dev, "pm_runtime_get_sync() failed\n"); - return ret; - } - ret = dma_set_mask_and_coherent(dev, DMA_BIT_MASK(32)); if (ret) return ret; @@ -2255,21 +2248,27 @@ static int edma_probe(struct platform_device *pdev) platform_set_drvdata(pdev, ecc); + pm_runtime_enable(dev); + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "pm_runtime_get_sync() failed\n"); + pm_runtime_disable(dev); + return ret; + } + /* Get eDMA3 configuration from IP */ ret = edma_setup_from_hw(dev, info, ecc); if (ret) - return ret; + goto err_disable_pm; /* Allocate memory based on the information we got from the IP */ ecc->slave_chans = devm_kcalloc(dev, ecc->num_channels, sizeof(*ecc->slave_chans), GFP_KERNEL); - if (!ecc->slave_chans) - return -ENOMEM; ecc->slot_inuse = devm_kcalloc(dev, BITS_TO_LONGS(ecc->num_slots), sizeof(unsigned long), GFP_KERNEL); - if (!ecc->slot_inuse) - return -ENOMEM; + if (!ecc->slave_chans || !ecc->slot_inuse) + goto err_disable_pm; ecc->default_queue = info->default_queue; @@ -2310,7 +2309,7 @@ static int edma_probe(struct platform_device *pdev) ecc); if (ret) { dev_err(dev, "CCINT (%d) failed --> %d\n", irq, ret); - return ret; + goto err_disable_pm; } ecc->ccint = irq; } @@ -2326,7 +2325,7 @@ static int edma_probe(struct platform_device *pdev) ecc); if (ret) { dev_err(dev, "CCERRINT (%d) failed --> %d\n", irq, ret); - return ret; + goto err_disable_pm; } ecc->ccerrint = irq; } @@ -2334,7 +2333,8 @@ static int edma_probe(struct platform_device *pdev) ecc->dummy_slot = edma_alloc_slot(ecc, EDMA_SLOT_ANY); if (ecc->dummy_slot < 0) { dev_err(dev, "Can't allocate PaRAM dummy slot\n"); - return ecc->dummy_slot; + ret = ecc->dummy_slot; + goto err_disable_pm; } queue_priority_mapping = info->queue_priority_mapping; @@ -2418,6 +2418,9 @@ static int edma_probe(struct platform_device *pdev) err_reg1: edma_free_slot(ecc, ecc->dummy_slot); +err_disable_pm: + pm_runtime_put_sync(dev); + pm_runtime_disable(dev); return ret; } @@ -2448,6 +2451,8 @@ static int edma_remove(struct platform_device *pdev) if (ecc->dma_memcpy) dma_async_device_unregister(ecc->dma_memcpy); edma_free_slot(ecc, ecc->dummy_slot); + pm_runtime_put_sync(dev); + pm_runtime_disable(dev); return 0; } -- 2.34.1
 
            From: Wei Yongjun <weiyongjun1@huawei.com> mainline inclusion from mainline-v5.6-rc1 commit d1fd03a35efc6285e43f4ef35ef04dbf2c9389c6 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2MP CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Fix to return negative error code -ENOMEM from the error handling case instead of 0, as done elsewhere in this function. Fixes: 2a03c1314506 ("dmaengine: ti: edma: add missed operations") Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com> Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com> Link: https://lore.kernel.org/r/20191212114622.127322-1-weiyongjun1@huawei.com Signed-off-by: Vinod Koul <vkoul@kernel.org> Conflicts: drivers/dma/ti/edma.c Signed-off-by: GUO Zihua <guozihua@huawei.com> --- drivers/dma/ti/edma.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c index 800271647574..c35fe3d82670 100644 --- a/drivers/dma/ti/edma.c +++ b/drivers/dma/ti/edma.c @@ -2267,8 +2267,10 @@ static int edma_probe(struct platform_device *pdev) ecc->slot_inuse = devm_kcalloc(dev, BITS_TO_LONGS(ecc->num_slots), sizeof(unsigned long), GFP_KERNEL); - if (!ecc->slave_chans || !ecc->slot_inuse) + if (!ecc->slave_chans || !ecc->slot_inuse) { + ret = -ENOMEM; goto err_disable_pm; + } ecc->default_queue = info->default_queue; -- 2.34.1
 
            From: Kunwu Chan <chentao@kylinos.cn> mainline inclusion from mainline-v6.8-rc3 commit 6e2276203ac9ff10fc76917ec9813c660f627369 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2MP CVE: CVE-2024-26771 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- devm_kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Ensure the allocation was successful by checking the pointer validity. Signed-off-by: Kunwu Chan <chentao@kylinos.cn> Link: https://lore.kernel.org/r/20240118031929.192192-1-chentao@kylinos.cn Signed-off-by: Vinod Koul <vkoul@kernel.org> Conflicts: drivers/dma/ti/edma.c Signed-off-by: GUO Zihua <guozihua@huawei.com> --- drivers/dma/ti/edma.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c index c35fe3d82670..2824f8cf414b 100644 --- a/drivers/dma/ti/edma.c +++ b/drivers/dma/ti/edma.c @@ -2307,6 +2307,11 @@ static int edma_probe(struct platform_device *pdev) if (irq >= 0) { irq_name = devm_kasprintf(dev, GFP_KERNEL, "%s_ccint", dev_name(dev)); + if (!irq_name) { + ret = -ENOMEM; + goto err_disable_pm; + } + ret = devm_request_irq(dev, irq, dma_irq_handler, 0, irq_name, ecc); if (ret) { @@ -2323,6 +2328,11 @@ static int edma_probe(struct platform_device *pdev) if (irq >= 0) { irq_name = devm_kasprintf(dev, GFP_KERNEL, "%s_ccerrint", dev_name(dev)); + if (!irq_name) { + ret = -ENOMEM; + goto err_disable_pm; + } + ret = devm_request_irq(dev, irq, dma_ccerr_handler, 0, irq_name, ecc); if (ret) { -- 2.34.1
 
            反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/5839 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/7... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/5839 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/7...
participants (2)
- 
                 GUO Zihua GUO Zihua
- 
                 patchwork bot patchwork bot