[PATCH OLK-6.6 0/2] *** fix CVE-2026-31443 ***
*** fix CVE-2026-31443 *** Dan Carpenter (1): dmaengine: idxd: Delete unnecessary NULL check Vinicius Costa Gomes (1): dmaengine: idxd: Fix crash when the event log is disabled drivers/dma/idxd/device.c | 3 +++ drivers/dma/idxd/init.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) -- 2.43.0
From: Dan Carpenter <dan.carpenter@linaro.org> mainline inclusion from mainline-v6.15-rc1 commit 2c17e9ea0caa5555e31e154fa1b06260b816f5cc category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14186 CVE: CVE-2026-31443 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- The "saved_evl" pointer is a offset into the middle of a non-NULL struct. It can't be NULL and the check is slightly confusing. Delete the check. Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Fenghua Yu <fenghua.yu@intel.com> Link: https://lore.kernel.org/r/ec38214e-0bbb-4c5a-94ff-b2b2d4c3f245@stanley.mount... Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Lin Ruifeng <linruifeng4@huawei.com> --- drivers/dma/idxd/init.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index 91933dd7973f..e51c025d55b7 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -982,8 +982,7 @@ static void idxd_device_config_restore(struct idxd_device *idxd, idxd->rdbuf_limit = idxd_saved->saved_idxd.rdbuf_limit; - if (saved_evl) - idxd->evl->size = saved_evl->size; + idxd->evl->size = saved_evl->size; for (i = 0; i < idxd->max_groups; i++) { struct idxd_group *saved_group, *group; -- 2.43.0
From: Vinicius Costa Gomes <vinicius.gomes@intel.com> mainline inclusion from mainline-v6.15-rc1 commit 2c17e9ea0caa5555e31e154fa1b06260b816f5cc category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14186 CVE: CVE-2026-31443 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- [ Upstream commit 52d2edea0d63c935e82631e4b9e4a94eccf97b5b ] If reporting errors to the event log is not supported by the hardware, and an error that causes Function Level Reset (FLR) is received, the driver will try to restore the event log even if it was not allocated. Also, only try to free the event log if it was properly allocated. Fixes: 6078a315aec1 ("dmaengine: idxd: Add idxd_device_config_save() and idxd_device_config_restore() helpers") Reviewed-by: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com> Link: https://patch.msgid.link/20260121-idxd-fix-flr-on-kernel-queues-v3-v3-2-7ed7... Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Lin Ruifeng <linruifeng4@huawei.com> --- drivers/dma/idxd/device.c | 3 +++ drivers/dma/idxd/init.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c index c41ef195eeb9..e356081aa317 100644 --- a/drivers/dma/idxd/device.c +++ b/drivers/dma/idxd/device.c @@ -815,6 +815,9 @@ static void idxd_device_evl_free(struct idxd_device *idxd) struct device *dev = &idxd->pdev->dev; struct idxd_evl *evl = idxd->evl; + if (!evl) + return; + gencfg.bits = ioread32(idxd->reg_base + IDXD_GENCFG_OFFSET); if (!gencfg.evl_en) return; diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c index e51c025d55b7..797af2ce524b 100644 --- a/drivers/dma/idxd/init.c +++ b/drivers/dma/idxd/init.c @@ -982,7 +982,8 @@ static void idxd_device_config_restore(struct idxd_device *idxd, idxd->rdbuf_limit = idxd_saved->saved_idxd.rdbuf_limit; - idxd->evl->size = saved_evl->size; + if (idxd->evl) + idxd->evl->size = saved_evl->size; for (i = 0; i < idxd->max_groups; i++) { struct idxd_group *saved_group, *group; -- 2.43.0
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://atomgit.com/openeuler/kernel/merge_requests/22167 邮件列表地址:https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/KSM... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/22167 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/KSM...
participants (2)
-
Lin Ruifeng -
patchwork bot